Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 128.232.103.203, 152.14.93.140 (3), 137.165.1.115 (4), 128.163.142.21, 202.202.43.199 (3), 169.229.50.7 (4), 140.109.17.181
Resource List:
Observed Start: 04/24/2013 14:11:35.418 PDT
Gen. Time: 04/24/2013 14:14:46.435 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION Info
128.232.103.203 (14:12:37.471 PDT)
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  6882->44428 (14:12:37.471 PDT)
152.14.93.140 (3) (14:11:37.664 PDT-14:12:03.300 PDT)
  event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  3: 6882->57666 (14:11:37.664 PDT-14:12:03.300 PDT)
137.165.1.115 (4) (14:11:36.832 PDT-14:12:35.694 PDT)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
  6882->6881 (14:11:36.832 PDT)
  -------------------------
  event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  3: 6882->48179 (14:12:11.419 PDT-14:12:35.694 PDT)
128.163.142.21 (14:11:35.418 PDT)
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  6882->34147 (14:11:35.418 PDT)
202.202.43.199 (3) (14:11:40.926 PDT-14:12:05.490 PDT)
  event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  3: 6882->52069 (14:11:40.926 PDT-14:12:05.490 PDT)
169.229.50.7 (4) (14:12:07.736 PDT-14:12:47.837 PDT)
  event=1:2000357 (4) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  4: 6882->59347 (14:12:07.736 PDT-14:12:47.837 PDT)
140.109.17.181 (14:12:37.642 PDT)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
  6882->6881 (14:12:37.642 PDT)

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port
195.128.181.52 (14:14:46.435 PDT)
  event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
  6881->61086 (14:14:46.435 PDT)

DECLARE BOT Local Threat Triggered

DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1366837895.418 1366837967.838 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 128.42.142.41 (2), 138.48.3.201, 137.132.80.105 (2), 152.81.47.4 (2), 155.98.35.8, 149.43.80.20, 141.213.4.202 (2), 131.130.69.162, 199.26.254.68, 128.143.6.134 (2), 140.192.249.204 (2)
Resource List:
Observed Start: 04/24/2013 15:15:43.005 PDT
Gen. Time: 04/24/2013 15:19:28.857 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION Info
128.42.142.41 (2) (15:15:47.097 PDT)
  event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
  60873->6882 (15:15:47.097 PDT)
  -------------------------
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  60873->6882 (15:16:02.620 PDT)
138.48.3.201 (15:15:43.005 PDT)
  event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
  51497->6882 (15:15:43.005 PDT)
137.132.80.105 (2) (15:15:50.667 PDT-15:15:51.357 PDT)
  event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  2: 6881->45127 (15:15:50.667 PDT-15:15:51.357 PDT)
152.81.47.4 (2) (15:16:01.860 PDT-15:16:11.579 PDT)
  event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  2: 6881->37288 (15:16:01.860 PDT-15:16:11.579 PDT)
155.98.35.8 (15:15:46.249 PDT)
  event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
  42798->6882 (15:15:46.249 PDT)
149.43.80.20 (15:16:08.561 PDT)
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  48923->6881 (15:16:08.561 PDT)
141.213.4.202 (2) (15:16:09.386 PDT-15:16:20.061 PDT)
  event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  2: 6881->38373 (15:16:09.386 PDT-15:16:20.061 PDT)
131.130.69.162 (15:15:52.971 PDT)
  event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
  40080->6882 (15:15:52.971 PDT)
199.26.254.68 (15:15:56.475 PDT)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
  6882->6882 (15:15:56.475 PDT)
128.143.6.134 (2) (15:15:44.990 PDT-15:15:55.571 PDT)
  event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  2: 6881->51085 (15:15:44.990 PDT-15:15:55.571 PDT)
140.192.249.204 (2) (15:16:01.767 PDT-15:16:13.006 PDT)
  event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  2: 33962->6882 (15:16:01.767 PDT-15:16:13.006 PDT)

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port
195.128.181.52 (15:19:28.857 PDT)
  event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
  6881->61086 (15:19:28.857 PDT)

DECLARE BOT Local Threat Triggered

DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1366841743.005 1366841780.062 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 192.107.171.145, 169.229.50.9, 137.132.80.105 (2), 221.199.217.145 (3), 13.7.64.22 (3), 129.97.74.14, 192.33.90.67, 200.129.132.19 (2), 212.51.218.237, 193.1.170.136 (2)
Resource List:
Observed Start: 04/24/2013 16:43:51.262 PDT
Gen. Time: 04/24/2013 16:44:36.604 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION Info
192.107.171.145 (16:44:16.009 PDT)
  event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
  47735->6882 (16:44:16.009 PDT)
169.229.50.9 (16:44:05.629 PDT)
  event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
  53676->6882 (16:44:05.629 PDT)
137.132.80.105 (2) (16:44:17.811 PDT-16:44:18.407 PDT)
  event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  2: 48288->6881 (16:44:17.811 PDT-16:44:18.407 PDT)
221.199.217.145 (3) (16:43:58.106 PDT-16:44:20.170 PDT)
  event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  3: 6881->48792 (16:43:58.106 PDT-16:44:20.170 PDT)
13.7.64.22 (3) (16:43:51.262 PDT-16:44:15.115 PDT)
  event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  3: 6882->59578 (16:43:51.262 PDT-16:44:15.115 PDT)
129.97.74.14 (16:44:16.741 PDT)
  event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
  6882->33898 (16:44:16.741 PDT)
192.33.90.67 (16:44:06.449 PDT)
  event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
  6882->39718 (16:44:06.449 PDT)
200.129.132.19 (2) (16:44:03.263 PDT-16:44:14.296 PDT)
  event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  2: 6881->34765 (16:44:03.263 PDT-16:44:14.296 PDT)
212.51.218.237 (16:43:53.218 PDT)
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  6881->33506 (16:43:53.218 PDT)
193.1.170.136 (2) (16:43:58.457 PDT-16:44:09.237 PDT)
  event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
  2: 6882->37871 (16:43:58.457 PDT-16:44:09.237 PDT)

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port
195.128.181.52 (16:44:36.604 PDT)
  event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
  6881->61086 (16:44:36.604 PDT)

DECLARE BOT Local Threat Triggered

DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1366847031.262 1366847060.171 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================