Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 01/24/2013 05:11:49.589 PST
Gen. Time: 01/24/2013 05:11:49.589 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    195.128.181.52 (05:11:49.589 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 6881->61834 (05:11:49.589 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359033109.589 1359033109.590 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 130.237.43.220, 109.200.159.244, 1.236.67.159, 95.93.157.13, 142.103.2.2
Resource List:
Observed Start: 01/24/2013 05:11:49.589 PST
Gen. Time: 01/24/2013 05:14:58.278 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
    130.237.43.220 (05:13:45.531 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C 59665->6969 (05:13:45.531 PST)
    109.200.159.244 (05:13:32.509 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6881->10464 (05:13:32.509 PST)
    1.236.67.159 (05:12:25.833 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6881->64519 (05:12:25.833 PST)
    95.93.157.13 (05:14:35.771 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6882->44371 (05:14:35.771 PST)
    142.103.2.2 (05:13:45.931 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C 58685->6882 (05:13:45.931 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    195.128.181.52 (05:11:49.589 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 6881->61834 (05:11:49.589 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359033109.589 1359033109.590 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 01/24/2013 06:39:25.320 PST
Gen. Time: 01/24/2013 06:39:25.320 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    8.5.1.45 (06:39:25.320 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 57968->49302 (06:39:25.320 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359038365.320 1359038365.321 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 82.240.229.190, 130.237.43.220, 95.82.206.105, 95.129.166.142
Resource List:
Observed Start: 01/24/2013 06:39:25.320 PST
Gen. Time: 01/24/2013 06:41:51.833 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
    82.240.229.190 (06:41:51.833 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6881->51413 (06:41:51.833 PST)
    130.237.43.220 (06:41:09.403 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C 39434->6969 (06:41:09.403 PST)
    95.82.206.105 (06:39:42.511 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6881->6881 (06:39:42.511 PST)
    95.129.166.142 (06:40:51.657 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6881->19673 (06:40:51.657 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    8.5.1.45 (06:39:25.320 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 57968->49302 (06:39:25.320 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359038365.320 1359038365.321 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 130.237.43.220, 93.73.93.88, 169.229.50.14
Resource List:
Observed Start: 01/24/2013 10:17:48.917 PST
Gen. Time: 01/24/2013 10:18:29.595 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
    130.237.43.220 (10:17:48.917 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C 37349->6969 (10:17:48.917 PST)
    93.73.93.88 (10:18:24.047 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6881->35850 (10:18:24.047 PST)
    169.229.50.14 (10:17:59.942 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C 43230->6881 (10:17:59.942 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    195.128.181.52 (10:18:29.595 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 6881->61834 (10:18:29.595 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359051468.917 1359051468.918 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 130.237.43.220, 93.73.93.88, 169.229.50.14, 189.228.123.114
Resource List:
Observed Start: 01/24/2013 10:17:48.917 PST
Gen. Time: 01/24/2013 10:20:27.859 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
    130.237.43.220 (10:17:48.917 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C 37349->6969 (10:17:48.917 PST)
    93.73.93.88 (10:18:24.047 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6881->35850 (10:18:24.047 PST)
    169.229.50.14 (10:17:59.942 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C 43230->6881 (10:17:59.942 PST)
    189.228.123.114 (10:19:28.857 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6881->18137 (10:19:28.857 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    195.128.181.52 (10:18:29.595 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 6881->61834 (10:18:29.595 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359051468.917 1359051468.918 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 130.237.43.220, 200.102.12.2, 169.229.50.9
Resource List:
Observed Start: 01/24/2013 10:28:46.338 PST
Gen. Time: 01/24/2013 10:29:29.973 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
    130.237.43.220 (10:28:59.812 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C 35869->6969 (10:28:59.812 PST)
    200.102.12.2 (10:28:46.338 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6881->54174 (10:28:46.338 PST)
    169.229.50.9 (10:29:00.016 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C 56561->6881 (10:29:00.016 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    195.128.181.52 (10:29:29.973 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 6882->61834 (10:29:29.973 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359052126.338 1359052126.339 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 130.237.43.220, 212.93.105.6, 200.102.12.2, 169.229.50.9
Resource List:
Observed Start: 01/24/2013 10:28:46.338 PST
Gen. Time: 01/24/2013 10:30:47.871 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
    130.237.43.220 (10:28:59.812 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C 35869->6969 (10:28:59.812 PST)
    212.93.105.6 (10:29:46.339 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6881->25298 (10:29:46.339 PST)
    200.102.12.2 (10:28:46.338 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6881->54174 (10:28:46.338 PST)
    169.229.50.9 (10:29:00.016 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C 56561->6881 (10:29:00.016 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    195.128.181.52 (10:29:29.973 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 6882->61834 (10:29:29.973 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359052126.338 1359052126.339 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 130.237.43.220, 84.43.178.85, 78.90.5.80, 109.233.225.154, 169.229.50.9
Resource List:
Observed Start: 01/24/2013 15:16:35.104 PST
Gen. Time: 01/24/2013 15:18:43.790 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
    130.237.43.220 (15:16:35.672 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C 46943->6969 (15:16:35.672 PST)
    84.43.178.85 (15:18:35.325 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6881->23721 (15:18:35.325 PST)
    78.90.5.80 (15:16:35.104 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6881->32582 (15:16:35.104 PST)
    109.233.225.154 (15:17:35.104 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6881->6881 (15:17:35.104 PST)
    169.229.50.9 (15:16:35.920 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C 49448->6881 (15:16:35.920 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    195.128.181.52 (15:18:43.790 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 6881->61834 (15:18:43.790 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359069395.104 1359069395.105 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 87.236.232.174, 130.237.43.220, 84.43.178.85, 78.90.5.80, 109.233.225.154, 169.229.50.9
Resource List:
Observed Start: 01/24/2013 15:16:35.104 PST
Gen. Time: 01/24/2013 15:20:17.436 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
    87.236.232.174 (15:19:35.326 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6881->6881 (15:19:35.326 PST)
    130.237.43.220 (15:16:35.672 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C 46943->6969 (15:16:35.672 PST)
    84.43.178.85 (15:18:35.325 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6881->23721 (15:18:35.325 PST)
    78.90.5.80 (15:16:35.104 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6881->32582 (15:16:35.104 PST)
    109.233.225.154 (15:17:35.104 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6881->6881 (15:17:35.104 PST)
    169.229.50.9 (15:16:35.920 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C 49448->6881 (15:16:35.920 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    8.5.1.45 (15:20:12.137 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 51383->49302 (15:20:12.137 PST)
    195.128.181.52 (15:18:43.790 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 6881->61834 (15:18:43.790 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359069395.104 1359069395.105 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 130.237.43.220, 204.123.28.57, 193.63.75.19, 192.33.90.68
Resource List:
Observed Start: 01/24/2013 18:44:52.401 PST
Gen. Time: 01/24/2013 18:46:31.917 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
    130.237.43.220 (18:45:42.045 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C 58412->6969 (18:45:42.045 PST)
    204.123.28.57 (18:45:42.464 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C 35983->6881 (18:45:42.464 PST)
    193.63.75.19 (18:45:52.272 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6882->6881 (18:45:52.272 PST)
    192.33.90.68 (18:44:52.401 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6881->6881 (18:44:52.401 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    88.190.26.141 (18:46:31.917 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 6882->2122 (18:46:31.917 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359081892.401 1359081892.402 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 31.162.97.121
Resource List:
Observed Start: 01/24/2013 20:06:55.340 PST
Gen. Time: 01/24/2013 20:07:13.424 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
    31.162.97.121 (20:06:55.340 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6882->38100 (20:06:55.340 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    195.128.181.52 (20:07:13.424 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 6881->61834 (20:07:13.424 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359086815.340 1359086815.341 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 78.206.108.82, 13.7.64.20, 138.48.3.203, 31.162.97.121, 94.22.15.6
Resource List:
Observed Start: 01/24/2013 20:06:55.340 PST
Gen. Time: 01/24/2013 20:10:58.604 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
    78.206.108.82 (20:07:55.581 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6881->8325 (20:07:55.581 PST)
    13.7.64.20 (20:07:13.728 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C 47223->6881 (20:07:13.728 PST)
    138.48.3.203 (20:09:02.378 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6882->6881 (20:09:02.378 PST)
    31.162.97.121 (20:06:55.340 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6882->38100 (20:06:55.340 PST)
    94.22.15.6 (20:10:12.863 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6881->35408 (20:10:12.863 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    195.128.181.52 (20:07:13.424 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 6881->61834 (20:07:13.424 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359086815.340 1359086815.341 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 130.237.43.220, 88.173.144.162, 132.239.17.226
Resource List:
Observed Start: 01/24/2013 20:58:04.538 PST
Gen. Time: 01/24/2013 20:58:06.530 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
    130.237.43.220 (20:58:05.029 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C 50300->6969 (20:58:05.029 PST)
    88.173.144.162 (20:58:04.538 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6882->55556 (20:58:04.538 PST)
    132.239.17.226 (20:58:05.571 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C 59526->6881 (20:58:05.571 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    195.128.181.52 (20:58:06.530 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 6882->61834 (20:58:06.530 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359089884.538 1359089884.539 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 130.237.43.220, 88.173.144.162, 99.95.251.47, 132.239.17.226, 86.25.177.164, 82.234.131.11
Resource List:
Observed Start: 01/24/2013 20:58:04.538 PST
Gen. Time: 01/24/2013 21:02:01.177 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
    130.237.43.220 (20:58:05.029 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C 50300->6969 (20:58:05.029 PST)
    88.173.144.162 (20:58:04.538 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6882->55556 (20:58:04.538 PST)
    99.95.251.47 (21:01:06.401 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6881->6881 (21:01:06.401 PST)
    132.239.17.226 (20:58:05.571 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C 59526->6881 (20:58:05.571 PST)
    86.25.177.164 (21:00:05.431 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6882->20988 (21:00:05.431 PST)
    82.234.131.11 (20:59:05.056 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6882->51413 (20:59:05.056 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    195.128.181.52 (20:58:06.530 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 6882->61834 (20:58:06.530 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359089884.538 1359089884.539 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 01/24/2013 22:16:10.089 PST
Gen. Time: 01/24/2013 22:16:10.089 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    195.128.181.52 (22:16:10.089 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 6881->61834 (22:16:10.089 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359094570.089 1359094570.090 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 101.51.216.194, 211.28.46.26
Resource List:
Observed Start: 01/24/2013 22:16:10.089 PST
Gen. Time: 01/24/2013 22:18:17.479 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
    101.51.216.194 (22:17:23.514 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6881->40832 (22:17:23.514 PST)
    211.28.46.26 (22:16:23.513 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6881->40677 (22:16:23.513 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    195.128.181.52 (22:16:10.089 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 6881->61834 (22:16:10.089 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359094570.089 1359094570.090 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================