Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 139.78.141.245 (2), 165.230.49.115 (6), 128.42.142.41 (5), 89.227.25.225, 165.230.49.114 (3)
Resource List:
Observed Start: 03/27/2013 08:17:00.124 PDT
Gen. Time: 03/27/2013 08:19:03.335 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION Info
139.78.141.245 (2) (08:17:04.650 PDT-08:17:18.533 PDT)
 event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:EC:40
 2: 6882->43579 (08:17:04.650 PDT-08:17:18.533 PDT)
165.230.49.115 (6) (08:17:00.124 PDT-08:17:58.026 PDT)
 event=1:2000357 (6) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:EC:40
 6: 6882->46974 (08:17:00.124 PDT-08:17:58.026 PDT)
128.42.142.41 (5) (08:17:29.703 PDT-08:18:17.310 PDT)
 event=1:2000357 (5) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:EC:40
 5: 6882->52689 (08:17:29.703 PDT-08:18:17.310 PDT)
89.227.25.225 (08:17:56.707 PDT)
 event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:EC:40
 6882->27314 (08:17:56.707 PDT)
165.230.49.114 (3) (08:18:00.271 PDT-08:18:26.043 PDT)
 event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:EC:40
 3: 6882->57970 (08:18:00.271 PDT-08:18:26.043 PDT)

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port
195.128.181.52 (08:19:03.335 PDT)
 event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
 6881->61086 (08:19:03.335 PDT)

DECLARE BOT

OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1364397420.124 1364397506.044 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 83.230.127.122, 193.0.109.23 (2)
Resource List:
Observed Start: 03/27/2013 16:56:59.711 PDT
Gen. Time: 03/27/2013 16:57:16.234 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION Info
83.230.127.122 (16:57:05.502 PDT)
 event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:EC:40
 49579->6881 (16:57:05.502 PDT)
193.0.109.23 (2) (16:56:59.711 PDT-16:57:12.289 PDT)
 event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:EC:40
 2: 6881->41319 (16:56:59.711 PDT-16:57:12.289 PDT)

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port
195.128.181.52 (16:57:16.234 PDT)
 event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
 6881->61086 (16:57:16.234 PDT)

DECLARE BOT

OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1364428619.711 1364428632.290 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 130.149.49.136 (2), 156.17.10.51 (4), 128.114.63.63, 83.230.127.122 (2), 193.0.109.23 (5), 138.251.214.78 (3), 24.94.131.211
Resource List:
Observed Start: 03/27/2013 16:56:59.711 PDT
Gen. Time: 03/27/2013 17:00:56.246 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION Info
130.149.49.136 (2) (16:57:59.103 PDT-16:58:11.647 PDT)
 event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:EC:40
 2: 6881->54288 (16:57:59.103 PDT-16:58:11.647 PDT)
156.17.10.51 (4) (16:57:19.251 PDT-16:57:44.764 PDT)
 event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:EC:40
 6881->42500 (16:57:58.842 PDT)
 -------------------------
 event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:EC:40
 3: 6881->42500 (16:57:19.251 PDT-16:57:44.764 PDT)
128.114.63.63 (16:58:18.812 PDT)
 event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:EC:40
 6881->44774 (16:58:18.812 PDT)
83.230.127.122 (2) (16:57:05.502 PDT-16:57:16.439 PDT)
 event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:EC:40
 2: 49579->6881 (16:57:05.502 PDT-16:57:16.439 PDT)
193.0.109.23 (5) (16:56:59.711 PDT-16:57:49.322 PDT)
 event=1:2000357 (5) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:EC:40
 5: 6881->41319 (16:56:59.711 PDT-16:57:49.322 PDT)
138.251.214.78 (3) (16:57:48.741 PDT-16:58:15.719 PDT)
 event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:EC:40
 3: 6881->35687 (16:57:48.741 PDT-16:58:15.719 PDT)
24.94.131.211 (16:57:55.088 PDT)
 event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:EC:40
 6881->45455 (16:57:55.088 PDT)

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port
195.128.181.52 (16:57:16.234 PDT)
 event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
 6881->61086 (16:57:16.234 PDT)

DECLARE BOT

OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1364428619.711 1364428695.720 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================