Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: 130.237.43.220, 83.10.18.43 Resource List: Observed Start: 01/23/2013 15:18:55.520 PST Gen. Time: 01/23/2013 15:19:42.536 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 130.237.43.220 (15:19:26.388 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C 43475->6969 (15:19:26.388 PST) 83.10.18.43 (15:18:55.520 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6882->27655 (15:18:55.520 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 195.128.181.52 (15:19:42.536 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 6882->61834 (15:19:42.536 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1358983135.520 1358983135.521 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: 130.237.43.220, 83.10.18.43, 131.247.2.241, 169.229.50.18, 128.220.231.2 Resource List: Observed Start: 01/23/2013 15:18:55.520 PST Gen. Time: 01/23/2013 15:22:04.149 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 130.237.43.220 (15:19:26.388 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C 43475->6969 (15:19:26.388 PST) 83.10.18.43 (15:18:55.520 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6882->27655 (15:18:55.520 PST) 131.247.2.241 (15:19:55.880 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6881->6882 (15:19:55.880 PST) 169.229.50.18 (15:19:43.889 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C 41117->6882 (15:19:43.889 PST) 128.220.231.2 (15:20:59.115 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6881->6881 (15:20:59.115 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 195.128.181.52 (15:19:42.536 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 6882->61834 (15:19:42.536 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1358983135.520 1358983135.521 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: 130.237.43.220, 46.39.244.16 Resource List: Observed Start: 01/23/2013 15:31:10.514 PST Gen. Time: 01/23/2013 15:31:23.676 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 130.237.43.220 (15:31:14.116 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C 57817->6969 (15:31:14.116 PST) 46.39.244.16 (15:31:10.514 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6881->53258 (15:31:10.514 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 195.128.181.52 (15:31:23.676 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 6882->61834 (15:31:23.676 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1358983870.514 1358983870.515 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: 68.196.39.210, 130.237.43.220 (2), 220.244.145.131, 46.39.244.16, 208.77.77.195, 204.123.28.56, 128.187.223.212 Resource List: Observed Start: 01/23/2013 15:31:10.514 PST Gen. Time: 01/23/2013 15:34:43.570 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 68.196.39.210 (15:33:10.327 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6882->6926 (15:33:10.327 PST) 130.237.43.220 (2) (15:31:14.116 PST) event=1:1100018 (2) {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C 57817->6969 (15:31:14.116 PST) 58038->6969 (15:34:22.280 PST) 220.244.145.131 (15:32:10.301 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6882->46062 (15:32:10.301 PST) 46.39.244.16 (15:31:10.514 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6881->53258 (15:31:10.514 PST) 208.77.77.195 (15:31:24.735 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C 58742->6881 (15:31:24.735 PST) 204.123.28.56 (15:34:43.570 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C 49156->6881 (15:34:43.570 PST) 128.187.223.212 (15:34:11.175 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6881->6882 (15:34:11.175 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 195.128.181.52 (15:31:23.676 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 6882->61834 (15:31:23.676 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1358983870.514 1358983870.515 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: 130.237.43.220, 77.35.230.96, 132.239.17.224, 146.57.249.98 Resource List: Observed Start: 01/23/2013 16:44:41.112 PST Gen. Time: 01/23/2013 16:46:38.601 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 130.237.43.220 (16:45:46.708 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C 37526->6969 (16:45:46.708 PST) 77.35.230.96 (16:45:41.431 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6881->6881 (16:45:41.431 PST) 132.239.17.224 (16:46:09.185 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C 35261->6881 (16:46:09.185 PST) 146.57.249.98 (16:44:41.112 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6881->6881 (16:44:41.112 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 195.128.181.52 (16:46:38.601 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 6881->61834 (16:46:38.601 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1358988281.112 1358988281.113 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: 130.237.43.220, 77.35.230.96, 72.193.169.223, 88.87.30.40, 132.239.17.224, 146.57.249.98 Resource List: Observed Start: 01/23/2013 16:44:41.112 PST Gen. Time: 01/23/2013 16:48:05.511 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 130.237.43.220 (16:45:46.708 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C 37526->6969 (16:45:46.708 PST) 77.35.230.96 (16:45:41.431 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6881->6881 (16:45:41.431 PST) 72.193.169.223 (16:47:47.476 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6881->33130 (16:47:47.476 PST) 88.87.30.40 (16:46:47.636 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6881->48735 (16:46:47.636 PST) 132.239.17.224 (16:46:09.185 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C 35261->6881 (16:46:09.185 PST) 146.57.249.98 (16:44:41.112 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6881->6881 (16:44:41.112 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 195.128.181.52 (16:46:38.601 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 6881->61834 (16:46:38.601 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1358988281.112 1358988281.113 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================