Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 134.88.5.253, 128.8.126.111, 132.239.17.225 (2), 134.121.64.7, 204.123.28.57, 66.140.111.7, 130.237.43.75 (2), 113.160.56.190, 130.206.158.138, 169.229.50.3 (5), 132.239.17.226
Resource List:
Observed Start: 03/28/2013 00:30:44.824 PDT
Gen. Time: 03/28/2013 00:33:56.322 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
      134.88.5.253 (00:31:17.562 PDT)
         event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:EC:40 57660->6881 (00:31:17.562 PDT)
      128.8.126.111 (00:31:17.657 PDT)
         event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:EC:40 51536->6881 (00:31:17.657 PDT)
      132.239.17.225 (2) (00:31:17.562 PDT)
         event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:EC:40 39367->6881 (00:31:17.562 PDT)
         -------------------------
         event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:EC:40 39367->6881 (00:31:17.562 PDT)
      134.121.64.7 (00:31:17.562 PDT)
         event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:EC:40 54359->6881 (00:31:17.562 PDT)
      204.123.28.57 (00:31:17.562 PDT)
         event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:EC:40 35286->6881 (00:31:17.562 PDT)
      66.140.111.7 (00:31:17.562 PDT)
         event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:EC:40 57615->6881 (00:31:17.562 PDT)
      130.237.43.75 (2) (00:31:17.197 PDT)
         event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:EC:40 56989->6969 (00:31:17.197 PDT)
         -------------------------
         event=1:2000369 {tcp} E7[info] ET P2P BitTorrent Announce, [] MAC_Src: 00:21:5A:08:EC:40 56989->6969 (00:31:17.197 PDT)
      113.160.56.190 (00:31:09.466 PDT)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:EC:40 6881->44393 (00:31:09.466 PDT)
      130.206.158.138 (00:31:02.591 PDT)
         event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:EC:40 6881->51884 (00:31:02.591 PDT)
      169.229.50.3 (5) (00:30:44.824 PDT-00:31:03.672 PDT)
         event=1:2000357 (4) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:EC:40 4: 6881->48894 (00:30:44.824 PDT-00:31:03.672 PDT)
         -------------------------
         event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:EC:40 42930->6881 (00:31:17.562 PDT)
      132.239.17.226 (00:31:17.562 PDT)
         event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:EC:40 37399->6881 (00:31:17.562 PDT)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
      88.198.213.163 (00:33:56.322 PDT)
         event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 6881->6881 (00:33:56.322 PDT)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1364455844.824 1364455863.673 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================