Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 145.99.179.147, 130.79.48.57, 169.226.40.4, 117.24.114.37, 192.33.90.69 (2), 143.205.172.12, 82.179.176.44, 195.113.161.14 (3), 192.1.249.138, 72.36.112.74 (3), 193.166.167.4, 203.178.133.2
Resource List:
Observed Start: 03/29/2013 03:26:55.587 PDT
Gen. Time: 03/29/2013 03:28:11.280 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   Info
      145.99.179.147 (03:27:24.945 PDT)
         event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C 45799->6882 (03:27:24.945 PDT)
      130.79.48.57 (03:27:44.315 PDT)
         event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C 6881->54255 (03:27:44.315 PDT)
      169.226.40.4 (03:27:52.019 PDT)
         event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C 40489->6881 (03:27:52.019 PDT)
      117.24.114.37 (03:27:38.059 PDT)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6881->16001 (03:27:38.059 PDT)
      192.33.90.69 (2) (03:26:55.587 PDT-03:27:04.998 PDT)
         event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2: 56446->6881 (03:26:55.587 PDT-03:27:04.998 PDT)
      143.205.172.12 (03:27:19.003 PDT)
         event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 38145->6881 (03:27:19.003 PDT)
      82.179.176.44 (03:27:16.249 PDT)
         event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 6881->51787 (03:27:16.249 PDT)
      195.113.161.14 (3) (03:26:56.485 PDT-03:27:07.302 PDT)
         event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C 6881->50209 (03:27:31.486 PDT)
         -------------------------
         event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2: 6881->50209 (03:26:56.485 PDT-03:27:07.302 PDT)
      192.1.249.138 (03:27:29.438 PDT)
         event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 41964->6881 (03:27:29.438 PDT)
      72.36.112.74 (3) (03:27:17.655 PDT-03:27:34.289 PDT)
         event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C 56634->6881 (03:27:47.817 PDT)
         -------------------------
         event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2: 56634->6881 (03:27:17.655 PDT-03:27:34.289 PDT)
      193.166.167.4 (03:27:29.177 PDT)
         event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C 60360->6905 (03:27:29.177 PDT)
      203.178.133.2 (03:27:38.834 PDT)
         event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 44763->6881 (03:27:38.834 PDT)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
      195.128.181.52 (03:28:11.280 PDT)
         event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 6881->61086 (03:28:11.280 PDT)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1364552815.587 1364552854.290 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 142.103.2.2, 128.187.223.212, 137.165.1.114, 169.229.50.9 (2), 128.42.142.45, 143.215.131.199, 130.237.43.75 (3), 128.138.207.45, 192.52.240.213, 141.212.113.180, 129.130.252.141, 129.22.150.29, 79.131.116.137, 203.178.133.2
Resource List:
Observed Start: 03/29/2013 08:33:08.465 PDT
Gen. Time: 03/29/2013 08:34:40.761 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   Info
      142.103.2.2 (08:33:09.987 PDT)
         event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 41726->6881 (08:33:09.987 PDT)
      128.187.223.212 (08:33:09.987 PDT)
         event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 47980->6881 (08:33:09.987 PDT)
      137.165.1.114 (08:33:10.013 PDT)
         event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 56203->6881 (08:33:10.013 PDT)
      169.229.50.9 (2) (08:33:09.936 PDT)
         event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C 42326->6881 (08:33:09.936 PDT)
         -------------------------
         event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 42326->6881 (08:33:09.936 PDT)
      128.42.142.45 (08:33:09.987 PDT)
         event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 51131->6881 (08:33:09.987 PDT)
      143.215.131.199 (08:33:09.987 PDT)
         event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 40776->6881 (08:33:09.987 PDT)
      130.237.43.75 (3) (08:33:09.587 PDT)
         event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C 46333->6969 (08:33:09.587 PDT)
         -------------------------
         event=1:2000369 {tcp} E7[info] ET P2P BitTorrent Announce, [] MAC_Src: 00:21:5A:08:BB:0C 46333->6969 (08:33:09.587 PDT)
         -------------------------
         event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:21:5A:08:BB:0C 46333->6969 (08:33:09.587 PDT)
      128.138.207.45 (08:33:09.987 PDT)
         event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 37960->6881 (08:33:09.987 PDT)
      192.52.240.213 (08:33:10.013 PDT)
         event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 35310->6881 (08:33:10.013 PDT)
      141.212.113.180 (08:33:10.013 PDT)
         event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 60076->6881 (08:33:10.013 PDT)
      129.130.252.141 (08:33:09.962 PDT)
         event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 49002->6881 (08:33:09.962 PDT)
      129.22.150.29 (08:33:09.987 PDT)
         event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 48820->6881 (08:33:09.987 PDT)
      79.131.116.137 (08:33:08.465 PDT)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6881->29055 (08:33:08.465 PDT)
      203.178.133.2 (08:33:10.013 PDT)
         event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 38719->6881 (08:33:10.013 PDT)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
      195.128.181.52 (08:34:40.761 PDT)
         event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 6881->61086 (08:34:40.761 PDT)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1364571188.465 1364571188.466 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 128.111.52.58, 169.229.50.10 (2), 142.103.2.2, 128.187.223.211, 216.48.80.12, 193.1.13.14, 169.229.50.7, 138.4.0.120, 128.42.142.45, 130.237.43.75 (2), 128.138.207.45, 129.130.252.141, 75.130.96.13 (2), 192.1.249.137
Resource List:
Observed Start: 03/29/2013 08:48:52.343 PDT
Gen. Time: 03/29/2013 08:51:28.204 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   Info
      128.111.52.58 (08:48:57.678 PDT)
         event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C 6881->42695 (08:48:57.678 PDT)
      169.229.50.10 (2) (08:49:30.702 PDT)
         event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C 59364->6881 (08:49:30.702 PDT)
         -------------------------
         event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 59364->6881 (08:49:30.702 PDT)
      142.103.2.2 (08:49:30.726 PDT)
         event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 58974->6881 (08:49:30.726 PDT)
      128.187.223.211 (08:49:30.727 PDT)
         event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 46007->6881 (08:49:30.727 PDT)
      216.48.80.12 (08:49:18.544 PDT)
         event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C 43405->6881 (08:49:18.544 PDT)
      193.1.13.14 (08:48:52.343 PDT)
         event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 33270->6881 (08:48:52.343 PDT)
      169.229.50.7 (08:49:30.703 PDT)
         event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 46405->6881 (08:49:30.703 PDT)
      138.4.0.120 (08:48:53.630 PDT)
         event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 49068->6881 (08:48:53.630 PDT)
      128.42.142.45 (08:49:30.772 PDT)
         event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 40316->6881 (08:49:30.772 PDT)
      130.237.43.75 (2) (08:49:30.486 PDT)
         event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C 44296->6969 (08:49:30.486 PDT)
         -------------------------
         event=1:2000369 {tcp} E7[info] ET P2P BitTorrent Announce, [] MAC_Src: 00:21:5A:08:BB:0C 44296->6969 (08:49:30.486 PDT)
      128.138.207.45 (08:49:30.772 PDT)
         event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 35867->6881 (08:49:30.772 PDT)
      129.130.252.141 (08:49:30.747 PDT)
         event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 40716->6881 (08:49:30.747 PDT)
      75.130.96.13 (2) (08:49:14.196 PDT-08:49:19.499 PDT)
         event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2: 6881->59908 (08:49:14.196 PDT-08:49:19.499 PDT)
      192.1.249.137 (08:49:29.442 PDT)
         event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 57352->6881 (08:49:29.442 PDT)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
      195.128.181.52 (08:51:28.204 PDT)
         event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 6881->61086 (08:51:28.204 PDT)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1364572132.343 1364572159.500 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 128.36.233.153, 192.1.249.138 (5), 200.10.150.252 (3), 193.10.64.35, 141.20.103.211 (6), 132.187.230.2
Resource List:
Observed Start: 03/29/2013 09:20:45.497 PDT
Gen. Time: 03/29/2013 09:23:22.300 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   Info
      128.36.233.153 (09:20:45.497 PDT)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6881->6881 (09:20:45.497 PDT)
      192.1.249.138 (5) (09:20:51.107 PDT-09:21:34.197 PDT)
         event=1:2000357 (5) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 5: 6881->50547 (09:20:51.107 PDT-09:21:34.197 PDT)
      200.10.150.252 (3) (09:21:35.995 PDT-09:22:02.070 PDT)
         event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 3: 6881->43509 (09:21:35.995 PDT-09:22:02.070 PDT)
      193.10.64.35 (09:20:55.126 PDT)
         event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 58552->6881 (09:20:55.126 PDT)
      141.20.103.211 (6) (09:21:05.859 PDT-09:22:04.484 PDT)
         event=1:2000357 (6) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 6: 6881->46783 (09:21:05.859 PDT-09:22:04.484 PDT)
      132.187.230.2 (09:21:59.470 PDT)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6881->6881 (09:21:59.470 PDT)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
      195.128.181.52 (09:23:22.300 PDT)
         event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 6881->61086 (09:23:22.300 PDT)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1364574045.497 1364574124.485 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 198.133.224.149 (2), 135.109.221.104, 130.237.43.75 (2), 128.84.154.44, 37.140.99.204
Resource List:
Observed Start: 03/29/2013 10:28:56.701 PDT
Gen. Time: 03/29/2013 10:29:24.416 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   Info
      198.133.224.149 (2) (10:28:56.701 PDT-10:29:08.811 PDT)
         event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2: 6881->40930 (10:28:56.701 PDT-10:29:08.811 PDT)
      135.109.221.104 (10:29:02.488 PDT)
         event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 6881->45862 (10:29:02.488 PDT)
      130.237.43.75 (2) (10:29:12.131 PDT)
         event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C 58349->6969 (10:29:12.131 PDT)
         -------------------------
         event=1:2000369 {tcp} E7[info] ET P2P BitTorrent Announce, [] MAC_Src: 00:21:5A:08:BB:0C 58349->6969 (10:29:12.131 PDT)
      128.84.154.44 (10:29:05.633 PDT)
         event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 6881->53967 (10:29:05.633 PDT)
      37.140.99.204 (10:29:24.327 PDT)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6881->6881 (10:29:24.327 PDT)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
      195.128.181.52 (10:29:24.416 PDT)
         event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 6881->61086 (10:29:24.416 PDT)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1364578136.701 1364578148.812 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 37.140.99.204, 132.239.17.225 (2), 128.84.154.40, 135.109.221.104, 128.6.192.158, 13.7.64.22, 204.123.28.57, 66.140.111.7, 130.237.43.75 (4), 198.133.224.149 (2), 170.140.119.70, 128.84.154.44, 169.229.50.12
Resource List:
Observed Start: 03/29/2013 10:28:56.701 PDT
Gen. Time: 03/29/2013 10:32:56.741 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   Info
      37.140.99.204 (10:29:24.327 PDT)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6881->6881 (10:29:24.327 PDT)
      132.239.17.225 (2) (10:29:25.631 PDT)
         event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C 41891->6881 (10:29:25.631 PDT)
         -------------------------
         event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 41891->6881 (10:29:25.631 PDT)
      128.84.154.40 (10:29:25.769 PDT)
         event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 34884->6881 (10:29:25.769 PDT)
      135.109.221.104 (10:29:02.488 PDT)
         event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 6881->45862 (10:29:02.488 PDT)
      128.6.192.158 (10:29:25.769 PDT)
         event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 55494->6881 (10:29:25.769 PDT)
      13.7.64.22 (10:29:25.709 PDT)
         event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 39696->6881 (10:29:25.709 PDT)
      204.123.28.57 (10:29:25.769 PDT)
         event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 36122->6881 (10:29:25.769 PDT)
      66.140.111.7 (10:29:25.709 PDT)
         event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 33698->6881 (10:29:25.709 PDT)
      130.237.43.75 (4) (10:29:12.131 PDT)
         event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C 58349->6969 (10:29:12.131 PDT)
         -------------------------
         event=1:2000369 (2) {tcp} E7[info] ET P2P BitTorrent Announce, [] MAC_Src: 00:21:5A:08:BB:0C 58349->6969 (10:29:12.131 PDT) 58388->6969 (10:29:25.026 PDT)
         -------------------------
         event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:21:5A:08:BB:0C 58388->6969 (10:29:25.026 PDT)
      198.133.224.149 (2) (10:28:56.701 PDT-10:29:08.811 PDT)
         event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2: 6881->40930 (10:28:56.701 PDT-10:29:08.811 PDT)
      170.140.119.70 (10:29:25.709 PDT)
         event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 38506->6881 (10:29:25.709 PDT)
      128.84.154.44 (10:29:05.633 PDT)
         event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 6881->53967 (10:29:05.633 PDT)
      169.229.50.12 (10:29:25.709 PDT)
         event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 60237->6881 (10:29:25.709 PDT)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
      195.128.181.52 (10:29:24.416 PDT)
         event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 6881->61086 (10:29:24.416 PDT)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1364578136.701 1364578148.812 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 136.159.220.40, 128.187.223.211 (2), 163.117.253.23 (2), 165.91.55.9, 192.52.240.214, 130.237.43.75 (3), 128.2.211.113, 128.223.8.114, 193.63.75.18, 208.77.77.195, 128.111.52.59, 123.202.36.173, 169.229.50.3
Resource List:
Observed Start: 03/29/2013 12:40:54.170 PDT
Gen. Time: 03/29/2013 12:42:11.515 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   Info
      136.159.220.40 (12:41:12.268 PDT)
         event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 54728->6881 (12:41:12.268 PDT)
      128.187.223.211 (2) (12:41:12.186 PDT)
         event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C 33008->6881 (12:41:12.186 PDT)
         -------------------------
         event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 33008->6881 (12:41:12.186 PDT)
      163.117.253.23 (2) (12:40:54.170 PDT-12:41:07.257 PDT)
         event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2: 6881->40350 (12:40:54.170 PDT-12:41:07.257 PDT)
      165.91.55.9 (12:41:12.211 PDT)
         event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 41699->6881 (12:41:12.211 PDT)
      192.52.240.214 (12:41:12.211 PDT)
         event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 32861->6882 (12:41:12.211 PDT)
      130.237.43.75 (3) (12:41:11.669 PDT)
         event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C 42854->6969 (12:41:11.669 PDT)
         -------------------------
         event=1:2000369 {tcp} E7[info] ET P2P BitTorrent Announce, [] MAC_Src: 00:21:5A:08:BB:0C 42854->6969 (12:41:11.669 PDT)
         -------------------------
         event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:21:5A:08:BB:0C 42854->6969 (12:41:11.669 PDT)
      128.2.211.113 (12:41:12.211 PDT)
         event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 53021->6881 (12:41:12.211 PDT)
      128.223.8.114 (12:41:12.211 PDT)
         event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 44277->6881 (12:41:12.211 PDT)
      193.63.75.18 (12:40:59.594 PDT)
         event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 6881->45373 (12:40:59.594 PDT)
      208.77.77.195 (12:41:12.236 PDT)
         event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 57615->6881 (12:41:12.236 PDT)
      128.111.52.59 (12:41:12.211 PDT)
         event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 43990->6881 (12:41:12.211 PDT)
      123.202.36.173 (12:40:57.688 PDT)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6881->13239 (12:40:57.688 PDT)
      169.229.50.3 (12:41:12.211 PDT)
         event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 37920->6881 (12:41:12.211 PDT)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
      195.128.181.52 (12:42:11.515 PDT)
         event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 6881->61086 (12:42:11.515 PDT)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1364586054.170 1364586067.258 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 128.233.252.11 (2), 193.157.115.251 (3), 193.191.148.227 (3), 128.143.6.134 (5), 94.93.82.149 (3), 82.179.176.44
Resource List:
Observed Start: 03/29/2013 19:10:54.770 PDT
Gen. Time: 03/29/2013 19:12:34.584 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   Info
      128.233.252.11 (2) (19:11:26.668 PDT-19:11:37.444 PDT)
         event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2: 6881->58835 (19:11:26.668 PDT-19:11:37.444 PDT)
      193.157.115.251 (3) (19:11:05.085 PDT-19:11:27.118 PDT)
         event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 3: 53612->6881 (19:11:05.085 PDT-19:11:27.118 PDT)
      193.191.148.227 (3) (19:10:54.770 PDT-19:11:16.438 PDT)
         event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 3: 6881->33786 (19:10:54.770 PDT-19:11:16.438 PDT)
      128.143.6.134 (5) (19:11:01.702 PDT-19:11:33.883 PDT)
         event=1:2000357 (5) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 5: 6882->39191 (19:11:01.702 PDT-19:11:33.883 PDT)
      94.93.82.149 (3) (19:11:08.836 PDT-19:11:30.426 PDT)
         event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 3: 6882->44199 (19:11:08.836 PDT-19:11:30.426 PDT)
      82.179.176.44 (19:10:57.625 PDT)
         event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 6882->41913 (19:10:57.625 PDT)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
      195.128.181.52 (19:12:34.584 PDT)
         event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 6881->61086 (19:12:34.584 PDT)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1364609454.770 1364609497.445 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================