Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 203.110.240.190 (3), 88.168.217.84, 128.10.19.52, 66.140.111.7, 169.229.50.14, 130.237.43.75 (4), 156.17.10.52, 130.83.166.245, 141.20.103.210, 216.48.80.14 (3)
Resource List:
Observed Start: 04/03/2013 03:30:55.820 PDT
Gen. Time: 04/03/2013 03:32:21.122 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info 203.110.240.190 (3) (03:30:55.820 PDT-03:31:19.050 PDT)
      event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
         3: 6881->44692 (03:30:55.820 PDT-03:31:19.050 PDT)
   88.168.217.84 (03:31:59.258 PDT)
      event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
         6881->44474 (03:31:59.258 PDT)
   128.10.19.52 (03:31:20.691 PDT)
      event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
         6881->55243 (03:31:20.691 PDT)
   66.140.111.7 (03:31:16.351 PDT)
      event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
         36932->6881 (03:31:16.351 PDT)
   169.229.50.14 (03:32:00.221 PDT)
      event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C
         33592->6881 (03:32:00.221 PDT)
   130.237.43.75 (4) (03:31:40.640 PDT)
      event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C
         37472->6969 (03:31:40.640 PDT)
      -------------------------
      event=1:2000369 (2) {tcp} E7[info] ET P2P BitTorrent Announce, [] MAC_Src: 00:21:5A:08:BB:0C
         37494->6969 (03:31:59.986 PDT)
         37472->6969 (03:31:40.640 PDT)
      -------------------------
      event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:21:5A:08:BB:0C
         37494->6969 (03:31:59.986 PDT)
   156.17.10.52 (03:31:09.939 PDT)
      event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
         51925->6881 (03:31:09.939 PDT)
   130.83.166.245 (03:31:27.297 PDT)
      event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
         6881->37901 (03:31:27.297 PDT)
   141.20.103.210 (03:31:27.809 PDT)
      event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
         6881->51614 (03:31:27.809 PDT)
   216.48.80.14 (3) (03:30:57.032 PDT-03:31:20.480 PDT)
      event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
         3: 6881->49853 (03:30:57.032 PDT-03:31:20.480 PDT)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port 195.128.181.52 (03:32:21.122 PDT)
      event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
         6881->61086 (03:32:21.122 PDT)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1364985055.820 1364985080.481 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 186.34.93.242, 155.98.35.7 (3), 139.19.158.233 (2), 134.121.64.7
Resource List:
Observed Start: 04/03/2013 18:33:12.468 PDT
Gen. Time: 04/03/2013 18:33:39.224 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info 186.34.93.242 (18:33:29.383 PDT)
      event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
         6881->27947 (18:33:29.383 PDT)
   155.98.35.7 (3) (18:33:12.468 PDT-18:33:36.244 PDT)
      event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
         3: 59908->6881 (18:33:12.468 PDT-18:33:36.244 PDT)
   139.19.158.233 (2) (18:33:16.458 PDT-18:33:27.221 PDT)
      event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
         2: 6881->47921 (18:33:16.458 PDT-18:33:27.221 PDT)
   134.121.64.7 (18:33:29.916 PDT)
      event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
         35816->6881 (18:33:29.916 PDT)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port 195.128.181.52 (18:33:39.224 PDT)
      event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
         6881->61086 (18:33:39.224 PDT)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1365039192.468 1365039216.245 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 128.42.142.41, 129.237.161.193, 142.103.2.1, 132.239.17.224, 128.111.52.64 (2), 139.19.158.233 (2), 134.121.64.7 (2), 155.98.35.7 (3), 208.77.77.197, 130.237.43.75 (4), 186.34.93.242, 132.239.17.226
Resource List:
Observed Start: 04/03/2013 18:33:12.468 PDT
Gen. Time: 04/03/2013 18:37:05.439 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info 128.42.142.41 (18:34:09.604 PDT)
      event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
         53948->6881 (18:34:09.604 PDT)
   129.237.161.193 (18:33:49.285 PDT)
      event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
         44556->6881 (18:33:49.285 PDT)
   142.103.2.1 (18:34:09.579 PDT)
      event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
         55108->6881 (18:34:09.579 PDT)
   132.239.17.224 (18:34:09.579 PDT)
      event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
         59715->6881 (18:34:09.579 PDT)
   128.111.52.64 (2) (18:34:09.554 PDT)
      event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C
         40155->6881 (18:34:09.554 PDT)
      -------------------------
      event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
         40155->6881 (18:34:09.554 PDT)
   139.19.158.233 (2) (18:33:16.458 PDT-18:33:27.221 PDT)
      event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
         2: 6881->47921 (18:33:16.458 PDT-18:33:27.221 PDT)
   134.121.64.7 (2) (18:33:29.916 PDT-18:33:44.759 PDT)
      event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
         2: 35816->6881 (18:33:29.916 PDT-18:33:44.759 PDT)
   155.98.35.7 (3) (18:33:12.468 PDT-18:33:36.244 PDT)
      event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
         3: 59908->6881 (18:33:12.468 PDT-18:33:36.244 PDT)
   208.77.77.197 (18:34:09.579 PDT)
      event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
         42593->6881 (18:34:09.579 PDT)
   130.237.43.75 (4) (18:33:52.049 PDT)
      event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C
         42191->6969 (18:33:52.049 PDT)
      -------------------------
      event=1:2000369 (2) {tcp} E7[info] ET P2P BitTorrent Announce, [] MAC_Src: 00:21:5A:08:BB:0C
         42218->6969 (18:34:09.336 PDT)
         42191->6969 (18:33:52.049 PDT)
      -------------------------
      event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:21:5A:08:BB:0C
         42218->6969 (18:34:09.336 PDT)
   186.34.93.242 (18:33:29.383 PDT)
      event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
         6881->27947 (18:33:29.383 PDT)
   132.239.17.226 (18:34:09.579 PDT)
      event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
         32820->6881 (18:34:09.579 PDT)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port 195.128.181.52 (18:33:39.224 PDT)
      event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
         6881->61086 (18:33:39.224 PDT)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1365039192.468 1365039224.760 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 128.187.223.211 (3), 132.239.17.224, 194.42.17.124 (2), 222.99.146.83, 72.36.112.78 (3), 128.59.20.228 (2), 204.123.28.56 (3), 128.36.233.154, 66.140.111.5
Resource List:
Observed Start: 04/03/2013 19:29:01.823 PDT
Gen. Time: 04/03/2013 19:32:31.459 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info 128.187.223.211 (3) (19:29:12.155 PDT-19:29:32.821 PDT)
      event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
         3: 6882->49555 (19:29:12.155 PDT-19:29:32.821 PDT)
   132.239.17.224 (19:29:41.492 PDT)
      event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
         6881->45013 (19:29:41.492 PDT)
   194.42.17.124 (2) (19:29:27.033 PDT-19:29:38.862 PDT)
      event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
         2: 40394->6881 (19:29:27.033 PDT-19:29:38.862 PDT)
   222.99.146.83 (19:29:04.458 PDT)
      event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
         6881->6881 (19:29:04.458 PDT)
   72.36.112.78 (3) (19:29:06.446 PDT-19:29:32.437 PDT)
      event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
         3: 6881->50803 (19:29:06.446 PDT-19:29:32.437 PDT)
   128.59.20.228 (2) (19:29:01.823 PDT-19:29:15.334 PDT)
      event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
         2: 6882->39723 (19:29:01.823 PDT-19:29:15.334 PDT)
   204.123.28.56 (3) (19:29:10.886 PDT-19:29:37.278 PDT)
      event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
         3: 6881->51316 (19:29:10.886 PDT-19:29:37.278 PDT)
   128.36.233.154 (19:29:08.839 PDT)
      event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
         6881->59494 (19:29:08.839 PDT)
   66.140.111.5 (19:29:42.751 PDT)
      event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
         6882->37621 (19:29:42.751 PDT)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port 195.128.181.52 (19:32:31.459 PDT)
      event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
         6881->61086 (19:32:31.459 PDT)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1365042541.823 1365042578.863 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 128.187.223.212, 128.84.154.40 (2), 129.10.120.193, 130.253.21.121, 129.22.150.78, 66.140.111.7, 184.172.169.226, 130.237.43.75 (5), 206.12.16.155 (2), 208.77.77.195, 193.10.64.36
Resource List:
Observed Start: 04/03/2013 21:20:57.006 PDT
Gen. Time: 04/03/2013 21:22:29.010 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info 128.187.223.212 (21:21:42.110 PDT)
      event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
         49496->6881 (21:21:42.110 PDT)
   128.84.154.40 (2) (21:20:58.911 PDT-21:21:14.324 PDT)
      event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
         2: 6882->51458 (21:20:58.911 PDT-21:21:14.324 PDT)
   129.10.120.193 (21:20:57.006 PDT)
      event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
         6882->46074 (21:20:57.006 PDT)
   130.253.21.121 (21:21:42.110 PDT)
      event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
         45985->6881 (21:21:42.110 PDT)
   129.22.150.78 (21:21:42.182 PDT)
      event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
         46542->6881 (21:21:42.182 PDT)
   66.140.111.7 (21:21:42.182 PDT)
      event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
         46048->6881 (21:21:42.182 PDT)
   184.172.169.226 (21:21:37.710 PDT)
      event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
         6881->15038 (21:21:37.710 PDT)
   130.237.43.75 (5) (21:21:02.073 PDT)
      event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C
         60614->6969 (21:21:02.073 PDT)
      -------------------------
      event=1:2000369 (3) {tcp} E7[info] ET P2P BitTorrent Announce, [] MAC_Src: 00:21:5A:08:BB:0C
         60614->6969 (21:21:02.073 PDT)
         60645->6969 (21:21:41.487 PDT)
         60624->6969 (21:21:16.451 PDT)
      -------------------------
      event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:21:5A:08:BB:0C
         60645->6969 (21:21:41.487 PDT)
   206.12.16.155 (2) (21:21:42.085 PDT)
      event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C
         54746->6882 (21:21:42.085 PDT)
      -------------------------
      event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
         54746->6882 (21:21:42.085 PDT)
   208.77.77.195 (21:21:42.182 PDT)
      event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
         39784->6882 (21:21:42.182 PDT)
   193.10.64.36 (21:21:02.475 PDT)
      event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
         6882->58611 (21:21:02.475 PDT)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port 195.128.181.52 (21:22:29.010 PDT)
      event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
         6881->61086 (21:22:29.010 PDT)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1365049257.006 1365049274.325 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'
============================== SEPARATOR ================================