Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 02/21/2013 15:16:45.058 PST
Gen. Time: 02/21/2013 15:16:45.058 PST

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   8.5.1.45 (15:16:45.058 PST)
       event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
       49302->49302 (15:16:45.058 PST)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1361488605.058 1361488605.059 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 193.190.168.49 (4), 208.77.77.196 (5), 138.4.0.120, 128.70.195.25, 140.109.17.181 (2), 129.82.12.187 (4)
Resource List:
Observed Start: 02/21/2013 15:16:45.058 PST
Gen. Time: 02/21/2013 15:20:37.293 PST

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   193.190.168.49 (4) (15:16:49.732 PST-15:17:22.169 PST)
       event=1:2000357 (4) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:EC:40
       4: 6881->38808 (15:16:49.732 PST-15:17:22.169 PST)
   208.77.77.196 (5) (15:16:57.403 PST-15:17:43.158 PST)
       event=1:2000357 (5) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:EC:40
       5: 6881->34815 (15:16:57.403 PST-15:17:43.158 PST)
   138.4.0.120 (15:17:52.601 PST)
       event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:EC:40
       6881->35015 (15:17:52.601 PST)
   128.70.195.25 (15:17:47.059 PST)
       event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:EC:40
       6881->11789 (15:17:47.059 PST)
   140.109.17.181 (2) (15:16:46.727 PST-15:17:48.162 PST)
       event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:EC:40
       2: 6881->49525 (15:16:46.727 PST-15:17:48.162 PST)
   129.82.12.187 (4) (15:16:46.107 PST-15:17:51.254 PST)
       event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:EC:40
       6881->6881 (15:16:46.107 PST)
       -------------------------
       event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:EC:40
       3: 6881->44452 (15:17:27.967 PST-15:17:51.254 PST)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   8.5.1.45 (15:16:45.058 PST)
       event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
       49302->49302 (15:16:45.058 PST)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1361488605.058 1361488671.255 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================