Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 90.130.190.90, 95.191.36.21
Resource List:
Observed Start: 02/02/2013 05:30:22.428 PST
Gen. Time: 02/02/2013 05:31:34.378 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
      90.130.190.90 (05:31:22.387 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
            6881->18788 (05:31:22.387 PST)
      95.191.36.21 (05:30:22.428 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
            6881->55832 (05:30:22.428 PST)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
      8.5.1.45 (05:31:34.378 PST)
         event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
            49302->49302 (05:31:34.378 PST)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359811822.428 1359811822.429 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 90.130.190.90, 123.23.153.73, 95.191.36.21
Resource List:
Observed Start: 02/02/2013 05:30:22.428 PST
Gen. Time: 02/02/2013 05:32:51.861 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
      90.130.190.90 (05:31:22.387 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
            6881->18788 (05:31:22.387 PST)
      123.23.153.73 (05:32:22.471 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
            6881->36697 (05:32:22.471 PST)
      95.191.36.21 (05:30:22.428 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
            6881->55832 (05:30:22.428 PST)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
      8.5.1.45 (05:31:34.378 PST)
         event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
            49302->49302 (05:31:34.378 PST)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359811822.428 1359811822.429 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 130.237.43.220 (2), 208.77.77.196, 129.97.74.14, 31.7.173.180, 218.212.220.205, 128.84.154.40
Resource List:
Observed Start: 02/02/2013 07:51:20.183 PST
Gen. Time: 02/02/2013 07:54:54.568 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
      130.237.43.220 (2) (07:53:04.089 PST)
         event=1:1100018 (2) {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C
            55145->6969 (07:53:04.089 PST)
            55242->6969 (07:54:20.372 PST)
      208.77.77.196 (07:53:47.423 PST)
         event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C
            38712->6881 (07:53:47.423 PST)
      129.97.74.14 (07:52:31.441 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
            6882->6881 (07:52:31.441 PST)
      31.7.173.180 (07:54:38.316 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
            6882->33113 (07:54:38.316 PST)
      218.212.220.205 (07:53:38.597 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
            6882->62180 (07:53:38.597 PST)
      128.84.154.40 (07:51:20.183 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
            6881->6881 (07:51:20.183 PST)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
      195.128.181.52 (07:54:54.568 PST)
         event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
            6882->61834 (07:54:54.568 PST)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359820280.183 1359820280.184 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================