Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 130.237.43.220, 94.12.142.209, 212.21.3.10, 204.123.28.57, 131.188.44.102, 119.67.73.160
Resource List:
Observed Start: 01/25/2013 23:56:55.323 PST
Gen. Time: 01/26/2013 00:01:00.741 PST
 INBOUND SCAN
 EXPLOIT
 EXPLOIT MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
 ATTACK PREP
 PEER COORDINATION Info
    130.237.43.220 (23:57:28.284 PST)
      event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C
        46726->6969 (23:57:28.284 PST)
    94.12.142.209 (23:58:57.315 PST)
      event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
        6881->29572 (23:58:57.315 PST)
    212.21.3.10 (00:00:00.779 PST)
      event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
        6881->45554 (00:00:00.779 PST)
    204.123.28.57 (23:58:17.032 PST)
      event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C
        60917->6881 (23:58:17.032 PST)
    131.188.44.102 (23:57:57.095 PST)
      event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
        6882->6881 (23:57:57.095 PST)
    119.67.73.160 (23:56:55.323 PST)
      event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
        6881->6890 (23:56:55.323 PST)
 PEER COORDINATION
 DECLARE BOT Standard Port
 DECLARE BOT Non-standard Port
    195.128.181.52 (23:58:15.605 PST)
      event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
        6881->61834 (23:58:15.605 PST)
 DECLARE BOT
 OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1359187015.323 1359187015.324 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 130.237.43.220
Resource List:
Observed Start: 01/26/2013 00:15:53.547 PST
Gen. Time: 01/26/2013 00:16:04.213 PST
 INBOUND SCAN
 EXPLOIT
 EXPLOIT MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
 ATTACK PREP
 PEER COORDINATION Info
    130.237.43.220 (00:15:53.547 PST)
      event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C
        52532->6969 (00:15:53.547 PST)
 PEER COORDINATION
 DECLARE BOT Standard Port
 DECLARE BOT Non-standard Port
    195.128.181.52 (00:16:04.213 PST)
      event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
        6882->61834 (00:16:04.213 PST)
 DECLARE BOT
 OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1359188153.547 1359188153.548 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 81.163.74.208, 130.237.43.220, 62.18.41.168, 192.43.193.71, 204.123.28.55
Resource List:
Observed Start: 01/26/2013 00:15:53.547 PST
Gen. Time: 01/26/2013 00:19:15.106 PST
 INBOUND SCAN
 EXPLOIT
 EXPLOIT MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
 ATTACK PREP
 PEER COORDINATION Info
    81.163.74.208 (00:16:36.203 PST)
      event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
        6882->18448 (00:16:36.203 PST)
    130.237.43.220 (00:15:53.547 PST)
      event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C
        52532->6969 (00:15:53.547 PST)
    62.18.41.168 (00:18:44.755 PST)
      event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
        6882->10069 (00:18:44.755 PST)
    192.43.193.71 (00:17:40.866 PST)
      event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
        6882->6881 (00:17:40.866 PST)
    204.123.28.55 (00:16:05.395 PST)
      event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C
        60744->6881 (00:16:05.395 PST)
 PEER COORDINATION
 DECLARE BOT Standard Port
 DECLARE BOT Non-standard Port
    195.128.181.52 (00:16:04.213 PST)
      event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
        6882->61834 (00:16:04.213 PST)
 DECLARE BOT
 OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1359188153.547 1359188153.548 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 37.235.185.175, 67.162.29.99, 132.239.17.224
Resource List:
Observed Start: 01/26/2013 01:30:05.300 PST
Gen. Time: 01/26/2013 01:31:17.648 PST
 INBOUND SCAN
 EXPLOIT
 EXPLOIT MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
 ATTACK PREP
 PEER COORDINATION Info
    37.235.185.175 (01:30:05.300 PST)
      event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
        6882->23319 (01:30:05.300 PST)
    67.162.29.99 (01:31:07.136 PST)
      event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
        6881->40316 (01:31:07.136 PST)
    132.239.17.224 (01:30:35.184 PST)
      event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C
        55223->6882 (01:30:35.184 PST)
 PEER COORDINATION
 DECLARE BOT Standard Port
 DECLARE BOT Non-standard Port
    195.128.181.52 (01:31:17.648 PST)
      event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
        6881->61834 (01:31:17.648 PST)
 DECLARE BOT
 OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1359192605.300 1359192605.301 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 86.25.150.247, 37.204.119.146, 37.235.185.175, 67.162.29.99, 132.239.17.224
Resource List:
Observed Start: 01/26/2013 01:30:05.300 PST
Gen. Time: 01/26/2013 01:33:59.246 PST
 INBOUND SCAN
 EXPLOIT
 EXPLOIT MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
 ATTACK PREP
 PEER COORDINATION Info
    86.25.150.247 (01:33:12.234 PST)
      event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
        6881->25024 (01:33:12.234 PST)
    37.204.119.146 (01:32:07.076 PST)
      event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
        6881->34546 (01:32:07.076 PST)
    37.235.185.175 (01:30:05.300 PST)
      event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
        6882->23319 (01:30:05.300 PST)
    67.162.29.99 (01:31:07.136 PST)
      event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
        6881->40316 (01:31:07.136 PST)
    132.239.17.224 (01:30:35.184 PST)
      event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C
        55223->6882 (01:30:35.184 PST)
 PEER COORDINATION
 DECLARE BOT Standard Port
 DECLARE BOT Non-standard Port
    195.128.181.52 (01:31:17.648 PST)
      event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
        6881->61834 (01:31:17.648 PST)
 DECLARE BOT
 OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1359192605.300 1359192605.301 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 111.120.44.181
Resource List:
Observed Start: 01/26/2013 06:27:16.261 PST
Gen. Time: 01/26/2013 06:28:15.741 PST
 INBOUND SCAN
 EXPLOIT
 EXPLOIT MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
 ATTACK PREP
 PEER COORDINATION Info
    111.120.44.181 (06:27:16.261 PST)
      event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
        6881->4041 (06:27:16.261 PST)
 PEER COORDINATION
 DECLARE BOT Standard Port
 DECLARE BOT Non-standard Port
    8.5.1.45 (06:28:15.741 PST)
      event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
        44035->49302 (06:28:15.741 PST)
 DECLARE BOT
 OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1359210436.261 1359210436.262 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 75.156.185.90, 212.109.6.89, 111.120.44.181
Resource List:
Observed Start: 01/26/2013 06:27:16.261 PST
Gen. Time: 01/26/2013 06:29:55.882 PST
 INBOUND SCAN
 EXPLOIT
 EXPLOIT MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
 ATTACK PREP
 PEER COORDINATION Info
    75.156.185.90 (06:29:24.202 PST)
      event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
        6881->16520 (06:29:24.202 PST)
    212.109.6.89 (06:28:16.551 PST)
      event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
        6881->13623 (06:28:16.551 PST)
    111.120.44.181 (06:27:16.261 PST)
      event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
        6881->4041 (06:27:16.261 PST)
 PEER COORDINATION
 DECLARE BOT Standard Port
 DECLARE BOT Non-standard Port
    8.5.1.45 (06:28:15.741 PST)
      event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
        44035->49302 (06:28:15.741 PST)
 DECLARE BOT
 OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1359210436.261 1359210436.262 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 201.141.69.253
Resource List:
Observed Start: 01/26/2013 08:48:53.726 PST
Gen. Time: 01/26/2013 08:49:40.053 PST
 INBOUND SCAN
 EXPLOIT
 EXPLOIT MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
 ATTACK PREP
 PEER COORDINATION Info
    201.141.69.253 (08:48:53.726 PST)
      event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
        6881->35924 (08:48:53.726 PST)
 PEER COORDINATION
 DECLARE BOT Standard Port
 DECLARE BOT Non-standard Port
    8.5.1.45 (08:49:40.053 PST)
      event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
        38367->49302 (08:49:40.053 PST)
 DECLARE BOT
 OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1359218933.726 1359218933.727 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 130.237.43.220, 194.228.13.105, 169.229.50.14, 193.63.75.19, 78.155.199.140, 201.141.69.253
Resource List:
Observed Start: 01/26/2013 08:48:53.726 PST
Gen. Time: 01/26/2013 08:52:15.309 PST
 INBOUND SCAN
 EXPLOIT
 EXPLOIT MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
 ATTACK PREP
 PEER COORDINATION Info
    130.237.43.220 (08:51:10.178 PST)
      event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C
        58738->6969 (08:51:10.178 PST)
    194.228.13.105 (08:49:55.217 PST)
      event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
        6881->3223 (08:49:55.217 PST)
    169.229.50.14 (08:51:10.394 PST)
      event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C
        53794->6881 (08:51:10.394 PST)
    193.63.75.19 (08:51:59.914 PST)
      event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
        6881->6881 (08:51:59.914 PST)
    78.155.199.140 (08:50:55.574 PST)
      event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
        6881->32459 (08:50:55.574 PST)
    201.141.69.253 (08:48:53.726 PST)
      event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
        6881->35924 (08:48:53.726 PST)
 PEER COORDINATION
 DECLARE BOT Standard Port
 DECLARE BOT Non-standard Port
    8.5.1.45 (08:49:40.053 PST)
      event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
        38367->49302 (08:49:40.053 PST)
 DECLARE BOT
 OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1359218933.726 1359218933.727 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 130.237.43.220 (2), 119.157.230.143, 128.223.8.113, 123.52.134.10, 88.161.44.184, 129.186.205.78, 177.159.32.108
Resource List:
Observed Start: 01/26/2013 10:37:18.174 PST
Gen. Time: 01/26/2013 10:40:18.073 PST
 INBOUND SCAN
 EXPLOIT
 EXPLOIT MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
 ATTACK PREP
 PEER COORDINATION Info
    130.237.43.220 (2) (10:38:04.690 PST)
      event=1:1100018 (2) {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C
        36716->6969 (10:38:04.690 PST)
        36811->6969 (10:39:52.651 PST)
    119.157.230.143 (10:39:18.176 PST)
      event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
        6882->62193 (10:39:18.176 PST)
    128.223.8.113 (10:40:17.652 PST)
      event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C
        52134->6881 (10:40:17.652 PST)
    123.52.134.10 (10:38:18.175 PST)
      event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
        6882->16001 (10:38:18.175 PST)
    88.161.44.184 (10:37:18.174 PST)
      event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
        6882->49618 (10:37:18.174 PST)
    129.186.205.78 (10:38:04.919 PST)
      event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C
        37252->6881 (10:38:04.919 PST)
    177.159.32.108 (10:40:18.005 PST)
      event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
        6882->54657 (10:40:18.005 PST)
 PEER COORDINATION
 DECLARE BOT Standard Port
 DECLARE BOT Non-standard Port
    195.128.181.52 (10:40:18.073 PST)
      event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
        6882->61834 (10:40:18.073 PST)
 DECLARE BOT
 OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1359225438.174 1359225438.175 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 130.237.43.220, 132.72.23.10, 132.239.17.224
Resource List:
Observed Start: 01/26/2013 15:01:15.276 PST
Gen. Time: 01/26/2013 15:01:50.132 PST
 INBOUND SCAN
 EXPLOIT
 EXPLOIT MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
 ATTACK PREP
 PEER COORDINATION Info
    130.237.43.220 (15:01:27.247 PST)
      event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C
        51050->6969 (15:01:27.247 PST)
    132.72.23.10 (15:01:15.276 PST)
      event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
        6881->6881 (15:01:15.276 PST)
    132.239.17.224 (15:01:27.777 PST)
      event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C
        38238->6882 (15:01:27.777 PST)
 PEER COORDINATION
 DECLARE BOT Standard Port
 DECLARE BOT Non-standard Port
    195.128.181.52 (15:01:50.132 PST)
      event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
        6882->61834 (15:01:50.132 PST)
 DECLARE BOT
 OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1359241275.276 1359241275.277 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 130.237.43.220, 132.72.23.10, 93.86.183.90, 132.239.17.224
Resource List:
Observed Start: 01/26/2013 15:01:15.276 PST
Gen. Time: 01/26/2013 15:03:10.113 PST
 INBOUND SCAN
 EXPLOIT
 EXPLOIT MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
 ATTACK PREP
 PEER COORDINATION Info
    130.237.43.220 (15:01:27.247 PST)
      event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C
        51050->6969 (15:01:27.247 PST)
    132.72.23.10 (15:01:15.276 PST)
      event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
        6881->6881 (15:01:15.276 PST)
    93.86.183.90 (15:02:16.561 PST)
      event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
        6882->22048 (15:02:16.561 PST)
    132.239.17.224 (15:01:27.777 PST)
      event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C
        38238->6882 (15:01:27.777 PST)
 PEER COORDINATION
 DECLARE BOT Standard Port
 DECLARE BOT Non-standard Port
    195.128.181.52 (15:01:50.132 PST)
      event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
        6882->61834 (15:01:50.132 PST)
 DECLARE BOT
 OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1359241275.276 1359241275.277 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 130.237.43.220, 84.101.192.42, 192.36.94.2, 169.229.50.14
Resource List:
Observed Start: 01/26/2013 21:02:28.534 PST
Gen. Time: 01/26/2013 21:04:15.417 PST
 INBOUND SCAN
 EXPLOIT
 EXPLOIT MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
 ATTACK PREP
 PEER COORDINATION Info
    130.237.43.220 (21:03:46.064 PST)
      event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C
        53251->6969 (21:03:46.064 PST)
    84.101.192.42 (21:03:45.398 PST)
      event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
        6882->34756 (21:03:45.398 PST)
    192.36.94.2 (21:02:28.534 PST)
      event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
        6881->6881 (21:02:28.534 PST)
    169.229.50.14 (21:03:46.326 PST)
      event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C
        35163->6881 (21:03:46.326 PST)
 PEER COORDINATION
 DECLARE BOT Standard Port
 DECLARE BOT Non-standard Port
    195.128.181.52 (21:04:15.417 PST)
      event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
        6882->61834 (21:04:15.417 PST)
 DECLARE BOT
 OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1359262948.534 1359262948.535 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 130.237.43.220 (2), 36.73.127.65, 84.101.192.42, 192.36.94.2, 204.123.28.57, 169.229.50.14, 204.123.28.56
Resource List:
Observed Start: 01/26/2013 21:02:28.534 PST
Gen. Time: 01/26/2013 21:06:27.697 PST
 INBOUND SCAN
 EXPLOIT
 EXPLOIT MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
 ATTACK PREP
 PEER COORDINATION Info
    130.237.43.220 (2) (21:03:46.064 PST)
      event=1:1100018 (2) {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C
        53251->6969 (21:03:46.064 PST)
        38199->6969 (21:05:52.913 PST)
    36.73.127.65 (21:04:46.111 PST)
      event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
        6882->10054 (21:04:46.111 PST)
    84.101.192.42 (21:03:45.398 PST)
      event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
        6882->34756 (21:03:45.398 PST)
    192.36.94.2 (21:02:28.534 PST)
      event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
        6881->6881 (21:02:28.534 PST)
    204.123.28.57 (21:05:53.111 PST)
      event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C
        34634->6881 (21:05:53.111 PST)
    169.229.50.14 (21:03:46.326 PST)
      event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C
        35163->6881 (21:03:46.326 PST)
    204.123.28.56 (21:05:53.134 PST)
      event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
        6881->6881 (21:05:53.134 PST)
 PEER COORDINATION
 DECLARE BOT Standard Port
 DECLARE BOT Non-standard Port
    195.128.181.52 (21:04:15.417 PST)
      event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
        6882->61834 (21:04:15.417 PST)
 DECLARE BOT
 OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1359262948.534 1359262948.535 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 130.237.43.220, 169.229.50.15, 95.241.216.151
Resource List:
Observed Start: 01/26/2013 21:20:45.468 PST
Gen. Time: 01/26/2013 21:21:39.432 PST
 INBOUND SCAN
 EXPLOIT
 EXPLOIT MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
 ATTACK PREP
 PEER COORDINATION Info
    130.237.43.220 (21:20:45.468 PST)
      event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C
        38595->6969 (21:20:45.468 PST)
    169.229.50.15 (21:21:10.534 PST)
      event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C
        54247->6881 (21:21:10.534 PST)
    95.241.216.151 (21:21:32.801 PST)
      event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
        6882->52937 (21:21:32.801 PST)
 PEER COORDINATION
 DECLARE BOT Standard Port
 DECLARE BOT Non-standard Port
    195.128.181.52 (21:21:39.432 PST)
      event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
        6882->61834 (21:21:39.432 PST)
 DECLARE BOT
 OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1359264045.468 1359264045.469 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 130.237.43.220, 169.229.50.15, 95.241.216.151, 128.143.6.134, 124.84.132.30, 77.212.250.171
Resource List:
Observed Start: 01/26/2013 21:20:45.468 PST
Gen. Time: 01/26/2013 21:24:49.918 PST
 INBOUND SCAN
 EXPLOIT
 EXPLOIT MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
 ATTACK PREP
 PEER COORDINATION Info
    130.237.43.220 (21:20:45.468 PST)
      event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C
        38595->6969 (21:20:45.468 PST)
    169.229.50.15 (21:21:10.534 PST)
      event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C
        54247->6881 (21:21:10.534 PST)
    95.241.216.151 (21:21:32.801 PST)
      event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
        6882->52937 (21:21:32.801 PST)
    128.143.6.134 (21:24:35.481 PST)
      event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
        6881->6881 (21:24:35.481 PST)
    124.84.132.30 (21:22:33.690 PST)
      event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
        6882->18000 (21:22:33.690 PST)
    77.212.250.171 (21:23:34.563 PST)
      event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
        6882->39581 (21:23:34.563 PST)
 PEER COORDINATION
 DECLARE BOT Standard Port
 DECLARE BOT Non-standard Port
    195.128.181.52 (21:21:39.432 PST)
      event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
        6882->61834 (21:21:39.432 PST)
 DECLARE BOT
 OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1359264045.468 1359264045.469 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 113.83.118.244
Resource List:
Observed Start: 01/26/2013 21:38:12.431 PST
Gen. Time: 01/26/2013 21:39:11.827 PST
 INBOUND SCAN
 EXPLOIT
 EXPLOIT MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
 ATTACK PREP
 PEER COORDINATION Info
    113.83.118.244 (21:38:12.431 PST)
      event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
        6882->16001 (21:38:12.431 PST)
 PEER COORDINATION
 DECLARE BOT Standard Port
 DECLARE BOT Non-standard Port
    195.128.181.52 (21:39:11.827 PST)
      event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
        6882->61834 (21:39:11.827 PST)
 DECLARE BOT
 OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1359265092.431 1359265092.432 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 130.237.43.220 (2), 119.116.75.221, 208.77.77.196, 204.123.28.57, 113.83.118.244, 178.49.46.29
Resource List:
Observed Start: 01/26/2013 21:38:12.431 PST
Gen. Time: 01/26/2013 21:41:14.177 PST
 INBOUND SCAN
 EXPLOIT
 EXPLOIT MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
 ATTACK PREP
 PEER COORDINATION Info
    130.237.43.220 (2) (21:39:55.896 PST)
      event=1:1100018 (2) {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C
        48756->6969 (21:39:55.896 PST)
        34443->6969 (21:41:09.753 PST)
    119.116.75.221 (21:40:12.883 PST)
      event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
        6882->16001 (21:40:12.883 PST)
    208.77.77.196 (21:39:56.132 PST)
      event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C
        43927->6881 (21:39:56.132 PST)
    204.123.28.57 (21:41:09.968 PST)
      event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C
        48978->6881 (21:41:09.968 PST)
    113.83.118.244 (21:38:12.431 PST)
      event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
        6882->16001 (21:38:12.431 PST)
    178.49.46.29 (21:39:12.432 PST)
      event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
        6882->51413 (21:39:12.432 PST)
 PEER COORDINATION
 DECLARE BOT Standard Port
 DECLARE BOT Non-standard Port
    195.128.181.52 (21:39:11.827 PST)
      event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
        6882->61834 (21:39:11.827 PST)
 DECLARE BOT
 OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1359265092.431 1359265092.432 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 130.237.43.220 (2), 137.165.1.114, 88.123.217.10, 31.134.237.192, 169.229.50.18
Resource List:
Observed Start: 01/26/2013 21:57:25.438 PST
Gen. Time: 01/26/2013 22:00:06.445 PST
 INBOUND SCAN
 EXPLOIT
 EXPLOIT MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
 ATTACK PREP
 PEER COORDINATION Info
    130.237.43.220 (2) (21:57:26.615 PST)
      event=1:1100018 (2) {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C
        57737->6969 (21:57:26.615 PST)
        57872->6969 (21:59:35.487 PST)
    137.165.1.114 (21:59:58.493 PST)
      event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
        6882->6882 (21:59:58.493 PST)
    88.123.217.10 (21:57:25.438 PST)
      event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
        6881->51413 (21:57:25.438 PST)
    31.134.237.192 (21:58:43.073 PST)
      event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
        6881->59853 (21:58:43.073 PST)
    169.229.50.18 (21:57:26.814 PST)
      event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C
        45609->6881 (21:57:26.814 PST)
 PEER COORDINATION
 DECLARE BOT Standard Port
 DECLARE BOT Non-standard Port
    195.128.181.52 (22:00:06.445 PST)
      event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
        6881->61834 (22:00:06.445 PST)
 DECLARE BOT
 OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1359266245.438 1359266245.439 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 130.237.43.220 (3), 128.114.63.64, 137.165.1.114, 88.123.217.10, 74.220.170.108, 31.134.237.192, 169.229.50.18
Resource List:
Observed Start: 01/26/2013 21:57:25.438 PST
Gen. Time: 01/26/2013 22:01:26.834 PST
 INBOUND SCAN
 EXPLOIT
 EXPLOIT MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
 ATTACK PREP
 PEER COORDINATION Info
    130.237.43.220 (3) (21:57:26.615 PST)
      event=1:1100018 (3) {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C
        57737->6969 (21:57:26.615 PST)
        57872->6969 (21:59:35.487 PST)
        50949->6969 (22:00:35.779 PST)
    128.114.63.64 (22:00:07.559 PST)
      event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C
        40568->6881 (22:00:07.559 PST)
    137.165.1.114 (21:59:58.493 PST)
      event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
        6882->6882 (21:59:58.493 PST)
    88.123.217.10 (21:57:25.438 PST)
      event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
        6881->51413 (21:57:25.438 PST)
    74.220.170.108 (22:01:02.182 PST)
      event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
        6882->35911 (22:01:02.182 PST)
    31.134.237.192 (21:58:43.073 PST)
      event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
        6881->59853 (21:58:43.073 PST)
    169.229.50.18 (21:57:26.814 PST)
      event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C
        45609->6881 (21:57:26.814 PST)
 PEER COORDINATION
 DECLARE BOT Standard Port
 DECLARE BOT Non-standard Port
    195.128.181.52 (22:00:06.445 PST)
      event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
        6881->61834 (22:00:06.445 PST)
 DECLARE BOT
 OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1359266245.438 1359266245.439 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'
============================== SEPARATOR ================================