Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List: 198.51.132.160
Peer Coord. List: 203.178.133.2, 204.85.191.10, 131.247.2.248, 193.157.115.250, 199.26.254.66 (2), 200.0.206.136
Resource List:
Observed Start: 04/25/2013 03:43:19.388 PDT
Gen. Time: 04/25/2013 03:43:47.918 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
198.51.132.160 (03:43:47.918 PDT)
event=1:2012801 {tcp} E4[rb] ET TROJAN Spoofed MSIE 7 User-Agent Likely Ponmocup, [/user_details_thanx?userid=0z7CYyBIh4emkv6_-DtC6g&thanx_start=3580] MAC_Src: 00:21:5A:08:EC:40 56992->80 (03:43:47.918 PDT)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
203.178.133.2 (03:43:34.267 PDT)
event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:EC:40 6881->43238 (03:43:34.267 PDT)
204.85.191.10 (03:43:29.653 PDT)
event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:EC:40 6881->47153 (03:43:29.653 PDT)
131.247.2.248 (03:43:38.258 PDT)
event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:EC:40 6881->38226 (03:43:38.258 PDT)
193.157.115.250 (03:43:25.658 PDT)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:EC:40 6881->6882 (03:43:25.658 PDT)
199.26.254.66 (2) (03:43:19.388 PDT-03:43:30.117 PDT)
event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:EC:40 2: 6881->38362 (03:43:19.388 PDT-03:43:30.117 PDT)
200.0.206.136 (03:43:33.259 PDT)
event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:EC:40 6881->36512 (03:43:33.259 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
204.11.237.4 (03:43:35.779 PDT)
event=1:9920020 {udp} E8[std] ET ShadowServer confirmed botnet control server on standard port, [] MAC_Src: 00:21:5A:08:EC:40 54948->53 (03:43:35.779 PDT)
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1366886599.388 1366886610.118 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.2 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List: 198.51.132.160, 219.240.39.230
Peer Coord. List: 130.194.252.8 (3), 131.247.2.248, 204.85.191.10, 200.0.206.136 (2), 193.157.115.250, 128.42.142.42, 128.208.4.198, 200.129.132.18 (2), 203.178.133.2 (3), 199.26.254.66 (3)
Resource List:
Observed Start: 04/25/2013 03:43:19.388 PDT
Gen. Time: 04/25/2013 03:47:42.454 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
198.51.132.160 (03:43:47.918 PDT)
event=1:2012801 {tcp} E4[rb] ET TROJAN Spoofed MSIE 7 User-Agent Likely Ponmocup, [/user_details_thanx?userid=0z7CYyBIh4emkv6_-DtC6g&thanx_start=3580] MAC_Src: 00:21:5A:08:EC:40 56992->80 (03:43:47.918 PDT)
C and C TRAFFIC (RBN)
219.240.39.230 (03:46:37.190 PDT)
event=1:3810008 {udp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 50768->53 (03:46:37.190 PDT)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
130.194.252.8 (3) (03:44:03.614 PDT-03:44:15.110 PDT)
event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:EC:40 6881->34161 (03:44:23.359 PDT)
-------------------------
event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:EC:40 2: 6881->34161 (03:44:03.614 PDT-03:44:15.110 PDT)
131.247.2.248 (03:43:38.258 PDT)
event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:EC:40 6881->38226 (03:43:38.258 PDT)
204.85.191.10 (03:43:29.653 PDT)
event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:EC:40 6881->47153 (03:43:29.653 PDT)
200.0.206.136 (2) (03:43:33.259 PDT-03:43:51.420 PDT)
event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:EC:40 2: 6881->36512 (03:43:33.259 PDT-03:43:51.420 PDT)
193.157.115.250 (03:43:25.658 PDT)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:EC:40 6881->6882 (03:43:25.658 PDT)
128.42.142.42 (03:44:11.878 PDT)
event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:EC:40 6881->36114 (03:44:11.878 PDT)
128.208.4.198 (03:44:25.584 PDT)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:EC:40 6881->6881 (03:44:25.584 PDT)
200.129.132.18 (2) (03:43:56.537 PDT-03:44:10.289 PDT)
event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:EC:40 2: 6881->36575 (03:43:56.537 PDT-03:44:10.289 PDT)
203.178.133.2 (3) (03:43:34.267 PDT-03:43:51.488 PDT)
event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:EC:40 6881->43238 (03:44:12.661 PDT)
-------------------------
event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:EC:40 2: 6881->43238 (03:43:34.267 PDT-03:43:51.488 PDT)
199.26.254.66 (3) (03:43:19.388 PDT-03:44:23.129 PDT)
event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:EC:40 3: 6881->38362 (03:43:19.388 PDT-03:44:23.129 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
204.11.237.4 (03:43:35.779 PDT)
event=1:9920020 {udp} E8[std] ET ShadowServer confirmed botnet control server on standard port, [] MAC_Src: 00:21:5A:08:EC:40 54948->53 (03:43:35.779 PDT)
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1366886599.388 1366886663.130 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List: 198.51.132.60
Peer Coord. List: 129.15.78.31, 140.192.249.203, 152.14.93.140, 129.10.120.194, 141.161.20.32, 156.56.250.226, 204.85.191.11, 130.253.21.121, 169.229.50.7, 141.213.4.201, 170.140.119.70, 128.138.207.45, 204.123.28.56, 13.7.64.20 (2), 198.82.160.220, 130.237.50.235
Resource List:
Observed Start: 04/25/2013 12:27:41.930 PDT
Gen. Time: 04/25/2013 12:30:28.144 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
198.51.132.60 (12:28:24.225 PDT)
event=1:2012801 {tcp} E4[rb] ET TROJAN Spoofed MSIE 7 User-Agent Likely Ponmocup, [/user_details_thanx?userid=Tqm7Wu7IBJ1td3Ab5ZpUhw&thanx_start=73490] MAC_Src: 00:21:5A:08:EC:40 60475->80 (12:28:24.225 PDT)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
129.15.78.31 (12:27:42.228 PDT)
event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:EC:40 52252->6882 (12:27:42.228 PDT)
140.192.249.203 (12:27:42.260 PDT)
event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:EC:40 46643->6881 (12:27:42.260 PDT)
152.14.93.140 (12:27:42.260 PDT)
event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:EC:40 40491->6881 (12:27:42.260 PDT)
129.10.120.194 (12:27:42.286 PDT)
event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:EC:40 33028->6881 (12:27:42.286 PDT)
141.161.20.32 (12:27:41.997 PDT)
event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:EC:40 6881->44016 (12:27:41.997 PDT)
156.56.250.226 (12:27:42.286 PDT)
event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:EC:40 50430->6882 (12:27:42.286 PDT)
204.85.191.11 (12:27:42.261 PDT)
event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:EC:40 43659->6882 (12:27:42.261 PDT)
130.253.21.121 (12:27:42.261 PDT)
event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:EC:40 34164->6881 (12:27:42.261 PDT)
169.229.50.7 (12:27:42.220 PDT)
event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:EC:40 33895->6881 (12:27:42.220 PDT)
141.213.4.201 (12:27:42.260 PDT)
event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:EC:40 59135->6882 (12:27:42.260 PDT)
170.140.119.70 (12:27:42.286 PDT)
event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:EC:40 56403->6882 (12:27:42.286 PDT)
128.138.207.45 (12:27:42.286 PDT)
event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:EC:40 45003->6882 (12:27:42.286 PDT)
204.123.28.56 (12:27:42.221 PDT)
event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:EC:40 52566->6881 (12:27:42.221 PDT)
13.7.64.20 (2) (12:27:42.206 PDT)
event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:EC:40 45289->6881 (12:27:42.206 PDT)
-------------------------
event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:EC:40 45289->6881 (12:27:42.206 PDT)
198.82.160.220 (12:27:42.261 PDT)
event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:EC:40 38877->6882 (12:27:42.261 PDT)
130.237.50.235 (12:27:41.930 PDT)
event=1:2000369 {tcp} E7[info] ET P2P BitTorrent Announce, [] MAC_Src: 00:21:5A:08:EC:40 43612->6969 (12:27:41.930 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
204.11.237.4 (12:30:28.144 PDT)
event=1:9920020 {udp} E8[std] ET ShadowServer confirmed botnet control server on standard port, [] MAC_Src: 00:21:5A:08:EC:40 48568->53 (12:30:28.144 PDT)
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1366918061.930 1366918061.931 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================