Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 142.103.2.2, 128.187.223.212, 169.229.50.9 (2), 82.237.158.208, 158.130.6.254, 114.108.82.142, 128.42.142.45, 130.237.43.75 (3), 128.138.207.45, 192.52.240.213, 141.212.113.180, 129.130.252.141, 129.22.150.29, 203.178.133.2
Resource List:
Observed Start: 04/02/2013 05:45:01.038 PDT
Gen. Time: 04/02/2013 05:45:52.025 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info
  142.103.2.2 (05:45:01.713 PDT)
    event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 56587->6881 (05:45:01.713 PDT)
  128.187.223.212 (05:45:01.699 PDT)
    event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 37388->6881 (05:45:01.699 PDT)
  169.229.50.9 (2) (05:45:01.680 PDT)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C 59567->6881 (05:45:01.680 PDT)
    -------------------------
    event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 59567->6881 (05:45:01.680 PDT)
  82.237.158.208 (05:45:01.195 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6881->6890 (05:45:01.195 PDT)
  158.130.6.254 (05:45:01.751 PDT)
    event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 41792->6881 (05:45:01.751 PDT)
  114.108.82.142 (05:45:01.038 PDT)
    event=1:2008581 {udp} E7[info] ET P2P BitTorrent DHT ping request, [] MAC_Src: 00:21:5A:08:BB:0C 6881->50056 (05:45:01.038 PDT)
  128.42.142.45 (05:45:01.729 PDT)
    event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 41434->6881 (05:45:01.729 PDT)
  130.237.43.75 (3) (05:45:01.488 PDT)
    event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C 39553->6969 (05:45:01.488 PDT)
    -------------------------
    event=1:2000369 {tcp} E7[info] ET P2P BitTorrent Announce, [] MAC_Src: 00:21:5A:08:BB:0C 39553->6969 (05:45:01.488 PDT)
    -------------------------
    event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:21:5A:08:BB:0C 39553->6969 (05:45:01.488 PDT)
  128.138.207.45 (05:45:01.734 PDT)
    event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 59275->6881 (05:45:01.734 PDT)
  192.52.240.213 (05:45:01.748 PDT)
    event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 59665->6881 (05:45:01.748 PDT)
  141.212.113.180 (05:45:01.738 PDT)
    event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 48576->6881 (05:45:01.738 PDT)
  129.130.252.141 (05:45:01.730 PDT)
    event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 42495->6881 (05:45:01.730 PDT)
  129.22.150.29 (05:45:01.748 PDT)
    event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 54822->6881 (05:45:01.748 PDT)
  203.178.133.2 (05:45:01.794 PDT)
    event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 48003->6881 (05:45:01.794 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  195.128.181.52 (05:45:52.025 PDT)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 6881->61086 (05:45:52.025 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1364906701.038 1364906701.039 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 128.220.231.4 (2), 194.29.178.14 (3), 142.103.2.2 (4), 108.58.13.205 (2), 147.102.3.113, 193.174.67.186, 147.102.224.227 (2), 66.140.111.5 (2)
Resource List:
Observed Start: 04/02/2013 11:57:05.000 PDT
Gen. Time: 04/02/2013 11:59:51.088 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info
  128.220.231.4 (2) (11:57:29.708 PDT-11:57:40.504 PDT)
    event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2: 6881->43452 (11:57:29.708 PDT-11:57:40.504 PDT)
  194.29.178.14 (3) (11:57:20.957 PDT-11:57:45.154 PDT)
    event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 3: 6882->40769 (11:57:20.957 PDT-11:57:45.154 PDT)
  142.103.2.2 (4) (11:57:11.939 PDT-11:57:47.348 PDT)
    event=1:2000357 (4) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 4: 6882->48401 (11:57:11.939 PDT-11:57:47.348 PDT)
  108.58.13.205 (2) (11:57:05.166 PDT-11:57:15.929 PDT)
    event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2: 6882->33206 (11:57:05.166 PDT-11:57:15.929 PDT)
  147.102.3.113 (11:57:30.595 PDT)
    event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C 6881->55886 (11:57:30.595 PDT)
  193.174.67.186 (11:57:13.557 PDT)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 6881->45715 (11:57:13.557 PDT)
  147.102.224.227 (2) (11:57:26.115 PDT-11:57:33.701 PDT)
    event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2: 6881->40417 (11:57:26.115 PDT-11:57:33.701 PDT)
  66.140.111.5 (2) (11:57:05.000 PDT-11:57:17.548 PDT)
    event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2: 42169->6881 (11:57:05.000 PDT-11:57:17.548 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  195.128.181.52 (11:59:51.088 PDT)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 6882->61086 (11:59:51.088 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1364929025.000 1364929067.349 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 147.83.30.164, 195.130.124.1 (2), 193.190.168.51, 131.227.23.12 (2), 193.167.187.185
Resource List:
Observed Start: 04/02/2013 17:10:55.370 PDT
Gen. Time: 04/02/2013 17:11:12.445 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info
  147.83.30.164 (17:10:58.809 PDT)
    event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C 51088->6881 (17:10:58.809 PDT)
  195.130.124.1 (2) (17:10:55.370 PDT-17:11:07.497 PDT)
    event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2: 6882->49937 (17:10:55.370 PDT-17:11:07.497 PDT)
  193.190.168.51 (17:11:08.471 PDT)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 36121->6881 (17:11:08.471 PDT)
  131.227.23.12 (2) (17:11:00.009 PDT-17:11:05.451 PDT)
    event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2: 6881->55466 (17:11:00.009 PDT-17:11:05.451 PDT)
  193.167.187.185 (17:11:00.360 PDT)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 36062->6881 (17:11:00.360 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  195.128.181.52 (17:11:12.445 PDT)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 6881->61086 (17:11:12.445 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1364947855.370 1364947867.498 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 134.88.5.253, 130.253.21.123, 139.19.142.5 (2), 193.190.168.51 (2), 129.93.229.139 (2), 193.167.187.185, 131.227.23.12 (3), 195.130.124.1 (2), 193.157.115.251 (2), 157.92.44.103, 147.83.30.164 (2)
Resource List:
Observed Start: 04/02/2013 17:10:55.370 PDT
Gen. Time: 04/02/2013 17:14:55.936 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info
  134.88.5.253 (17:11:29.225 PDT)
    event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C 43082->6881 (17:11:29.225 PDT)
  130.253.21.123 (17:11:33.492 PDT)
    event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C 45914->6882 (17:11:33.492 PDT)
  139.19.142.5 (2) (17:11:15.234 PDT-17:11:30.390 PDT)
    event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2: 50377->6881 (17:11:15.234 PDT-17:11:30.390 PDT)
  193.190.168.51 (2) (17:11:08.471 PDT-17:11:19.013 PDT)
    event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2: 36121->6881 (17:11:08.471 PDT-17:11:19.013 PDT)
  129.93.229.139 (2) (17:11:14.785 PDT-17:11:29.941 PDT)
    event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2: 40155->6881 (17:11:14.785 PDT-17:11:29.941 PDT)
  193.167.187.185 (17:11:00.360 PDT)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 36062->6881 (17:11:00.360 PDT)
  131.227.23.12 (3) (17:11:00.009 PDT-17:11:14.119 PDT)
    event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 3: 6881->55466 (17:11:00.009 PDT-17:11:14.119 PDT)
  195.130.124.1 (2) (17:10:55.370 PDT-17:11:07.497 PDT)
    event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2: 6882->49937 (17:10:55.370 PDT-17:11:07.497 PDT)
  193.157.115.251 (2) (17:11:19.462 PDT-17:11:34.704 PDT)
    event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2: 36472->6881 (17:11:19.462 PDT-17:11:34.704 PDT)
  157.92.44.103 (17:11:32.901 PDT)
    event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C 6881->46345 (17:11:32.901 PDT)
  147.83.30.164 (2) (17:10:58.809 PDT)
    event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C 51088->6881 (17:10:58.809 PDT)
    -------------------------
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 51088->6881 (17:11:29.319 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  195.128.181.52 (17:11:12.445 PDT)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 6881->61086 (17:11:12.445 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1364947855.370 1364947894.705 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 128.187.223.212 (2), 200.19.159.34, 128.10.19.52, 146.57.249.98, 129.110.125.52, 130.149.49.137, 165.230.49.119, 165.91.55.8, 130.237.43.75 (2), 128.42.142.44, 141.212.113.180, 134.121.64.4, 66.140.111.5, 198.133.224.147, 129.22.150.29
Resource List:
Observed Start: 04/02/2013 22:47:56.112 PDT
Gen. Time: 04/02/2013 22:50:01.981 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info
  128.187.223.212 (2) (22:48:04.024 PDT)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C 54961->6882 (22:48:04.024 PDT)
    -------------------------
    event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 54961->6882 (22:48:04.024 PDT)
  200.19.159.34 (22:48:00.819 PDT)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 6882->37049 (22:48:00.819 PDT)
  128.10.19.52 (22:47:56.112 PDT)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 6881->60699 (22:47:56.112 PDT)
  146.57.249.98 (22:48:04.070 PDT)
    event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 40344->6881 (22:48:04.070 PDT)
  129.110.125.52 (22:48:04.070 PDT)
    event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 55795->6881 (22:48:04.070 PDT)
  130.149.49.137 (22:47:58.703 PDT)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 6881->37873 (22:47:58.703 PDT)
  165.230.49.119 (22:48:04.078 PDT)
    event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 40610->6881 (22:48:04.078 PDT)
  165.91.55.8 (22:48:04.055 PDT)
    event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 34251->6881 (22:48:04.055 PDT)
  130.237.43.75 (2) (22:48:03.808 PDT)
    event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C 58699->6969 (22:48:03.808 PDT)
    -------------------------
    event=1:2000369 {tcp} E7[info] ET P2P BitTorrent Announce, [] MAC_Src: 00:21:5A:08:BB:0C 58699->6969 (22:48:03.808 PDT)
  128.42.142.44 (22:48:04.064 PDT)
    event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 54631->6881 (22:48:04.064 PDT)
  141.212.113.180 (22:48:04.061 PDT)
    event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 47043->6882 (22:48:04.061 PDT)
  134.121.64.4 (22:48:04.051 PDT)
    event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 37208->6881 (22:48:04.051 PDT)
  66.140.111.5 (22:48:04.060 PDT)
    event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 54476->6881 (22:48:04.060 PDT)
  198.133.224.147 (22:48:04.071 PDT)
    event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 46984->6881 (22:48:04.071 PDT)
  129.22.150.29 (22:48:04.076 PDT)
    event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 43038->6882 (22:48:04.076 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  195.128.181.52 (22:50:01.981 PDT)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 6882->61086 (22:50:01.981 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1364968076.112 1364968076.113 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================