Score: 2.3 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List: 208.88.226.10 (2), 64.111.199.221 (2), 64.111.214.2 (2), 217.199.217.100 (2), 218.30.115.254 (8), 84.45.63.21
Peer Coord. List:
Resource List:
Observed Start: 04/16/2013 14:11:07.131 PDT
Gen. Time: 04/18/2013 08:54:03.026 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC

C and C TRAFFIC (RBN)
208.88.226.10 (2) (16:58:34.017 PDT)
    event=1:3810007 (2) {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C
    39559->80 (16:58:34.017 PDT)
    49899->80 (17:09:33.622 PDT)
64.111.199.221 (2) (16:05:34.496 PDT)
    event=1:3810007 (2) {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C
    32930->80 (16:05:34.496 PDT)
    58898->80 (16:16:13.689 PDT)
64.111.214.2 (2) (17:24:48.029 PDT)
    event=1:3810007 (2) {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C
    57926->80 (17:24:48.029 PDT)
    59106->80 (17:36:05.455 PDT)
217.199.217.100 (2) (14:42:28.183 PDT)
    event=1:3810007 (2) {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C
    35646->80 (14:42:28.183 PDT)
    55940->80 (14:55:00.466 PDT)
218.30.115.254 (8) (14:29:07.001 PDT)
    event=1:3810007 (8) {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C
    45909->80 (14:29:07.001 PDT)
    36504->80 (15:05:57.825 PDT)
    55678->80 (15:20:07.676 PDT)
    49278->80 (15:39:23.078 PDT)
    37586->80 (15:52:18.328 PDT)
    43386->80 (16:32:06.590 PDT)
    40396->80 (17:53:15.063 PDT)
    51474->80 (18:07:14.278 PDT)
84.45.63.21 (16:47:17.571 PDT)
    event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C
    34185->80 (16:47:17.571 PDT)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)
80.1.51.16 (15:00:40.407 PDT)
    event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 11 IPs (2 /24s) (# pkts S/M/O/I=0/10/1/0): 22:10, [] MAC_Src: 00:21:5A:08:BB:0C
    0->0 (15:00:40.407 PDT)
80.0.55.243 (14:20:30.519 PDT)
    event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 12 IPs (4 /24s) (# pkts S/M/O/I=0/10/2/0): 22:10, [] MAC_Src: 00:21:5A:08:BB:0C
    0->0 (14:20:30.519 PDT)
80.2.111.179 (15:52:54.480 PDT)
    event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 15 IPs (4 /24s) (# pkts S/M/O/I=0/12/3/0): 22:12, [] MAC_Src: 00:21:1C:EE:14:00
    0->0 (15:52:54.480 PDT)
80.2.62.218 (15:44:51.101 PDT)
    event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 11 IPs (2 /24s) (# pkts S/M/O/I=0/10/1/0): 22:10, [] MAC_Src: 00:21:5A:08:BB:0C
    0->0 (15:44:51.101 PDT)
80.3.96.61 (16:33:03.296 PDT)
    event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (1 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:21:5A:08:BB:0C
    0->0 (16:33:03.296 PDT)
80.2.207.250 (16:08:57.152 PDT)
    event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (2 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:21:5A:08:BB:0C
    0->0 (16:08:57.152 PDT)
80.2.160.176 (16:00:55.238 PDT)
    event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 11 IPs (2 /24s) (# pkts S/M/O/I=0/10/1/0): 22:10, [] MAC_Src: 00:21:5A:08:BB:0C
    0->0 (16:00:55.238 PDT)
80.0.107.100 (14:28:32.037 PDT)
    event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (1 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:21:5A:08:BB:0C
    0->0 (14:28:32.037 PDT)
128.208.4.86 (2) (14:52:38.120 PDT-15:28:47.150 PDT)
    event=777:7777005 (2) {tcp} E5[bh] Detected moderate malware port scanning of 11 IPs (2 /24s) (# pkts S/M/O/I=0/10/1/0): 22:10, [] MAC_Src: 00:21:5A:08:BB:0C
    2: 0->0 (14:52:38.120 PDT-15:28:47.150 PDT)
80.0.202.113 (14:44:36.029 PDT)
    event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 11 IPs (2 /24s) (# pkts S/M/O/I=0/10/1/0): 22:10, [] MAC_Src: 00:21:5A:08:BB:0C
    0->0 (14:44:36.029 PDT)
80.0.154.111 (14:36:35.024 PDT)
    event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 11 IPs (3 /24s) (# pkts S/M/O/I=0/10/1/0): 22:10, [] MAC_Src: 00:21:5A:08:BB:0C
    0->0 (14:36:35.024 PDT)
80.2.255.73 (16:16:59.341 PDT)
    event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (1 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:21:5A:08:BB:0C
    0->0 (16:16:59.341 PDT)
80.2.15.3 (15:36:49.121 PDT)
    event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 11 IPs (2 /24s) (# pkts S/M/O/I=0/10/1/0): 22:10, [] MAC_Src: 00:21:5A:08:BB:0C
    0->0 (15:36:49.121 PDT)
80.1.124.53 (15:12:43.094 PDT)
    event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 11 IPs (3 /24s) (# pkts S/M/O/I=0/10/1/0): 22:10, [] MAC_Src: 00:21:5A:08:BB:0C
    0->0 (15:12:43.094 PDT)
80.1.172.16 (15:20:45.161 PDT)
    event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 11 IPs (3 /24s) (# pkts S/M/O/I=0/10/1/0): 22:10, [] MAC_Src: 00:21:5A:08:BB:0C
    0->0 (15:20:45.161 PDT)
183.12.102.248 (16:25:01.297 PDT)
    event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 14 IPs (3 /24s) (# pkts S/M/O/I=0/12/3/0): 22:12, [] MAC_Src: 00:21:5A:08:BB:0C
    0->0 (16:25:01.297 PDT)

OUTBOUND SCAN
80.0.0.33 (14:11:07.246 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:21:5A:08:BB:0C
    42436->22 (14:11:07.246 PDT)
80.0.0.40 (2) (14:11:07.268 PDT)
    event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:21:5A:08:BB:0C
    33413->22 (14:11:07.268 PDT)
    -------------------------
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:21:5A:08:BB:0C
    33413->22 (14:11:07.268 PDT)
80.0.0.9 (14:11:07.146 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:21:5A:08:BB:0C
    35002->22 (14:11:07.146 PDT)
80.0.0.24 (14:11:07.209 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:21:5A:08:BB:0C
    42869->22 (14:11:07.209 PDT)
80.0.0.69 (14:11:07.395 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:21:5A:08:BB:0C
    34531->22 (14:11:07.395 PDT)
80.0.0.15 (14:11:07.166 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:21:5A:08:BB:0C
    55264->22 (14:11:07.166 PDT)
80.0.0.53 (14:11:07.327 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:21:5A:08:BB:0C
    44779->22 (14:11:07.327 PDT)
80.0.0.29 (14:11:07.231 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:21:5A:08:BB:0C
    39466->22 (14:11:07.231 PDT)
80.0.0.44 (14:11:07.286 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:21:5A:08:BB:0C
    44585->22 (14:11:07.286 PDT)
80.0.0.59 (2) (14:11:07.347 PDT)
    event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:21:5A:08:BB:0C
    38065->22 (14:11:07.347 PDT)
    -------------------------
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:21:5A:08:BB:0C
    38065->22 (14:11:07.347 PDT)
80.0.0.4 (14:11:07.131 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:21:5A:08:BB:0C
    39033->22 (14:11:07.131 PDT)
80.0.0.19 (2) (14:11:07.183 PDT)
    event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:21:5A:08:BB:0C
    44723->22 (14:11:07.183 PDT)
    -------------------------
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:21:5A:08:BB:0C
    44723->22 (14:11:07.183 PDT)
80.0.0.49 (14:11:07.309 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:21:5A:08:BB:0C
    41145->22 (14:11:07.309 PDT)
80.0.0.64 (14:11:07.381 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:21:5A:08:BB:0C
    36671->22 (14:11:07.381 PDT)

ATTACK PREP

PEER COORDINATION Info

PEER COORDINATION

DECLARE BOT Standard Port
199.59.243.109 (15:41:27.537 PDT)
    event=1:9920009 {tcp} E8[std] ET ShadowServer confirmed botnet control server on standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    55869->80 (15:41:27.537 PDT)

DECLARE BOT Non-standard Port

DECLARE BOT Local Threat Triggered

DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
80.1.51.24 (15:00:40.408 PDT)
    event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (2 /24s) (# pkts S/M/O/I=0/20/1/0): 22:20, [] MAC_Src: 00:21:5A:08:BB:0C
    0->0 (15:00:40.408 PDT)
142.4.54.222 (15:01:55.582 PDT)
    event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 500 IPs (228 /24s) (# pkts S/M/O/I=0/201/252/95): 22:200, 1433, [] MAC_Src: 00:21:5A:08:BB:0C
    0->0 (15:01:55.582 PDT)
80.2.160.124 (16:00:55.257 PDT)
    event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (2 /24s) (# pkts S/M/O/I=0/20/1/0): 22:20, [] MAC_Src: 00:21:5A:08:BB:0C
    0->0 (16:00:55.257 PDT)
80.2.207.250 (16:08:57.356 PDT)
    event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (4 /24s) (# pkts S/M/O/I=0/18/1/2): 22:18, [] MAC_Src: 00:21:5A:08:BB:0C
    0->0 (16:08:57.356 PDT)
80.0.107.108 (14:28:32.065 PDT)
    event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (1 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:21:5A:08:BB:0C
    0->0 (14:28:32.065 PDT)
128.208.4.86 (2) (14:52:38.391 PDT-15:28:47.255 PDT)
    event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (2 /24s) (# pkts S/M/O/I=0/20/1/0): 22:20, [] MAC_Src: 00:21:5A:08:BB:0C
    2: 0->0 (14:52:38.391 PDT-15:28:47.255 PDT)
80.0.154.111 (14:36:35.733 PDT)
    event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (4 /24s) (# pkts S/M/O/I=0/19/2/0): 22:19, [] MAC_Src: 00:21:5A:08:BB:0C
    0->0 (14:36:35.733 PDT)
80.2.255.73 (16:16:59.743 PDT)
    event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (1 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:21:5A:08:BB:0C
    0->0 (16:16:59.743 PDT)
80.2.15.3 (15:36:49.447 PDT)
    event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (2 /24s) (# pkts S/M/O/I=0/20/1/0): 22:20, [] MAC_Src: 00:21:5A:08:BB:0C
    0->0 (15:36:49.447 PDT)
80.1.124.53 (15:12:43.336 PDT)
    event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (5 /24s) (# pkts S/M/O/I=0/18/1/2): 22:18, [] MAC_Src: 00:21:5A:08:BB:0C
    0->0 (15:12:43.336 PDT)
80.2.111.244 (15:52:54.545 PDT)
    event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (4 /24s) (# pkts S/M/O/I=0/18/3/0): 22:18, [] MAC_Src: 00:21:1C:EE:14:00
    0->0 (15:52:54.545 PDT)
80.2.62.222 (15:44:51.229 PDT)
    event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (2 /24s) (# pkts S/M/O/I=0/20/1/0): 22:20, [] MAC_Src: 00:21:5A:08:BB:0C
    0->0 (15:44:51.229 PDT)
80.1.172.16 (15:20:45.394 PDT)
    event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (3 /24s) (# pkts S/M/O/I=0/20/1/0): 22:20, [] MAC_Src: 00:21:5A:08:BB:0C
    0->0 (15:20:45.394 PDT)
183.12.102.248 (16:25:01.506 PDT)
    event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 24 IPs (5 /24s) (# pkts S/M/O/I=0/20/5/0): 22:20, [] MAC_Src: 00:21:5A:08:BB:0C
    0->0 (16:25:01.506 PDT)
80.0.55.252 (14:20:30.550 PDT)
    event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (4 /24s) (# pkts S/M/O/I=0/19/2/0): 22:19, [] MAC_Src: 00:21:5A:08:BB:0C
    0->0 (14:20:30.550 PDT)
80.0.202.125 (14:44:36.147 PDT)
    event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (2 /24s) (# pkts S/M/O/I=0/20/1/0): 22:20, [] MAC_Src: 00:21:5A:08:BB:0C
    0->0 (14:44:36.147 PDT)

tcpslice 1366146667.131 1366151327.256 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List: 218.30.115.254
Peer Coord. List:
Resource List:
Observed Start: 04/18/2013 09:17:47.466 PDT
Gen. Time: 04/18/2013 09:27:16.199 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC

C and C TRAFFIC (RBN)
218.30.115.254 (09:26:08.854 PDT)
    event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C
    50614->80 (09:26:08.854 PDT)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN
4.0.0.53 (09:17:47.606 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:21:5A:08:BB:0C
    44378->22 (09:17:47.606 PDT)
4.0.0.45 (09:17:47.586 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:21:5A:08:BB:0C
    45221->22 (09:17:47.586 PDT)
4.0.0.14 (09:17:47.496 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:21:5A:08:BB:0C
    56201->22 (09:17:47.496 PDT)
4.0.0.29 (09:17:47.540 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:21:5A:08:BB:0C
    58707->22 (09:17:47.540 PDT)
4.0.0.59 (2) (09:17:47.626 PDT)
    event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:21:5A:08:BB:0C
    57518->22 (09:17:47.626 PDT)
    -------------------------
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:21:5A:08:BB:0C
    57518->22 (09:17:47.626 PDT)
4.0.0.4 (09:17:47.466 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:21:5A:08:BB:0C
    36742->22 (09:17:47.466 PDT)
4.0.0.19 (2) (09:17:47.509 PDT)
    event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:21:5A:08:BB:0C
    41251->22 (09:17:47.509 PDT)
    -------------------------
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:21:5A:08:BB:0C
    41251->22 (09:17:47.509 PDT)
4.0.0.34 (09:17:47.561 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:21:5A:08:BB:0C
    41068->22 (09:17:47.561 PDT)
4.0.0.49 (09:17:47.596 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:21:5A:08:BB:0C
    33499->22 (09:17:47.596 PDT)
4.0.0.64 (09:17:47.659 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:21:5A:08:BB:0C
    60980->22 (09:17:47.659 PDT)
4.0.0.9 (09:17:47.480 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:21:5A:08:BB:0C
    35825->22 (09:17:47.480 PDT)
4.0.0.24 (09:17:47.526 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:21:5A:08:BB:0C
    33741->22 (09:17:47.526 PDT)
4.0.0.39 (2) (09:17:47.574 PDT)
    event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:21:5A:08:BB:0C
    50966->22 (09:17:47.574 PDT)
    -------------------------
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:21:5A:08:BB:0C
    50966->22 (09:17:47.574 PDT)
4.0.0.69 (09:17:47.659 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:21:5A:08:BB:0C
    35137->22 (09:17:47.659 PDT)

ATTACK PREP

PEER COORDINATION Info

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port

DECLARE BOT Local Threat Triggered

DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
128.208.4.86 (09:27:16.199 PDT)
    event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 26 IPs (7 /24s) (# pkts S/M/O/I=0/20/5/1): 22:20, [] MAC_Src: 00:21:5A:08:BB:0C
    0->0 (09:27:16.199 PDT)

tcpslice 1366301867.466 1366301867.467 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================
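Each profile closes with a tcpslice | tcpdump command whose first argument is the profile's Observed Start expressed in epoch seconds (1366146667.131 is 04/16/2013 14:11:07.131 PDT; 1366301867.466 is 04/18/2013 09:17:47.466 PDT) and whose tcpdump filter keeps every packet to or from the infected target. The script below is an added example, written for this page and not BotHunter's own code: it parses a profile in the layout above, checks that the tcpslice start really is Observed Start, lists the C & C hosts with their hit counts, and builds a narrower BPF filter that keeps only the target's traffic with the C & C and DECLARE BOT hosts, which is usually the first thing an analyst wants from the pcap. The sample profile is a constructed, abridged copy of the first profile on this page; the parsing rules, the fixed UTC-7 offset assumed for "PDT" (and UTC-8 for "PST"), and the function names are this example's own assumptions.

```python
"""Parse a BotHunter infection profile and sanity-check its tcpslice window.
Added example, not part of the BotHunter report; PDT/PST offsets assumed fixed."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: an abridged copy of the first profile in the report above.
SAMPLE_PROFILE = """\
Score: 2.3 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
C & C List: 208.88.226.10 (2), 64.111.199.221 (2), 218.30.115.254 (8), 84.45.63.21
Observed Start: 04/16/2013 14:11:07.131 PDT
Gen. Time: 04/18/2013 08:54:03.026 PDT

C and C TRAFFIC (RBN)
208.88.226.10 (2) (16:58:34.017 PDT)
    event=1:3810007 (2) {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C
    39559->80 (16:58:34.017 PDT)
    49899->80 (17:09:33.622 PDT)

OUTBOUND SCAN (spp)
128.208.4.86 (2) (14:52:38.120 PDT-15:28:47.150 PDT)
    event=777:7777005 (2) {tcp} E5[bh] Detected moderate malware port scanning of 11 IPs (2 /24s) (# pkts S/M/O/I=0/10/1/0): 22:10, [] MAC_Src: 00:21:5A:08:BB:0C
    2: 0->0 (14:52:38.120 PDT-15:28:47.150 PDT)

OUTBOUND SCAN
80.0.0.40 (2) (14:11:07.268 PDT)
    event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:21:5A:08:BB:0C
    33413->22 (14:11:07.268 PDT)
    -------------------------
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:21:5A:08:BB:0C
    33413->22 (14:11:07.268 PDT)

DECLARE BOT Standard Port
199.59.243.109 (15:41:27.537 PDT)
    event=1:9920009 {tcp} E8[std] ET ShadowServer confirmed botnet control server on standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    55869->80 (15:41:27.537 PDT)

tcpslice 1366146667.131 1366151327.256 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'
"""

# BotHunter stamps local time with a zone label; this report uses PDT.
# Assumption: one fixed offset per label (no DST change inside a profile).
ZONE_OFFSETS = {"PDT": -7, "PST": -8, "UTC": 0}

HEADER_RE = re.compile(r"^([A-Za-z&. ]+?):\s*(.*)$")
CC_ENTRY_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})(?:\s*\((\d+)\))?")
TS_RE = re.compile(r"(\d{2}/\d{2}/\d{4}) (\d{2}:\d{2}:\d{2})\.(\d{3}) ([A-Z]{3})")
IP_LINE_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s*(?:\((\d+)\)\s*)?\(")
EVENT_RE = re.compile(r"event=(\d+:\d+)(?:\s*\(\d+\))?\s*\{(\w+)\}\s*(E\d\[\w+\])\s*"
                      r"(.*?),\s*\[\]\s*MAC_Src:\s*([0-9A-Fa-f:]{17})")
FLOW_RE = re.compile(r"^\s*(?:\d+:\s*)?(\d+)->(\d+)\s*\((\d{2}:\d{2}:\d{2}\.\d{3})")
SLICE_RE = re.compile(r"^tcpslice\s+(\d+\.\d+)\s+(\d+\.\d+)\s+")

def to_epoch(ts):
    """'04/16/2013 14:11:07.131 PDT' -> '1366146667.131', the form tcpslice takes."""
    m = TS_RE.fullmatch(ts.strip())
    if not m:
        raise ValueError(f"unrecognised BotHunter timestamp: {ts!r}")
    date, hms, ms, zone = m.groups()
    tz = timezone(timedelta(hours=ZONE_OFFSETS[zone]))
    dt = datetime.strptime(f"{date} {hms}", "%m/%d/%Y %H:%M:%S").replace(tzinfo=tz)
    return f"{int(dt.timestamp())}.{ms}"

def parse_profile(text):
    """Split a profile into header fields, per-phase remote hosts and the tcpslice line."""
    header, phases, slice_cmd, phase, host = {}, {}, None, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("tcpslice "):
            slice_cmd = line.strip()
        elif not line[0].isspace():
            ipm, hm = IP_LINE_RE.match(line), HEADER_RE.match(line)
            if phase is None and hm:                 # "Key: value" header block
                header[hm.group(1).strip()] = hm.group(2).strip()
            elif ipm and phase is not None:          # remote host under the current phase
                host = {"ip": ipm.group(1), "hits": int(ipm.group(2) or 1), "events": [], "flows": []}
                phases[phase].append(host)
            else:                                    # phase heading, e.g. OUTBOUND SCAN
                phase, host = line.strip(), None
                phases.setdefault(phase, [])
        elif host is not None:                       # indented event / flow line
            em, fm = EVENT_RE.search(line), FLOW_RE.match(line)
            if em:
                host["events"].append(dict(zip(("sid", "proto", "stage", "msg", "mac"), em.groups())))
            elif fm:
                host["flows"].append((int(fm.group(1)), int(fm.group(2)), fm.group(3)))
    return {"header": header, "phases": phases, "tcpslice": slice_cmd}

def cc_hosts(header):
    """C & C List entries as (ip, hit count); a bare IP counts once."""
    return [(ip, int(n or 1)) for ip, n in CC_ENTRY_RE.findall(header.get("C & C List", ""))]

def check_slice_window(profile):
    """tcpslice's first argument must be Observed Start in epoch seconds."""
    m = SLICE_RE.match(profile["tcpslice"] or "")
    return bool(m) and m.group(1) == to_epoch(profile["header"]["Observed Start"])

def pcap_filter(profile):
    """BPF that keeps only the victim's traffic with the hosts the profile blames."""
    target = profile["header"]["Infected Target"]
    peers = {ip for ip, _ in cc_hosts(profile["header"])}
    peers |= {h["ip"] for h in profile["phases"].get("DECLARE BOT Standard Port", [])}
    clause = " or ".join(f"host {ip}" for ip in sorted(peers))
    return f"host {target} and ({clause})" if clause else f"host {target}"

if __name__ == "__main__":
    p = parse_profile(SAMPLE_PROFILE)
    print(check_slice_window(p), cc_hosts(p["header"]), pcap_filter(p), sep="\n")
```

The filter returned by pcap_filter can be dropped straight into the report's own command in place of 'host 192.168.1.100'; the SSH-scan victims in the OUTBOUND SCAN phases are deliberately left out of it, since that traffic is the bot's own scanning rather than its control channel.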