Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 103.6.238.125
Egg Source List: 103.6.238.125
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 01/24/2013 00:47:52.239 PST
Gen. Time: 01/24/2013 00:47:52.762 PST

   INBOUND SCAN
   EXPLOIT
      103.6.238.125 (00:47:52.239 PST)
        event=1:22009200 {tcp} E2[rb] ET CURRENT_EVENTS Conficker.a Shellcode, [] MAC_Dst: 00:30:48:30:03:AE
        445<-4612 (00:47:52.239 PST)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
      103.6.238.125 (00:47:52.762 PST)
        event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
        1028<-1062 (00:47:52.762 PST)
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

   tcpslice 1359017272.239 1359017272.240 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 49.206.175.174, 130.237.43.220, 169.229.50.12, 201.254.45.5
Resource List:
Observed Start: 01/24/2013 02:17:55.665 PST
Gen. Time: 01/24/2013 02:19:25.420 PST

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
      49.206.175.174 (02:18:55.666 PST)
        event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:EC:40
        6881->54911 (02:18:55.666 PST)
      130.237.43.220 (02:18:12.860 PST)
        event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:EC:40
        36926->6969 (02:18:12.860 PST)
      169.229.50.12 (02:18:13.062 PST)
        event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:EC:40
        56031->6881 (02:18:13.062 PST)
      201.254.45.5 (02:17:55.665 PST)
        event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:EC:40
        6881->26302 (02:17:55.665 PST)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
      8.5.1.45 (02:19:25.420 PST)
        event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
        54370->49302 (02:19:25.420 PST)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

   tcpslice 1359022675.665 1359022675.666 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 188.134.35.25, 49.206.175.174, 130.237.43.220, 169.229.50.12, 201.254.45.5
Resource List:
Observed Start: 01/24/2013 02:17:55.665 PST
Gen. Time: 01/24/2013 02:20:50.117 PST

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
      188.134.35.25 (02:19:55.668 PST)
        event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:EC:40
        6881->11789 (02:19:55.668 PST)
      49.206.175.174 (02:18:55.666 PST)
        event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:EC:40
        6881->54911 (02:18:55.666 PST)
      130.237.43.220 (02:18:12.860 PST)
        event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:EC:40
        36926->6969 (02:18:12.860 PST)
      169.229.50.12 (02:18:13.062 PST)
        event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:EC:40
        56031->6881 (02:18:13.062 PST)
      201.254.45.5 (02:17:55.665 PST)
        event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:EC:40
        6881->26302 (02:17:55.665 PST)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
      8.5.1.45 (02:19:25.420 PST)
        event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
        54370->49302 (02:19:25.420 PST)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

   tcpslice 1359022675.665 1359022675.666 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 01/24/2013 17:50:15.756 PST
Gen. Time: 01/24/2013 17:50:15.756 PST

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
      8.5.1.45 (17:50:15.756 PST)
        event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
        49302->49302 (17:50:15.756 PST)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

   tcpslice 1359078615.756 1359078615.757 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 130.237.43.220, 129.237.161.194
Resource List:
Observed Start: 01/24/2013 17:50:15.756 PST
Gen. Time: 01/24/2013 17:52:05.209 PST

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
      130.237.43.220 (17:51:57.134 PST)
        event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:EC:40
        59764->6969 (17:51:57.134 PST)
      129.237.161.194 (17:51:34.710 PST)
        event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:EC:40
        6881->6881 (17:51:34.710 PST)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
      8.5.1.45 (17:50:15.756 PST)
        event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
        49302->49302 (17:50:15.756 PST)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

   tcpslice 1359078615.756 1359078615.757 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 177.157.242.195, 108.162.167.26, 125.60.246.135, 67.160.22.66
Resource List:
Observed Start: 01/24/2013 19:33:29.314 PST
Gen. Time: 01/24/2013 19:37:40.848 PST

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
      177.157.242.195 (19:34:32.619 PST)
        event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:EC:40
        6881->23258 (19:34:32.619 PST)
      108.162.167.26 (19:36:40.278 PST)
        event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:EC:40
        6881->6881 (19:36:40.278 PST)
      125.60.246.135 (19:33:29.314 PST)
        event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:EC:40
        6881->20638 (19:33:29.314 PST)
      67.160.22.66 (19:35:36.467 PST)
        event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:EC:40
        6881->34576 (19:35:36.467 PST)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
      8.5.1.45 (19:37:40.848 PST)
        event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
        60521->49302 (19:37:40.848 PST)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

   tcpslice 1359084809.314 1359084809.315 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================
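What follows is an added example, not part of the BotHunter report above and not BotHunter's own code: a Python parser for this profile layout. It splits a report on the SEPARATOR lines, reads the header lists and every dialog-phase event record (remote IP, signature id, protocol, evidence class such as E2[rb] or E7[info], MAC address and the port pair, where the left port belongs to the infected host and the arrow gives the direction), and then does the two things an analyst wants next: it rebuilds the tcpslice/tcpdump carve so that it spans Observed Start through Gen. Time instead of the 1 ms window printed in each profile, and it aggregates remote IPs into an IOC table keyed by phase and signature id, with a filter for weak evidence classes. The function names parse_profiles, carve_command and iocs and the SAMPLE constant are this example's own; the two profiles in SAMPLE are copied from the report above with the empty phase headings and tcpslice lines left out. The fixed UTC-8 offset for "PST" is an assumption, checked against the report's own epoch (1359017272.239 for 00:47:52.239 PST).

```python
"""Parse BotHunter infection profiles into per-phase events, an IOC table and pcap carve commands.
Added example, not code from the report above or from BotHunter. It assumes the profile layout shown
above and a fixed UTC-8 "PST" (the report's own epochs confirm it: 00:47:52.239 PST is 1359017272.239)."""
import re
from datetime import datetime, timedelta, timezone

PST = timezone(timedelta(hours=-8))  # assumption: sensor clock is UTC-8 (January, so no DST)
PHASES = [  # dialog-phase headings; a longer heading is listed before any heading it starts with
    "INBOUND SCAN", "EXPLOIT MALWARE DNS", "EXPLOIT", "EGG DOWNLOAD", "C and C TRAFFIC (RBN)",
    "C and C TRAFFIC", "C and C DNS CHECK-IN", "OUTBOUND SKYPE CANDIDATE", "OUTBOUND SCAN (spp)",
    "OUTBOUND SCAN", "ATTACK PREP", "PEER COORDINATION Info", "PEER COORDINATION",
    "DECLARE BOT Standard Port", "DECLARE BOT Non-standard Port", "DECLARE BOT",
    "OUTBOUND INTENSE MALWARE PORT SCAN"]
HEADER_RE = re.compile(  # header fields, matched on whitespace-normalised text so line wrapping is irrelevant
    r"Score: (?P<score>[\d.]+) \(>= (?P<threshold>[\d.]+)\) Infected Target: (?P<target>\S+) "
    r"Infector List:\s*(?P<infectors>.*?)\s*Egg Source List:\s*(?P<eggs>.*?)\s*C & C List:\s*(?P<cnc>.*?)\s*"
    r"Peer Coord\. List:\s*(?P<peers>.*?)\s*Resource List:\s*(?P<resources>.*?)\s*"
    r"Observed Start: (?P<start>\S+ \S+) PST Gen\. Time: (?P<gen>\S+ \S+) PST")
# A phase heading, or one event record: "<ip> (<time> PST) event=<sid> {<proto>} <tag> <msg>, [] MAC_Src|Dst:
# <mac> <port on infected host><-|-><port on remote host> (<time> PST)"; the arrow gives the direction.
TOKEN_RE = re.compile(
    "(?P<phase>" + "|".join(map(re.escape, PHASES)) + r")|"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \((?P<time>\d\d:\d\d:\d\d\.\d{3}) PST\) event=(?P<sid>\d+:\d+) "
    r"\{(?P<proto>\w+)\} (?P<tag>E\d\[\w+\]) (?P<msg>.*?), \[\] MAC_(?:Src|Dst): (?P<mac>[0-9A-Fa-f:]{17}) "
    r"(?P<lport>\d+)(?P<arrow><-|->)(?P<rport>\d+) \(")
_ts = lambda s: datetime.strptime(s, "%m/%d/%Y %H:%M:%S.%f").replace(tzinfo=PST)  # "01/24/2013 00:47:52.239"


def parse_profiles(text):
    profiles = []
    chunks = (" ".join(c.split()) for c in re.split(r"={5,} SEPARATOR ={5,}", text))  # undo line wrapping
    for m in filter(None, map(HEADER_RE.search, chunks)):
        p = m.groupdict()
        p["score"], p["threshold"] = float(p["score"]), float(p["threshold"])
        p["start"], p["gen"], p["events"], phase = _ts(p["start"]), _ts(p["gen"]), [], None
        for k in ("infectors", "eggs", "cnc", "peers", "resources"):  # comma-separated lists, possibly empty
            p[k] = [x for x in re.split(r",\s*", p[k]) if x]
        for t in TOKEN_RE.finditer(m.string, m.end()):
            if t["phase"]:
                phase = t["phase"]  # every event that follows belongs to this dialog phase
                continue
            e = t.groupdict()
            e.update(phase=phase, lport=int(e["lport"]), rport=int(e["rport"]), inbound=e["arrow"] == "<-")
            p["events"].append(e)
        profiles.append(p)
    return profiles


def carve_command(p, pcap, out="outputFile.tcpd"):
    """tcpslice | tcpdump pipeline spanning Observed Start to Gen. Time (at least 1 ms), so the carve
    holds the whole dialog rather than the 1 ms window printed in the profile."""
    ms = lambda dt: int(round(dt.timestamp() * 1000))
    fmt = lambda v: f"{v // 1000}.{v % 1000:03d}"
    start, end = ms(p["start"]), max(ms(p["gen"]), ms(p["start"]) + 1)
    return f"tcpslice {fmt(start)} {fmt(end)} {pcap} | tcpdump -r - -w {out} 'host {p['target']}'"


def iocs(profiles, skip_tags=()):
    """Remote IP -> {(phase, sid)}; skip_tags drops evidence classes such as E7[info] (BitTorrent hits)."""
    table = {}
    for p in profiles:
        for e in p["events"]:
            if e["tag"] not in skip_tags:
                table.setdefault(e["ip"], set()).add((e["phase"], e["sid"]))
    return table


# Two profiles copied from the report above (empty phase headings and tcpslice lines left out).
SAMPLE = """\
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 103.6.238.125
Egg Source List: 103.6.238.125
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 01/24/2013 00:47:52.239 PST
Gen. Time: 01/24/2013 00:47:52.762 PST
   EXPLOIT
      103.6.238.125 (00:47:52.239 PST)
        event=1:22009200 {tcp} E2[rb] ET CURRENT_EVENTS Conficker.a Shellcode, [] MAC_Dst: 00:30:48:30:03:AE
        445<-4612 (00:47:52.239 PST)
   EGG DOWNLOAD
      103.6.238.125 (00:47:52.762 PST)
        event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
        1028<-1062 (00:47:52.762 PST)
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 01/24/2013 17:50:15.756 PST
Gen. Time: 01/24/2013 17:50:15.756 PST
   DECLARE BOT Non-standard Port
      8.5.1.45 (17:50:15.756 PST)
        event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
        49302->49302 (17:50:15.756 PST)
"""
```

Feed the full report to parse_profiles(open("report.txt").read()) and call iocs(profiles, skip_tags=("E7[info]",)): the PEER COORDINATION Info BitTorrent DHT and tracker hits, which are informational on their own, drop out and what remains is 103.6.238.125 (the Conficker.a shellcode against port 445 and the egg download to 192.168.1.102) and 8.5.1.45 on port 49302 (the ShadowServer-listed control server, present in five of the six profiles), the two addresses to block and hunt for elsewhere on the network. For the second sample profile, where Observed Start equals Gen. Time, carve_command widens the window by 1 ms and reproduces the report's own tcpslice line; for the first it returns a 523 ms window that covers both the exploit and the egg download rather than just the first packet.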