Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 50.19.95.119, 90.200.248.77, 208.83.20.164, 95.215.61.199
Resource List:
Observed Start: 01/15/2013 12:38:16.588 PST
Gen. Time: 01/15/2013 12:39:30.385 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP

PEER COORDINATION
  Info
  50.19.95.119 (12:39:16.953 PST)
    event=1:1100019 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
    54780->80 (12:39:16.953 PST)
  90.200.248.77 (12:38:34.055 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->59823 (12:38:34.055 PST)
  208.83.20.164 (12:39:16.953 PST)
    event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [%0F%8F%E1%F2|%F5x%CEalt/BotHunter-Windows-Distribution-v1.0.4a.exe] MAC_Src: 00:01:64:FF:CE:EA
    54773->80 (12:39:16.953 PST)
  95.215.61.199 (12:38:16.588 PST)
    event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA
    54727->80 (12:38:16.588 PST)

PEER COORDINATION

DECLARE BOT
  Standard Port

DECLARE BOT
  Non-standard Port
  69.43.161.167 (12:39:30.385 PST)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->6099 (12:39:30.385 PST)

DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358282296.588 1358282296.589 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 95.215.61.199, 208.83.20.164, 181.47.147.164, 90.200.248.77, 81.206.26.246, 2.25.74.252, 50.19.95.119, 178.239.54.153, 88.80.29.6
Resource List:
Observed Start: 01/15/2013 12:38:16.588 PST
Gen. Time: 01/15/2013 12:41:34.015 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP

PEER COORDINATION
  Info
  95.215.61.199 (12:38:16.588 PST)
    event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA
    54727->80 (12:38:16.588 PST)
  208.83.20.164 (12:39:16.953 PST)
    event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [%0F%8F%E1%F2|%F5x%CEalt/BotHunter-Windows-Distribution-v1.0.4a.exe] MAC_Src: 00:01:64:FF:CE:EA
    54773->80 (12:39:16.953 PST)
  181.47.147.164 (12:40:34.830 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->58485 (12:40:34.830 PST)
  90.200.248.77 (12:38:34.055 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->59823 (12:38:34.055 PST)
  81.206.26.246 (12:39:34.103 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->63083 (12:39:34.103 PST)
  2.25.74.252 (12:41:34.015 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->63614 (12:41:34.015 PST)
  50.19.95.119 (12:39:16.953 PST)
    event=1:1100019 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
    54780->80 (12:39:16.953 PST)
  178.239.54.153 (12:40:48.685 PST)
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
    56309->3310 (12:40:48.685 PST)
  88.80.29.6 (12:39:32.789 PST)
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
    55185->6969 (12:39:32.789 PST)

PEER COORDINATION

DECLARE BOT
  Standard Port

DECLARE BOT
  Non-standard Port
  69.43.161.167 (12:39:30.385 PST)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->6099 (12:39:30.385 PST)

DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358282296.588 1358282296.589 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 208.95.173.194, 82.4.13.115, 69.118.19.218, 202.103.67.135
Resource List:
Observed Start: 01/15/2013 12:42:07.337 PST
Gen. Time: 01/15/2013 12:42:58.974 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP

PEER COORDINATION
  Info
  208.95.173.194 (12:42:58.953 PST)
    event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA
    58160->2710 (12:42:58.953 PST)
  82.4.13.115 (12:42:07.337 PST)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
    57522->16587 (12:42:07.337 PST)
  69.118.19.218 (12:42:34.615 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->52739 (12:42:34.615 PST)
  202.103.67.135 (12:42:58.953 PST)
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [%007p%E6%00%92%%04%17%03%01%00@%E5%0F[%D3%8C%91%B2%00%00Y%CA9%F8%19%15%99%C6%A3'%84%FBv%E9%E1;%1D^/@%C1%9FZ%00%B3%E28%E7^%93w%CF] MAC_Src: 00:01:64:FF:CE:EA
    58147->8080 (12:42:58.953 PST)

PEER COORDINATION

DECLARE BOT
  Standard Port

DECLARE BOT
  Non-standard Port
  69.43.161.167 (12:42:58.974 PST)
    event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
    58369->6099 (12:42:58.974 PST)

DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358282527.337 1358282527.338 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 157.181.102.170, 208.95.173.194, 202.103.67.135, 182.234.12.5, 82.4.13.115, 87.241.99.41, 50.19.95.119, 69.118.19.218, 143.176.16.96, 190.95.2.82, 74.125.228.5
Resource List:
Observed Start: 01/15/2013 12:42:07.337 PST
Gen. Time: 01/15/2013 12:45:38.229 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP

PEER COORDINATION
  Info
  157.181.102.170 (12:45:37.981 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->49371 (12:45:37.981 PST)
  208.95.173.194 (12:42:58.953 PST)
    event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA
    58160->2710 (12:42:58.953 PST)
  202.103.67.135 (12:42:58.953 PST)
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [%007p%E6%00%92%%04%17%03%01%00@%E5%0F[%D3%8C%91%B2%00%00Y%CA9%F8%19%15%99%C6%A3'%84%FBv%E9%E1;%1D^/@%C1%9FZ%00%B3%E28%E7^%93w%CF] MAC_Src: 00:01:64:FF:CE:EA
    58147->8080 (12:42:58.953 PST)
  182.234.12.5 (12:43:27.125 PST)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
    58941->22912 (12:43:27.125 PST)
  82.4.13.115 (12:42:07.337 PST)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
    57522->16587 (12:42:07.337 PST)
  87.241.99.41 (12:44:44.666 PST)
    event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
    60064->2710 (12:44:44.666 PST)
  50.19.95.119 (12:44:32.392 PST)
    event=1:1100019 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
    60001->80 (12:44:32.392 PST)
  69.118.19.218 (12:42:34.615 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->52739 (12:42:34.615 PST)
  143.176.16.96 (12:44:37.464 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->16354 (12:44:37.464 PST)
  190.95.2.82 (12:43:35.297 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->47999 (12:43:35.297 PST)
  74.125.228.5 (12:44:02.310 PST)
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
    59440->80 (12:44:02.310 PST)

PEER COORDINATION

DECLARE BOT
  Standard Port

DECLARE BOT
  Non-standard Port
  69.43.161.167 (12:42:58.974 PST)
    event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
    58369->6099 (12:42:58.974 PST)

DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358282527.337 1358282527.338 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 124.232.148.149, 208.83.20.164, 79.116.254.87
Resource List:
Observed Start: 01/15/2013 12:48:44.191 PST
Gen. Time: 01/15/2013 12:49:40.446 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP

PEER COORDINATION
  Info
  124.232.148.149 (12:49:27.948 PST)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
    63812->11897 (12:49:27.948 PST)
  208.83.20.164 (12:49:31.117 PST)
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
    63896->6969 (12:49:31.117 PST)
  79.116.254.87 (12:48:44.191 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->21284 (12:48:44.191 PST)

PEER COORDINATION

DECLARE BOT
  Standard Port

DECLARE BOT
  Non-standard Port
  69.43.161.167 (12:49:40.446 PST)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->6099 (12:49:40.446 PST)

DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358282924.191 1358282924.192 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 124.232.148.149 (2), 71.233.85.119, 85.17.143.16, 79.119.102.165, 96.43.178.88, 2.25.74.252, 208.83.20.164 (2), 79.116.254.87
Resource List:
Observed Start: 01/15/2013 12:48:44.191 PST
Gen. Time: 01/15/2013 12:52:14.647 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP

PEER COORDINATION
  Info
  124.232.148.149 (2) (12:49:27.948 PST)
    event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
    63812->11897 (12:49:27.948 PST)
    64887->11897 (12:51:09.085 PST)
  71.233.85.119 (12:50:45.736 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->41600 (12:50:45.736 PST)
  85.17.143.16 (12:49:50.998 PST)
    event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA
    64063->6969 (12:49:50.998 PST)
  79.119.102.165 (12:49:45.013 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->44388 (12:49:45.013 PST)
  96.43.178.88 (12:52:14.647 PST)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
    65450->6890 (12:52:14.647 PST)
  2.25.74.252 (12:51:45.066 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->63614 (12:51:45.066 PST)
  208.83.20.164 (2) (12:49:31.117 PST)
    event=1:1100016 (2) {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
    63896->6969 (12:49:31.117 PST)
    64498->6969 (12:50:31.082 PST)
  79.116.254.87 (12:48:44.191 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->21284 (12:48:44.191 PST)

PEER COORDINATION

DECLARE BOT
  Standard Port

DECLARE BOT
  Non-standard Port
  69.43.161.167 (12:49:40.446 PST)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->6099 (12:49:40.446 PST)

DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358282924.191 1358282924.192 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 5.14.210.26, 79.182.183.30, 96.43.178.88 (2), 190.78.20.229, 174.95.112.179
Resource List:
Observed Start: 01/15/2013 12:52:48.738 PST
Gen. Time: 01/15/2013 12:56:31.040 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP

PEER COORDINATION
  Info
  5.14.210.26 (12:55:49.049 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->38171 (12:55:49.049 PST)
  79.182.183.30 (12:54:49.725 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->37646 (12:54:49.725 PST)
  96.43.178.88 (2) (12:54:07.719 PST)
    event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
    50135->6890 (12:54:07.719 PST)
    50894->6890 (12:55:41.478 PST)
  190.78.20.229 (12:52:48.738 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->51413 (12:52:48.738 PST)
  174.95.112.179 (12:53:49.391 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->4663 (12:53:49.391 PST)

PEER COORDINATION

DECLARE BOT
  Standard Port

DECLARE BOT
  Non-standard Port
  69.43.161.167 (12:56:31.040 PST)
    event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
    51422->6099 (12:56:31.040 PST)

DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358283168.738 1358283168.739 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 178.239.54.153 (2), 46.121.14.61, 81.135.58.137, 189.60.17.149, 119.80.181.61, 96.43.178.88, 88.80.29.6, 212.59.28.49
Resource List:
Observed Start: 01/15/2013 13:09:56.463 PST
Gen. Time: 01/15/2013 13:13:10.805 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP

PEER COORDINATION
  Info
  178.239.54.153 (2) (13:12:00.018 PST)
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
    59635->3310 (13:13:01.191 PST)
    -------------------------
    event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
    59058->3310 (13:12:00.018 PST)
  46.121.14.61 (13:10:57.651 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->44473 (13:10:57.651 PST)
  81.135.58.137 (13:12:57.347 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->28442 (13:12:57.347 PST)
  189.60.17.149 (13:11:57.299 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->21268 (13:11:57.299 PST)
  119.80.181.61 (13:09:56.463 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->16001 (13:09:56.463 PST)
  96.43.178.88 (13:11:32.798 PST)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
    58826->6890 (13:11:32.798 PST)
  88.80.29.6 (13:10:51.627 PST)
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
    58439->6969 (13:10:51.627 PST)
  212.59.28.49 (13:13:08.583 PST)
    event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
    59702->2710 (13:13:08.583 PST)

PEER COORDINATION

DECLARE BOT
  Standard Port

DECLARE BOT
  Non-standard Port
  69.43.161.167 (13:13:10.805 PST)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->6099 (13:13:10.805 PST)

DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358284196.463 1358284196.464 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 178.239.54.153 (2), 46.121.14.61, 81.135.58.137, 189.60.17.149, 119.80.181.61, 96.43.178.88 (2), 88.80.29.6, 212.59.28.49
Resource List:
Observed Start: 01/15/2013 13:09:56.463 PST
Gen. Time: 01/15/2013 13:13:58.527 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP

PEER COORDINATION
  Info
  178.239.54.153 (2) (13:12:00.018 PST)
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
    59635->3310 (13:13:01.191 PST)
    -------------------------
    event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
    59058->3310 (13:12:00.018 PST)
  46.121.14.61 (13:10:57.651 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->44473 (13:10:57.651 PST)
  81.135.58.137 (13:12:57.347 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->28442 (13:12:57.347 PST)
  189.60.17.149 (13:11:57.299 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->21268 (13:11:57.299 PST)
  119.80.181.61 (13:09:56.463 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->16001 (13:09:56.463 PST)
  96.43.178.88 (2) (13:11:32.798 PST)
    event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
    58826->6890 (13:11:32.798 PST)
    59783->6890 (13:13:19.548 PST)
  88.80.29.6 (13:10:51.627 PST)
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
    58439->6969 (13:10:51.627 PST)
  212.59.28.49 (13:13:08.583 PST)
    event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
    59702->2710 (13:13:08.583 PST)

PEER COORDINATION

DECLARE BOT
  Standard Port

DECLARE BOT
  Non-standard Port
  69.43.161.167 (13:13:10.805 PST)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->6099 (13:13:10.805 PST)

DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358284196.463 1358284196.464 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 96.43.178.88, 88.120.28.250
Resource List:
Observed Start: 01/15/2013 13:29:05.629 PST
Gen. Time: 01/15/2013 13:29:40.894 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP

PEER COORDINATION
  Info
  96.43.178.88 (13:29:05.629 PST)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
    53603->6890 (13:29:05.629 PST)
  88.120.28.250 (13:29:07.086 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->20267 (13:29:07.086 PST)

PEER COORDINATION

DECLARE BOT
  Standard Port

DECLARE BOT
  Non-standard Port
  69.43.161.167 (13:29:40.894 PST)
    event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
    53868->6099 (13:29:40.894 PST)

DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358285345.629 1358285345.630 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 219.78.204.230, 92.233.253.189, 96.43.178.88 (2), 190.78.20.229, 121.14.98.151, 88.120.28.250
Resource List:
Observed Start: 01/15/2013 13:29:05.629 PST
Gen. Time: 01/15/2013 13:32:25.742 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP

PEER COORDINATION
  Info
  219.78.204.230 (13:31:07.454 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->18535 (13:31:07.454 PST)
  92.233.253.189 (13:30:07.356 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->14556 (13:30:07.356 PST)
  96.43.178.88 (2) (13:29:05.629 PST)
    event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
    53603->6890 (13:29:05.629 PST)
    54662->6890 (13:31:13.151 PST)
  190.78.20.229 (13:32:08.103 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->51413 (13:32:08.103 PST)
  121.14.98.151 (13:31:51.384 PST)
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
    55099->9090 (13:31:51.384 PST)
  88.120.28.250 (13:29:07.086 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->20267 (13:29:07.086 PST)

PEER COORDINATION

DECLARE BOT
  Standard Port

DECLARE BOT
  Non-standard Port
  69.43.161.167 (13:29:40.894 PST)
    event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
    53868->6099 (13:29:40.894 PST)

DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358285345.629 1358285345.630 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 112.206.116.33
Resource List:
Observed Start: 01/15/2013 13:59:34.071 PST
Gen. Time: 01/15/2013 14:00:00.209 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP

PEER COORDINATION
  Info
  112.206.116.33 (13:59:34.071 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->34499 (13:59:34.071 PST)

PEER COORDINATION

DECLARE BOT
  Standard Port

DECLARE BOT
  Non-standard Port
  69.43.161.167 (14:00:00.209 PST)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->6099 (14:00:00.209 PST)

DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358287174.071 1358287174.072 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 112.206.116.33, 109.226.58.242, 95.93.1.44, 96.43.178.88, 67.9.87.156, 121.14.98.151
Resource List:
Observed Start: 01/15/2013 13:59:34.071 PST
Gen. Time: 01/15/2013 14:03:34.089 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP

PEER COORDINATION
  Info
  112.206.116.33 (13:59:34.071 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->34499 (13:59:34.071 PST)
  109.226.58.242 (14:02:35.135 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->24544 (14:02:35.135 PST)
  95.93.1.44 (14:01:34.809 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->45560 (14:01:34.809 PST)
  96.43.178.88 (14:00:40.204 PST)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
    54162->6890 (14:00:40.204 PST)
  67.9.87.156 (14:00:34.042 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->42007 (14:00:34.042 PST)
  121.14.98.151 (14:02:00.633 PST)
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
    54807->9090 (14:02:00.633 PST)

PEER COORDINATION

DECLARE BOT
  Standard Port

DECLARE BOT
  Non-standard Port
  69.43.161.167 (14:00:00.209 PST)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->6099 (14:00:00.209 PST)

DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358287174.071 1358287174.072 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 71.84.2.143, 178.137.42.249, 85.101.20.239, 177.52.225.7
Resource List:
Observed Start: 01/15/2013 14:29:47.324 PST
Gen. Time: 01/15/2013 14:31:55.531 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP

PEER COORDINATION
  Info
  71.84.2.143 (14:30:47.341 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->40143 (14:30:47.341 PST)
  178.137.42.249 (14:29:47.324 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->6881 (14:29:47.324 PST)
  85.101.20.239 (14:31:48.022 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->35968 (14:31:48.022 PST)
  177.52.225.7 (14:30:47.451 PST)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
    54432->3666 (14:30:47.451 PST)

PEER COORDINATION

DECLARE BOT
  Standard Port

DECLARE BOT
  Non-standard Port
  69.43.161.167 (14:31:55.531 PST)
    event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
    54843->6099 (14:31:55.531 PST)

DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358288987.324 1358288987.325 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 124.232.148.149, 71.84.2.143, 178.137.42.249, 85.101.20.239, 186.214.244.118, 142.68.234.151, 121.14.98.151, 177.52.225.7
Resource List:
Observed Start: 01/15/2013 14:29:47.324 PST
Gen. Time: 01/15/2013 14:33:55.750 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP

PEER COORDINATION
  Info
  124.232.148.149 (14:32:20.025 PST)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
    55180->11897 (14:32:20.025 PST)
  71.84.2.143 (14:30:47.341 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->40143 (14:30:47.341 PST)
  178.137.42.249 (14:29:47.324 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->6881 (14:29:47.324 PST)
  85.101.20.239 (14:31:48.022 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->35968 (14:31:48.022 PST)
  186.214.244.118 (14:32:55.841 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->58680 (14:32:55.841 PST)
  142.68.234.151 (14:33:55.750 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->51547 (14:33:55.750 PST)
  121.14.98.151 (14:32:01.901 PST)
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
    54868->9090 (14:32:01.901 PST)
  177.52.225.7 (14:30:47.451 PST)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
    54432->3666 (14:30:47.451 PST)

PEER COORDINATION

DECLARE BOT
  Standard Port

DECLARE BOT
  Non-standard Port
  69.43.161.167 (14:31:55.531 PST)
    event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
    54843->6099 (14:31:55.531 PST)

DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358288987.324 1358288987.325 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 124.232.148.149, 41.237.216.106, 76.168.0.243
Resource List:
Observed Start: 01/15/2013 15:30:43.023 PST
Gen. Time: 01/15/2013 15:32:10.669 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP

PEER COORDINATION
  Info
  124.232.148.149 (15:31:07.887 PST)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
    52652->11897 (15:31:07.887 PST)
  41.237.216.106 (15:31:43.524 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->28068 (15:31:43.524 PST)
  76.168.0.243 (15:30:43.023 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->44822 (15:30:43.023 PST)

PEER COORDINATION

DECLARE BOT
  Standard Port

DECLARE BOT
  Non-standard Port
  69.43.161.167 (15:32:10.669 PST)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->6099 (15:32:10.669 PST)

DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358292643.023 1358292643.024 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 124.232.148.149, 81.136.150.113 (2), 173.49.217.170 (2), 24.65.230.239, 41.237.216.106, 121.14.98.151, 76.168.0.243
Resource List:
Observed Start: 01/15/2013 15:30:43.023 PST
Gen. Time: 01/15/2013 15:34:43.152 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP

PEER COORDINATION
  Info
  124.232.148.149 (15:31:07.887 PST)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
    52652->11897 (15:31:07.887 PST)
  81.136.150.113 (2) (15:32:43.153 PST-15:34:43.152 PST)
    event=1:1100013 (2) {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    2: 51413->49906 (15:32:43.153 PST-15:34:43.152 PST)
  173.49.217.170 (2) (15:32:11.895 PST)
    event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
    53114->6890 (15:32:11.895 PST)
    54045->6890 (15:34:06.706 PST)
  24.65.230.239 (15:33:43.052 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->55008 (15:33:43.052 PST)
  41.237.216.106 (15:31:43.524 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->28068 (15:31:43.524 PST)
  121.14.98.151 (15:32:21.322 PST)
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
    53178->9090 (15:32:21.322 PST)
  76.168.0.243 (15:30:43.023 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->44822 (15:30:43.023 PST)

PEER COORDINATION

DECLARE BOT
  Standard Port

DECLARE BOT
  Non-standard Port
  69.43.161.167 (15:32:10.669 PST)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->6099 (15:32:10.669 PST)

DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358292643.023 1358292883.153 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 97.84.148.133, 46.141.12.193, 77.98.17.110, 121.14.98.151
Resource List:
Observed Start: 01/15/2013 16:32:04.225 PST
Gen. Time: 01/15/2013 16:33:51.541 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP

PEER COORDINATION
  Info
  97.84.148.133 (16:32:05.226 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->40871 (16:32:05.226 PST)
  46.141.12.193 (16:32:04.225 PST)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
    50741->6890 (16:32:04.225 PST)
  77.98.17.110 (16:33:05.666 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->13925 (16:33:05.666 PST)
  121.14.98.151 (16:32:50.938 PST)
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
    51059->9090 (16:32:50.938 PST)

PEER COORDINATION

DECLARE BOT
  Standard Port

DECLARE BOT
  Non-standard Port
  69.43.161.167 (16:33:51.541 PST)
    event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
    51453->6099 (16:33:51.541 PST)

DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358296324.225 1358296324.226 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 97.84.148.133, 173.49.217.170, 46.141.12.193, 181.47.52.15, 77.98.17.110, 121.14.98.151
Resource List:
Observed Start: 01/15/2013 16:32:04.225 PST
Gen. Time: 01/15/2013 16:34:50.760 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP

PEER COORDINATION
  Info
  97.84.148.133 (16:32:05.226 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->40871 (16:32:05.226 PST)
  173.49.217.170 (16:34:03.908 PST)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
    51663->6890 (16:34:03.908 PST)
  46.141.12.193 (16:32:04.225 PST)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
    50741->6890 (16:32:04.225 PST)
  181.47.52.15 (16:34:05.413 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->46359 (16:34:05.413 PST)
  77.98.17.110 (16:33:05.666 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->13925 (16:33:05.666 PST)
  121.14.98.151 (16:32:50.938 PST)
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
    51059->9090 (16:32:50.938 PST)

PEER COORDINATION

DECLARE BOT
  Standard Port

DECLARE BOT
  Non-standard Port
  69.43.161.167 (16:33:51.541 PST)
    event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
    51453->6099 (16:33:51.541 PST)

DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358296324.225 1358296324.226 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 82.3.137.27, 91.224.160.192, 114.241.0.38, 46.141.12.193, 85.139.72.201, 177.18.108.231
Resource List:
Observed Start: 01/15/2013 18:31:31.087 PST
Gen.
Time: 01/15/2013 18:34:00.205 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 82.3.137.27 (18:31:31.087 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 53962->51413 (18:31:31.087 PST) 91.224.160.192 (18:33:32.209 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 54788->2710 (18:33:32.209 PST) 114.241.0.38 (18:32:44.378 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->7003 (18:32:44.378 PST) 46.141.12.193 (18:33:05.096 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 54698->6890 (18:33:05.096 PST) 85.139.72.201 (18:31:42.491 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->54962 (18:31:42.491 PST) 177.18.108.231 (18:33:44.057 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->45725 (18:33:44.057 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (18:34:00.205 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (18:34:00.205 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1358303491.087 1358303491.088 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 46.141.12.193 (2), 188.138.32.243, 99.230.246.195, 91.218.38.132, 85.139.72.201, 114.241.0.38, 91.224.160.192, 177.18.108.231, 82.3.137.27 Resource List: Observed Start: 01/15/2013 18:31:31.087 PST Gen. 
Time: 01/15/2013 18:35:19.358 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 46.141.12.193 (2) (18:33:05.096 PST) event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 54698->6890 (18:33:05.096 PST) 55256->6890 (18:34:41.105 PST) 188.138.32.243 (18:34:01.986 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 55144->2710 (18:34:01.986 PST) 99.230.246.195 (18:34:45.594 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->18588 (18:34:45.594 PST) 91.218.38.132 (18:35:19.358 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 55570->2710 (18:35:19.358 PST) 85.139.72.201 (18:31:42.491 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->54962 (18:31:42.491 PST) 114.241.0.38 (18:32:44.378 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->7003 (18:32:44.378 PST) 91.224.160.192 (18:33:32.209 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 54788->2710 (18:33:32.209 PST) 177.18.108.231 (18:33:44.057 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->45725 (18:33:44.057 PST) 82.3.137.27 (18:31:31.087 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 53962->51413 (18:31:31.087 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (18:34:00.205 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (18:34:00.205 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 
1358303491.087 1358303491.088 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 62.31.127.226, 46.121.14.61, 173.49.217.170 (2), 109.64.54.39, 173.11.243.162, 212.59.28.49 Resource List: Observed Start: 01/15/2013 20:33:57.294 PST Gen. Time: 01/15/2013 20:36:00.924 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 62.31.127.226 (20:36:00.183 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 57882->6890 (20:36:00.183 PST) 46.121.14.61 (20:33:58.389 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->44473 (20:33:58.389 PST) 173.49.217.170 (2) (20:33:57.406 PST) event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 57017->6890 (20:33:57.406 PST) 57556->6890 (20:34:58.130 PST) 109.64.54.39 (20:34:58.226 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->16358 (20:34:58.226 PST) 173.11.243.162 (20:35:58.340 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51413 (20:35:58.340 PST) 212.59.28.49 (20:33:57.294 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 57018->2710 (20:33:57.294 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (20:36:00.924 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 57899->6099 (20:36:00.924 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1358310837.294 1358310837.295 inputFile.tcpd | 
tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 186.203.205.25, 62.31.127.226, 46.121.14.61, 173.49.217.170 (3), 109.64.54.39, 173.11.243.162, 212.59.28.49 Resource List: Observed Start: 01/15/2013 20:33:57.294 PST Gen. Time: 01/15/2013 20:37:20.136 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 186.203.205.25 (20:36:58.778 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51413 (20:36:58.778 PST) 62.31.127.226 (20:36:00.183 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 57882->6890 (20:36:00.183 PST) 46.121.14.61 (20:33:58.389 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->44473 (20:33:58.389 PST) 173.49.217.170 (3) (20:33:57.406 PST) event=1:1100012 (3) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 57017->6890 (20:33:57.406 PST) 57556->6890 (20:34:58.130 PST) 58287->6890 (20:37:04.557 PST) 109.64.54.39 (20:34:58.226 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->16358 (20:34:58.226 PST) 173.11.243.162 (20:35:58.340 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51413 (20:35:58.340 PST) 212.59.28.49 (20:33:57.294 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 57018->2710 (20:33:57.294 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (20:36:00.924 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 
00:01:64:FF:CE:EA 57899->6099 (20:36:00.924 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1358310837.294 1358310837.295 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 94.97.153.52, 78.12.120.140, 85.54.119.19, 46.141.12.193, 212.59.28.49 Resource List: Observed Start: 01/15/2013 22:34:50.541 PST Gen. Time: 01/15/2013 22:36:50.662 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 94.97.153.52 (22:35:50.401 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->37642 (22:35:50.401 PST) 78.12.120.140 (22:36:50.125 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->27985 (22:36:50.125 PST) 85.54.119.19 (22:34:50.541 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->43988 (22:34:50.541 PST) 46.141.12.193 (22:35:51.649 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 54675->6890 (22:35:51.649 PST) 212.59.28.49 (22:36:31.648 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 54959->2710 (22:36:31.648 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (22:36:50.662 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (22:36:50.662 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1358318090.541 1358318090.542 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR 
================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 94.97.153.52, 90.22.151.42, 91.224.160.192 (2), 78.12.120.140, 85.54.119.19, 46.141.12.193 (2), 212.59.28.49 (2) Resource List: Observed Start: 01/15/2013 22:34:50.541 PST Gen. Time: 01/15/2013 22:38:09.485 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 94.97.153.52 (22:35:50.401 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->37642 (22:35:50.401 PST) 90.22.151.42 (22:37:50.767 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->12560 (22:37:50.767 PST) 91.224.160.192 (2) (22:37:43.101 PST) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 55382->2710 (22:37:43.101 PST) ------------------------- event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 55382->2710 (22:37:43.101 PST) 78.12.120.140 (22:36:50.125 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->27985 (22:36:50.125 PST) 85.54.119.19 (22:34:50.541 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->43988 (22:34:50.541 PST) 46.141.12.193 (2) (22:35:51.649 PST) event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 54675->6890 (22:35:51.649 PST) 55548->6890 (22:37:55.157 PST) 212.59.28.49 (2) (22:36:31.648 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 54959->2710 (22:36:31.648 PST) ------------------------- event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 55336->2710 (22:37:25.058 PST) PEER COORDINATION 
DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (22:36:50.662 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (22:36:50.662 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1358318090.541 1358318090.542 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================
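Two things in these profiles deserve a check before 192.168.1.36 is treated as a confirmed bot. First, every E7 (peer coordination) signature above is ordinary BitTorrent activity (handshakes, tracker announces and scrapes, DHT pings leaving local UDP port 51413, the default peer port of the Transmission client), and the score of 0.8, exactly the declare-bot threshold, is carried by a single E8 rule, "ET ShadowServer confirmed botnet control server on non-standard port", firing on 69.43.161.167:6099. In the UDP variants that flow leaves the same local port 51413 as the DHT pings, so it comes from the same bound socket and almost certainly the same application; that is a reason to read the packets before escalating. Second, most of the tcpslice commands BotHunter printed span only one millisecond after Observed Start (for example 1358292643.023 to 1358292643.024), which keeps at most the first packet of the dialog; the slice should run to Gen. Time. The script below is an added example, not BotHunter code: it parses a profile in the layout shown on this page (the sample is constructed from the first report above, with the empty dialog headers omitted), tallies evidence per dialog class, lists the E8 peers, runs the shared-socket check, and rebuilds the tcpslice command over the full window. The PST/PDT offset table is an assumption about the zone abbreviation BotHunter prints.

```python
"""Parse a BotHunter infection profile and sanity-check its evidence (added example, not
BotHunter code). SAMPLE_PROFILE is constructed from the first report on this page; the empty
dialog headers are omitted. Assumed: BotHunter prints a PST/PDT zone abbreviation."""
import re
from collections import namedtuple
from datetime import datetime, timedelta, timezone

SAMPLE_PROFILE = """\
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Peer Coord. List: 124.232.148.149, 41.237.216.106, 76.168.0.243
Observed Start: 01/15/2013 15:30:43.023 PST
Gen. Time: 01/15/2013 15:32:10.669 PST
 PEER COORDINATION
   Info 124.232.148.149 (15:31:07.887 PST)
     event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
     52652->11897 (15:31:07.887 PST)
   41.237.216.106 (15:31:43.524 PST)
     event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
     51413->28068 (15:31:43.524 PST)
   76.168.0.243 (15:30:43.023 PST)
     event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
     51413->44822 (15:30:43.023 PST)
 DECLARE BOT Non-standard Port
   69.43.161.167 (15:32:10.669 PST)
     event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
     51413->6099 (15:32:10.669 PST)
tcpslice 1358292643.023 1358292643.024 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
"""

ZONES = {"PST": timezone(timedelta(hours=-8)), "PDT": timezone(timedelta(hours=-7))}  # assumed
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
EVENT_RE = re.compile(r"event=(\d+:\d+)(?: \(\d+\))? \{(tcp|udp)\} (E\d)\[\w+\] (.+?), \[.*?\] MAC_Src:")
FLOW_RE = re.compile(r"(\d+)->(\d+) \((\d\d:\d\d:\d\d\.\d{3}) \w{3}[)-]")

# sid is the Snort-style gid:sid; dialog is the BotHunter class (E7 peer coordination, E8 declare bot);
# flows is a list of (local_port, remote_port, "hh:mm:ss.mmm").
Event = namedtuple("Event", "remote_ip sid proto dialog message flows")


def header_field(text, name):
    m = re.search(rf"^{re.escape(name)}:\s*(.*)$", text, re.M)
    return m.group(1).strip() if m else ""


def to_epoch(stamp):
    """'01/15/2013 15:30:43.023 PST' -> POSIX seconds (float)."""
    local, zone = stamp.rsplit(" ", 1)
    return datetime.strptime(local, "%m/%d/%Y %H:%M:%S.%f").replace(tzinfo=ZONES[zone]).timestamp()


def parse_events(text):
    events, ip, hits = [], None, list(EVENT_RE.finditer(text))
    for i, m in enumerate(hits):
        # The remote IP is printed just before its first event; a '-----' continuation
        # (second signature for the same peer) prints none, so the previous IP is kept.
        lo = hits[i - 1].end() if i else 0
        seen = IP_RE.findall(text[lo:m.start()])
        ip = seen[-1] if seen else ip
        sid, proto, dialog, msg = m.groups()
        end = hits[i + 1].start() if i + 1 < len(hits) else len(text)
        flows = [(int(s), int(d), t) for s, d, t in FLOW_RE.findall(text[m.end():end])]
        events.append(Event(ip, sid, proto, dialog, msg, flows))
    return events


def parse_profile(text):
    return {
        "target": header_field(text, "Infected Target"),
        "score": float(header_field(text, "Score").split()[0]),
        "peer_coord": [p.split(" ")[0] for p in header_field(text, "Peer Coord. List").split(", ") if p],
        "start_epoch": to_epoch(header_field(text, "Observed Start")),
        "gen_epoch": to_epoch(header_field(text, "Gen. Time")),
        "events": parse_events(text),
    }


def dialog_counts(profile):
    """Flows per dialog class; in the sample the whole score rests on one E8 hit."""
    counts = {}
    for e in profile["events"]:
        counts[e.dialog] = counts.get(e.dialog, 0) + len(e.flows)
    return counts


def declared_c2(profile):
    """(ip, port, proto) of every E8 'declare bot' flow."""
    return sorted({(e.remote_ip, d, e.proto) for e in profile["events"] if e.dialog == "E8" for _, d, _ in e.flows})


def c2_shares_p2p_socket(profile):
    """True if an E8 UDP flow leaves from the same local port as the E7 DHT pings, i.e. the same
    bound socket and almost certainly the same application; read the pcap before escalating."""
    p2p = {s for e in profile["events"] if e.dialog == "E7" and e.proto == "udp" for s, _, _ in e.flows}
    return any(s in p2p for e in profile["events"] if e.dialog == "E8" and e.proto == "udp" for s, _, _ in e.flows)


def tcpslice_command(profile, pcap="inputFile.tcpd", out="outputFile.tcpd"):
    """Slice Observed Start..Gen. Time; the page's own commands mostly stop 1 ms after the start."""
    return (f"tcpslice {profile['start_epoch']:.3f} {profile['gen_epoch']:.3f} {pcap} | "
            f"tcpdump -r - -w {out} 'host {profile['target']}'")


if __name__ == "__main__":
    p = parse_profile(SAMPLE_PROFILE)
    print(dialog_counts(p), declared_c2(p), c2_shares_p2p_socket(p), tcpslice_command(p), sep="\n")
```

For the first profile this reports {'E7': 3, 'E8': 1}, the single declared peer ('69.43.161.167', 6099, 'udp'), a shared-socket result of True, and a tcpslice command from 1358292643.023 to 1358292730.669 instead of the 1 ms window printed on the page. Running the parser over the whole file gives the same picture for every profile: the E8 evidence is one rule on one peer, and the pcap slice is what decides whether that exchange is BitTorrent traffic to a blocklisted address or something else.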