Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 138.96.116.20 (3), 193.144.21.130 (3), 130.216.1.22 (3), 148.81.140.193, 129.186.205.78, 206.12.16.154, 152.66.245.161, 128.163.142.21 (3), 130.127.39.152
Resource List:
Observed Start: 03/27/2013 08:17:03.295 PDT
Gen. Time: 03/27/2013 08:19:34.999 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT
MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
  Info 138.96.116.20 (3) (08:17:09.449 PDT-08:17:34.649 PDT) event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 3: 6881->52098 (08:17:09.449 PDT-08:17:34.649 PDT)
  193.144.21.130 (3) (08:17:03.295 PDT-08:17:24.823 PDT) event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 3: 6882->34241 (08:17:03.295 PDT-08:17:24.823 PDT)
  130.216.1.22 (3) (08:17:05.391 PDT-08:17:30.653 PDT) event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 3: 6881->55945 (08:17:05.391 PDT-08:17:30.653 PDT)
  148.81.140.193 (08:17:31.679 PDT) event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C 6881->41000 (08:17:31.679 PDT)
  129.186.205.78 (08:17:25.260 PDT) event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C 53541->6881 (08:17:25.260 PDT)
  206.12.16.154 (08:17:33.849 PDT) event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 6882->46356 (08:17:33.849 PDT)
  152.66.245.161 (08:17:21.389 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6881->6881 (08:17:21.389 PDT)
  128.163.142.21 (3) (08:17:06.523 PDT-08:17:28.212 PDT) event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 3: 6882->40466 (08:17:06.523 PDT-08:17:28.212 PDT)
  130.127.39.152 (08:17:06.205 PDT) event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 6881->60757 (08:17:06.205 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  195.128.181.52 (08:19:34.999 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 6882->61086 (08:19:34.999 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1364397423.295 1364397454.650 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 128.84.154.41 (2), 129.15.78.30 (4), 130.192.157.132, 155.246.12.164, 115.242.246.155, 66.140.111.7, 130.237.43.75 (2), 203.178.133.11 (3), 134.151.255.181 (2)
Resource List:
Observed Start: 03/27/2013 20:00:54.227 PDT
Gen. Time: 03/27/2013 20:02:35.098 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT
MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
  Info 128.84.154.41 (2) (20:00:56.420 PDT-20:01:08.096 PDT) event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2: 6881->38225 (20:00:56.420 PDT-20:01:08.096 PDT)
  129.15.78.30 (4) (20:01:06.615 PDT-20:01:40.691 PDT) event=1:2000357 (4) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 4: 6882->43287 (20:01:06.615 PDT-20:01:40.691 PDT)
  130.192.157.132 (20:01:03.709 PDT) event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 6881->41084 (20:01:03.709 PDT)
  155.246.12.164 (20:00:54.227 PDT) event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 6881->57279 (20:00:54.227 PDT)
  115.242.246.155 (20:01:41.358 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6882->45682 (20:01:41.358 PDT)
  66.140.111.7 (20:01:51.484 PDT) event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 6882->56562 (20:01:51.484 PDT)
  130.237.43.75 (2) (20:01:14.476 PDT) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C 44576->6969 (20:01:14.476 PDT)
  -------------------------
  event=1:2000369 {tcp} E7[info] ET P2P BitTorrent Announce, [] MAC_Src: 00:21:5A:08:BB:0C 44576->6969 (20:01:14.476 PDT)
  203.178.133.11 (3) (20:01:21.509 PDT-20:01:44.710 PDT) event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 3: 6882->43367 (20:01:21.509 PDT-20:01:44.710 PDT)
  134.151.255.181 (2) (20:01:02.716 PDT-20:01:14.189 PDT) event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2: 6882->45223 (20:01:02.716 PDT-20:01:14.189 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  195.128.181.52 (20:02:35.098 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 6881->61086 (20:02:35.098 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1364439654.227 1364439704.711 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 200.0.206.137, 130.237.43.75 (2), 128.187.223.212
Resource List:
Observed Start: 03/27/2013 22:42:52.283 PDT
Gen. Time: 03/27/2013 22:43:16.081 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT
MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
  Info 200.0.206.137 (22:42:55.465 PDT) event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 43003->6881 (22:42:55.465 PDT)
  130.237.43.75 (2) (22:42:58.722 PDT) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C 43528->6969 (22:42:58.722 PDT)
  -------------------------
  event=1:2000369 {tcp} E7[info] ET P2P BitTorrent Announce, [] MAC_Src: 00:21:5A:08:BB:0C 43528->6969 (22:42:58.722 PDT)
  128.187.223.212 (22:42:52.283 PDT) event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 56350->6881 (22:42:52.283 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  195.128.181.52 (22:43:16.081 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 6881->61086 (22:43:16.081 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1364449372.283 1364449372.284 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 169.229.50.10, 142.103.2.2 (2), 128.187.223.212, 169.229.50.9, 141.161.20.32, 169.229.50.7, 158.130.6.254, 130.237.43.75 (4), 143.215.131.199, 200.0.206.137, 141.212.113.180, 129.97.74.12, 128.233.252.11
Resource List:
Observed Start: 03/27/2013 22:42:52.283 PDT
Gen. Time: 03/27/2013 22:46:53.306 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT
MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
  Info 169.229.50.10 (22:43:16.963 PDT) event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 55096->6881 (22:43:16.963 PDT)
  142.103.2.2 (2) (22:43:16.939 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C 39656->6881 (22:43:16.939 PDT)
  -------------------------
  event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 39656->6881 (22:43:16.939 PDT)
  128.187.223.212 (22:42:52.283 PDT) event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 56350->6881 (22:42:52.283 PDT)
  169.229.50.9 (22:43:17.024 PDT) event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 38088->6881 (22:43:17.024 PDT)
  141.161.20.32 (22:43:17.024 PDT) event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 37572->6881 (22:43:17.024 PDT)
  169.229.50.7 (22:43:16.963 PDT) event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 38843->6881 (22:43:16.963 PDT)
  158.130.6.254 (22:43:16.989 PDT) event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 41220->6881 (22:43:16.989 PDT)
  130.237.43.75 (4) (22:42:58.722 PDT) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C 43528->6969 (22:42:58.722 PDT)
  -------------------------
  event=1:2000369 (2) {tcp} E7[info] ET P2P BitTorrent Announce, [] MAC_Src: 00:21:5A:08:BB:0C 43528->6969 (22:42:58.722 PDT) 43539->6969 (22:43:16.465 PDT)
  -------------------------
  event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:21:5A:08:BB:0C 43539->6969 (22:43:16.465 PDT)
  143.215.131.199 (22:43:16.989 PDT) event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 49595->6881 (22:43:16.989 PDT)
  200.0.206.137 (22:42:55.465 PDT) event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 43003->6881 (22:42:55.465 PDT)
  141.212.113.180 (22:43:16.963 PDT) event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 38784->6881 (22:43:16.963 PDT)
  129.97.74.12 (22:43:17.024 PDT) event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 54159->6881 (22:43:17.024 PDT)
  128.233.252.11 (22:43:17.024 PDT) event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 44810->6881 (22:43:17.024 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  195.128.181.52 (22:43:16.081 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 6881->61086 (22:43:16.081 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1364449372.283 1364449372.284 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'
============================== SEPARATOR ================================