Score: 1.6 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 165.230.49.115, 192.33.90.195, 157.159.226.72, 169.235.24.133, 156.56.250.227, 160.80.221.39, 155.98.35.7, 162.105.205.21, 192.41.135.219, 160.193.163.106
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/16/2012 23:56:17.221 PDT
Gen. Time: 07/17/2012 00:16:54.216 PDT

INBOUND SCAN
EXPLOIT
  165.230.49.115 (23:56:17.221 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    2007<-2004 (23:56:17.221 PDT)
  192.33.90.195 (2) (23:58:58.478 PDT)
    event=1:22012087 (2) {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    2027<-2001 (23:58:58.478 PDT)
    2007<-2027 (00:05:45.033 PDT)
  157.159.226.72 (00:13:12.871 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    2014<-2003 (00:13:12.871 PDT)
  169.235.24.133 (00:02:33.046 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    2022<-2006 (00:02:33.046 PDT)
  156.56.250.227 (00:05:12.647 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    2011<-2006 (00:05:12.647 PDT)
  160.80.221.39 (00:10:46.370 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    2022<-2016 (00:10:46.370 PDT)
  155.98.35.7 (23:57:37.721 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    2022<-2016 (23:57:37.721 PDT)
  162.105.205.21 (2) (23:58:52.576 PDT)
    event=1:22012087 (2) {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    2008<-2011 (23:58:52.576 PDT)
    2019<-2001 (00:13:36.655 PDT)
  192.41.135.219 (00:12:49.672 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    2024<-2022 (00:12:49.672 PDT)
  160.193.163.106 (23:56:47.158 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    2021<-2010 (23:56:47.158 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  192.41.135.219 (23:56:59.255 PDT)
    event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40
    2023->2014 (23:56:59.255 PDT)
  164.107.127.12 (23:58:55.707 PDT)
    event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40
    2018->2008 (23:58:55.707 PDT)
  192.33.90.69 (00:08:58.241 PDT)
    event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40
    2006->2001 (00:08:58.241 PDT)
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  138.238.250.155 (00:04:11.868 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    49302->49302 (00:04:11.868 PDT)
  128.2.211.114 (00:14:20.141 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    2119->2119 (00:14:20.141 PDT)
DECLARE BOT
  tcpslice 1342508177.221 1342508177.222 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 00:24:25.798 PDT
Gen. Time: 07/17/2012 00:24:25.798 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  206.207.248.34 (00:24:25.798 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    4121->4121 (00:24:25.798 PDT)
DECLARE BOT
  tcpslice 1342509865.798 1342509865.799 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 00:24:25.798 PDT
Gen. Time: 07/17/2012 00:28:11.226 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  132.239.17.226 (00:26:02.998 PDT)
    event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    40056->47749 (00:26:02.998 PDT)
  206.207.248.34 (00:24:25.798 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    4121->4121 (00:24:25.798 PDT)
DECLARE BOT
  tcpslice 1342509865.798 1342509865.799 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 156.17.10.52, 165.91.55.10
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 00:32:09.579 PDT
Gen. Time: 07/17/2012 00:34:33.990 PDT

INBOUND SCAN
EXPLOIT
  156.17.10.52 (00:32:09.579 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    2008<-2001 (00:32:09.579 PDT)
  165.91.55.10 (00:32:52.413 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    2028<-2008 (00:32:52.413 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  143.89.49.74 (00:34:33.990 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    4121->4121 (00:34:33.990 PDT)
DECLARE BOT
  tcpslice 1342510329.579 1342510329.580 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 156.17.10.52, 190.227.163.141, 165.91.55.10, 156.56.250.226
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 00:32:09.579 PDT
Gen. Time: 07/17/2012 00:41:57.622 PDT

INBOUND SCAN
EXPLOIT
  156.17.10.52 (00:32:09.579 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    2008<-2001 (00:32:09.579 PDT)
  190.227.163.141 (00:36:31.537 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    2026<-2009 (00:36:31.537 PDT)
  165.91.55.10 (00:32:52.413 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    2028<-2008 (00:32:52.413 PDT)
  156.56.250.226 (00:38:35.418 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    2008<-2030 (00:38:35.418 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  143.89.49.74 (00:34:33.990 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    4121->4121 (00:34:33.990 PDT)
  130.104.72.201 (00:41:13.912 PDT)
    event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    55999->49302 (00:41:13.912 PDT)
DECLARE BOT
  tcpslice 1342510329.579 1342510329.580 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 165.91.55.9
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 00:42:16.140 PDT
Gen. Time: 07/17/2012 00:44:41.827 PDT

INBOUND SCAN
EXPLOIT
  165.91.55.9 (00:42:16.140 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    2007<-2022 (00:42:16.140 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  130.104.72.201 (00:44:41.827 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    49302->49302 (00:44:41.827 PDT)
DECLARE BOT
  tcpslice 1342510936.140 1342510936.141 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 165.230.49.119, 165.91.55.9
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 00:42:16.140 PDT
Gen. Time: 07/17/2012 00:47:40.437 PDT

INBOUND SCAN
EXPLOIT
  165.230.49.119 (00:45:28.985 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    2003<-2029 (00:45:28.985 PDT)
  165.91.55.9 (00:42:16.140 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    2007<-2022 (00:42:16.140 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  130.104.72.201 (00:44:41.827 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    49302->49302 (00:44:41.827 PDT)
DECLARE BOT
  tcpslice 1342510936.140 1342510936.141 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 00:54:42.678 PDT
Gen. Time: 07/17/2012 00:54:42.678 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  128.2.211.114 (00:54:42.678 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    2119->2119 (00:54:42.678 PDT)
DECLARE BOT
  tcpslice 1342511682.678 1342511682.679 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 00:54:42.678 PDT
Gen. Time: 07/17/2012 00:57:39.751 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  128.2.211.114 (00:54:42.678 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    2119->2119 (00:54:42.678 PDT)
  143.89.49.74 (00:55:17.985 PDT)
    event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    49680->49302 (00:55:17.985 PDT)
DECLARE BOT
  tcpslice 1342511682.678 1342511682.679 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 01:06:25.491 PDT
Gen. Time: 07/17/2012 01:06:25.491 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  128.2.211.114 (01:06:25.491 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    4121->4121 (01:06:25.491 PDT)
DECLARE BOT
  tcpslice 1342512385.491 1342512385.492 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 155.246.12.164
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 01:14:06.870 PDT
Gen. Time: 07/17/2012 01:15:03.740 PDT

INBOUND SCAN
EXPLOIT
  155.246.12.164 (01:15:03.740 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    2025<-2020 (01:15:03.740 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  160.193.163.106 (01:14:08.254 PDT)
    event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40
    2022->2027 (01:14:08.254 PDT)
  165.91.55.9 (01:14:06.870 PDT)
    event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40
    2013->2023 (01:14:06.870 PDT)
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
  tcpslice 1342512846.870 1342512846.871 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 1.6 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 155.246.12.164, 192.42.43.23
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 01:14:06.870 PDT
Gen. Time: 07/17/2012 01:18:05.429 PDT

INBOUND SCAN
EXPLOIT
  155.246.12.164 (01:15:03.740 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    2025<-2020 (01:15:03.740 PDT)
  192.42.43.23 (01:15:28.601 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    2016<-2013 (01:15:28.601 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  160.193.163.106 (01:14:08.254 PDT)
    event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40
    2022->2027 (01:14:08.254 PDT)
  165.91.55.9 (01:14:06.870 PDT)
    event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40
    2013->2023 (01:14:06.870 PDT)
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  128.2.211.114 (01:16:35.900 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    2121->2121 (01:16:35.900 PDT)
DECLARE BOT
  tcpslice 1342512846.870 1342512846.871 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 156.17.10.51
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 01:18:12.874 PDT
Gen. Time: 07/17/2012 01:20:34.277 PDT

INBOUND SCAN
EXPLOIT
  156.17.10.51 (01:20:34.277 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    2008<-2009 (01:20:34.277 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  155.98.35.7 (01:18:12.874 PDT)
    event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40
    2008->2011 (01:18:12.874 PDT)
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
  tcpslice 1342513092.874 1342513092.875 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List: 188.93.19.162
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 01:23:29.123 PDT
Gen. Time: 07/17/2012 01:26:39.972 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
  188.93.19.162 (01:23:29.123 PDT)
    event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
    4815->51461 (01:23:29.123 PDT)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  165.230.49.114 (01:23:48.284 PDT)
    event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40
    2003->2026 (01:23:48.284 PDT)
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  206.207.248.34 (01:26:39.972 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    2121->2121 (01:26:39.972 PDT)
DECLARE BOT
  tcpslice 1342513409.123 1342513409.124 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 1.2 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 192.138.213.238, 155.98.35.7, 192.138.213.236
Egg Source List:
C & C List: 188.93.19.162
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 01:35:34.165 PDT
Gen. Time: 07/17/2012 01:36:46.768 PDT

INBOUND SCAN
EXPLOIT
  192.138.213.238 (01:35:45.586 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    2029<-2015 (01:35:45.586 PDT)
  155.98.35.7 (01:35:34.165 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    2010<-2006 (01:35:34.165 PDT)
  192.138.213.236 (01:36:23.526 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    2029<-2022 (01:36:23.526 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
  188.93.19.162 (01:35:55.195 PDT)
    event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
    4815->52509 (01:35:55.195 PDT)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  138.238.250.155 (01:36:46.768 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    49302->49302 (01:36:46.768 PDT)
DECLARE BOT
  tcpslice 1342514134.165 1342514134.166 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 156.56.250.226
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 01:43:08.548 PDT
Gen. Time: 07/17/2012 01:43:54.347 PDT

INBOUND SCAN
EXPLOIT
  156.56.250.226 (01:43:08.548 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    2003<-2012 (01:43:08.548 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  192.16.125.11 (01:43:54.347 PDT)
    event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40
    2001->2007 (01:43:54.347 PDT)
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
  tcpslice 1342514588.548 1342514588.549 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 1.7 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 156.56.250.226
Egg Source List:
C & C List: 188.93.19.162
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 01:43:08.548 PDT
Gen. Time: 07/17/2012 01:48:10.121 PDT

INBOUND SCAN
EXPLOIT
  156.56.250.226 (01:43:08.548 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    2003<-2012 (01:43:08.548 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
  188.93.19.162 (01:48:10.121 PDT)
    event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
    4815->55244 (01:48:10.121 PDT)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  192.16.125.11 (01:43:54.347 PDT)
    event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40
    2001->2007 (01:43:54.347 PDT)
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  128.2.211.114 (01:46:52.304 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    2119->2119 (01:46:52.304 PDT)
  143.89.49.74 (01:47:19.064 PDT)
    event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    32819->54593 (01:47:19.064 PDT)
DECLARE BOT
  tcpslice 1342514588.548 1342514588.549 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 192.33.90.66
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 01:48:47.410 PDT
Gen. Time: 07/17/2012 01:51:22.839 PDT

INBOUND SCAN
EXPLOIT
  192.33.90.66 (01:51:22.839 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    2019<-2003 (01:51:22.839 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  164.107.127.12 (01:48:47.410 PDT)
    event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40
    2023->2013 (01:48:47.410 PDT)
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
  tcpslice 1342514927.410 1342514927.411 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 156.17.10.52
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 01:55:36.172 PDT
Gen. Time: 07/17/2012 01:56:30.946 PDT

INBOUND SCAN
EXPLOIT
  156.17.10.52 (01:55:36.172 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    2029<-2002 (01:55:36.172 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  156.17.10.52 (01:56:30.946 PDT)
    event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40
    2026->2015 (01:56:30.946 PDT)
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
  tcpslice 1342515336.172 1342515336.173 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 1.6 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 156.17.10.52
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 01:55:36.172 PDT
Gen. Time: 07/17/2012 01:58:56.753 PDT

INBOUND SCAN
EXPLOIT
  156.17.10.52 (01:55:36.172 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    2029<-2002 (01:55:36.172 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  156.17.10.52 (01:56:30.946 PDT)
    event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40
    2026->2015 (01:56:30.946 PDT)
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  128.163.142.20 (01:57:03.604 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    2121->2121 (01:57:03.604 PDT)
DECLARE BOT
  tcpslice 1342515336.172 1342515336.173 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 192.16.125.12
Egg Source List:
C & C List: 188.93.19.162
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 02:02:34.324 PDT
Gen. Time: 07/17/2012 02:04:13.497 PDT

INBOUND SCAN
EXPLOIT
  192.16.125.12 (02:03:44.504 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    2027<-2026 (02:03:44.504 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
  188.93.19.162 (02:02:34.324 PDT)
    event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
    4815->55118 (02:02:34.324 PDT)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  160.80.221.39 (02:04:13.497 PDT)
    event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40
    2002->2007 (02:04:13.497 PDT)
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
  tcpslice 1342515754.324 1342515754.325 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 192.16.125.12, 170.140.119.69
Egg Source List:
C & C List: 188.93.19.162
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 02:02:34.324 PDT
Gen. Time: 07/17/2012 02:07:13.812 PDT

INBOUND SCAN
EXPLOIT
  192.16.125.12 (02:03:44.504 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    2027<-2026 (02:03:44.504 PDT)
  170.140.119.69 (02:04:40.342 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    2014<-2002 (02:04:40.342 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
  188.93.19.162 (02:02:34.324 PDT)
    event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
    4815->55118 (02:02:34.324 PDT)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  160.80.221.39 (02:04:13.497 PDT)
    event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40
    2002->2007 (02:04:13.497 PDT)
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
  tcpslice 1342515754.324 1342515754.325 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 02:07:41.591 PDT
Gen. Time: 07/17/2012 02:07:41.591 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  195.37.16.125 (02:07:41.591 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    2121->2121 (02:07:41.591 PDT)
DECLARE BOT
  tcpslice 1342516061.591 1342516061.592 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 1.2 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 192.138.213.238, 165.230.49.114
Egg Source List:
C & C List: 188.93.19.162
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 02:07:41.591 PDT
Gen. Time: 07/17/2012 02:13:57.058 PDT

INBOUND SCAN
EXPLOIT
  192.138.213.238 (02:08:54.673 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    2003<-2006 (02:08:54.673 PDT)
  165.230.49.114 (02:10:23.733 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    2024<-2013 (02:10:23.733 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
  188.93.19.162 (02:12:53.612 PDT)
    event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
    4815->56689 (02:12:53.612 PDT)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  130.104.72.201 (02:07:59.732 PDT)
    event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    45351->49302 (02:07:59.732 PDT)
  195.37.16.125 (02:07:41.591 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    2121->2121 (02:07:41.591 PDT)
DECLARE BOT
  tcpslice 1342516061.591 1342516061.592 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 02:17:43.543 PDT
Gen. Time: 07/17/2012 02:18:12.750 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  128.2.211.114 (02:17:43.543 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    2119->2119 (02:17:43.543 PDT)
DECLARE BOT
  tcpslice 1342516663.543 1342516663.544 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 165.230.49.119, 165.91.55.9
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 02:18:53.148 PDT
Gen. Time: 07/17/2012 02:20:45.397 PDT

INBOUND SCAN
EXPLOIT
  165.230.49.119 (02:20:27.461 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    2020<-2018 (02:20:27.461 PDT)
  165.91.55.9 (02:18:53.148 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    2009<-2007 (02:18:53.148 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  157.92.44.102 (02:20:45.397 PDT)
    event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40
    2016->2023 (02:20:45.397 PDT)
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
  tcpslice 1342516733.148 1342516733.149 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 1.7 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 155.98.35.8, 165.230.49.119, 165.91.55.9, 193.10.64.35
Egg Source List:
C & C List: 188.93.19.162
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 02:18:53.148 PDT
Gen. Time: 07/17/2012 02:28:29.336 PDT

INBOUND SCAN
EXPLOIT
  155.98.35.8 (02:24:06.746 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    2012<-2012 (02:24:06.746 PDT)
  165.230.49.119 (02:20:27.461 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    2020<-2018 (02:20:27.461 PDT)
  165.91.55.9 (02:18:53.148 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    2009<-2007 (02:18:53.148 PDT)
  193.10.64.35 (02:23:14.118 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    2013<-2014 (02:23:14.118 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
  188.93.19.162 (02:24:59.508 PDT)
    event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
    4815->56424 (02:24:59.508 PDT)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  157.92.44.102 (02:20:45.397 PDT)
    event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40
    2016->2023 (02:20:45.397 PDT)
  192.33.90.69 (02:24:28.184 PDT)
    event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40
    2002->2006 (02:24:28.184 PDT)
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  128.2.211.114 (02:27:49.248 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    2119->2119 (02:27:49.248 PDT)
DECLARE BOT
  tcpslice 1342516733.148 1342516733.149 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR
================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.41.135.218 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 02:29:35.177 PDT Gen. Time: 07/17/2012 02:31:14.857 PDT INBOUND SCAN EXPLOIT 192.41.135.218 (02:31:14.857 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2005<-2002 (02:31:14.857 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 192.114.4.3 (02:29:35.177 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40 2025->2003 (02:29:35.177 PDT) ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT tcpslice 1342517375.177 1342517375.178 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 165.91.55.10, 169.226.40.2, 192.33.90.68 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 02:35:15.748 PDT Gen. 
Time: 07/17/2012 02:37:54.167 PDT INBOUND SCAN EXPLOIT 165.91.55.10 (02:36:02.593 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2007<-2001 (02:36:02.593 PDT) 169.226.40.2 (02:37:06.274 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2003<-2020 (02:37:06.274 PDT) 192.33.90.68 (02:35:15.748 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2007<-2017 (02:35:15.748 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 129.93.229.138 (02:37:54.167 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (02:37:54.167 PDT) DECLARE BOT tcpslice 1342517715.748 1342517715.749 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.7 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 165.91.55.10, 169.226.40.2, 192.33.90.68 Egg Source List: C & C List: 188.93.19.162 Peer Coord. List: Resource List: Observed Start: 07/17/2012 02:35:15.748 PDT Gen. 
Time: 07/17/2012 02:42:46.974 PDT INBOUND SCAN EXPLOIT 165.91.55.10 (02:36:02.593 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2007<-2001 (02:36:02.593 PDT) 169.226.40.2 (02:37:06.274 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2003<-2020 (02:37:06.274 PDT) 192.33.90.68 (02:35:15.748 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2007<-2017 (02:35:15.748 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 188.93.19.162 (02:42:01.222 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 4815->59996 (02:42:01.222 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 165.230.49.114 (02:40:00.854 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40 2001->2004 (02:40:00.854 PDT) ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 129.93.229.138 (02:37:54.167 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (02:37:54.167 PDT) DECLARE BOT tcpslice 1342517715.748 1342517715.749 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 02:45:34.184 PDT Gen. 
Time: 07/17/2012 02:48:02.205 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 193.136.191.25 (02:45:34.184 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40 2002->2005 (02:45:34.184 PDT) ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 143.89.49.74 (02:48:02.205 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 4121->4121 (02:48:02.205 PDT) DECLARE BOT tcpslice 1342518334.184 1342518334.185 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.2 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 163.117.253.22, 192.197.121.3 Egg Source List: C & C List: 188.93.19.162 Peer Coord. List: Resource List: Observed Start: 07/17/2012 02:54:27.193 PDT Gen. 
Time: 07/17/2012 02:59:09.424 PDT INBOUND SCAN EXPLOIT 163.117.253.22 (02:54:27.193 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2026<-2013 (02:54:27.193 PDT) 192.197.121.3 (02:55:37.096 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2027<-2018 (02:55:37.096 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 188.93.19.162 (02:57:33.456 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 4815->64192 (02:57:33.456 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 128.2.211.114 (02:59:09.424 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (02:59:09.424 PDT) DECLARE BOT tcpslice 1342518867.193 1342518867.194 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 03:05:03.002 PDT Gen. 
Time: 07/17/2012 03:06:52.982 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 190.227.163.142 (03:05:03.002 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40 2022->2004 (03:05:03.002 PDT) ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 132.239.17.226 (03:06:52.982 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 37882->49301 (03:06:52.982 PDT) DECLARE BOT tcpslice 1342519503.002 1342519503.003 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 03:05:03.002 PDT Gen. 
Time: 07/17/2012 03:09:09.583 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 190.227.163.142 (03:05:03.002 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40 2022->2004 (03:05:03.002 PDT) ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 128.2.211.114 (03:09:09.583 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (03:09:09.583 PDT) 132.239.17.226 (03:06:52.982 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 37882->49301 (03:06:52.982 PDT) DECLARE BOT tcpslice 1342519503.002 1342519503.003 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 03:19:09.772 PDT Gen. 
Time: 07/17/2012 03:19:09.772 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 128.2.211.114 (03:19:09.772 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (03:19:09.772 PDT) DECLARE BOT tcpslice 1342520349.772 1342520349.773 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: 188.93.19.162 Peer Coord. List: Resource List: Observed Start: 07/17/2012 03:26:41.651 PDT Gen. Time: 07/17/2012 03:29:09.894 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 188.93.19.162 (03:26:41.651 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 4815->60563 (03:26:41.651 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 128.2.211.114 (03:29:09.894 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (03:29:09.894 PDT) DECLARE BOT tcpslice 1342520801.651 1342520801.652 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 165.230.49.115 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 03:30:07.935 PDT Gen. 
Time: 07/17/2012 03:30:14.000 PDT INBOUND SCAN EXPLOIT 165.230.49.115 (03:30:07.935 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2016<-2027 (03:30:07.935 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 165.91.55.9 (03:30:14.000 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40 2020->2026 (03:30:14.000 PDT) ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT tcpslice 1342521007.935 1342521007.936 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.16.125.12, 169.226.40.2, 165.230.49.115 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 03:30:07.935 PDT Gen. 
Time: 07/17/2012 03:37:20.962 PDT INBOUND SCAN EXPLOIT 192.16.125.12 (03:30:15.331 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2006<-2008 (03:30:15.331 PDT) 169.226.40.2 (03:31:01.531 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2015<-2003 (03:31:01.531 PDT) 165.230.49.115 (03:30:07.935 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2016<-2027 (03:30:07.935 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 192.6.26.32 (03:30:47.705 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40 2006->2007 (03:30:47.705 PDT) 165.91.55.9 (03:30:14.000 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40 2020->2026 (03:30:14.000 PDT) 192.6.26.31 (03:34:03.478 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40 2024->2005 (03:34:03.478 PDT) ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT tcpslice 1342521007.935 1342521007.936 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 03:39:09.072 PDT Gen. 
Time: 07/17/2012 03:39:09.072 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 128.2.211.114 (03:39:09.072 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (03:39:09.072 PDT) DECLARE BOT tcpslice 1342521549.072 1342521549.073 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.2 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 190.227.163.141, 192.16.125.12, 157.159.226.72, 165.91.55.9 Egg Source List: C & C List: 188.93.19.162 (2) Peer Coord. List: Resource List: Observed Start: 07/17/2012 03:39:09.072 PDT Gen. Time: 07/17/2012 03:49:25.333 PDT INBOUND SCAN EXPLOIT 190.227.163.141 (03:42:43.529 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2001<-2016 (03:42:43.529 PDT) 192.16.125.12 (2) (03:41:36.581 PDT) event=1:22012087 (2) {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2015<-2024 (03:41:36.581 PDT) 2003<-2024 (03:46:35.141 PDT) 157.159.226.72 (03:40:49.170 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2019<-2026 (03:40:49.170 PDT) 165.91.55.9 (03:43:34.618 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2025<-2017 (03:43:34.618 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 188.93.19.162 (2) (03:39:25.458 PDT) event=1:3810007 (2) {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] 
MAC_Src: 00:21:5A:08:EC:40 4815->59054 (03:39:25.458 PDT) 4815->54644 (03:49:25.333 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 128.2.211.114 (2) (03:39:09.072 PDT-03:49:09.776 PDT) event=1:9930006 (2) {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2: 2121->2121 (03:39:09.072 PDT-03:49:09.776 PDT) DECLARE BOT tcpslice 1342521549.072 1342522149.777 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 03:59:09.341 PDT Gen. Time: 07/17/2012 03:59:09.341 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 128.2.211.114 (03:59:09.341 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (03:59:09.341 PDT) DECLARE BOT tcpslice 1342522749.341 1342522749.342 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: 188.93.19.162 Peer Coord. List: Resource List: Observed Start: 07/17/2012 03:59:09.341 PDT Gen. 
Time: 07/17/2012 04:02:44.671 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 188.93.19.162 (04:01:43.429 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 4815->50530 (04:01:43.429 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 128.2.211.114 (03:59:09.341 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (03:59:09.341 PDT) DECLARE BOT tcpslice 1342522749.341 1342522749.342 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.42.43.22 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 04:05:56.589 PDT Gen. 
Time: 07/17/2012 04:06:10.339 PDT INBOUND SCAN EXPLOIT 192.42.43.22 (04:06:10.339 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2028<-2021 (04:06:10.339 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 169.226.40.2 (04:05:56.589 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40 2027->2005 (04:05:56.589 PDT) ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT tcpslice 1342523156.589 1342523156.590 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.7 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 160.80.221.39, 192.41.135.219, 169.226.40.2, 157.159.226.74, 192.42.43.22, 192.33.90.68 Egg Source List: C & C List: 188.93.19.162 Peer Coord. List: Resource List: Observed Start: 07/17/2012 04:05:56.589 PDT Gen. 
Time: 07/17/2012 04:13:29.353 PDT INBOUND SCAN EXPLOIT 160.80.221.39 (04:08:09.515 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2021<-2012 (04:08:09.515 PDT) 192.41.135.219 (04:07:33.228 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2006<-2030 (04:07:33.228 PDT) 169.226.40.2 (04:10:24.464 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2018<-2026 (04:10:24.464 PDT) 157.159.226.74 (04:06:58.910 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2023<-2008 (04:06:58.910 PDT) 192.42.43.22 (04:06:10.339 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2028<-2021 (04:06:10.339 PDT) 192.33.90.68 (04:07:08.580 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2003<-2022 (04:07:08.580 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 188.93.19.162 (04:13:29.353 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 4815->58631 (04:13:29.353 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 169.226.40.2 (04:05:56.589 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40 2027->2005 (04:05:56.589 PDT) ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 128.2.211.114 (04:09:18.901 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2119->2119 (04:09:18.901 
PDT) DECLARE BOT tcpslice 1342523156.589 1342523156.590 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 04:19:30.018 PDT Gen. Time: 07/17/2012 04:19:30.018 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 138.238.250.155 (04:19:30.018 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 4121->4121 (04:19:30.018 PDT) DECLARE BOT tcpslice 1342523970.018 1342523970.019 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: 188.93.19.162 Peer Coord. List: Resource List: Observed Start: 07/17/2012 04:26:06.518 PDT Gen. 
Time: 07/17/2012 04:29:50.607 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 188.93.19.162 (04:26:06.518 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 4815->52164 (04:26:06.518 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 128.2.211.114 (04:29:50.607 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2119->2119 (04:29:50.607 PDT) DECLARE BOT tcpslice 1342524366.518 1342524366.519 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: 188.93.19.162 Peer Coord. List: Resource List: Observed Start: 07/17/2012 04:38:02.149 PDT Gen. 
Time: 07/17/2012 04:40:10.091 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 188.93.19.162 (04:38:02.149 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 4815->60130 (04:38:02.149 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 138.238.250.155 (04:40:10.091 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (04:40:10.091 PDT) DECLARE BOT tcpslice 1342525082.149 1342525082.150 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.2 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 165.230.49.114, 157.159.226.74 Egg Source List: C & C List: 188.93.19.162 Peer Coord. List: Resource List: Observed Start: 07/17/2012 04:46:55.114 PDT Gen. 
Time: 07/17/2012 04:50:28.103 PDT

INBOUND SCAN

EXPLOIT
  165.230.49.114 (04:46:55.114 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    2021<-2028 (04:46:55.114 PDT)
  157.159.226.74 (04:47:55.302 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    2020<-2028 (04:47:55.302 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC

C and C TRAFFIC (RBN)
  188.93.19.162 (04:48:10.404 PDT)
    event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
    4815->63018 (04:48:10.404 PDT)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port
  128.2.211.114 (04:50:28.103 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    2119->2119 (04:50:28.103 PDT)

DECLARE BOT

tcpslice 1342525615.114 1342525615.115 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 04:58:37.464 PDT
Gen. Time: 07/17/2012 04:58:37.464 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port
  130.149.49.136 (04:58:37.464 PDT)
    event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    41313->42781 (04:58:37.464 PDT)

DECLARE BOT

tcpslice 1342526317.464 1342526317.465 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 04:58:37.464 PDT
Gen. Time: 07/17/2012 05:01:02.371 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC

C and C TRAFFIC (RBN)
  218.6.19.3 (04:58:51.733 PDT)
    event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
    4815->59402 (04:58:51.733 PDT)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port
  130.149.49.136 (04:58:37.464 PDT)
    event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    41313->42781 (04:58:37.464 PDT)

DECLARE BOT

tcpslice 1342526317.464 1342526317.465 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 05:01:11.416 PDT
Gen. Time: 07/17/2012 05:01:11.416 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port
  195.37.16.125 (05:01:11.416 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    2121->2121 (05:01:11.416 PDT)

DECLARE BOT

tcpslice 1342526471.416 1342526471.417 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.2 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 169.226.40.2, 169.235.24.232
Egg Source List:
C & C List: 188.93.19.162
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 05:01:11.416 PDT
Gen. Time: 07/17/2012 05:10:05.283 PDT

INBOUND SCAN

EXPLOIT
  169.226.40.2 (05:06:17.533 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    2028<-2006 (05:06:17.533 PDT)
  169.235.24.232 (05:01:45.548 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    2008<-2024 (05:01:45.548 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC

C and C TRAFFIC (RBN)
  188.93.19.162 (05:10:05.283 PDT)
    event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
    4815->53667 (05:10:05.283 PDT)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port
  195.37.16.125 (05:01:11.416 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    2121->2121 (05:01:11.416 PDT)

DECLARE BOT

tcpslice 1342526471.416 1342526471.417 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 05:11:11.998 PDT
Gen. Time: 07/17/2012 05:11:11.998 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port
  128.2.211.114 (05:11:11.998 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    2121->2121 (05:11:11.998 PDT)

DECLARE BOT

tcpslice 1342527071.998 1342527071.999 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 165.91.55.9
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 05:16:49.924 PDT
Gen. Time: 07/17/2012 05:18:32.717 PDT

INBOUND SCAN

EXPLOIT
  165.91.55.9 (05:16:49.924 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    2024<-2030 (05:16:49.924 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN
  192.6.26.32 (05:18:32.717 PDT)
    event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40
    2020->2026 (05:18:32.717 PDT)

ATTACK PREP

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port

DECLARE BOT

tcpslice 1342527409.924 1342527409.925 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.6 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 165.91.55.9, 192.41.135.218
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 05:16:49.924 PDT
Gen. Time: 07/17/2012 05:22:38.245 PDT

INBOUND SCAN

EXPLOIT
  165.91.55.9 (05:16:49.924 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    2024<-2030 (05:16:49.924 PDT)
  192.41.135.218 (05:19:49.819 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    2028<-2030 (05:19:49.819 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN
  192.6.26.32 (05:18:32.717 PDT)
    event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40
    2020->2026 (05:18:32.717 PDT)

ATTACK PREP

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port
  128.2.211.114 (05:21:11.737 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    2121->2121 (05:21:11.737 PDT)

DECLARE BOT

tcpslice 1342527409.924 1342527409.925 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 192.42.83.253, 192.42.83.251, 192.33.90.68
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 05:28:40.374 PDT
Gen. Time: 07/17/2012 05:29:53.184 PDT

INBOUND SCAN

EXPLOIT
  192.42.83.253 (05:28:40.374 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    2002<-2008 (05:28:40.374 PDT)
  192.42.83.251 (05:29:17.815 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    2007<-2012 (05:29:17.815 PDT)
  192.33.90.68 (05:29:29.097 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    2005<-2027 (05:29:29.097 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port
  130.149.49.136 (05:29:53.184 PDT)
    event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    42879->49301 (05:29:53.184 PDT)

DECLARE BOT

tcpslice 1342528120.374 1342528120.375 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 05:31:11.903 PDT
Gen. Time: 07/17/2012 05:31:11.903 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port
  128.2.211.114 (05:31:11.903 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    2121->2121 (05:31:11.903 PDT)

DECLARE BOT

tcpslice 1342528271.903 1342528271.904 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 05:41:11.053 PDT
Gen. Time: 07/17/2012 05:41:11.053 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port
  128.2.211.114 (05:41:11.053 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    2121->2121 (05:41:11.053 PDT)

DECLARE BOT

tcpslice 1342528871.053 1342528871.054 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.2 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 165.230.49.119
Egg Source List:
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 05:41:11.053 PDT
Gen. Time: 07/17/2012 05:48:24.318 PDT

INBOUND SCAN

EXPLOIT
  165.230.49.119 (05:45:02.756 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    2019<-2029 (05:45:02.756 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC

C and C TRAFFIC (RBN)
  218.6.19.3 (05:47:32.961 PDT)
    event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
    4815->46628 (05:47:32.961 PDT)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port
  128.2.211.114 (05:41:11.053 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    2121->2121 (05:41:11.053 PDT)

DECLARE BOT

tcpslice 1342528871.053 1342528871.054 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 05:51:11.235 PDT
Gen. Time: 07/17/2012 05:51:11.235 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port
  128.2.211.114 (05:51:11.235 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    2121->2121 (05:51:11.235 PDT)

DECLARE BOT

tcpslice 1342529471.235 1342529471.236 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 192.197.121.2, 156.56.250.226, 155.246.12.163, 192.42.43.23
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 05:51:11.235 PDT
Gen. Time: 07/17/2012 05:55:20.231 PDT

INBOUND SCAN

EXPLOIT
  192.197.121.2 (05:53:17.160 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    2024<-2011 (05:53:17.160 PDT)
  156.56.250.226 (05:53:48.356 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    2021<-2004 (05:53:48.356 PDT)
  155.246.12.163 (05:54:23.015 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    2005<-2008 (05:54:23.015 PDT)
  192.42.43.23 (3) (05:53:36.393 PDT-05:54:05.537 PDT)
    event=1:22012087 (3) {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    2017<-2029 (05:53:36.393 PDT)
    2: 2016<-2012 (05:54:02.469 PDT-05:54:05.537 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port
  128.2.211.114 (05:51:11.235 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    2121->2121 (05:51:11.235 PDT)
  130.104.72.201 (05:51:32.921 PDT)
    event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    56170->49302 (05:51:32.921 PDT)

DECLARE BOT

tcpslice 1342529471.235 1342529645.538 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 192.42.43.23
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 05:55:32.948 PDT
Gen. Time: 07/17/2012 05:55:44.562 PDT

INBOUND SCAN

EXPLOIT
  192.42.43.23 (05:55:32.948 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    2021<-2029 (05:55:32.948 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN
  162.105.205.21 (05:55:44.562 PDT)
    event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40
    2007->2005 (05:55:44.562 PDT)

ATTACK PREP

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port

DECLARE BOT

tcpslice 1342529732.948 1342529732.949 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.7 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 192.33.90.67, 169.226.40.2, 155.98.35.7, 161.106.240.18, 192.42.43.23
Egg Source List:
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 05:55:32.948 PDT
Gen. Time: 07/17/2012 06:02:24.628 PDT

INBOUND SCAN

EXPLOIT
  192.33.90.67 (05:56:48.195 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    2009<-2020 (05:56:48.195 PDT)
  169.226.40.2 (2) (05:56:53.022 PDT)
    event=1:22012087 (2) {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    2023<-2011 (05:56:53.022 PDT)
    2006<-2009 (05:58:41.817 PDT)
  155.98.35.7 (05:56:03.701 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    2013<-2016 (05:56:03.701 PDT)
  161.106.240.18 (05:55:59.958 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    2024<-2028 (05:55:59.958 PDT)
  192.42.43.23 (05:55:32.948 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    2021<-2029 (05:55:32.948 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC

C and C TRAFFIC (RBN)
  218.6.19.3 (05:58:56.864 PDT)
    event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
    4815->33497 (05:58:56.864 PDT)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN
  162.105.205.21 (05:55:44.562 PDT)
    event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40
    2007->2005 (05:55:44.562 PDT)

ATTACK PREP

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port
  130.104.72.201 (06:01:12.445 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    49302->49302 (06:01:12.445 PDT)

DECLARE BOT

tcpslice 1342529732.948 1342529732.949 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 160.193.163.106, 192.197.121.2, 162.105.205.21
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 06:09:36.361 PDT
Gen. Time: 07/17/2012 06:11:12.445 PDT

INBOUND SCAN

EXPLOIT
  160.193.163.106 (06:10:47.524 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    2013<-2028 (06:10:47.524 PDT)
  192.197.121.2 (06:09:37.896 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    2013<-2017 (06:09:37.896 PDT)
  162.105.205.21 (06:09:36.361 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    2018<-2019 (06:09:36.361 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port
  130.104.72.201 (06:11:12.445 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    49302->49302 (06:11:12.445 PDT)

DECLARE BOT

tcpslice 1342530576.361 1342530576.362 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.7 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 160.193.163.106, 192.197.121.2, 162.105.205.21
Egg Source List:
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 06:09:36.361 PDT
Gen. Time: 07/17/2012 06:14:20.435 PDT

INBOUND SCAN

EXPLOIT
  160.193.163.106 (06:10:47.524 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    2013<-2028 (06:10:47.524 PDT)
  192.197.121.2 (06:09:37.896 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    2013<-2017 (06:09:37.896 PDT)
  162.105.205.21 (06:09:36.361 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    2018<-2019 (06:09:36.361 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC

C and C TRAFFIC (RBN)
  218.6.19.3 (06:11:46.950 PDT)
    event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
    4815->59394 (06:11:46.950 PDT)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN
  192.41.135.219 (06:11:12.621 PDT)
    event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40
    2026->2018 (06:11:12.621 PDT)

ATTACK PREP

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port
  130.104.72.201 (06:11:12.445 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    49302->49302 (06:11:12.445 PDT)

DECLARE BOT

tcpslice 1342530576.361 1342530576.362 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 06:21:21.075 PDT
Gen. Time: 07/17/2012 06:21:21.075 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port
  130.104.72.201 (06:21:21.075 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    4121->4121 (06:21:21.075 PDT)

DECLARE BOT

tcpslice 1342531281.075 1342531281.076 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 06:21:21.075 PDT
Gen. Time: 07/17/2012 06:25:01.839 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC

C and C TRAFFIC (RBN)
  218.6.19.3 (06:22:35.931 PDT)
    event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
    4815->35676 (06:22:35.931 PDT)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port
  137.165.1.111 (06:24:26.899 PDT)
    event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    58148->54593 (06:24:26.899 PDT)
  130.104.72.201 (06:21:21.075 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    4121->4121 (06:21:21.075 PDT)

DECLARE BOT

tcpslice 1342531281.075 1342531281.076 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.3 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 06:29:08.965 PDT
Gen. Time: 07/17/2012 06:31:33.427 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN
  155.246.12.164 (06:29:08.965 PDT)
    event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40
    2005->2015 (06:29:08.965 PDT)

ATTACK PREP

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port
  130.104.72.201 (06:31:33.427 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    49302->49302 (06:31:33.427 PDT)

DECLARE BOT

tcpslice 1342531748.965 1342531748.966 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 193.10.64.35, 190.227.163.142
Egg Source List:
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 06:35:33.014 PDT
Gen. Time: 07/17/2012 06:41:18.855 PDT

INBOUND SCAN

EXPLOIT
  193.10.64.35 (06:37:36.556 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    2008<-2023 (06:37:36.556 PDT)
  190.227.163.142 (06:37:11.930 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    2007<-2016 (06:37:11.930 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC

C and C TRAFFIC (RBN)
  218.6.19.3 (06:35:33.014 PDT)
    event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
    4815->37760 (06:35:33.014 PDT)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN
  192.16.125.11 (06:41:18.855 PDT)
    event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40
    2015->2002 (06:41:18.855 PDT)

ATTACK PREP

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port

DECLARE BOT

tcpslice 1342532133.014 1342532133.015 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.7 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 165.91.55.10, 192.16.125.12, 193.10.64.35, 190.227.163.142
Egg Source List:
C & C List: 218.6.19.3 (2)
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 06:35:33.014 PDT
Gen. Time: 07/17/2012 06:50:41.446 PDT

INBOUND SCAN

EXPLOIT
  165.91.55.10 (06:41:59.479 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    2014<-2017 (06:41:59.479 PDT)
  192.16.125.12 (06:46:00.190 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    2015<-2005 (06:46:00.190 PDT)
  193.10.64.35 (2) (06:37:36.556 PDT)
    event=1:22012087 (2) {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    2008<-2023 (06:37:36.556 PDT)
    2010<-2008 (06:43:56.157 PDT)
  190.227.163.142 (06:37:11.930 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    2007<-2016 (06:37:11.930 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC

C and C TRAFFIC (RBN)
  218.6.19.3 (2) (06:35:33.014 PDT)
    event=1:3810007 (2) {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
    4815->37760 (06:35:33.014 PDT)
    4815->32981 (06:47:56.455 PDT)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN
  192.16.125.11 (06:41:18.855 PDT)
    event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40
    2015->2002 (06:41:18.855 PDT)

ATTACK PREP

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port
  129.93.229.138 (06:41:45.386 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    2121->2121 (06:41:45.386 PDT)

DECLARE BOT

tcpslice 1342532133.014 1342532133.015 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 192.114.4.3
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 06:51:44.989 PDT
Gen. Time: 07/17/2012 06:52:11.637 PDT

INBOUND SCAN

EXPLOIT
  192.114.4.3 (06:51:44.989 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    2014<-2005 (06:51:44.989 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port
  143.89.49.74 (06:52:11.637 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    4121->4121 (06:52:11.637 PDT)

DECLARE BOT

tcpslice 1342533104.989 1342533104.990 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.2 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 192.114.4.3, 192.138.213.238, 160.80.221.37
Egg Source List:
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 06:51:44.989 PDT
Gen. Time: 07/17/2012 07:01:38.876 PDT

INBOUND SCAN

EXPLOIT
  192.114.4.3 (06:51:44.989 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    2014<-2005 (06:51:44.989 PDT)
  192.138.213.238 (06:57:39.493 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    2006<-2009 (06:57:39.493 PDT)
  160.80.221.37 (06:53:02.193 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    2006<-2028 (06:53:02.193 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC

C and C TRAFFIC (RBN)
  218.6.19.3 (06:58:58.025 PDT)
    event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
    4815->57900 (06:58:58.025 PDT)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port
  143.89.49.74 (06:52:11.637 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    4121->4121 (06:52:11.637 PDT)

DECLARE BOT

tcpslice 1342533104.989 1342533104.990 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 07:02:56.720 PDT
Gen. Time: 07/17/2012 07:02:56.720 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port
  128.2.211.114 (07:02:56.720 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    2121->2121 (07:02:56.720 PDT)

DECLARE BOT

tcpslice 1342533776.720 1342533776.721 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.7 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 192.16.125.12, 165.230.49.119, 192.33.90.66, 192.197.121.3
Egg Source List:
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 07:02:56.720 PDT
Gen. Time: 07/17/2012 07:19:22.991 PDT

INBOUND SCAN

EXPLOIT
  192.16.125.12 (07:10:20.338 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    2023<-2006 (07:10:20.338 PDT)
  165.230.49.119 (07:07:14.730 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    2008<-2026 (07:07:14.730 PDT)
  192.33.90.66 (07:13:13.673 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    2013<-2007 (07:13:13.673 PDT)
  192.197.121.3 (07:05:19.781 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    2008<-2024 (07:05:19.781 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC

C and C TRAFFIC (RBN)
  218.6.19.3 (07:11:14.445 PDT)
    event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
    4815->33359 (07:11:14.445 PDT)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN
  160.193.163.106 (07:16:10.971 PDT)
    event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40
    2029->2029 (07:16:10.971 PDT)
  165.230.49.119 (07:05:41.586 PDT)
    event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40
    2010->2017 (07:05:41.586 PDT)

ATTACK PREP

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port
  128.2.211.114 (2) (07:02:56.720 PDT)
    event=1:9930006 (2) {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    2121->2121 (07:02:56.720 PDT)
    2119->2119 (07:12:56.257 PDT)

DECLARE BOT

tcpslice 1342533776.720 1342533776.721 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List: 188.93.19.162
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 07:22:47.366 PDT
Gen. Time: 07/17/2012 07:24:05.774 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC

C and C TRAFFIC (RBN)
  188.93.19.162 (07:22:47.366 PDT)
    event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
    4815->62158 (07:22:47.366 PDT)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port
  138.238.250.155 (07:24:05.774 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    2121->2121 (07:24:05.774 PDT)

DECLARE BOT

tcpslice 1342534967.366 1342534967.367 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List: 188.93.19.162
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 07:22:47.366 PDT
Gen. Time: 07/17/2012 07:26:41.072 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC

C and C TRAFFIC (RBN)
  188.93.19.162 (07:22:47.366 PDT)
    event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
    4815->62158 (07:22:47.366 PDT)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port
  138.238.250.155 (07:24:05.774 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    2121->2121 (07:24:05.774 PDT)
  132.239.17.226 (07:26:06.252 PDT)
    event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    41070->47749 (07:26:06.252 PDT)

DECLARE BOT

tcpslice 1342534967.366 1342534967.367 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 155.246.12.163, 192.197.121.3
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 07:26:42.225 PDT
Gen. 
Time: 07/17/2012 07:34:15.881 PDT INBOUND SCAN EXPLOIT 155.246.12.163 (07:30:23.802 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2022<-2024 (07:30:23.802 PDT) 192.197.121.3 (07:26:42.225 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2013<-2025 (07:26:42.225 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 128.2.211.114 (07:34:15.881 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (07:34:15.881 PDT) DECLARE BOT tcpslice 1342535202.225 1342535202.226 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 07/17/2012 07:34:23.155 PDT Gen. 
Time: 07/17/2012 07:36:37.659 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (07:34:23.155 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 4815->42471 (07:34:23.155 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 130.104.72.201 (07:36:37.659 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 53574->49302 (07:36:37.659 PDT) DECLARE BOT tcpslice 1342535663.155 1342535663.156 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 07:44:19.099 PDT Gen. Time: 07/17/2012 07:44:19.099 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 206.207.248.34 (07:44:19.099 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (07:44:19.099 PDT) DECLARE BOT tcpslice 1342536259.099 1342536259.100 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: 188.93.19.162 Peer Coord. List: Resource List: Observed Start: 07/17/2012 07:44:19.099 PDT Gen. 
Time: 07/17/2012 07:48:25.021 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 188.93.19.162 (07:45:43.938 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 4815->60820 (07:45:43.938 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 192.138.213.238 (07:45:42.499 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40 2022->2018 (07:45:42.499 PDT) ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 206.207.248.34 (07:44:19.099 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (07:44:19.099 PDT) DECLARE BOT tcpslice 1342536259.099 1342536259.100 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 165.230.49.115 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 07:49:48.623 PDT Gen. 
Time: 07/17/2012 07:50:35.920 PDT INBOUND SCAN EXPLOIT 165.230.49.115 (07:49:48.623 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2024<-2007 (07:49:48.623 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 192.41.135.219 (07:50:35.920 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40 2029->2004 (07:50:35.920 PDT) ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT tcpslice 1342536588.623 1342536588.624 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 165.230.49.115 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 07:49:48.623 PDT Gen. 
Time: 07/17/2012 07:54:22.645 PDT INBOUND SCAN EXPLOIT 165.230.49.115 (07:49:48.623 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2024<-2007 (07:49:48.623 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 192.41.135.219 (07:50:35.920 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40 2029->2004 (07:50:35.920 PDT) ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 129.93.229.138 (07:54:22.645 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (07:54:22.645 PDT) DECLARE BOT tcpslice 1342536588.623 1342536588.624 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 155.246.12.163 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 07:59:44.266 PDT Gen. 
Time: 07/17/2012 08:04:37.300 PDT INBOUND SCAN EXPLOIT 155.246.12.163 (07:59:44.266 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2002<-2009 (07:59:44.266 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 130.104.72.201 (08:04:37.300 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 49302->49302 (08:04:37.300 PDT) DECLARE BOT tcpslice 1342537184.266 1342537184.267 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 08:14:37.614 PDT Gen. Time: 07/17/2012 08:14:37.614 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 128.2.211.114 (08:14:37.614 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (08:14:37.614 PDT) DECLARE BOT tcpslice 1342538077.614 1342538077.615 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.33.90.66 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 08:14:37.614 PDT Gen. 
Time: 07/17/2012 08:18:31.390 PDT INBOUND SCAN EXPLOIT 192.33.90.66 (08:15:59.614 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2005<-2013 (08:15:59.614 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 128.2.211.114 (08:14:37.614 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (08:14:37.614 PDT) DECLARE BOT tcpslice 1342538077.614 1342538077.615 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.42.83.253 Egg Source List: C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 07/17/2012 08:19:02.947 PDT Gen. 
Time: 07/17/2012 08:23:16.519 PDT INBOUND SCAN EXPLOIT 192.42.83.253 (08:23:16.519 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2022<-2009 (08:23:16.519 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (08:21:00.335 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 4815->47910 (08:21:00.335 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 165.230.49.118 (08:20:55.693 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40 2004->2023 (08:20:55.693 PDT) 192.33.90.68 (08:19:02.947 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40 2021->2024 (08:19:02.947 PDT) ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT tcpslice 1342538342.947 1342538342.948 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.7 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.42.83.253 Egg Source List: C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 07/17/2012 08:19:02.947 PDT Gen. 
Time: 07/17/2012 08:26:41.702 PDT INBOUND SCAN EXPLOIT 192.42.83.253 (08:23:16.519 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2022<-2009 (08:23:16.519 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (08:21:00.335 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 4815->47910 (08:21:00.335 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 165.230.49.118 (08:20:55.693 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40 2004->2023 (08:20:55.693 PDT) 192.33.90.68 (08:19:02.947 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40 2021->2024 (08:19:02.947 PDT) ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 128.2.211.114 (08:24:37.757 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (08:24:37.757 PDT) DECLARE BOT tcpslice 1342538342.947 1342538342.948 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 08:34:37.962 PDT Gen. 
Time: 07/17/2012 08:34:37.962 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 128.2.211.114 (08:34:37.962 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (08:34:37.962 PDT) DECLARE BOT tcpslice 1342539277.962 1342539277.963 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 156.17.10.52, 163.117.253.22 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 08:34:37.962 PDT Gen. Time: 07/17/2012 08:39:24.678 PDT INBOUND SCAN EXPLOIT 156.17.10.52 (08:34:52.564 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2025<-2006 (08:34:52.564 PDT) 163.117.253.22 (08:35:15.536 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2003<-2003 (08:35:15.536 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 128.2.211.114 (08:34:37.962 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (08:34:37.962 PDT) DECLARE BOT tcpslice 1342539277.962 1342539277.963 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.2 (>= 0.8) Infected Target: 192.168.1.102 
Infector List: 165.230.49.114, 157.181.175.249 Egg Source List: C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 07/17/2012 08:43:10.233 PDT Gen. Time: 07/17/2012 08:44:37.162 PDT INBOUND SCAN EXPLOIT 165.230.49.114 (08:43:10.233 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2024<-2021 (08:43:10.233 PDT) 157.181.175.249 (08:44:12.123 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2017<-2021 (08:44:12.123 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (08:43:34.675 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 4815->41212 (08:43:34.675 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 128.2.211.114 (08:44:37.162 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (08:44:37.162 PDT) DECLARE BOT tcpslice 1342539790.233 1342539790.234 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 193.136.191.25 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 08:54:05.803 PDT Gen. 
Time: 07/17/2012 08:54:37.266 PDT INBOUND SCAN EXPLOIT 193.136.191.25 (08:54:05.803 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2001<-2026 (08:54:05.803 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 128.2.211.114 (08:54:37.266 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (08:54:37.266 PDT) DECLARE BOT tcpslice 1342540445.803 1342540445.804 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.7 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 193.136.191.25, 155.246.12.163, 165.242.90.129 Egg Source List: C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 07/17/2012 08:54:05.803 PDT Gen. 
Time: 07/17/2012 09:00:43.522 PDT INBOUND SCAN EXPLOIT 193.136.191.25 (08:54:05.803 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2001<-2026 (08:54:05.803 PDT) 155.246.12.163 (08:55:18.321 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2019<-2017 (08:55:18.321 PDT) 165.242.90.129 (08:55:02.946 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2021<-2009 (08:55:02.946 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (08:55:29.202 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 4815->39662 (08:55:29.202 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 160.80.221.39 (08:57:45.090 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40 2026->2002 (08:57:45.090 PDT) ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 128.2.211.114 (08:54:37.266 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (08:54:37.266 PDT) DECLARE BOT tcpslice 1342540445.803 1342540445.804 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 09:04:51.319 PDT Gen. 
Time: 07/17/2012 09:04:51.319 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 128.2.211.114 (09:04:51.319 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2119->2119 (09:04:51.319 PDT) DECLARE BOT tcpslice 1342541091.319 1342541091.320 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.2 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 190.227.163.141 Egg Source List: C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 07/17/2012 09:04:51.319 PDT Gen. Time: 07/17/2012 09:09:39.391 PDT INBOUND SCAN EXPLOIT 190.227.163.141 (09:06:38.096 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2004<-2015 (09:06:38.096 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (09:07:07.490 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 4815->53838 (09:07:07.490 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 128.2.211.114 (09:04:51.319 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2119->2119 (09:04:51.319 PDT) DECLARE BOT tcpslice 1342541091.319 1342541091.320 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg 
Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 09:14:56.639 PDT Gen. Time: 07/17/2012 09:14:56.639 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 130.104.72.201 (09:14:56.639 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 49301->49301 (09:14:56.639 PDT) DECLARE BOT tcpslice 1342541696.639 1342541696.640 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 09:25:29.006 PDT Gen. Time: 07/17/2012 09:25:29.006 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 128.2.211.114 (09:25:29.006 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2119->2119 (09:25:29.006 PDT) DECLARE BOT tcpslice 1342542329.006 1342542329.007 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 07/17/2012 09:25:29.006 PDT Gen. 
Time: 07/17/2012 09:28:41.579 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (09:28:24.928 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 4815->48587 (09:28:24.928 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 128.2.211.114 (09:25:29.006 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2119->2119 (09:25:29.006 PDT) DECLARE BOT tcpslice 1342542329.006 1342542329.007 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 156.56.250.227, 157.181.175.249, 165.91.55.11 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 09:34:19.591 PDT Gen. 
Time: 07/17/2012 09:35:32.602 PDT INBOUND SCAN EXPLOIT 156.56.250.227 (09:34:36.020 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2014<-2012 (09:34:36.020 PDT) 157.181.175.249 (09:34:19.591 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2028<-2007 (09:34:19.591 PDT) 165.91.55.11 (09:34:32.193 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2029<-2005 (09:34:32.193 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 128.2.211.114 (09:35:32.602 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2119->2119 (09:35:32.602 PDT) DECLARE BOT tcpslice 1342542859.591 1342542859.592 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.7 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 156.56.250.227, 192.33.90.66, 157.181.175.249, 192.138.213.236, 165.91.55.11 Egg Source List: C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 07/17/2012 09:34:19.591 PDT Gen. 
Time: 07/17/2012 09:44:19.798 PDT INBOUND SCAN EXPLOIT 156.56.250.227 (09:34:36.020 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2014<-2012 (09:34:36.020 PDT) 192.33.90.66 (09:41:06.394 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2011<-2018 (09:41:06.394 PDT) 157.181.175.249 (09:34:19.591 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2028<-2007 (09:34:19.591 PDT) 192.138.213.236 (09:40:34.675 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2023<-2021 (09:40:34.675 PDT) 165.91.55.11 (09:34:32.193 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2029<-2005 (09:34:32.193 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (09:41:46.298 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 4815->42976 (09:41:46.298 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 162.105.205.21 (09:36:19.536 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40 2024->2026 (09:36:19.536 PDT) ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 128.2.211.114 (09:35:32.602 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2119->2119 (09:35:32.602 PDT) DECLARE BOT tcpslice 1342542859.591 1342542859.592 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR 
================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 09:45:48.100 PDT
Gen. Time: 07/17/2012 09:45:48.100 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port
 138.238.250.155 (09:45:48.100 PDT)
  event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
  2121->2121 (09:45:48.100 PDT)

DECLARE BOT

tcpslice 1342543548.100 1342543548.101 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================
Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 163.117.253.22, 192.138.213.236
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 09:45:48.100 PDT
Gen. Time: 07/17/2012 09:51:52.403 PDT

INBOUND SCAN

EXPLOIT
 163.117.253.22 (09:46:20.058 PDT)
  event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  2023<-2005 (09:46:20.058 PDT)
 192.138.213.236 (09:47:52.224 PDT)
  event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  2011<-2025 (09:47:52.224 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port
 138.238.250.155 (09:45:48.100 PDT)
  event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
  2121->2121 (09:45:48.100 PDT)

DECLARE BOT

tcpslice 1342543548.100 1342543548.101 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================
Score: 1.2 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 169.235.24.133
Egg Source List:
C & C List: 188.93.19.162
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 09:52:04.281 PDT
Gen. Time: 07/17/2012 09:55:54.274 PDT

INBOUND SCAN

EXPLOIT
 169.235.24.133 (09:52:53.479 PDT)
  event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  2009<-2011 (09:52:53.479 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC

C and C TRAFFIC (RBN)
 188.93.19.162 (09:52:04.281 PDT)
  event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
  4815->50259 (09:52:04.281 PDT)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port
 128.2.211.114 (09:55:54.274 PDT)
  event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
  2121->2121 (09:55:54.274 PDT)

DECLARE BOT

tcpslice 1342543924.281 1342543924.282 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================
Score: 1.2 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 169.235.24.133, 192.138.213.236
Egg Source List:
C & C List: 188.93.19.162
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 09:52:04.281 PDT
Gen. Time: 07/17/2012 09:58:41.454 PDT

INBOUND SCAN

EXPLOIT
 169.235.24.133 (09:52:53.479 PDT)
  event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  2009<-2011 (09:52:53.479 PDT)
 192.138.213.236 (09:56:18.818 PDT)
  event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  2021<-2011 (09:56:18.818 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC

C and C TRAFFIC (RBN)
 188.93.19.162 (09:52:04.281 PDT)
  event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
  4815->50259 (09:52:04.281 PDT)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port
 128.2.211.114 (09:55:54.274 PDT)
  event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
  2121->2121 (09:55:54.274 PDT)

DECLARE BOT

tcpslice 1342543924.281 1342543924.282 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================
Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 10:04:22.251 PDT
Gen. Time: 07/17/2012 10:04:34.532 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC

C and C TRAFFIC (RBN)
 218.6.19.3 (10:04:22.251 PDT)
  event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
  4815->41156 (10:04:22.251 PDT)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port
 138.238.250.155 (10:04:34.532 PDT)
  event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
  39545->42781 (10:04:34.532 PDT)

DECLARE BOT

tcpslice 1342544662.251 1342544662.252 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================
Score: 1.7 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 161.106.240.19, 157.159.226.72, 192.42.83.251, 192.42.43.22, 192.197.121.3
Egg Source List:
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 10:04:22.251 PDT
Gen. Time: 07/17/2012 10:12:48.261 PDT

INBOUND SCAN

EXPLOIT
 161.106.240.19 (10:04:45.053 PDT)
  event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  2028<-2023 (10:04:45.053 PDT)
 157.159.226.72 (10:06:21.135 PDT)
  event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  2019<-2017 (10:06:21.135 PDT)
 192.42.83.251 (10:09:36.800 PDT)
  event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  2025<-2021 (10:09:36.800 PDT)
 192.42.43.22 (10:06:49.041 PDT)
  event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  2020<-2025 (10:06:49.041 PDT)
 192.197.121.3 (10:06:50.546 PDT)
  event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  2020<-2017 (10:06:50.546 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC

C and C TRAFFIC (RBN)
 218.6.19.3 (10:04:22.251 PDT)
  event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
  4815->41156 (10:04:22.251 PDT)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN
 165.242.90.129 (10:06:36.529 PDT)
  event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40
  2004->2013 (10:06:36.529 PDT)
 190.227.163.142 (10:06:21.890 PDT)
  event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40
  2012->2003 (10:06:21.890 PDT)

ATTACK PREP

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port
 138.238.250.155 (10:04:34.532 PDT)
  event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
  39545->42781 (10:04:34.532 PDT)
 206.207.248.34 (10:05:55.460 PDT)
  event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
  2121->2121 (10:05:55.460 PDT)

DECLARE BOT

tcpslice 1342544662.251 1342544662.252 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================
Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 10:14:44.553 PDT
Gen. Time: 07/17/2012 10:14:48.891 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC

C and C TRAFFIC (RBN)
 218.6.19.3 (10:14:44.553 PDT)
  event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
  4815->39949 (10:14:44.553 PDT)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port
 137.165.1.111 (10:14:48.891 PDT)
  event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
  55730->49301 (10:14:48.891 PDT)

DECLARE BOT

tcpslice 1342545284.553 1342545284.554 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================
Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 10:14:44.553 PDT
Gen. Time: 07/17/2012 10:18:58.306 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC

C and C TRAFFIC (RBN)
 218.6.19.3 (10:14:44.553 PDT)
  event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
  4815->39949 (10:14:44.553 PDT)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port
 137.165.1.111 (2) (10:14:48.891 PDT)
  event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
  55730->49301 (10:14:48.891 PDT)
  -------------------------
  event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
  49301->49301 (10:15:55.022 PDT)

DECLARE BOT

tcpslice 1342545284.553 1342545284.554 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================
Score: 1.3 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 10:25:23.204 PDT
Gen. Time: 07/17/2012 10:25:58.723 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN
 155.98.35.7 (10:25:23.204 PDT)
  event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40
  2009->2017 (10:25:23.204 PDT)

ATTACK PREP

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port
 137.165.1.111 (10:25:58.723 PDT)
  event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
  49301->49301 (10:25:58.723 PDT)

DECLARE BOT

tcpslice 1342545923.204 1342545923.205 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================
Score: 1.7 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 192.107.171.145, 192.107.171.147, 163.117.253.22, 157.181.175.249
Egg Source List:
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 10:25:23.204 PDT
Gen. Time: 07/17/2012 10:35:58.451 PDT

INBOUND SCAN

EXPLOIT
 192.107.171.145 (10:30:46.433 PDT)
  event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  2002<-2018 (10:30:46.433 PDT)
 192.107.171.147 (10:26:29.507 PDT)
  event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  2020<-2011 (10:26:29.507 PDT)
 163.117.253.22 (10:27:05.772 PDT)
  event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  2020<-2009 (10:27:05.772 PDT)
 157.181.175.249 (10:32:56.675 PDT)
  event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  2021<-2016 (10:32:56.675 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC

C and C TRAFFIC (RBN)
 218.6.19.3 (10:26:11.896 PDT)
  event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
  4815->49662 (10:26:11.896 PDT)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN
 155.98.35.7 (10:25:23.204 PDT)
  event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40
  2009->2017 (10:25:23.204 PDT)
 164.107.127.12 (10:29:40.432 PDT)
  event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40
  2004->2027 (10:29:40.432 PDT)

ATTACK PREP

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port
 137.165.1.111 (2) (10:25:58.723 PDT-10:35:58.451 PDT)
  event=1:9930006 (2) {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
  2: 49301->49301 (10:25:58.723 PDT-10:35:58.451 PDT)

DECLARE BOT

tcpslice 1342545923.204 1342546558.452 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
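The profiles above are BotHunter infection-dialog reports for 192.168.1.102. Each is emitted when the correlated evidence score reaches the 0.8 threshold, lists the hosts seen in each dialog phase (E2 inbound exploit, E4 C and C traffic, E5 outbound scan, E8 match against BotHunter's REPO list of known control servers), and ends with a tcpslice/tcpdump command for carving the supporting packets from the capture. Two things a reviewer of these profiles should check before acting on the DECLARE BOT verdicts: every E2 and E5 hit on this page comes from a rule that BotHunter itself labels "(experimental)", all of them on UDP ports in the 2001-2029 range, and no profile carries EGG DOWNLOAD or C and C DNS CHECK-IN evidence, so the verdicts rest on the E8 reputation-list matches and the E4 RBN-domain rule; and in most of these profiles the printed carving command spans only 1 ms from Observed Start, although the profile itself covers several minutes of traffic. The Python below is an added example, not BotHunter code. It parses this profile format (whether in BotHunter's multi-line layout or flattened onto one line as on this page), collects the hosts per phase, counts how many alerts come from experimental rules, and rebuilds the carving command over the full Observed Start to Gen. Time window. The sample input is two profiles transcribed from the report above and cut down to the sections that carry alerts; mapping the sensor's PDT label to UTC-7 is an assumption, which reproduces the page's own epoch values (1342543548.100 for 09:45:48.100 PDT).

```python
"""Parse BotHunter infection-profile text and summarise the evidence per dialog phase.

Added example, not BotHunter's own code.  Whitespace is normalised before matching,
so the parser reads BotHunter's multi-line layout and the flattened one-line form alike.
"""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
TS = r"\d\d/\d\d/\d{4} \d\d:\d\d:\d\d\.\d{3} [A-Z]{3,4}"
# One alert: host [(n)] (time) event=1:sid [(n)] {proto} Ephase[src] msg, [] MAC_Src|Dst: mac [n: ]port<-port
# Only the first port pair of a grouped "(n)" entry is captured.
ALERT = re.compile(
    r"(?P<host>" + IP + r")(?: \(\d+\))? \((?P<time>[^)]+)\) event=1:(?P<sid>\d+)(?: \(\d+\))? "
    r"\{(?P<proto>tcp|udp)\} (?P<phase>E\d)\[(?P<src>[^\]]+)\] (?P<msg>.*?), \[\] "
    r"MAC_(?P<macdir>Src|Dst): (?P<mac>[0-9A-Fa-f:]{17}) (?:\d+: )?(?P<p1>\d+)(?P<arrow><-|->)(?P<p2>\d+)"
)
UTC_OFFSET_H = {"PDT": -7, "PST": -8}  # assumption: the sensor's zone labels mean these fixed offsets
PHASE = {"E2": "infectors", "E4": "cnc_servers", "E5": "hosts_probed_by_target", "E8": "repo_declared_cnc"}

# Constructed sample: two profiles transcribed from the report, cut down to the sections with alerts.
SAMPLE = """\
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 09:45:48.100 PDT
Gen. Time: 07/17/2012 09:45:48.100 PDT
DECLARE BOT Non-standard Port
 138.238.250.155 (09:45:48.100 PDT)
  event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
  2121->2121 (09:45:48.100 PDT)
============================== SEPARATOR ================================
Score: 1.2 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 169.235.24.133
Egg Source List:
C & C List: 188.93.19.162
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 09:52:04.281 PDT
Gen. Time: 07/17/2012 09:55:54.274 PDT
EXPLOIT
 169.235.24.133 (09:52:53.479 PDT)
  event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  2009<-2011 (09:52:53.479 PDT)
C and C TRAFFIC (RBN)
 188.93.19.162 (09:52:04.281 PDT)
  event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
  4815->50259 (09:52:04.281 PDT)
DECLARE BOT Non-standard Port
 128.2.211.114 (09:55:54.274 PDT)
  event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
  2121->2121 (09:55:54.274 PDT)
"""


def _ip_list(flat, key):
    """Comma-separated IP list that follows 'key:'; empty tuple when the list is blank."""
    m = re.search(re.escape(key) + r": ((?:" + IP + r"(?:, )?)*)", flat)
    return tuple(x for x in m.group(1).split(", ") if x) if m else ()


def parse_profile(text):
    """Header fields and alerts of one profile (the text between SEPARATOR lines)."""
    flat = " ".join(text.split())
    score = re.search(r"Score: ([\d.]+) \(>= ([\d.]+)\)", flat)
    return {
        "score": float(score.group(1)), "threshold": float(score.group(2)),
        "target": _ip_list(flat, "Infected Target")[0],
        "infectors": _ip_list(flat, "Infector List"),
        "cnc": _ip_list(flat, "C & C List"),
        "start": re.search(r"Observed Start: (" + TS + ")", flat).group(1),
        "gen": re.search(r"Gen\. Time: (" + TS + ")", flat).group(1),
        "alerts": [m.groupdict() for m in ALERT.finditer(flat)],
    }


def parse_report(report):
    return [parse_profile(p) for p in report.split("SEPARATOR") if "Score:" in p]


def to_epoch(ts, plus_ms=0):
    """'07/17/2012 09:45:48.100 PDT' -> '1342543548.100', the form tcpslice takes."""
    stamp, zone = ts.rsplit(" ", 1)
    dt = datetime.strptime(stamp, "%m/%d/%Y %H:%M:%S.%f").replace(
        tzinfo=timezone(timedelta(hours=UTC_OFFSET_H[zone])))
    return f"{(dt + timedelta(milliseconds=plus_ms)).timestamp():.3f}"


def tcpslice_cmd(profile, pcap="inputFile.tcpd", out="outputFile.tcpd"):
    """Carving command over the whole profile window, Observed Start .. Gen. Time + 1 ms."""
    return (f"tcpslice {to_epoch(profile['start'])} {to_epoch(profile['gen'], 1)} "
            f"{pcap} | tcpdump -r - -w {out} 'host {profile['target']}'")


def summarise(report):
    """Hosts per dialog phase across all profiles, alert counts per rule id, and how many
    alerts came from rules BotHunter itself labels '(experimental)'."""
    out = {name: set() for name in PHASE.values()}
    out["alerts_by_sid"], out["experimental_alerts"] = Counter(), 0
    for prof in parse_report(report):
        for a in prof["alerts"]:
            out.setdefault(PHASE.get(a["phase"], "other"), set()).add(a["host"])
            out["alerts_by_sid"][a["sid"]] += 1
            out["experimental_alerts"] += a["msg"].startswith("(experimental)")
    return out
```

Run over the whole report on this page, summarise() yields seven REPO-declared hosts (138.238.250.155, 128.2.211.114, 206.207.248.34, 137.165.1.111, 132.239.17.226, 134.34.246.5, 143.89.49.74) and two E4 hosts (188.93.19.162, 218.6.19.3); those, plus the pcap slices that tcpslice_cmd() carves, are what to take to the capture for manual confirmation.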
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 10:46:00.768 PDT
Gen. Time: 07/17/2012 10:46:00.768 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port
 137.165.1.111 (10:46:00.768 PDT)
  event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
  49301->49301 (10:46:00.768 PDT)

DECLARE BOT

tcpslice 1342547160.768 1342547160.769 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================
Score: 1.7 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 192.33.90.67, 192.33.90.69, 157.159.226.74, 169.226.40.4, 192.33.90.68
Egg Source List:
C & C List: 188.93.19.162
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 10:46:00.768 PDT
Gen. Time: 07/17/2012 10:58:32.791 PDT

INBOUND SCAN

EXPLOIT
 192.33.90.67 (10:54:22.186 PDT)
  event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  2005<-2003 (10:54:22.186 PDT)
 192.33.90.69 (10:47:25.797 PDT)
  event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  2003<-2006 (10:47:25.797 PDT)
 157.159.226.74 (10:49:56.094 PDT)
  event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  2025<-2014 (10:49:56.094 PDT)
 169.226.40.4 (10:46:32.031 PDT)
  event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  2010<-2026 (10:46:32.031 PDT)
 192.33.90.68 (10:52:58.511 PDT)
  event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  2029<-2005 (10:52:58.511 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC

C and C TRAFFIC (RBN)
 188.93.19.162 (10:49:36.091 PDT)
  event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
  4815->59668 (10:49:36.091 PDT)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN
 192.114.4.3 (10:52:16.798 PDT)
  event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40
  2026->2001 (10:52:16.798 PDT)

ATTACK PREP

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port
 137.165.1.111 (2) (10:46:00.768 PDT-10:56:02.414 PDT)
  event=1:9930006 (2) {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
  2: 49301->49301 (10:46:00.768 PDT-10:56:02.414 PDT)
 132.239.17.226 (10:56:10.683 PDT)
  event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
  37190->47749 (10:56:10.683 PDT)

DECLARE BOT

tcpslice 1342547160.768 1342547762.415 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================
Score: 1.2 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 192.42.83.253, 163.117.253.23
Egg Source List:
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 11:01:59.856 PDT
Gen. Time: 07/17/2012 11:06:13.443 PDT

INBOUND SCAN

EXPLOIT
 192.42.83.253 (11:04:08.406 PDT)
  event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  2001<-2016 (11:04:08.406 PDT)
 163.117.253.23 (11:02:02.994 PDT)
  event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  2018<-2019 (11:02:02.994 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC

C and C TRAFFIC (RBN)
 218.6.19.3 (11:01:59.856 PDT)
  event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
  4815->51857 (11:01:59.856 PDT)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port
 134.34.246.5 (11:06:13.443 PDT)
  event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
  2121->2121 (11:06:13.443 PDT)

DECLARE BOT

tcpslice 1342548119.856 1342548119.857 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================
Score: 1.7 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 156.17.10.52, 192.42.83.253, 165.91.55.10, 156.17.10.51, 163.117.253.23
Egg Source List:
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 11:01:59.856 PDT
Gen. Time: 07/17/2012 11:10:34.033 PDT

INBOUND SCAN

EXPLOIT
 156.17.10.52 (11:06:34.526 PDT)
  event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  2007<-2017 (11:06:34.526 PDT)
 192.42.83.253 (11:04:08.406 PDT)
  event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  2001<-2016 (11:04:08.406 PDT)
 165.91.55.10 (11:06:27.927 PDT)
  event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  2017<-2004 (11:06:27.927 PDT)
 156.17.10.51 (11:06:16.178 PDT)
  event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  2022<-2023 (11:06:16.178 PDT)
 163.117.253.23 (11:02:02.994 PDT)
  event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  2018<-2019 (11:02:02.994 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC

C and C TRAFFIC (RBN)
 218.6.19.3 (11:01:59.856 PDT)
  event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
  4815->51857 (11:01:59.856 PDT)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN
 192.16.125.11 (11:07:34.359 PDT)
  event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40
  2027->2002 (11:07:34.359 PDT)

ATTACK PREP

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port
 134.34.246.5 (11:06:13.443 PDT)
  event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
  2121->2121 (11:06:13.443 PDT)

DECLARE BOT

tcpslice 1342548119.856 1342548119.857 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================
Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 11:12:53.868 PDT
Gen. Time: 07/17/2012 11:16:25.540 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC

C and C TRAFFIC (RBN)
 218.6.19.3 (11:12:53.868 PDT)
  event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
  4815->43330 (11:12:53.868 PDT)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port
 132.239.17.226 (11:16:25.540 PDT)
  event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
  2121->2121 (11:16:25.540 PDT)

DECLARE BOT

tcpslice 1342548773.868 1342548773.869 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================
Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 11:25:22.708 PDT
Gen. Time: 07/17/2012 11:27:05.127 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC

C and C TRAFFIC (RBN)
 218.6.19.3 (11:25:22.708 PDT)
  event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
  4815->34116 (11:25:22.708 PDT)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port
 128.2.211.114 (11:27:05.127 PDT)
  event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
  2119->2119 (11:27:05.127 PDT)

DECLARE BOT

tcpslice 1342549522.708 1342549522.709 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================
Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 11:36:37.625 PDT
Gen. Time: 07/17/2012 11:37:32.626 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC

C and C TRAFFIC (RBN)
 218.6.19.3 (11:36:37.625 PDT)
  event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
  4815->44768 (11:36:37.625 PDT)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port
 134.34.246.5 (11:37:32.626 PDT)
  event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
  2121->2121 (11:37:32.626 PDT)

DECLARE BOT

tcpslice 1342550197.625 1342550197.626 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 11:47:41.350 PDT
Gen. Time: 07/17/2012 11:47:41.350 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port
 128.2.211.114 (11:47:41.350 PDT)
  event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
  2119->2119 (11:47:41.350 PDT)

DECLARE BOT

tcpslice 1342550861.350 1342550861.351 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================
Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 11:47:41.350 PDT
Gen. Time: 07/17/2012 11:51:26.977 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC

C and C TRAFFIC (RBN)
 218.6.19.3 (11:47:47.477 PDT)
  event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
  4815->35181 (11:47:47.477 PDT)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port
 128.2.211.114 (11:47:41.350 PDT)
  event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
  2119->2119 (11:47:41.350 PDT)

DECLARE BOT

tcpslice 1342550861.350 1342550861.351 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 11:57:41.231 PDT
Gen. Time: 07/17/2012 11:57:41.231 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port
 138.238.250.155 (11:57:41.231 PDT)
  event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
  2001->2001 (11:57:41.231 PDT)

DECLARE BOT

tcpslice 1342551461.231 1342551461.232 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================
Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 11:57:41.231 PDT
Gen. Time: 07/17/2012 12:00:22.915 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC

C and C TRAFFIC (RBN)
 218.6.19.3 (11:58:43.679 PDT)
  event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
  4815->51326 (11:58:43.679 PDT)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port
 138.238.250.155 (11:57:41.231 PDT)
  event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
  2001->2001 (11:57:41.231 PDT)

DECLARE BOT

tcpslice 1342551461.231 1342551461.232 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 12:07:41.044 PDT
Gen. Time: 07/17/2012 12:07:41.044 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port
 138.238.250.155 (12:07:41.044 PDT)
  event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
  2001->2001 (12:07:41.044 PDT)

DECLARE BOT

tcpslice 1342552061.044 1342552061.045 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================
Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 12:07:41.044 PDT
Gen. Time: 07/17/2012 12:10:44.189 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC

C and C TRAFFIC (RBN)
 218.6.19.3 (12:10:14.220 PDT)
  event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
  4815->36526 (12:10:14.220 PDT)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port
 138.238.250.155 (12:07:41.044 PDT)
  event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
  2001->2001 (12:07:41.044 PDT)

DECLARE BOT

tcpslice 1342552061.044 1342552061.045 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 12:17:41.486 PDT
Gen. Time: 07/17/2012 12:17:41.486 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port
 128.2.211.114 (12:17:41.486 PDT)
  event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
  2119->2119 (12:17:41.486 PDT)

DECLARE BOT

tcpslice 1342552661.486 1342552661.487 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================
Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 12:21:41.952 PDT
Gen. Time: 07/17/2012 12:23:23.415 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC

C and C TRAFFIC (RBN)
 218.6.19.3 (12:21:41.952 PDT)
  event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
  4815->42836 (12:21:41.952 PDT)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port
 206.207.248.34 (12:23:23.415 PDT)
  event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
  52394->49301 (12:23:23.415 PDT)

DECLARE BOT

tcpslice 1342552901.952 1342552901.953 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 12:27:41.657 PDT
Gen. Time: 07/17/2012 12:27:41.657 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port
 138.238.250.155 (12:27:41.657 PDT)
  event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
  2005->2007 (12:27:41.657 PDT)

DECLARE BOT

tcpslice 1342553261.657 1342553261.658 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 12:37:54.322 PDT
Gen. Time: 07/17/2012 12:37:54.322 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port
 143.89.49.74 (12:37:54.322 PDT)
  event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
  2121->2121 (12:37:54.322 PDT)

DECLARE BOT

tcpslice 1342553874.322 1342553874.323 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================
Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 12:45:05.284 PDT
Gen. Time: 07/17/2012 12:48:28.819 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC

C and C TRAFFIC (RBN)
 218.6.19.3 (12:45:05.284 PDT)
  event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
  4815->34107 (12:45:05.284 PDT)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port
 143.89.49.74 (12:48:28.819 PDT)
  event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
  2007->2003 (12:48:28.819 PDT)

DECLARE BOT

tcpslice 1342554305.284 1342554305.285 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 12:58:37.553 PDT
Gen. Time: 07/17/2012 12:58:37.553 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port
 132.239.17.226 (12:58:37.553 PDT)
  event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
  2121->2121 (12:58:37.553 PDT)

DECLARE BOT

tcpslice 1342555117.553 1342555117.554 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================
Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 12:58:37.553 PDT
Gen. Time: 07/17/2012 13:01:43.899 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC

C and C TRAFFIC (RBN)
 218.6.19.3 (12:58:45.789 PDT)
  event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
  4815->47935 (12:58:45.789 PDT)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port
 132.239.17.226 (12:58:37.553 PDT)
  event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
  2121->2121 (12:58:37.553 PDT)

DECLARE BOT

tcpslice 1342555117.553 1342555117.554 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================
Score: 1.3 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 13:06:59.211 PDT
Gen. Time: 07/17/2012 13:08:37.291 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN
 192.42.43.22 (13:06:59.211 PDT)
  event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40
  2007->2002 (13:06:59.211 PDT)

ATTACK PREP

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port
 138.238.250.155 (13:08:37.291 PDT)
  event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
  2005->2002 (13:08:37.291 PDT)

DECLARE BOT

tcpslice 1342555619.211 1342555619.212 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================
Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 13:06:59.211 PDT
Gen.
Time: 07/17/2012 13:10:51.382 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (13:10:39.033 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 4815->45223 (13:10:39.033 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 192.42.43.22 (13:06:59.211 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40 2007->2002 (13:06:59.211 PDT) ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 138.238.250.155 (13:08:37.291 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2005->2002 (13:08:37.291 PDT) DECLARE BOT tcpslice 1342555619.211 1342555619.212 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 13:18:37.416 PDT Gen. 
Time: 07/17/2012 13:18:37.416 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 138.238.250.155 (13:18:37.416 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2001->2004 (13:18:37.416 PDT) DECLARE BOT tcpslice 1342556317.416 1342556317.417 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 07/17/2012 13:18:37.416 PDT Gen. Time: 07/17/2012 13:21:51.118 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (13:21:37.230 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 4815->41428 (13:21:37.230 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 138.238.250.155 (13:18:37.416 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2001->2004 (13:18:37.416 PDT) DECLARE BOT tcpslice 1342556317.416 1342556317.417 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 13:28:37.128 PDT Gen. 
Time: 07/17/2012 13:28:37.128 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 138.238.250.155 (13:28:37.128 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2005->2004 (13:28:37.128 PDT) DECLARE BOT tcpslice 1342556917.128 1342556917.129 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 13:38:37.301 PDT Gen. Time: 07/17/2012 13:38:37.301 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 143.89.49.74 (13:38:37.301 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2006->2007 (13:38:37.301 PDT) DECLARE BOT tcpslice 1342557517.301 1342557517.302 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 13:48:39.181 PDT Gen. 
Time: 07/17/2012 13:48:39.181 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 138.238.250.155 (13:48:39.181 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2006->2006 (13:48:39.181 PDT) DECLARE BOT tcpslice 1342558119.181 1342558119.182 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 07/17/2012 13:57:25.279 PDT Gen. Time: 07/17/2012 13:58:39.015 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (13:57:55.386 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 4815->47392 (13:57:55.386 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 164.107.127.12 (13:57:25.279 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40 2007->2001 (13:57:25.279 PDT) ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 138.238.250.155 (13:58:39.015 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2001->2004 (13:58:39.015 PDT) DECLARE BOT tcpslice 1342558645.279 1342558645.280 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: 
C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 07/17/2012 14:08:10.896 PDT Gen. Time: 07/17/2012 14:08:49.332 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (14:08:10.896 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 4815->42484 (14:08:10.896 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 128.163.142.20 (14:08:49.332 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (14:08:49.332 PDT) DECLARE BOT tcpslice 1342559290.896 1342559290.897 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.2 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 141.11.0.165 Egg Source List: C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 07/17/2012 14:17:14.703 PDT Gen. 
Time: 07/17/2012 14:18:50.075 PDT INBOUND SCAN EXPLOIT 141.11.0.165 (14:17:14.703 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2007<-2005 (14:17:14.703 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (14:18:38.410 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 4815->41961 (14:18:38.410 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 138.238.250.155 (14:18:50.075 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2004->2006 (14:18:50.075 PDT) DECLARE BOT tcpslice 1342559834.703 1342559834.704 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 14:23:33.907 PDT Gen. 
Time: 07/17/2012 14:23:33.907 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 132.239.17.226 (14:23:33.907 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 46731->54593 (14:23:33.907 PDT) DECLARE BOT tcpslice 1342560213.907 1342560213.908 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 14:28:59.157 PDT Gen. Time: 07/17/2012 14:28:59.157 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 143.89.49.74 (14:28:59.157 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 4121->4121 (14:28:59.157 PDT) DECLARE BOT tcpslice 1342560539.157 1342560539.158 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 07/17/2012 14:28:59.157 PDT Gen. 
Time: 07/17/2012 14:31:36.753 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (14:30:22.943 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 4815->42965 (14:30:22.943 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 143.89.49.74 (14:28:59.157 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 4121->4121 (14:28:59.157 PDT) DECLARE BOT tcpslice 1342560539.157 1342560539.158 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 14:39:01.537 PDT Gen. Time: 07/17/2012 14:39:01.537 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 138.238.250.155 (14:39:01.537 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2007->2003 (14:39:01.537 PDT) DECLARE BOT tcpslice 1342561141.537 1342561141.538 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 07/17/2012 14:39:01.537 PDT Gen. 
Time: 07/17/2012 14:42:15.118 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (14:41:46.191 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 4815->35302 (14:41:46.191 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 138.238.250.155 (14:39:01.537 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2007->2003 (14:39:01.537 PDT) DECLARE BOT tcpslice 1342561141.537 1342561141.538 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 14:49:02.121 PDT Gen. Time: 07/17/2012 14:49:02.121 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 128.2.211.114 (14:49:02.121 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2119->2119 (14:49:02.121 PDT) DECLARE BOT tcpslice 1342561742.121 1342561742.122 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 14:49:02.121 PDT Gen. 
Time: 07/17/2012 14:52:21.360 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 130.149.49.136 (14:51:10.296 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54508->54593 (14:51:10.296 PDT) 128.2.211.114 (14:49:02.121 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2119->2119 (14:49:02.121 PDT) DECLARE BOT tcpslice 1342561742.121 1342561742.122 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 14:59:02.200 PDT Gen. Time: 07/17/2012 14:59:02.200 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 138.238.250.155 (14:59:02.200 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2004->2006 (14:59:02.200 PDT) DECLARE BOT tcpslice 1342562342.200 1342562342.201 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 15:09:26.466 PDT Gen. 
Time: 07/17/2012 15:09:26.466 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 138.238.250.155 (15:09:26.466 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2003->2005 (15:09:26.466 PDT) DECLARE BOT tcpslice 1342562966.466 1342562966.467 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 07/17/2012 15:15:56.332 PDT Gen. Time: 07/17/2012 15:19:32.169 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (15:15:56.332 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 4815->49444 (15:15:56.332 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 128.2.211.114 (15:19:32.169 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2119->2119 (15:19:32.169 PDT) DECLARE BOT tcpslice 1342563356.332 1342563356.333 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 07/17/2012 15:26:12.710 PDT Gen. 
Time: 07/17/2012 15:29:33.327 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (15:26:12.710 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 4815->41252 (15:26:12.710 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 138.238.250.155 (15:29:33.327 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2001->2004 (15:29:33.327 PDT) DECLARE BOT tcpslice 1342563972.710 1342563972.711 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 15:39:33.025 PDT Gen. Time: 07/17/2012 15:39:33.025 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 138.238.250.155 (15:39:33.025 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2002->2002 (15:39:33.025 PDT) DECLARE BOT tcpslice 1342564773.025 1342564773.026 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 07/17/2012 15:46:51.953 PDT Gen. 
Time: 07/17/2012 15:49:33.885 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (15:46:51.953 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 4815->49036 (15:46:51.953 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 138.238.250.155 (15:49:33.885 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2001->2002 (15:49:33.885 PDT) DECLARE BOT tcpslice 1342565211.953 1342565211.954 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 07/17/2012 15:58:04.152 PDT Gen. 
Time: 07/17/2012 15:59:15.252 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (15:58:04.152 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 4815->45486 (15:58:04.152 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 195.37.16.125 (15:59:15.252 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 50291->42781 (15:59:15.252 PDT) DECLARE BOT tcpslice 1342565884.152 1342565884.153 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 07/17/2012 15:58:04.152 PDT Gen. 
Time: 07/17/2012 16:01:50.682 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (15:58:04.152 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 4815->45486 (15:58:04.152 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 138.238.250.155 (15:59:33.282 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2006->2003 (15:59:33.282 PDT) 195.37.16.125 (15:59:15.252 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 50291->42781 (15:59:15.252 PDT) DECLARE BOT tcpslice 1342565884.152 1342565884.153 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 07/17/2012 16:08:38.313 PDT Gen. 
Time: 07/17/2012 16:09:33.021 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (16:08:38.313 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 4815->55375 (16:08:38.313 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 138.238.250.155 (16:09:33.021 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2002->2001 (16:09:33.021 PDT) DECLARE BOT tcpslice 1342566518.313 1342566518.314 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 16:19:47.853 PDT Gen. Time: 07/17/2012 16:19:47.853 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 134.34.246.5 (16:19:47.853 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 4121->4121 (16:19:47.853 PDT) DECLARE BOT tcpslice 1342567187.853 1342567187.854 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 07/17/2012 16:19:47.853 PDT Gen. 
Time: 07/17/2012 16:23:43.807 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (16:20:05.909 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 4815->50836 (16:20:05.909 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 134.34.246.5 (16:19:47.853 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 4121->4121 (16:19:47.853 PDT) DECLARE BOT tcpslice 1342567187.853 1342567187.854 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 16:25:47.328 PDT Gen. Time: 07/17/2012 16:25:47.328 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 137.165.1.111 (16:25:47.328 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 49423->49302 (16:25:47.328 PDT) DECLARE BOT tcpslice 1342567547.328 1342567547.329 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 16:30:09.204 PDT Gen. 
Time: 07/17/2012 16:30:09.204 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE
DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
129.93.229.138 (16:30:09.204 PDT)
  event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
  2121->2121 (16:30:09.204 PDT)

DECLARE BOT
tcpslice 1342567809.204 1342567809.205 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.2 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 140.123.230.248
Egg Source List:
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 16:30:09.204 PDT
Gen. Time: 07/17/2012 16:36:31.860 PDT

INBOUND SCAN
EXPLOIT
140.123.230.248 (16:32:09.591 PDT)
  event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  2006<-2007 (16:32:09.591 PDT)

EXPLOIT MALWARE
DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
218.6.19.3 (16:31:58.537 PDT)
  event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
  4815->41536 (16:31:58.537 PDT)

C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
129.93.229.138 (16:30:09.204 PDT)
  event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
  2121->2121 (16:30:09.204 PDT)

DECLARE BOT
tcpslice 1342567809.204 1342567809.205 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 16:40:09.936 PDT
Gen. Time: 07/17/2012 16:40:09.936 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE
DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
138.238.250.155 (16:40:09.936 PDT)
  event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
  2006->2003 (16:40:09.936 PDT)

DECLARE BOT
tcpslice 1342568409.936 1342568409.937 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 16:40:09.936 PDT
Gen. Time: 07/17/2012 16:43:48.689 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE
DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
218.6.19.3 (16:43:48.689 PDT)
  event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
  4815->36585 (16:43:48.689 PDT)

C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
138.238.250.155 (16:40:09.936 PDT)
  event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
  2006->2003 (16:40:09.936 PDT)

DECLARE BOT
tcpslice 1342568409.936 1342568409.937 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 16:50:14.556 PDT
Gen. Time: 07/17/2012 16:50:14.556 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE
DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
138.238.250.155 (16:50:14.556 PDT)
  event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
  2121->2121 (16:50:14.556 PDT)

DECLARE BOT
tcpslice 1342569014.556 1342569014.557 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 16:56:26.544 PDT
Gen. Time: 07/17/2012 17:00:16.455 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE
DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
218.6.19.3 (16:56:26.544 PDT)
  event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
  4815->50358 (16:56:26.544 PDT)

C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
138.238.250.155 (17:00:16.455 PDT)
  event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
  2005->2004 (17:00:16.455 PDT)

DECLARE BOT
tcpslice 1342569386.544 1342569386.545 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 17:10:16.267 PDT
Gen. Time: 07/17/2012 17:10:16.267 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE
DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
138.238.250.155 (17:10:16.267 PDT)
  event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
  2002->2007 (17:10:16.267 PDT)

DECLARE BOT
tcpslice 1342570216.267 1342570216.268 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 17:18:38.983 PDT
Gen. Time: 07/17/2012 17:20:17.131 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE
DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
218.6.19.3 (17:18:38.983 PDT)
  event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
  4815->52411 (17:18:38.983 PDT)

C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
138.238.250.155 (17:20:17.131 PDT)
  event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
  2006->2001 (17:20:17.131 PDT)

DECLARE BOT
tcpslice 1342570718.983 1342570718.984 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 17:30:17.830 PDT
Gen. Time: 07/17/2012 17:30:17.830 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE
DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
138.238.250.155 (17:30:17.830 PDT)
  event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
  2001->2001 (17:30:17.830 PDT)

DECLARE BOT
tcpslice 1342571417.830 1342571417.831 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 17:30:17.830 PDT
Gen. Time: 07/17/2012 17:33:43.023 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE
DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
218.6.19.3 (17:32:08.250 PDT)
  event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
  4815->58988 (17:32:08.250 PDT)

C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
138.238.250.155 (17:30:17.830 PDT)
  event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
  2001->2001 (17:30:17.830 PDT)
128.163.142.20 (17:32:13.028 PDT)
  event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
  51005->49302 (17:32:13.028 PDT)

DECLARE BOT
tcpslice 1342571417.830 1342571417.831 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 17:40:26.299 PDT
Gen. Time: 07/17/2012 17:40:26.299 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE
DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
128.2.211.114 (17:40:26.299 PDT)
  event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
  2121->2121 (17:40:26.299 PDT)

DECLARE BOT
tcpslice 1342572026.299 1342572026.300 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 17:50:26.270 PDT
Gen. Time: 07/17/2012 17:50:26.270 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE
DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
138.238.250.155 (17:50:26.270 PDT)
  event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
  2004->2003 (17:50:26.270 PDT)

DECLARE BOT
tcpslice 1342572626.270 1342572626.271 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 18:00:26.431 PDT
Gen. Time: 07/17/2012 18:00:26.431 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE
DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
138.238.250.155 (18:00:26.431 PDT)
  event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
  2004->2001 (18:00:26.431 PDT)

DECLARE BOT
tcpslice 1342573226.431 1342573226.432 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 18:10:27.352 PDT
Gen. Time: 07/17/2012 18:10:27.352 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE
DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
138.238.250.155 (18:10:27.352 PDT)
  event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
  2001->2003 (18:10:27.352 PDT)

DECLARE BOT
tcpslice 1342573827.352 1342573827.353 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 18:10:27.352 PDT
Gen. Time: 07/17/2012 18:12:48.496 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE
DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
138.238.250.155 (18:10:27.352 PDT)
  event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
  2001->2003 (18:10:27.352 PDT)
206.207.248.34 (18:12:16.446 PDT)
  event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
  59884->49302 (18:12:16.446 PDT)

DECLARE BOT
tcpslice 1342573827.352 1342573827.353 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 18:20:27.140 PDT
Gen. Time: 07/17/2012 18:20:27.140 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE
DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
143.89.49.74 (18:20:27.140 PDT)
  event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
  2005->2006 (18:20:27.140 PDT)

DECLARE BOT
tcpslice 1342574427.140 1342574427.141 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 18:20:27.140 PDT
Gen. Time: 07/17/2012 18:24:02.407 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE
DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
218.6.19.3 (18:21:36.488 PDT)
  event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
  4815->35359 (18:21:36.488 PDT)

C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
143.89.49.74 (18:20:27.140 PDT)
  event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
  2005->2006 (18:20:27.140 PDT)

DECLARE BOT
tcpslice 1342574427.140 1342574427.141 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 18:30:27.143 PDT
Gen. Time: 07/17/2012 18:30:27.143 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE
DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
138.238.250.155 (18:30:27.143 PDT)
  event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
  2001->2001 (18:30:27.143 PDT)

DECLARE BOT
tcpslice 1342575027.143 1342575027.144 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 18:38:46.160 PDT
Gen. Time: 07/17/2012 18:40:27.123 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE
DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
218.6.19.3 (18:38:46.160 PDT)
  event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
  4815->48871 (18:38:46.160 PDT)

C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
143.89.49.74 (18:40:27.123 PDT)
  event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
  2001->2007 (18:40:27.123 PDT)

DECLARE BOT
tcpslice 1342575526.160 1342575526.161 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 18:51:03.310 PDT
Gen. Time: 07/17/2012 18:51:03.310 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE
DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
138.238.250.155 (18:51:03.310 PDT)
  event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
  2001->2003 (18:51:03.310 PDT)

DECLARE BOT
tcpslice 1342576263.310 1342576263.311 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 18:51:03.310 PDT
Gen. Time: 07/17/2012 18:53:53.908 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE
DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
218.6.19.3 (18:52:24.431 PDT)
  event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
  4815->35396 (18:52:24.431 PDT)

C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
138.238.250.155 (18:51:03.310 PDT)
  event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
  2001->2003 (18:51:03.310 PDT)

DECLARE BOT
tcpslice 1342576263.310 1342576263.311 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 19:01:04.294 PDT
Gen. Time: 07/17/2012 19:01:04.294 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE
DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
138.238.250.155 (19:01:04.294 PDT)
  event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
  2007->2005 (19:01:04.294 PDT)

DECLARE BOT
tcpslice 1342576864.294 1342576864.295 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 19:01:04.294 PDT
Gen. Time: 07/17/2012 19:05:35.955 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE
DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
218.6.19.3 (19:03:29.882 PDT)
  event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
  4815->46139 (19:03:29.882 PDT)

C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
138.238.250.155 (19:01:04.294 PDT)
  event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
  2007->2005 (19:01:04.294 PDT)

DECLARE BOT
tcpslice 1342576864.294 1342576864.295 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 19:11:04.725 PDT
Gen. Time: 07/17/2012 19:11:04.725 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE
DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
138.238.250.155 (19:11:04.725 PDT)
  event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
  2002->2001 (19:11:04.725 PDT)

DECLARE BOT
tcpslice 1342577464.725 1342577464.726 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 19:21:04.553 PDT
Gen. Time: 07/17/2012 19:21:04.553 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE
DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
128.2.211.114 (19:21:04.553 PDT)
  event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
  2119->2119 (19:21:04.553 PDT)

DECLARE BOT
tcpslice 1342578064.553 1342578064.554 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 19:31:07.217 PDT
Gen. Time: 07/17/2012 19:31:07.217 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE
DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
128.2.211.114 (19:31:07.217 PDT)
  event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
  2119->2119 (19:31:07.217 PDT)

DECLARE BOT
tcpslice 1342578667.217 1342578667.218 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 19:38:47.811 PDT
Gen. Time: 07/17/2012 19:41:07.363 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE
DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
218.6.19.3 (19:38:47.811 PDT)
  event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
  4815->59661 (19:38:47.811 PDT)

C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
138.238.250.155 (19:41:07.363 PDT)
  event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
  2002->2003 (19:41:07.363 PDT)

DECLARE BOT
tcpslice 1342579127.811 1342579127.812 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 19:43:15.741 PDT
Gen. Time: 07/17/2012 19:43:15.741 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE
DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
8.5.1.45 (19:43:15.741 PDT)
  event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
  59323->54593 (19:43:15.741 PDT)

DECLARE BOT
tcpslice 1342579395.741 1342579395.742 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 151.97.9.225
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 19:43:15.741 PDT
Gen. Time: 07/17/2012 19:47:56.018 PDT

INBOUND SCAN
EXPLOIT
151.97.9.225 (19:43:43.544 PDT)
  event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  2004<-2007 (19:43:43.544 PDT)

EXPLOIT MALWARE
DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
8.5.1.45 (19:43:15.741 PDT)
  event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
  59323->54593 (19:43:15.741 PDT)

DECLARE BOT
tcpslice 1342579395.741 1342579395.742 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 19:50:41.033 PDT
Gen. Time: 07/17/2012 19:51:10.867 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE
DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
218.6.19.3 (19:50:41.033 PDT)
  event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
  4815->42410 (19:50:41.033 PDT)

C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
128.2.211.114 (19:51:10.867 PDT)
  event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
  2119->2119 (19:51:10.867 PDT)

DECLARE BOT
tcpslice 1342579841.033 1342579841.034 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 20:01:10.909 PDT
Gen. Time: 07/17/2012 20:01:10.909 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE
DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
138.238.250.155 (20:01:10.909 PDT)
  event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
  2002->2005 (20:01:10.909 PDT)

DECLARE BOT
tcpslice 1342580470.909 1342580470.910 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 20:01:10.909 PDT
Gen. Time: 07/17/2012 20:03:57.821 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE
DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
218.6.19.3 (20:02:15.107 PDT)
  event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
  4815->45708 (20:02:15.107 PDT)

C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
138.238.250.155 (20:01:10.909 PDT)
  event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
  2002->2005 (20:01:10.909 PDT)

DECLARE BOT
tcpslice 1342580470.909 1342580470.910 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 20:11:10.076 PDT
Gen. Time: 07/17/2012 20:11:10.076 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE
DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
138.238.250.155 (20:11:10.076 PDT)
  event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
  2004->2001 (20:11:10.076 PDT)

DECLARE BOT
tcpslice 1342581070.076 1342581070.077 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 20:11:10.076 PDT
Gen. Time: 07/17/2012 20:14:11.105 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE
DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
218.6.19.3 (20:12:57.198 PDT)
  event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
  4815->53627 (20:12:57.198 PDT)

C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
138.238.250.155 (20:11:10.076 PDT)
  event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
  2004->2001 (20:11:10.076 PDT)

DECLARE BOT
tcpslice 1342581070.076 1342581070.077 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 20:21:21.468 PDT
Gen. Time: 07/17/2012 20:21:21.468 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE
DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
138.238.250.155 (20:21:21.468 PDT)
  event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
  2001->2003 (20:21:21.468 PDT)

DECLARE BOT
tcpslice 1342581681.468 1342581681.469 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 20:31:48.256 PDT
Gen. Time: 07/17/2012 20:31:48.256 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE
DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
132.239.17.226 (20:31:48.256 PDT)
  event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
  4121->4121 (20:31:48.256 PDT)

DECLARE BOT
tcpslice 1342582308.256 1342582308.257 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 20:41:48.160 PDT
Gen. Time: 07/17/2012 20:41:48.160 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE
DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
138.238.250.155 (20:41:48.160 PDT)
  event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
  2002->2001 (20:41:48.160 PDT)

DECLARE BOT
tcpslice 1342582908.160 1342582908.161 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 20:51:48.930 PDT
Gen. Time: 07/17/2012 20:51:48.930 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE
DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
138.238.250.155 (20:51:48.930 PDT)
  event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
  2006->2003 (20:51:48.930 PDT)

DECLARE BOT
tcpslice 1342583508.930 1342583508.931 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 21:01:48.617 PDT
Gen. Time: 07/17/2012 21:01:48.617 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE
DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
138.238.250.155 (21:01:48.617 PDT)
  event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
  2007->2003 (21:01:48.617 PDT)

DECLARE BOT
tcpslice 1342584108.617 1342584108.618 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 21:08:43.476 PDT
Gen. Time: 07/17/2012 21:11:47.442 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE
DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
218.6.19.3 (21:08:43.476 PDT)
  event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
  4815->59312 (21:08:43.476 PDT)

C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
195.37.16.125 (21:11:47.442 PDT)
  event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
  58722->42781 (21:11:47.442 PDT)

DECLARE BOT
tcpslice 1342584523.476 1342584523.477 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 21:08:43.476 PDT
Gen. Time: 07/17/2012 21:16:01.047 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE
DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
218.6.19.3 (21:08:43.476 PDT)
  event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
  4815->59312 (21:08:43.476 PDT)

C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
192.6.26.31 (21:12:09.337 PDT)
  event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40
  2001->2004 (21:12:09.337 PDT)

ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
138.238.250.155 (21:11:48.172 PDT)
  event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
  2004->2003 (21:11:48.172 PDT)
195.37.16.125 (21:11:47.442 PDT)
  event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
  58722->42781 (21:11:47.442 PDT)

DECLARE BOT
tcpslice 1342584523.476 1342584523.477 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 21:20:39.743 PDT
Gen.
Time: 07/17/2012 21:21:48.015 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (21:20:39.743 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 4815->54928 (21:20:39.743 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 138.238.250.155 (21:21:48.015 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2007->2005 (21:21:48.015 PDT) DECLARE BOT tcpslice 1342585239.743 1342585239.744 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 21:31:49.873 PDT Gen. Time: 07/17/2012 21:31:49.873 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 138.238.250.155 (21:31:49.873 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2006->2001 (21:31:49.873 PDT) DECLARE BOT tcpslice 1342585909.873 1342585909.874 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 07/17/2012 21:31:49.873 PDT Gen. 
Time: 07/17/2012 21:36:19.382 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (21:32:18.018 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 4815->42690 (21:32:18.018 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 138.238.250.155 (21:31:49.873 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2006->2001 (21:31:49.873 PDT) DECLARE BOT tcpslice 1342585909.873 1342585909.874 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 21:42:02.235 PDT Gen. Time: 07/17/2012 21:42:02.235 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 130.104.72.201 (21:42:02.235 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 4121->4121 (21:42:02.235 PDT) DECLARE BOT tcpslice 1342586522.235 1342586522.236 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 07/17/2012 21:42:02.235 PDT Gen. 
Time: 07/17/2012 21:46:28.364 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (21:43:18.522 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 4815->38069 (21:43:18.522 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 130.104.72.201 (21:42:02.235 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 4121->4121 (21:42:02.235 PDT) DECLARE BOT tcpslice 1342586522.235 1342586522.236 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 21:52:02.664 PDT Gen. Time: 07/17/2012 21:52:02.664 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 138.238.250.155 (21:52:02.664 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2002->2002 (21:52:02.664 PDT) DECLARE BOT tcpslice 1342587122.664 1342587122.665 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 07/17/2012 21:52:02.664 PDT Gen. 
Time: 07/17/2012 21:56:12.085 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (21:54:18.591 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 4815->33885 (21:54:18.591 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 138.238.250.155 (21:52:02.664 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2002->2002 (21:52:02.664 PDT) DECLARE BOT tcpslice 1342587122.664 1342587122.665 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 22:02:02.024 PDT Gen. Time: 07/17/2012 22:02:02.024 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 138.238.250.155 (22:02:02.024 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2005->2002 (22:02:02.024 PDT) DECLARE BOT tcpslice 1342587722.024 1342587722.025 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 22:12:02.068 PDT Gen. 
Time: 07/17/2012 22:12:02.068 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 138.238.250.155 (22:12:02.068 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2005->2006 (22:12:02.068 PDT) DECLARE BOT tcpslice 1342588322.068 1342588322.069 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 22:22:07.514 PDT Gen. Time: 07/17/2012 22:22:07.514 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 138.238.250.155 (22:22:07.514 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 49301->49301 (22:22:07.514 PDT) DECLARE BOT tcpslice 1342588927.514 1342588927.515 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 07/17/2012 22:28:43.772 PDT Gen. 
Time: 07/17/2012 22:32:07.386 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (22:28:43.772 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 4815->56162 (22:28:43.772 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 138.238.250.155 (22:32:07.386 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 49301->49301 (22:32:07.386 PDT) DECLARE BOT tcpslice 1342589323.772 1342589323.773 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 07/17/2012 22:41:24.175 PDT Gen. 
Time: 07/17/2012 22:42:07.015 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (22:41:24.175 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 4815->38355 (22:41:24.175 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 138.238.250.155 (22:42:07.015 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2001->2003 (22:42:07.015 PDT) DECLARE BOT tcpslice 1342590084.175 1342590084.176 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 07/17/2012 22:52:11.900 PDT Gen. 
Time: 07/17/2012 22:52:16.906 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (22:52:11.900 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 4815->40181 (22:52:11.900 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 128.2.211.114 (22:52:16.906 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2119->2119 (22:52:16.906 PDT) DECLARE BOT tcpslice 1342590731.900 1342590731.901 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 07/17/2012 22:52:11.900 PDT Gen. 
Time: 07/17/2012 22:56:13.838 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (22:52:11.900 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 4815->40181 (22:52:11.900 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 132.239.17.226 (22:56:13.838 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 48322->59885 (22:56:13.838 PDT) 128.2.211.114 (22:52:16.906 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2119->2119 (22:52:16.906 PDT) DECLARE BOT tcpslice 1342590731.900 1342590731.901 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================
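The reports above are BotHunter infection profiles for one host, each with a score, the header lists, the dialog phases (INBOUND SCAN through DECLARE BOT) with the events that fired under them, and a tcpslice | tcpdump command for pulling the evidence packets. An analyst working through a day of these wants them parsed rather than read. The Python below is an added example, not part of this page and not BotHunter's own code: it parses reports in this format (the original multi-line layout or the flattened form shown here), attributes each event line to the phase heading printed before it, aggregates per infected host, and adds two checks a practitioner wants. First, the timestamps are PDT (UTC-7); the page's own data confirms this, since 07/17/2012 20:41:48.160 PDT converts to exactly the 1342582908.160 in that report's tcpslice command, and the code verifies that relation for every report. Second, the printed tcpslice command spans one millisecond from Observed Start, so it captures the triggering packet only; `evidence_command` widens the same pipeline to the whole Observed Start to Gen. Time span. The two sample reports are copied from this page; the function and field names are my own.

```python
"""Parser and summariser for BotHunter infection-profile reports in the format shown on this
page.  Added example, not BotHunter's own code; whitespace-normalises each report first, so it
reads both the original multi-line layout and the flattened one-line form seen above."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Report times are PDT (UTC-7); the page's tcpslice epochs confirm it (20:41:48.160 PDT -> 1342582908.160).
PDT = timezone(timedelta(hours=-7))

# Dialog phases as BotHunter prints them, longest first so "EXPLOIT" cannot match inside "EXPLOIT MALWARE DNS".
PHASES = sorted(["INBOUND SCAN", "EXPLOIT", "EXPLOIT MALWARE DNS", "EGG DOWNLOAD",
                 "C and C TRAFFIC", "C and C TRAFFIC (RBN)", "C and C DNS CHECK-IN",
                 "OUTBOUND SKYPE CANDIDATE", "OUTBOUND SCAN (spp)", "OUTBOUND SCAN",
                 "ATTACK PREP", "PEER COORDINATION", "DECLARE BOT Standard Port",
                 "DECLARE BOT Non-standard Port", "DECLARE BOT"], key=len, reverse=True)
PHASE_RE = re.compile(r"(?<!\S)(" + "|".join(map(re.escape, PHASES)) + r")(?=\s|$)")
HEADER_RE = re.compile(
    r"Score: (?P<score>[\d.]+) \(>= (?P<threshold>[\d.]+)\) Infected Target: (?P<target>\S+) "
    r"Infector List: (?P<infectors>.*?) ?Egg Source List: (?P<eggs>.*?) ?C & C List: (?P<cnc>.*?) ?"
    r"Peer Coord\. List: (?P<peers>.*?) ?Resource List: (?P<resources>.*?) ?"
    r"Observed Start: (?P<start>[\d/]+ [\d:.]+) PDT Gen\. Time: (?P<gen>[\d/]+ [\d:.]+) PDT")
EVENT_RE = re.compile(  # "(N)" after the address or the signature id is BotHunter's repeat count
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?: \(\d+\))? \((?P<ts>[\d:.]+) PDT\) event=(?P<sid>\d+:\d+)"
    r"(?: \(\d+\))? \{(?P<proto>\w+)\} (?P<stage>E\d\[\w+\]) (?P<msg>.*?), \[\] "
    r"MAC_(?:Src|Dst): (?:[0-9A-F]{2}:){5}[0-9A-F]{2} (?P<ports>\d+(?:->|<-)\d+)")
SLICE_RE = re.compile(r"tcpslice (?P<t0>\d+\.\d+) (?P<t1>\d+\.\d+) ")

@dataclass
class Event:
    phase: str; ip: str; time: str; sid: str; proto: str; stage: str; msg: str; ports: str

@dataclass
class Profile:
    score: float; threshold: float; target: str; infectors: list; cnc: list
    start: str; gen: str; slice_start: float; events: list

def to_epoch(ts: str) -> float:
    """'07/17/2012 20:41:48.160' (PDT) -> Unix epoch seconds with millisecond precision."""
    return datetime.strptime(ts, "%m/%d/%Y %H:%M:%S.%f").replace(tzinfo=PDT).timestamp()

def _ips(field: str) -> list:
    return [ip for ip in re.split(r",\s*", field.strip()) if ip]

def parse_profiles(text: str) -> list:
    """Split on the SEPARATOR banner, pull the header fields, and tag each event with the phase before it."""
    profiles = []
    for chunk in text.split("SEPARATOR"):
        flat = " ".join(chunk.split())
        h = HEADER_RE.search(flat)
        if not h:
            continue
        headings = [(m.end(), m.group(1)) for m in PHASE_RE.finditer(flat)]
        events = []
        for e in EVENT_RE.finditer(flat):
            phase = max((x for x in headings if x[0] <= e.start()), default=(0, "?"))[1]
            events.append(Event(phase, e["ip"], e["ts"], e["sid"], e["proto"], e["stage"], e["msg"], e["ports"]))
        s = SLICE_RE.search(flat)
        profiles.append(Profile(float(h["score"]), float(h["threshold"]), h["target"], _ips(h["infectors"]),
                                _ips(h["cnc"]), h["start"], h["gen"], float(s["t0"]) if s else None, events))
    return profiles

def slice_matches_start(p: Profile) -> bool:
    """Consistency check: the tcpslice start in each report is Observed Start expressed as an epoch."""
    return p.slice_start is not None and abs(to_epoch(p.start) - p.slice_start) < 1e-3

def summarize(profiles: list) -> dict:
    """Per host: report count, top score, phases seen, and addresses listed as C&C or named by DECLARE BOT events."""
    out = {}
    for p in profiles:
        s = out.setdefault(p.target, {"reports": 0, "max_score": 0.0, "phases": set(), "control_servers": set()})
        s["reports"] += 1
        s["max_score"] = max(s["max_score"], p.score)
        s["control_servers"].update(p.cnc)
        for e in p.events:
            s["phases"].add(e.phase)
            if e.phase.startswith("DECLARE BOT"):
                s["control_servers"].add(e.ip)
    return out

def evidence_command(p: Profile, pad: float = 1.0) -> str:
    """The reports' tcpslice | tcpdump pipeline, widened from the printed 1 ms window (the triggering
    packet only) to the whole Observed Start .. Gen. Time span plus `pad` seconds either side."""
    t0, t1 = to_epoch(p.start) - pad, to_epoch(p.gen) + pad
    return f"tcpslice {t0:.3f} {t1:.3f} inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host {p.target}'"

# Two reports copied from this page, in the flattened form the page presents them.
SAMPLE = (
    "Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: "
    "Observed Start: 07/17/2012 20:41:48.160 PDT Gen. Time: 07/17/2012 20:41:48.160 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS "
    "EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) "
    "OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 138.238.250.155 "
    "(20:41:48.160 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] "
    "MAC_Src: 00:21:5A:08:EC:40 2002->2001 (20:41:48.160 PDT) DECLARE BOT tcpslice 1342582908.160 1342582908.161 inputFile.tcpd "
    "| tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ "
    "Score: 0.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: 218.6.19.3 Peer Coord. List: "
    "Resource List: Observed Start: 07/17/2012 21:08:43.476 PDT Gen. Time: 07/17/2012 21:11:47.442 PDT INBOUND SCAN EXPLOIT "
    "EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (21:08:43.476 PDT) event=1:3810007 {tcp} "
    "E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 4815->59312 (21:08:43.476 PDT) "
    "C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION "
    "DECLARE BOT Standard Port DECLARE BOT Non-standard Port 195.37.16.125 (21:11:47.442 PDT) event=1:9930005 {tcp} E8[unk] "
    "BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 58722->42781 "
    "(21:11:47.442 PDT) DECLARE BOT tcpslice 1342584523.476 1342584523.477 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd "
    "'host 192.168.1.102' ============================== SEPARATOR ================================"
)
```

Running `summarize(parse_profiles(SAMPLE))` on the two sample reports yields one host, 192.168.1.102, with a top score of 0.9, the phases C and C TRAFFIC (RBN) and DECLARE BOT Non-standard Port, and three control-server addresses: 218.6.19.3 from the C & C List plus 138.238.250.155 and 195.37.16.125 from the DECLARE BOT events. `slice_matches_start` holds for both reports, which is the quick way to confirm the PDT assumption before trusting any epoch arithmetic. Phase attribution relies on BotHunter printing every heading in a fixed order even when empty, which is what makes the flattened form recoverable at all.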