Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 128.220.231.3 (2), 212.51.207.206, 130.237.43.75 (4), 129.110.125.51 (4), 137.165.1.113 (3), 169.235.24.232 (2), 128.84.154.44
Resource List:
Observed Start: 02/17/2013 03:31:05.135 PST
Gen. Time: 02/17/2013 03:32:57.914 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
      Info
         128.220.231.3 (2) (03:31:38.409 PST-03:31:44.294 PST)
            event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
            2: 6881->49416 (03:31:38.409 PST-03:31:44.294 PST)
         212.51.207.206 (03:31:51.352 PST)
            event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
            6881->44834 (03:31:51.352 PST)
         130.237.43.75 (4) (03:31:54.104 PST)
            event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C
            43126->6969 (03:31:54.104 PST)
            -------------------------
            event=1:2000369 (2) {tcp} E7[info] ET P2P BitTorrent Announce, [] MAC_Src: 00:21:5A:08:BB:0C
            43143->6969 (03:32:04.780 PST)
            43126->6969 (03:31:54.104 PST)
            -------------------------
            event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:21:5A:08:BB:0C
            43143->6969 (03:32:04.780 PST)
         129.110.125.51 (4) (03:31:05.135 PST-03:31:36.216 PST)
            event=1:2000357 (4) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
            4: 6881->58646 (03:31:05.135 PST-03:31:36.216 PST)
         137.165.1.113 (3) (03:31:06.034 PST-03:31:27.602 PST)
            event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
            3: 6881->41175 (03:31:06.034 PST-03:31:27.602 PST)
         169.235.24.232 (2) (03:32:05.479 PST)
            event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C
            45911->6881 (03:32:05.479 PST)
            -------------------------
            event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
            45911->6881 (03:32:05.479 PST)
         128.84.154.44 (03:31:45.642 PST)
            event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
            6881->49605 (03:31:45.642 PST)
   PEER COORDINATION
   DECLARE BOT
      Standard Port
   DECLARE BOT
      Non-standard Port
         195.128.181.52 (03:32:57.914 PST)
            event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
            6881->61834 (03:32:57.914 PST)
   DECLARE BOT
      OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1361100665.135 1361100704.295 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 178.22.88.44, 202.23.159.51 (2), 165.91.55.10 (3), 141.219.252.132 (2), 94.68.58.47, 129.186.205.78, 130.83.166.245 (3), 129.107.35.131 (2), 128.223.8.113, 193.10.64.36
Resource List:
Observed Start: 02/17/2013 11:50:58.747 PST
Gen. Time: 02/17/2013 11:53:53.050 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
      Info
         178.22.88.44 (11:52:08.226 PST)
            event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
            6881->53664 (11:52:08.226 PST)
         202.23.159.51 (2) (11:51:01.625 PST)
            event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
            6881->55040 (11:51:23.853 PST)
            -------------------------
            event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
            6881->55040 (11:51:01.625 PST)
         165.91.55.10 (3) (11:50:58.747 PST-11:51:31.796 PST)
            event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
            3: 6881->33658 (11:50:58.747 PST-11:51:31.796 PST)
         141.219.252.132 (2) (11:51:38.122 PST-11:51:54.293 PST)
            event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
            2: 6881->54003 (11:51:38.122 PST-11:51:54.293 PST)
         94.68.58.47 (11:51:38.198 PST)
            event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
            6881->27366 (11:51:38.198 PST)
         129.186.205.78 (11:51:57.887 PST)
            event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
            6881->33736 (11:51:57.887 PST)
         130.83.166.245 (3) (11:51:08.001 PST-11:51:33.188 PST)
            event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
            3: 6881->35655 (11:51:08.001 PST-11:51:33.188 PST)
         129.107.35.131 (2) (11:51:37.673 PST-11:51:53.844 PST)
            event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
            2: 6881->55287 (11:51:37.673 PST-11:51:53.844 PST)
         128.223.8.113 (11:51:41.022 PST)
            event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
            6881->36530 (11:51:41.022 PST)
         193.10.64.36 (11:51:13.863 PST)
            event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
            6881->60500 (11:51:13.863 PST)
   PEER COORDINATION
   DECLARE BOT
      Standard Port
   DECLARE BOT
      Non-standard Port
         195.128.181.52 (11:53:53.050 PST)
            event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
            6882->61834 (11:53:53.050 PST)
   DECLARE BOT
      OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1361130658.747 1361130714.294 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 142.103.2.2, 129.105.15.38, 131.254.208.12, 193.190.168.51, 155.98.35.7 (2), 133.9.81.166 (2), 129.97.74.14, 200.0.206.168, 133.9.81.164 (2), 140.109.17.181, 202.116.81.194, 128.227.150.11, 130.195.4.69, 141.212.113.178
Resource List:
Observed Start: 02/17/2013 12:27:12.524 PST
Gen. Time: 02/17/2013 12:29:31.908 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
      Info
         142.103.2.2 (12:27:31.897 PST)
            event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
            37633->6882 (12:27:31.897 PST)
         129.105.15.38 (12:27:32.186 PST)
            event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
            36662->6881 (12:27:32.186 PST)
         131.254.208.12 (12:27:14.142 PST)
            event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
            6882->42671 (12:27:14.142 PST)
         193.190.168.51 (12:27:22.017 PST)
            event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
            6882->46068 (12:27:22.017 PST)
         155.98.35.7 (2) (12:27:15.868 PST-12:27:26.662 PST)
            event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
            2: 6881->34878 (12:27:15.868 PST-12:27:26.662 PST)
         133.9.81.166 (2) (12:27:17.169 PST-12:27:27.965 PST)
            event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
            2: 33754->6881 (12:27:17.169 PST-12:27:27.965 PST)
         129.97.74.14 (12:27:19.308 PST)
            event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
            55735->6881 (12:27:19.308 PST)
         200.0.206.168 (12:27:24.813 PST)
            event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
            58418->6881 (12:27:24.813 PST)
         133.9.81.164 (2) (12:27:19.683 PST-12:27:30.998 PST)
            event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
            2: 59011->6882 (12:27:19.683 PST-12:27:30.998 PST)
         140.109.17.181 (12:27:25.617 PST)
            event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
            6881->58838 (12:27:25.617 PST)
         202.116.81.194 (12:27:12.524 PST)
            event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
            6882->46968 (12:27:12.524 PST)
         128.227.150.11 (12:27:27.103 PST)
            event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
            6882->33147 (12:27:27.103 PST)
         130.195.4.69 (12:27:35.240 PST)
            event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
            43007->6882 (12:27:35.240 PST)
         141.212.113.178 (12:27:19.607 PST)
            event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
            46942->6882 (12:27:19.607 PST)
   PEER COORDINATION
   DECLARE BOT
      Standard Port
   DECLARE BOT
      Non-standard Port
         8.5.1.45 (12:29:31.908 PST)
            event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
            49302->49302 (12:29:31.908 PST)
   DECLARE BOT
      OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1361132832.524 1361132850.999 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 200.0.206.203, 195.130.121.204, 159.217.144.110, 147.83.29.234 (2), 132.227.62.120, 129.93.229.138, 155.246.12.163, 202.249.37.67, 200.129.132.19 (2), 87.236.232.153, 72.36.112.74 (2)
Resource List:
Observed Start: 02/17/2013 17:49:59.624 PST
Gen. Time: 02/17/2013 17:50:21.115 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
      Info
         200.0.206.203 (17:50:04.426 PST)
            event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
            35162->6881 (17:50:04.426 PST)
         195.130.121.204 (17:50:04.371 PST)
            event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
            6882->44423 (17:50:04.371 PST)
         159.217.144.110 (17:50:01.288 PST)
            event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
            6882->43191 (17:50:01.288 PST)
         147.83.29.234 (2) (17:49:59.624 PST-17:50:10.590 PST)
            event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
            2: 6881->52178 (17:49:59.624 PST-17:50:10.590 PST)
         132.227.62.120 (17:50:08.229 PST)
            event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
            51839->6882 (17:50:08.229 PST)
         129.93.229.138 (17:50:07.531 PST)
            event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
            47756->6881 (17:50:07.531 PST)
         155.246.12.163 (17:50:16.270 PST)
            event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
            6881->54153 (17:50:16.270 PST)
         202.249.37.67 (17:50:08.229 PST)
            event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
            6882->51109 (17:50:08.229 PST)
         200.129.132.19 (2) (17:50:01.017 PST-17:50:12.315 PST)
            event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
            2: 6881->38847 (17:50:01.017 PST-17:50:12.315 PST)
         87.236.232.153 (17:50:14.973 PST)
            event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
            39603->6881 (17:50:14.973 PST)
         72.36.112.74 (2) (17:50:07.213 PST-17:50:17.967 PST)
            event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
            2: 6882->45688 (17:50:07.213 PST-17:50:17.967 PST)
   PEER COORDINATION
   DECLARE BOT
      Standard Port
   DECLARE BOT
      Non-standard Port
         8.5.1.45 (17:50:21.115 PST)
            event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
            49302->49302 (17:50:21.115 PST)
   DECLARE BOT
      OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1361152199.624 1361152217.968 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================