Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 195.130.121.205, 202.249.37.69, 148.81.140.194 (2), 217.173.198.153, 158.130.6.254
Resource List:
Observed Start: 03/10/2013 06:32:06.271 PDT
Gen. Time: 03/10/2013 06:32:27.213 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
    195.130.121.205 (06:32:08.318 PDT) event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C 6881->52193 (06:32:08.318 PDT)
    202.249.37.69 (06:32:20.311 PDT) event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2706->34756 (06:32:20.311 PDT)
    148.81.140.194 (2) (06:32:06.271 PDT-06:32:16.616 PDT) event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2: 6881->33060 (06:32:06.271 PDT-06:32:16.616 PDT)
    217.173.198.153 (06:32:08.933 PDT) event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 6881->54353 (06:32:08.933 PDT)
    158.130.6.254 (06:32:08.188 PDT) event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C 43520->6881 (06:32:08.188 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    195.128.181.52 (06:32:27.213 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 6881->61086 (06:32:27.213 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1362922326.271 1362922336.617 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 192.107.171.145, 217.173.198.153, 128.220.251.52, 210.32.181.184 (2), 134.226.52.35 (2), 192.33.210.16, 158.130.6.254, 202.249.37.69, 148.81.140.194 (3), 175.139.31.75, 192.52.240.213, 195.130.121.205, 128.208.4.198, 138.15.10.56
Resource List:
Observed Start: 03/10/2013 06:32:06.271 PDT
Gen. Time: 03/10/2013 06:33:01.758 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
    192.107.171.145 (06:32:32.332 PDT) event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 6881->35395 (06:32:32.332 PDT)
    217.173.198.153 (06:32:08.933 PDT) event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 6881->54353 (06:32:08.933 PDT)
    128.220.251.52 (06:32:44.074 PDT) event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2706->58100 (06:32:44.074 PDT)
    210.32.181.184 (2) (06:32:40.831 PDT-06:32:52.628 PDT) event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2: 6881->34091 (06:32:40.831 PDT-06:32:52.628 PDT)
    134.226.52.35 (2) (06:32:48.609 PDT-06:32:59.352 PDT) event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2: 6881->33045 (06:32:48.609 PDT-06:32:59.352 PDT)
    192.33.210.16 (06:33:00.880 PDT) event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C 6881->56366 (06:33:00.880 PDT)
    158.130.6.254 (06:32:08.188 PDT) event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C 43520->6881 (06:32:08.188 PDT)
    202.249.37.69 (06:32:20.311 PDT) event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2706->34756 (06:32:20.311 PDT)
    148.81.140.194 (3) (06:32:06.271 PDT-06:32:28.942 PDT) event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 3: 6881->33060 (06:32:06.271 PDT-06:32:28.942 PDT)
    175.139.31.75 (06:32:32.081 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6881->26085 (06:32:32.081 PDT)
    192.52.240.213 (06:32:43.527 PDT) event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2706->59759 (06:32:43.527 PDT)
    195.130.121.205 (06:32:08.318 PDT) event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C 6881->52193 (06:32:08.318 PDT)
    128.208.4.198 (06:32:42.972 PDT) event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2706->42765 (06:32:42.972 PDT)
    138.15.10.56 (06:32:28.463 PDT) event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C 2706->58132 (06:32:28.463 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    195.128.181.52 (06:32:27.213 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 6881->61086 (06:32:27.213 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1362922326.271 1362922379.353 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 130.194.252.8, 128.223.8.111, 128.84.154.40, 76.114.66.22, 141.219.252.132 (2), 136.145.115.196, 206.23.240.29, 139.19.158.231, 192.33.90.69, 143.215.131.199, 204.123.28.56, 170.140.119.70, 128.227.150.12, 129.82.12.187, 128.208.4.198, 128.233.252.11
Resource List:
Observed Start: 03/10/2013 15:38:12.130 PDT
Gen. Time: 03/10/2013 15:38:39.264 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
    130.194.252.8 (15:38:26.720 PDT) event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C 2706->58246 (15:38:26.720 PDT)
    128.223.8.111 (15:38:12.130 PDT) event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2706->45840 (15:38:12.130 PDT)
    128.84.154.40 (15:38:17.751 PDT) event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2706->39437 (15:38:17.751 PDT)
    76.114.66.22 (15:38:15.938 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6881->52596 (15:38:15.938 PDT)
    141.219.252.132 (2) (15:38:23.447 PDT-15:38:28.534 PDT) event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2: 2706->34436 (15:38:23.447 PDT-15:38:28.534 PDT)
    136.145.115.196 (15:38:25.092 PDT) event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C 2706->57993 (15:38:25.092 PDT)
    206.23.240.29 (15:38:24.476 PDT) event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2706->38360 (15:38:24.476 PDT)
    139.19.158.231 (15:38:27.006 PDT) event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2706->50810 (15:38:27.006 PDT)
    192.33.90.69 (15:38:15.193 PDT) event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C 2706->33439 (15:38:15.193 PDT)
    143.215.131.199 (15:38:26.759 PDT) event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2706->38427 (15:38:26.759 PDT)
    204.123.28.56 (15:38:29.414 PDT) event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C 2706->40060 (15:38:29.414 PDT)
    170.140.119.70 (15:38:22.369 PDT) event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C 2706->41336 (15:38:22.369 PDT)
    128.227.150.12 (15:38:21.767 PDT) event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2706->43517 (15:38:21.767 PDT)
    129.82.12.187 (15:38:25.598 PDT) event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2706->41172 (15:38:25.598 PDT)
    128.208.4.198 (15:38:16.885 PDT) event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C 2706->34259 (15:38:16.885 PDT)
    128.233.252.11 (15:38:21.950 PDT) event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C 2706->51138 (15:38:21.950 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    195.128.181.52 (15:38:39.264 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 6881->61086 (15:38:39.264 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1362955092.130 1362955108.535 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================
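A triage aid for profiles like the three above, added here as an example and not part of BotHunter or of the report itself. All three profiles share the same shape: every PEER COORDINATION evidence line is an Emerging Threats or BotHunter BitTorrent signature (sids 2000334, 2000357, 1100013), and the DECLARE BOT decision rests on a single IP-reputation hit (sid 9930020, "ET ShadowServer confirmed botnet control server") to 195.128.181.52 leaving port 6881, the same port the torrent traffic uses. The code parses a profile into header fields, evidence events and the tcpslice window, converts the PDT "Observed Start" to Unix time and confirms it matches the window the report's tcpslice command opens (1362922326.271 is 03/10/2013 06:32:06.271 PDT), and then asks the questions an analyst should settle before acting on the 0.8 score. Assumptions: "PDT" is treated as a fixed UTC-7 offset; the sid groupings are taken from the lines printed on this page; the embedded sample is the first profile above, cut to four evidence lines.

```python
"""Parse a BotHunter infection profile and cross-check its bot declaration.

Added example, not BotHunter code. The sample below is the first profile on this
page, cut to four evidence lines; "PDT" is assumed to be a fixed UTC-7 offset.
"""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

PDT = timezone(timedelta(hours=-7), "PDT")   # assumption: fixed offset, valid for 2013-03-10

# BitTorrent signatures seen in the E7 evidence, and the IP-reputation rule behind
# DECLARE BOT; both sets are taken from the sids printed in the report.
P2P_SIDS = {2000334, 2000357, 1100013}
REPUTATION_SIDS = {9930020}

# Constructed sample: the first profile above, abbreviated.
SAMPLE_PROFILE = """\
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Peer Coord. List: 195.130.121.205, 148.81.140.194 (2), 158.130.6.254
Observed Start: 03/10/2013 06:32:06.271 PDT
Gen. Time: 03/10/2013 06:32:27.213 PDT
PEER COORDINATION Info
    195.130.121.205 (06:32:08.318 PDT) event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C 6881->52193 (06:32:08.318 PDT)
    148.81.140.194 (2) (06:32:06.271 PDT-06:32:16.616 PDT) event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2: 6881->33060 (06:32:06.271 PDT-06:32:16.616 PDT)
    158.130.6.254 (06:32:08.188 PDT) event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C 43520->6881 (06:32:08.188 PDT)
DECLARE BOT Non-standard Port
    195.128.181.52 (06:32:27.213 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 6881->61086 (06:32:27.213 PDT)
tcpslice 1362922326.271 1362922336.617 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'
"""

# One evidence line: ip [(n)] (start PDT[-end PDT]) event=gid:sid [(n)] {proto}
# Ex[level] msg, [] MAC_Src: mac [n: ]sport->dport (...)
EVENT_RE = re.compile(
    r"^\s*(?P<ip>\d+\.\d+\.\d+\.\d+)(?: \((?P<count>\d+)\))? "
    r"\((?P<start>\d\d:\d\d:\d\d\.\d{3}) PDT(?:-(?P<end>\d\d:\d\d:\d\d\.\d{3}) PDT)?\) "
    r"event=(?P<gid>\d+):(?P<sid>\d+)(?: \(\d+\))? \{(?P<proto>\w+)\} "
    r"(?P<stage>E\d)\[(?P<level>\w+)\] (?P<msg>.*?), \[\] MAC_Src: (?P<mac>[0-9A-Fa-f:]+) "
    r"(?:\d+: )?(?P<sport>\d+)->(?P<dport>\d+)"
)
HEADER_RE = re.compile(r"^(?P<key>[A-Za-z&. ]+): ?(?P<val>.*)$")
TCPSLICE_RE = re.compile(r"^tcpslice (?P<start>\d+\.\d+) (?P<end>\d+\.\d+) ")


def pdt_to_epoch(date_str, time_str):
    """'03/10/2013', '06:32:06.271' -> Unix time, the form tcpslice takes."""
    dt = datetime.strptime(f"{date_str} {time_str}", "%m/%d/%Y %H:%M:%S.%f")
    return dt.replace(tzinfo=PDT).timestamp()


def parse_profile(text):
    """Return header fields, evidence events tagged with their dialog section, and the tcpslice window."""
    profile = {"events": [], "window": None}
    section = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if m := EVENT_RE.match(line):
            ev = m.groupdict()
            ev.update(section=section, count=int(ev["count"] or 1), sid=int(ev["sid"]),
                      sport=int(ev["sport"]), dport=int(ev["dport"]))
            profile["events"].append(ev)
        elif m := TCPSLICE_RE.match(line):
            profile["window"] = (float(m["start"]), float(m["end"]))
        elif m := HEADER_RE.match(line):
            profile[m["key"]] = m["val"]
        else:
            section = line.strip()   # a dialog heading such as PEER COORDINATION Info
    return profile


def triage(profile):
    """The checks to settle before acting on a score built from P2P evidence."""
    date_str, time_str = profile["Observed Start"].split()[:2]
    e7 = [e for e in profile["events"] if e["stage"] == "E7"]
    e8 = [e for e in profile["events"] if e["stage"] == "E8"]
    # A port that recurs across peer-coordination events is the host's own P2P listener.
    hits = Counter(p for e in e7 for p in (e["sport"], e["dport"]))
    local_p2p_ports = {p for p, n in hits.items() if n > 1}
    return {
        "score": float(profile["Score"].split()[0]),
        "window_starts_at_observed_start": profile["window"] is not None
        and abs(profile["window"][0] - pdt_to_epoch(date_str, time_str)) < 0.0005,
        "e7_all_bittorrent": bool(e7) and all(e["sid"] in P2P_SIDS for e in e7),
        "e8_reputation_only": bool(e8) and all(e["sid"] in REPUTATION_SIDS for e in e8),
        # True when the control-server hit left from the same port the torrent client uses.
        "e8_from_local_p2p_port": any(e["sport"] in local_p2p_ports for e in e8),
        "declare_bot_sources": sorted({e["ip"] for e in e8}),
    }


if __name__ == "__main__":
    prof = parse_profile(SAMPLE_PROFILE)
    for ev in prof["events"]:
        print(f'{ev["section"]:<30} {ev["ip"]:<16} sid={ev["sid"]} {ev["sport"]}->{ev["dport"]}')
    print(triage(prof))
```

When every flag in the result is true, the declaration is carried by one reputation-list match on the torrent client's own port rather than by exploit, egg-download or C&C evidence, so confirm whether 192.168.1.100 actually runs a BitTorrent client and carve the window out of the capture with the tcpslice command printed at the foot of the profile before escalating. The same parser accepts the full profiles above unchanged.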