Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 193.0.109.25 (2), 128.84.154.41 (2)
Resource List:
Observed Start: 04/08/2013 16:33:16.798 PDT
Gen. Time: 04/08/2013 16:33:36.335 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION
Info 193.0.109.25 (2) (16:33:24.030 PDT-16:33:34.794 PDT)
 event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
 2: 6881->35712 (16:33:24.030 PDT-16:33:34.794 PDT)
128.84.154.41 (2) (16:33:16.798 PDT-16:33:27.122 PDT)
 event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
 2: 6881->38584 (16:33:16.798 PDT-16:33:27.122 PDT)

PEER COORDINATION

DECLARE BOT
Standard Port

DECLARE BOT
Non-standard Port 195.128.181.52 (16:33:36.335 PDT)
 event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
 6882->61086 (16:33:36.335 PDT)

DECLARE BOT
Local Threat Triggered

DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1365463996.798 1365464014.795 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 128.84.154.41 (2), 128.42.142.41, 131.254.208.13, 129.15.78.30, 169.229.50.9, 139.19.158.231, 193.0.109.25 (2), 130.237.43.75 (2), 138.251.214.77, 142.104.21.245, 204.123.28.55 (2), 203.178.133.11, 128.42.142.42, 193.191.148.227, 132.239.17.226
Resource List:
Observed Start: 04/08/2013 16:33:16.798 PDT
Gen. Time: 04/08/2013 16:37:17.035 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION
Info 128.84.154.41 (2) (16:33:16.798 PDT-16:33:27.122 PDT)
 event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
 2: 6881->38584 (16:33:16.798 PDT-16:33:27.122 PDT)
128.42.142.41 (16:33:37.174 PDT)
 event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
 38996->6881 (16:33:37.174 PDT)
131.254.208.13 (16:33:37.416 PDT)
 event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
 48192->6881 (16:33:37.416 PDT)
129.15.78.30 (16:33:37.175 PDT)
 event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
 59029->6881 (16:33:37.175 PDT)
169.229.50.9 (16:33:37.149 PDT)
 event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
 48549->6882 (16:33:37.149 PDT)
139.19.158.231 (16:33:37.416 PDT)
 event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
 54798->6881 (16:33:37.416 PDT)
193.0.109.25 (2) (16:33:24.030 PDT-16:33:34.794 PDT)
 event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
 2: 6881->35712 (16:33:24.030 PDT-16:33:34.794 PDT)
130.237.43.75 (2) (16:33:36.931 PDT)
 event=1:2000369 {tcp} E7[info] ET P2P BitTorrent Announce, [] MAC_Src: 00:21:5A:08:BB:0C
 41763->6969 (16:33:36.931 PDT)
 -------------------------
 event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:21:5A:08:BB:0C
 41763->6969 (16:33:36.931 PDT)
138.251.214.77 (16:33:37.416 PDT)
 event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
 33656->6881 (16:33:37.416 PDT)
142.104.21.245 (16:33:37.149 PDT)
 event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
 57547->6881 (16:33:37.149 PDT)
204.123.28.55 (2) (16:33:37.149 PDT)
 event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C
 55609->6881 (16:33:37.149 PDT)
 -------------------------
 event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
 55609->6881 (16:33:37.149 PDT)
203.178.133.11 (16:33:37.416 PDT)
 event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
 43915->6882 (16:33:37.416 PDT)
128.42.142.42 (16:33:37.177 PDT)
 event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
 59017->6881 (16:33:37.177 PDT)
193.191.148.227 (16:33:37.416 PDT)
 event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
 44355->6881 (16:33:37.416 PDT)
132.239.17.226 (16:33:37.174 PDT)
 event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
 40639->6881 (16:33:37.174 PDT)

PEER COORDINATION

DECLARE BOT
Standard Port

DECLARE BOT
Non-standard Port 195.128.181.52 (16:33:36.335 PDT)
 event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
 6882->61086 (16:33:36.335 PDT)

DECLARE BOT
Local Threat Triggered

DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1365463996.798 1365464014.795 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'
============================== SEPARATOR ================================
Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List: 208.95.172.130
Peer Coord. List: 142.103.2.2 (2), 72.36.112.79, 134.121.64.7 (2), 165.91.55.9, 130.237.43.75, 202.116.81.195 (2), 141.76.45.18, 139.18.38.190 (3), 80.65.237.10 (4)
Resource List:
Observed Start: 04/08/2013 20:01:15.471 PDT
Gen. Time: 04/08/2013 20:03:46.937 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC

C and C TRAFFIC (RBN)
208.95.172.130 (20:03:05.379 PDT)
 event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C
 47599->80 (20:03:05.379 PDT)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION
Info 142.103.2.2 (2) (20:01:39.310 PDT-20:01:50.174 PDT)
 event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
 2: 6881->52704 (20:01:39.310 PDT-20:01:50.174 PDT)
72.36.112.79 (20:01:47.778 PDT)
 event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
 6882->47192 (20:01:47.778 PDT)
134.121.64.7 (2) (20:01:25.798 PDT-20:01:37.259 PDT)
 event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
 2: 6882->48722 (20:01:25.798 PDT-20:01:37.259 PDT)
165.91.55.9 (20:01:19.122 PDT)
 event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
 6882->60122 (20:01:19.122 PDT)
130.237.43.75 (20:01:53.875 PDT)
 event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C
 44519->6969 (20:01:53.875 PDT)
202.116.81.195 (2) (20:01:17.877 PDT-20:01:28.097 PDT)
 event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
 2: 6881->52849 (20:01:17.877 PDT-20:01:28.097 PDT)
141.76.45.18 (20:01:15.471 PDT)
 event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
 6882->36280 (20:01:15.471 PDT)
139.18.38.190 (3) (20:01:24.024 PDT-20:01:46.477 PDT)
 event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
 3: 6882->41525 (20:01:24.024 PDT-20:01:46.477 PDT)
80.65.237.10 (4) (20:01:21.599 PDT-20:01:53.349 PDT)
 event=1:2000357 (4) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
 4: 53302->6882 (20:01:21.599 PDT-20:01:53.349 PDT)

PEER COORDINATION

DECLARE BOT
Standard Port

DECLARE BOT
Non-standard Port 164.138.28.31 (20:03:46.937 PDT)
 event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
 6882->54505 (20:03:46.937 PDT)

DECLARE BOT
Local Threat Triggered

DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1365476475.471 1365476513.350 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'
============================== SEPARATOR ================================
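The profiles above are what an analyst has to pivot from: the remote IPs, the signature IDs (event=1:NNNN), the ports, and the Observed Start / Gen. Time window that feeds the tcpslice command. The following parser is an added example, not BotHunter's own code; it is written against the layout used on this page. The embedded sample profile is constructed from the first report above (header fields plus one PEER COORDINATION event and the DECLARE BOT event, the empty sections omitted), the PDT/PST offset table is an assumption since the reports only ever show PDT, and the function names (to_epoch, parse_list, parse_profile, indicators) are this example's own. Converting "04/08/2013 16:33:16.798 PDT" gives 1365463996.798, which is the first tcpslice argument printed in the report; the second argument is not simply Gen. Time, so the parser only exposes both timestamps and does not try to reproduce the window.

```python
"""Parse BotHunter infection-profile text into indicators (added example)."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the first profile on the page, trimmed to the lines the
# parser cares about (header fields, one Info event, one DECLARE BOT event).
SAMPLE_PROFILE = """\
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 193.0.109.25 (2), 128.84.154.41 (2)
Resource List:
Observed Start: 04/08/2013 16:33:16.798 PDT
Gen. Time: 04/08/2013 16:33:36.335 PDT
PEER COORDINATION
Info 193.0.109.25 (2) (16:33:24.030 PDT-16:33:34.794 PDT)
 event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
 2: 6881->35712 (16:33:24.030 PDT-16:33:34.794 PDT)
DECLARE BOT
Non-standard Port 195.128.181.52 (16:33:36.335 PDT)
 event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
 6882->61086 (16:33:36.335 PDT)
"""

# Assumption: only the zone abbreviations seen in these reports are mapped.
TZ_OFFSETS = {"PDT": -7, "PST": -8}

LIST_FIELDS = ("Infector List", "Egg Source List", "C & C List",
               "Peer Coord. List", "Resource List")

# " event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:..."
EVENT_RE = re.compile(
    r"event=(?P<sid>\d+:\d+)(?: \((?P<count>\d+)\))? \{(?P<proto>\w+)\} "
    r"(?P<level>E\d+\[\w+\]) (?P<msg>.*?), \[\] MAC_Src: (?P<mac>[0-9A-F:]+)")
# " 2: 6881->35712 (...)"  or  " 6882->61086 (...)"
PORTS_RE = re.compile(r"(?:\d+: )?(?P<sport>\d+)->(?P<dport>\d+)")
# Evidence line headed by a remote IP, optionally prefixed by "Info" or a DECLARE BOT sub-category.
HOST_RE = re.compile(r"^(?:Info |Non-standard Port |Standard Port )?(?P<ip>\d+\.\d+\.\d+\.\d+)")


def to_epoch(stamp):
    """'04/08/2013 16:33:16.798 PDT' -> 1365463996.798, the form tcpslice takes."""
    date_part, zone = stamp.rsplit(" ", 1)
    naive = datetime.strptime(date_part, "%m/%d/%Y %H:%M:%S.%f")
    aware = naive.replace(tzinfo=timezone(timedelta(hours=TZ_OFFSETS[zone])))
    return round(aware.timestamp(), 3)


def parse_list(value):
    """'193.0.109.25 (2), 128.84.154.41 (2)' -> [('193.0.109.25', 2), ('128.84.154.41', 2)]."""
    items = []
    for chunk in filter(None, (c.strip() for c in value.split(","))):
        m = re.match(r"(\S+)(?: \((\d+)\))?", chunk)
        items.append((m.group(1), int(m.group(2) or 1)))
    return items


def parse_profile(text):
    """Return header fields plus one dict per evidence event (peer, sid, proto, level, msg, ports)."""
    profile = {"events": []}
    current = None
    for line in text.splitlines():
        if line.startswith("Score:"):
            profile["score"] = float(line.split()[1])
        elif line.startswith("Infected Target:"):
            profile["target"] = line.split(":", 1)[1].strip()
        elif line.startswith(("Observed Start:", "Gen. Time:")):
            key, value = line.split(":", 1)
            profile[key.strip()] = to_epoch(value.strip())
        elif line.split(":")[0] in LIST_FIELDS:
            key, value = line.split(":", 1)
            profile[key.strip()] = parse_list(value)
        elif (m := HOST_RE.match(line)):
            current = {"peer": m.group("ip")}          # start of an evidence block
        elif (m := EVENT_RE.search(line)) and current is not None:
            current.update(m.groupdict())             # signature line
        elif (m := PORTS_RE.match(line.strip())) and current is not None:
            current.update(sport=int(m.group("sport")), dport=int(m.group("dport")))
            profile["events"].append(current)         # port line closes the block
            current = None
    return profile


def indicators(profile):
    """Split remote hosts by evidence level: E7[info] P2P chatter is weak context,
    anything stronger (here the E8 ShadowServer hit under DECLARE BOT) is what to act on."""
    strong = sorted({e["peer"] for e in profile["events"] if not e["level"].startswith("E7")})
    weak = sorted({e["peer"] for e in profile["events"] if e["level"].startswith("E7")})
    return strong, weak


if __name__ == "__main__":
    p = parse_profile(SAMPLE_PROFILE)
    print(p["target"], p["score"], p["Observed Start"], indicators(p))
```

Run it over a whole BotHunter output file by splitting on the SEPARATOR line and feeding each chunk to parse_profile; the strong/weak split from indicators is what keeps a blocklist from filling up with ordinary BitTorrent peers while still capturing the control-server hit.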