Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 46.121.14.61, 91.224.160.192, 145.99.175.89
Resource List:
Observed Start: 01/16/2013 00:37:10.917 PST
Gen. Time: 01/16/2013 00:38:31.001 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info
46.121.14.61 (00:37:51.421 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->44473 (00:37:51.421 PST)
91.224.160.192 (00:37:10.917 PST)
event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 56818->2710 (00:37:10.917 PST)
145.99.175.89 (00:37:59.812 PST)
event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 57166->51413 (00:37:59.812 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (00:38:31.001 PST)
event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 57289->6099 (00:38:31.001 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1358325430.917 1358325430.918 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 46.121.14.61, 91.224.160.192, 88.207.43.209, 208.83.20.164, 145.99.175.89
Resource List:
Observed Start: 01/16/2013 00:37:10.917 PST
Gen. Time: 01/16/2013 00:39:00.111 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info
46.121.14.61 (00:37:51.421 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->44473 (00:37:51.421 PST)
91.224.160.192 (00:37:10.917 PST)
event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 56818->2710 (00:37:10.917 PST)
88.207.43.209 (00:38:51.152 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->46387 (00:38:51.152 PST)
208.83.20.164 (00:39:00.111 PST)
event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [>%9B%9F>n%FE%CB%E5%03I =%86%C9}%99%15%8B%F9%9E%F4%A1%E1%1B%FE%9A%D3%88%13!f%D6%D9%DE.s%8F[+%EC_%0Dx%85D%E7H%DF=C%E1%13(%BD] MAC_Src: 00:01:64:FF:CE:EA 57590->80 (00:39:00.111 PST)
145.99.175.89 (00:37:59.812 PST)
event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 57166->51413 (00:37:59.812 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (00:38:31.001 PST)
event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 57289->6099 (00:38:31.001 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1358325430.917 1358325430.918 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 197.237.59.156, 91.224.160.192, 184.18.202.139, 145.99.175.89
Resource List:
Observed Start: 01/16/2013 02:37:00.648 PST
Gen. Time: 01/16/2013 02:39:20.239 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info
197.237.59.156 (02:38:46.036 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->33560 (02:38:46.036 PST)
91.224.160.192 (02:37:22.603 PST)
event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 58474->2710 (02:37:22.603 PST)
184.18.202.139 (02:37:46.387 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->15494 (02:37:46.387 PST)
145.99.175.89 (02:37:00.648 PST)
event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 58406->51413 (02:37:00.648 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (02:39:20.239 PST)
event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (02:39:20.239 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1358332620.648 1358332620.649 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 197.237.59.156, 188.138.32.243, 143.176.16.96, 91.224.160.192, 184.18.202.139, 145.99.175.89 (2)
Resource List:
Observed Start: 01/16/2013 02:37:00.648 PST
Gen. Time: 01/16/2013 02:40:06.372 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info
197.237.59.156 (02:38:46.036 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->33560 (02:38:46.036 PST)
188.138.32.243 (02:39:51.166 PST)
event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 59492->2710 (02:39:51.166 PST)
143.176.16.96 (02:39:46.059 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->16354 (02:39:46.059 PST)
91.224.160.192 (02:37:22.603 PST)
event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 58474->2710 (02:37:22.603 PST)
184.18.202.139 (02:37:46.387 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->15494 (02:37:46.387 PST)
145.99.175.89 (2) (02:37:00.648 PST)
event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 58406->51413 (02:37:00.648 PST) 59413->51413 (02:39:42.160 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (02:39:20.239 PST)
event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (02:39:20.239 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1358332620.648 1358332620.649 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 94.227.94.127, 27.82.0.12, 129.241.131.252, 90.231.164.57, 208.83.20.164, 151.95.235.133
Resource List:
Observed Start: 01/16/2013 04:37:20.771 PST
Gen. Time: 01/16/2013 04:41:20.997 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info
94.227.94.127 (04:39:22.179 PST)
event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 51532->51413 (04:39:22.179 PST)
27.82.0.12 (04:39:29.694 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->45283 (04:39:29.694 PST)
129.241.131.252 (04:37:20.771 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->61788 (04:37:20.771 PST)
90.231.164.57 (04:40:30.539 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->42776 (04:40:30.539 PST)
208.83.20.164 (04:39:41.126 PST)
event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 51582->80 (04:39:41.126 PST)
151.95.235.133 (04:38:29.760 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->52986 (04:38:29.760 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (04:41:20.997 PST)
event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 52535->6099 (04:41:20.997 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1358339840.771 1358339840.772 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 189.59.8.105, 177.157.127.81, 80.57.72.105
Resource List:
Observed Start: 01/16/2013 06:40:57.173 PST
Gen. Time: 01/16/2013 06:42:20.100 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info
189.59.8.105 (06:41:07.962 PST)
event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 64696->16881 (06:41:07.962 PST)
177.157.127.81 (06:40:57.173 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->19980 (06:40:57.173 PST)
80.57.72.105 (06:41:57.539 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->39899 (06:41:57.539 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (06:42:20.100 PST)
event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (06:42:20.100 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1358347257.173 1358347257.174 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 189.59.8.105, 177.157.127.81, 173.62.121.99, 173.49.217.170, 208.83.20.164 (2), 80.57.72.105 (2)
Resource List:
Observed Start: 01/16/2013 06:40:57.173 PST
Gen. Time: 01/16/2013 06:44:20.862 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info
189.59.8.105 (06:41:07.962 PST)
event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 64696->16881 (06:41:07.962 PST)
177.157.127.81 (06:40:57.173 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->19980 (06:40:57.173 PST)
173.62.121.99 (06:42:57.404 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->20347 (06:42:57.404 PST)
173.49.217.170 (06:43:02.778 PST)
event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 49488->6890 (06:43:02.778 PST)
208.83.20.164 (2) (06:42:31.085 PST)
event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [/distro.alt/BotHunter-Windows-Distribution-v1.0.4a.exe] MAC_Src: 00:01:64:FF:CE:EA 65503->80 (06:42:31.085 PST)
-------------------------
event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [%90%AB%13%F5%C3%CFu%E3%F9%F9%8B%B6`q%14%E6%DCK%C1%98p%17] MAC_Src: 00:01:64:FF:CE:EA 49315->80 (06:42:54.079 PST)
80.57.72.105 (2) (06:41:57.539 PST-06:43:58.541 PST)
event=1:1100013 (2) {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 2: 51413->39899 (06:41:57.539 PST-06:43:58.541 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (06:42:20.100 PST)
event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (06:42:20.100 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1358347257.173 1358347438.542 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 96.49.232.241, 50.66.49.92, 145.99.175.89
Resource List:
Observed Start: 01/16/2013 08:42:06.170 PST
Gen. Time: 01/16/2013 08:43:41.005 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info
96.49.232.241 (08:42:06.170 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->56313 (08:42:06.170 PST)
50.66.49.92 (08:43:06.223 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->14533 (08:43:06.223 PST)
145.99.175.89 (08:43:26.529 PST)
event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 56287->51413 (08:43:26.529 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (08:43:41.005 PST)
event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 56335->6099 (08:43:41.005 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1358354526.170 1358354526.171 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 208.95.173.194, 96.49.232.241, 91.218.38.132, 178.125.130.216, 24.118.247.122, 95.211.162.90, 50.66.49.92, 145.99.175.89 (2)
Resource List:
Observed Start: 01/16/2013 08:42:06.170 PST
Gen. Time: 01/16/2013 08:46:02.639 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info
208.95.173.194 (08:46:00.337 PST)
event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 57834->2710 (08:46:00.337 PST)
96.49.232.241 (08:42:06.170 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->56313 (08:42:06.170 PST)
91.218.38.132 (08:44:15.206 PST)
event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 56665->2710 (08:44:15.206 PST)
178.125.130.216 (08:44:06.738 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->62604 (08:44:06.738 PST)
24.118.247.122 (08:45:09.278 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->32907 (08:45:09.278 PST)
95.211.162.90 (08:45:51.000 PST)
event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 57689->2710 (08:45:51.000 PST)
50.66.49.92 (08:43:06.223 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->14533 (08:43:06.223 PST)
145.99.175.89 (2) (08:43:26.529 PST)
event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 56287->51413 (08:43:26.529 PST) 57191->51413 (08:45:06.547 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (08:43:41.005 PST)
event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 56335->6099 (08:43:41.005 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1358354526.170 1358354526.171 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 213.225.210.236, 88.189.125.131
Resource List:
Observed Start: 01/16/2013 10:42:46.781 PST
Gen. Time: 01/16/2013 10:44:40.534 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info
213.225.210.236 (10:43:50.645 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51413 (10:43:50.645 PST)
88.189.125.131 (10:42:46.781 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->25962 (10:42:46.781 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (10:44:40.534 PST)
event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (10:44:40.534 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1358361766.781 1358361766.782 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 177.32.91.198, 109.222.154.85, 213.225.210.236, 88.189.125.131
Resource List:
Observed Start: 01/16/2013 10:42:46.781 PST
Gen. Time: 01/16/2013 10:45:54.188 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info
177.32.91.198 (10:45:54.188 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->10506 (10:45:54.188 PST)
109.222.154.85 (10:44:54.741 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->15674 (10:44:54.741 PST)
213.225.210.236 (10:43:50.645 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51413 (10:43:50.645 PST)
88.189.125.131 (10:42:46.781 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->25962 (10:42:46.781 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (10:44:40.534 PST)
event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (10:44:40.534 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1358361766.781 1358361766.782 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 93.1.54.207
Resource List:
Observed Start: 01/16/2013 12:45:59.069 PST
Gen. Time: 01/16/2013 12:46:31.094 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info
93.1.54.207 (12:45:59.069 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->55555 (12:45:59.069 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (12:46:31.094 PST)
event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51154->6099 (12:46:31.094 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1358369159.069 1358369159.070 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 208.95.173.194 (2), 124.232.148.149, 95.175.158.179, 92.138.139.60, 70.77.199.174, 93.1.54.207, 95.211.162.90
Resource List:
Observed Start: 01/16/2013 12:45:59.069 PST
Gen. Time: 01/16/2013 12:49:00.269 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info
208.95.173.194 (2) (12:48:13.236 PST)
event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 52071->2710 (12:48:13.236 PST)
-------------------------
event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 52071->2710 (12:48:13.236 PST)
124.232.148.149 (12:47:29.592 PST)
event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 51754->11897 (12:47:29.592 PST)
95.175.158.179 (12:47:59.616 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->41028 (12:47:59.616 PST)
92.138.139.60 (12:46:59.153 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6881 (12:46:59.153 PST)
70.77.199.174 (12:49:00.269 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->17938 (12:49:00.269 PST)
93.1.54.207 (12:45:59.069 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->55555 (12:45:59.069 PST)
95.211.162.90 (12:46:41.425 PST)
event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 51251->2710 (12:46:41.425 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (12:46:31.094 PST)
event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51154->6099 (12:46:31.094 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1358369159.069 1358369159.070 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 124.232.148.149, 89.251.41.65, 90.22.151.42, 85.17.143.16 (2), 208.83.20.164
Resource List:
Observed Start: 01/16/2013 14:44:55.653 PST
Gen. Time: 01/16/2013 14:47:00.660 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info
124.232.148.149 (14:44:55.653 PST)
event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 49193->11897 (14:44:55.653 PST)
89.251.41.65 (14:45:38.802 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->48812 (14:45:38.802 PST)
90.22.151.42 (14:46:39.702 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->12560 (14:46:39.702 PST)
85.17.143.16 (2) (14:45:01.703 PST)
event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 49347->6969 (14:45:01.703 PST)
-------------------------
event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 49347->6969 (14:45:01.703 PST)
208.83.20.164 (14:45:10.963 PST)
event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [/search?q= 222.66.202.245 attack&go=&qs=n&form=QBLH&pq= 222.66.202.245 attack&sc=0-0&sp=-1&sk=] MAC_Src: 00:01:64:FF:CE:EA 49421->80 (14:45:10.963 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (14:47:00.660 PST)
event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (14:47:00.660 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1358376295.653 1358376295.654 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 124.232.148.149 (2), 89.251.41.65, 90.22.151.42, 85.17.143.16 (2), 124.79.150.68, 95.211.162.90, 87.241.99.41, 208.83.20.164
Resource List:
Observed Start: 01/16/2013 14:44:55.653 PST
Gen. Time: 01/16/2013 14:48:35.488 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info
124.232.148.149 (2) (14:44:55.653 PST)
event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 49193->11897 (14:44:55.653 PST) 50693->11897 (14:47:12.208 PST)
89.251.41.65 (14:45:38.802 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->48812 (14:45:38.802 PST)
90.22.151.42 (14:46:39.702 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->12560 (14:46:39.702 PST)
85.17.143.16 (2) (14:45:01.703 PST)
event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 49347->6969 (14:45:01.703 PST)
-------------------------
event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 49347->6969 (14:45:01.703 PST)
124.79.150.68 (14:47:39.392 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->56795 (14:47:39.392 PST)
95.211.162.90 (14:47:21.706 PST)
event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 50730->2710 (14:47:21.706 PST)
87.241.99.41 (14:47:09.367 PST)
event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 50646->2710 (14:47:09.367 PST)
208.83.20.164 (14:45:10.963 PST)
event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [/search?q= 222.66.202.245 attack&go=&qs=n&form=QBLH&pq= 222.66.202.245 attack&sc=0-0&sp=-1&sk=] MAC_Src: 00:01:64:FF:CE:EA 49421->80 (14:45:10.963 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (14:47:00.660 PST)
event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (14:47:00.660 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1358376295.653 1358376295.654 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 01/16/2013 16:48:41.200 PST
Gen. Time: 01/16/2013 16:48:41.200 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (16:48:41.200 PST)
event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 63429->6099 (16:48:41.200 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1358383721.200 1358383721.201 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 93.50.57.31, 24.126.60.36, 193.232.159.144, 85.17.143.16, 188.190.98.38, 99.28.177.254, 174.96.31.138, 145.99.175.89
Resource List:
Observed Start: 01/16/2013 16:48:41.200 PST
Gen. Time: 01/16/2013 16:52:41.526 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info
93.50.57.31 (16:52:00.812 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->22580 (16:52:00.812 PST)
24.126.60.36 (16:48:57.602 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->47842 (16:48:57.602 PST)
193.232.159.144 (16:50:43.537 PST)
event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 64379->80 (16:50:43.537 PST)
85.17.143.16 (16:50:43.694 PST)
event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 64385->6969 (16:50:43.694 PST)
188.190.98.38 (16:49:19.796 PST)
event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 63803->2810 (16:49:19.796 PST)
99.28.177.254 (16:49:57.813 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->44538 (16:49:57.813 PST)
174.96.31.138 (16:50:58.307 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->31370 (16:50:58.307 PST)
145.99.175.89 (16:51:03.971 PST)
event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 64666->51413 (16:51:03.971 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (16:48:41.200 PST)
event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 63429->6099 (16:48:41.200 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1358383721.200 1358383721.201 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 190.164.118.84, 91.218.38.132, 24.118.247.122, 91.224.160.192, 189.114.229.148, 98.110.76.25, 145.99.175.89
Resource List:
Observed Start: 01/16/2013 18:46:46.182 PST
Gen. Time: 01/16/2013 18:49:41.954 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info
190.164.118.84 (18:48:50.155 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->25154 (18:48:50.155 PST)
91.218.38.132 (18:47:03.973 PST)
event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 53150->2710 (18:47:03.973 PST)
24.118.247.122 (18:47:50.249 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->32907 (18:47:50.249 PST)
91.224.160.192 (18:47:02.775 PST)
event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 53116->2710 (18:47:02.775 PST)
189.114.229.148 (18:49:06.910 PST)
event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 54093->16882 (18:49:06.910 PST)
98.110.76.25 (18:46:46.182 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->14607 (18:46:46.182 PST)
145.99.175.89 (18:47:07.864 PST)
event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 53191->51413 (18:47:07.864 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (18:49:41.954 PST)
event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (18:49:41.954 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1358390806.182 1358390806.183 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 190.164.118.84, 91.218.38.132, 24.118.247.122, 91.224.160.192, 189.114.229.148, 98.110.76.25, 101.174.147.132, 145.99.175.89
Resource List:
Observed Start: 01/16/2013 18:46:46.182 PST
Gen. Time: 01/16/2013 18:50:26.997 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info
190.164.118.84 (18:48:50.155 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->25154 (18:48:50.155 PST)
91.218.38.132 (18:47:03.973 PST)
event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 53150->2710 (18:47:03.973 PST)
24.118.247.122 (18:47:50.249 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->32907 (18:47:50.249 PST)
91.224.160.192 (18:47:02.775 PST)
event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 53116->2710 (18:47:02.775 PST)
189.114.229.148 (18:49:06.910 PST)
event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 54093->16882 (18:49:06.910 PST)
98.110.76.25 (18:46:46.182 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->14607 (18:46:46.182 PST)
101.174.147.132 (18:49:50.022 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->24401 (18:49:50.022 PST)
145.99.175.89 (18:47:07.864 PST)
event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 53191->51413 (18:47:07.864 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (18:49:41.954 PST)
event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (18:49:41.954 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1358390806.182 1358390806.183 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 72.11.161.254, 208.95.173.194, 154.45.216.166, 2.40.12.19, 188.138.32.243, 69.118.19.218
Resource List:
Observed Start: 01/16/2013 20:48:57.777 PST
Gen. Time: 01/16/2013 20:51:21.157 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info
72.11.161.254 (20:49:57.389 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->33462 (20:49:57.389 PST)
208.95.173.194 (20:49:00.120 PST)
event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 60101->2710 (20:49:00.120 PST)
154.45.216.166 (20:50:31.502 PST)
event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 60691->1055 (20:50:31.502 PST)
2.40.12.19 (20:50:57.173 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->48592 (20:50:57.173 PST)
188.138.32.243 (20:50:28.953 PST)
event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 60687->2710 (20:50:28.953 PST)
69.118.19.218 (20:48:57.777 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->52739 (20:48:57.777 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (20:51:21.157 PST)
event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src:
00:01:64:FF:CE:EA 61077->6099 (20:51:21.157 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1358398137.777 1358398137.778 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 72.11.161.254, 208.95.173.194, 154.45.216.166, 2.40.12.19, 188.138.32.243, 193.232.159.144, 69.118.19.218, 87.241.99.41 Resource List: Observed Start: 01/16/2013 20:48:57.777 PST Gen. Time: 01/16/2013 20:51:53.765 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 72.11.161.254 (20:49:57.389 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->33462 (20:49:57.389 PST) 208.95.173.194 (20:49:00.120 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 60101->2710 (20:49:00.120 PST) 154.45.216.166 (20:50:31.502 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 60691->1055 (20:50:31.502 PST) 2.40.12.19 (20:50:57.173 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->48592 (20:50:57.173 PST) 188.138.32.243 (20:50:28.953 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 60687->2710 (20:50:28.953 PST) 193.232.159.144 (20:51:31.372 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 61113->80 (20:51:31.372 PST) 69.118.19.218 (20:48:57.777 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->52739 (20:48:57.777 PST) 87.241.99.41 (20:51:53.765 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, 
[] MAC_Src: 00:01:64:FF:CE:EA 61316->2710 (20:51:53.765 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (20:51:21.157 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 61077->6099 (20:51:21.157 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1358398137.777 1358398137.778 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 112.201.186.94 Resource List: Observed Start: 01/16/2013 22:51:16.725 PST Gen. Time: 01/16/2013 22:51:50.100 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 112.201.186.94 (22:51:16.725 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->22954 (22:51:16.725 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (22:51:50.100 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (22:51:50.100 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1358405476.725 1358405476.726 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 208.95.173.194 (2), 82.3.137.27, 91.218.38.132, 112.201.186.94, 186.214.102.127, 83.45.186.87, 87.241.99.41, 145.99.175.89 Resource List: Observed Start: 01/16/2013 22:51:16.725 PST Gen. 
Time: 01/16/2013 22:54:10.640 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 208.95.173.194 (2) (22:52:10.810 PST) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 58629->2710 (22:52:10.810 PST) ------------------------- event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 58629->2710 (22:52:10.810 PST) 82.3.137.27 (22:53:42.028 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 59115->51413 (22:53:42.028 PST) 91.218.38.132 (22:52:09.399 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 58625->2710 (22:52:09.399 PST) 112.201.186.94 (22:51:16.725 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->22954 (22:51:16.725 PST) 186.214.102.127 (22:53:20.251 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->42176 (22:53:20.251 PST) 83.45.186.87 (22:52:19.414 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->47682 (22:52:19.414 PST) 87.241.99.41 (22:54:10.640 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 59312->2710 (22:54:10.640 PST) 145.99.175.89 (22:51:57.016 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 58522->51413 (22:51:57.016 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (22:51:50.100 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (22:51:50.100 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1358405476.725 1358405476.726 inputFile.tcpd | 
tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================