Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 01/30/2013 10:18:20.124 PST Gen. Time: 01/30/2013 10:18:20.124 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 8.5.1.45 (10:18:20.124 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 33769->49302 (10:18:20.124 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1359569900.124 1359569900.125 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: 94.225.85.44, 82.237.101.153 Resource List: Observed Start: 01/30/2013 10:18:20.124 PST Gen. Time: 01/30/2013 10:21:21.406 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 94.225.85.44 (10:18:50.362 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6881->58242 (10:18:50.362 PST) 82.237.101.153 (10:20:06.138 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6881->55817 (10:20:06.138 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 8.5.1.45 (10:18:20.124 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 33769->49302 (10:18:20.124 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1359569900.124 1359569900.125 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: 129.15.78.30, 137.132.80.105, 140.109.17.181, 132.252.152.193 Resource List: Observed Start: 01/30/2013 11:28:34.913 PST Gen. Time: 01/30/2013 11:32:13.964 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 129.15.78.30 (11:29:34.951 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6881->6881 (11:29:34.951 PST) 137.132.80.105 (11:28:34.913 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6881->6881 (11:28:34.913 PST) 140.109.17.181 (11:30:46.647 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6881->6881 (11:30:46.647 PST) 132.252.152.193 (11:32:00.118 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6881->6881 (11:32:00.118 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 195.128.181.52 (11:32:13.964 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 6882->61834 (11:32:13.964 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1359574114.913 1359574114.914 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: 130.237.43.220, 129.15.78.30, 208.77.77.196, 137.132.80.105, 140.109.17.181, 132.252.152.193 Resource List: Observed Start: 01/30/2013 11:28:34.913 PST Gen. Time: 01/30/2013 11:32:36.633 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 130.237.43.220 (11:32:14.170 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C 35336->6969 (11:32:14.170 PST) 129.15.78.30 (11:29:34.951 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6881->6881 (11:29:34.951 PST) 208.77.77.196 (11:32:14.570 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C 47641->6881 (11:32:14.570 PST) 137.132.80.105 (11:28:34.913 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6881->6881 (11:28:34.913 PST) 140.109.17.181 (11:30:46.647 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6881->6881 (11:30:46.647 PST) 132.252.152.193 (11:32:00.118 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6881->6881 (11:32:00.118 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 195.128.181.52 (11:32:13.964 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 6882->61834 (11:32:13.964 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1359574114.913 1359574114.914 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: 130.237.43.220, 85.230.86.22, 204.123.28.55 Resource List: Observed Start: 01/30/2013 20:14:06.368 PST Gen. Time: 01/30/2013 20:14:27.056 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 130.237.43.220 (20:14:06.980 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C 50297->6969 (20:14:06.980 PST) 85.230.86.22 (20:14:06.368 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6882->37408 (20:14:06.368 PST) 204.123.28.55 (20:14:07.269 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C 53478->6882 (20:14:07.269 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 195.128.181.52 (20:14:27.056 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 6882->61834 (20:14:27.056 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1359605646.368 1359605646.369 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: 82.239.114.236, 130.237.43.220, 88.172.130.193, 211.178.213.17, 41.223.58.75, 85.230.86.22, 204.123.28.55 Resource List: Observed Start: 01/30/2013 20:14:06.368 PST Gen. Time: 01/30/2013 20:18:09.969 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 82.239.114.236 (20:18:09.969 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6881->51413 (20:18:09.969 PST) 130.237.43.220 (20:14:06.980 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C 50297->6969 (20:14:06.980 PST) 88.172.130.193 (20:17:09.413 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6882->51413 (20:17:09.413 PST) 211.178.213.17 (20:16:06.555 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6882->10753 (20:16:06.555 PST) 41.223.58.75 (20:15:06.554 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6882->55945 (20:15:06.554 PST) 85.230.86.22 (20:14:06.368 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6882->37408 (20:14:06.368 PST) 204.123.28.55 (20:14:07.269 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C 53478->6882 (20:14:07.269 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 195.128.181.52 (20:14:27.056 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 6882->61834 (20:14:27.056 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1359605646.368 1359605646.369 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: 130.237.43.220, 159.217.144.112, 221.206.36.190, 169.229.50.14 Resource List: Observed Start: 01/30/2013 20:43:00.050 PST Gen. Time: 01/30/2013 20:44:50.308 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 130.237.43.220 (20:43:31.550 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C 56855->6969 (20:43:31.550 PST) 159.217.144.112 (20:43:00.050 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6882->6881 (20:43:00.050 PST) 221.206.36.190 (20:44:06.334 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6881->31437 (20:44:06.334 PST) 169.229.50.14 (20:43:31.778 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C 36161->6881 (20:43:31.778 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 195.128.181.52 (20:44:50.308 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 6882->61834 (20:44:50.308 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1359607380.050 1359607380.051 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: 130.237.43.220 (2), 159.217.144.112, 208.77.77.196, 103.11.117.227, 221.206.36.190, 190.11.92.129, 169.229.50.14 Resource List: Observed Start: 01/30/2013 20:43:00.050 PST Gen. Time: 01/30/2013 20:46:10.725 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 130.237.43.220 (2) (20:43:31.550 PST) event=1:1100018 (2) {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C 56855->6969 (20:43:31.550 PST) 56947->6969 (20:44:50.719 PST) 159.217.144.112 (20:43:00.050 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6882->6881 (20:43:00.050 PST) 208.77.77.196 (20:44:51.017 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C 34672->6881 (20:44:51.017 PST) 103.11.117.227 (20:46:10.725 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6882->33387 (20:46:10.725 PST) 221.206.36.190 (20:44:06.334 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6881->31437 (20:44:06.334 PST) 190.11.92.129 (20:45:06.152 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6881->16076 (20:45:06.152 PST) 169.229.50.14 (20:43:31.778 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C 36161->6881 (20:43:31.778 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 195.128.181.52 (20:44:50.308 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 6882->61834 (20:44:50.308 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1359607380.050 1359607380.051 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 01/30/2013 21:30:05.039 PST Gen. Time: 01/30/2013 21:30:05.039 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 8.5.1.45 (21:30:05.039 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 49302->49302 (21:30:05.039 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1359610205.039 1359610205.040 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: 130.237.43.220, 123.203.72.89, 92.17.253.99, 128.111.52.59 Resource List: Observed Start: 01/30/2013 21:30:05.039 PST Gen. Time: 01/30/2013 21:32:26.079 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 130.237.43.220 (21:31:32.261 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C 34602->6969 (21:31:32.261 PST) 123.203.72.89 (21:31:26.748 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6882->10039 (21:31:26.748 PST) 92.17.253.99 (21:30:26.447 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6882->51413 (21:30:26.447 PST) 128.111.52.59 (21:31:52.224 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C 52292->6882 (21:31:52.224 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 8.5.1.45 (21:30:05.039 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 49302->49302 (21:30:05.039 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1359610205.039 1359610205.040 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================