Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 193.166.167.4, 78.144.193.98, 199.26.254.66, 130.237.43.75 (3), 91.155.130.91, 193.205.215.74 (4), 223.135.219.76
Resource List:
Observed Start: 02/16/2013 10:11:32.373 PST
Gen. Time: 02/16/2013 10:12:22.907 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
 193.166.167.4 (10:11:47.952 PST)
  event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
  34845->6892 (10:11:47.952 PST)
 78.144.193.98 (10:11:32.373 PST)
  event=1:2008581 {udp} E7[info] ET P2P BitTorrent DHT ping request, [] MAC_Src: 00:21:5A:08:BB:0C
  6881->51413 (10:11:32.373 PST)
 199.26.254.66 (10:12:20.295 PST)
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  6881->33267 (10:12:20.295 PST)
 130.237.43.75 (3) (10:11:37.534 PST)
  event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C
  33065->6969 (10:11:37.534 PST)
  -------------------------
  event=1:2000369 {tcp} E7[info] ET P2P BitTorrent Announce, [] MAC_Src: 00:21:5A:08:BB:0C
  33065->6969 (10:11:37.534 PST)
  -------------------------
  event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:21:5A:08:BB:0C
  33065->6969 (10:11:37.534 PST)
 91.155.130.91 (10:12:04.865 PST)
  event=1:2008583 {udp} E7[info] ET P2P BitTorrent DHT nodes reply, [] MAC_Src: 00:21:5A:08:BB:0C
  6881->24601 (10:12:04.865 PST)
 193.205.215.74 (4) (10:11:38.391 PST)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C
  54015->6881 (10:11:38.391 PST)
  -------------------------
  event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
  54015->6881 (10:11:42.795 PST)
  -------------------------
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  54015->6881 (10:12:09.615 PST)
  -------------------------
  event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
  54015->6881 (10:11:38.391 PST)
 223.135.219.76 (10:11:33.845 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
  6881->25462 (10:11:33.845 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
 195.128.181.52 (10:12:22.907 PST)
  event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
  6881->61834 (10:12:22.907 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1361038292.373 1361038292.374 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 193.166.167.4, 78.144.193.98, 199.26.254.66 (4), 130.237.43.75 (3), 91.155.130.91, 118.160.89.49, 223.135.219.76, 193.205.215.74 (5)
Resource List:
Observed Start: 02/16/2013 10:11:32.373 PST
Gen. Time: 02/16/2013 10:15:33.678 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
 193.166.167.4 (10:11:47.952 PST)
  event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
  34845->6892 (10:11:47.952 PST)
 78.144.193.98 (10:11:32.373 PST)
  event=1:2008581 {udp} E7[info] ET P2P BitTorrent DHT ping request, [] MAC_Src: 00:21:5A:08:BB:0C
  6881->51413 (10:11:32.373 PST)
 199.26.254.66 (4) (10:12:20.295 PST-10:12:36.066 PST)
  event=1:2000357 (4) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  4: 6881->33267 (10:12:20.295 PST-10:12:36.066 PST)
 130.237.43.75 (3) (10:11:37.534 PST)
  event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C
  33065->6969 (10:11:37.534 PST)
  -------------------------
  event=1:2000369 {tcp} E7[info] ET P2P BitTorrent Announce, [] MAC_Src: 00:21:5A:08:BB:0C
  33065->6969 (10:11:37.534 PST)
  -------------------------
  event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:21:5A:08:BB:0C
  33065->6969 (10:11:37.534 PST)
 91.155.130.91 (10:12:04.865 PST)
  event=1:2008583 {udp} E7[info] ET P2P BitTorrent DHT nodes reply, [] MAC_Src: 00:21:5A:08:BB:0C
  6881->24601 (10:12:04.865 PST)
 118.160.89.49 (10:12:33.193 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
  6881->13738 (10:12:33.193 PST)
 223.135.219.76 (10:11:33.845 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
  6881->25462 (10:11:33.845 PST)
 193.205.215.74 (5) (10:11:38.391 PST-10:12:38.797 PST)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C
  54015->6881 (10:11:38.391 PST)
  -------------------------
  event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
  54015->6881 (10:11:42.795 PST)
  -------------------------
  event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  2: 54015->6881 (10:12:09.615 PST-10:12:38.797 PST)
  -------------------------
  event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
  54015->6881 (10:11:38.391 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
 195.128.181.52 (10:12:22.907 PST)
  event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
  6881->61834 (10:12:22.907 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1361038292.373 1361038358.798 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List: 218.30.115.254
Peer Coord. List: 133.68.253.243 (2), 90.148.13.64, 82.179.176.42 (2), 193.138.2.12, 147.102.3.113 (2)
Resource List:
Observed Start: 02/16/2013 16:32:49.713 PST
Gen. Time: 02/16/2013 16:33:21.535 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
 218.30.115.254 (16:33:16.163 PST)
  event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C
  32852->80 (16:33:16.163 PST)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
 133.68.253.243 (2) (16:32:49.713 PST-16:33:04.176 PST)
  event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  2: 6881->52900 (16:32:49.713 PST-16:33:04.176 PST)
 90.148.13.64 (16:33:10.474 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
  6881->15514 (16:33:10.474 PST)
 82.179.176.42 (2) (16:32:55.960 PST)
  event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
  6881->59675 (16:32:55.960 PST)
  -------------------------
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  6881->59675 (16:33:10.943 PST)
 193.138.2.12 (16:33:10.494 PST)
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  6881->53231 (16:33:10.494 PST)
 147.102.3.113 (2) (16:33:01.058 PST)
  event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
  6881->35346 (16:33:13.831 PST)
  -------------------------
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  6881->35346 (16:33:01.058 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
 195.128.181.52 (16:33:21.535 PST)
  event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
  6881->61834 (16:33:21.535 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1361061169.713 1361061184.177 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List: 218.30.115.254
Peer Coord. List: 82.179.176.42 (2), 129.237.161.193, 132.239.17.224, 193.138.2.12, 129.93.229.138, 128.2.211.113, 130.237.43.75 (2), 198.82.160.238, 147.102.3.113 (2), 133.68.253.243 (2), 128.111.52.59 (2), 169.229.50.18, 90.148.13.64
Resource List:
Observed Start: 02/16/2013 16:32:49.713 PST
Gen. Time: 02/16/2013 16:36:43.509 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
 218.30.115.254 (16:33:16.163 PST)
  event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C
  32852->80 (16:33:16.163 PST)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
 82.179.176.42 (2) (16:32:55.960 PST)
  event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
  6881->59675 (16:32:55.960 PST)
  -------------------------
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  6881->59675 (16:33:10.943 PST)
 129.237.161.193 (16:33:23.193 PST)
  event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
  34381->6881 (16:33:23.193 PST)
 132.239.17.224 (16:33:23.166 PST)
  event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
  50096->6881 (16:33:23.166 PST)
 193.138.2.12 (16:33:10.494 PST)
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  6881->53231 (16:33:10.494 PST)
 129.93.229.138 (16:33:23.208 PST)
  event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
  54414->6881 (16:33:23.208 PST)
 128.2.211.113 (16:33:23.213 PST)
  event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
  42742->6881 (16:33:23.213 PST)
 130.237.43.75 (2) (16:33:22.957 PST)
  event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C
  59516->6969 (16:33:22.957 PST)
  -------------------------
  event=1:2000369 {tcp} E7[info] ET P2P BitTorrent Announce, [] MAC_Src: 00:21:5A:08:BB:0C
  59516->6969 (16:33:22.957 PST)
 198.82.160.238 (16:33:23.217 PST)
  event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
  59248->6881 (16:33:23.217 PST)
 147.102.3.113 (2) (16:33:01.058 PST)
  event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
  6881->35346 (16:33:13.831 PST)
  -------------------------
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  6881->35346 (16:33:01.058 PST)
 133.68.253.243 (2) (16:32:49.713 PST-16:33:04.176 PST)
  event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  2: 6881->52900 (16:32:49.713 PST-16:33:04.176 PST)
 128.111.52.59 (2) (16:33:23.145 PST)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C
  46160->6881 (16:33:23.145 PST)
  -------------------------
  event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
  46160->6881 (16:33:23.145 PST)
 169.229.50.18 (16:33:23.152 PST)
  event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
  56052->6881 (16:33:23.152 PST)
 90.148.13.64 (16:33:10.474 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
  6881->15514 (16:33:10.474 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
 195.128.181.52 (16:33:21.535 PST)
  event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
  6881->61834 (16:33:21.535 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1361061169.713 1361061184.177 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================