Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List: 194.242.113.210
Peer Coord. List: 200.19.159.35 (3), 217.173.198.153, 131.254.208.12, 147.102.224.228 (2), 132.72.23.11 (2), 130.216.1.22, 132.227.62.124 (3), 194.254.215.12 (2), 128.233.252.12 (2)
Resource List:
Observed Start: 04/25/2013 04:52:45.526 PDT
Gen. Time: 04/25/2013 04:55:23.357 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT
MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
  194.242.113.210 (04:52:45.640 PDT)
    event=1:3810008 {udp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C
    36391->53 (04:52:45.640 PDT)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  200.19.159.35 (3) (04:52:47.669 PDT-04:53:00.177 PDT)
    event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    3: 50959->6882 (04:52:47.669 PDT-04:53:00.177 PDT)
  217.173.198.153 (04:53:14.539 PDT)
    event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
    6881->45025 (04:53:14.539 PDT)
  131.254.208.12 (04:52:53.824 PDT)
    event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
    55735->6881 (04:52:53.824 PDT)
  147.102.224.228 (2) (04:52:45.526 PDT-04:52:56.244 PDT)
    event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    2: 6882->57313 (04:52:45.526 PDT-04:52:56.244 PDT)
  132.72.23.11 (2) (04:52:59.349 PDT-04:53:13.682 PDT)
    event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    2: 6882->40406 (04:52:59.349 PDT-04:53:13.682 PDT)
  130.216.1.22 (04:53:01.627 PDT)
    event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
    48060->6881 (04:53:01.627 PDT)
  132.227.62.124 (3) (04:52:50.424 PDT-04:53:15.760 PDT)
    event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    3: 41701->6882 (04:52:50.424 PDT-04:53:15.760 PDT)
  194.254.215.12 (2) (04:53:09.966 PDT-04:53:19.995 PDT)
    event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    2: 6881->41480 (04:53:09.966 PDT-04:53:19.995 PDT)
  128.233.252.12 (2) (04:52:57.053 PDT-04:53:07.746 PDT)
    event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    2: 43781->6881 (04:52:57.053 PDT-04:53:07.746 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  195.128.181.52 (04:55:23.357 PDT)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    6882->61086 (04:55:23.357 PDT)
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1366890765.526 1366890799.996 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 193.63.75.20, 203.178.133.3, 165.91.55.8
Resource List:
Observed Start: 04/25/2013 12:51:49.773 PDT
Gen. Time: 04/25/2013 12:51:55.110 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT
MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  193.63.75.20 (12:51:52.864 PDT)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    6882->55958 (12:51:52.864 PDT)
  203.178.133.3 (12:51:49.876 PDT)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    60269->6882 (12:51:49.876 PDT)
  165.91.55.8 (12:51:49.773 PDT)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    6882->36327 (12:51:49.773 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  195.128.181.52 (12:51:55.110 PDT)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    6881->61086 (12:51:55.110 PDT)
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1366919509.773 1366919509.774 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List: 211.233.11.26
Peer Coord. List: 128.111.52.64, 141.213.4.202 (2), 198.82.160.239, 129.110.125.51, 193.63.75.20, 165.91.55.8 (3), 200.0.206.137 (3), 129.186.205.78, 203.178.133.3, 193.206.22.133 (3)
Resource List:
Observed Start: 04/25/2013 12:51:49.773 PDT
Gen. Time: 04/25/2013 12:55:49.768 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT
MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
  211.233.11.26 (12:53:39.190 PDT)
    event=1:3810008 {udp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C
    37018->53 (12:53:39.190 PDT)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  128.111.52.64 (12:52:15.474 PDT)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    6881->39459 (12:52:15.474 PDT)
  141.213.4.202 (2) (12:52:00.660 PDT-12:52:11.431 PDT)
    event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    2: 57005->6881 (12:52:00.660 PDT-12:52:11.431 PDT)
  198.82.160.239 (12:52:22.339 PDT)
    event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
    57238->6881 (12:52:22.339 PDT)
  129.110.125.51 (12:52:02.857 PDT)
    event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
    37244->6881 (12:52:02.857 PDT)
  193.63.75.20 (12:51:52.864 PDT)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    6882->55958 (12:51:52.864 PDT)
  165.91.55.8 (3) (12:51:49.773 PDT-12:52:15.568 PDT)
    event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    3: 6882->36327 (12:51:49.773 PDT-12:52:15.568 PDT)
  200.0.206.137 (3) (12:51:55.111 PDT-12:52:20.457 PDT)
    event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    3: 6882->55539 (12:51:55.111 PDT-12:52:20.457 PDT)
  129.186.205.78 (12:52:04.635 PDT)
    event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
    51333->6882 (12:52:04.635 PDT)
  203.178.133.3 (12:51:49.876 PDT)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    60269->6882 (12:51:49.876 PDT)
  193.206.22.133 (3) (12:51:55.225 PDT-12:52:06.452 PDT)
    event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
    42636->6883 (12:52:18.844 PDT)
    -------------------------
    event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    2: 42636->6883 (12:51:55.225 PDT-12:52:06.452 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  195.128.181.52 (12:51:55.110 PDT)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    6881->61086 (12:51:55.110 PDT)
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1366919509.773 1366919540.458 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List: 75.126.150.82
Peer Coord. List: 128.187.223.212, 139.78.141.243 (2), 204.85.191.11 (2), 128.111.52.63 (3), 200.132.1.4 (2), 163.117.253.22 (2), 139.30.240.192 (2), 158.130.6.253 (2), 156.17.10.51
Resource List:
Observed Start: 04/25/2013 14:27:49.819 PDT
Gen. Time: 04/25/2013 14:29:04.875 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT
MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
  75.126.150.82 (14:27:54.053 PDT)
    event=1:3810008 {udp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C
    38396->53 (14:27:54.053 PDT)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  128.187.223.212 (14:27:53.599 PDT)
    event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
    37474->6881 (14:27:53.599 PDT)
  139.78.141.243 (2) (14:27:55.608 PDT-14:28:06.281 PDT)
    event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    2: 6881->47720 (14:27:55.608 PDT-14:28:06.281 PDT)
  204.85.191.11 (2) (14:27:56.278 PDT-14:28:07.387 PDT)
    event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    2: 51545->6881 (14:27:56.278 PDT-14:28:07.387 PDT)
  128.111.52.63 (3) (14:27:49.819 PDT-14:28:14.965 PDT)
    event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    3: 6881->53529 (14:27:49.819 PDT-14:28:14.965 PDT)
  200.132.1.4 (2) (14:28:08.976 PDT-14:28:26.091 PDT)
    event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    2: 6881->33951 (14:28:08.976 PDT-14:28:26.091 PDT)
  163.117.253.22 (2) (14:28:16.109 PDT-14:28:27.655 PDT)
    event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    2: 6882->45970 (14:28:16.109 PDT-14:28:27.655 PDT)
  139.30.240.192 (2) (14:27:53.181 PDT-14:28:05.161 PDT)
    event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    2: 32789->6881 (14:27:53.181 PDT-14:28:05.161 PDT)
  158.130.6.253 (2) (14:27:59.202 PDT)
    event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
    6882->37615 (14:27:59.202 PDT)
    -------------------------
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
    6882->37615 (14:28:22.341 PDT)
  156.17.10.51 (14:28:01.785 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
    6881->6881 (14:28:01.785 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  195.128.181.52 (14:29:04.875 PDT)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    6882->61086 (14:29:04.875 PDT)
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1366925269.819 1366925307.656 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================