Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 177.96.133.165, 192.43.193.71 (2), 219.243.208.62 (3), 149.156.5.116, 216.48.80.12, 178.22.88.44, 147.102.224.227, 138.48.3.202
Resource List:
Observed Start: 04/26/2013 01:24:41.704 PDT
Gen. Time: 04/26/2013 01:25:05.575 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  177.96.133.165 (01:24:43.095 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6881->21968 (01:24:43.095 PDT)
  192.43.193.71 (2) (01:24:49.485 PDT-01:25:02.025 PDT) event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2: 56905->6884 (01:24:49.485 PDT-01:25:02.025 PDT)
  219.243.208.62 (3) (01:24:41.704 PDT-01:25:05.122 PDT) event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 3: 35981->6881 (01:24:41.704 PDT-01:25:05.122 PDT)
  149.156.5.116 (01:24:42.153 PDT) event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 36803->6881 (01:24:42.153 PDT)
  216.48.80.12 (01:24:57.867 PDT) event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C 6882->57953 (01:24:57.867 PDT)
  178.22.88.44 (01:24:45.592 PDT) event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C 52302->6881 (01:24:45.592 PDT)
  147.102.224.227 (01:25:02.352 PDT) event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C 6881->46032 (01:25:02.352 PDT)
  138.48.3.202 (01:24:50.185 PDT) event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C 34860->6881 (01:24:50.185 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  195.128.181.52 (01:25:05.575 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 6882->61086 (01:25:05.575 PDT)
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1366964681.704 1366964705.123 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 178.22.88.44, 194.47.148.170, 216.48.80.12, 192.43.193.71 (3), 131.254.208.12 (2), 160.80.221.39, 147.102.224.227, 128.114.63.63, 149.156.5.116, 128.114.63.15, 219.243.208.62 (4), 177.96.133.165, 138.48.3.202, 203.178.133.2
Resource List:
Observed Start: 04/26/2013 01:24:41.704 PDT
Gen. Time: 04/26/2013 01:28:42.764 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  178.22.88.44 (01:24:45.592 PDT) event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C 52302->6881 (01:24:45.592 PDT)
  194.47.148.170 (01:25:12.924 PDT) event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 6882->50874 (01:25:12.924 PDT)
  216.48.80.12 (01:24:57.867 PDT) event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C 6882->57953 (01:24:57.867 PDT)
  192.43.193.71 (3) (01:24:49.485 PDT-01:25:12.838 PDT) event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 3: 56905->6884 (01:24:49.485 PDT-01:25:12.838 PDT)
  131.254.208.12 (2) (01:25:17.814 PDT-01:25:23.238 PDT) event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2: 6882->48660 (01:25:17.814 PDT-01:25:23.238 PDT)
  160.80.221.39 (01:25:18.190 PDT) event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 35157->6882 (01:25:18.190 PDT)
  147.102.224.227 (01:25:02.352 PDT) event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C 6881->46032 (01:25:02.352 PDT)
  128.114.63.63 (01:25:14.185 PDT) event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 59621->6881 (01:25:14.185 PDT)
  149.156.5.116 (01:24:42.153 PDT) event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 36803->6881 (01:24:42.153 PDT)
  128.114.63.15 (01:25:34.166 PDT) event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C 6882->45594 (01:25:34.166 PDT)
  219.243.208.62 (4) (01:24:41.704 PDT-01:25:05.122 PDT) event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C 35981->6881 (01:25:16.509 PDT)
  ------------------------- event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 3: 35981->6881 (01:24:41.704 PDT-01:25:05.122 PDT)
  177.96.133.165 (01:24:43.095 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6881->21968 (01:24:43.095 PDT)
  138.48.3.202 (01:24:50.185 PDT) event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C 34860->6881 (01:24:50.185 PDT)
  203.178.133.2 (01:25:24.587 PDT) event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 54287->6882 (01:25:24.587 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  195.128.181.52 (01:25:05.575 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 6882->61086 (01:25:05.575 PDT)
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1366964681.704 1366964723.239 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List: 198.51.132.160
Peer Coord. List: 199.26.254.68, 133.68.253.243 (3), 203.110.240.191, 204.123.28.56 (5), 128.10.19.52, 147.83.29.234 (6)
Resource List:
Observed Start: 04/26/2013 19:12:36.563 PDT
Gen. Time: 04/26/2013 19:14:28.626 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
  198.51.132.160 (19:14:28.626 PDT) event=1:2012801 {tcp} E4[rb] ET TROJAN Spoofed MSIE 7 User-Agent Likely Ponmocup, [/user_details_thanx?userid=o84KZeqgy0YGLmz5I9P-pg&thanx_start=3280] MAC_Src: 00:21:5A:08:BB:0C 52270->80 (19:14:28.626 PDT)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  199.26.254.68 (19:12:42.350 PDT) event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 6881->50187 (19:12:42.350 PDT)
  133.68.253.243 (3) (19:13:24.196 PDT-19:13:48.467 PDT) event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 3: 6881->56921 (19:13:24.196 PDT-19:13:48.467 PDT)
  203.110.240.191 (19:13:38.447 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6881->6881 (19:13:38.447 PDT)
  204.123.28.56 (5) (19:12:36.563 PDT-19:13:18.717 PDT) event=1:2000357 (5) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 5: 6881->55095 (19:12:36.563 PDT-19:13:18.717 PDT)
  128.10.19.52 (19:13:54.254 PDT) event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 6881->44836 (19:13:54.254 PDT)
  147.83.29.234 (6) (19:12:54.210 PDT-19:13:50.660 PDT) event=1:2000357 (6) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 6: 6881->34571 (19:12:54.210 PDT-19:13:50.660 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
  195.70.51.165 (19:13:12.437 PDT) event=1:9920020 {udp} E8[std] ET ShadowServer confirmed botnet control server on standard port, [] MAC_Src: 00:21:5A:08:BB:0C 50402->53 (19:13:12.437 PDT)
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367028756.563 1367028830.661 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 149.43.80.22 (2), 165.230.49.115, 139.78.141.245 (2), 212.51.218.235 (3), 137.132.80.105, 155.246.12.164 (2), 116.240.177.129, 165.91.55.8, 88.197.53.226 (3), 66.140.111.5
Resource List:
Observed Start: 04/26/2013 22:23:00.857 PDT
Gen. Time: 04/26/2013 22:26:19.737 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  149.43.80.22 (2) (22:23:24.766 PDT-22:23:38.261 PDT) event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2: 6881->55906 (22:23:24.766 PDT-22:23:38.261 PDT)
  165.230.49.115 (22:23:16.148 PDT) event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C 6882->39141 (22:23:16.148 PDT)
  139.78.141.245 (2) (22:23:08.978 PDT-22:23:19.674 PDT) event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2: 6882->51679 (22:23:08.978 PDT-22:23:19.674 PDT)
  212.51.218.235 (3) (22:23:07.658 PDT-22:23:31.988 PDT) event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 3: 6881->45853 (22:23:07.658 PDT-22:23:31.988 PDT)
  137.132.80.105 (22:23:07.193 PDT) event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C 6882->50530 (22:23:07.193 PDT)
  155.246.12.164 (2) (22:23:09.150 PDT-22:23:19.825 PDT) event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2: 6881->54674 (22:23:09.150 PDT-22:23:19.825 PDT)
  116.240.177.129 (22:23:15.285 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6881->54657 (22:23:15.285 PDT)
  165.91.55.8 (22:23:22.428 PDT) event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C 50482->6881 (22:23:22.428 PDT)
  88.197.53.226 (3) (22:23:00.857 PDT-22:23:37.241 PDT) event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 3: 6882->36486 (22:23:00.857 PDT-22:23:37.241 PDT)
  66.140.111.5 (22:23:25.106 PDT) event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 6882->39785 (22:23:25.106 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  195.128.181.52 (22:26:19.489 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 6882->61086 (22:26:19.489 PDT)
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367040180.857 1367040218.262 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List: 64.46.38.31
Peer Coord. List: 149.43.80.22 (2), 165.230.49.115, 139.78.141.245 (2), 132.239.17.225, 212.51.218.235 (3), 137.132.80.105, 169.235.24.232, 13.7.64.22, 155.246.12.164 (2), 128.220.251.50, 116.240.177.129, 192.52.240.214, 165.91.55.8, 204.8.155.226, 88.197.53.226 (3), 66.140.111.5, 132.239.17.226
Resource List:
Observed Start: 04/26/2013 22:23:00.857 PDT
Gen. Time: 04/26/2013 22:27:03.144 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
  64.46.38.31 (22:26:51.620 PDT) event=1:3810008 {udp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 60532->53 (22:26:51.620 PDT)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  149.43.80.22 (2) (22:23:24.766 PDT-22:23:38.261 PDT) event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2: 6881->55906 (22:23:24.766 PDT-22:23:38.261 PDT)
  165.230.49.115 (22:23:16.148 PDT) event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C 6882->39141 (22:23:16.148 PDT)
  139.78.141.245 (2) (22:23:08.978 PDT-22:23:19.674 PDT) event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2: 6882->51679 (22:23:08.978 PDT-22:23:19.674 PDT)
  132.239.17.225 (22:26:19.737 PDT) event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 44368->6881 (22:26:19.737 PDT)
  212.51.218.235 (3) (22:23:07.658 PDT-22:23:31.988 PDT) event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 3: 6881->45853 (22:23:07.658 PDT-22:23:31.988 PDT)
  137.132.80.105 (22:23:07.193 PDT) event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C 6882->50530 (22:23:07.193 PDT)
  169.235.24.232 (22:26:19.737 PDT) event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 57787->6881 (22:26:19.737 PDT)
  13.7.64.22 (22:26:19.762 PDT) event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 58783->6881 (22:26:19.762 PDT)
  155.246.12.164 (2) (22:23:09.150 PDT-22:23:19.825 PDT) event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2: 6881->54674 (22:23:09.150 PDT-22:23:19.825 PDT)
  128.220.251.50 (22:26:19.787 PDT) event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 50799->6881 (22:26:19.787 PDT)
  116.240.177.129 (22:23:15.285 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6881->54657 (22:23:15.285 PDT)
  192.52.240.214 (22:26:19.787 PDT) event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 38189->6882 (22:26:19.787 PDT)
  165.91.55.8 (22:23:22.428 PDT) event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C 50482->6881 (22:23:22.428 PDT)
  204.8.155.226 (22:26:19.787 PDT) event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 59507->6881 (22:26:19.787 PDT)
  88.197.53.226 (3) (22:23:00.857 PDT-22:23:37.241 PDT) event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 3: 6882->36486 (22:23:00.857 PDT-22:23:37.241 PDT)
  66.140.111.5 (22:23:25.106 PDT) event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 6882->39785 (22:23:25.106 PDT)
  132.239.17.226 (22:26:19.762 PDT) event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 36060->6881 (22:26:19.762 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  195.128.181.52 (22:26:19.489 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 6882->61086 (22:26:19.489 PDT)
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367040180.857 1367040218.262 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================