Score: 2.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List: 198.51.132.160, 198.51.132.60 (2), 208.88.226.10, 208.95.172.130, 64.111.214.2, 4.8.2.0, 217.199.217.100 (2), 218.30.115.254 (9), 84.45.63.21 (2)
Peer Coord. List: 128.220.231.2 (10)
Resource List:
Observed Start: 04/18/2013 09:17:47.466 PDT
Gen. Time: 04/23/2013 08:56:41.260 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC
198.51.132.160 (14:19:43.585 PDT)
  event=1:2012801 {tcp} E4[rb] ET TROJAN Spoofed MSIE 7 User-Agent Likely Ponmocup, [/user_details_thanx?userid=MtHD0Wdh4FtbyFJCb4yfUQ&thanx_start=6470] MAC_Src: 00:21:5A:08:BB:0C
  53598->80 (14:19:43.585 PDT)
198.51.132.60 (2) (05:58:21.863 PDT)
  event=1:2012801 (2) {tcp} E4[rb] ET TROJAN Spoofed MSIE 7 User-Agent Likely Ponmocup, [/user_details_thanx?userid=fS7GSBB_xI_tPgPCfrO-vA&thanx_start=0] MAC_Src: 00:21:5A:08:BB:0C
  35557->80 (05:58:21.863 PDT)
  49119->80 (07:30:28.372 PDT)

C and C TRAFFIC (RBN)
208.88.226.10 (11:27:19.438 PDT)
  event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C
  34760->80 (11:27:19.438 PDT)
208.95.172.130 (13:55:55.070 PDT)
  event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C
  56374->80 (13:55:55.070 PDT)
64.111.214.2 (12:04:04.304 PDT)
  event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C
  47309->80 (12:04:04.304 PDT)
4.8.2.0 (11:38:03.513 PDT)
  event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C
  57890->80 (11:38:03.513 PDT)
217.199.217.100 (2) (13:33:29.902 PDT)
  event=1:3810007 (2) {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C
  37118->80 (13:33:29.902 PDT)
  38591->80 (13:43:47.554 PDT)
218.30.115.254 (9) (09:26:08.854 PDT)
  event=1:3810007 (9) {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C
  50614->80 (09:26:08.854 PDT)
  48836->80 (09:48:44.236 PDT)
  38620->80 (10:05:54.689 PDT)
  32884->80 (10:27:46.225 PDT)
  37998->80 (10:37:46.709 PDT)
  57984->80 (11:50:31.661 PDT)
  41058->80 (12:35:24.186 PDT)
  39668->80 (12:55:44.607 PDT)
  38965->80 (13:12:38.709 PDT)
84.45.63.21 (2) (11:01:10.316 PDT)
  event=1:3810007 (2) {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C
  37965->80 (11:01:10.316 PDT)
  59861->80 (11:12:58.773 PDT)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)
4.5.92.92 (10:51:35.031 PDT)
  event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (1 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:21:5A:08:BB:0C
  0->0 (10:51:35.031 PDT)
4.2.154.86 (10:03:23.952 PDT)
  event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 12 IPs (3 /24s) (# pkts S/M/O/I=0/10/2/0): 22:10, [] MAC_Src: 00:21:1C:EE:14:00
  0->0 (10:03:23.952 PDT)
4.3.17.20 (10:11:25.023 PDT)
  event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (2 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:21:5A:08:BB:0C
  0->0 (10:11:25.023 PDT)
4.8.146.140 (11:47:49.037 PDT)
  event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (2 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:21:5A:08:BB:0C
  0->0 (11:47:49.037 PDT)
4.7.50.92 (11:23:43.028 PDT)
  event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 11 IPs (2 /24s) (# pkts S/M/O/I=0/10/1/0): 22:10, [] MAC_Src: 00:21:5A:08:BB:0C
  0->0 (11:23:43.028 PDT)
4.3.251.92 (10:27:29.014 PDT)
  event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (2 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:21:5A:08:BB:0C
  0->0 (10:27:29.014 PDT)
4.5.209.200 (10:59:37.166 PDT)
  event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 11 IPs (2 /24s) (# pkts S/M/O/I=0/10/1/0): 22:10, [] MAC_Src: 00:21:5A:08:BB:0C
  0->0 (10:59:37.166 PDT)
83.246.92.210 (11:15:42.087 PDT)
  event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 15 IPs (4 /24s) (# pkts S/M/O/I=0/12/3/0): 22:12, [] MAC_Src: 00:21:1C:EE:14:00
  0->0 (11:15:42.087 PDT)
4.8.28.117 (11:39:47.117 PDT)
  event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 11 IPs (2 /24s) (# pkts S/M/O/I=0/10/1/0): 22:10, [] MAC_Src: 00:21:5A:08:BB:0C
  0->0 (11:39:47.117 PDT)
128.208.4.86 (4) (09:43:18.245 PDT-10:19:27.060 PDT)
  event=777:7777005 (4) {tcp} E5[bh] Detected moderate malware port scanning of 12 IPs (4 /24s) (# pkts S/M/O/I=0/10/2/0): 22:10, [] MAC_Src: 00:21:1C:EE:14:00
  0->0 (10:43:33.460 PDT)
  2: 0->0 (09:43:18.245 PDT-10:19:27.060 PDT)
  0->0 (10:35:31.064 PDT)
206.117.37.5 (11:55:51.414 PDT)
  event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 20 IPs (5 /24s) (# pkts S/M/O/I=0/16/4/0): 22:16, [] MAC_Src: 00:21:1C:EE:14:00
  0->0 (11:55:51.414 PDT)
4.1.234.18 (09:51:20.007 PDT)
  event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (1 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:21:5A:08:BB:0C
  0->0 (09:51:20.007 PDT)
4.0.254.13 (09:35:16.540 PDT)
  event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 11 IPs (2 /24s) (# pkts S/M/O/I=0/10/1/0): 22:10, [] MAC_Src: 00:21:5A:08:BB:0C
  0->0 (09:35:16.540 PDT)
4.7.167.34 (11:31:45.271 PDT)
  event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 11 IPs (2 /24s) (# pkts S/M/O/I=0/10/1/0): 22:10, [] MAC_Src: 00:21:5A:08:BB:0C
  0->0 (11:31:45.271 PDT)

OUTBOUND SCAN
4.0.0.53 (09:17:47.606 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:21:5A:08:BB:0C
  44378->22 (09:17:47.606 PDT)
4.0.0.45 (09:17:47.586 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:21:5A:08:BB:0C
  45221->22 (09:17:47.586 PDT)
4.0.0.14 (09:17:47.496 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:21:5A:08:BB:0C
  56201->22 (09:17:47.496 PDT)
4.0.0.29 (09:17:47.540 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:21:5A:08:BB:0C
  58707->22 (09:17:47.540 PDT)
4.0.0.59 (2) (09:17:47.626 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:21:5A:08:BB:0C
  57518->22 (09:17:47.626 PDT)
  -------------------------
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:21:5A:08:BB:0C
  57518->22 (09:17:47.626 PDT)
4.0.0.4 (09:17:47.466 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:21:5A:08:BB:0C
  36742->22 (09:17:47.466 PDT)
4.0.0.19 (2) (09:17:47.509 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:21:5A:08:BB:0C
  41251->22 (09:17:47.509 PDT)
  -------------------------
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:21:5A:08:BB:0C
  41251->22 (09:17:47.509 PDT)
4.0.0.34 (09:17:47.561 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:21:5A:08:BB:0C
  41068->22 (09:17:47.561 PDT)
4.0.0.49 (09:17:47.596 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:21:5A:08:BB:0C
  33499->22 (09:17:47.596 PDT)
4.0.0.64 (09:17:47.659 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:21:5A:08:BB:0C
  60980->22 (09:17:47.659 PDT)
4.0.0.9 (09:17:47.480 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:21:5A:08:BB:0C
  35825->22 (09:17:47.480 PDT)
4.0.0.24 (09:17:47.526 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:21:5A:08:BB:0C
  33741->22 (09:17:47.526 PDT)
4.0.0.39 (2) (09:17:47.574 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:21:5A:08:BB:0C
  50966->22 (09:17:47.574 PDT)
  -------------------------
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:21:5A:08:BB:0C
  50966->22 (09:17:47.574 PDT)
4.0.0.69 (09:17:47.659 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:21:5A:08:BB:0C
  35137->22 (09:17:47.659 PDT)

ATTACK PREP

PEER COORDINATION Info
128.220.231.2 (10) (22:10:22.258 PDT)
  event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:21:5A:08:BB:0C
  46333->6969 (22:43:32.591 PDT)
  -------------------------
  event=1:1100018 (3) {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C
  37825->6969 (22:10:22.258 PDT)
  59872->6969 (22:25:40.478 PDT)
  45324->6969 (22:43:24.525 PDT)
  -------------------------
  event=1:2000369 (3) {tcp} E7[info] ET P2P BitTorrent Announce, [] MAC_Src: 00:21:5A:08:BB:0C
  37825->6969 (22:10:22.258 PDT)
  59872->6969 (22:25:40.478 PDT)
  45324->6969 (22:43:24.525 PDT)
  -------------------------
  event=1:2102180 (3) {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:21:5A:08:BB:0C
  37825->6969 (22:10:22.258 PDT)
  59872->6969 (22:25:40.478 PDT)
  45324->6969 (22:43:24.525 PDT)

PEER COORDINATION

DECLARE BOT Standard Port
195.70.51.165 (03:01:06.138 PDT)
  event=1:9920020 {udp} E8[std] ET ShadowServer confirmed botnet control server on standard port, [] MAC_Src: 00:21:5A:08:BB:0C
  55880->53 (03:01:06.138 PDT)
208.87.35.103 (22:11:49.844 PDT)
  event=1:9920009 {tcp} E8[std] ET ShadowServer confirmed botnet control server on standard port, [] MAC_Src: 00:21:5A:08:BB:0C
  60795->80 (22:11:49.844 PDT)
213.249.68.98 (4) (01:52:52.191 PDT)
  event=1:9920020 (4) {udp} E8[std] ET ShadowServer confirmed botnet control server on standard port, [] MAC_Src: 00:21:5A:08:BB:0C
  41459->53 (01:52:52.191 PDT)
  52607->53 (04:05:29.843 PDT)
  35736->53 (06:09:45.462 PDT)
  47570->53 (07:50:28.582 PDT)
213.239.193.176 (6) (00:44:52.313 PDT)
  event=1:9920020 (6) {udp} E8[std] ET ShadowServer confirmed botnet control server on standard port, [] MAC_Src: 00:21:5A:08:BB:0C
  56191->53 (00:44:52.313 PDT)
  45712->53 (02:22:46.676 PDT)
  48326->53 (02:47:18.952 PDT)
  45235->53 (04:21:23.432 PDT)
  49325->53 (06:58:26.251 PDT)
  34597->53 (08:18:11.989 PDT)
204.11.237.4 (5) (01:17:08.182 PDT)
  event=1:9920020 (5) {udp} E8[std] ET ShadowServer confirmed botnet control server on standard port, [] MAC_Src: 00:21:5A:08:BB:0C
  37437->53 (01:17:08.182 PDT)
  35746->53 (03:18:21.995 PDT)
  55884->53 (05:44:28.240 PDT)
  45331->53 (07:10:51.131 PDT)
  42690->53 (08:07:23.408 PDT)

DECLARE BOT Non-standard Port

DECLARE BOT Local Threat Triggered

DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
4.5.92.92 (10:51:35.031 PDT)
  event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (1 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:21:5A:08:BB:0C
  0->0 (10:51:35.031 PDT)
4.2.154.86 (10:03:24.059 PDT)
  event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (4 /24s) (# pkts S/M/O/I=0/18/3/0): 22:18, [] MAC_Src: 00:21:1C:EE:14:00
  0->0 (10:03:24.059 PDT)
4.7.50.92 (11:23:43.421 PDT)
  event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (4 /24s) (# pkts S/M/O/I=0/19/2/0): 22:19, [] MAC_Src: 00:21:5A:08:BB:0C
  0->0 (11:23:43.421 PDT)
4.5.209.200 (10:59:37.194 PDT)
  event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (2 /24s) (# pkts S/M/O/I=0/20/1/0): 22:20, [] MAC_Src: 00:21:5A:08:BB:0C
  0->0 (10:59:37.194 PDT)
83.246.92.210 (11:15:42.087 PDT)
  event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (4 /24s) (# pkts S/M/O/I=0/18/3/0): 22:18, [] MAC_Src: 00:21:1C:EE:14:00
  0->0 (11:15:42.087 PDT)
128.208.4.86 (4) (09:27:16.199 PDT)
  event=777:7777008 (4) {tcp} E8[bh] Detected intense malware port scanning of 26 IPs (7 /24s) (# pkts S/M/O/I=0/20/5/1): 22:20, [] MAC_Src: 00:21:5A:08:BB:0C
  0->0 (09:27:16.199 PDT)
  0->0 (09:43:18.324 PDT)
  0->0 (09:51:20.150 PDT)
  0->0 (10:35:31.117 PDT)
128.223.8.122 (09:52:07.559 PDT)
  event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 500 IPs (251 /24s) (# pkts S/M/O/I=0/201/177/170): 22:200, 4380, [] MAC_Src: 00:21:5A:08:BB:0C
  0->0 (09:52:07.559 PDT)
113.87.51.116 (2) (10:11:25.132 PDT)
  event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (3 /24s) (# pkts S/M/O/I=0/20/2/0): 22:20, [] MAC_Src: 00:21:5A:08:BB:0C
  0->0 (10:11:25.132 PDT)
  0->0 (11:31:45.703 PDT)
4.3.134.101 (10:19:27.140 PDT)
  event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (4 /24s) (# pkts S/M/O/I=0/19/2/0): 22:19, [] MAC_Src: 00:21:5A:08:BB:0C
  0->0 (10:19:27.140 PDT)
41.225.7.4 (11:07:39.675 PDT)
  event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 33 IPs (6 /24s) (# pkts S/M/O/I=0/28/7/0): 22:28, [] MAC_Src: 00:21:5A:08:BB:0C
  0->0 (11:07:39.675 PDT)
4.0.254.13 (09:35:16.565 PDT)
  event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (2 /24s) (# pkts S/M/O/I=0/20/1/0): 22:20, [] MAC_Src: 00:21:5A:08:BB:0C
  0->0 (09:35:16.565 PDT)
4.4.230.18 (10:43:33.657 PDT)
  event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (4 /24s) (# pkts S/M/O/I=0/19/2/0): 22:19, [] MAC_Src: 00:21:1C:EE:14:00
  0->0 (10:43:33.657 PDT)
4.3.251.94 (10:27:29.169 PDT)
  event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (2 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:21:5A:08:BB:0C
  0->0 (10:27:29.169 PDT)

tcpslice 1366301867.466 1366305567.061 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================