Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 216.232.138.13, 82.16.144.214, 88.80.29.6, 87.241.99.41, 145.99.175.89
Resource List:
Observed Start: 01/18/2013 01:05:21.621 PST
Gen. Time: 01/18/2013 01:07:31.247 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info
  216.232.138.13 (01:06:50.343 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->58166 (01:06:50.343 PST)
  82.16.144.214 (01:05:50.765 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->22222 (01:05:50.765 PST)
  88.80.29.6 (01:07:11.036 PST)
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 64611->6969 (01:07:11.036 PST)
  87.241.99.41 (01:05:21.621 PST)
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 63749->2710 (01:05:21.621 PST)
  145.99.175.89 (01:06:09.211 PST)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 64038->51413 (01:06:09.211 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (01:07:31.247 PST)
    event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 64663->6099 (01:07:31.247 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358499921.621 1358499921.622 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 117.254.253.115, 216.232.138.13, 90.220.42.145, 82.16.144.214, 130.208.129.77, 88.80.29.6, 87.241.99.41 (2), 145.99.175.89 (2)
Resource List:
Observed Start: 01/18/2013 01:05:21.621 PST
Gen. Time: 01/18/2013 01:09:15.622 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info
  117.254.253.115 (01:07:51.446 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->55367 (01:07:51.446 PST)
  216.232.138.13 (01:06:50.343 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->58166 (01:06:50.343 PST)
  90.220.42.145 (01:07:51.553 PST)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 64750->19151 (01:07:51.553 PST)
  82.16.144.214 (01:05:50.765 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->22222 (01:05:50.765 PST)
  130.208.129.77 (01:08:51.372 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->57471 (01:08:51.372 PST)
  88.80.29.6 (01:07:11.036 PST)
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 64611->6969 (01:07:11.036 PST)
  87.241.99.41 (2) (01:05:21.621 PST)
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 63749->2710 (01:05:21.621 PST)
    -------------------------
    event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 64874->2710 (01:08:01.468 PST)
  145.99.175.89 (2) (01:06:09.211 PST)
    event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 64038->51413 (01:06:09.211 PST) 65173->51413 (01:08:54.236 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (01:07:31.247 PST)
    event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 64663->6099 (01:07:31.247 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358499921.621 1358499921.622 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 85.17.143.16, 90.220.42.145, 108.27.78.50, 88.80.29.6
Resource List:
Observed Start: 01/18/2013 03:06:41.283 PST
Gen. Time: 01/18/2013 03:07:50.721 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info
  85.17.143.16 (03:06:41.283 PST)
    event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 55801->6969 (03:06:41.283 PST)
  90.220.42.145 (03:07:07.935 PST)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 56149->19151 (03:07:07.935 PST)
  108.27.78.50 (03:07:10.423 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->33589 (03:07:10.423 PST)
  88.80.29.6 (03:07:41.645 PST)
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 56260->6969 (03:07:41.645 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (03:07:50.721 PST)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (03:07:50.721 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358507201.283 1358507201.284 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 188.138.32.243, 208.83.20.164, 85.17.143.16, 91.224.160.192, 180.191.117.54, 90.220.42.145 (2), 108.27.78.50, 90.42.5.197, 88.80.29.6, 200.120.145.127
Resource List:
Observed Start: 01/18/2013 03:06:41.283 PST
Gen. Time: 01/18/2013 03:10:41.490 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info
  188.138.32.243 (03:08:04.009 PST)
    event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 56527->2710 (03:08:04.009 PST)
  208.83.20.164 (03:08:41.247 PST)
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 56672->6969 (03:08:41.247 PST)
  85.17.143.16 (03:06:41.283 PST)
    event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 55801->6969 (03:06:41.283 PST)
  91.224.160.192 (03:10:41.490 PST)
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 57581->2710 (03:10:41.490 PST)
  180.191.117.54 (03:09:13.155 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->21139 (03:09:13.155 PST)
  90.220.42.145 (2) (03:07:07.935 PST)
    event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 56149->19151 (03:07:07.935 PST) 56909->19151 (03:09:03.950 PST)
  108.27.78.50 (03:07:10.423 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->33589 (03:07:10.423 PST)
  90.42.5.197 (03:10:13.072 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->54151 (03:10:13.072 PST)
  88.80.29.6 (03:07:41.645 PST)
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 56260->6969 (03:07:41.645 PST)
  200.120.145.127 (03:08:10.469 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->55504 (03:08:10.469 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (03:07:50.721 PST)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (03:07:50.721 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358507201.283 1358507201.284 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 208.95.173.194, 69.118.19.218, 78.22.28.248, 90.231.164.57, 88.80.29.6, 203.113.15.211
Resource List:
Observed Start: 01/18/2013 05:07:49.041 PST
Gen. Time: 01/18/2013 05:10:01.559 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info
  208.95.173.194 (05:09:00.227 PST)
    event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 50450->2710 (05:09:00.227 PST)
  69.118.19.218 (05:07:49.041 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->52739 (05:07:49.041 PST)
  78.22.28.248 (05:08:49.386 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->14297 (05:08:49.386 PST)
  90.231.164.57 (05:09:49.750 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->42776 (05:09:49.750 PST)
  88.80.29.6 (05:08:21.851 PST)
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 50190->6969 (05:08:21.851 PST)
  203.113.15.211 (05:09:07.114 PST)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 50580->16881 (05:09:07.114 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (05:10:01.559 PST)
    event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51016->6099 (05:10:01.559 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358514469.041 1358514469.042 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 121.14.98.151, 91.218.38.132, 208.95.173.194, 90.231.164.57, 78.22.28.248, 108.35.176.205, 69.118.19.218, 86.159.124.128, 203.113.15.211, 88.80.29.6
Resource List:
Observed Start: 01/18/2013 05:07:49.041 PST
Gen. Time: 01/18/2013 05:11:12.402 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info
  121.14.98.151 (05:10:01.741 PST)
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 51015->9090 (05:10:01.741 PST)
  91.218.38.132 (05:11:06.348 PST)
    event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 51622->2710 (05:11:06.348 PST)
  208.95.173.194 (05:09:00.227 PST)
    event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 50450->2710 (05:09:00.227 PST)
  90.231.164.57 (05:09:49.750 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->42776 (05:09:49.750 PST)
  78.22.28.248 (05:08:49.386 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->14297 (05:08:49.386 PST)
  108.35.176.205 (05:10:49.572 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->38387 (05:10:49.572 PST)
  69.118.19.218 (05:07:49.041 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->52739 (05:07:49.041 PST)
  86.159.124.128 (05:10:09.377 PST)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 51092->6890 (05:10:09.377 PST)
  203.113.15.211 (05:09:07.114 PST)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 50580->16881 (05:09:07.114 PST)
  88.80.29.6 (05:08:21.851 PST)
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 50190->6969 (05:08:21.851 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (05:10:01.559 PST)
    event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51016->6099 (05:10:01.559 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358514469.041 1358514469.042 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 200.87.157.250
Resource List:
Observed Start: 01/18/2013 07:10:09.996 PST
Gen. Time: 01/18/2013 07:10:30.638 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info
  200.87.157.250 (07:10:09.996 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->32793 (07:10:09.996 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (07:10:30.638 PST)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (07:10:30.638 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358521809.996 1358521809.997 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 72.225.153.32, 188.138.32.243, 200.87.157.250, 91.224.160.192, 92.26.255.231, 145.99.175.89 (2)
Resource List:
Observed Start: 01/18/2013 07:10:09.996 PST
Gen. Time: 01/18/2013 07:13:08.806 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info
  72.225.153.32 (07:11:09.369 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->18721 (07:11:09.369 PST)
  188.138.32.243 (07:11:10.171 PST)
    event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 64332->2710 (07:11:10.171 PST)
  200.87.157.250 (07:10:09.996 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->32793 (07:10:09.996 PST)
  91.224.160.192 (07:12:36.424 PST)
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 64995->2710 (07:12:36.424 PST)
  92.26.255.231 (07:12:09.154 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->36853 (07:12:09.154 PST)
  145.99.175.89 (2) (07:11:23.551 PST)
    event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 64461->51413 (07:11:23.551 PST) 64940->51413 (07:12:28.092 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (07:10:30.638 PST)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (07:10:30.638 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358521809.996 1358521809.997 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 2.225.124.65, 188.138.32.243, 46.127.18.225, 90.220.42.145, 87.3.56.86
Resource List:
Observed Start: 01/18/2013 09:10:15.275 PST
Gen. Time: 01/18/2013 09:12:21.116 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info
  2.225.124.65 (09:10:15.275 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->12120 (09:10:15.275 PST)
  188.138.32.243 (09:11:19.548 PST)
    event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 64256->2710 (09:11:19.548 PST)
  46.127.18.225 (09:11:15.165 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6881 (09:11:15.165 PST)
  90.220.42.145 (09:11:19.364 PST)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 64255->19151 (09:11:19.364 PST)
  87.3.56.86 (09:12:17.677 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->53100 (09:12:17.677 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (09:12:21.116 PST)
    event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 64859->6099 (09:12:21.116 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358529015.275 1358529015.276 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 2.225.124.65, 188.138.32.243, 46.127.18.225, 61.91.88.54, 90.220.42.145, 46.196.117.241, 87.3.56.86
Resource List:
Observed Start: 01/18/2013 09:10:15.275 PST
Gen. Time: 01/18/2013 09:13:57.700 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info
  2.225.124.65 (09:10:15.275 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->12120 (09:10:15.275 PST)
  188.138.32.243 (09:11:19.548 PST)
    event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 64256->2710 (09:11:19.548 PST)
  46.127.18.225 (09:11:15.165 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6881 (09:11:15.165 PST)
  61.91.88.54 (09:13:29.378 PST)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 65526->16884 (09:13:29.378 PST)
  90.220.42.145 (09:11:19.364 PST)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 64255->19151 (09:11:19.364 PST)
  46.196.117.241 (09:13:18.714 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->31443 (09:13:18.714 PST)
  87.3.56.86 (09:12:17.677 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->53100 (09:12:17.677 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (09:12:21.116 PST)
    event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 64859->6099 (09:12:21.116 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358529015.275 1358529015.276 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 190.135.39.227
Resource List:
Observed Start: 01/18/2013 11:12:18.174 PST
Gen. Time: 01/18/2013 11:12:50.600 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info
  190.135.39.227 (11:12:18.174 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->24874 (11:12:18.174 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (11:12:50.600 PST)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (11:12:50.600 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358536338.174 1358536338.175 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 190.135.39.227, 202.4.79.138, 98.118.153.90, 124.8.223.67, 87.241.99.41
Resource List:
Observed Start: 01/18/2013 11:12:18.174 PST
Gen. Time: 01/18/2013 11:14:48.413 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info
  190.135.39.227 (11:12:18.174 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->24874 (11:12:18.174 PST)
  202.4.79.138 (11:14:18.033 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->12420 (11:14:18.033 PST)
  98.118.153.90 (11:13:18.102 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->52798 (11:13:18.102 PST)
  124.8.223.67 (11:12:55.392 PST)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 58506->16884 (11:12:55.392 PST)
  87.241.99.41 (11:13:44.245 PST)
    event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 58745->2710 (11:13:44.245 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (11:12:50.600 PST)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (11:12:50.600 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358536338.174 1358536338.175 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 201.251.97.11, 72.70.182.242
Resource List:
Observed Start: 01/18/2013 13:13:53.411 PST
Gen. Time: 01/18/2013 13:14:21.013 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info
  201.251.97.11 (13:14:11.400 PST)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 63403->16884 (13:14:11.400 PST)
  72.70.182.242 (13:13:53.411 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->64895 (13:13:53.411 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (13:14:21.013 PST)
    event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 63427->6099 (13:14:21.013 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358543633.411 1358543633.412 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 201.251.97.11, 86.176.31.118, 188.138.32.243, 94.71.207.62, 72.70.182.242, 91.224.160.192, 79.115.186.172
Resource List:
Observed Start: 01/18/2013 13:13:53.411 PST
Gen. Time: 01/18/2013 13:16:55.290 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info
  201.251.97.11 (13:14:11.400 PST)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 63403->16884 (13:14:11.400 PST)
  86.176.31.118 (13:16:13.415 PST)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 64424->6890 (13:16:13.415 PST)
  188.138.32.243 (13:16:21.180 PST)
    event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 64457->2710 (13:16:21.180 PST)
  94.71.207.62 (13:15:56.865 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->50923 (13:15:56.865 PST)
  72.70.182.242 (13:13:53.411 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->64895 (13:13:53.411 PST)
  91.224.160.192 (13:16:21.186 PST)
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 64456->2710 (13:16:21.186 PST)
  79.115.186.172 (13:14:56.284 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->25442 (13:14:56.284 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (13:14:21.013 PST)
    event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 63427->6099 (13:14:21.013 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358543633.411 1358543633.412 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 124.232.148.149, 157.181.102.170, 200.87.157.250, 123.112.131.197, 58.164.143.210, 87.241.99.41
Resource List:
Observed Start: 01/18/2013 15:11:58.747 PST
Gen. Time: 01/18/2013 15:14:40.464 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info
  124.232.148.149 (15:11:58.747 PST)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 49696->15398 (15:11:58.747 PST)
  157.181.102.170 (15:14:16.165 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->49371 (15:14:16.165 PST)
  200.87.157.250 (15:12:16.414 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->32793 (15:12:16.414 PST)
  123.112.131.197 (15:13:16.538 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->7003 (15:13:16.538 PST)
  58.164.143.210 (15:13:36.263 PST)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 50586->60206 (15:13:36.263 PST)
  87.241.99.41 (15:14:33.209 PST)
    event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 51048->2710 (15:14:33.209 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (15:14:40.464 PST)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (15:14:40.464 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358550718.747 1358550718.748 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 124.232.148.149 (2), 157.181.102.170, 200.87.157.250, 221.255.70.43, 123.112.131.197, 58.164.143.210, 87.241.99.41
Resource List:
Observed Start: 01/18/2013 15:11:58.747 PST
Gen. Time: 01/18/2013 15:15:35.038 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info
  124.232.148.149 (2) (15:11:58.747 PST)
    event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 49696->15398 (15:11:58.747 PST) 51178->15398 (15:15:00.274 PST)
  157.181.102.170 (15:14:16.165 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->49371 (15:14:16.165 PST)
  200.87.157.250 (15:12:16.414 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->32793 (15:12:16.414 PST)
  221.255.70.43 (15:15:16.312 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->52940 (15:15:16.312 PST)
  123.112.131.197 (15:13:16.538 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->7003 (15:13:16.538 PST)
  58.164.143.210 (15:13:36.263 PST)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 50586->60206 (15:13:36.263 PST)
  87.241.99.41 (15:14:33.209 PST)
    event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 51048->2710 (15:14:33.209 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (15:14:40.464 PST)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (15:14:40.464 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358550718.747 1358550718.748 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 86.176.31.118, 109.64.165.248, 190.4.77.221, 90.202.41.89
Resource List:
Observed Start: 01/18/2013 17:14:44.733 PST
Gen. Time: 01/18/2013 17:16:51.694 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info
  86.176.31.118 (17:15:55.507 PST)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 61112->6890 (17:15:55.507 PST)
  109.64.165.248 (17:15:45.167 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->55952 (17:15:45.167 PST)
  190.4.77.221 (17:16:46.951 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->42892 (17:16:46.951 PST)
  90.202.41.89 (17:14:44.733 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->58433 (17:14:44.733 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (17:16:51.694 PST)
    event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 61513->6099 (17:16:51.694 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358558084.733 1358558084.734 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 188.138.32.243, 190.4.77.221, 90.202.41.89, 109.64.165.248 (2), 90.220.42.145, 86.176.31.118, 58.164.143.210, 71.8.10.37, 178.239.54.151
Resource List:
Observed Start: 01/18/2013 17:14:44.733 PST
Gen. Time: 01/18/2013 17:18:46.487 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info
  188.138.32.243 (17:18:40.889 PST)
    event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 62482->2710 (17:18:40.889 PST)
  190.4.77.221 (17:16:46.951 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->42892 (17:16:46.951 PST)
  90.202.41.89 (17:14:44.733 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->58433 (17:14:44.733 PST)
  109.64.165.248 (2) (17:15:45.167 PST-17:18:46.487 PST)
    event=1:1100013 (2) {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 2: 51413->55952 (17:15:45.167 PST-17:18:46.487 PST)
  90.220.42.145 (17:17:09.011 PST)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 61782->19151 (17:17:09.011 PST)
  86.176.31.118 (17:15:55.507 PST)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 61112->6890 (17:15:55.507 PST)
  58.164.143.210 (17:18:12.021 PST)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 62348->60206 (17:18:12.021 PST)
  71.8.10.37 (17:17:46.352 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->40430 (17:17:46.352 PST)
  178.239.54.151 (17:18:40.888 PST)
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 62477->2710 (17:18:40.888 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (17:16:51.694 PST)
    event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 61513->6099 (17:16:51.694 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358558084.733 1358558326.488 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 67.164.118.225, 82.3.137.27, 91.224.160.192, 173.72.54.132, 91.72.211.63
Resource List:
Observed Start: 01/18/2013 19:14:36.138 PST
Gen. Time: 01/18/2013 19:17:00.743 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info
  67.164.118.225 (19:16:52.026 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->29090 (19:16:52.026 PST)
  82.3.137.27 (19:14:36.138 PST)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 55154->51413 (19:14:36.138 PST)
  91.224.160.192 (19:14:58.146 PST)
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 55290->2710 (19:14:58.146 PST)
  173.72.54.132 (19:15:52.994 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->11965 (19:15:52.994 PST)
  91.72.211.63 (19:14:52.163 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->45030 (19:14:52.163 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (19:17:00.743 PST)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (19:17:00.743 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358565276.138 1358565276.139 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer
Coord. List: 86.176.31.118, 67.164.118.225, 82.3.137.27, 91.224.160.192, 173.72.54.132, 91.72.211.63 Resource List: Observed Start: 01/18/2013 19:14:36.138 PST Gen. Time: 01/18/2013 19:17:39.739 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 86.176.31.118 (19:17:08.150 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 56491->6890 (19:17:08.150 PST) 67.164.118.225 (19:16:52.026 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->29090 (19:16:52.026 PST) 82.3.137.27 (19:14:36.138 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 55154->51413 (19:14:36.138 PST) 91.224.160.192 (19:14:58.146 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 55290->2710 (19:14:58.146 PST) 173.72.54.132 (19:15:52.994 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->11965 (19:15:52.994 PST) 91.72.211.63 (19:14:52.163 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->45030 (19:14:52.163 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (19:17:00.743 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (19:17:00.743 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1358565276.138 1358565276.139 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. 
List: 186.134.0.201, 82.3.137.27, 91.224.160.192, 62.30.48.143 Resource List: Observed Start: 01/18/2013 21:15:46.938 PST Gen. Time: 01/18/2013 21:18:10.326 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 186.134.0.201 (21:16:40.827 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->56583 (21:16:40.827 PST) 82.3.137.27 (21:15:46.938 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 63806->51413 (21:15:46.938 PST) 91.224.160.192 (21:16:12.166 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 63926->2710 (21:16:12.166 PST) 62.30.48.143 (21:17:43.320 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->26199 (21:17:43.320 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (21:18:10.326 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 64936->6099 (21:18:10.326 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1358572546.938 1358572546.939 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 186.134.0.201 (2), 82.3.137.27, 91.224.160.192, 90.220.42.145, 62.30.48.143 Resource List: Observed Start: 01/18/2013 21:15:46.938 PST Gen. 
Time: 01/18/2013 21:19:14.772 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 186.134.0.201 (2) (21:16:40.827 PST-21:18:44.657 PST) event=1:1100013 (2) {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 2: 51413->56583 (21:16:40.827 PST-21:18:44.657 PST) 82.3.137.27 (21:15:46.938 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 63806->51413 (21:15:46.938 PST) 91.224.160.192 (21:16:12.166 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 63926->2710 (21:16:12.166 PST) 90.220.42.145 (21:18:28.785 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 64984->19151 (21:18:28.785 PST) 62.30.48.143 (21:17:43.320 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->26199 (21:17:43.320 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (21:18:10.326 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 64936->6099 (21:18:10.326 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1358572546.938 1358572724.658 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================