Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 143.215.131.199 (7), 152.3.138.7 (3), 160.80.221.37 (4), 95.84.46.176, 137.165.1.112 (2)
Resource List:
Observed Start: 04/26/2013 06:50:52.473 PDT
Gen. Time: 04/26/2013 06:54:03.233 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info
143.215.131.199 (7) (06:50:52.473 PDT-06:51:49.878 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:EC:40 6881->6881 (06:51:00.268 PDT)
    -------------------------
    event=1:2000357 (6) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:EC:40 6: 6881->39023 (06:50:52.473 PDT-06:51:49.878 PDT)
152.3.138.7 (3) (06:50:57.362 PDT-06:51:19.076 PDT)
    event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:EC:40 3: 6881->41805 (06:50:57.362 PDT-06:51:19.076 PDT)
160.80.221.37 (4) (06:51:22.994 PDT-06:52:01.680 PDT)
    event=1:2000357 (4) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:EC:40 4: 6881->37564 (06:51:22.994 PDT-06:52:01.680 PDT)
95.84.46.176 (06:52:07.186 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:EC:40 6881->6881 (06:52:07.186 PDT)
137.165.1.112 (2) (06:51:52.661 PDT-06:52:07.627 PDT)
    event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:EC:40 2: 6881->34209 (06:51:52.661 PDT-06:52:07.627 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
195.128.181.52 (06:54:03.233 PDT)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 6881->61086 (06:54:03.233 PDT)
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1366984252.473 1366984327.628 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 136.159.220.40, 169.226.40.2, 204.123.28.57 (2), 128.223.8.114 (2), 66.140.111.5 (3), 198.133.224.147, 147.83.30.164 (3), 132.239.17.226, 130.237.50.235 (3)
Resource List:
Observed Start: 04/26/2013 07:46:42.613 PDT
Gen. Time: 04/26/2013 07:49:23.668 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info
136.159.220.40 (07:47:13.125 PDT)
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:EC:40 6881->47048 (07:47:13.125 PDT)
169.226.40.2 (07:47:17.370 PDT)
    event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:EC:40 42261->6881 (07:47:17.370 PDT)
204.123.28.57 (2) (07:47:17.067 PDT)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:EC:40 52395->6881 (07:47:17.067 PDT)
    -------------------------
    event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:EC:40 52395->6881 (07:47:17.067 PDT)
128.223.8.114 (2) (07:46:52.978 PDT)
    event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:EC:40 6881->56757 (07:46:52.978 PDT)
    -------------------------
    event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:EC:40 6881->56757 (07:47:12.675 PDT)
66.140.111.5 (3) (07:46:42.613 PDT-07:47:06.735 PDT)
    event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:EC:40 3: 6881->60851 (07:46:42.613 PDT-07:47:06.735 PDT)
198.133.224.147 (07:47:17.369 PDT)
    event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:EC:40 52159->6881 (07:47:17.369 PDT)
147.83.30.164 (3) (07:46:43.512 PDT-07:47:07.281 PDT)
    event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:EC:40 3: 6881->34278 (07:46:43.512 PDT-07:47:07.281 PDT)
132.239.17.226 (07:47:17.369 PDT)
    event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:EC:40 39026->6881 (07:47:17.369 PDT)
130.237.50.235 (3) (07:47:16.104 PDT)
    event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:EC:40 41780->6969 (07:47:16.104 PDT)
    -------------------------
    event=1:2000369 {tcp} E7[info] ET P2P BitTorrent Announce, [] MAC_Src: 00:21:5A:08:EC:40 41780->6969 (07:47:16.104 PDT)
    -------------------------
    event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:21:5A:08:EC:40 41780->6969 (07:47:16.104 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
193.138.229.18 (07:49:23.668 PDT)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 6882->51413 (07:49:23.668 PDT)
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1366987602.613 1366987627.282 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================
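Added example, not BotHunter output or code: a small parser for profiles shaped like the two above. It rebuilds each alert from the event= lines (tracking which remote peer the indented lines belong to), totals alerts per dialog class (E7 peer coordination, E8 declaration, honouring the "(6)" aggregation counts), checks whether every E7 alert is one of the BitTorrent signature IDs that appear in these profiles, lists exactly what the DECLARE BOT step fired on, and recomputes the tcpslice window from the timestamps. SAMPLE is a constructed, trimmed copy of the first profile (same event lines, fewer peers). Assumptions, not BotHunter's documented logic: PDT is UTC-7, the P2P signature set is only the SIDs seen on this page, and the carve window is first E7 start to last E7 end plus 1 ms.

```python
"""Parse BotHunter-style infection profiles and show what a DECLARE BOT rests on.

Added example for this page, not BotHunter code. SAMPLE is a constructed, trimmed
copy of the first profile above (same event lines, fewer peers)."""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

SAMPLE = """\
Infected Target: 192.168.1.102
Observed Start: 04/26/2013 06:50:52.473 PDT
PEER COORDINATION
Info
143.215.131.199 (7) (06:50:52.473 PDT-06:51:49.878 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:EC:40 6881->6881 (06:51:00.268 PDT)
    -------------------------
    event=1:2000357 (6) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:EC:40 6: 6881->39023 (06:50:52.473 PDT-06:51:49.878 PDT)
152.3.138.7 (3) (06:50:57.362 PDT-06:51:19.076 PDT)
    event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:EC:40 3: 6881->41805 (06:50:57.362 PDT-06:51:19.076 PDT)
137.165.1.112 (2) (06:51:52.661 PDT-06:52:07.627 PDT)
    event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:EC:40 2: 6881->34209 (06:51:52.661 PDT-06:52:07.627 PDT)
DECLARE BOT Non-standard Port
195.128.181.52 (06:54:03.233 PDT)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 6881->61086 (06:54:03.233 PDT)
"""

# Signature IDs that appear in these profiles; all are BitTorrent/P2P rules
# (ET, GPL and BotHunter-local). Assumption: only the set seen on this page.
P2P_SIDS = {1100012, 1100013, 1100018, 2000334, 2000357, 2000369, 2102180, 2102181}
PDT = timezone(timedelta(hours=-7))  # assumption: report timestamps are UTC-7

TARGET_RE = re.compile(r"Infected Target: (\S+)")
START_RE = re.compile(r"Observed Start: (\d\d/\d\d/\d{4})")
# A peer header line: optional "Info ", the remote IP, optional "(n)", then "(" of the time span.
PEER_RE = re.compile(r"^\s*(?:Info )?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?: \(\d+\))? \(")
EVENT_RE = re.compile(
    r"event=(?P<gid>\d+):(?P<sid>\d+)(?: \((?P<count>\d+)\))? \{(?P<proto>\w+)\} "
    r"(?P<dialog>E\d)\[(?P<conf>\w+)\] (?P<msg>.*?), \[\] MAC_Src: (?P<mac>[0-9A-Fa-f:]+) "
    r"(?:\d+: )?(?P<sport>\d+)->(?P<dport>\d+) "
    r"\((?P<start>\d\d:\d\d:\d\d\.\d+) PDT(?:-(?P<end>\d\d:\d\d:\d\d\.\d+) PDT)?\)"
)


def to_epoch(date_mdy: str, hms: str) -> float:
    """'04/26/2013' + '06:50:52.473' in PDT -> POSIX seconds (float)."""
    dt = datetime.strptime(f"{date_mdy} {hms}", "%m/%d/%Y %H:%M:%S.%f")
    return dt.replace(tzinfo=PDT).timestamp()


def parse_profile(text: str) -> dict:
    """Walk the profile line by line; a peer header line sets the remote IP
    that the indented event= lines below it belong to."""
    target = date = peer = None
    events = []
    for line in text.splitlines():
        if m := TARGET_RE.search(line):
            target = m.group(1)
        elif m := START_RE.search(line):
            date = m.group(1)
        elif m := PEER_RE.match(line):
            peer = m.group("ip")
        elif m := EVENT_RE.search(line):
            if date is None:
                raise ValueError("Observed Start must precede event lines")
            d = m.groupdict()
            events.append({
                "peer": peer, "sid": int(d["sid"]), "count": int(d["count"] or 1),
                "proto": d["proto"], "dialog": d["dialog"], "msg": d["msg"],
                "sport": int(d["sport"]), "dport": int(d["dport"]),
                "start": to_epoch(date, d["start"]),
                "end": to_epoch(date, d["end"] or d["start"]),
            })
    return {"target": target, "events": events}


def assess(profile: dict) -> dict:
    """Separate the supporting evidence (E7) from the declaration trigger (E8)."""
    ev = profile["events"]
    by_dialog = Counter()
    for e in ev:
        by_dialog[e["dialog"]] += e["count"]  # "(6)" means six aggregated alerts
    e7 = [e for e in ev if e["dialog"] == "E7"]
    e8 = [e for e in ev if e["dialog"] == "E8"]
    return {
        "alerts_by_dialog": dict(by_dialog),
        "peer_coord_all_bittorrent": bool(e7) and all(e["sid"] in P2P_SIDS for e in e7),
        "declaration_hits": [(e["peer"], e["sid"], e["sport"], e["dport"]) for e in e8],
        "declaration_from_bt_port": bool(e8) and all(e["sport"] in (6881, 6882) for e in e8),
    }


def tcpslice_cmd(profile: dict, pcap="inputFile.tcpd", out="outputFile.tcpd") -> str:
    """Carve the window covering every E7 alert. The +1 ms is an assumption that
    keeps the last packet inside the slice and matches the report's end time."""
    e7 = [e for e in profile["events"] if e["dialog"] == "E7"]
    start = min(e["start"] for e in e7)
    end = max(e["end"] for e in e7) + 0.001
    return (f"tcpslice {start:.3f} {end:.3f} {pcap} | "
            f"tcpdump -r - -w {out} 'host {profile['target']}'")


if __name__ == "__main__":
    prof = parse_profile(SAMPLE)
    print(assess(prof))
    print(tcpslice_cmd(prof))
```

Run on the first profile, tcpslice_cmd reproduces the report's own arguments (1366984252.473 to 1366984327.628). What assess makes visible is the shape of both profiles: every peer-coordination alert is a BitTorrent signature (client port 6881/6882, tracker port 6969), and the E8 declaration is a single ShadowServer reputation match on one UDP packet sent from that same BitTorrent port, so the 0.8 score rests on an IP-list hit rather than on any observed command-and-control exchange. Pull the carved pcap and confirm before treating 192.168.1.102 as infected. Note also that the second profile's report window ends at 07:47:07.282, before its last single-packet E7 alerts at 07:47:17, so the report's own slice rule is evidently narrower than the whole-E7 window computed here.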