Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List: 199.59.150.9, 199.59.149.232, 199.59.150.41, 199.59.148.87, 199.59.148.20
C & C List: 88.212.196.87 (3), 217.199.217.100
Peer Coord. List: 208.117.131.116, 169.229.50.9, 135.19.137.101, 31.28.41.5, 72.36.112.78, 203.30.39.238 (2), 85.26.241.208, 128.114.63.63, 130.237.43.67 (2), 130.37.193.141, 76.104.233.167, 195.113.161.14, 93.64.51.185, 68.71.55.18 (2)
Resource List:
Observed Start: 01/20/2013 20:13:13.068 PST
Gen. Time: 01/21/2013 06:10:54.008 PST

INBOUND SCAN

EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD
199.59.150.9 (20:20:08.658 PST)
event=1:2013036 {tcp} E3[rb] ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby, [] MAC_Src: 00:21:1C:EE:14:00
40508<-80 (20:20:08.658 PST)
199.59.149.232 (5) (20:19:17.976 PST-20:22:55.337 PST)
event=1:2013036 (5) {tcp} E3[rb] ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby, [] MAC_Src: 00:21:1C:EE:14:00
55309<-80 (20:24:01.442 PST)
2: 56021<-80 (20:22:25.333 PST-20:22:55.337 PST)
2: 49716<-80 (20:19:17.976 PST-20:19:47.979 PST)
199.59.150.41 (2) (20:17:03.132 PST-20:17:33.139 PST)
event=1:2013036 (2) {tcp} E3[rb] ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby, [] MAC_Src: 00:21:1C:EE:14:00
2: 49591<-80 (20:17:03.132 PST-20:17:33.139 PST)
199.59.148.87 (4) (20:14:03.407 PST)
event=1:2013036 (4) {tcp} E3[rb] ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby, [] MAC_Src: 00:21:1C:EE:14:00
51017<-80 (20:23:11.009 PST)
50709<-80 (20:16:52.367 PST)
41804<-80 (20:24:42.446 PST)
50674<-80 (20:14:03.407 PST)
199.59.148.20 (5) (20:13:13.068 PST-20:16:07.890 PST)
event=1:2013036 (5) {tcp} E3[rb] ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby, [] MAC_Src: 00:21:1C:EE:14:00
36766<-80 (20:21:32.603 PST)
2: 36928<-80 (20:15:37.893 PST-20:16:07.890 PST)
50377<-80 (20:13:13.068 PST)
56013<-80 (20:17:49.339 PST)

C and C TRAFFIC

C and C TRAFFIC (RBN)
88.212.196.87 (3) (22:37:03.774 PST)
event=1:3810007 (3) {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [q%86%B7$D%EF%A9Z%C4@bf%09?%15%90%C36%1C%C1%C3%11%F0%16%A6%0E@%89%B3t%CFz%88%D0p%FAA%F0%90%AE%14%AF%D1Y%C9:1%A5S%DC^%85%E3%E2] MAC_Src: 00:21:5A:08:EC:40
38675->80 (22:37:03.774 PST)
45929->80 (01:24:49.957 PST)
36173->80 (04:05:09.844 PST)
217.199.217.100 (01:37:38.069 PST)
event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
41098->80 (01:37:38.069 PST)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION Info
208.117.131.116 (03:47:00.138 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:EC:40
6881->6881 (03:47:00.138 PST)
169.229.50.9 (03:40:46.669 PST)
event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:EC:40
36477->6881 (03:40:46.669 PST)
135.19.137.101 (03:40:45.558 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:EC:40
6881->55883 (03:40:45.558 PST)
31.28.41.5 (03:42:45.605 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:EC:40
6881->62474 (03:42:45.605 PST)
72.36.112.78 (03:48:00.443 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:EC:40
6881->6881 (03:48:00.443 PST)
203.30.39.238 (2) (01:34:28.545 PST)
event=1:1100018 (2) {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:EC:40
37936->60000 (01:34:28.545 PST)
45776->60000 (01:53:36.594 PST)
85.26.241.208 (03:43:50.207 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:EC:40
6881->11526 (03:43:50.207 PST)
128.114.63.63 (03:49:48.205 PST)
event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:EC:40
58723->6881 (03:49:48.205 PST)
130.237.43.67 (2) (03:40:46.355 PST)
event=1:1100018 (2) {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:EC:40
44333->6969 (03:40:46.355 PST)
38723->6969 (03:49:47.964 PST)
130.37.193.141 (03:49:16.951 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:EC:40
6881->6881 (03:49:16.951 PST)
76.104.233.167 (03:41:45.431 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:EC:40
6881->35611 (03:41:45.431 PST)
195.113.161.14 (03:45:58.036 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:EC:40
6881->6881 (03:45:58.036 PST)
93.64.51.185 (03:44:50.226 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:EC:40
6881->8773 (03:44:50.226 PST)
68.71.55.18 (2) (22:29:46.215 PST)
event=1:1100010 (2) {tcp} E7[info] P2P .torrent metafile request, [%8EW%BC%94:%L%D1%ED%BE%C8^%9EvN%BC%CB] MAC_Src: 00:21:5A:08:EC:40
60794->80 (22:29:46.215 PST)
41961->80 (01:15:36.824 PST)

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port
8.5.1.45 (06:10:54.008 PST)
event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
49302->49302 (06:10:54.008 PST)

DECLARE BOT

OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358741593.068 1358742175.338 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.9 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List: 199.59.150.9, 199.59.149.232, 199.59.150.41, 199.59.148.87, 199.59.148.20
C & C List: 199.255.189.60, 208.95.172.130, 88.212.196.87 (9), 217.199.217.100
Peer Coord. List: 208.117.131.116, 169.229.50.9, 135.19.137.101, 31.28.41.5, 72.36.112.78, 203.30.39.238 (2), 85.26.241.208, 128.114.63.63, 130.237.43.67 (2), 130.37.193.141, 76.104.233.167, 195.113.161.14, 93.64.51.185, 68.71.55.18 (2)
Resource List:
Observed Start: 01/20/2013 20:13:13.068 PST
Gen. Time: 01/21/2013 20:45:38.568 PST

INBOUND SCAN

EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD
199.59.150.9 (2) (20:20:08.658 PST)
event=1:2013036 (2) {tcp} E3[rb] ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby, [] MAC_Src: 00:21:1C:EE:14:00
40508<-80 (20:20:08.658 PST)
45473<-80 (06:11:50.725 PST)
199.59.149.232 (5) (20:19:17.976 PST-20:22:55.337 PST)
event=1:2013036 (5) {tcp} E3[rb] ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby, [] MAC_Src: 00:21:1C:EE:14:00
2: 56021<-80 (20:22:25.333 PST-20:22:55.337 PST)
55309<-80 (20:24:01.442 PST)
2: 49716<-80 (20:19:17.976 PST-20:19:47.979 PST)
199.59.150.41 (3) (20:17:03.132 PST-20:17:33.139 PST)
event=1:2013036 (3) {tcp} E3[rb] ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby, [] MAC_Src: 00:21:1C:EE:14:00
58866<-80 (06:12:28.535 PST)
2: 49591<-80 (20:17:03.132 PST-20:17:33.139 PST)
199.59.148.87 (4) (20:14:03.407 PST)
event=1:2013036 (4) {tcp} E3[rb] ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby, [] MAC_Src: 00:21:1C:EE:14:00
51017<-80 (20:23:11.009 PST)
50709<-80 (20:16:52.367 PST)
41804<-80 (20:24:42.446 PST)
50674<-80 (20:14:03.407 PST)
199.59.148.20 (7) (20:13:13.068 PST-06:11:32.089 PST)
event=1:2013036 (7) {tcp} E3[rb] ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby, [] MAC_Src: 00:21:1C:EE:14:00
36766<-80 (20:21:32.603 PST)
2: 36928<-80 (20:15:37.893 PST-20:16:07.890 PST)
50377<-80 (20:13:13.068 PST)
56013<-80 (20:17:49.339 PST)
2: 38645<-80 (06:11:02.083 PST-06:11:32.089 PST)

C and C TRAFFIC
199.255.189.60 (07:07:30.539 PST)
event=1:2012801 {tcp} E4[rb] ET TROJAN Spoofed MSIE 7 User-Agent Likely Ponmocup, [/filtered_reviews/-RK6opWNzIt4z53iQPTr0g?fsid=5oOXRoy0o7V5Bp5vPFXfMQ&filtered_start=70] MAC_Src: 00:21:5A:08:EC:40
39343->80 (07:07:30.539 PST)

C and C TRAFFIC (RBN)
208.95.172.130 (09:57:26.504 PST)
event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [%05%F9%FA%BD\%0E%D2%9C%17%03%01%03%092%DC5%B6's] ^+%E5%CE%B1%96%BA%CA@)%A0%F5%EC%FD%F4{LZ%DA%0B%D1%0A%DB%BDxT(%AE@%BE%B0%A2%B0] MAC_Src: 00:21:5A:08:EC:40
41976->80 (09:57:26.504 PST)
88.212.196.87 (9) (22:37:03.774 PST)
event=1:3810007 (9) {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [q%86%B7$D%EF%A9Z%C4@bf%09?%15%90%C36%1C%C1%C3%11%F0%16%A6%0E@%89%B3t%CFz%88%D0p%FAA%F0%90%AE%14%AF%D1Y%C9:1%A5S%DC^%85%E3%E2] MAC_Src: 00:21:5A:08:EC:40
38675->80 (22:37:03.774 PST)
45929->80 (01:24:49.957 PST)
36173->80 (04:05:09.844 PST)
41641->80 (06:58:38.137 PST)
53836->80 (09:44:39.983 PST)
57525->80 (12:29:19.612 PST)
52753->80 (15:15:58.383 PST)
36340->80 (18:05:35.891 PST)
45063->80 (20:38:35.604 PST)
217.199.217.100 (01:37:38.069 PST)
event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
41098->80 (01:37:38.069 PST)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION Info
208.117.131.116 (03:47:00.138 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:EC:40
6881->6881 (03:47:00.138 PST)
169.229.50.9 (03:40:46.669 PST)
event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:EC:40
36477->6881 (03:40:46.669 PST)
135.19.137.101 (03:40:45.558 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:EC:40
6881->55883 (03:40:45.558 PST)
31.28.41.5 (03:42:45.605 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:EC:40
6881->62474 (03:42:45.605 PST)
72.36.112.78 (03:48:00.443 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:EC:40
6881->6881 (03:48:00.443 PST)
203.30.39.238 (2) (01:34:28.545 PST)
event=1:1100018 (2) {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:EC:40
37936->60000 (01:34:28.545 PST)
45776->60000 (01:53:36.594 PST)
85.26.241.208 (03:43:50.207 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:EC:40
6881->11526 (03:43:50.207 PST)
128.114.63.63 (03:49:48.205 PST)
event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:EC:40
58723->6881 (03:49:48.205 PST)
130.237.43.67 (2) (03:40:46.355 PST)
event=1:1100018 (2) {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:EC:40
44333->6969 (03:40:46.355 PST)
38723->6969 (03:49:47.964 PST)
130.37.193.141 (03:49:16.951 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:EC:40
6881->6881 (03:49:16.951 PST)
76.104.233.167 (03:41:45.431 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:EC:40
6881->35611 (03:41:45.431 PST)
195.113.161.14 (03:45:58.036 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:EC:40
6881->6881 (03:45:58.036 PST)
93.64.51.185 (03:44:50.226 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:EC:40
6881->8773 (03:44:50.226 PST)
68.71.55.18 (2) (22:29:46.215 PST)
event=1:1100010 (2) {tcp} E7[info] P2P .torrent metafile request, [%8EW%BC%94:%L%D1%ED%BE%C8^%9EvN%BC%CB] MAC_Src: 00:21:5A:08:EC:40
60794->80 (22:29:46.215 PST)
41961->80 (01:15:36.824 PST)

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port
8.5.1.45 (06:10:54.008 PST)
event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
49302->49302 (06:10:54.008 PST)

DECLARE BOT

OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358741593.068 1358777492.090 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================