Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 129.15.78.31, 203.110.240.191, 142.103.2.1, 165.230.49.114, 141.219.252.132, 136.145.115.196, 129.22.150.78, 139.19.158.231, 204.123.28.56, 128.227.150.12, 129.82.12.187, 151.97.9.225, 129.237.161.194, 131.193.34.173 (2), 200.129.132.18, 128.223.8.112
Resource List:
Observed Start: 03/14/2013 11:26:06.398 PDT
Gen. Time: 03/14/2013 11:30:00.625 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP

PEER COORDINATION Info
129.15.78.31 (11:26:06.398 PDT)
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 6881->42697 (11:26:06.398 PDT)
203.110.240.191 (11:26:09.007 PDT)
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2706->47534 (11:26:09.007 PDT)
142.103.2.1 (11:26:23.367 PDT)
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2706->48398 (11:26:23.367 PDT)
165.230.49.114 (11:26:15.858 PDT)
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 6881->44536 (11:26:15.858 PDT)
141.219.252.132 (11:26:21.548 PDT)
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2706->59166 (11:26:21.548 PDT)
136.145.115.196 (11:26:19.062 PDT)
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2706->47737 (11:26:19.062 PDT)
129.22.150.78 (11:26:20.276 PDT)
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2706->48692 (11:26:20.276 PDT)
139.19.158.231 (11:26:18.668 PDT)
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2706->50973 (11:26:18.668 PDT)
204.123.28.56 (11:26:10.704 PDT)
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2706->46411 (11:26:10.704 PDT)
128.227.150.12 (11:26:18.221 PDT)
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2706->54386 (11:26:18.221 PDT)
129.82.12.187 (11:26:19.957 PDT)
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2706->44833 (11:26:19.957 PDT)
151.97.9.225 (11:26:10.642 PDT)
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 6881->50545 (11:26:10.642 PDT)
129.237.161.194 (11:26:13.672 PDT)
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 6881->52619 (11:26:13.672 PDT)
131.193.34.173 (2) (11:26:15.090 PDT)
  event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C 54328->6969 (11:26:15.090 PDT)
  -------------------------
  event=1:2000369 {tcp} E7[info] ET P2P BitTorrent Announce, [] MAC_Src: 00:21:5A:08:BB:0C 54328->6969 (11:26:15.090 PDT)
200.129.132.18 (11:26:11.080 PDT)
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2706->42201 (11:26:11.080 PDT)
128.223.8.112 (11:26:22.290 PDT)
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2706->39493 (11:26:22.290 PDT)

PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
195.128.181.52 (11:30:00.625 PDT)
  event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 6882->61086 (11:30:00.625 PDT)
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1363285566.398 1363285566.399 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'