Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 193.1.201.26, 150.140.184.251, 193.1.170.136, 129.63.159.101, 131.179.150.70, 133.1.74.163, 129.97.74.12, 130.216.1.22
Resource List:
Observed Start: 03/15/2013 12:03:09.043 PDT
Gen. Time: 03/15/2013 12:03:22.947 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
      Info 193.1.201.26 (12:03:09.833 PDT)
         event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 45348->6881 (12:03:09.833 PDT)
      150.140.184.251 (12:03:09.537 PDT)
         event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C 6881->35609 (12:03:09.537 PDT)
      193.1.170.136 (12:03:16.450 PDT)
         event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 56021->6881 (12:03:16.450 PDT)
      129.63.159.101 (12:03:19.183 PDT)
         event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2705->38460 (12:03:19.183 PDT)
      131.179.150.70 (12:03:11.775 PDT)
         event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 6881->45307 (12:03:11.775 PDT)
      133.1.74.163 (12:03:09.043 PDT)
         event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 6882->45762 (12:03:09.043 PDT)
      129.97.74.12 (12:03:16.289 PDT)
         event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 6882->49799 (12:03:16.289 PDT)
      130.216.1.22 (12:03:10.662 PDT)
         event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 6882->32834 (12:03:10.662 PDT)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
      195.128.181.52 (12:03:22.947 PDT)
         event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 6881->61086 (12:03:22.947 PDT)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1363374189.043 1363374189.044 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 193.1.201.26 (2), 94.233.189.127, 157.181.175.248, 131.179.150.70 (2), 130.216.1.22 (2), 129.97.74.12 (2), 150.140.184.251, 129.63.159.101 (2), 193.1.170.136, 133.1.74.163, 140.109.17.180 (2)
Resource List:
Observed Start: 03/15/2013 12:03:09.043 PDT
Gen. Time: 03/15/2013 12:07:03.852 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
      Info 193.1.201.26 (2) (12:03:09.833 PDT-12:03:26.516 PDT)
         event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2: 45348->6881 (12:03:09.833 PDT-12:03:26.516 PDT)
      94.233.189.127 (12:03:23.138 PDT)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6881->11789 (12:03:23.138 PDT)
      157.181.175.248 (12:03:26.295 PDT)
         event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 6881->36120 (12:03:26.295 PDT)
      131.179.150.70 (2) (12:03:11.775 PDT-12:03:36.833 PDT)
         event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2: 6881->45307 (12:03:11.775 PDT-12:03:36.833 PDT)
      130.216.1.22 (2) (12:03:10.662 PDT-12:03:26.264 PDT)
         event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2: 6882->32834 (12:03:10.662 PDT-12:03:26.264 PDT)
      129.97.74.12 (2) (12:03:16.289 PDT-12:03:29.273 PDT)
         event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2: 6882->49799 (12:03:16.289 PDT-12:03:29.273 PDT)
      150.140.184.251 (12:03:09.537 PDT)
         event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C 6881->35609 (12:03:09.537 PDT)
      129.63.159.101 (2) (12:03:19.183 PDT-12:03:23.111 PDT)
         event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2: 2705->38460 (12:03:19.183 PDT-12:03:23.111 PDT)
      193.1.170.136 (12:03:16.450 PDT)
         event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 56021->6881 (12:03:16.450 PDT)
      133.1.74.163 (12:03:09.043 PDT)
         event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 6882->45762 (12:03:09.043 PDT)
      140.109.17.180 (2) (12:03:24.824 PDT-12:03:34.821 PDT)
         event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2: 45516->2705 (12:03:24.824 PDT-12:03:34.821 PDT)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
      195.128.181.52 (12:03:22.947 PDT)
         event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 6881->61086 (12:03:22.947 PDT)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1363374189.043 1363374216.834 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 155.225.2.72 (2), 165.230.49.115, 211.69.207.34, 152.14.93.139, 129.110.125.52, 131.247.2.247, 129.22.150.78, 206.23.240.29 (2), 139.19.158.231, 128.143.6.134, 202.116.81.194, 140.109.17.180, 212.199.61.205, 133.68.253.242 (2)
Resource List:
Observed Start: 03/15/2013 12:31:08.812 PDT
Gen. Time: 03/15/2013 12:34:38.965 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
      Info 155.225.2.72 (2) (12:31:08.812 PDT-12:31:20.764 PDT)
         event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2: 6881->46611 (12:31:08.812 PDT-12:31:20.764 PDT)
      165.230.49.115 (12:31:23.067 PDT)
         event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2706->41966 (12:31:23.067 PDT)
      211.69.207.34 (12:31:10.070 PDT)
         event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2706->53379 (12:31:10.070 PDT)
      152.14.93.139 (12:31:12.860 PDT)
         event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C 35816->6881 (12:31:12.860 PDT)
      129.110.125.52 (12:31:22.261 PDT)
         event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 6881->43427 (12:31:22.261 PDT)
      131.247.2.247 (12:31:11.844 PDT)
         event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2706->51151 (12:31:11.844 PDT)
      129.22.150.78 (12:31:30.588 PDT)
         event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2706->35529 (12:31:30.588 PDT)
      206.23.240.29 (2) (12:31:09.450 PDT-12:31:22.761 PDT)
         event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2: 2706->52975 (12:31:09.450 PDT-12:31:22.761 PDT)
      139.19.158.231 (12:31:19.078 PDT)
         event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2706->55586 (12:31:19.078 PDT)
      128.143.6.134 (12:31:30.883 PDT)
         event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 47723->6881 (12:31:30.883 PDT)
      202.116.81.194 (12:31:10.070 PDT)
         event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C 2706->39574 (12:31:10.070 PDT)
      140.109.17.180 (12:31:27.787 PDT)
         event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2706->42565 (12:31:27.787 PDT)
      212.199.61.205 (12:31:16.748 PDT)
         event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 44050->6881 (12:31:16.748 PDT)
      133.68.253.242 (2) (12:31:15.720 PDT-12:31:23.419 PDT)
         event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2: 2706->37775 (12:31:15.720 PDT-12:31:23.419 PDT)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
      195.128.181.52 (12:34:38.965 PDT)
         event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 6881->61086 (12:34:38.965 PDT)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1363375868.812 1363375883.420 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 128.223.8.111, 155.225.2.71, 192.16.125.12, 141.219.252.133, 147.229.10.250, 132.72.23.11 (2), 202.249.37.69, 165.91.55.8, 136.145.115.194, 133.9.81.164, 204.123.28.55, 202.116.81.194, 128.111.52.59, 216.48.80.14, 128.208.4.198 (2)
Resource List:
Observed Start: 03/15/2013 17:56:40.564 PDT
Gen. Time: 03/15/2013 17:59:51.509 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
      Info 128.223.8.111 (17:56:46.495 PDT)
         event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2705->59966 (17:56:46.495 PDT)
      155.225.2.71 (17:56:42.089 PDT)
         event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2705->34283 (17:56:42.089 PDT)
      192.16.125.12 (17:56:50.679 PDT)
         event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C 6881->52474 (17:56:50.679 PDT)
      141.219.252.133 (17:56:42.932 PDT)
         event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2705->33166 (17:56:42.932 PDT)
      147.229.10.250 (17:57:02.999 PDT)
         event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C 2705->40695 (17:57:02.999 PDT)
      132.72.23.11 (2) (17:56:47.720 PDT-17:57:00.926 PDT)
         event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2: 2705->42471 (17:56:47.720 PDT-17:57:00.926 PDT)
      202.249.37.69 (17:56:51.628 PDT)
         event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2705->44009 (17:56:51.628 PDT)
      165.91.55.8 (17:56:48.239 PDT)
         event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 54708->2706 (17:56:48.239 PDT)
      136.145.115.194 (17:56:50.323 PDT)
         event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 6881->41101 (17:56:50.323 PDT)
      133.9.81.164 (17:56:40.564 PDT)
         event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2705->34398 (17:56:40.564 PDT)
      204.123.28.55 (17:56:46.806 PDT)
         event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C 6881->50585 (17:56:46.806 PDT)
      202.116.81.194 (17:56:46.323 PDT)
         event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2705->46708 (17:56:46.323 PDT)
      128.111.52.59 (17:56:57.963 PDT)
         event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 6881->41686 (17:56:57.963 PDT)
      216.48.80.14 (17:56:42.822 PDT)
         event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C 44765->6881 (17:56:42.822 PDT)
      128.208.4.198 (2) (17:56:46.056 PDT-17:57:00.179 PDT)
         event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2: 2705->58143 (17:56:46.056 PDT-17:57:00.179 PDT)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
      195.128.181.52 (17:59:51.509 PDT)
         event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 6881->61086 (17:59:51.509 PDT)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1363395400.564 1363395420.927 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 188.32.98.228
Resource List:
Observed Start: 03/15/2013 18:25:35.213 PDT
Gen. Time: 03/15/2013 18:25:35.332 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
      Info 188.32.98.228 (18:25:35.213 PDT)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6881->30560 (18:25:35.213 PDT)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
      195.128.181.52 (18:25:35.332 PDT)
         event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 6881->61086 (18:25:35.332 PDT)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1363397135.213 1363397135.214 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 140.192.249.203, 139.78.141.245, 169.229.50.9, 155.98.35.8, 188.32.98.228, 155.98.35.7, 130.237.43.75 (2), 128.84.154.44, 128.31.1.14, 192.33.90.67, 128.143.6.134, 169.229.50.4, 128.36.233.153, 72.36.112.74, 131.193.34.173, 132.239.17.226
Resource List:
Observed Start: 03/15/2013 18:25:35.213 PDT
Gen. Time: 03/15/2013 18:29:35.548 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
      Info 140.192.249.203 (18:25:55.384 PDT)
         event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 54324->6881 (18:25:55.384 PDT)
      139.78.141.245 (18:25:55.511 PDT)
         event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 45008->6881 (18:25:55.511 PDT)
      169.229.50.9 (18:25:55.384 PDT)
         event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 50124->6882 (18:25:55.384 PDT)
      155.98.35.8 (18:25:55.486 PDT)
         event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 38463->6881 (18:25:55.486 PDT)
      188.32.98.228 (18:25:35.213 PDT)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6881->30560 (18:25:35.213 PDT)
      155.98.35.7 (18:25:55.511 PDT)
         event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 57943->6881 (18:25:55.511 PDT)
      130.237.43.75 (2) (18:25:54.388 PDT)
         event=1:2000369 {tcp} E7[info] ET P2P BitTorrent Announce, [] MAC_Src: 00:21:5A:08:BB:0C 44931->6969 (18:25:54.388 PDT)
         -------------------------
         event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:21:5A:08:BB:0C 44931->6969 (18:25:54.388 PDT)
      128.84.154.44 (18:25:55.557 PDT)
         event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 34116->6881 (18:25:55.557 PDT)
      128.31.1.14 (18:25:55.444 PDT)
         event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 50000->6881 (18:25:55.444 PDT)
      192.33.90.67 (18:25:55.486 PDT)
         event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 36996->6881 (18:25:55.486 PDT)
      128.143.6.134 (18:25:55.584 PDT)
         event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 44977->6881 (18:25:55.584 PDT)
      169.229.50.4 (18:25:55.486 PDT)
         event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 42110->6881 (18:25:55.486 PDT)
      128.36.233.153 (18:25:55.557 PDT)
         event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 59101->6881 (18:25:55.557 PDT)
      72.36.112.74 (18:25:55.511 PDT)
         event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 59211->6881 (18:25:55.511 PDT)
      131.193.34.173 (18:25:52.702 PDT)
         event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C 50769->2705 (18:25:52.702 PDT)
      132.239.17.226 (18:25:55.444 PDT)
         event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 53873->6881 (18:25:55.444 PDT)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
      195.128.181.52 (18:25:35.332 PDT)
         event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 6881->61086 (18:25:35.332 PDT)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1363397135.213 1363397135.214 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 203.178.143.10 (2), 128.223.8.111 (2), 131.193.34.193, 203.30.39.239, 133.9.81.165 (2), 198.133.224.149 (3), 202.249.37.67 (2), 170.140.119.69 (2), 66.140.111.5, 133.68.253.243
Resource List:
Observed Start: 03/15/2013 22:17:34.584 PDT
Gen. Time: 03/15/2013 22:18:41.430 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
      Info 203.178.143.10 (2) (22:17:36.739 PDT)
         event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C 2705->54783 (22:17:49.186 PDT)
         -------------------------
         event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2705->54783 (22:17:36.739 PDT)
      128.223.8.111 (2) (22:17:40.303 PDT-22:17:41.993 PDT)
         event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2: 2705->58481 (22:17:40.303 PDT-22:17:41.993 PDT)
      131.193.34.193 (22:17:42.831 PDT)
         event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C 46330->2704 (22:17:42.831 PDT)
      203.30.39.239 (22:17:44.937 PDT)
         event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 6881->40265 (22:17:44.937 PDT)
      133.9.81.165 (2) (22:17:34.584 PDT-22:17:49.796 PDT)
         event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2: 6881->35841 (22:17:34.584 PDT-22:17:49.796 PDT)
      198.133.224.149 (3) (22:17:36.111 PDT-22:17:46.840 PDT)
         event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 3: 2705->58357 (22:17:36.111 PDT-22:17:46.840 PDT)
      202.249.37.67 (2) (22:17:40.930 PDT-22:17:44.608 PDT)
         event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2: 2705->51443 (22:17:40.930 PDT-22:17:44.608 PDT)
      170.140.119.69 (2) (22:17:38.392 PDT-22:17:39.244 PDT)
         event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2: 2705->43514 (22:17:38.392 PDT-22:17:39.244 PDT)
      66.140.111.5 (22:17:41.752 PDT)
         event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2705->41621 (22:17:41.752 PDT)
      133.68.253.243 (22:17:47.118 PDT)
         event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2705->60009 (22:17:47.118 PDT)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
      195.128.181.52 (22:18:41.430 PDT)
         event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 6881->61086 (22:18:41.430 PDT)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1363411054.584 1363411069.797 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================