Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 128.84.154.41, 202.141.161.44, 131.247.2.241, 165.91.55.10 (2), 128.111.52.63, 136.145.115.196, 128.114.63.63, 198.133.224.149, 130.216.1.22, 130.237.43.75 (2), 66.140.111.5, 128.8.126.98, 129.97.74.12, 169.229.50.3, 132.239.17.226
Resource List:
Observed Start: 03/12/2013 05:29:11.456 PDT
Gen. Time: 03/12/2013 05:29:18.302 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
  Info 128.84.154.41 (05:29:17.697 PDT)
    event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
    56048->6881 (05:29:17.697 PDT)
  202.141.161.44 (05:29:16.066 PDT)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    6881->59224 (05:29:16.066 PDT)
  131.247.2.241 (05:29:15.396 PDT)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    6881->54709 (05:29:15.396 PDT)
  165.91.55.10 (2) (05:29:17.671 PDT)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C
    37496->6882 (05:29:17.671 PDT)
    -------------------------
    event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
    37496->6882 (05:29:17.671 PDT)
  128.111.52.63 (05:29:17.722 PDT)
    event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
    43644->6881 (05:29:17.722 PDT)
  136.145.115.196 (05:29:12.692 PDT)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    2705->42466 (05:29:12.692 PDT)
  128.114.63.63 (05:29:17.697 PDT)
    event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
    42530->6881 (05:29:17.697 PDT)
  198.133.224.149 (05:29:17.722 PDT)
    event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
    38258->6881 (05:29:17.722 PDT)
  130.216.1.22 (05:29:11.456 PDT)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    2705->42280 (05:29:11.456 PDT)
  130.237.43.75 (2) (05:29:17.263 PDT)
    event=1:2000369 {tcp} E7[info] ET P2P BitTorrent Announce, [] MAC_Src: 00:21:5A:08:BB:0C
    55837->6969 (05:29:17.263 PDT)
    -------------------------
    event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:21:5A:08:BB:0C
    55837->6969 (05:29:17.263 PDT)
  66.140.111.5 (05:29:17.749 PDT)
    event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
    52749->6881 (05:29:17.749 PDT)
  128.8.126.98 (05:29:15.594 PDT)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    2705->48543 (05:29:15.594 PDT)
  129.97.74.12 (05:29:15.430 PDT)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    2705->57203 (05:29:15.430 PDT)
  169.229.50.3 (05:29:17.697 PDT)
    event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
    56507->6881 (05:29:17.697 PDT)
  132.239.17.226 (05:29:17.722 PDT)
    event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
    52277->6881 (05:29:17.722 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  195.128.181.52 (05:29:18.302 PDT)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    6882->61086 (05:29:18.302 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1363091351.456 1363091351.457 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 192.43.193.72, 219.243.208.60, 139.19.142.5, 88.2.234.60, 156.56.250.226, 141.219.252.132, 133.9.81.166 (2), 202.125.215.12, 139.19.142.2 (2), 128.8.126.98, 129.107.35.131, 129.82.12.187, 133.68.253.243 (2), 133.68.253.242
Resource List:
Observed Start: 03/12/2013 17:42:02.412 PDT
Gen. Time: 03/12/2013 17:42:29.308 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
  Info 192.43.193.72 (17:42:09.670 PDT)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    49397->6881 (17:42:09.670 PDT)
  219.243.208.60 (17:42:05.101 PDT)
    event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
    6881->45633 (17:42:05.101 PDT)
  139.19.142.5 (17:42:05.611 PDT)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    47522->2706 (17:42:05.611 PDT)
  88.2.234.60 (17:42:02.412 PDT)
    event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
    34793->6881 (17:42:02.412 PDT)
  156.56.250.226 (17:42:04.949 PDT)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    39882->2705 (17:42:04.949 PDT)
  141.219.252.132 (17:42:07.659 PDT)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    50057->2705 (17:42:07.659 PDT)
  133.9.81.166 (2) (17:42:09.595 PDT-17:42:13.153 PDT)
    event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    2: 2705->33190 (17:42:09.595 PDT-17:42:13.153 PDT)
  202.125.215.12 (17:42:09.272 PDT)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    40084->6881 (17:42:09.272 PDT)
  139.19.142.2 (2) (17:42:05.257 PDT-17:42:11.057 PDT)
    event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    2: 48202->2705 (17:42:05.257 PDT-17:42:11.057 PDT)
  128.8.126.98 (17:42:15.213 PDT)
    event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
    40739->2705 (17:42:15.213 PDT)
  129.107.35.131 (17:42:08.363 PDT)
    event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
    58317->2706 (17:42:08.363 PDT)
  129.82.12.187 (17:42:05.101 PDT)
    event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
    2705->59576 (17:42:05.101 PDT)
  133.68.253.243 (2) (17:42:06.219 PDT-17:42:10.040 PDT)
    event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    2: 33223->2705 (17:42:06.219 PDT-17:42:10.040 PDT)
  133.68.253.242 (17:42:04.922 PDT)
    event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
    2705->49538 (17:42:04.922 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  195.128.181.52 (17:42:29.308 PDT)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    6881->61086 (17:42:29.308 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1363135322.412 1363135333.154 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================