Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 203.110.240.191, 142.103.2.1 (2), 128.84.154.40, 139.19.142.5 (2), 156.56.250.226, 136.145.115.196 (2), 169.229.50.14, 128.232.103.202, 155.246.12.163, 128.6.192.156, 88.197.53.226, 129.82.12.187 (3)
Resource List:
Observed Start: 02/27/2013 20:04:54.030 PST
Gen. Time: 02/27/2013 20:06:34.738 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info
203.110.240.191 (20:04:55.715 PST)
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  2706->56006 (20:04:55.715 PST)
142.103.2.1 (2) (20:05:33.971 PST-20:06:16.027 PST)
  event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  2: 2706->39750 (20:05:33.971 PST-20:06:16.027 PST)
128.84.154.40 (20:05:48.486 PST)
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  2706->59845 (20:05:48.486 PST)
139.19.142.5 (2) (20:05:32.537 PST)
  event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
  2706->59910 (20:05:32.537 PST)
  -------------------------
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  2706->59910 (20:06:13.846 PST)
156.56.250.226 (20:05:47.775 PST)
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  2706->52278 (20:05:47.775 PST)
136.145.115.196 (2) (20:05:44.446 PST)
  event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
  2706->57629 (20:05:44.446 PST)
  -------------------------
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  2706->57629 (20:05:44.771 PST)
169.229.50.14 (20:05:48.880 PST)
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  2706->47828 (20:05:48.880 PST)
128.232.103.202 (20:04:55.278 PST)
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  6881->40602 (20:04:55.278 PST)
155.246.12.163 (20:04:54.030 PST)
  event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
  60583->6881 (20:04:54.030 PST)
128.6.192.156 (20:04:58.745 PST)
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  2706->55319 (20:04:58.745 PST)
88.197.53.226 (20:04:55.508 PST)
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  6881->46515 (20:04:55.508 PST)
129.82.12.187 (3) (20:05:25.709 PST-20:06:24.264 PST)
  event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  3: 2706->44539 (20:05:25.709 PST-20:06:24.264 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
8.5.1.45 (20:06:34.738 PST)
  event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
  60220->49302 (20:06:34.738 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1362024294.030 1362024384.265 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================