Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 128.223.8.111 (2), 132.239.17.224 (2), 141.219.252.132, 128.6.192.158, 133.9.81.166, 139.19.158.231, 130.216.1.22, 206.12.16.155, 192.114.4.3, 133.9.81.164 (2), 130.37.193.141, 140.192.249.204, 129.22.150.29, 140.109.17.180
Resource List:
Observed Start: 02/22/2013 04:43:38.852 PST
Gen. Time: 02/22/2013 04:47:36.338 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info 128.223.8.111 (2) (04:43:40.729 PST-04:43:49.128 PST)
  event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  2: 37562->2706 (04:43:40.729 PST-04:43:49.128 PST)
132.239.17.224 (2) (04:43:40.286 PST-04:43:49.828 PST)
  event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  2: 50910->2705 (04:43:40.286 PST-04:43:49.828 PST)
141.219.252.132 (04:43:40.729 PST)
  event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
  53390->2706 (04:43:40.729 PST)
128.6.192.158 (04:43:44.850 PST)
  event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
  49024->2706 (04:43:44.850 PST)
133.9.81.166 (04:43:48.159 PST)
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  52741->2706 (04:43:48.159 PST)
139.19.158.231 (04:43:44.951 PST)
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  52484->2706 (04:43:44.951 PST)
130.216.1.22 (04:43:49.445 PST)
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  59802->2705 (04:43:49.445 PST)
206.12.16.155 (04:43:44.694 PST)
  event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
  58296->2704 (04:43:44.694 PST)
192.114.4.3 (04:43:46.703 PST)
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  6881->41092 (04:43:46.703 PST)
133.9.81.164 (2) (04:43:44.052 PST-04:43:54.471 PST)
  event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  2: 6881->57667 (04:43:44.052 PST-04:43:54.471 PST)
130.37.193.141 (04:43:49.902 PST)
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  6881->59958 (04:43:49.902 PST)
140.192.249.204 (04:43:38.852 PST)
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  51468->2705 (04:43:38.852 PST)
129.22.150.29 (04:43:54.057 PST)
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  36077->2706 (04:43:54.057 PST)
140.109.17.180 (04:43:54.289 PST)
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  48941->2706 (04:43:54.289 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
8.5.1.45 (04:47:36.338 PST)
  event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
  49718->49302 (04:47:36.338 PST)
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1361537018.852 1361537034.472 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 149.43.80.22, 193.196.39.10, 128.42.142.41, 193.205.215.75, 141.161.20.33, 88.2.234.60, 72.36.112.79, 128.220.231.3, 130.161.40.154 (2), 132.170.3.32, 151.97.9.225, 195.113.161.14, 212.51.218.237 (2), 169.229.50.18 (2)
Resource List:
Observed Start: 02/22/2013 07:32:06.887 PST
Gen. Time: 02/22/2013 07:32:39.153 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info 149.43.80.22 (07:32:09.487 PST)
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  2706->45167 (07:32:09.487 PST)
193.196.39.10 (07:32:09.856 PST)
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  6882->50669 (07:32:09.856 PST)
128.42.142.41 (07:32:09.368 PST)
  event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
  2706->41594 (07:32:09.368 PST)
193.205.215.75 (07:32:23.718 PST)
  event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
  6882->39942 (07:32:23.718 PST)
141.161.20.33 (07:32:10.813 PST)
  event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
  2706->35250 (07:32:10.813 PST)
88.2.234.60 (07:32:07.781 PST)
  event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
  6882->47015 (07:32:07.781 PST)
72.36.112.79 (07:32:06.887 PST)
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  2706->43197 (07:32:06.887 PST)
128.220.231.3 (07:32:16.648 PST)
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  6881->43841 (07:32:16.648 PST)
130.161.40.154 (2) (07:32:15.960 PST-07:32:25.344 PST)
  event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  2: 6882->52941 (07:32:15.960 PST-07:32:25.344 PST)
132.170.3.32 (07:32:28.909 PST)
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  2706->49638 (07:32:28.909 PST)
151.97.9.225 (07:32:07.738 PST)
  event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
  6882->51030 (07:32:07.738 PST)
195.113.161.14 (07:32:27.002 PST)
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  6881->56449 (07:32:27.002 PST)
212.51.218.237 (2) (07:32:12.936 PST-07:32:24.196 PST)
  event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  2: 6881->38267 (07:32:12.936 PST-07:32:24.196 PST)
169.229.50.18 (2) (07:32:16.804 PST-07:32:27.534 PST)
  event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  2: 6882->50960 (07:32:16.804 PST-07:32:27.534 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
195.128.181.52 (07:32:39.153 PST)
  event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
  6882->61086 (07:32:39.153 PST)
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1361547126.887 1361547147.535 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 202.116.81.194, 190.202.214.242, 212.235.189.114 (2), 206.12.16.155 (2), 130.149.49.137
Resource List:
Observed Start: 02/22/2013 18:55:03.973 PST
Gen. Time: 02/22/2013 18:55:27.430 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info 202.116.81.194 (18:55:11.063 PST)
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  2706->50072 (18:55:11.063 PST)
190.202.214.242 (18:55:11.234 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
  6881->3571 (18:55:11.234 PST)
212.235.189.114 (2) (18:55:05.609 PST-18:55:16.517 PST)
  event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  2: 6881->53524 (18:55:05.609 PST-18:55:16.517 PST)
206.12.16.155 (2) (18:55:07.874 PST-18:55:18.841 PST)
  event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  2: 6881->33329 (18:55:07.874 PST-18:55:18.841 PST)
130.149.49.137 (18:55:03.973 PST)
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  6881->34587 (18:55:03.973 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
195.128.181.52 (18:55:27.430 PST)
  event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
  6882->61086 (18:55:27.430 PST)
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1361588103.973 1361588118.842 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List: 218.30.115.254
Peer Coord. List: 128.42.142.41, 132.239.17.225, 136.159.220.40, 134.88.5.251, 130.149.49.137, 212.235.189.114 (3), 129.22.150.78, 204.123.28.57 (2), 130.237.43.75 (3), 206.12.16.155 (3), 190.202.214.242, 202.116.81.194
Resource List:
Observed Start: 02/22/2013 18:55:03.973 PST
Gen. Time: 02/22/2013 18:59:04.269 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
218.30.115.254 (18:58:18.850 PST)
  event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C
  56176->80 (18:58:18.850 PST)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info 128.42.142.41 (18:55:31.870 PST)
  event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
  51623->6881 (18:55:31.870 PST)
132.239.17.225 (18:55:31.870 PST)
  event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
  55684->6881 (18:55:31.870 PST)
136.159.220.40 (18:55:31.575 PST)
  event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
  42318->6881 (18:55:31.575 PST)
134.88.5.251 (18:55:31.870 PST)
  event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
  47527->6881 (18:55:31.870 PST)
130.149.49.137 (18:55:03.973 PST)
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  6881->34587 (18:55:03.973 PST)
212.235.189.114 (3) (18:55:05.609 PST-18:55:28.964 PST)
  event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  3: 6881->53524 (18:55:05.609 PST-18:55:28.964 PST)
129.22.150.78 (18:55:31.870 PST)
  event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
  39708->6881 (18:55:31.870 PST)
204.123.28.57 (2) (18:55:31.549 PST)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C
  39376->6881 (18:55:31.549 PST)
  -------------------------
  event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
  39376->6881 (18:55:31.549 PST)
130.237.43.75 (3) (18:55:30.912 PST)
  event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C
  48258->6969 (18:55:30.912 PST)
  -------------------------
  event=1:2000369 {tcp} E7[info] ET P2P BitTorrent Announce, [] MAC_Src: 00:21:5A:08:BB:0C
  48258->6969 (18:55:30.912 PST)
  -------------------------
  event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:21:5A:08:BB:0C
  48258->6969 (18:55:30.912 PST)
206.12.16.155 (3) (18:55:07.874 PST-18:55:30.512 PST)
  event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  3: 6881->33329 (18:55:07.874 PST-18:55:30.512 PST)
190.202.214.242 (18:55:11.234 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
  6881->3571 (18:55:11.234 PST)
202.116.81.194 (18:55:11.063 PST)
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  2706->50072 (18:55:11.063 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
195.128.181.52 (18:55:27.430 PST)
  event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
  6882->61086 (18:55:27.430 PST)
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1361588103.973 1361588130.513 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 195.148.124.74, 152.14.93.139 (3), 129.97.74.14, 130.237.43.75 (2), 163.117.253.22, 132.227.62.120 (2), 74.57.177.56
Resource List:
Observed Start: 02/22/2013 19:22:52.345 PST
Gen. Time: 02/22/2013 19:23:27.700 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info 195.148.124.74 (19:22:56.368 PST)
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  6881->42787 (19:22:56.368 PST)
152.14.93.139 (3) (19:22:57.320 PST-19:23:13.850 PST)
  event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  3: 48525->6881 (19:22:57.320 PST-19:23:13.850 PST)
129.97.74.14 (19:23:06.960 PST)
  event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
  6882->54076 (19:23:06.960 PST)
130.237.43.75 (2) (19:23:01.186 PST)
  event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C
  39556->6969 (19:23:01.186 PST)
  -------------------------
  event=1:2000369 {tcp} E7[info] ET P2P BitTorrent Announce, [] MAC_Src: 00:21:5A:08:BB:0C
  39556->6969 (19:23:01.186 PST)
163.117.253.22 (19:22:52.345 PST)
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  6881->34687 (19:22:52.345 PST)
132.227.62.120 (2) (19:23:05.689 PST-19:23:15.735 PST)
  event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  2: 35814->6881 (19:23:05.689 PST-19:23:15.735 PST)
74.57.177.56 (19:23:18.613 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
  6882->46143 (19:23:18.613 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
195.128.181.52 (19:23:27.700 PST)
  event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
  6881->61086 (19:23:27.700 PST)
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1361589772.345 1361589795.736 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 129.15.78.31, 74.57.177.56, 169.229.50.9, 165.91.55.11 (2), 152.14.93.139 (3), 132.227.62.120 (2), 204.123.28.57, 163.117.253.22, 129.97.74.14, 130.237.43.75 (4), 195.148.124.74, 192.1.249.138, 192.1.249.137
Resource List:
Observed Start: 02/22/2013 19:22:52.345 PST
Gen. Time: 02/22/2013 19:26:52.451 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info 129.15.78.31 (19:23:31.698 PST)
  event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
  55835->6881 (19:23:31.698 PST)
74.57.177.56 (19:23:18.613 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
  6882->46143 (19:23:18.613 PST)
169.229.50.9 (19:23:30.969 PST)
  event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
  6882->40963 (19:23:30.969 PST)
165.91.55.11 (2) (19:23:31.672 PST)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C
  56066->6881 (19:23:31.672 PST)
  -------------------------
  event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
  56066->6881 (19:23:31.672 PST)
152.14.93.139 (3) (19:22:57.320 PST-19:23:13.850 PST)
  event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  3: 48525->6881 (19:22:57.320 PST-19:23:13.850 PST)
132.227.62.120 (2) (19:23:05.689 PST-19:23:15.735 PST)
  event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  2: 35814->6881 (19:23:05.689 PST-19:23:15.735 PST)
204.123.28.57 (19:23:31.672 PST)
  event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
  50599->6881 (19:23:31.672 PST)
163.117.253.22 (19:22:52.345 PST)
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  6881->34687 (19:22:52.345 PST)
129.97.74.14 (19:23:06.960 PST)
  event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
  6882->54076 (19:23:06.960 PST)
130.237.43.75 (4) (19:23:01.186 PST)
  event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C
  39556->6969 (19:23:01.186 PST)
  -------------------------
  event=1:2000369 (2) {tcp} E7[info] ET P2P BitTorrent Announce, [] MAC_Src: 00:21:5A:08:BB:0C
  39556->6969 (19:23:01.186 PST)
  39576->6969 (19:23:31.031 PST)
  -------------------------
  event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:21:5A:08:BB:0C
  39576->6969 (19:23:31.031 PST)
195.148.124.74 (19:22:56.368 PST)
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  6881->42787 (19:22:56.368 PST)
192.1.249.138 (19:23:30.969 PST)
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  57068->6881 (19:23:30.969 PST)
192.1.249.137 (19:23:31.672 PST)
  event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
  42574->6881 (19:23:31.672 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
195.128.181.52 (19:23:27.700 PST)
  event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
  6881->61086 (19:23:27.700 PST)
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1361589772.345 1361589795.736 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 72.36.112.79, 141.213.4.202, 134.226.52.35, 131.247.2.247, 202.249.37.69, 133.15.59.1, 137.226.138.155, 204.123.28.56, 128.6.192.156, 132.170.3.32, 129.82.12.187 (2), 133.68.253.243, 128.252.19.18, 129.237.161.194, 200.129.132.18, 128.223.8.112
Resource List:
Observed Start: 02/22/2013 20:51:05.779 PST
Gen. Time: 02/22/2013 20:52:20.510 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info 72.36.112.79 (20:51:06.017 PST)
  event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
  56030->2705 (20:51:06.017 PST)
141.213.4.202 (20:51:06.542 PST)
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  46933->2706 (20:51:06.542 PST)
134.226.52.35 (20:51:14.623 PST)
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  39642->6881 (20:51:14.623 PST)
131.247.2.247 (20:51:19.815 PST)
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  40096->2706 (20:51:19.815 PST)
202.249.37.69 (20:51:06.042 PST)
  event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
  46830->2706 (20:51:06.042 PST)
133.15.59.1 (20:51:07.993 PST)
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  36513->2705 (20:51:07.993 PST)
137.226.138.155 (20:51:17.802 PST)
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  58380->6881 (20:51:17.802 PST)
204.123.28.56 (20:51:05.779 PST)
  event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
  38968->2706 (20:51:05.779 PST)
128.6.192.156 (20:51:11.834 PST)
  event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
  46505->2705 (20:51:11.834 PST)
132.170.3.32 (20:51:17.700 PST)
  event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
  49413->2704 (20:51:17.700 PST)
129.82.12.187 (2) (20:51:07.621 PST-20:51:11.270 PST)
  event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  2: 37660->2705 (20:51:07.621 PST-20:51:11.270 PST)
133.68.253.243 (20:51:07.020 PST)
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  42729->2706 (20:51:07.020 PST)
128.252.19.18 (20:51:09.506 PST)
  event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
  33763->2705 (20:51:09.506 PST)
129.237.161.194 (20:51:19.432 PST)
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  43963->2706 (20:51:19.432 PST)
200.129.132.18 (20:51:09.608 PST)
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  57894->6881 (20:51:09.608 PST)
128.223.8.112 (20:51:08.455 PST)
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  44197->2705 (20:51:08.455 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
195.128.181.52 (20:52:20.510 PST)
  event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
  6882->61086 (20:52:20.510 PST)
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1361595065.779 1361595071.271 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================
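Two things about these profiles are worth checking before acting on them. First, every record except the DECLARE BOT entry is an E7[info] P2P signature (BitTorrent traffic, peer sync, DHT ping, tracker announce); the bot declaration rests on one E8 ShadowServer blocklist hit per profile (plus a single E4 RBN record in the 0.9 profile). Second, the tcpslice window BotHunter appends to each profile runs from Observed Start to one millisecond after the last aggregated peer-coordination record, so in all but the 0.9 profile it closes before the ShadowServer hit, and in the 0.9 profile it closes before the RBN record: the pcap it extracts does not contain the flow that raised the score. The script below is an added example, not BotHunter's own code. It parses a profile in the layout shown above, converts the PST stamps to the epoch floats tcpslice expects, tallies evidence by class, reports whether the profile's own window covers its E8 records, and builds a widened tcpslice | tcpdump pipeline that runs through Gen. Time. SAMPLE_PROFILE is a constructed excerpt modelled on the first profile; the regular expressions are a best-effort reading of that layout, not an official grammar, and a fixed UTC-8 offset is assumed for "PST".

```python
"""Parse a BotHunter infection profile and sanity-check its tcpslice window.

Added example, not BotHunter's own code. SAMPLE_PROFILE is a constructed
excerpt modelled on the first profile on this page; RECORD_RE is a
best-effort reading of that layout, not an official grammar.
"""
import re
from datetime import datetime, timedelta, timezone

PST = timezone(timedelta(hours=-8))  # every stamp is labelled PST; February, so no DST

# Constructed sample: header fields, two E7 peer-coordination records, the E8
# DECLARE BOT record and the tcpslice line that closes the profile.
SAMPLE_PROFILE = """\
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Observed Start: 02/22/2013 04:43:38.852 PST
Gen. Time: 02/22/2013 04:47:36.338 PST
PEER COORDINATION
Info 128.223.8.111 (2) (04:43:40.729 PST-04:43:49.128 PST)
  event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  2: 37562->2706 (04:43:40.729 PST-04:43:49.128 PST)
133.9.81.164 (2) (04:43:44.052 PST-04:43:54.471 PST)
  event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  2: 6881->57667 (04:43:44.052 PST-04:43:54.471 PST)
DECLARE BOT Non-standard Port
8.5.1.45 (04:47:36.338 PST)
  event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
  49718->49302 (04:47:36.338 PST)
tcpslice 1361537018.852 1361537034.472 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'
"""

FIELD_RE = re.compile(r"^(Score|Infected Target|Observed Start|Gen\. Time): (.*)$", re.M)
SLICE_RE = re.compile(r"^tcpslice (?P<start>\d+\.\d+) (?P<end>\d+\.\d+) ", re.M)
# One record: "[Info ]<remote ip> [(n)] (<times>)" / "event=..." / "[n: ]<sport>-><dport> (<times>)"
RECORD_RE = re.compile(
    r"^(?:Info )?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?: \(\d+\))? \([^)\n]*\)\n"
    r"[ \t]*event=(?P<sid>\d+:\d+)(?: \(\d+\))? \{(?P<proto>tcp|udp)\} "
    r"(?P<sev>E\d)\[(?P<cls>\w+)\] (?P<msg>[^\n]*?), \[\] MAC_Src: (?P<mac>[0-9A-Fa-f:]+)\n"
    r"[ \t]*(?:\d+: )?(?P<sport>\d+)->(?P<dport>\d+) "
    r"\((?P<start>\d\d:\d\d:\d\d\.\d{3}) PST(?:-(?P<end>\d\d:\d\d:\d\d\.\d{3}) PST)?\)",
    re.M,
)


def pst_to_epoch(date: str, clock: str) -> float:
    """'02/22/2013', '04:43:38.852' -> POSIX seconds with millisecond precision."""
    dt = datetime.strptime(f"{date} {clock}", "%m/%d/%Y %H:%M:%S.%f").replace(tzinfo=PST)
    return round(dt.timestamp(), 3)


def parse_profile(text: str) -> dict:
    """Header fields, evidence records and the profile's own tcpslice window."""
    fields = dict(FIELD_RE.findall(text))
    # Records carry clock times only; assume the Observed Start date (every
    # profile on this page lies within one day).
    date = fields["Observed Start"].split()[0]
    events = []
    for m in RECORD_RE.finditer(text):
        d = m.groupdict()
        start = pst_to_epoch(date, d["start"])
        events.append({
            "ip": d["ip"], "sid": d["sid"], "proto": d["proto"], "sev": d["sev"],
            "cls": d["cls"], "msg": d["msg"], "sport": int(d["sport"]), "dport": int(d["dport"]),
            "start_epoch": start,
            "end_epoch": pst_to_epoch(date, d["end"]) if d["end"] else start,
        })
    s = SLICE_RE.search(text)
    return {
        "score": float(fields["Score"].split()[0]),
        "target": fields["Infected Target"],
        "start_epoch": pst_to_epoch(*fields["Observed Start"].split()[:2]),
        "gen_epoch": pst_to_epoch(*fields["Gen. Time"].split()[:2]),
        "events": events,
        "slice": (float(s["start"]), float(s["end"])) if s else None,
    }


def evidence_summary(profile: dict) -> dict:
    """Records per evidence class, e.g. {'E7': 2, 'E8': 1}: all-E7 plus one E8 is P2P-driven."""
    summary: dict = {}
    for e in profile["events"]:
        summary[e["sev"]] = summary.get(e["sev"], 0) + 1
    return summary


def declare_bot_covered(profile: dict) -> bool:
    """True if the profile's own tcpslice window contains every E8 (DECLARE BOT) record."""
    lo, hi = profile["slice"]
    return all(lo <= e["start_epoch"] < hi for e in profile["events"] if e["sev"] == "E8")


def widened_slice_command(profile: dict, pcap="inputFile.tcpd", out="outputFile.tcpd") -> str:
    """tcpslice | tcpdump pipeline from Observed Start through Gen. Time.

    Keeps the profile's convention of closing the window one millisecond after
    the last event of interest, so the DECLARE BOT flow is inside it.
    """
    hi = round(profile["gen_epoch"] + 0.001, 3)
    return (f"tcpslice {profile['start_epoch']:.3f} {hi:.3f} {pcap} | "
            f"tcpdump -r - -w {out} 'host {profile['target']}'")


if __name__ == "__main__":
    p = parse_profile(SAMPLE_PROFILE)
    print("evidence by class:", evidence_summary(p))
    print("profile window covers DECLARE BOT:", declare_bot_covered(p))
    print(widened_slice_command(p))
```

Run against the real profile text (one profile between SEPARATOR lines at a time), the same three calls tell you whether the declared C&C flow is inside the pcap you are about to extract; when it is not, use the widened command, then inspect the 195.128.181.52 or 8.5.1.45 flows directly rather than trusting the blocklist hit.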