Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 128.119.41.210 (5), 213.73.40.105 (2), 88.170.28.180, 165.91.55.8 (3), 128.227.150.12 (6)
Resource List:
Observed Start: 03/25/2013 10:24:45.412 PDT
Gen. Time: 03/25/2013 10:27:27.606 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  128.119.41.210 (5) (10:25:15.522 PDT-10:26:07.186 PDT)
    event=1:2000357 (5) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    5: 6881->47237 (10:25:15.522 PDT-10:26:07.186 PDT)
  213.73.40.105 (2) (10:25:45.657 PDT-10:26:00.551 PDT)
    event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    2: 6881->39057 (10:25:45.657 PDT-10:26:00.551 PDT)
  88.170.28.180 (10:25:18.511 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
    6881->51413 (10:25:18.511 PDT)
  165.91.55.8 (3) (10:24:51.213 PDT-10:25:12.826 PDT)
    event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    3: 6881->45299 (10:24:51.213 PDT-10:25:12.826 PDT)
  128.227.150.12 (6) (10:24:45.412 PDT-10:25:43.323 PDT)
    event=1:2000357 (6) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    6: 6881->35126 (10:24:45.412 PDT-10:25:43.323 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  195.128.181.52 (10:27:27.606 PDT)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    6881->61086 (10:27:27.606 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1364232285.412 1364232367.187 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List: 199.255.189.60
Peer Coord. List: 193.136.166.54 (2), 165.242.90.129, 195.130.124.2, 128.111.52.64, 143.225.229.238 (3), 129.93.229.138, 130.73.142.88, 128.223.8.114, 193.136.227.164, 129.97.74.12 (2), 130.83.166.245, 80.65.237.10, 203.178.133.2
Resource List:
Observed Start: 03/25/2013 12:13:00.406 PDT
Gen. Time: 03/25/2013 12:16:40.890 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
  199.255.189.60 (12:16:40.890 PDT)
    event=1:2012801 {tcp} E4[rb] ET TROJAN Spoofed MSIE 7 User-Agent Likely Ponmocup, [/biz/bacon-austin?start=200&sort_by=date_desc&rpp=40] MAC_Src: 00:21:5A:08:BB:0C
    54184->80 (12:16:40.890 PDT)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  193.136.166.54 (2) (12:13:00.859 PDT-12:13:13.249 PDT)
    event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    2: 54480->6881 (12:13:00.859 PDT-12:13:13.249 PDT)
  165.242.90.129 (12:13:05.871 PDT)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    6881->43284 (12:13:05.871 PDT)
  195.130.124.2 (12:13:14.262 PDT)
    event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
    57054->6881 (12:13:14.262 PDT)
  128.111.52.64 (12:13:19.956 PDT)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    6882->33885 (12:13:19.956 PDT)
  143.225.229.238 (3) (12:13:03.657 PDT-12:13:27.568 PDT)
    event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    3: 6881->43712 (12:13:03.657 PDT-12:13:27.568 PDT)
  129.93.229.138 (12:13:16.678 PDT)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    6882->41389 (12:13:16.678 PDT)
  130.73.142.88 (12:13:20.827 PDT)
    event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
    6882->59618 (12:13:20.827 PDT)
  128.223.8.114 (12:13:09.606 PDT)
    event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
    43502->6881 (12:13:09.606 PDT)
  193.136.227.164 (12:13:03.622 PDT)
    event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
    6881->34331 (12:13:03.622 PDT)
  129.97.74.12 (2) (12:13:12.851 PDT-12:13:25.252 PDT)
    event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    2: 6881->60801 (12:13:12.851 PDT-12:13:25.252 PDT)
  130.83.166.245 (12:13:10.095 PDT)
    event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
    38972->6881 (12:13:10.095 PDT)
  80.65.237.10 (12:13:19.397 PDT)
    event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
    6881->60854 (12:13:19.397 PDT)
  203.178.133.2 (12:13:00.406 PDT)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    6882->53342 (12:13:00.406 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
  213.249.68.98 (12:15:10.035 PDT)
    event=1:9920020 {udp} E8[std] ET ShadowServer confirmed botnet control server on standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    51423->53 (12:15:10.035 PDT)
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1364238780.406 1364238807.569 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 1.2 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List: 199.255.189.60 (2), 69.16.229.102
Peer Coord. List: 193.136.166.54 (2), 165.242.90.129, 195.130.124.2, 129.242.19.197, 128.111.52.64, 147.83.29.232, 143.225.229.238 (3), 129.93.229.138, 130.73.142.88, 129.107.35.132, 128.223.8.114, 193.136.227.164, 129.97.74.12 (2), 130.83.166.245, 147.83.30.164, 80.65.237.10, 203.178.133.2
Resource List:
Observed Start: 03/25/2013 12:13:00.406 PDT
Gen. Time: 03/25/2013 12:20:42.291 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
  199.255.189.60 (2) (12:16:40.890 PDT)
    event=1:2012801 (2) {tcp} E4[rb] ET TROJAN Spoofed MSIE 7 User-Agent Likely Ponmocup, [/biz/bacon-austin?start=200&sort_by=date_desc&rpp=40] MAC_Src: 00:21:5A:08:BB:0C
    54184->80 (12:16:40.890 PDT)
    54184->80 (12:16:40.990 PDT)
C and C TRAFFIC (RBN)
  69.16.229.102 (12:17:52.924 PDT)
    event=1:3810008 {udp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C
    40554->53 (12:17:52.924 PDT)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  193.136.166.54 (2) (12:13:00.859 PDT-12:13:13.249 PDT)
    event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    2: 54480->6881 (12:13:00.859 PDT-12:13:13.249 PDT)
  165.242.90.129 (12:13:05.871 PDT)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    6881->43284 (12:13:05.871 PDT)
  195.130.124.2 (12:13:14.262 PDT)
    event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
    57054->6881 (12:13:14.262 PDT)
  129.242.19.197 (12:16:43.075 PDT)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    6881->36814 (12:16:43.075 PDT)
  128.111.52.64 (12:13:19.956 PDT)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    6882->33885 (12:13:19.956 PDT)
  147.83.29.232 (12:16:47.912 PDT)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    6881->41848 (12:16:47.912 PDT)
  143.225.229.238 (3) (12:13:03.657 PDT-12:13:27.568 PDT)
    event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    3: 6881->43712 (12:13:03.657 PDT-12:13:27.568 PDT)
  129.93.229.138 (12:13:16.678 PDT)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    6882->41389 (12:13:16.678 PDT)
  130.73.142.88 (12:13:20.827 PDT)
    event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
    6882->59618 (12:13:20.827 PDT)
  129.107.35.132 (12:16:50.359 PDT)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    6882->52568 (12:16:50.359 PDT)
  128.223.8.114 (12:13:09.606 PDT)
    event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
    43502->6881 (12:13:09.606 PDT)
  193.136.227.164 (12:13:03.622 PDT)
    event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
    6881->34331 (12:13:03.622 PDT)
  129.97.74.12 (2) (12:13:12.851 PDT-12:13:25.252 PDT)
    event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    2: 6881->60801 (12:13:12.851 PDT-12:13:25.252 PDT)
  130.83.166.245 (12:13:10.095 PDT)
    event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
    38972->6881 (12:13:10.095 PDT)
  147.83.30.164 (12:16:47.266 PDT)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    49872->6881 (12:16:47.266 PDT)
  80.65.237.10 (12:13:19.397 PDT)
    event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
    6881->60854 (12:13:19.397 PDT)
  203.178.133.2 (12:13:00.406 PDT)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    6882->53342 (12:13:00.406 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
  213.249.68.98 (12:15:10.035 PDT)
    event=1:9920020 {udp} E8[std] ET ShadowServer confirmed botnet control server on standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    51423->53 (12:15:10.035 PDT)
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1364238780.406 1364238807.569 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 130.79.48.57 (4), 130.253.21.123 (2), 200.17.202.195 (2), 193.167.187.187 (2), 141.76.45.17, 194.29.178.13 (4), 141.212.113.180 (2)
Resource List:
Observed Start: 03/25/2013 12:20:46.832 PDT
Gen. Time: 03/25/2013 12:23:49.101 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  130.79.48.57 (4) (12:20:50.771 PDT-12:21:27.614 PDT)
    event=1:2000357 (4) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    4: 6882->39760 (12:20:50.771 PDT-12:21:27.614 PDT)
  130.253.21.123 (2) (12:20:46.832 PDT-12:21:08.324 PDT)
    event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    2: 6882->35667 (12:20:46.832 PDT-12:21:08.324 PDT)
  200.17.202.195 (2) (12:20:48.294 PDT-12:20:59.059 PDT)
    event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    2: 6881->57868 (12:20:48.294 PDT-12:20:59.059 PDT)
  193.167.187.187 (2) (12:21:02.739 PDT-12:21:17.110 PDT)
    event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    2: 6881->33453 (12:21:02.739 PDT-12:21:17.110 PDT)
  141.76.45.17 (12:21:25.040 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
    6882->6882 (12:21:25.040 PDT)
  194.29.178.13 (4) (12:20:47.845 PDT-12:21:23.835 PDT)
    event=1:2000357 (4) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    4: 6881->40075 (12:20:47.845 PDT-12:21:23.835 PDT)
  141.212.113.180 (2) (12:21:10.120 PDT-12:21:25.420 PDT)
    event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    2: 6882->59821 (12:21:10.120 PDT-12:21:25.420 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  195.128.181.52 (12:23:49.101 PDT)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    6882->61086 (12:23:49.101 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1364239246.832 1364239287.615 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 128.119.41.210, 219.243.208.62 (3), 72.36.112.79 (2), 128.6.192.156 (3), 193.157.115.250 (3), 202.112.28.98 (3), 204.123.28.55 (2)
Resource List:
Observed Start: 03/25/2013 15:14:53.226 PDT
Gen. Time: 03/25/2013 15:18:40.410 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  128.119.41.210 (15:15:21.819 PDT)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    6881->51459 (15:15:21.819 PDT)
  219.243.208.62 (3) (15:14:58.470 PDT-15:15:20.022 PDT)
    event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    3: 6881->35369 (15:14:58.470 PDT-15:15:20.022 PDT)
  72.36.112.79 (2) (15:15:24.706 PDT-15:15:35.790 PDT)
    event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    2: 6882->36949 (15:15:24.706 PDT-15:15:35.790 PDT)
  128.6.192.156 (3) (15:15:03.359 PDT-15:15:26.723 PDT)
    event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    3: 6881->43663 (15:15:03.359 PDT-15:15:26.723 PDT)
  193.157.115.250 (3) (15:14:53.226 PDT-15:15:16.126 PDT)
    event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    3: 6882->43380 (15:14:53.226 PDT-15:15:16.126 PDT)
  202.112.28.98 (3) (15:15:12.636 PDT-15:15:32.388 PDT)
    event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    3: 6882->53972 (15:15:12.636 PDT-15:15:32.388 PDT)
  204.123.28.55 (2) (15:14:53.675 PDT-15:15:04.452 PDT)
    event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    2: 6882->44583 (15:14:53.675 PDT-15:15:04.452 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  195.128.181.52 (15:18:40.410 PDT)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    6882->61086 (15:18:40.410 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1364249693.226 1364249735.791 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 128.187.223.211, 131.247.2.241 (2), 193.205.215.75, 157.92.44.104
Resource List:
Observed Start: 03/25/2013 18:41:39.886 PDT
Gen. Time: 03/25/2013 18:41:56.187 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  128.187.223.211 (18:41:53.835 PDT)
    event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
    49535->6881 (18:41:53.835 PDT)
  131.247.2.241 (2) (18:41:50.779 PDT-18:41:56.116 PDT)
    event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    2: 40549->6881 (18:41:50.779 PDT-18:41:56.116 PDT)
  193.205.215.75 (18:41:40.336 PDT)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    37802->6881 (18:41:40.336 PDT)
  157.92.44.104 (18:41:39.886 PDT)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    49751->6881 (18:41:39.886 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  195.128.181.52 (18:41:56.187 PDT)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    6881->61086 (18:41:56.187 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1364262099.886 1364262116.117 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 141.161.20.33, 186.221.1.240, 128.187.223.211 (3), 131.247.2.241 (6), 169.235.24.232, 193.205.215.75 (2), 165.91.55.8 (2), 157.92.44.104 (2)
Resource List:
Observed Start: 03/25/2013 18:41:39.886 PDT
Gen. Time: 03/25/2013 18:45:40.861 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  141.161.20.33 (18:42:46.790 PDT)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    48834->6881 (18:42:46.790 PDT)
  186.221.1.240 (18:42:36.279 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
    6881->58485 (18:42:36.279 PDT)
  128.187.223.211 (3) (18:41:53.835 PDT-18:42:27.913 PDT)
    event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
    49535->6881 (18:41:53.835 PDT)
    -------------------------
    event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    2: 49535->6881 (18:42:11.269 PDT-18:42:27.913 PDT)
  131.247.2.241 (6) (18:41:50.779 PDT-18:42:36.090 PDT)
    event=1:2000357 (6) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    6: 40549->6881 (18:41:50.779 PDT-18:42:36.090 PDT)
  169.235.24.232 (18:42:44.716 PDT)
    event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
    40220->6881 (18:42:44.716 PDT)
  193.205.215.75 (2) (18:41:40.336 PDT)
    event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
    37802->6881 (18:42:29.820 PDT)
    -------------------------
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    37802->6881 (18:41:40.336 PDT)
  165.91.55.8 (2) (18:42:16.610 PDT-18:42:38.188 PDT)
    event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    2: 48078->6881 (18:42:16.610 PDT-18:42:38.188 PDT)
  157.92.44.104 (2) (18:41:39.886 PDT-18:42:17.508 PDT)
    event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    2: 49751->6881 (18:41:39.886 PDT-18:42:17.508 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  195.128.181.52 (18:41:56.187 PDT)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    6881->61086 (18:41:56.187 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1364262099.886 1364262158.189 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 157.181.175.249 (2), 128.111.52.64 (3), 195.116.53.23 (2), 131.114.59.242, 94.93.82.147, 131.247.2.245 (3), 195.148.124.74, 156.17.10.52 (3), 138.48.3.203
Resource List:
Observed Start: 03/25/2013 19:17:58.029 PDT
Gen. Time: 03/25/2013 19:19:23.198 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  157.181.175.249 (2) (19:18:11.536 PDT-19:18:22.735 PDT)
    event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    2: 6881->57577 (19:18:11.536 PDT-19:18:22.735 PDT)
  128.111.52.64 (3) (19:18:00.324 PDT-19:18:22.261 PDT)
    event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    3: 6882->41751 (19:18:00.324 PDT-19:18:22.261 PDT)
  195.116.53.23 (2) (19:17:58.029 PDT)
    event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
    35351->6881 (19:17:58.029 PDT)
    -------------------------
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    35351->6881 (19:17:58.832 PDT)
  131.114.59.242 (19:18:19.268 PDT)
    event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
    6881->48174 (19:18:19.268 PDT)
  94.93.82.147 (19:18:04.303 PDT)
    event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
    33302->6881 (19:18:04.303 PDT)
  131.247.2.245 (3) (19:18:07.507 PDT-19:18:29.266 PDT)
    event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    3: 6882->35533 (19:18:07.507 PDT-19:18:29.266 PDT)
  195.148.124.74 (19:18:23.533 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
    6881->6882 (19:18:23.533 PDT)
  156.17.10.52 (3) (19:18:01.129 PDT-19:18:25.831 PDT)
    event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    3: 6881->49803 (19:18:01.129 PDT-19:18:25.831 PDT)
  138.48.3.203 (19:18:00.999 PDT)
    event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
    45606->6881 (19:18:00.999 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  195.128.181.52 (19:19:23.198 PDT)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    6882->61086 (19:19:23.198 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1364264278.029 1364264309.267 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================