Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List: 212.36.9.1
Peer Coord. List: 77.53.187.3 (3), 128.8.126.111, 132.239.17.225, 210.32.133.7 (2), 193.190.168.51, 169.229.50.14 (2), 128.220.251.50, 128.59.20.227, 130.237.43.75 (2), 13.7.64.20, 192.52.240.213, 83.230.127.122
Resource List:
Observed Start: 03/18/2013 14:35:34.199 PDT
Gen. Time: 03/18/2013 14:39:10.365 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
          212.36.9.1 (14:36:21.791 PDT)
            event=1:3810008 {udp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C
            57043->53 (14:36:21.791 PDT)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
          Info 77.53.187.3 (3) (14:36:04.192 PDT)
            event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
            6881->41187 (14:36:07.197 PDT)
            -------------------------
            event=1:2008581 {udp} E7[info] ET P2P BitTorrent DHT ping request, [] MAC_Src: 00:21:5A:08:BB:0C
            6881->41187 (14:36:07.197 PDT)
            -------------------------
            event=1:2008583 {udp} E7[info] ET P2P BitTorrent DHT nodes reply, [] MAC_Src: 00:21:5A:08:BB:0C
            6881->41187 (14:36:04.192 PDT)
          128.8.126.111 (14:36:08.920 PDT)
            event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
            49533->6881 (14:36:08.920 PDT)
          132.239.17.225 (14:36:14.781 PDT)
            event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
            6881->59416 (14:36:14.781 PDT)
          210.32.133.7 (2) (14:35:34.199 PDT-14:36:08.844 PDT)
            event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
            2: 6881->35860 (14:35:34.199 PDT-14:36:08.844 PDT)
          193.190.168.51 (14:36:11.275 PDT)
            event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
            45131->6881 (14:36:11.275 PDT)
          169.229.50.14 (2) (14:36:15.879 PDT)
            event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C
            39446->6881 (14:36:15.879 PDT)
            -------------------------
            event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
            39446->6881 (14:36:15.879 PDT)
          128.220.251.50 (14:36:04.736 PDT)
            event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
            48377->6881 (14:36:04.736 PDT)
          128.59.20.227 (14:36:08.816 PDT)
            event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
            6881->50978 (14:36:08.816 PDT)
          130.237.43.75 (2) (14:36:15.685 PDT)
            event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C
            42959->6969 (14:36:15.685 PDT)
            -------------------------
            event=1:2000369 {tcp} E7[info] ET P2P BitTorrent Announce, [] MAC_Src: 00:21:5A:08:BB:0C
            42959->6969 (14:36:15.685 PDT)
          13.7.64.20 (14:36:04.787 PDT)
            event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
            6881->38205 (14:36:04.787 PDT)
          192.52.240.213 (14:36:08.453 PDT)
            event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
            6881->44607 (14:36:08.453 PDT)
          83.230.127.122 (14:36:15.230 PDT)
            event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
            6881->55365 (14:36:15.230 PDT)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
          94.23.32.56 (14:39:10.365 PDT)
            event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
            6881->49806 (14:39:10.365 PDT)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1363642534.199 1363642568.845 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================
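The record above is a BotHunter infection profile: a header (score against the 0.8 declaration threshold, infected host, C&C and peer lists, observation window), then one block per dialog stage holding the evidence hosts and the Snort-style event=gid:sid rules that fired for them, and finally a tcpslice/tcpdump line for carving the host's packets out of the capture. The parser below is an added example written for this page, not BotHunter's own code; it reads a profile into header fields and a flat event list, converts the PDT stamps to the epoch form tcpslice takes, and reports which evidence a given slice window would miss. The sample profile embedded in it is a constructed abridgement of the report above (PEER COORDINATION cut to two peers); the PDT = UTC-7 offset, the assumption that a profile never crosses midnight, and all function names are mine.

```python
import re
from datetime import datetime, timedelta, timezone

# BotHunter stamps every time in the profile as PDT (UTC-7). Assumption for this
# example: a profile never spans midnight, so the date in "Observed Start" applies
# to every per-event time of day.
PDT = timezone(timedelta(hours=-7), "PDT")

HEADER_RE = re.compile(r"^([A-Za-z&. ]+?):\s*(.*)$")
EVENT_RE = re.compile(r"^\s*event=(\d+:\d+)(?:\s+\(\d+\))?\s+\{(\w+)\}\s+E(\d+)\[(\w+)\]"
                      r"\s+(.*?),\s+\[\]\s+MAC_Src:\s+(\S+)")
PORTS_RE = re.compile(r"^\s*(?:\d+:\s+)?(\d+)->(\d+)\s+\((\d\d:\d\d:\d\d\.\d+) PDT")
HOST_RE = re.compile(r"^\s*(?:Info\s+)?(\d{1,3}(?:\.\d{1,3}){3})(?:\s+\(\d+\))?\s+\(\d\d:")

# Constructed sample: the profile above with PEER COORDINATION cut to two peers.
SAMPLE = """\
Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
C & C List: 212.36.9.1
Peer Coord. List: 77.53.187.3 (3), 130.237.43.75 (2)
Observed Start: 03/18/2013 14:35:34.199 PDT
Gen. Time: 03/18/2013 14:39:10.365 PDT

   INBOUND SCAN
   C and C TRAFFIC (RBN)
          212.36.9.1 (14:36:21.791 PDT)
            event=1:3810008 {udp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C
            57043->53 (14:36:21.791 PDT)
   PEER COORDINATION
          Info 77.53.187.3 (3) (14:36:04.192 PDT)
            event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
            6881->41187 (14:36:07.197 PDT)
            -------------------------
            event=1:2008581 {udp} E7[info] ET P2P BitTorrent DHT ping request, [] MAC_Src: 00:21:5A:08:BB:0C
            6881->41187 (14:36:07.197 PDT)
          130.237.43.75 (2) (14:36:15.685 PDT)
            event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C
            42959->6969 (14:36:15.685 PDT)
   DECLARE BOT Non-standard Port
          94.23.32.56 (14:39:10.365 PDT)
            event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
            6881->49806 (14:39:10.365 PDT)
"""


def parse_profile(text):
    """Parse one profile into its header fields plus a flat list of evidence events,
    each tagged with the dialog stage and evidence host it was filed under."""
    header, events, stage, host, ev = {}, [], None, None, None
    lines = iter(text.splitlines())
    for line in lines:  # header block ends at the first blank line
        if not line.strip():
            break
        if m := HEADER_RE.match(line):
            header[m[1].strip()] = m[2].strip()
    for line in lines:
        s = line.strip()
        if not s or s.startswith("---"):
            continue
        if m := EVENT_RE.match(line):
            ev = {"stage": stage, "host": host, "sid": m[1], "proto": m[2],
                  "level": int(m[3]), "tag": m[4], "msg": m[5], "mac": m[6]}
        elif m := PORTS_RE.match(line):
            if ev:  # the port line completes the event opened just above it
                ev.update(sport=int(m[1]), dport=int(m[2]), time=m[3])
                events.append(ev)
                ev = None
        elif m := HOST_RE.match(line):
            host = m[1]
        else:
            stage = s  # anything else is a dialog-stage label, e.g. "DECLARE BOT"
    return {"header": header, "events": events}


def to_epoch(stamp):
    """'03/18/2013 14:35:34.199 PDT' -> '1363642534.199', the form tcpslice takes."""
    dt = datetime.strptime(stamp.replace(" PDT", ""), "%m/%d/%Y %H:%M:%S.%f")
    return f"{dt.replace(tzinfo=PDT).timestamp():.3f}"


def event_epoch(profile, ev):
    date = profile["header"]["Observed Start"].split()[0]
    return float(to_epoch(f"{date} {ev['time']} PDT"))


def evidence_outside(profile, start, end):
    """gid:sid of every evidence event whose time lies outside [start, end] epoch secs."""
    return [ev["sid"] for ev in profile["events"]
            if not start <= event_epoch(profile, ev) <= end]


def tcpslice_command(profile, infile="inputFile.tcpd", outfile="outputFile.tcpd"):
    """Slice from Observed Start through Gen. Time so every listed event is captured."""
    h = profile["header"]
    return (f"tcpslice {to_epoch(h['Observed Start'])} {to_epoch(h['Gen. Time'])} {infile}"
            f" | tcpdump -r - -w {outfile} 'host {h['Infected Target']}'")


def declared_bot_evidence(profile):
    """(host, gid:sid, message) for the events filed under a DECLARE BOT stage."""
    return [(e["host"], e["sid"], e["msg"]) for e in profile["events"]
            if e["stage"].startswith("DECLARE BOT")]


if __name__ == "__main__":
    prof = parse_profile(SAMPLE)
    print(tcpslice_command(prof))
    print("declared by:", declared_bot_evidence(prof))
    print("missed by report window:", evidence_outside(prof, 1363642534.199, 1363642568.845))
```

Two things worth checking before trusting the carve-out. First, the epoch arithmetic: 1363642534.199 is exactly 03/18/2013 14:35:34.199 PDT, so the report's window is anchored on Observed Start. Second, its end, 1363642568.845, is 14:36:08.845 PDT, which is before the RBN DNS lookup at 14:36:21, most of the peer-coordination traffic, and the ShadowServer hit at 14:39:10 that actually triggered DECLARE BOT; evidence_outside shows exactly which rule hits a given window drops, and tcpslice_command widens the end to Gen. Time so the extracted pcap contains all of them.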