Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 165.242.90.129 (2), 164.107.127.12 (2), 147.229.10.250, 143.215.131.199 (2), 170.140.119.70 (2), 143.215.131.206 (2), 133.9.81.164 (2), 87.236.232.153 (2), 143.215.131.197, 72.36.112.74
Resource List:
Observed Start: 03/05/2013 02:40:58.755 PST
Gen. Time: 03/05/2013 02:43:59.179 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
    Info
    165.242.90.129 (2) (02:41:01.015 PST-02:41:22.636 PST)
        event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
        2: 41194->2706 (02:41:01.015 PST-02:41:22.636 PST)
    164.107.127.12 (2) (02:41:05.148 PST-02:41:15.854 PST)
        event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
        2: 6881->41353 (02:41:05.148 PST-02:41:15.854 PST)
    147.229.10.250 (02:40:59.080 PST)
        event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
        38078->2705 (02:40:59.080 PST)
    143.215.131.199 (2) (02:41:00.558 PST-02:41:02.276 PST)
        event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
        2: 40152->2705 (02:41:00.558 PST-02:41:02.276 PST)
    170.140.119.70 (2) (02:41:19.920 PST-02:41:22.677 PST)
        event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
        2: 47305->2706 (02:41:19.920 PST-02:41:22.677 PST)
    143.215.131.206 (2) (02:40:58.755 PST-02:41:00.911 PST)
        event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
        2: 33076->2706 (02:40:58.755 PST-02:41:00.911 PST)
    133.9.81.164 (2) (02:41:01.270 PST-02:41:03.152 PST)
        event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
        2: 43173->2706 (02:41:01.270 PST-02:41:03.152 PST)
    87.236.232.153 (2) (02:41:00.829 PST-02:41:11.611 PST)
        event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
        2: 6881->56384 (02:41:00.829 PST-02:41:11.611 PST)
    143.215.131.197 (02:41:16.823 PST)
        event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
        55243->2706 (02:41:16.823 PST)
    72.36.112.74 (02:41:17.520 PST)
        event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
        6881->37822 (02:41:17.520 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    195.128.181.52 (02:43:59.179 PST)
        event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
        6881->61086 (02:43:59.179 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1362480058.755 1362480082.678 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 203.178.143.10, 138.96.116.20, 93.180.0.114, 139.19.142.4 (5), 137.165.1.111, 139.19.142.2, 193.63.75.19 (4), 129.107.35.131, 129.237.161.194, 200.129.132.18
Resource List:
Observed Start: 03/05/2013 02:56:34.093 PST
Gen. Time: 03/05/2013 02:57:57.926 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
    Info
    203.178.143.10 (02:57:19.349 PST)
        event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
        2706->42823 (02:57:19.349 PST)
    138.96.116.20 (02:56:34.093 PST)
        event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
        37795->6881 (02:56:34.093 PST)
    93.180.0.114 (02:56:40.233 PST)
        event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
        2706->37672 (02:56:40.233 PST)
    139.19.142.4 (5) (02:56:41.574 PST-02:57:27.957 PST)
        event=1:2000357 (5) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
        5: 6882->34988 (02:56:41.574 PST-02:57:27.957 PST)
    137.165.1.111 (02:57:16.821 PST)
        event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
        6882->39492 (02:57:16.821 PST)
    139.19.142.2 (02:56:41.669 PST)
        event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
        2706->54850 (02:56:41.669 PST)
    193.63.75.19 (4) (02:56:39.134 PST-02:57:11.396 PST)
        event=1:2000357 (4) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
        4: 6882->39905 (02:56:39.134 PST-02:57:11.396 PST)
    129.107.35.131 (02:57:21.484 PST)
        event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
        2706->48996 (02:57:21.484 PST)
    129.237.161.194 (02:56:35.074 PST)
        event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
        2706->37504 (02:56:35.074 PST)
    200.129.132.18 (02:56:34.093 PST)
        event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
        45263->6882 (02:56:34.093 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    195.128.181.52 (02:57:57.926 PST)
        event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
        6881->61086 (02:57:57.926 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1362480994.093 1362481047.958 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 192.43.193.72, 165.230.49.115 (2), 134.88.5.251, 131.193.34.193, 192.52.240.214 (2), 136.145.115.194 (2), 148.81.140.193, 152.66.245.162, 195.113.161.83, 193.136.227.163 (2), 141.76.45.17, 195.113.161.82 (2)
Resource List:
Observed Start: 03/05/2013 03:04:39.397 PST
Gen. Time: 03/05/2013 03:08:01.015 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
    Info
    192.43.193.72 (03:05:01.364 PST)
        event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
        42021->6881 (03:05:01.364 PST)
    165.230.49.115 (2) (03:04:39.397 PST-03:04:52.428 PST)
        event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
        2: 58699->6881 (03:04:39.397 PST-03:04:52.428 PST)
    134.88.5.251 (03:04:49.188 PST)
        event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
        52044->6881 (03:04:49.188 PST)
    131.193.34.193 (03:04:44.191 PST)
        event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
        53583->2704 (03:04:44.191 PST)
    192.52.240.214 (2) (03:04:40.819 PST)
        event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
        54928->6881 (03:04:40.819 PST)
        -------------------------
        event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
        54928->6881 (03:04:59.801 PST)
    136.145.115.194 (2) (03:04:42.397 PST-03:04:53.210 PST)
        event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
        2: 6881->47729 (03:04:42.397 PST-03:04:53.210 PST)
    148.81.140.193 (03:04:41.115 PST)
        event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
        33827->6882 (03:04:41.115 PST)
    152.66.245.162 (03:04:43.244 PST)
        event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
        57127->6881 (03:04:43.244 PST)
    195.113.161.83 (03:04:55.064 PST)
        event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
        6881->55125 (03:04:55.064 PST)
    193.136.227.163 (2) (03:04:45.456 PST)
        event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
        6881->36356 (03:04:59.801 PST)
        -------------------------
        event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
        6881->36356 (03:04:45.456 PST)
    141.76.45.17 (03:04:50.678 PST)
        event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
        6882->33768 (03:04:50.678 PST)
    195.113.161.82 (2) (03:04:40.211 PST-03:04:52.892 PST)
        event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
        2: 45687->6881 (03:04:40.211 PST-03:04:52.892 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    195.128.181.52 (03:08:01.015 PST)
        event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
        6881->61086 (03:08:01.015 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1362481479.397 1362481493.211 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================