Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 94.1.211.98
Resource List:
Observed Start: 02/01/2013 12:15:52.294 PST
Gen. Time: 02/01/2013 12:16:37.487 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
94.1.211.98 (12:15:52.294 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
  6882->22036 (12:15:52.294 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
8.5.1.45 (12:16:37.487 PST)
  event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
  49302->49302 (12:16:37.487 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359749752.294 1359749752.295 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 130.237.43.220, 189.227.43.123, 198.82.160.221, 169.229.50.9, 66.140.111.5, 94.1.211.98
Resource List:
Observed Start: 02/01/2013 12:15:52.294 PST
Gen. Time: 02/01/2013 12:19:52.680 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
130.237.43.220 (12:18:33.776 PST)
  event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C
  38481->6969 (12:18:33.776 PST)
189.227.43.123 (12:19:04.005 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
  6882->27924 (12:19:04.005 PST)
198.82.160.221 (12:18:00.450 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
  6882->6881 (12:18:00.450 PST)
169.229.50.9 (12:18:33.978 PST)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C
  56781->6882 (12:18:33.978 PST)
66.140.111.5 (12:17:00.369 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
  6882->6881 (12:17:00.369 PST)
94.1.211.98 (12:15:52.294 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
  6882->22036 (12:15:52.294 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
8.5.1.45 (12:16:37.487 PST)
  event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
  49302->49302 (12:16:37.487 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359749752.294 1359749752.295 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 130.237.43.220, 78.62.160.235, 67.207.148.120
Resource List:
Observed Start: 02/01/2013 15:44:39.133 PST
Gen. Time: 02/01/2013 15:46:31.862 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
130.237.43.220 (15:46:21.335 PST)
  event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C
  34320->6969 (15:46:21.335 PST)
78.62.160.235 (15:44:39.133 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
  6881->1305 (15:44:39.133 PST)
67.207.148.120 (15:45:41.460 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
  6881->21758 (15:45:41.460 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
195.128.181.52 (15:46:31.862 PST)
  event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
  6881->61834 (15:46:31.862 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359762279.133 1359762279.134 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 130.237.43.220, 78.62.160.235, 128.187.223.211, 88.123.217.10, 109.168.188.175, 194.254.215.11, 67.207.148.120
Resource List:
Observed Start: 02/01/2013 15:44:39.133 PST
Gen. Time: 02/01/2013 15:48:52.231 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
130.237.43.220 (15:46:21.335 PST)
  event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C
  34320->6969 (15:46:21.335 PST)
78.62.160.235 (15:44:39.133 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
  6881->1305 (15:44:39.133 PST)
128.187.223.211 (15:46:32.679 PST)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C
  35708->6881 (15:46:32.679 PST)
88.123.217.10 (15:47:52.230 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
  6881->51413 (15:47:52.230 PST)
109.168.188.175 (15:48:52.231 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
  6881->61051 (15:48:52.231 PST)
194.254.215.11 (15:46:43.152 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
  6881->6881 (15:46:43.152 PST)
67.207.148.120 (15:45:41.460 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
  6881->21758 (15:45:41.460 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
195.128.181.52 (15:46:31.862 PST)
  event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
  6881->61834 (15:46:31.862 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359762279.133 1359762279.134 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 130.237.43.220, 200.17.202.194, 13.7.64.22
Resource List:
Observed Start: 02/01/2013 18:38:21.059 PST
Gen. Time: 02/01/2013 18:39:25.038 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
130.237.43.220 (18:38:21.059 PST)
  event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C
  52379->6969 (18:38:21.059 PST)
200.17.202.194 (18:38:47.651 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
  6881->6881 (18:38:47.651 PST)
13.7.64.22 (18:38:55.901 PST)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C
  42183->6881 (18:38:55.901 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
195.128.181.52 (18:39:25.038 PST)
  event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
  6882->61834 (18:39:25.038 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359772701.059 1359772701.060 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 130.237.43.220 (2), 92.160.76.235, 200.17.202.194, 13.7.64.22, 101.109.230.226, 50.136.205.65
Resource List:
Observed Start: 02/01/2013 18:38:21.059 PST
Gen. Time: 02/01/2013 18:42:23.302 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
130.237.43.220 (2) (18:38:21.059 PST)
  event=1:1100018 (2) {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C
  52379->6969 (18:38:21.059 PST)
  36294->6969 (18:42:23.302 PST)
92.160.76.235 (18:39:48.604 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
  6882->55129 (18:39:48.604 PST)
200.17.202.194 (18:38:47.651 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
  6881->6881 (18:38:47.651 PST)
13.7.64.22 (18:38:55.901 PST)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C
  42183->6881 (18:38:55.901 PST)
101.109.230.226 (18:41:48.650 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
  6882->18965 (18:41:48.650 PST)
50.136.205.65 (18:40:48.283 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
  6882->24665 (18:40:48.283 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
195.128.181.52 (18:39:25.038 PST)
  event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
  6882->61834 (18:39:25.038 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359772701.059 1359772701.060 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 130.237.43.220, 87.121.175.14
Resource List:
Observed Start: 02/01/2013 18:55:04.141 PST
Gen. Time: 02/01/2013 18:56:41.873 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
130.237.43.220 (18:55:04.141 PST)
  event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C
  34909->6969 (18:55:04.141 PST)
87.121.175.14 (18:55:44.173 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
  6881->48585 (18:55:44.173 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
195.128.181.52 (18:56:41.873 PST)
  event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
  6882->61834 (18:56:41.873 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359773704.141 1359773704.142 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 77.38.29.34, 68.10.248.226, 130.237.43.220 (3), 128.111.52.58, 87.121.175.14, 200.213.29.134, 132.239.17.225
Resource List:
Observed Start: 02/01/2013 18:55:04.141 PST
Gen. Time: 02/01/2013 18:58:46.403 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
77.38.29.34 (18:58:46.403 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
  6881->17425 (18:58:46.403 PST)
68.10.248.226 (18:56:44.174 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
  6881->6890 (18:56:44.174 PST)
130.237.43.220 (3) (18:55:04.141 PST)
  event=1:1100018 (3) {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C
  34909->6969 (18:55:04.141 PST)
  34949->6969 (18:56:42.649 PST)
  35017->6969 (18:57:57.124 PST)
128.111.52.58 (18:58:27.306 PST)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C
  60680->6881 (18:58:27.306 PST)
87.121.175.14 (18:55:44.173 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
  6881->48585 (18:55:44.173 PST)
200.213.29.134 (18:57:44.175 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
  6881->15428 (18:57:44.175 PST)
132.239.17.225 (18:56:42.914 PST)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C
  50628->6881 (18:56:42.914 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
195.128.181.52 (18:56:41.873 PST)
  event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
  6882->61834 (18:56:41.873 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359773704.141 1359773704.142 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================
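Two things an analyst should verify before acting on these profiles. First, every profile scores exactly 0.8 against a 0.8 threshold, and all of the PEER COORDINATION evidence is E7[info] BitTorrent signatures (DHT ping, tracker announce, handshake) leaving local UDP/TCP ports 6881 and 6882; the only non-informational hit is the E8 ShadowServer signature 1:9930020 against 8.5.1.45 or 195.128.181.52, and in every profile after the first that datagram leaves from local port 6881 or 6882, the same ports the DHT pings use, so the first thing to pull from the pcap is whether it is itself a DHT message. Second, the generated tcpslice commands run from Observed Start to Observed Start plus one millisecond, not to Gen. Time, so as printed they capture almost none of the dialog. The Python below is an added example, not BotHunter's own code: it parses a profile in the layout above (the first profile is embedded verbatim, with the empty dialog headings dropped), separates E7 peers from the E8 declaration, converts the PST stamps to epoch seconds to confirm they match the tcpslice argument, reports how much of the dialog window the printed command covers, and builds a command spanning the whole window. Treating PST as UTC-8, the heading and field names, and the one-millisecond end padding (mirroring the printed command) are assumptions taken from the layout on this page.

```python
"""Parse a BotHunter-style infection profile and sanity-check the evidence behind it.
Added example for this page; not BotHunter's own code."""
import re
from datetime import datetime, timedelta, timezone

# First profile on this page, copied verbatim (not constructed); empty headings omitted.
PROFILE = """\
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 94.1.211.98
Resource List:
Observed Start: 02/01/2013 12:15:52.294 PST
Gen. Time: 02/01/2013 12:16:37.487 PST

PEER COORDINATION Info
94.1.211.98 (12:15:52.294 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
  6882->22036 (12:15:52.294 PST)
DECLARE BOT Non-standard Port
8.5.1.45 (12:16:37.487 PST)
  event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
  49302->49302 (12:16:37.487 PST)

tcpslice 1359749752.294 1359749752.295 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'
"""

TZ = {"PST": timezone(timedelta(hours=-8)), "PDT": timezone(timedelta(hours=-7))}  # assumption: US Pacific stamps

FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z&. ]*):\s*(.*)$")                 # "Gen. Time: ..."
HOST_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?: \(\d+\))? \(([\d:.]+) (\w+)\)$")  # "1.2.3.4 (2) (hh:mm:ss.mmm PST)"
EVENT_RE = re.compile(r"^event=(\d+:\d+)(?: \(\d+\))? \{(\w+)\} (E\d)\[(\w+)\] (.*?), \[\] MAC_Src: (\S+)$")
FLOW_RE = re.compile(r"(\d+)->(\d+)")                                        # "sport->dport"
SLICE_RE = re.compile(r"^tcpslice (\d+\.\d+) (\d+\.\d+) ")
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def to_epoch(stamp: str) -> float:
    """'02/01/2013 12:15:52.294 PST' -> POSIX seconds at millisecond precision."""
    date, clock, tz = stamp.split()
    dt = datetime.strptime(f"{date} {clock}", "%m/%d/%Y %H:%M:%S.%f")
    return round(dt.replace(tzinfo=TZ[tz]).timestamp(), 3)


def parse_profile(text: str) -> dict:
    """Header fields, the events under each dialog heading, and the tcpslice window."""
    prof = {"fields": {}, "events": [], "slice": None}
    section, ev = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if raw[0].isspace():                      # indented lines belong to the current event
            m = EVENT_RE.match(line)
            if m:
                ev.update(zip(("sid", "proto", "cls", "conf", "msg", "mac"), m.groups()))
            else:
                ev["flows"] += FLOW_RE.findall(line)   # one (sport, dport) per flow line
        elif line.startswith("tcpslice"):
            prof["slice"] = tuple(float(t) for t in SLICE_RE.match(line).groups())
        elif (m := FIELD_RE.match(line)):
            prof["fields"][m[1]] = m[2]
        elif (m := HOST_RE.match(line)):
            ev = {"section": section, "ip": m[1], "time": m[2], "flows": []}
            prof["events"].append(ev)
        else:                                     # anything else is a dialog-class heading
            section = line
    return prof


def evidence_summary(prof: dict) -> dict:
    """Split E7 (informational peer) evidence from the E8 hit that declares the bot,
    and compare the printed tcpslice window with the dialog window."""
    by_cls = {}
    for ev in prof["events"]:
        by_cls.setdefault(ev["cls"], set()).add(ev["ip"])
    score, threshold = (float(x) for x in re.findall(r"\d+\.\d+", prof["fields"]["Score"]))
    start = to_epoch(prof["fields"]["Observed Start"])
    gen = to_epoch(prof["fields"]["Gen. Time"])
    s0, s1 = prof["slice"]
    listed_peers = set(IP_RE.findall(prof["fields"]["Peer Coord. List"]))
    return {
        "margin": round(score - threshold, 3),        # 0.0 means exactly at threshold
        "peers": sorted(by_cls.get("E7", ())),
        "declared": sorted(by_cls.get("E8", ())),
        "peer_list_matches": listed_peers == by_cls.get("E7", set()),
        "slice_starts_at_observed_start": abs(s0 - start) < 0.001,
        "slice_seconds": round(s1 - s0, 3),
        "dialog_seconds": round(gen - start, 3),
    }


def slice_command(prof: dict, pcap: str = "inputFile.tcpd", out: str = "outputFile.tcpd") -> str:
    """tcpslice | tcpdump command covering Observed Start .. Gen. Time for the infected host.
    The 1 ms end padding mirrors the printed command (assumption, not tcpslice's documented semantics)."""
    start = to_epoch(prof["fields"]["Observed Start"])
    end = to_epoch(prof["fields"]["Gen. Time"]) + 0.001
    host = prof["fields"]["Infected Target"]
    return f"tcpslice {start:.3f} {end:.3f} {pcap} | tcpdump -r - -w {out} 'host {host}'"


if __name__ == "__main__":
    p = parse_profile(PROFILE)
    for k, v in evidence_summary(p).items():
        print(f"{k}: {v}")
    print(slice_command(p))
```

Run it against each profile above by pasting that profile into PROFILE: the E7 set should equal the Peer Coord. List, `slice_seconds` stays 0.001 while `dialog_seconds` runs from 45 s to about four minutes, and `slice_command` gives the tcpslice invocation that actually covers the dialog.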