Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 208.95.173.194, 82.3.137.27, 80.180.156.163, 82.161.69.109
Resource List:
Observed Start: 01/17/2013 00:51:44.417 PST
Gen. Time: 01/17/2013 00:53:00.495 PST

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
      208.95.173.194 (00:52:49.310 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 55827->2710 (00:52:49.310 PST)
      82.3.137.27 (00:52:32.278 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 55758->51413 (00:52:32.278 PST)
      80.180.156.163 (00:52:44.193 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51413 (00:52:44.193 PST)
      82.161.69.109 (00:51:44.417 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->26085 (00:51:44.417 PST)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
      69.43.161.167 (00:53:00.495 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 55999->6099 (00:53:00.495 PST)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358412704.417 1358412704.418 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 208.95.173.194 (2), 86.35.130.84, 82.3.137.27, 193.232.159.144, 31.192.104.80, 80.180.156.163, 87.241.99.41, 82.161.69.109
Resource List:
Observed Start: 01/17/2013 00:51:44.417 PST
Gen. Time: 01/17/2013 00:55:01.933 PST

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
      208.95.173.194 (2) (00:52:49.310 PST) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 56706->2710 (00:54:31.287 PST)
      -------------------------
      event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 55827->2710 (00:52:49.310 PST)
      86.35.130.84 (00:53:44.738 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->11171 (00:53:44.738 PST)
      82.3.137.27 (00:52:32.278 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 55758->51413 (00:52:32.278 PST)
      193.232.159.144 (00:53:10.737 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [?%E8t%F0o%83%E9%18%D4%C1"%1A%107%C9%9D%D9%08%C7s%A5%D5=%AB%B7ti%E2p%E7%D8%F06%DDR8s%1B%C0k%9C%10)b%EC%01Q5N^%C3%9D%D8G] MAC_Src: 00:01:64:FF:CE:EA 56156->80 (00:53:10.737 PST)
      31.192.104.80 (00:54:44.534 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->37021 (00:54:44.534 PST)
      80.180.156.163 (00:52:44.193 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51413 (00:52:44.193 PST)
      87.241.99.41 (00:54:31.287 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 56704->2710 (00:54:31.287 PST)
      82.161.69.109 (00:51:44.417 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->26085 (00:51:44.417 PST)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
      69.43.161.167 (00:53:00.495 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 55999->6099 (00:53:00.495 PST)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358412704.417 1358412704.418 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 24.118.247.122, 91.224.160.192, 145.99.175.89
Resource List:
Observed Start: 01/17/2013 02:52:43.229 PST
Gen. Time: 01/17/2013 02:53:50.108 PST

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
      24.118.247.122 (02:52:59.233 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->32907 (02:52:59.233 PST)
      91.224.160.192 (02:52:43.229 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 59818->2710 (02:52:43.229 PST)
      145.99.175.89 (02:52:57.446 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 59928->51413 (02:52:57.446 PST)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
      69.43.161.167 (02:53:50.108 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (02:53:50.108 PST)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358419963.229 1358419963.230 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 208.83.20.164, 91.218.38.132, 145.99.175.89 (2), 208.95.173.194, 193.232.159.144, 71.174.62.26, 91.224.160.192, 94.71.207.62, 24.118.247.122
Resource List:
Observed Start: 01/17/2013 02:52:43.229 PST
Gen. Time: 01/17/2013 02:55:41.342 PST

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
      208.83.20.164 (02:55:30.602 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [7%A7%E3%D8A%A4%FD%DB%17%03%01%000^%F8%DB%FA)@%ACJR%CF%9D%AE%A9%90u%F38W%FB%16%C0%A6%0F%90c}%9B9>%0A%D3%D4$oR%D4{%08%F0rg] MAC_Src: 00:01:64:FF:CE:EA 61119->80 (02:55:30.602 PST)
      91.218.38.132 (02:54:02.430 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 60548->2710 (02:54:02.430 PST)
      145.99.175.89 (2) (02:52:57.446 PST) event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 59928->51413 (02:52:57.446 PST) 60578->51413 (02:54:04.953 PST)
      208.95.173.194 (02:55:32.604 PST) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 61118->2710 (02:55:32.604 PST)
      193.232.159.144 (02:54:11.202 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 60615->80 (02:54:11.202 PST)
      71.174.62.26 (02:54:59.575 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->55086 (02:54:59.575 PST)
      91.224.160.192 (02:52:43.229 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 59818->2710 (02:52:43.229 PST)
      94.71.207.62 (02:53:59.846 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->50923 (02:53:59.846 PST)
      24.118.247.122 (02:52:59.233 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->32907 (02:52:59.233 PST)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
      69.43.161.167 (02:53:50.108 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (02:53:50.108 PST)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358419963.229 1358419963.230 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 193.232.159.144, 80.88.102.239, 145.99.175.89
Resource List:
Observed Start: 01/17/2013 04:55:11.193 PST
Gen. Time: 01/17/2013 04:56:23.001 PST

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
      193.232.159.144 (04:55:11.193 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 54576->80 (04:55:11.193 PST)
      80.88.102.239 (04:55:25.394 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->28018 (04:55:25.394 PST)
      145.99.175.89 (04:55:54.860 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 54958->51413 (04:55:54.860 PST)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
      69.43.161.167 (04:56:23.001 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 55229->6099 (04:56:23.001 PST)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358427311.193 1358427311.194 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 208.95.173.194 (2), 193.232.159.144, 85.17.143.16 (2), 151.41.166.72, 151.65.146.48, 2.178.42.109, 80.88.102.239, 145.99.175.89 (2)
Resource List:
Observed Start: 01/17/2013 04:55:11.193 PST
Gen. Time: 01/17/2013 04:58:30.612 PST

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
      208.95.173.194 (2) (04:56:23.230 PST) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 55226->2710 (04:56:23.230 PST)
      -------------------------
      event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 55226->2710 (04:56:23.230 PST)
      193.232.159.144 (04:55:11.193 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 54576->80 (04:55:11.193 PST)
      85.17.143.16 (2) (04:58:01.996 PST) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 55944->6969 (04:58:01.996 PST)
      -------------------------
      event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 55944->6969 (04:58:01.996 PST)
      151.41.166.72 (04:57:28.638 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->34039 (04:57:28.638 PST)
      151.65.146.48 (04:56:26.755 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->62891 (04:56:26.755 PST)
      2.178.42.109 (04:58:30.612 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->20920 (04:58:30.612 PST)
      80.88.102.239 (04:55:25.394 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->28018 (04:55:25.394 PST)
      145.99.175.89 (2) (04:55:54.860 PST) event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 54958->51413 (04:55:54.860 PST) 55623->51413 (04:57:07.870 PST)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
      69.43.161.167 (04:56:23.001 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 55229->6099 (04:56:23.001 PST)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358427311.193 1358427311.194 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 177.192.100.229, 193.232.159.144, 71.196.16.49, 90.220.42.145, 90.231.164.57
Resource List:
Observed Start: 01/17/2013 06:54:44.878 PST
Gen. Time: 01/17/2013 06:57:11.422 PST

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
      177.192.100.229 (06:54:44.878 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->57712 (06:54:44.878 PST)
      193.232.159.144 (06:55:40.604 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 55161->80 (06:55:40.604 PST)
      71.196.16.49 (06:56:45.250 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->19398 (06:56:45.250 PST)
      90.220.42.145 (06:55:03.337 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 54756->19151 (06:55:03.337 PST)
      90.231.164.57 (06:55:45.373 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->42776 (06:55:45.373 PST)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
      69.43.161.167 (06:57:11.422 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (06:57:11.422 PST)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358434484.878 1358434484.879 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 84.212.221.225, 208.83.20.164, 92.233.253.189, 208.95.173.194, 193.232.159.144, 90.231.164.57, 90.220.42.145, 71.196.16.49, 177.192.100.229
Resource List:
Observed Start: 01/17/2013 06:54:44.878 PST
Gen. Time: 01/17/2013 06:57:51.619 PST

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
      84.212.221.225 (06:57:26.994 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 56219->49234 (06:57:26.994 PST)
      208.83.20.164 (06:57:13.070 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [B%80%1E'%B3%0D%E7%1Ea=g&pm=csl%0D%0Aa=g&pm=nsl%0D%0Acsl=?%0D%0Ac303.cloudmark.] MAC_Src: 00:01:64:FF:CE:EA 55972->80 (06:57:13.070 PST)
      92.233.253.189 (06:57:45.038 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->14556 (06:57:45.038 PST)
      208.95.173.194 (06:57:13.070 PST) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 55977->2710 (06:57:13.070 PST)
      193.232.159.144 (06:55:40.604 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 55161->80 (06:55:40.604 PST)
      90.231.164.57 (06:55:45.373 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->42776 (06:55:45.373 PST)
      90.220.42.145 (06:55:03.337 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 54756->19151 (06:55:03.337 PST)
      71.196.16.49 (06:56:45.250 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->19398 (06:56:45.250 PST)
      177.192.100.229 (06:54:44.878 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->57712 (06:54:44.878 PST)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
      69.43.161.167 (06:57:11.422 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (06:57:11.422 PST)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358434484.878 1358434484.879 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 91.218.38.132, 145.99.175.89, 208.95.173.194, 193.232.159.144, 200.87.154.194, 85.17.143.16, 90.22.151.42, 84.31.116.32, 90.220.42.145, 87.241.99.41, 178.204.123.184
Resource List:
Observed Start: 01/17/2013 08:54:43.294 PST
Gen. Time: 01/17/2013 08:58:20.326 PST

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
      91.218.38.132 (08:56:00.619 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 61910->2710 (08:56:00.619 PST)
      145.99.175.89 (08:56:14.663 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 62128->51413 (08:56:14.663 PST)
      208.95.173.194 (08:57:52.338 PST) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 63087->2710 (08:57:52.338 PST)
      193.232.159.144 (08:55:51.207 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 61866->80 (08:55:51.207 PST)
      200.87.154.194 (08:57:43.201 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->32794 (08:57:43.201 PST)
      85.17.143.16 (08:56:00.578 PST) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 61909->6969 (08:56:00.578 PST)
      90.22.151.42 (08:54:43.294 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->12560 (08:54:43.294 PST)
      84.31.116.32 (08:55:43.525 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->21547 (08:55:43.525 PST)
      90.220.42.145 (08:57:19.502 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 62894->19151 (08:57:19.502 PST)
      87.241.99.41 (08:57:52.337 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 63085->2710 (08:57:52.337 PST)
      178.204.123.184 (08:56:43.717 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->24773 (08:56:43.717 PST)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
      69.43.161.167 (08:58:20.326 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 63507->6099 (08:58:20.326 PST)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358441683.294 1358441683.295 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 91.218.38.132, 85.139.72.201, 145.99.175.89, 208.95.173.194, 193.232.159.144, 200.87.154.194, 85.17.143.16, 90.22.151.42, 84.31.116.32, 90.220.42.145, 87.241.99.41, 178.204.123.184
Resource List:
Observed Start: 01/17/2013 08:54:43.294 PST
Gen. Time: 01/17/2013 08:58:43.371 PST

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
      91.218.38.132 (08:56:00.619 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 61910->2710 (08:56:00.619 PST)
      85.139.72.201 (08:58:43.371 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->54962 (08:58:43.371 PST)
      145.99.175.89 (08:56:14.663 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 62128->51413 (08:56:14.663 PST)
      208.95.173.194 (08:57:52.338 PST) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 63087->2710 (08:57:52.338 PST)
      193.232.159.144 (08:55:51.207 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 61866->80 (08:55:51.207 PST)
      200.87.154.194 (08:57:43.201 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->32794 (08:57:43.201 PST)
      85.17.143.16 (08:56:00.578 PST) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 61909->6969 (08:56:00.578 PST)
      90.22.151.42 (08:54:43.294 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->12560 (08:54:43.294 PST)
      84.31.116.32 (08:55:43.525 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->21547 (08:55:43.525 PST)
      90.220.42.145 (08:57:19.502 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 62894->19151 (08:57:19.502 PST)
      87.241.99.41 (08:57:52.337 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 63085->2710 (08:57:52.337 PST)
      178.204.123.184 (08:56:43.717 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->24773 (08:56:43.717 PST)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
      69.43.161.167 (08:58:20.326 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 63507->6099 (08:58:20.326 PST)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358441683.294 1358441683.295 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 208.95.173.194, 67.164.118.225, 142.161.220.242, 85.17.143.16 (2), 24.84.207.107, 90.220.42.145, 208.83.20.164, 212.59.28.49
Resource List:
Observed Start: 01/17/2013 10:56:31.063 PST
Gen. Time: 01/17/2013 10:59:20.392 PST

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
      208.95.173.194 (10:59:00.802 PST) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 49772->2710 (10:59:00.802 PST)
      67.164.118.225 (10:56:40.630 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->29090 (10:56:40.630 PST)
      142.161.220.242 (10:57:40.545 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->12390 (10:57:40.545 PST)
      85.17.143.16 (2) (10:56:31.063 PST) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 65045->6969 (10:56:31.063 PST)
      -------------------------
      event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 65045->6969 (10:56:31.063 PST)
      24.84.207.107 (10:58:41.094 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->21164 (10:58:41.094 PST)
      90.220.42.145 (10:58:26.114 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 49442->19151 (10:58:26.114 PST)
      208.83.20.164 (10:58:21.082 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 49395->80 (10:58:21.082 PST)
      212.59.28.49 (10:58:27.371 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 49456->2710 (10:58:27.371 PST)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
      69.43.161.167 (10:59:20.392 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (10:59:20.392 PST)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358448991.063 1358448991.064 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 208.83.20.164, 67.164.118.225, 24.84.207.107, 208.95.173.194, 212.59.28.49, 85.17.143.16 (2), 90.220.42.145, 142.161.220.242 (2), 78.15.187.85
Resource List:
Observed Start: 01/17/2013 10:56:31.063 PST
Gen. Time: 01/17/2013 10:59:44.645 PST

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
      208.83.20.164 (10:58:21.082 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 49395->80 (10:58:21.082 PST)
      67.164.118.225 (10:56:40.630 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->29090 (10:56:40.630 PST)
      24.84.207.107 (10:58:41.094 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->21164 (10:58:41.094 PST)
      208.95.173.194 (10:59:00.802 PST) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 49772->2710 (10:59:00.802 PST)
      212.59.28.49 (10:58:27.371 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 49456->2710 (10:58:27.371 PST)
      85.17.143.16 (2) (10:56:31.063 PST) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 65045->6969 (10:56:31.063 PST)
      -------------------------
      event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 65045->6969 (10:56:31.063 PST)
      90.220.42.145 (10:58:26.114 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 49442->19151 (10:58:26.114 PST)
      142.161.220.242 (2) (10:57:40.545 PST-10:59:41.548 PST) event=1:1100013 (2) {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 2: 51413->12390 (10:57:40.545 PST-10:59:41.548 PST)
      78.15.187.85 (10:59:30.128 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 49945->6881 (10:59:30.128 PST)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
      69.43.161.167 (10:59:20.392 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (10:59:20.392 PST)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358448991.063 1358449181.549 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 50.19.95.119, 78.146.100.205, 61.91.88.106, 89.136.72.173, 83.149.86.133
Resource List:
Observed Start: 01/17/2013 12:59:55.660 PST
Gen. Time: 01/17/2013 13:01:01.152 PST

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
      50.19.95.119 (13:00:52.077 PST) event=1:1100017 {tcp} E7[info] P2P torrent scrape tracker request, [%CC%DC%85%E7%CA]D%02%B8%94%AF%FEB%D3%EDr(%C9%DD%15%FC%89%17[%8D%A5_%A6%F7_Z"%DE%D8%02-X%16%89H%F1q%DC%EF%17%8A+%A2%DD%03%0BY_%F6%C4%EC'%B2:%A2%EF%B5%88%92+%EB{%F5%9A|)%F6%0A%9B%9E%AEp%C42!] MAC_Src: 00:01:64:FF:CE:EA 55132->80 (13:00:52.077 PST)
      78.146.100.205 (12:59:56.593 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->42743 (12:59:56.593 PST)
      61.91.88.106 (12:59:55.660 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 54571->16884 (12:59:55.660 PST)
      89.136.72.173 (13:00:57.188 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->50196 (13:00:57.188 PST)
      83.149.86.133 (13:00:20.937 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 54963->6969 (13:00:20.937 PST)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
      69.43.161.167 (13:01:01.152 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 55352->6099 (13:01:01.152 PST)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358456395.660 1358456395.661 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 24.244.157.115, 208.95.173.194, 124.232.148.149, 61.91.88.106, 85.17.143.16, 171.7.130.6, 83.149.86.133, 78.22.28.248, 50.19.95.119, 78.146.100.205, 89.136.72.173
Resource List:
Observed Start: 01/17/2013 12:59:55.660 PST
Gen. Time: 01/17/2013 13:03:05.191 PST

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
      24.244.157.115 (13:02:58.056 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->46921 (13:02:58.056 PST)
      208.95.173.194 (13:02:41.189 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 56296->2711 (13:02:41.189 PST)
      124.232.148.149 (13:03:05.191 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 56535->11897 (13:03:05.191 PST)
      61.91.88.106 (12:59:55.660 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 54571->16884 (12:59:55.660 PST)
      85.17.143.16 (13:03:01.603 PST) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 56493->6969 (13:03:01.603 PST)
      171.7.130.6 (13:01:37.181 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 55693->7547 (13:01:37.181 PST)
      83.149.86.133 (13:00:20.937 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 54963->6969 (13:00:20.937 PST)
      78.22.28.248 (13:01:57.061 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->14297 (13:01:57.061 PST)
      50.19.95.119 (13:00:52.077 PST) event=1:1100017 {tcp} E7[info] P2P torrent scrape tracker request, [%CC%DC%85%E7%CA]D%02%B8%94%AF%FEB%D3%EDr(%C9%DD%15%FC%89%17[%8D%A5_%A6%F7_Z"%DE%D8%02-X%16%89H%F1q%DC%EF%17%8A+%A2%DD%03%0BY_%F6%C4%EC'%B2:%A2%EF%B5%88%92+%EB{%F5%9A|)%F6%0A%9B%9E%AEp%C42!] MAC_Src: 00:01:64:FF:CE:EA 55132->80 (13:00:52.077 PST)
      78.146.100.205 (12:59:56.593 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->42743 (12:59:56.593 PST)
      89.136.72.173 (13:00:57.188 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->50196 (13:00:57.188 PST)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
      69.43.161.167 (13:01:01.152 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 55352->6099 (13:01:01.152 PST)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358456395.660 1358456395.661 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 208.95.173.194, 50.19.95.119, 24.118.247.122, 85.17.143.16, 173.72.54.132, 90.220.42.145 (2), 83.149.86.133
Resource List:
Observed Start: 01/17/2013 15:00:01.074 PST
Gen. Time: 01/17/2013 15:01:30.378 PST

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
      208.95.173.194 (15:00:11.342 PST) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 54342->2710 (15:00:11.342 PST)
      50.19.95.119 (15:01:20.597 PST) event=1:1100017 {tcp} E7[info] P2P torrent scrape tracker request, [5,%AA.m%A6%95%B0%EF%8F%AE2%EC %B5%FC%FAF%F6%85%B4%0F%88'&%1C%9B[ln%9Er%D7%0DD%90%1A%C1I%A3%98%A7n%DE$G8T%E8Z#%F7%E1_] MAC_Src: 00:01:64:FF:CE:EA 55030->80 (15:01:20.597 PST)
      24.118.247.122 (15:00:22.221 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->32907 (15:00:22.221 PST)
      85.17.143.16 (15:01:20.681 PST) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 55031->6969 (15:01:20.681 PST)
      173.72.54.132 (15:01:22.606 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->11965 (15:01:22.606 PST)
      90.220.42.145 (2) (15:00:01.074 PST) event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 54281->19151 (15:00:01.074 PST) 55047->19151 (15:01:23.586 PST)
      83.149.86.133 (15:01:20.680 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 55029->6969 (15:01:20.680 PST)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
      69.43.161.167 (15:01:30.378 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (15:01:30.378 PST)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358463601.074 1358463601.075 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 188.138.32.243, 177.52.225.7, 208.95.173.194, 85.17.143.16, 91.224.160.192, 83.149.86.133, 90.220.42.145 (2), 78.203.107.140, 50.19.95.119, 24.118.247.122, 85.220.115.6, 173.72.54.132, 46.232.228.138
Resource List:
Observed Start: 01/17/2013 15:00:01.074 PST
Gen. Time: 01/17/2013 15:04:01.312 PST

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
      188.138.32.243 (15:03:19.579 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 56035->2710 (15:03:19.579 PST)
      177.52.225.7 (15:02:36.098 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 55715->3666 (15:02:36.098 PST)
      208.95.173.194 (15:00:11.342 PST) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 54342->2710 (15:00:11.342 PST)
      85.17.143.16 (15:01:20.681 PST) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 55031->6969 (15:01:20.681 PST)
      91.224.160.192 (15:02:42.013 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 55718->2710 (15:02:42.013 PST)
      83.149.86.133 (15:01:20.680 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 55029->6969 (15:01:20.680 PST)
      90.220.42.145 (2) (15:00:01.074 PST) event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 54281->19151 (15:00:01.074 PST) 55047->19151 (15:01:23.586 PST)
      78.203.107.140 (15:03:24.126 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->47743 (15:03:24.126 PST)
      50.19.95.119 (15:01:20.597 PST) event=1:1100017 {tcp} E7[info] P2P torrent scrape tracker request,
[5,%AA.m%A6%95%B0%EF%8F%AE2%EC %B5%FC%FAF%F6%85%B4%0F%88'&%1C%9B[ln%9Er%D7%0DD%90%1A%C1I%A3%98%A7n%DE$G8T%E8Z#%F7%E1_] MAC_Src: 00:01:64:FF:CE:EA 55030->80 (15:01:20.597 PST) 24.118.247.122 (15:00:22.221 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->32907 (15:00:22.221 PST) 85.220.115.6 (15:02:24.318 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51110 (15:02:24.318 PST) 173.72.54.132 (15:01:22.606 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->11965 (15:01:22.606 PST) 46.232.228.138 (15:03:51.607 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 56414->6573 (15:03:51.607 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (15:01:30.378 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (15:01:30.378 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1358463601.074 1358463601.075 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 114.47.207.25, 145.99.175.89 Resource List: Observed Start: 01/17/2013 17:02:55.630 PST Gen. 
Time: 01/17/2013 17:03:10.882 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 114.47.207.25 (17:02:55.630 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->49814 (17:02:55.630 PST) 145.99.175.89 (17:03:07.165 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 49231->51413 (17:03:07.165 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (17:03:10.882 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 49325->6099 (17:03:10.882 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1358470975.630 1358470975.631 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 208.95.173.194, 91.218.38.132, 91.224.160.192, 189.104.148.26, 70.67.86.185, 114.47.207.25, 50.66.49.92, 145.99.175.89 (2) Resource List: Observed Start: 01/17/2013 17:02:55.630 PST Gen. 
Time: 01/17/2013 17:06:13.507 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 208.95.173.194 (17:04:01.078 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 49647->2711 (17:04:01.078 PST) 91.218.38.132 (17:06:13.507 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 50614->2710 (17:06:13.507 PST) 91.224.160.192 (17:05:55.166 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 50349->2710 (17:05:55.166 PST) 189.104.148.26 (17:05:56.024 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->53630 (17:05:56.024 PST) 70.67.86.185 (17:03:56.975 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->15841 (17:03:56.975 PST) 114.47.207.25 (17:02:55.630 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->49814 (17:02:55.630 PST) 50.66.49.92 (17:04:56.017 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->14533 (17:04:56.017 PST) 145.99.175.89 (2) (17:03:07.165 PST) event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 49231->51413 (17:03:07.165 PST) 50119->51413 (17:05:04.173 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (17:03:10.882 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 49325->6099 (17:03:10.882 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1358470975.630 1358470975.631 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR 
================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 173.11.243.162, 87.241.99.41 Resource List: Observed Start: 01/17/2013 19:03:21.428 PST Gen. Time: 01/17/2013 19:04:10.302 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 173.11.243.162 (19:03:21.428 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51413 (19:03:21.428 PST) 87.241.99.41 (19:03:24.000 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 50945->2710 (19:03:24.000 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (19:04:10.302 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (19:04:10.302 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1358478201.428 1358478201.429 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 24.22.122.147, 41.233.113.157, 208.83.20.164, 69.35.66.145, 85.17.143.16 (2), 173.11.243.162, 90.220.42.145, 87.241.99.41, 68.53.182.6 Resource List: Observed Start: 01/17/2013 19:03:21.428 PST Gen. 
Time: 01/17/2013 19:06:28.525 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 24.22.122.147 (19:05:24.268 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->53921 (19:05:24.268 PST) 41.233.113.157 (19:04:21.538 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->29733 (19:04:21.538 PST) 208.83.20.164 (19:06:20.912 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 52261->6969 (19:06:20.912 PST) 69.35.66.145 (19:04:28.814 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 51399->60254 (19:04:28.814 PST) 85.17.143.16 (2) (19:04:11.350 PST) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 51311->6969 (19:04:11.350 PST) ------------------------- event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 51311->6969 (19:04:11.350 PST) 173.11.243.162 (19:03:21.428 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51413 (19:03:21.428 PST) 90.220.42.145 (19:06:01.823 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 51974->19151 (19:06:01.823 PST) 87.241.99.41 (19:03:24.000 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 50945->2710 (19:03:24.000 PST) 68.53.182.6 (19:06:25.097 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->53989 (19:06:25.097 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (19:04:10.302 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 
00:01:64:FF:CE:EA 51413->6099 (19:04:10.302 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1358478201.428 1358478201.429 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 86.159.124.128, 93.108.152.166, 50.19.95.119, 200.90.107.71, 90.220.42.145, 41.201.41.236, 83.149.86.133, 145.99.175.89 Resource List: Observed Start: 01/17/2013 21:02:54.271 PST Gen. Time: 01/17/2013 21:05:21.064 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 86.159.124.128 (21:02:54.271 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 50293->6890 (21:02:54.271 PST) 93.108.152.166 (21:05:13.246 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->50335 (21:05:13.246 PST) 50.19.95.119 (21:03:01.206 PST) event=1:1100017 {tcp} E7[info] P2P torrent scrape tracker request, [%89%0F%CD%FC%12'6%89v:%84@%DF%84%01%10U%AD%9B%EF&F%A8%EA:@n%BEL%96%92%F6%D2%A8%AF%B3=%C6/M%03%E5%CE%F5%EF%1B%06<*-%8E%EDJ%CD] MAC_Src: 00:01:64:FF:CE:EA 50326->80 (21:03:01.206 PST) 200.90.107.71 (21:03:12.697 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->31055 (21:03:12.697 PST) 90.220.42.145 (21:03:54.277 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 50597->19151 (21:03:54.277 PST) 41.201.41.236 (21:04:13.095 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->32215 (21:04:13.095 PST) 83.149.86.133 (21:03:10.438 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 50432->6969 
(21:03:10.438 PST) 145.99.175.89 (21:04:58.954 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 50995->51413 (21:04:58.954 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (21:05:21.064 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51124->6099 (21:05:21.064 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1358485374.271 1358485374.272 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 145.99.175.89, 93.108.152.166, 200.90.107.71, 41.201.41.236, 83.149.86.133, 90.220.42.145, 50.19.95.119, 86.159.124.128, 88.80.29.6 Resource List: Observed Start: 01/17/2013 21:02:54.271 PST Gen. Time: 01/17/2013 21:05:31.281 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 145.99.175.89 (21:04:58.954 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 50995->51413 (21:04:58.954 PST) 93.108.152.166 (21:05:13.246 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->50335 (21:05:13.246 PST) 200.90.107.71 (21:03:12.697 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->31055 (21:03:12.697 PST) 41.201.41.236 (21:04:13.095 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->32215 (21:04:13.095 PST) 83.149.86.133 (21:03:10.438 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 50432->6969 (21:03:10.438 PST) 90.220.42.145 
(21:03:54.277 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 50597->19151 (21:03:54.277 PST) 50.19.95.119 (21:03:01.206 PST) event=1:1100017 {tcp} E7[info] P2P torrent scrape tracker request, [%89%0F%CD%FC%12'6%89v:%84@%DF%84%01%10U%AD%9B%EF&F%A8%EA:@n%BEL%96%92%F6%D2%A8%AF%B3=%C6/M%03%E5%CE%F5%EF%1B%06<*-%8E%EDJ%CD] MAC_Src: 00:01:64:FF:CE:EA 50326->80 (21:03:01.206 PST) 86.159.124.128 (21:02:54.271 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 50293->6890 (21:02:54.271 PST) 88.80.29.6 (21:05:31.281 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 51152->6969 (21:05:31.281 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (21:05:21.064 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51124->6099 (21:05:21.064 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1358485374.271 1358485374.272 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================