Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 212.235.189.115, 132.187.230.2
Resource List:
Observed Start: 03/06/2013 00:12:51.962 PST
Gen. Time: 03/06/2013 00:12:54.204 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  212.235.189.115 (00:12:51.962 PST)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    39617->6881 (00:12:51.962 PST)
  132.187.230.2 (00:12:53.470 PST)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    52513->6881 (00:12:53.470 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  195.128.181.52 (00:12:54.204 PST)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    6881->61086 (00:12:54.204 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1362557571.962 1362557571.963 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 128.42.142.41, 134.117.226.180 (2), 131.179.150.72, 93.180.0.114, 165.230.49.114, 72.36.112.71, 131.193.34.193, 212.235.189.115, 128.111.52.63, 131.247.2.247, 65.36.76.157, 193.175.135.59 (2), 198.133.224.147, 132.187.230.2, 131.193.34.150
Resource List:
Observed Start: 03/06/2013 00:12:51.962 PST
Gen. Time: 03/06/2013 00:16:53.373 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  128.42.142.41 (00:13:10.745 PST)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    2706->40878 (00:13:10.745 PST)
  134.117.226.180 (2) (00:13:00.309 PST-00:13:21.277 PST)
    event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    2: 35405->6881 (00:13:00.309 PST-00:13:21.277 PST)
  131.179.150.72 (00:13:18.568 PST)
    event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
    34130->6881 (00:13:18.568 PST)
  93.180.0.114 (00:13:16.020 PST)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    2706->51033 (00:13:16.020 PST)
  165.230.49.114 (00:12:57.340 PST)
    event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
    55027->6881 (00:12:57.340 PST)
  72.36.112.71 (00:13:14.886 PST)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    2706->44062 (00:13:14.886 PST)
  131.193.34.193 (00:13:12.195 PST)
    event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
    44658->2704 (00:13:12.195 PST)
  212.235.189.115 (00:12:51.962 PST)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    39617->6881 (00:12:51.962 PST)
  128.111.52.63 (00:13:13.541 PST)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    2706->58730 (00:13:13.541 PST)
  131.247.2.247 (00:13:18.543 PST)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    2706->57732 (00:13:18.543 PST)
  65.36.76.157 (00:13:22.268 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
    6881->64005 (00:13:22.268 PST)
  193.175.135.59 (2) (00:13:00.747 PST-00:13:14.757 PST)
    event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    2: 60635->6881 (00:13:00.747 PST-00:13:14.757 PST)
  198.133.224.147 (00:13:10.674 PST)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    43283->6881 (00:13:10.674 PST)
  132.187.230.2 (00:12:53.470 PST)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    52513->6881 (00:12:53.470 PST)
  131.193.34.150 (00:13:10.959 PST)
    event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
    44455->2704 (00:13:10.959 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  195.128.181.52 (00:12:54.204 PST)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    6881->61086 (00:12:54.204 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1362557571.962 1362557601.278 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List: 94.23.1.180
Peer Coord. List: 176.119.190.154, 128.84.154.40, 129.10.120.193 (3), 165.230.49.119, 141.11.0.165 (3), 192.91.235.230, 200.17.202.195, 140.192.249.204, 217.173.198.154 (5)
Resource List:
Observed Start: 03/06/2013 09:04:24.272 PST
Gen. Time: 03/06/2013 09:07:44.181 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
  94.23.1.180 (09:07:16.028 PST)
    event=1:3810008 {udp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C
    6881->63007 (09:07:16.028 PST)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  176.119.190.154 (09:04:32.084 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
    6881->51751 (09:04:32.084 PST)
  128.84.154.40 (09:05:22.659 PST)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    2706->54728 (09:05:22.659 PST)
  129.10.120.193 (3) (09:04:32.607 PST-09:04:54.195 PST)
    event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    3: 6881->53729 (09:04:32.607 PST-09:04:54.195 PST)
  165.230.49.119 (09:04:28.241 PST)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    2706->46897 (09:04:28.241 PST)
  141.11.0.165 (3) (09:04:58.447 PST-09:05:22.992 PST)
    event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    3: 6881->36552 (09:04:58.447 PST-09:05:22.992 PST)
  192.91.235.230 (09:04:58.923 PST)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    2706->39192 (09:04:58.923 PST)
  200.17.202.195 (09:05:14.067 PST)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    52619->2705 (09:05:14.067 PST)
  140.192.249.204 (09:04:24.272 PST)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    33232->2706 (09:04:24.272 PST)
  217.173.198.154 (5) (09:04:27.649 PST-09:05:14.268 PST)
    event=1:2000357 (5) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    5: 6881->51977 (09:04:27.649 PST-09:05:14.268 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  195.128.181.52 (09:07:44.181 PST)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    6881->61086 (09:07:44.181 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1362589464.272 1362589522.993 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 149.43.80.22, 137.132.80.105 (2), 211.69.207.34, 129.22.150.78 (2), 88.197.53.228 (3), 204.123.28.56, 130.65.6.227, 200.129.132.18, 140.109.17.180, 138.15.10.56 (3), 195.8.44.21
Resource List:
Observed Start: 03/06/2013 09:20:36.920 PST
Gen. Time: 03/06/2013 09:23:55.971 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  149.43.80.22 (09:20:42.976 PST)
    event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
    6881->38535 (09:20:42.976 PST)
  137.132.80.105 (2) (09:21:04.258 PST-09:21:17.782 PST)
    event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    2: 53770->6881 (09:21:04.258 PST-09:21:17.782 PST)
  211.69.207.34 (09:21:14.637 PST)
    event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
    2705->33258 (09:21:14.637 PST)
  129.22.150.78 (2) (09:20:54.487 PST)
    event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
    6881->35158 (09:20:54.487 PST)
    -------------------------
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    6881->35158 (09:21:18.684 PST)
  88.197.53.228 (3) (09:20:46.404 PST-09:20:56.983 PST)
    event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
    6881->48603 (09:21:11.954 PST)
    -------------------------
    event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    2: 6881->48603 (09:20:46.404 PST-09:20:56.983 PST)
  204.123.28.56 (09:21:07.133 PST)
    event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
    2705->58717 (09:21:07.133 PST)
  130.65.6.227 (09:21:03.844 PST)
    event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
    6881->36280 (09:21:03.844 PST)
  200.129.132.18 (09:21:11.979 PST)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    2705->41932 (09:21:11.979 PST)
  140.109.17.180 (09:21:07.525 PST)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    2705->45130 (09:21:07.525 PST)
  138.15.10.56 (3) (09:20:36.920 PST-09:21:00.442 PST)
    event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    3: 59350->6881 (09:20:36.920 PST-09:21:00.442 PST)
  195.8.44.21 (09:21:02.823 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
    6881->50627 (09:21:02.823 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  195.128.181.52 (09:23:55.971 PST)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    6881->61086 (09:23:55.971 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1362590436.920 1362590477.783 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 128.208.4.197, 131.188.44.102, 137.165.1.114 (2), 141.161.20.33, 131.247.2.241, 131.254.208.12 (2), 136.145.115.196, 129.22.150.78 (2), 208.77.77.196 (3), 141.212.113.180, 89.189.191.52, 133.68.253.242
Resource List:
Observed Start: 03/06/2013 09:36:31.704 PST
Gen. Time: 03/06/2013 09:39:35.605 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  128.208.4.197 (09:36:45.730 PST)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    2705->33721 (09:36:45.730 PST)
  131.188.44.102 (09:36:42.832 PST)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    47882->6881 (09:36:42.832 PST)
  137.165.1.114 (2) (09:36:33.325 PST)
    event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
    46370->6881 (09:36:50.957 PST)
    -------------------------
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    46370->6881 (09:36:33.325 PST)
  141.161.20.33 (09:36:43.147 PST)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    2705->59978 (09:36:43.147 PST)
  131.247.2.241 (09:36:47.693 PST)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    2705->46130 (09:36:47.693 PST)
  131.254.208.12 (2) (09:36:39.292 PST-09:36:50.128 PST)
    event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    2: 6881->47488 (09:36:39.292 PST-09:36:50.128 PST)
  136.145.115.196 (09:36:45.840 PST)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    2705->48005 (09:36:45.840 PST)
  129.22.150.78 (2) (09:36:38.821 PST-09:36:49.646 PST)
    event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    2: 6881->35158 (09:36:38.821 PST-09:36:49.646 PST)
  208.77.77.196 (3) (09:36:35.716 PST-09:36:52.099 PST)
    event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
    6882->37716 (09:36:35.716 PST)
    -------------------------
    event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    2: 6882->37716 (09:36:37.881 PST-09:36:52.099 PST)
  141.212.113.180 (09:36:31.704 PST)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    2705->55294 (09:36:31.704 PST)
  89.189.191.52 (09:36:48.818 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
    6882->15045 (09:36:48.818 PST)
  133.68.253.242 (09:36:33.032 PST)
    event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
    2705->40410 (09:36:33.032 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  195.128.181.52 (09:39:35.605 PST)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    6881->61086 (09:39:35.605 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1362591391.704 1362591412.100 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 129.242.19.196 (2), 193.206.22.134 (2), 206.23.240.28, 137.189.98.208, 193.1.170.135 (2)
Resource List:
Observed Start: 03/06/2013 09:52:40.095 PST
Gen. Time: 03/06/2013 09:52:56.965 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  129.242.19.196 (2) (09:52:42.095 PST-09:52:52.820 PST)
    event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    2: 6882->35036 (09:52:42.095 PST-09:52:52.820 PST)
  193.206.22.134 (2) (09:52:41.495 PST-09:52:52.399 PST)
    event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    2: 6881->48617 (09:52:41.495 PST-09:52:52.399 PST)
  206.23.240.28 (09:52:49.182 PST)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    6881->56676 (09:52:49.182 PST)
  137.189.98.208 (09:52:55.900 PST)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    6881->49864 (09:52:55.900 PST)
  193.1.170.135 (2) (09:52:40.095 PST-09:52:50.632 PST)
    event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    2: 38491->6881 (09:52:40.095 PST-09:52:50.632 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  195.128.181.52 (09:52:56.965 PST)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    6881->61086 (09:52:56.965 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1362592360.095 1362592372.821 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List: 218.30.115.254
Peer Coord. List: 193.1.170.135 (3), 189.11.161.22, 129.242.19.196 (3), 128.138.207.54, 206.23.240.29, 192.33.90.69, 141.11.0.165, 206.23.240.28 (2), 202.116.81.195, 137.189.98.208 (2), 193.206.22.134 (2), 128.223.8.113, 200.129.132.18
Resource List:
Observed Start: 03/06/2013 09:52:40.095 PST
Gen. Time: 03/06/2013 09:56:40.451 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
  218.30.115.254 (09:53:54.932 PST)
    event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C
    44130->80 (09:53:54.932 PST)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  193.1.170.135 (3) (09:52:40.095 PST-09:52:50.632 PST)
    event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
    38491->6881 (09:53:14.565 PST)
    -------------------------
    event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    2: 38491->6881 (09:52:40.095 PST-09:52:50.632 PST)
  189.11.161.22 (09:53:16.988 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
    6881->50453 (09:53:16.988 PST)
  129.242.19.196 (3) (09:52:42.095 PST-09:53:10.606 PST)
    event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    3: 6882->35036 (09:52:42.095 PST-09:53:10.606 PST)
  128.138.207.54 (09:53:14.248 PST)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    46003->2706 (09:53:14.248 PST)
  206.23.240.29 (09:53:17.015 PST)
    event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
    2706->45825 (09:53:17.015 PST)
  192.33.90.69 (09:53:15.338 PST)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    2706->42503 (09:53:15.338 PST)
  141.11.0.165 (09:53:07.348 PST)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    6882->54305 (09:53:07.348 PST)
  206.23.240.28 (2) (09:52:49.182 PST-09:53:14.836 PST)
    event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    2: 6881->56676 (09:52:49.182 PST-09:53:14.836 PST)
  202.116.81.195 (09:53:15.016 PST)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    2706->35958 (09:53:15.016 PST)
  137.189.98.208 (2) (09:52:55.900 PST-09:53:10.469 PST)
    event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    2: 6881->49864 (09:52:55.900 PST-09:53:10.469 PST)
  193.206.22.134 (2) (09:52:41.495 PST-09:52:52.399 PST)
    event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    2: 6881->48617 (09:52:41.495 PST-09:52:52.399 PST)
  128.223.8.113 (09:53:11.871 PST)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    6882->43117 (09:53:11.871 PST)
  200.129.132.18 (09:53:13.307 PST)
    event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
    2706->49534 (09:53:13.307 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  195.128.181.52 (09:52:56.965 PST)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    6881->61086 (09:52:56.965 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1362592360.095 1362592394.837 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 87.236.232.174, 140.192.249.204, 212.235.189.115, 128.10.19.52
Resource List:
Observed Start: 03/06/2013 10:04:51.693 PST
Gen. Time: 03/06/2013 10:05:02.008 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  87.236.232.174 (10:04:51.693 PST)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    6882->38884 (10:04:51.693 PST)
  140.192.249.204 (10:04:59.505 PST)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    2706->40794 (10:04:59.505 PST)
  212.235.189.115 (10:05:00.089 PST)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    6882->48194 (10:05:00.089 PST)
  128.10.19.52 (10:04:58.458 PST)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    6882->50023 (10:04:58.458 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  195.128.181.52 (10:05:02.008 PST)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    6882->61086 (10:05:02.008 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1362593091.693 1362593091.694 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List: 218.30.115.254
Peer Coord. List: 87.236.232.174 (4), 139.19.142.5, 128.10.19.52, 156.56.250.226 (3), 212.235.189.115 (3), 206.12.16.155, 200.17.202.195, 140.192.249.204 (2), 128.163.142.20
Resource List:
Observed Start: 03/06/2013 10:04:51.693 PST
Gen. Time: 03/06/2013 10:08:52.760 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
  218.30.115.254 (10:06:15.715 PST)
    event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [ B%10%DCE%FE4] MAC_Src: 00:21:5A:08:BB:0C
    38370->80 (10:06:15.715 PST)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  87.236.232.174 (4) (10:04:51.693 PST-10:05:28.230 PST)
    event=1:2000357 (4) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    4: 6882->38884 (10:04:51.693 PST-10:05:28.230 PST)
  139.19.142.5 (10:05:31.140 PST)
    event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
    2706->46644 (10:05:31.140 PST)
  128.10.19.52 (10:04:58.458 PST)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    6882->50023 (10:04:58.458 PST)
  156.56.250.226 (3) (10:05:10.817 PST-10:05:23.170 PST)
    event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    6882->57000 (10:05:30.095 PST)
    2: 2706->51695 (10:05:10.817 PST-10:05:23.170 PST)
  212.235.189.115 (3) (10:05:00.089 PST-10:05:26.075 PST)
    event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    3: 6882->48194 (10:05:00.089 PST-10:05:26.075 PST)
  206.12.16.155 (10:05:09.220 PST)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    2706->57485 (10:05:09.220 PST)
  200.17.202.195 (10:05:28.256 PST)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    2706->39218 (10:05:28.256 PST)
  140.192.249.204 (2) (10:04:59.505 PST-10:05:27.196 PST)
    event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    2: 2706->40794 (10:04:59.505 PST-10:05:27.196 PST)
  128.163.142.20 (10:05:22.924 PST)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    2706->37415 (10:05:22.924 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  195.128.181.52 (10:05:02.008 PST)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    6882->61086 (10:05:02.008 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1362593091.693 1362593128.231 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 140.192.249.203, 202.189.126.85, 193.205.215.75 (4), 132.72.23.11, 206.12.16.155, 192.91.235.230, 192.114.4.3 (3), 199.26.254.68, 200.10.150.252, 131.193.34.150, 128.119.41.211 (2)
Resource List:
Observed Start: 03/06/2013 10:24:59.777 PST
Gen. Time: 03/06/2013 10:27:56.504 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  140.192.249.203 (10:25:19.098 PST)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    54899->6881 (10:25:19.098 PST)
  202.189.126.85 (10:25:22.250 PST)
    event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
    6881->52580 (10:25:22.250 PST)
  193.205.215.75 (4) (10:25:00.443 PST-10:25:57.880 PST)
    event=1:2000357 (4) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    4: 6881->52501 (10:25:00.443 PST-10:25:57.880 PST)
  132.72.23.11 (10:25:49.783 PST)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    2705->41244 (10:25:49.783 PST)
  206.12.16.155 (10:25:13.071 PST)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    6881->39242 (10:25:13.071 PST)
  192.91.235.230 (10:25:01.508 PST)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    2705->35110 (10:25:01.508 PST)
  192.114.4.3 (3) (10:25:30.030 PST-10:25:52.877 PST)
    event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    3: 33370->6881 (10:25:30.030 PST-10:25:52.877 PST)
  199.26.254.68 (10:25:57.626 PST)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    2705->33452 (10:25:57.626 PST)
  200.10.150.252 (10:25:49.020 PST)
    event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
    59433->6881 (10:25:49.020 PST)
  131.193.34.150 (10:25:16.661 PST)
    event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
    2705->54429 (10:25:16.661 PST)
  128.119.41.211 (2) (10:24:59.777 PST-10:25:24.903 PST)
    event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    2: 38086->6881 (10:24:59.777 PST-10:25:24.903 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  195.128.181.52 (10:27:56.504 PST)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    6881->61086 (10:27:56.504 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1362594299.777 1362594357.881 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 83.246.92.212, 202.237.248.222, 203.110.240.190, 202.23.159.51, 131.247.2.241, 149.43.80.20, 132.72.23.11 (2), 193.191.148.228 (2), 129.63.159.101, 128.36.233.153 (2), 193.10.64.36 (2), 131.193.34.173, 133.68.253.242
Resource List:
Observed Start: 03/06/2013 10:40:52.179 PST
Gen. Time: 03/06/2013 10:42:51.053 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  83.246.92.212 (10:41:11.576 PST)
    event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
    6882->50528 (10:41:11.576 PST)
  202.237.248.222 (10:41:03.573 PST)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    6881->58757 (10:41:03.573 PST)
  203.110.240.190 (10:41:02.186 PST)
    event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
    53587->6881 (10:41:02.186 PST)
  202.23.159.51 (10:40:58.850 PST)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    49319->6881 (10:40:58.850 PST)
  131.247.2.241 (10:41:09.446 PST)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    2705->58546 (10:41:09.446 PST)
  149.43.80.20 (10:41:03.306 PST)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    6881->39645 (10:41:03.306 PST)
  132.72.23.11 (2) (10:41:00.918 PST-10:41:12.775 PST)
    event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    2: 2705->39853 (10:41:00.918 PST-10:41:12.775 PST)
  193.191.148.228 (2) (10:41:02.912 PST-10:41:12.958 PST)
    event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    2: 37153->6881 (10:41:02.912 PST-10:41:12.958 PST)
  129.63.159.101 (10:40:52.179 PST)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    2705->45415 (10:40:52.179 PST)
  128.36.233.153 (2) (10:40:57.984 PST)
    event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
    6881->43091 (10:41:05.731 PST)
    -------------------------
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    6881->43091 (10:40:57.984 PST)
  193.10.64.36 (2) (10:41:04.594 PST)
    event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
    50047->6881 (10:41:04.594 PST)
    -------------------------
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    50047->6881 (10:41:10.509 PST)
  131.193.34.173 (10:40:54.034 PST)
    event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
    2705->42014 (10:40:54.034 PST)
  133.68.253.242 (10:41:03.609 PST)
    event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
    2705->37639 (10:41:03.609 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  195.128.181.52 (10:42:51.053 PST)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    6881->61086 (10:42:51.053 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1362595252.179 1362595272.959 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================