Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 193.10.64.35, 165.242.90.129 (3), 128.187.223.211 (3), 139.78.141.243 (2), 193.175.135.61, 134.121.64.4 (2), 129.63.159.102, 138.48.3.203, 200.129.132.18 (3)
Resource List:
Observed Start: 03/28/2013 01:22:57.188 PDT
Gen. Time: 03/28/2013 01:25:42.012 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
    Info
    193.10.64.35 (01:23:25.101 PDT) event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C 49099->6881 (01:23:25.101 PDT)
    165.242.90.129 (3) (01:22:59.243 PDT-01:23:20.786 PDT) event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 3: 6881->59205 (01:22:59.243 PDT-01:23:20.786 PDT)
    128.187.223.211 (3) (01:23:03.233 PDT-01:23:24.863 PDT) event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 3: 6881->44111 (01:23:03.233 PDT-01:23:24.863 PDT)
    139.78.141.243 (2) (01:22:57.188 PDT-01:23:06.225 PDT) event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2: 6882->57474 (01:22:57.188 PDT-01:23:06.225 PDT)
    193.175.135.61 (01:23:05.917 PDT) event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C 34464->6881 (01:23:05.917 PDT)
    134.121.64.4 (2) (01:23:08.920 PDT-01:23:23.795 PDT) event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2: 6882->54596 (01:23:08.920 PDT-01:23:23.795 PDT)
    129.63.159.102 (01:23:15.880 PDT) event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C 40024->6881 (01:23:15.880 PDT)
    138.48.3.203 (01:23:09.950 PDT) event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C 51168->6881 (01:23:09.950 PDT)
    200.129.132.18 (3) (01:22:59.434 PDT-01:23:25.112 PDT) event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 3: 6882->48950 (01:22:59.434 PDT-01:23:25.112 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    195.128.181.52 (01:25:42.012 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 6881->61086 (01:25:42.012 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1364458977.188 1364459005.113 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 142.103.2.2, 128.187.223.212, 137.165.1.114, 169.229.50.9 (2), 158.130.6.254, 128.42.142.45, 143.215.131.199, 130.237.43.75 (3), 128.138.207.45, 192.52.240.213, 141.212.113.180, 176.14.217.146, 129.130.252.141, 129.22.150.29
Resource List:
Observed Start: 03/28/2013 12:18:13.687 PDT
Gen. Time: 03/28/2013 12:18:29.100 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
    Info
    142.103.2.2 (12:18:14.442 PDT) event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 54565->6881 (12:18:14.442 PDT)
    128.187.223.212 (12:18:14.416 PDT) event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 52441->6881 (12:18:14.416 PDT)
    137.165.1.114 (12:18:14.497 PDT) event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 35298->6881 (12:18:14.497 PDT)
    169.229.50.9 (2) (12:18:14.416 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C 41282->6881 (12:18:14.416 PDT)
        ------------------------- event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 41282->6881 (12:18:14.416 PDT)
    158.130.6.254 (12:18:14.472 PDT) event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 52723->6881 (12:18:14.472 PDT)
    128.42.142.45 (12:18:14.442 PDT) event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 49695->6881 (12:18:14.442 PDT)
    143.215.131.199 (12:18:14.497 PDT) event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 42960->6881 (12:18:14.497 PDT)
    130.237.43.75 (3) (12:18:14.155 PDT) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C 40265->6969 (12:18:14.155 PDT)
        ------------------------- event=1:2000369 {tcp} E7[info] ET P2P BitTorrent Announce, [] MAC_Src: 00:21:5A:08:BB:0C 40265->6969 (12:18:14.155 PDT)
        ------------------------- event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:21:5A:08:BB:0C 40265->6969 (12:18:14.155 PDT)
    128.138.207.45 (12:18:14.444 PDT) event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 44505->6881 (12:18:14.444 PDT)
    192.52.240.213 (12:18:14.472 PDT) event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 41607->6881 (12:18:14.472 PDT)
    141.212.113.180 (12:18:14.472 PDT) event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 33426->6881 (12:18:14.472 PDT)
    176.14.217.146 (12:18:13.687 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6881->33801 (12:18:13.687 PDT)
    129.130.252.141 (12:18:14.442 PDT) event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 60333->6881 (12:18:14.442 PDT)
    129.22.150.29 (12:18:14.497 PDT) event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 33896->6881 (12:18:14.497 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    195.128.181.52 (12:18:29.100 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 6881->61086 (12:18:29.100 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1364498293.687 1364498293.688 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 128.223.8.114 (3), 138.246.99.250 (4), 138.96.116.23 (2), 139.78.141.245 (2), 130.195.4.68, 130.237.43.75 (2), 190.200.191.229, 192.138.213.236 (2)
Resource List:
Observed Start: 03/28/2013 17:39:09.775 PDT
Gen. Time: 03/28/2013 17:41:47.547 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
    Info
    128.223.8.114 (3) (17:39:11.958 PDT-17:39:33.570 PDT) event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 3: 6881->35442 (17:39:11.958 PDT-17:39:33.570 PDT)
    138.246.99.250 (4) (17:39:20.378 PDT-17:39:52.288 PDT) event=1:2000357 (4) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 4: 6882->49338 (17:39:20.378 PDT-17:39:52.288 PDT)
    138.96.116.23 (2) (17:39:38.398 PDT-17:39:49.161 PDT) event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2: 6882->41066 (17:39:38.398 PDT-17:39:49.161 PDT)
    139.78.141.245 (2) (17:39:16.307 PDT-17:39:27.082 PDT) event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2: 6882->57478 (17:39:16.307 PDT-17:39:27.082 PDT)
    130.195.4.68 (17:39:09.775 PDT) event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 6881->51676 (17:39:09.775 PDT)
    130.237.43.75 (2) (17:39:42.276 PDT) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C 44543->6969 (17:39:42.276 PDT)
        ------------------------- event=1:2000369 {tcp} E7[info] ET P2P BitTorrent Announce, [] MAC_Src: 00:21:5A:08:BB:0C 44543->6969 (17:39:42.276 PDT)
    190.200.191.229 (17:39:12.072 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6881->1296 (17:39:12.072 PDT)
    192.138.213.236 (2) (17:39:20.528 PDT-17:39:31.290 PDT) event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2: 6881->56637 (17:39:20.528 PDT-17:39:31.290 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    195.128.181.52 (17:41:47.547 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 6882->61086 (17:41:47.547 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1364517549.775 1364517592.289 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 139.78.141.245, 165.242.90.129, 128.114.63.64, 66.140.111.7 (2), 165.230.49.119, 139.30.240.192 (4), 130.149.49.136 (2), 90.231.43.111, 128.112.139.97 (2), 128.111.52.59 (2)
Resource List:
Observed Start: 03/28/2013 18:07:07.585 PDT
Gen. Time: 03/28/2013 18:10:59.850 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
    Info
    139.78.141.245 (18:07:35.137 PDT) event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 6882->33341 (18:07:35.137 PDT)
    165.242.90.129 (18:07:28.555 PDT) event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 6881->44467 (18:07:28.555 PDT)
    128.114.63.64 (18:07:07.945 PDT) event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 6882->55002 (18:07:07.945 PDT)
    66.140.111.7 (2) (18:07:07.986 PDT-18:07:18.672 PDT) event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2: 6881->36993 (18:07:07.986 PDT-18:07:18.672 PDT)
    165.230.49.119 (18:07:22.582 PDT) event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C 6881->39770 (18:07:22.582 PDT)
    139.30.240.192 (4) (18:07:08.395 PDT-18:07:44.518 PDT) event=1:2000357 (4) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 4: 6882->57678 (18:07:08.395 PDT-18:07:44.518 PDT)
    130.149.49.136 (2) (18:07:07.585 PDT-18:07:44.560 PDT) event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2: 6881->57452 (18:07:07.585 PDT-18:07:44.560 PDT)
    90.231.43.111 (18:07:22.312 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6882->60731 (18:07:22.312 PDT)
    128.112.139.97 (2) (18:07:10.641 PDT-18:07:25.308 PDT) event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2: 37902->6881 (18:07:10.641 PDT-18:07:25.308 PDT)
    128.111.52.59 (2) (18:07:27.656 PDT-18:07:39.619 PDT) event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2: 6881->39756 (18:07:27.656 PDT-18:07:39.619 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    195.128.181.52 (18:10:59.850 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 6881->61086 (18:10:59.850 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1364519227.585 1364519264.561 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 142.103.2.2, 128.42.142.41, 128.111.52.58, 141.219.252.133, 132.239.17.224, 128.114.63.63 (2), 130.237.43.75 (3), 206.12.16.155, 129.107.35.132, 129.186.205.78, 13.7.64.20, 142.104.21.245, 169.229.50.12, 129.130.252.141
Resource List:
Observed Start: 03/28/2013 19:51:02.205 PDT
Gen. Time: 03/28/2013 19:52:14.154 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
    Info
    142.103.2.2 (19:51:02.487 PDT) event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 49778->6881 (19:51:02.487 PDT)
    128.42.142.41 (19:51:02.487 PDT) event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 52598->6881 (19:51:02.487 PDT)
    128.111.52.58 (19:51:02.462 PDT) event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 42403->6881 (19:51:02.462 PDT)
    141.219.252.133 (19:51:02.512 PDT) event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 53333->6881 (19:51:02.512 PDT)
    132.239.17.224 (19:51:02.487 PDT) event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 44862->6881 (19:51:02.487 PDT)
    128.114.63.63 (2) (19:51:02.461 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C 51621->6881 (19:51:02.461 PDT)
        ------------------------- event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 51621->6881 (19:51:02.461 PDT)
    130.237.43.75 (3) (19:51:02.205 PDT) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C 36767->6969 (19:51:02.205 PDT)
        ------------------------- event=1:2000369 {tcp} E7[info] ET P2P BitTorrent Announce, [] MAC_Src: 00:21:5A:08:BB:0C 36767->6969 (19:51:02.205 PDT)
        ------------------------- event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:21:5A:08:BB:0C 36767->6969 (19:51:02.205 PDT)
    206.12.16.155 (19:51:02.487 PDT) event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 40079->6881 (19:51:02.487 PDT)
    129.107.35.132 (19:51:02.512 PDT) event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 60824->6881 (19:51:02.512 PDT)
    129.186.205.78 (19:51:02.487 PDT) event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 44603->6881 (19:51:02.487 PDT)
    13.7.64.20 (19:51:02.462 PDT) event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 59791->6881 (19:51:02.462 PDT)
    142.104.21.245 (19:51:02.487 PDT) event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 57051->6881 (19:51:02.487 PDT)
    169.229.50.12 (19:51:02.461 PDT) event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 36585->6881 (19:51:02.461 PDT)
    129.130.252.141 (19:51:02.487 PDT) event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 33127->6881 (19:51:02.487 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    195.128.181.52 (19:52:14.154 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 6881->61086 (19:52:14.154 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1364525462.205 1364525462.206 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================