Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 204.85.191.10 (4), 202.189.126.85, 128.138.207.54 (4), 204.123.28.55 (4), 193.137.173.218 (4)
Resource List:
Observed Start: 04/04/2013 17:59:49.249 PDT
Gen. Time: 04/04/2013 18:03:32.211 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION Info
204.85.191.10 (4) (17:59:55.124 PDT-18:00:17.188 PDT)
  event=1:2000357 (4) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  4: 6882->35147 (17:59:55.124 PDT-18:00:17.188 PDT)
202.189.126.85 (18:00:20.283 PDT)
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  43853->6881 (18:00:20.283 PDT)
128.138.207.54 (4) (17:59:49.249 PDT-18:00:23.158 PDT)
  event=1:2000357 (4) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  4: 6882->55678 (17:59:49.249 PDT-18:00:23.158 PDT)
204.123.28.55 (4) (17:59:52.880 PDT-18:00:26.020 PDT)
  event=1:2000357 (4) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  4: 6881->39191 (17:59:52.880 PDT-18:00:26.020 PDT)
193.137.173.218 (4) (17:59:50.427 PDT-18:00:23.267 PDT)
  event=1:2000357 (4) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  4: 6881->52278 (17:59:50.427 PDT-18:00:23.267 PDT)

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port
195.128.181.52 (18:03:32.211 PDT)
  event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
  6881->61086 (18:03:32.211 PDT)

DECLARE BOT

OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1365123589.249 1365123626.021 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 129.15.78.31, 132.239.17.225, 216.48.80.12, 136.159.220.40, 165.91.55.10, 142.150.238.12, 66.140.111.7, 192.138.213.236, 198.133.224.149, 130.237.43.75 (2), 128.84.154.44, 208.77.77.196, 208.77.77.195, 128.252.19.18, 128.223.8.112 (2)
Resource List:
Observed Start: 04/04/2013 18:11:59.501 PDT
Gen. Time: 04/04/2013 18:13:48.481 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION Info
129.15.78.31 (18:11:59.790 PDT)
  event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
  57540->6881 (18:11:59.790 PDT)
132.239.17.225 (18:11:59.764 PDT)
  event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
  39047->6881 (18:11:59.764 PDT)
216.48.80.12 (18:11:59.839 PDT)
  event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
  48194->6882 (18:11:59.839 PDT)
136.159.220.40 (18:11:59.764 PDT)
  event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
  41295->6881 (18:11:59.764 PDT)
165.91.55.10 (18:11:59.790 PDT)
  event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
  36252->6881 (18:11:59.790 PDT)
142.150.238.12 (18:11:59.839 PDT)
  event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
  40780->6881 (18:11:59.839 PDT)
66.140.111.7 (18:11:59.790 PDT)
  event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
  49520->6881 (18:11:59.790 PDT)
192.138.213.236 (18:11:59.814 PDT)
  event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
  36590->6881 (18:11:59.814 PDT)
198.133.224.149 (18:11:59.814 PDT)
  event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
  39286->6882 (18:11:59.814 PDT)
130.237.43.75 (2) (18:11:59.501 PDT)
  event=1:2000369 {tcp} E7[info] ET P2P BitTorrent Announce, [] MAC_Src: 00:21:5A:08:BB:0C
  40994->6969 (18:11:59.501 PDT)
  -------------------------
  event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:21:5A:08:BB:0C
  40994->6969 (18:11:59.501 PDT)
128.84.154.44 (18:11:59.814 PDT)
  event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
  39870->6881 (18:11:59.814 PDT)
208.77.77.196 (18:11:59.764 PDT)
  event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
  60206->6881 (18:11:59.764 PDT)
208.77.77.195 (18:11:59.764 PDT)
  event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
  60069->6881 (18:11:59.764 PDT)
128.252.19.18 (18:11:59.790 PDT)
  event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
  39973->6881 (18:11:59.790 PDT)
128.223.8.112 (2) (18:11:59.764 PDT)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C
  58606->6881 (18:11:59.764 PDT)
  -------------------------
  event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
  58606->6881 (18:11:59.764 PDT)

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port
195.128.181.52 (18:13:48.481 PDT)
  event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
  6881->61086 (18:13:48.481 PDT)

DECLARE BOT

OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1365124319.501 1365124319.502 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'
============================== SEPARATOR ================================