Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 130.37.193.143, 131.247.2.245 (4), 141.161.20.32 (5), 194.47.148.172 (2), 193.136.124.228 (2), 141.219.252.132 (3)
Resource List:
Observed Start: 02/22/2013 12:04:51.190 PST
Gen. Time: 02/22/2013 12:07:05.219 PST

  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
    130.37.193.143 (12:04:58.060 PST)
      event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:EC:40 6881->52111 (12:04:58.060 PST)
    131.247.2.245 (4) (12:05:02.883 PST-12:06:07.073 PST)
      event=1:2000357 (4) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:EC:40 4: 38199->6881 (12:05:02.883 PST-12:06:07.073 PST)
    141.161.20.32 (5) (12:04:51.190 PST-12:05:19.488 PST)
      event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:EC:40 50932->6881 (12:05:25.614 PST)
      -------------------------
      event=1:2000357 (4) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:EC:40 4: 50932->6881 (12:04:51.190 PST-12:05:19.488 PST)
    194.47.148.172 (2) (12:05:51.251 PST-12:06:02.136 PST)
      event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:EC:40 2: 33803->6881 (12:05:51.251 PST-12:06:02.136 PST)
    193.136.124.228 (2) (12:04:51.743 PST)
      event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:EC:40 57337->6882 (12:04:51.743 PST)
      -------------------------
      event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:EC:40 57337->6882 (12:05:40.923 PST)
    141.219.252.132 (3) (12:05:11.788 PST-12:05:45.009 PST)
      event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:EC:40 6881->6881 (12:05:11.788 PST)
      -------------------------
      event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:EC:40 2: 44015->6881 (12:05:35.151 PST-12:05:45.009 PST)
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
    8.5.1.45 (12:07:05.219 PST)
      event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 49302->49302 (12:07:05.219 PST)
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1361563491.190 1361563567.074 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 74.115.1.239, 192.36.94.3, 192.107.171.145 (3), 164.107.127.12, 158.130.6.254 (3), 200.0.206.137 (2), 192.114.4.3, 128.6.192.156, 138.48.3.203 (3), 132.65.240.102
Resource List:
Observed Start: 02/22/2013 22:04:12.576 PST
Gen. Time: 02/22/2013 22:07:01.969 PST

  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
    74.115.1.239 (22:04:15.983 PST)
      event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:EC:40 6881->16656 (22:04:15.983 PST)
    192.36.94.3 (22:04:13.886 PST)
      event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:EC:40 6881->57595 (22:04:13.886 PST)
    192.107.171.145 (3) (22:04:13.971 PST-22:04:36.045 PST)
      event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:EC:40 3: 56415->6882 (22:04:13.971 PST-22:04:36.045 PST)
    164.107.127.12 (22:04:38.974 PST)
      event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:EC:40 41622->6881 (22:04:38.974 PST)
    158.130.6.254 (3) (22:04:17.150 PST-22:04:36.392 PST)
      event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:EC:40 3: 6882->33148 (22:04:17.150 PST-22:04:36.392 PST)
    200.0.206.137 (2) (22:04:24.325 PST-22:04:35.095 PST)
      event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:EC:40 2: 6882->45747 (22:04:24.325 PST-22:04:35.095 PST)
    192.114.4.3 (22:04:32.913 PST)
      event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:EC:40 6882->57855 (22:04:32.913 PST)
    128.6.192.156 (22:04:18.644 PST)
      event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:EC:40 6881->52414 (22:04:18.644 PST)
    138.48.3.203 (3) (22:04:14.421 PST-22:04:36.494 PST)
      event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:EC:40 3: 40585->6881 (22:04:14.421 PST-22:04:36.494 PST)
    132.65.240.102 (22:04:12.576 PST)
      event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:EC:40 6882->33357 (22:04:12.576 PST)
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
    8.5.1.45 (22:07:01.969 PST)
      event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 49302->49302 (22:07:01.969 PST)
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1361599452.576 1361599476.495 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
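Both profiles score 0.8 on the strength of one E8 reputation hit (8.5.1.45, UDP 49302, "ShadowServer confirmed botnet control server on non-standard port") on top of info-level BitTorrent peer traffic, so the packet behind that single alert is the evidence an analyst needs to pull. The tcpslice window printed at the end of each profile does not reach it: the first window ends at 12:06:07.074 PST and the second at 22:04:36.495 PST, both well before the Gen. Time at which the ShadowServer alert fired, and the second window also drops the 164.107.127.12 peer sync at 22:04:38.974 PST. The parser below is an added example, not part of BotHunter or of this report. It reads a profile in the layout above, converts the PST stamps to epoch seconds (assuming PST is UTC-8 with no DST, and that all alerts fall on the Observed Start date), flags the alerts the printed tcpslice command would exclude, and emits a tcpslice command widened to Gen. Time. The embedded SAMPLE is a constructed excerpt of the second profile, with a subset of the peers; every address, SID, port and time in it is the report's own.

```python
import re
from datetime import datetime, timedelta, timezone

# BotHunter labels the stamps PST; for a February capture that is UTC-8 with no DST
# (assumption made here, the report itself does not state the offset).
PST = timezone(timedelta(hours=-8))

# Constructed excerpt of the second profile on this page, one alert per line, subset of peers.
SAMPLE = """\
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Observed Start: 02/22/2013 22:04:12.576 PST
Gen. Time: 02/22/2013 22:07:01.969 PST
PEER COORDINATION Info
192.107.171.145 (3) (22:04:13.971 PST-22:04:36.045 PST) event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:EC:40 3: 56415->6882 (22:04:13.971 PST-22:04:36.045 PST)
164.107.127.12 (22:04:38.974 PST) event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:EC:40 41622->6881 (22:04:38.974 PST)
158.130.6.254 (3) (22:04:17.150 PST-22:04:36.392 PST) event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:EC:40 3: 6882->33148 (22:04:17.150 PST-22:04:36.392 PST)
138.48.3.203 (3) (22:04:14.421 PST-22:04:36.494 PST) event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:EC:40 3: 40585->6881 (22:04:14.421 PST-22:04:36.494 PST)
132.65.240.102 (22:04:12.576 PST) event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:EC:40 6882->33357 (22:04:12.576 PST)
DECLARE BOT Non-standard Port
8.5.1.45 (22:07:01.969 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 49302->49302 (22:07:01.969 PST)
tcpslice 1361599452.576 1361599476.495 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
"""

HEADER_RE = re.compile(r"^(Score|Infected Target|Observed Start|Gen\. Time): (.+)$")
TCPSLICE_RE = re.compile(r"^tcpslice (?P<start>\d+\.\d+) (?P<end>\d+\.\d+) ")
# peer [(hits)] (first[-last]) event=gid:sid [(n)] {proto} Ex[level] msg, [] MAC_Src: mac [n: ]sport->dport (first[-last])
EVENT_RE = re.compile(
    r"^(?P<peer>\d+\.\d+\.\d+\.\d+)(?: \((?P<hits>\d+)\))? \((?P<span>[^)]+)\) "
    r"event=(?P<sid>\d+:\d+)(?: \(\d+\))? \{(?P<proto>\w+)\} "
    r"(?P<phase>E\d)\[(?P<level>\w+)\] (?P<msg>.+?), \[\] "
    r"MAC_Src: (?P<mac>[0-9A-Fa-f:]+) (?:\d+: )?(?P<sport>\d+)->(?P<dport>\d+) \((?P<when>[^)]+)\)$"
)


def parse_stamp(date_str, time_str):
    """'02/22/2013', '22:04:12.576 PST' -> timezone-aware datetime."""
    clock = time_str.replace(" PST", "")
    return datetime.strptime(f"{date_str} {clock}", "%m/%d/%Y %H:%M:%S.%f").replace(tzinfo=PST)


def parse_profile(text):
    """Parse one BotHunter infection profile into header fields, alerts and the tcpslice window."""
    profile = {"events": [], "tcpslice": None}
    date_str, category = None, None
    for line in text.splitlines():
        line = line.strip()
        m = HEADER_RE.match(line)
        if m:
            key, value = m.groups()
            if key == "Score":
                profile["score"] = float(value.split()[0])
            elif key == "Infected Target":
                profile["target"] = value
            else:  # Observed Start / Gen. Time carry the date the alert stamps lack
                date_str, clock = value.split(" ", 1)
                profile["start" if key == "Observed Start" else "gen_time"] = parse_stamp(date_str, clock)
            continue
        m = TCPSLICE_RE.match(line)
        if m:
            profile["tcpslice"] = (float(m["start"]), float(m["end"]))
            continue
        m = EVENT_RE.match(line)
        if m and date_str:
            first, _, last = m["span"].partition("-")
            ev = m.groupdict()
            ev["category"] = category
            ev["hits"] = int(ev["hits"] or 1)
            ev["first"] = parse_stamp(date_str, first)
            ev["last"] = parse_stamp(date_str, last or first)  # assumption: same day as Observed Start
            profile["events"].append(ev)
        elif line and line[0].isupper() and ":" not in line:
            category = line  # e.g. "PEER COORDINATION Info", "DECLARE BOT Non-standard Port"
    return profile


def check_window(profile):
    """Does the report's own tcpslice window start at Observed Start, and which alerts end after it?"""
    start, end = profile["tcpslice"]
    return {
        "start_ok": abs(start - profile["start"].timestamp()) < 0.002,
        "missed": [ev for ev in profile["events"] if ev["last"].timestamp() > end],
    }


def evidence_summary(profile):
    """Number of alert lines per evidence phase (E7 on PEER COORDINATION, E8 on DECLARE BOT here)."""
    counts = {}
    for ev in profile["events"]:
        counts[ev["phase"]] = counts.get(ev["phase"], 0) + 1
    return counts


def widened_tcpslice(profile, infile="inputFile.tcpd", outfile="outputFile.tcpd"):
    """Same extraction command as the report, but spanning Observed Start to Gen. Time."""
    start, end = profile["start"].timestamp(), profile["gen_time"].timestamp()
    return f"tcpslice {start:.3f} {end:.3f} {infile} | tcpdump -r - -w {outfile} 'host {profile['target']}'"


if __name__ == "__main__":
    prof = parse_profile(SAMPLE)
    for ev in check_window(prof)["missed"]:
        print(f"outside tcpslice window: {ev['peer']} {ev['msg']} ({ev['last']:%H:%M:%S.%f} PST)")
    print(widened_tcpslice(prof))
```

Run against the excerpt, the check reports 164.107.127.12 and 8.5.1.45 as outside the printed window and produces `tcpslice 1361599452.576 1361599621.969 ...`; the same code applied to the first profile flags only the 8.5.1.45 alert. Treat the widened window as the minimum: the E8 hit is a blocklist match on a single UDP datagram, and whether 8.5.1.45 is a C&C node or a BitTorrent peer that happens to be listed is only decidable from the payload, so keep the capture rather than the score.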