Score: 1.9 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List: 199.59.150.9, 199.59.149.232, 199.59.150.41, 199.59.148.87, 199.59.148.20
C & C List: 216.239.36.25, 199.255.189.160 (2), 199.255.189.60, 216.239.34.25, 88.212.196.87 (17)
Peer Coord. List: 130.237.43.67, 68.118.168.173, 79.179.194.243, 169.229.50.9, 68.71.55.18 (13)
Resource List:
Observed Start: 01/16/2013 00:53:57.938 PST
Gen. Time: 01/20/2013 20:12:41.176 PST

INBOUND SCAN

EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD
199.59.150.9 (4) (16:58:10.395 PST-17:00:00.652 PST)
  event=1:2013036 (4) {tcp} E3[rb] ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby, [] MAC_Src: 00:21:1C:EE:14:00
  2: 45850<-80 (16:58:10.395 PST-16:58:40.397 PST)
  2: 53438<-80 (16:59:30.650 PST-17:00:00.652 PST)
199.59.149.232 (5) (00:56:27.514 PST-00:57:52.078 PST)
  event=1:2013036 (5) {tcp} E3[rb] ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby, [] MAC_Src: 00:21:1C:EE:14:00
  33690<-80 (01:03:03.630 PST)
  2: 53377<-80 (00:56:27.514 PST-00:56:57.516 PST)
  2: 42766<-80 (00:57:22.077 PST-00:57:52.078 PST)
199.59.150.41 (6) (00:58:11.791 PST-01:02:08.847 PST)
  event=1:2013036 (6) {tcp} E3[rb] ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby, [] MAC_Src: 00:21:1C:EE:14:00
  2: 53988<-80 (00:59:07.341 PST-00:59:37.348 PST)
  2: 34642<-80 (01:01:38.840 PST-01:02:08.847 PST)
  2: 51696<-80 (00:58:11.791 PST-00:58:41.792 PST)
199.59.148.87 (3) (00:53:57.938 PST)
  event=1:2013036 (3) {tcp} E3[rb] ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby, [] MAC_Src: 00:21:1C:EE:14:00
  35099<-80 (01:00:49.379 PST)
  46431<-80 (00:53:57.938 PST)
  44394<-80 (16:57:34.116 PST)
199.59.148.20 (6) (00:55:40.735 PST-01:00:24.137 PST)
  event=1:2013036 (6) {tcp} E3[rb] ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby, [] MAC_Src: 00:21:1C:EE:14:00
  53756<-80 (16:58:54.097 PST)
  2: 35113<-80 (00:55:40.735 PST-00:56:10.736 PST)
  2: 56728<-80 (00:59:54.134 PST-01:00:24.137 PST)
  34344<-80 (17:00:11.901 PST)

C and C TRAFFIC
216.239.36.25 (02:04:09.702 PST)
  event=1:2007962 {tcp} E4[rb] ET TROJAN Vipdataend C&C Traffic Checkin, [] MAC_Src: 00:21:5A:08:EC:40
  50144->3306 (02:04:09.702 PST)
199.255.189.160 (2) (16:57:23.348 PST)
  event=1:2012801 (2) {tcp} E4[rb] ET TROJAN Spoofed MSIE 7 User-Agent Likely Ponmocup, [/filtered_reviews/91tq8ElTgfhg1dJbJoo8NQ/ajax_captcha_post] MAC_Src: 00:21:5A:08:EC:40
  37374->80 (16:57:23.348 PST)
  36175->80 (07:44:09.770 PST)
199.255.189.60 (11:06:42.230 PST)
  event=1:2012801 {tcp} E4[rb] ET TROJAN Spoofed MSIE 7 User-Agent Likely Ponmocup, [/filtered_reviews/9khiThDEa48ChpK5TkDg5g/ajax_captcha_post] MAC_Src: 00:21:5A:08:EC:40
  36782->80 (11:06:42.230 PST)
216.239.34.25 (05:39:33.405 PST)
  event=1:2007962 {tcp} E4[rb] ET TROJAN Vipdataend C&C Traffic Checkin, [] MAC_Src: 00:21:5A:08:EC:40
  36630->3306 (05:39:33.405 PST)

C and C TRAFFIC (RBN)
88.212.196.87 (17) (00:07:11.105 PST)
  event=1:3810007 (17) {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [%FDk%E1G%A0%A2T!%BB%C7!%93%18] MAC_Src: 00:21:5A:08:EC:40
  47057->80 (00:07:11.105 PST)
  36777->80 (02:31:32.409 PST)
  47711->80 (04:54:52.348 PST)
  35727->80 (07:22:32.497 PST)
  39429->80 (09:48:46.115 PST)
  33009->80 (12:12:21.858 PST)
  50665->80 (14:32:20.250 PST)
  41211->80 (16:57:45.004 PST)
  50989->80 (19:21:57.606 PST)
  58006->80 (21:52:59.439 PST)
  32785->80 (00:20:01.132 PST)
  39767->80 (02:42:41.030 PST)
  45612->80 (05:05:20.696 PST)
  40599->80 (07:29:43.614 PST)
  39691->80 (10:01:30.438 PST)
  42910->80 (12:33:19.323 PST)
  48715->80 (14:53:17.865 PST)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION Info
130.237.43.67 (06:50:36.740 PST)
  event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:EC:40
  46204->6969 (06:50:36.740 PST)
68.118.168.173 (06:50:36.529 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:EC:40
  6881->33345 (06:50:36.529 PST)
79.179.194.243 (06:51:36.505 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:EC:40
  6881->56193 (06:51:36.505 PST)
169.229.50.9 (06:50:36.980 PST)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:EC:40
  38519->6881 (06:50:36.980 PST)
68.71.55.18 (13) (23:59:33.869 PST)
  event=1:1100010 (13) {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:21:5A:08:EC:40
  58890->80 (23:59:33.869 PST)
  43508->80 (02:26:19.907 PST)
  39056->80 (04:48:10.449 PST)
  51301->80 (07:16:21.427 PST)
  42757->80 (09:42:21.016 PST)
  58552->80 (12:04:14.083 PST)
  57230->80 (14:26:52.931 PST)
  33565->80 (16:47:58.381 PST)
  49748->80 (19:15:59.060 PST)
  52470->80 (21:44:12.356 PST)
  47986->80 (00:13:47.411 PST)
  49277->80 (02:36:43.945 PST)
  55633->80 (04:58:48.231 PST)

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port
8.5.1.45 (2) (10:42:04.828 PST)
  event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
  54797->49302 (10:42:04.828 PST)
  -------------------------
  event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
  49302->49302 (09:10:39.981 PST)

DECLARE BOT

OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358326437.938 1358384400.653 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'