Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 82.179.176.42 (2), 185.6.124.193, 164.107.127.13, 193.167.187.187, 129.10.120.194, 199.26.254.68 (2), 152.3.138.7 (2), 203.178.133.11 (3), 157.92.44.102, 194.47.148.172, 128.111.52.59, 128.208.4.198
Resource List:
Observed Start: 04/24/2013 17:42:15.621 PDT
Gen. Time: 04/24/2013 17:44:33.687 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info 82.179.176.42 (2) (17:42:19.610 PDT-17:42:30.644 PDT)
 event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:EC:40
 2: 6882->37383 (17:42:19.610 PDT-17:42:30.644 PDT)
185.6.124.193 (17:42:23.615 PDT)
 event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:EC:40
 6882->54312 (17:42:23.615 PDT)
164.107.127.13 (17:42:29.308 PDT)
 event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:EC:40
 6881->51190 (17:42:29.308 PDT)
193.167.187.187 (17:42:33.402 PDT)
 event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:EC:40
 38134->6881 (17:42:33.402 PDT)
129.10.120.194 (17:42:20.771 PDT)
 event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:EC:40
 51010->6881 (17:42:20.771 PDT)
199.26.254.68 (2) (17:42:19.433 PDT)
 event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:EC:40
 6881->36299 (17:42:19.433 PDT)
 -------------------------
 event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:EC:40
 6881->36299 (17:42:34.730 PDT)
152.3.138.7 (2) (17:42:32.721 PDT-17:42:47.485 PDT)
 event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:EC:40
 2: 6882->32926 (17:42:32.721 PDT-17:42:47.485 PDT)
203.178.133.11 (3) (17:42:15.621 PDT-17:42:39.855 PDT)
 event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:EC:40
 3: 6882->36370 (17:42:15.621 PDT-17:42:39.855 PDT)
157.92.44.102 (17:42:46.056 PDT)
 event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:EC:40
 45933->6882 (17:42:46.056 PDT)
194.47.148.172 (17:42:48.767 PDT)
 event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:EC:40
 6881->50072 (17:42:48.767 PDT)
128.111.52.59 (17:42:35.180 PDT)
 event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:EC:40
 57800->6881 (17:42:35.180 PDT)
128.208.4.198 (17:42:27.005 PDT)
 event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:EC:40
 52708->6881 (17:42:27.005 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
193.138.229.18 (17:44:33.687 PDT)
 event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
 6882->51413 (17:44:33.687 PDT)
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1366850535.621 1366850567.486 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 130.237.50.235 (2), 193.226.19.30, 128.138.207.45
Resource List:
Observed Start: 04/24/2013 21:03:46.632 PDT
Gen. Time: 04/24/2013 21:04:09.846 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info 130.237.50.235 (2) (21:03:56.153 PDT)
 event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:EC:40
 60980->6969 (21:03:56.153 PDT)
 -------------------------
 event=1:2000369 {tcp} E7[info] ET P2P BitTorrent Announce, [] MAC_Src: 00:21:5A:08:EC:40
 60980->6969 (21:03:56.153 PDT)
193.226.19.30 (21:03:52.321 PDT)
 event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:EC:40
 6881->43082 (21:03:52.321 PDT)
128.138.207.45 (21:03:46.632 PDT)
 event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:EC:40
 6881->56843 (21:03:46.632 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
193.138.229.18 (21:04:09.846 PDT)
 event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
 6881->51413 (21:04:09.846 PDT)
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1366862626.632 1366862626.633 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 203.178.143.10, 193.226.19.30, 129.110.125.52, 129.93.229.138, 129.22.150.78, 128.42.142.45, 128.138.207.45, 143.215.131.198, 206.117.37.5 (2), 198.82.160.221, 128.36.233.153, 136.159.220.42, 130.237.50.235 (4)
Resource List:
Observed Start: 04/24/2013 21:03:46.632 PDT
Gen. Time: 04/24/2013 21:07:34.361 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info 203.178.143.10 (21:04:10.160 PDT)
 event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:EC:40
 45728->6881 (21:04:10.160 PDT)
193.226.19.30 (21:03:52.321 PDT)
 event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:EC:40
 6881->43082 (21:03:52.321 PDT)
129.110.125.52 (21:04:10.097 PDT)
 event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:EC:40
 59750->6881 (21:04:10.097 PDT)
129.93.229.138 (21:04:10.098 PDT)
 event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:EC:40
 55881->6881 (21:04:10.098 PDT)
129.22.150.78 (21:04:10.113 PDT)
 event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:EC:40
 45183->6881 (21:04:10.113 PDT)
128.42.142.45 (21:04:10.095 PDT)
 event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:EC:40
 54459->6881 (21:04:10.095 PDT)
128.138.207.45 (21:03:46.632 PDT)
 event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:EC:40
 6881->56843 (21:03:46.632 PDT)
143.215.131.198 (21:04:10.114 PDT)
 event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:EC:40
 53242->6881 (21:04:10.114 PDT)
206.117.37.5 (2) (21:04:10.075 PDT)
 event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:EC:40
 56136->6881 (21:04:10.075 PDT)
 -------------------------
 event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:EC:40
 56136->6881 (21:04:10.075 PDT)
198.82.160.221 (21:04:10.116 PDT)
 event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:EC:40
 33149->6881 (21:04:10.116 PDT)
128.36.233.153 (21:04:10.113 PDT)
 event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:EC:40
 56738->6881 (21:04:10.113 PDT)
136.159.220.42 (21:04:10.090 PDT)
 event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:EC:40
 43843->6881 (21:04:10.090 PDT)
130.237.50.235 (4) (21:03:56.153 PDT)
 event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:EC:40
 60980->6969 (21:03:56.153 PDT)
 -------------------------
 event=1:2000369 (2) {tcp} E7[info] ET P2P BitTorrent Announce, [] MAC_Src: 00:21:5A:08:EC:40
 60980->6969 (21:03:56.153 PDT)
 60999->6969 (21:04:09.851 PDT)
 -------------------------
 event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:21:5A:08:EC:40
 60999->6969 (21:04:09.851 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
193.138.229.18 (21:04:09.846 PDT)
 event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
 6881->51413 (21:04:09.846 PDT)
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1366862626.632 1366862626.633 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================