Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 02/01/2013 04:03:37.426 PST
Gen. Time: 02/01/2013 04:03:37.426 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT

OUTBOUND INTENSE MALWARE PORT SCAN
192.154.105.36 (04:03:37.426 PST)
  event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 500 IPs (137 /24s) (# pkts S/M/O/I=0/250/0/1): 1433:22, 3127:20, 4350:19, 5000:19, 2067:16, 3410:15, 2745:14, 3278:14, 3218:13, 3306:13, 2535:12, 4347:12, 2082:11, 4445:11, 4709:11, 2100:10, 3479:9, 4380:9, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (04:03:37.426 PST)

tcpslice 1359720217.426 1359720217.427 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 157.159.226.72, 177.42.159.194
Resource List:
Observed Start: 02/01/2013 04:03:37.426 PST
Gen. Time: 02/01/2013 04:06:13.954 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP

PEER COORDINATION Info
157.159.226.72 (04:05:18.209 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:EC:40 6882->6881 (04:05:18.209 PST)
177.42.159.194 (04:04:11.289 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:EC:40 6882->22871 (04:04:11.289 PST)

PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT

OUTBOUND INTENSE MALWARE PORT SCAN
192.154.105.36 (04:03:37.426 PST)
  event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 500 IPs (137 /24s) (# pkts S/M/O/I=0/250/0/1): 1433:22, 3127:20, 4350:19, 5000:19, 2067:16, 3410:15, 2745:14, 3278:14, 3218:13, 3306:13, 2535:12, 4347:12, 2082:11, 4445:11, 4709:11, 2100:10, 3479:9, 4380:9, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (04:03:37.426 PST)

tcpslice 1359720217.426 1359720217.427 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 140.247.60.126, 178.172.185.19
Resource List:
Observed Start: 02/01/2013 04:03:52.561 PST
Gen. Time: 02/01/2013 04:03:52.561 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP

PEER COORDINATION Info
140.247.60.126 (07:43:51.965 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:EC:40 6882->6881 (07:43:51.965 PST)
178.172.185.19 (07:44:55.087 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:EC:40 6881->36330 (07:44:55.087 PST)

PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT

OUTBOUND INTENSE MALWARE PORT SCAN
199.36.72.207 (04:03:52.561 PST)
  event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 500 IPs (137 /24s) (# pkts S/M/O/I=0/389/39871/1): 1433:33, 2745:28, 5000:27, 3127:24, 3218:24, 4350:24, 4709:24, 3278:22, 2535:21, 3410:21, 2067:20, 2100:18, 3306:18, 4380:18, 4445:18, 2082:17, 4347:16, 3479:14, 5554, 11768, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (04:03:52.561 PST)

tcpslice 1359720232.561 1359720232.562 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 134.88.5.253, 130.237.43.220, 140.247.60.126, 213.87.132.77, 132.239.17.224, 178.172.185.19
Resource List:
Observed Start: 02/01/2013 04:03:52.561 PST
Gen. Time: 02/01/2013 07:47:49.721 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP

PEER COORDINATION Info
134.88.5.253 (07:47:06.560 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:EC:40 6882->6881 (07:47:06.560 PST)
130.237.43.220 (07:46:12.868 PST)
  event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:EC:40 34909->6969 (07:46:12.868 PST)
140.247.60.126 (07:43:51.965 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:EC:40 6882->6881 (07:43:51.965 PST)
213.87.132.77 (07:46:03.742 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:EC:40 6882->33755 (07:46:03.742 PST)
132.239.17.224 (07:46:13.081 PST)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:EC:40 33242->6882 (07:46:13.081 PST)
178.172.185.19 (07:44:55.087 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:EC:40 6881->36330 (07:44:55.087 PST)

PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT

OUTBOUND INTENSE MALWARE PORT SCAN
199.36.72.207 (04:03:52.561 PST)
  event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 500 IPs (137 /24s) (# pkts S/M/O/I=0/389/39871/1): 1433:33, 2745:28, 5000:27, 3127:24, 3218:24, 4350:24, 4709:24, 3278:22, 2535:21, 3410:21, 2067:20, 2100:18, 3306:18, 4380:18, 4445:18, 2082:17, 4347:16, 3479:14, 5554, 11768, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (04:03:52.561 PST)

tcpslice 1359720232.561 1359720232.562 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================