Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 192.107.171.145, 192.36.94.3, 211.68.70.40, 204.85.191.11, 138.4.0.120, 78.81.56.55, 193.175.135.59 (3), 193.206.22.134, 128.36.233.153, 195.113.161.14, 128.42.142.42, 140.109.17.180 (4)
Resource List:
Observed Start: 04/27/2013 03:05:50.549 PDT
Gen. Time: 04/27/2013 03:09:28.968 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
192.107.171.145 (03:06:02.384 PDT)
  event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C 40212->6881 (03:06:02.384 PDT)
192.36.94.3 (03:06:01.967 PDT)
  event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C 47143->6881 (03:06:01.967 PDT)
211.68.70.40 (03:06:08.128 PDT)
  event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C 36993->6881 (03:06:08.128 PDT)
204.85.191.11 (03:06:10.767 PDT)
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 6882->51706 (03:06:10.767 PDT)
138.4.0.120 (03:06:13.290 PDT)
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 56944->6881 (03:06:13.290 PDT)
78.81.56.55 (03:06:00.988 PDT)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6881->64565 (03:06:00.988 PDT)
193.175.135.59 (3) (03:05:55.373 PDT-03:06:08.798 PDT)
  event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 3: 53783->6881 (03:05:55.373 PDT-03:06:08.798 PDT)
193.206.22.134 (03:06:08.489 PDT)
  event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C 47902->6882 (03:06:08.489 PDT)
128.36.233.153 (03:06:05.918 PDT)
  event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C 32878->6881 (03:06:05.918 PDT)
195.113.161.14 (03:06:13.740 PDT)
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 55491->6882 (03:06:13.740 PDT)
128.42.142.42 (03:06:00.425 PDT)
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 38819->6881 (03:06:00.425 PDT)
140.109.17.180 (4) (03:05:50.549 PDT-03:06:15.670 PDT)
  event=1:2000357 (4) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 4: 36816->6881 (03:05:50.549 PDT-03:06:15.670 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
195.128.181.52 (03:09:28.968 PDT)
  event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 6882->61086 (03:09:28.968 PDT)
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367057150.549 1367057175.671 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 141.161.20.33, 211.69.207.34 (2), 202.202.43.199 (2), 212.235.189.114, 80.69.61.160, 206.117.37.5, 156.17.10.52, 169.229.50.4 (3), 193.174.67.187 (2), 132.239.17.226 (3)
Resource List:
Observed Start: 04/27/2013 03:33:48.976 PDT
Gen. Time: 04/27/2013 03:36:40.952 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
141.161.20.33 (03:34:04.163 PDT)
  event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C 6882->59738 (03:34:04.163 PDT)
211.69.207.34 (2) (03:34:14.241 PDT-03:34:28.908 PDT)
  event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2: 6882->33131 (03:34:14.241 PDT-03:34:28.908 PDT)
202.202.43.199 (2) (03:34:01.154 PDT-03:34:12.042 PDT)
  event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2: 6881->39321 (03:34:01.154 PDT-03:34:12.042 PDT)
212.235.189.114 (03:33:48.976 PDT)
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 6882->38113 (03:33:48.976 PDT)
80.69.61.160 (03:34:28.530 PDT)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6881->10617 (03:34:28.530 PDT)
206.117.37.5 (03:33:54.071 PDT)
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 6881->55016 (03:33:54.071 PDT)
156.17.10.52 (03:34:16.931 PDT)
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 6881->45760 (03:34:16.931 PDT)
169.229.50.4 (3) (03:34:00.911 PDT-03:34:27.613 PDT)
  event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 3: 6882->41821 (03:34:00.911 PDT-03:34:27.613 PDT)
193.174.67.187 (2) (03:33:59.563 PDT-03:34:11.599 PDT)
  event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2: 60738->6881 (03:33:59.563 PDT-03:34:11.599 PDT)
132.239.17.226 (3) (03:34:04.299 PDT-03:34:28.955 PDT)
  event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 3: 6881->40678 (03:34:04.299 PDT-03:34:28.955 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
195.128.181.52 (03:36:40.952 PDT)
  event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 6881->61086 (03:36:40.952 PDT)
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367058828.976 1367058868.956 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 149.43.80.22, 137.165.1.114, 164.107.127.12, 129.93.229.139, 129.93.229.138, 141.213.4.201, 128.84.154.45, 208.77.77.197, 128.223.8.114, 199.26.254.68, 193.136.124.228, 202.112.28.98, 128.208.4.198 (2), 193.166.167.4, 130.237.50.235 (2)
Resource List:
Observed Start: 04/27/2013 03:49:43.747 PDT
Gen. Time: 04/27/2013 03:52:42.399 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
149.43.80.22 (03:49:51.272 PDT)
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 34520->6881 (03:49:51.272 PDT)
137.165.1.114 (03:49:56.044 PDT)
  event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 44650->6882 (03:49:56.044 PDT)
164.107.127.12 (03:49:56.035 PDT)
  event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 60161->6881 (03:49:56.035 PDT)
129.93.229.139 (03:49:43.747 PDT)
  event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C 6882->54215 (03:49:43.747 PDT)
129.93.229.138 (03:49:56.013 PDT)
  event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 49340->6881 (03:49:56.013 PDT)
141.213.4.201 (03:49:56.016 PDT)
  event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 57409->6881 (03:49:56.016 PDT)
128.84.154.45 (03:49:56.031 PDT)
  event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 36168->6881 (03:49:56.031 PDT)
208.77.77.197 (03:49:55.990 PDT)
  event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 49192->6881 (03:49:55.990 PDT)
128.223.8.114 (03:49:53.099 PDT)
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 6881->54201 (03:49:53.099 PDT)
199.26.254.68 (03:49:45.983 PDT)
  event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C 51167->6881 (03:49:45.983 PDT)
193.136.124.228 (03:49:51.793 PDT)
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 6881->51674 (03:49:51.793 PDT)
202.112.28.98 (03:49:45.474 PDT)
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 52339->6881 (03:49:45.474 PDT)
128.208.4.198 (2) (03:49:55.989 PDT)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C 48616->6881 (03:49:55.989 PDT)
  event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 48616->6881 (03:49:55.989 PDT)
193.166.167.4 (03:49:55.814 PDT)
  event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C 44138->6884 (03:49:55.814 PDT)
130.237.50.235 (2) (03:49:55.762 PDT)
  event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C 36634->6969 (03:49:55.762 PDT)
  event=1:2000369 {tcp} E7[info] ET P2P BitTorrent Announce, [] MAC_Src: 00:21:5A:08:BB:0C 36634->6969 (03:49:55.762 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
195.128.181.52 (03:52:42.399 PDT)
  event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 6881->61086 (03:52:42.399 PDT)
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367059783.747 1367059783.748 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 203.178.133.2 (4), 193.166.160.98, 129.130.252.141 (3), 131.247.2.248 (3), 130.194.252.8 (3), 134.151.255.181, 193.136.227.164 (2)
Resource List:
Observed Start: 04/27/2013 04:01:45.003 PDT
Gen. Time: 04/27/2013 04:03:39.118 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
203.178.133.2 (4) (04:01:48.691 PDT-04:02:23.308 PDT)
  event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C 45851->6881 (04:02:08.672 PDT)
  event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 3: 45851->6881 (04:01:48.691 PDT-04:02:23.308 PDT)
193.166.160.98 (04:02:19.772 PDT)
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 6881->58746 (04:02:19.772 PDT)
129.130.252.141 (3) (04:01:53.897 PDT-04:02:18.279 PDT)
  event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 3: 6882->60965 (04:01:53.897 PDT-04:02:18.279 PDT)
131.247.2.248 (3) (04:01:45.003 PDT-04:02:08.424 PDT)
  event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 3: 6881->58383 (04:01:45.003 PDT-04:02:08.424 PDT)
130.194.252.8 (3) (04:01:50.043 PDT-04:02:13.313 PDT)
  event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 3: 6881->43870 (04:01:50.043 PDT-04:02:13.313 PDT)
134.151.255.181 (04:02:01.193 PDT)
  event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C 6882->50626 (04:02:01.193 PDT)
193.136.227.164 (2) (04:01:59.890 PDT-04:02:13.388 PDT)
  event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2: 42725->6881 (04:01:59.890 PDT-04:02:13.388 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
195.128.181.52 (04:03:39.118 PDT)
  event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 6882->61086 (04:03:39.118 PDT)
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367060505.003 1367060543.309 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 169.235.24.232, 131.254.208.12
Resource List:
Observed Start: 04/27/2013 04:13:49.928 PDT
Gen. Time: 04/27/2013 04:13:51.205 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
169.235.24.232 (04:13:49.928 PDT)
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 47410->6882 (04:13:49.928 PDT)
131.254.208.12 (04:13:51.176 PDT)
  event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C 6882->58206 (04:13:51.176 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
195.128.181.52 (04:13:51.205 PDT)
  event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 6881->61086 (04:13:51.205 PDT)
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367061229.928 1367061229.929 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List: 221.143.43.214
Peer Coord. List: 149.43.80.22 (3), 169.235.24.232, 131.254.208.12, 204.85.191.11 (2), 155.246.12.164 (2), 198.82.160.239, 128.84.154.44, 128.232.103.201, 128.31.1.14, 66.140.111.5, 193.63.75.18, 194.29.178.13 (2)
Resource List:
Observed Start: 04/27/2013 04:13:49.928 PDT
Gen. Time: 04/27/2013 04:17:45.864 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
221.143.43.214 (04:17:29.696 PDT)
  event=1:3810008 {udp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 42438->53 (04:17:29.696 PDT)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
149.43.80.22 (3) (04:13:51.813 PDT-04:14:06.564 PDT)
  event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C 46462->6881 (04:14:18.133 PDT)
  event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2: 46462->6881 (04:13:51.813 PDT-04:14:06.564 PDT)
169.235.24.232 (04:13:49.928 PDT)
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 47410->6882 (04:13:49.928 PDT)
131.254.208.12 (04:13:51.176 PDT)
  event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C 6882->58206 (04:13:51.176 PDT)
204.85.191.11 (2) (04:13:57.349 PDT-04:14:12.215 PDT)
  event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2: 45769->6881 (04:13:57.349 PDT-04:14:12.215 PDT)
155.246.12.164 (2) (04:13:54.654 PDT-04:14:09.929 PDT)
  event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2: 6882->48489 (04:13:54.654 PDT-04:14:09.929 PDT)
198.82.160.239 (04:14:04.264 PDT)
  event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C 53559->6881 (04:14:04.264 PDT)
128.84.154.44 (04:13:55.159 PDT)
  event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C 56603->6881 (04:13:55.159 PDT)
128.232.103.201 (04:14:17.296 PDT)
  event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C 60755->6881 (04:14:17.296 PDT)
128.31.1.14 (04:13:55.403 PDT)
  event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C 6882->42125 (04:13:55.403 PDT)
66.140.111.5 (04:13:58.533 PDT)
  event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C 6882->47022 (04:13:58.533 PDT)
193.63.75.18 (04:14:17.053 PDT)
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 50846->6881 (04:14:17.053 PDT)
194.29.178.13 (2) (04:13:54.839 PDT)
  event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C 33870->6881 (04:13:54.839 PDT)
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 33870->6881 (04:13:55.202 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
195.128.181.52 (04:13:51.205 PDT)
  event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 6881->61086 (04:13:51.205 PDT)
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367061229.928 1367061252.216 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 128.111.52.63, 72.36.112.78 (4), 204.85.191.10, 155.185.54.249, 133.9.81.165 (3), 160.80.221.37, 128.252.19.19, 159.217.144.112 (2), 212.51.218.237 (3)
Resource List:
Observed Start: 04/27/2013 04:37:39.634 PDT
Gen. Time: 04/27/2013 04:38:36.183 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
128.111.52.63 (04:37:46.330 PDT)
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 6882->59167 (04:37:46.330 PDT)
72.36.112.78 (4) (04:37:42.415 PDT-04:38:21.872 PDT)
  event=1:2000357 (4) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 4: 6881->45251 (04:37:42.415 PDT-04:38:21.872 PDT)
204.85.191.10 (04:38:14.222 PDT)
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 6882->41293 (04:38:14.222 PDT)
155.185.54.249 (04:38:12.928 PDT)
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 6881->58651 (04:38:12.928 PDT)
133.9.81.165 (3) (04:37:51.668 PDT-04:38:16.414 PDT)
  event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 3: 6882->56376 (04:37:51.668 PDT-04:38:16.414 PDT)
160.80.221.37 (04:37:47.047 PDT)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6882->6881 (04:37:47.047 PDT)
128.252.19.19 (04:37:39.634 PDT)
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 6881->52027 (04:37:39.634 PDT)
159.217.144.112 (2) (04:37:48.127 PDT-04:38:03.430 PDT)
  event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2: 6882->45321 (04:37:48.127 PDT-04:38:03.430 PDT)
212.51.218.237 (3) (04:37:47.217 PDT-04:38:11.046 PDT)
  event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 3: 6881->53445 (04:37:47.217 PDT-04:38:11.046 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
195.128.181.52 (04:38:36.183 PDT)
  event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 6882->61086 (04:38:36.183 PDT)
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367062659.634 1367062701.873 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 132.227.62.122, 134.151.255.180 (2), 192.43.193.71, 129.93.229.138, 193.63.75.20, 208.77.77.197 (2), 192.52.240.214, 193.136.227.164, 130.37.193.141, 133.68.253.243, 194.47.148.172 (3), 138.48.3.202, 130.195.4.69
Resource List:
Observed Start: 04/27/2013 05:57:31.469 PDT
Gen. Time: 04/27/2013 06:01:08.558 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
132.227.62.122 (05:57:31.469 PDT)
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 58844->6881 (05:57:31.469 PDT)
134.151.255.180 (2) (05:57:45.927 PDT-05:57:55.106 PDT)
  event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2: 6882->59490 (05:57:45.927 PDT-05:57:55.106 PDT)
192.43.193.71 (05:57:51.850 PDT)
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 6882->43050 (05:57:51.850 PDT)
129.93.229.138 (05:57:44.978 PDT)
  event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C 46497->6882 (05:57:44.978 PDT)
193.63.75.20 (05:58:00.596 PDT)
  event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C 45277->6881 (05:58:00.596 PDT)
208.77.77.197 (2) (05:57:51.682 PDT-05:58:01.473 PDT)
  event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2: 6881->52781 (05:57:51.682 PDT-05:58:01.473 PDT)
192.52.240.214 (05:57:50.385 PDT)
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 6881->39747 (05:57:50.385 PDT)
193.136.227.164 (05:57:39.255 PDT)
  event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C 6881->38029 (05:57:39.255 PDT)
130.37.193.141 (05:57:44.947 PDT)
  event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C 49343->6881 (05:57:44.947 PDT)
133.68.253.243 (05:57:34.618 PDT)
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 6882->35592 (05:57:34.618 PDT)
194.47.148.172 (3) (05:57:35.358 PDT-05:57:45.290 PDT)
  event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C 6881->46420 (05:57:53.131 PDT)
  event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2: 6881->46420 (05:57:35.358 PDT-05:57:45.290 PDT)
138.48.3.202 (05:57:38.116 PDT)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6881->6881 (05:57:38.116 PDT)
130.195.4.69 (05:57:34.055 PDT)
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 6881->43793 (05:57:34.055 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
195.128.181.52 (06:01:08.558 PDT)
  event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 6881->61086 (06:01:08.558 PDT)
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367067451.469 1367067481.474 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 192.107.171.145 (2), 129.242.19.196, 92.251.136.197, 200.10.150.253 (5), 192.33.90.66 (3), 136.159.220.42 (4), 188.162.132.11
Resource List:
Observed Start: 04/27/2013 09:31:26.951 PDT
Gen. Time: 04/27/2013 09:35:08.222 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
192.107.171.145 (2) (09:31:26.951 PDT-09:31:37.813 PDT)
  event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2: 6881->46803 (09:31:26.951 PDT-09:31:37.813 PDT)
129.242.19.196 (09:32:42.095 PDT)
  event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 6881->41846 (09:32:42.095 PDT)
92.251.136.197 (09:32:36.157 PDT)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6881->51883 (09:32:36.157 PDT)
200.10.150.253 (5) (09:31:42.305 PDT-09:32:33.064 PDT)
  event=1:2000357 (5) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 5: 6881->41522 (09:31:42.305 PDT-09:32:33.064 PDT)
192.33.90.66 (3) (09:32:11.899 PDT-09:32:37.952 PDT)
  event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 3: 6881->48075 (09:32:11.899 PDT-09:32:37.952 PDT)
136.159.220.42 (4) (09:31:34.634 PDT-09:32:10.102 PDT)
  event=1:2000357 (4) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 4: 6881->57260 (09:31:34.634 PDT-09:32:10.102 PDT)
188.162.132.11 (09:31:31.306 PDT)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6881->53596 (09:31:31.306 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
195.128.181.52 (09:35:08.222 PDT)
  event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 6881->61086 (09:35:08.222 PDT)
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367080286.951 1367080357.953 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 195.130.124.1, 193.136.124.226, 211.69.207.34, 203.30.39.239, 200.19.159.34, 203.30.39.242
Resource List:
Observed Start: 04/27/2013 13:48:22.697 PDT
Gen. Time: 04/27/2013 13:48:42.163 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
195.130.124.1 (13:48:22.722 PDT)
  event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 34387->6882 (13:48:22.722 PDT)
193.136.124.226 (13:48:22.772 PDT)
  event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 56700->6882 (13:48:22.772 PDT)
211.69.207.34 (13:48:22.772 PDT)
  event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 37215->6884 (13:48:22.772 PDT)
203.30.39.239 (13:48:22.722 PDT)
  event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 43463->6882 (13:48:22.722 PDT)
200.19.159.34 (13:48:22.697 PDT)
  event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 51752->6883 (13:48:22.697 PDT)
203.30.39.242 (13:48:22.697 PDT)
  event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 33236->6883 (13:48:22.697 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
195.128.181.52 (13:48:42.163 PDT)
  event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 6884->61086 (13:48:42.163 PDT)
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367095702.697 1367095702.698 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 193.136.124.226, 131.179.150.72, 200.19.159.34, 132.252.152.193, 211.69.207.34, 203.30.39.239, 195.130.124.1, 169.229.50.7, 86.177.172.61, 204.8.155.227, 206.117.37.5 (2), 203.30.39.242, 130.237.50.235 (4)
Resource List:
Observed Start: 04/27/2013 13:48:22.697 PDT
Gen. Time: 04/27/2013 13:52:25.236 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
193.136.124.226 (13:48:22.772 PDT)
  event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 56700->6882 (13:48:22.772 PDT)
131.179.150.72 (13:51:05.504 PDT)
  event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 33582->6883 (13:51:05.504 PDT)
200.19.159.34 (13:48:22.697 PDT)
  event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 51752->6883 (13:48:22.697 PDT)
132.252.152.193 (13:50:52.383 PDT)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6884->6882 (13:50:52.383 PDT)
211.69.207.34 (13:48:22.772 PDT)
  event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 37215->6884 (13:48:22.772 PDT)
203.30.39.239 (13:48:22.722 PDT)
  event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 43463->6882 (13:48:22.722 PDT)
195.130.124.1 (13:48:22.722 PDT)
  event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 34387->6882 (13:48:22.722 PDT)
169.229.50.7 (13:51:05.529 PDT)
  event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 36993->6882 (13:51:05.529 PDT)
86.177.172.61 (13:48:47.669 PDT)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6882->28103 (13:48:47.669 PDT)
204.8.155.227 (13:49:49.769 PDT)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6882->6882 (13:49:49.769 PDT)
206.117.37.5 (2) (13:51:05.504 PDT)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C 39269->6882 (13:51:05.504 PDT)
  event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 39269->6882 (13:51:05.504 PDT)
203.30.39.242 (13:48:22.697 PDT)
  event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C 33236->6883 (13:48:22.697 PDT)
130.237.50.235 (4) (13:50:29.719 PDT)
  event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C 38595->6969 (13:50:29.719 PDT)
  event=1:2000369 (2) {tcp} E7[info] ET P2P BitTorrent Announce, [] MAC_Src: 00:21:5A:08:BB:0C 38595->6969 (13:50:29.719 PDT) 38615->6969 (13:51:05.247 PDT)
  event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:21:5A:08:BB:0C 38615->6969 (13:51:05.247 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
195.128.181.52 (13:48:42.163 PDT)
  event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 6884->61086 (13:48:42.163 PDT)
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367095702.697 1367095702.698 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 137.165.1.114 (4), 204.123.28.57 (6), 193.63.75.20 (2), 141.22.213.35 (4), 81.33.98.100
Resource List:
Observed Start: 04/27/2013 14:23:59.735 PDT
Gen. Time: 04/27/2013 14:25:59.186 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
137.165.1.114 (4) (14:23:59.735 PDT-14:24:34.743 PDT)
  event=1:2000357 (4) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 4: 6884->53673 (14:23:59.735 PDT-14:24:34.743 PDT)
204.123.28.57 (6) (14:24:14.157 PDT-14:25:10.550 PDT)
  event=1:2000357 (6) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 6: 6884->34540 (14:24:14.157 PDT-14:25:10.550 PDT)
193.63.75.20 (2) (14:24:07.382 PDT-14:25:14.312 PDT)
  event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 2: 6884->51709 (14:24:07.382 PDT-14:25:14.312 PDT)
141.22.213.35 (4) (14:24:44.252 PDT-14:25:18.838 PDT)
  event=1:2000357 (4) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C 4: 6884->57889 (14:24:44.252 PDT-14:25:18.838 PDT)
81.33.98.100 (14:24:19.807 PDT)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C 6882->18276 (14:24:19.807 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
195.128.181.52 (14:25:59.186 PDT)
  event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 6882->61086 (14:25:59.186 PDT)
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367097839.735 1367097918.839 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================