Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 130.237.43.220, 194.42.17.124, 78.157.72.98, 121.54.96.139, 165.91.55.8
Resource List:
Observed Start: 01/25/2013 00:10:11.378 PST
Gen. Time: 01/25/2013 00:13:03.708 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  130.237.43.220 (00:12:44.417 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C 59691->6969 (00:12:44.417 PST)
  194.42.17.124 (00:10:11.378 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6882->6881 (00:10:11.378 PST)
  78.157.72.98 (00:12:19.202 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6882->29687 (00:12:19.202 PST)
  121.54.96.139 (00:11:18.479 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6882->56260 (00:11:18.479 PST)
  165.91.55.8 (00:12:44.663 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C 33916->6881 (00:12:44.663 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  195.128.181.52 (00:13:03.708 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 6881->61834 (00:13:03.708 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1359101411.378 1359101411.379 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 130.237.43.220, 194.42.17.124, 78.157.72.98, 121.54.96.139, 165.91.55.8, 188.252.237.198
Resource List:
Observed Start: 01/25/2013 00:10:11.378 PST
Gen. Time: 01/25/2013 00:14:11.966 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  130.237.43.220 (00:12:44.417 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C 59691->6969 (00:12:44.417 PST)
  194.42.17.124 (00:10:11.378 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6882->6881 (00:10:11.378 PST)
  78.157.72.98 (00:12:19.202 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6882->29687 (00:12:19.202 PST)
  121.54.96.139 (00:11:18.479 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6882->56260 (00:11:18.479 PST)
  165.91.55.8 (00:12:44.663 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C 33916->6881 (00:12:44.663 PST)
  188.252.237.198 (00:13:22.617 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6881->27613 (00:13:22.617 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  195.128.181.52 (00:13:03.708 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 6881->61834 (00:13:03.708 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1359101411.378 1359101411.379 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 01/25/2013 03:12:41.203 PST
Gen. Time: 01/25/2013 03:12:41.203 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  88.190.26.141 (03:12:41.203 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 6881->2122 (03:12:41.203 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1359112361.203 1359112361.204 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 131.179.150.72, 93.159.50.230, 119.157.188.133, 79.135.167.157, 129.130.252.140, 122.67.170.8
Resource List:
Observed Start: 01/25/2013 03:12:41.203 PST
Gen. Time: 01/25/2013 03:16:57.862 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  131.179.150.72 (03:15:43.858 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C 58568->62000 (03:15:43.858 PST)
  93.159.50.230 (03:12:50.499 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6881->6881 (03:12:50.499 PST)
  119.157.188.133 (03:15:54.627 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6882->43644 (03:15:54.627 PST)
  79.135.167.157 (03:14:51.447 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6881->9694 (03:14:51.447 PST)
  129.130.252.140 (03:15:43.579 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C 46311->60000 (03:15:43.579 PST)
  122.67.170.8 (03:13:50.937 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6881->29181 (03:13:50.937 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  88.190.26.141 (03:12:41.203 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 6881->2122 (03:12:41.203 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1359112361.203 1359112361.204 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 80.185.82.148
Resource List:
Observed Start: 01/25/2013 08:26:34.758 PST
Gen. Time: 01/25/2013 08:27:26.296 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  80.185.82.148 (08:26:34.758 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6881->64946 (08:26:34.758 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  8.5.1.45 (08:27:26.296 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 55790->49302 (08:27:26.296 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1359131194.758 1359131194.759 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 178.176.222.172, 124.11.192.97, 82.234.131.11, 176.100.59.70, 80.185.82.148
Resource List:
Observed Start: 01/25/2013 08:26:34.758 PST
Gen. Time: 01/25/2013 08:30:53.295 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  178.176.222.172 (08:29:53.330 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6881->61565 (08:29:53.330 PST)
  124.11.192.97 (08:30:53.295 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6881->17888 (08:30:53.295 PST)
  82.234.131.11 (08:28:42.369 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6881->51413 (08:28:42.369 PST)
  176.100.59.70 (08:27:42.368 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6881->27502 (08:27:42.368 PST)
  80.185.82.148 (08:26:34.758 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6881->64946 (08:26:34.758 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  8.5.1.45 (08:27:26.296 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 55790->49302 (08:27:26.296 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1359131194.758 1359131194.759 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 169.229.50.10
Resource List:
Observed Start: 01/25/2013 11:42:45.961 PST
Gen. Time: 01/25/2013 11:42:46.016 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  169.229.50.10 (11:42:45.961 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C 52736->6882 (11:42:45.961 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  195.128.181.52 (11:42:46.016 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 6882->61834 (11:42:46.016 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1359142965.961 1359142965.962 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 130.237.43.220, 169.229.50.15, 118.168.213.186, 93.73.93.88, 147.102.3.113, 169.229.50.10
Resource List:
Observed Start: 01/25/2013 11:42:45.961 PST
Gen. Time: 01/25/2013 11:45:02.525 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  130.237.43.220 (11:44:09.128 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C 56292->6969 (11:44:09.128 PST)
  169.229.50.15 (11:44:09.362 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C 38944->6881 (11:44:09.362 PST)
  118.168.213.186 (11:43:50.239 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6882->49757 (11:43:50.239 PST)
  93.73.93.88 (11:44:50.105 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6881->35850 (11:44:50.105 PST)
  147.102.3.113 (11:42:47.153 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6882->6881 (11:42:47.153 PST)
  169.229.50.10 (11:42:45.961 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C 52736->6882 (11:42:45.961 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  195.128.181.52 (11:42:46.016 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 6882->61834 (11:42:46.016 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1359142965.961 1359142965.962 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'
============================== SEPARATOR ================================