Score: 1.9 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List: 199.59.150.9, 199.59.149.232, 199.59.150.41, 199.59.148.87, 199.59.148.20
C & C List: 199.255.189.160 (2), 199.255.189.60 (3), 216.239.32.25, 216.239.38.25, 67.21.67.66, 95.83.47.248
Peer Coord. List: 76.166.153.232, 70.73.43.249, 99.189.228.150, 169.229.50.9, 93.180.0.114, 137.165.1.112 (2), 60.50.90.86, 132.72.23.11, 89.32.220.198, 130.237.43.67, 200.0.206.137, 94.139.241.170, 117.212.18.21, 76.184.251.184, 200.129.132.18, 141.212.113.178
Resource List:
Observed Start: 01/16/2013 00:54:14.192 PST
Gen. Time: 01/21/2013 19:47:14.310 PST

INBOUND SCAN

EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD
199.59.150.9 (3) (00:54:14.192 PST-00:54:59.197 PST)
  event=1:2013036 (3) {tcp} E3[rb] ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby, [] MAC_Src: 00:21:1C:EE:14:00
  3: 32853<-80 (00:54:14.192 PST-00:54:59.197 PST)
199.59.149.232 (3) (00:55:39.898 PST-09:27:58.747 PST)
  event=1:2013036 (3) {tcp} E3[rb] ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby, [] MAC_Src: 00:21:1C:EE:14:00
  2: 52370<-80 (09:27:28.746 PST-09:27:58.747 PST)
  57399<-80 (00:55:39.898 PST)
199.59.150.41 (6) (00:56:26.810 PST-01:03:32.857 PST)
  event=1:2013036 (6) {tcp} E3[rb] ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby, [] MAC_Src: 00:21:1C:EE:14:00
  2: 45509<-80 (00:56:26.810 PST-00:56:56.810 PST)
  2: 37616<-80 (01:03:02.857 PST-01:03:32.857 PST)
  53098<-80 (01:00:48.519 PST)
  47546<-80 (00:57:21.287 PST)
199.59.148.87 (6) (00:58:11.016 PST-09:29:36.125 PST)
  event=1:2013036 (6) {tcp} E3[rb] ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby, [] MAC_Src: 00:21:1C:EE:14:00
  2: 36082<-80 (00:59:53.369 PST-01:00:23.375 PST)
  34009<-80 (00:58:11.016 PST)
  2: 52362<-80 (09:29:06.124 PST-09:29:36.125 PST)
  33572<-80 (01:03:59.266 PST)
199.59.148.20 (5) (00:59:06.525 PST-09:28:41.004 PST)
  event=1:2013036 (5) {tcp} E3[rb] ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby, [] MAC_Src: 00:21:1C:EE:14:00
  2: 43180<-80 (09:28:11.000 PST-09:28:41.004 PST)
  2: 45295<-80 (00:59:06.525 PST-00:59:36.527 PST)
  42080<-80 (01:01:38.042 PST)

C and C TRAFFIC
199.255.189.160 (2) (09:27:03.618 PST)
  event=1:2012801 (2) {tcp} E4[rb] ET TROJAN Spoofed MSIE 7 User-Agent Likely Ponmocup, [/filtered_reviews/Rg5oDRbHbZrmJ_qq7V8KEg?fsid=4gQ4QbEyDzI1Lg10M5zPVw&filtered_start=0] MAC_Src: 00:21:5A:08:BB:0C
  54107->80 (09:27:03.618 PST)
  60089->80 (01:50:57.998 PST)
199.255.189.60 (3) (12:03:00.411 PST)
  event=1:2012801 (3) {tcp} E4[rb] ET TROJAN Spoofed MSIE 7 User-Agent Likely Ponmocup, [/filtered_reviews/uEucSd4jwY_zb10AcEye_g?fsid=l-N-pZwUYpfbJBiTbkHQKw&filtered_start=80] MAC_Src: 00:21:5A:08:BB:0C
  37037->80 (12:03:00.411 PST)
  33965->80 (21:50:47.893 PST)
  53702->80 (08:07:51.394 PST)
216.239.32.25 (08:10:46.276 PST)
  event=1:2007962 {tcp} E4[rb] ET TROJAN Vipdataend C&C Traffic Checkin, [] MAC_Src: 00:21:5A:08:BB:0C
  40832->3306 (08:10:46.276 PST)
216.239.38.25 (20:24:44.333 PST)
  event=1:2007962 {tcp} E4[rb] ET TROJAN Vipdataend C&C Traffic Checkin, [] MAC_Src: 00:21:5A:08:BB:0C
  40305->3306 (20:24:44.333 PST)

C and C TRAFFIC (RBN)
67.21.67.66 (17:16:28.387 PST)
  event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C
  445->1559 (17:16:28.387 PST)
95.83.47.248 (10:30:59.561 PST)
  event=1:3810008 {udp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C
  6881->6881 (10:30:59.561 PST)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION Info
76.166.153.232 (06:55:55.341 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
  6881->45592 (06:55:55.341 PST)
70.73.43.249 (06:41:10.022 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
  6881->16881 (06:41:10.022 PST)
99.189.228.150 (06:52:25.367 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
  6881->41495 (06:52:25.367 PST)
169.229.50.9 (06:40:10.597 PST)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C
  39994->6881 (06:40:10.597 PST)
93.180.0.114 (06:49:42.262 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
  6881->6881 (06:49:42.262 PST)
137.165.1.112 (2) (06:46:27.661 PST-06:47:27.971 PST)
  event=1:1100013 (2) {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
  2: 6881->6881 (06:46:27.661 PST-06:47:27.971 PST)
60.50.90.86 (06:42:10.016 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
  6881->14539 (06:42:10.016 PST)
132.72.23.11 (06:54:46.930 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
  6881->6881 (06:54:46.930 PST)
89.32.220.198 (06:53:28.326 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
  6881->63555 (06:53:28.326 PST)
130.237.43.67 (06:40:10.398 PST)
  event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C
  48216->6969 (06:40:10.398 PST)
200.0.206.137 (06:48:38.023 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
  6881->6881 (06:48:38.023 PST)
94.139.241.170 (06:43:11.232 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
  6881->37141 (06:43:11.232 PST)
117.212.18.21 (06:51:21.074 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
  6881->31997 (06:51:21.074 PST)
76.184.251.184 (06:40:10.181 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
  6881->51524 (06:40:10.181 PST)
200.129.132.18 (06:45:21.707 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
  6881->6881 (06:45:21.707 PST)
141.212.113.178 (06:44:18.185 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
  6881->6881 (06:44:18.185 PST)

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port
8.5.1.45 (07:28:36.011 PST)
  event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
  49302->49302 (07:28:36.011 PST)
195.128.181.52 (16) (08:30:48.637 PST-13:31:13.862 PST)
  event=1:9930020 (16) {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
  10: 6881->61834 (08:30:48.637 PST-13:31:13.862 PST)
  6: 6882->61834 (07:57:49.081 PST-13:00:17.361 PST)

DECLARE BOT

OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358326454.192 1358631073.863 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'