Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 192.43.193.72, 132.239.17.225, 169.235.24.232, 139.78.141.243, 128.232.103.203 (2), 131.179.150.70, 135.109.221.103, 128.42.142.45 (2), 130.237.43.75 (3), 202.125.215.12, 129.97.74.12, 128.36.233.153, 128.42.142.42
Resource List:
Observed Start: 03/09/2013 22:45:59.972 PST
Gen. Time: 03/09/2013 22:46:36.668 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP

PEER COORDINATION
Info
  192.43.193.72 (22:46:07.889 PST)
    event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 46914->6881 (22:46:07.889 PST)
  132.239.17.225 (22:46:07.762 PST)
    event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 53080->6881 (22:46:07.762 PST)
  169.235.24.232 (22:46:07.762 PST)
    event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 33223->6881 (22:46:07.762 PST)
  139.78.141.243 (22:46:07.889 PST)
    event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 53043->6881 (22:46:07.889 PST)
  128.232.103.203 (2) (22:46:02.294 PST-22:46:03.067 PST)
    event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2: 6881->53934 (22:46:02.294 PST-22:46:03.067 PST)
  131.179.150.70 (22:46:07.635 PST)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 6881->59173 (22:46:07.635 PST)
  135.109.221.103 (22:46:07.889 PST)
    event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 50773->6881 (22:46:07.889 PST)
  128.42.142.45 (2) (22:46:07.738 PST)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C 47942->6881 (22:46:07.738 PST)
    -------------------------
    event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 47942->6881 (22:46:07.738 PST)
  130.237.43.75 (3) (22:46:06.166 PST)
    event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C 33024->6969 (22:46:06.166 PST)
    -------------------------
    event=1:2000369 {tcp} E7[info] ET P2P BitTorrent Announce, [] MAC_Src: 00:21:5A:08:BB:0C 33024->6969 (22:46:06.166 PST)
    -------------------------
    event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:21:5A:08:BB:0C 33024->6969 (22:46:06.166 PST)
  202.125.215.12 (22:46:07.914 PST)
    event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 45989->6881 (22:46:07.914 PST)
  129.97.74.12 (22:45:59.972 PST)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2706->59537 (22:45:59.972 PST)
  128.36.233.153 (22:46:07.889 PST)
    event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 59558->6881 (22:46:07.889 PST)
  128.42.142.42 (22:46:07.914 PST)
    event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 47540->6881 (22:46:07.914 PST)

PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  5.135.19.212 (22:46:36.668 PST)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 6882->63543 (22:46:36.668 PST)
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1362897959.972 1362897963.068 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================