Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 71.84.2.143, 86.176.31.118, 188.138.32.243, 41.233.113.1, 91.224.160.192, 58.169.152.14, 90.220.42.145
Resource List:
Observed Start: 01/19/2013 01:16:34.283 PST
Gen. Time: 01/19/2013 01:19:40.338 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info 71.84.2.143 (01:18:01.290 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
51413->40143 (01:18:01.290 PST)
86.176.31.118 (01:16:48.776 PST)
event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
53638->6890 (01:16:48.776 PST)
188.138.32.243 (01:17:59.168 PST)
event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
54278->2710 (01:17:59.168 PST)
41.233.113.1 (01:19:01.710 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
51413->29733 (01:19:01.710 PST)
91.224.160.192 (01:16:34.283 PST)
event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
53495->2710 (01:16:34.283 PST)
58.169.152.14 (01:17:01.219 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
51413->44255 (01:17:01.219 PST)
90.220.42.145 (01:19:03.299 PST)
event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
54754->19151 (01:19:03.299 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (01:19:40.338 PST)
event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
54991->6099 (01:19:40.338 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358586994.283 1358586994.284 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 188.138.32.243, 71.84.2.143, 121.14.98.151, 41.233.113.1, 91.224.160.192, 90.220.42.145, 86.176.31.118, 78.179.2.79, 58.169.152.14
Resource List:
Observed Start: 01/19/2013 01:16:34.283 PST
Gen. Time: 01/19/2013 01:20:34.765 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info 188.138.32.243 (01:17:59.168 PST)
event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
54278->2710 (01:17:59.168 PST)
71.84.2.143 (01:18:01.290 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
51413->40143 (01:18:01.290 PST)
121.14.98.151 (01:20:31.534 PST)
event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
55477->9090 (01:20:31.534 PST)
41.233.113.1 (01:19:01.710 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
51413->29733 (01:19:01.710 PST)
91.224.160.192 (01:16:34.283 PST)
event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
53495->2710 (01:16:34.283 PST)
90.220.42.145 (01:19:03.299 PST)
event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
54754->19151 (01:19:03.299 PST)
86.176.31.118 (01:16:48.776 PST)
event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
53638->6890 (01:16:48.776 PST)
78.179.2.79 (01:20:01.314 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
51413->52022 (01:20:01.314 PST)
58.169.152.14 (01:17:01.219 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
51413->44255 (01:17:01.219 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (01:19:40.338 PST)
event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
54991->6099 (01:19:40.338 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358586994.283 1358586994.284 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 86.76.227.205, 88.167.187.20, 91.224.160.192 (2), 90.220.42.145, 84.123.182.107, 87.241.99.41
Resource List:
Observed Start: 01/19/2013 03:17:33.217 PST
Gen. Time: 01/19/2013 03:20:10.052 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info 86.76.227.205 (03:18:47.133 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
51413->52191 (03:18:47.133 PST)
88.167.187.20 (03:19:47.406 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
51413->60014 (03:19:47.406 PST)
91.224.160.192 (2) (03:17:34.186 PST)
event=1:1100016 (2) {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
61419->2710 (03:17:34.186 PST)
62320->2710 (03:19:23.153 PST)
90.220.42.145 (03:18:12.786 PST)
event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
61743->19151 (03:18:12.786 PST)
84.123.182.107 (03:17:47.677 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
51413->60904 (03:17:47.677 PST)
87.241.99.41 (03:17:33.217 PST)
event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
61428->2710 (03:17:33.217 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (03:20:10.052 PST)
event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
51413->6099 (03:20:10.052 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358594253.217 1358594253.218 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 188.138.32.243, 88.167.187.20, 91.224.160.192 (2), 90.220.42.145, 86.176.31.118, 87.241.99.41, 86.76.227.205, 96.49.232.241, 84.123.182.107
Resource List:
Observed Start: 01/19/2013 03:17:33.217 PST
Gen. Time: 01/19/2013 03:21:28.169 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info 188.138.32.243 (03:21:28.169 PST)
event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
63214->2710 (03:21:28.169 PST)
88.167.187.20 (03:19:47.406 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
51413->60014 (03:19:47.406 PST)
91.224.160.192 (2) (03:17:34.186 PST)
event=1:1100016 (2) {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
61419->2710 (03:17:34.186 PST)
62320->2710 (03:19:23.153 PST)
90.220.42.145 (03:18:12.786 PST)
event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
61743->19151 (03:18:12.786 PST)
86.176.31.118 (03:20:33.308 PST)
event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
62889->6890 (03:20:33.308 PST)
87.241.99.41 (03:17:33.217 PST)
event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
61428->2710 (03:17:33.217 PST)
86.76.227.205 (03:18:47.133 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
51413->52191 (03:18:47.133 PST)
96.49.232.241 (03:20:47.583 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
51413->56313 (03:20:47.583 PST)
84.123.182.107 (03:17:47.677 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
51413->60904 (03:17:47.677 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (03:20:10.052 PST)
event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
51413->6099 (03:20:10.052 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358594253.217 1358594253.218 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 41.42.124.103, 91.218.38.132, 83.36.200.175, 91.224.160.192 (4), 69.118.19.218, 90.220.42.145 (2), 46.141.12.193, 178.117.24.160
Resource List:
Observed Start: 01/19/2013 05:17:37.936 PST
Gen. Time: 01/19/2013 05:21:20.274 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info 41.42.124.103 (05:20:37.744 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
51413->61387 (05:20:37.744 PST)
91.218.38.132 (05:18:59.018 PST)
event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
50956->2710 (05:18:59.018 PST)
83.36.200.175 (05:18:37.729 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
51413->61699 (05:18:37.729 PST)
91.224.160.192 (4) (05:18:15.526 PST)
event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA
50783->2710 (05:18:27.635 PST)
-------------------------
event=1:1100016 (3) {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
50756->2710 (05:18:15.526 PST)
51100->2710 (05:19:21.357 PST)
51991->2710 (05:21:13.127 PST)
69.118.19.218 (05:17:37.936 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
51413->52739 (05:17:37.936 PST)
90.220.42.145 (2) (05:18:03.310 PST)
event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
50686->19151 (05:18:03.310 PST)
51630->19151 (05:20:16.833 PST)
46.141.12.193 (05:19:16.824 PST)
event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
51231->6890 (05:19:16.824 PST)
178.117.24.160 (05:19:37.182 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
51413->49110 (05:19:37.182 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (05:21:20.274 PST)
event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
52168->6099 (05:21:20.274 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358601457.936 1358601457.937 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 46.141.12.193, 91.218.38.132, 178.117.24.160, 91.224.160.192 (4), 86.176.31.118, 90.220.42.145 (2), 69.118.19.218, 41.42.124.103, 83.36.200.175
Resource List:
Observed Start: 01/19/2013 05:17:37.936 PST
Gen. Time: 01/19/2013 05:21:36.788 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info 46.141.12.193 (05:19:16.824 PST)
event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
51231->6890 (05:19:16.824 PST)
91.218.38.132 (05:18:59.018 PST)
event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
50956->2710 (05:18:59.018 PST)
178.117.24.160 (05:19:37.182 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
51413->49110 (05:19:37.182 PST)
91.224.160.192 (4) (05:18:15.526 PST)
event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA
50783->2710 (05:18:27.635 PST)
-------------------------
event=1:1100016 (3) {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
50756->2710 (05:18:15.526 PST)
51100->2710 (05:19:21.357 PST)
51991->2710 (05:21:13.127 PST)
86.176.31.118 (05:21:31.341 PST)
event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
52197->6890 (05:21:31.341 PST)
90.220.42.145 (2) (05:18:03.310 PST)
event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
50686->19151 (05:18:03.310 PST)
51630->19151 (05:20:16.833 PST)
69.118.19.218 (05:17:37.936 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
51413->52739 (05:17:37.936 PST)
41.42.124.103 (05:20:37.744 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
51413->61387 (05:20:37.744 PST)
83.36.200.175 (05:18:37.729 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
51413->61699 (05:18:37.729 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (05:21:20.274 PST)
event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
52168->6099 (05:21:20.274 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358601457.936 1358601457.937 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 46.7.92.13 (2), 31.8.37.86, 101.165.52.82, 90.220.42.145 (2), 121.14.98.151, 145.99.175.89
Resource List:
Observed Start: 01/19/2013 07:18:21.731 PST
Gen. Time: 01/19/2013 07:21:50.974 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info 46.7.92.13 (2) (07:18:21.731 PST-07:19:21.715 PST)
event=1:1100013 (2) {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
2: 51413->46561 (07:18:21.731 PST-07:19:21.715 PST)
31.8.37.86 (07:21:21.320 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
51413->37707 (07:21:21.320 PST)
101.165.52.82 (07:20:21.254 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
51413->51413 (07:20:21.254 PST)
90.220.42.145 (2) (07:18:22.309 PST)
event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
52284->19151 (07:20:59.833 PST)
51346->19151 (07:18:22.309 PST)
121.14.98.151 (07:19:52.071 PST)
event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
51899->9090 (07:19:52.071 PST)
145.99.175.89 (07:19:50.996 PST)
event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
51888->51413 (07:19:50.996 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (07:21:50.974 PST)
event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
51413->6099 (07:21:50.974 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358608701.731 1358608761.716 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 86.176.31.118, 91.218.38.132, 2.84.22.80, 24.65.230.239, 90.220.42.145, 88.175.169.151
Resource List:
Observed Start: 01/19/2013 09:21:16.216 PST
Gen. Time: 01/19/2013 09:23:31.379 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info 86.176.31.118 (09:22:36.880 PST)
event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
56275->6890 (09:22:36.880 PST)
91.218.38.132 (09:22:10.231 PST)
event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
56063->2710 (09:22:10.231 PST)
2.84.22.80 (09:22:16.667 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
51413->58992 (09:22:16.667 PST)
24.65.230.239 (09:21:16.216 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
51413->55008 (09:21:16.216 PST)
90.220.42.145 (09:21:30.369 PST)
event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
55835->19151 (09:21:30.369 PST)
88.175.169.151 (09:23:16.442 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
51413->45682 (09:23:16.442 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (09:23:31.379 PST)
event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
56616->6099 (09:23:31.379 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358616076.216 1358616076.217 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 2.84.22.80, 177.16.246.46, 208.83.20.164, 91.218.38.132, 145.99.175.89, 24.65.230.239, 90.220.42.145, 86.176.31.118, 88.175.169.151
Resource List:
Observed Start: 01/19/2013 09:21:16.216 PST
Gen. Time: 01/19/2013 09:24:34.575 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info 2.84.22.80 (09:22:16.667 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
51413->58992 (09:22:16.667 PST)
177.16.246.46 (09:24:16.200 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
51413->38637 (09:24:16.200 PST)
208.83.20.164 (09:23:31.449 PST)
event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [%04%EF1%A1%BB%17^%B0%17%03%01%04%F4%0C%01q%C5%FF&%B9%D4%15%B2-%F7%D81+t%E1C%11%D0%8Fw%B8%87Q%D7]>%9E%DCf%14%19%07%03%8A#%C6%B6%88a] MAC_Src: 00:01:64:FF:CE:EA
56615->80 (09:23:31.449 PST)
91.218.38.132 (09:22:10.231 PST)
event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
56063->2710 (09:22:10.231 PST)
145.99.175.89 (09:24:34.575 PST)
event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
57022->51413 (09:24:34.575 PST)
24.65.230.239 (09:21:16.216 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
51413->55008 (09:21:16.216 PST)
90.220.42.145 (09:21:30.369 PST)
event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
55835->19151 (09:21:30.369 PST)
86.176.31.118 (09:22:36.880 PST)
event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
56275->6890 (09:22:36.880 PST)
88.175.169.151 (09:23:16.442 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
51413->45682 (09:23:16.442 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (09:23:31.379 PST)
event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
56616->6099 (09:23:31.379 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358616076.216 1358616076.217 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 79.48.177.192, 114.32.131.48
Resource List:
Observed Start: 01/19/2013 11:23:36.076 PST
Gen. Time: 01/19/2013 11:24:20.277 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info 79.48.177.192 (11:24:06.457 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
51413->13017 (11:24:06.457 PST)
114.32.131.48 (11:23:36.076 PST)
event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
59262->22000 (11:23:36.076 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (11:24:20.277 PST)
event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
51413->6099 (11:24:20.277 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358623416.076 1358623416.077 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 79.48.177.192, 99.0.36.255, 212.59.28.49 (2), 99.231.87.162, 202.4.79.138, 90.220.42.145, 94.242.221.123, 114.32.131.48, 86.173.129.133
Resource List:
Observed Start: 01/19/2013 11:23:36.076 PST
Gen. Time: 01/19/2013 11:27:41.287 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info 79.48.177.192 (11:24:06.457 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
51413->13017 (11:24:06.457 PST)
99.0.36.255 (11:27:08.045 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
51413->39092 (11:27:08.045 PST)
212.59.28.49 (2) (11:26:20.869 PST)
event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
60207->2710 (11:26:20.869 PST)
-------------------------
event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
60538->2710 (11:27:09.249 PST)
99.231.87.162 (11:25:06.637 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
51413->50020 (11:25:06.637 PST)
202.4.79.138 (11:26:06.397 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
51413->12420 (11:26:06.397 PST)
90.220.42.145 (11:24:58.585 PST)
event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
59657->19151 (11:24:58.585 PST)
94.242.221.123 (11:25:00.502 PST)
event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [/FEEDS/AGENT19/2013-01-18/BOTNET_CC_FEED.2013-01-18.TXT] MAC_Src: 00:01:64:FF:CE:EA
59670->80 (11:25:00.502 PST)
114.32.131.48 (11:23:36.076 PST)
event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
59262->22000 (11:23:36.076 PST)
86.173.129.133 (11:26:47.097 PST)
event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
60408->6890 (11:26:47.097 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (11:24:20.277 PST)
event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
51413->6099 (11:24:20.277 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358623416.076 1358623416.077 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 141.134.4.203, 86.173.129.133, 174.113.252.211, 85.17.143.16 (2), 94.242.221.123, 90.220.42.145
Resource List:
Observed Start: 01/19/2013 13:24:10.609 PST
Gen. Time: 01/19/2013 13:26:11.201 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info 141.134.4.203 (13:25:03.279 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
51413->58305 (13:25:03.279 PST)
86.173.129.133 (13:25:37.683 PST)
event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
60090->6890 (13:25:37.683 PST)
174.113.252.211 (13:26:03.415 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
51413->45073 (13:26:03.415 PST)
85.17.143.16 (2) (13:24:10.609 PST)
event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA
59417->6969 (13:24:10.609 PST)
-------------------------
event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
59417->6969 (13:24:10.609 PST)
94.242.221.123 (13:25:50.942 PST)
event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [%00%B7%F5n%91%BAF%FE%8B%98%E7%80.+;%A1b%E7%BFL%E5%18X%15a%1A%AE%F6%D7H%CF%D1I=%1F%D08%F0%A9%E9%F7%998&%B0%97%9D%05%E5%EF%CA%E1%C9%04] MAC_Src: 00:01:64:FF:CE:EA
60149->80 (13:25:50.942 PST)
90.220.42.145 (13:24:31.671 PST)
event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
59537->19151 (13:24:31.671 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (13:26:11.201 PST)
event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
60271->6099 (13:26:11.201 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358630650.609 1358630650.610 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 141.134.4.203, 86.173.129.133, 31.151.125.75, 174.113.252.211, 85.17.143.16 (2), 94.242.221.123, 90.220.42.145
Resource List:
Observed Start: 01/19/2013 13:24:10.609 PST
Gen. Time: 01/19/2013 13:27:26.228 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info 141.134.4.203 (13:25:03.279 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
51413->58305 (13:25:03.279 PST)
86.173.129.133 (13:25:37.683 PST)
event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
60090->6890 (13:25:37.683 PST)
31.151.125.75 (13:27:03.330 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
51413->37642 (13:27:03.330 PST)
174.113.252.211 (13:26:03.415 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
51413->45073 (13:26:03.415 PST)
85.17.143.16 (2) (13:24:10.609 PST)
event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA
59417->6969 (13:24:10.609 PST)
-------------------------
event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
59417->6969 (13:24:10.609 PST)
94.242.221.123 (13:25:50.942 PST)
event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [%00%B7%F5n%91%BAF%FE%8B%98%E7%80.+;%A1b%E7%BFL%E5%18X%15a%1A%AE%F6%D7H%CF%D1I=%1F%D08%F0%A9%E9%F7%998&%B0%97%9D%05%E5%EF%CA%E1%C9%04] MAC_Src: 00:01:64:FF:CE:EA
60149->80 (13:25:50.942 PST)
90.220.42.145 (13:24:31.671 PST)
event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
59537->19151 (13:24:31.671 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (13:26:11.201 PST)
event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
60271->6099 (13:26:11.201 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358630650.609 1358630650.610 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 124.232.148.149, 85.17.143.16, 93.97.234.142, 109.144.170.210, 87.241.99.41
Resource List:
Observed Start: 01/19/2013 15:25:05.037 PST
Gen. Time: 01/19/2013 15:26:20.501 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info 124.232.148.149 (15:26:18.658 PST)
event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
65054->13407 (15:26:18.658 PST)
85.17.143.16 (15:25:17.149 PST)
event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
64411->6969 (15:25:17.149 PST)
93.97.234.142 (15:25:05.037 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
51413->31433 (15:25:05.037 PST)
109.144.170.210 (15:26:06.755 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
51413->41514 (15:26:06.755 PST)
87.241.99.41 (15:26:11.195 PST)
event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
64900->2710 (15:26:11.195 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (15:26:20.501 PST)
event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
51413->6099 (15:26:20.501 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358637905.037 1358637905.038 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 188.138.32.243, 93.97.234.142, 124.232.148.149, 213.22.63.238, 85.17.143.16, 91.224.160.192, 90.220.42.145, 87.241.99.41, 109.144.170.210, 94.242.221.123, 95.248.237.80
Resource List:
Observed Start: 01/19/2013 15:25:05.037 PST
Gen. Time: 01/19/2013 15:28:44.870 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info 188.138.32.243 (15:27:28.976 PST)
event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
49277->2710 (15:27:28.976 PST)
93.97.234.142 (15:25:05.037 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
51413->31433 (15:25:05.037 PST)
124.232.148.149 (15:26:18.658 PST)
event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
65054->13407 (15:26:18.658 PST)
213.22.63.238 (15:28:08.343 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
51413->34650 (15:28:08.343 PST)
85.17.143.16 (15:25:17.149 PST)
event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
64411->6969 (15:25:17.149 PST)
91.224.160.192 (15:27:51.170 PST)
event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
49344->2710 (15:27:51.170 PST)
90.220.42.145 (15:28:05.171 PST)
event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
49496->19151 (15:28:05.171 PST)
87.241.99.41 (15:26:11.195 PST)
event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
64900->2710 (15:26:11.195 PST)
109.144.170.210 (15:26:06.755 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
51413->41514 (15:26:06.755 PST)
94.242.221.123 (15:26:31.546 PST)
event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [/safebrowsing/downloads?client=navclient-auto-ffox&appver=16.0.2&pver=2.2&wrkey=AKEgNitzp-nhi_NFu5jGj0iCUSG1dubRDZpgSppk_7uxQcH] MAC_Src: 00:01:64:FF:CE:EA
65204->80 (15:26:31.546 PST)
95.248.237.80 (15:27:07.912 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
51413->51413 (15:27:07.912 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (15:26:20.501 PST)
event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
51413->6099 (15:26:20.501 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358637905.037 1358637905.038 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 178.239.54.153, 188.138.32.243, 109.67.111.175, 85.17.143.16 (2), 90.220.42.145, 24.226.87.62, 145.99.175.89
Resource List:
Observed Start: 01/19/2013 17:26:05.873 PST
Gen. Time: 01/19/2013 17:28:30.798 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info 178.239.54.153 (17:26:41.181 PST)
event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
57540->3310 (17:26:41.181 PST)
188.138.32.243 (17:27:11.947 PST)
event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
57874->2710 (17:27:11.947 PST)
109.67.111.175 (17:26:44.105 PST)
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
51413->30759 (17:26:44.105 PST)
85.17.143.16 (2) (17:28:01.636 PST)
event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA
58278->6969 (17:28:01.636 PST)
-------------------------
event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
58278->6969 (17:28:01.636 PST)
90.220.42.145 (17:27:19.722 PST)
event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
57960->19151 (17:27:19.722 PST) 24.226.87.62 (17:27:46.152 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->54821 (17:27:46.152 PST) 145.99.175.89 (17:26:05.873 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 57335->51413 (17:26:05.873 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (17:28:30.798 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 58529->6099 (17:28:30.798 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1358645165.873 1358645165.874 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 178.239.54.153, 188.138.32.243, 109.67.111.175, 85.17.143.16 (2), 176.42.183.206, 90.220.42.145, 24.226.87.62, 145.99.175.89 (2) Resource List: Observed Start: 01/19/2013 17:26:05.873 PST Gen. 
Time: 01/19/2013 17:29:17.652 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 178.239.54.153 (17:26:41.181 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 57540->3310 (17:26:41.181 PST) 188.138.32.243 (17:27:11.947 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 57874->2710 (17:27:11.947 PST) 109.67.111.175 (17:26:44.105 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->30759 (17:26:44.105 PST) 85.17.143.16 (2) (17:28:01.636 PST) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 58278->6969 (17:28:01.636 PST) ------------------------- event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 58278->6969 (17:28:01.636 PST) 176.42.183.206 (17:28:48.093 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->45736 (17:28:48.093 PST) 90.220.42.145 (17:27:19.722 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 57960->19151 (17:27:19.722 PST) 24.226.87.62 (17:27:46.152 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->54821 (17:27:46.152 PST) 145.99.175.89 (2) (17:26:05.873 PST) event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 57335->51413 (17:26:05.873 PST) 58583->51413 (17:28:44.401 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (17:28:30.798 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 58529->6099 (17:28:30.798 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 
1358645165.873 1358645165.874 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 79.114.196.65, 41.233.113.1, 94.242.221.123, 189.114.229.144, 145.99.175.89 (2) Resource List: Observed Start: 01/19/2013 19:27:01.313 PST Gen. Time: 01/19/2013 19:29:10.379 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 79.114.196.65 (19:28:34.129 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->21284 (19:28:34.129 PST) 41.233.113.1 (19:27:31.065 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->29733 (19:27:31.065 PST) 94.242.221.123 (19:27:31.168 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [%E51%C4%F6%11`5%BD+}1ZmA%89N}s1w%04%92/H%E8B%97,%FCH%97%ADkq%EA%A1M%C9%B4%CC6a%D3y%BF%A0%9B%D4Q%8D%97%CB%EE|] MAC_Src: 00:01:64:FF:CE:EA 65505->80 (19:27:31.168 PST) 189.114.229.144 (19:28:01.863 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 49359->16884 (19:28:01.863 PST) 145.99.175.89 (2) (19:27:01.313 PST) event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 65239->51413 (19:27:01.313 PST) 49916->51413 (19:29:01.822 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (19:29:10.379 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (19:29:10.379 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1358652421.313 1358652421.314 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 
192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 216.221.72.112, 79.114.196.65, 41.233.113.1, 94.242.221.123, 189.114.229.144, 87.241.99.41, 145.99.175.89 (2) Resource List: Observed Start: 01/19/2013 19:27:01.313 PST Gen. Time: 01/19/2013 19:29:59.852 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 216.221.72.112 (19:29:41.254 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->28380 (19:29:41.254 PST) 79.114.196.65 (19:28:34.129 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->21284 (19:28:34.129 PST) 41.233.113.1 (19:27:31.065 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->29733 (19:27:31.065 PST) 94.242.221.123 (19:27:31.168 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [%E51%C4%F6%11`5%BD+}1ZmA%89N}s1w%04%92/H%E8B%97,%FCH%97%ADkq%EA%A1M%C9%B4%CC6a%D3y%BF%A0%9B%D4Q%8D%97%CB%EE|] MAC_Src: 00:01:64:FF:CE:EA 65505->80 (19:27:31.168 PST) 189.114.229.144 (19:28:01.863 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 49359->16884 (19:28:01.863 PST) 87.241.99.41 (19:29:20.623 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 50012->2710 (19:29:20.623 PST) 145.99.175.89 (2) (19:27:01.313 PST) event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 65239->51413 (19:27:01.313 PST) 49916->51413 (19:29:01.822 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (19:29:10.379 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed 
botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (19:29:10.379 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1358652421.313 1358652421.314 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 78.22.28.248, 90.220.42.145, 212.59.28.49 Resource List: Observed Start: 01/19/2013 21:30:43.007 PST Gen. Time: 01/19/2013 21:31:10.748 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 78.22.28.248 (21:30:52.564 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->14297 (21:30:52.564 PST) 90.220.42.145 (21:30:43.007 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 56401->19151 (21:30:43.007 PST) 212.59.28.49 (21:30:51.559 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 56419->2710 (21:30:51.559 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (21:31:10.748 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 56730->6099 (21:31:10.748 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1358659843.007 1358659843.008 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. 
List: 201.251.97.13, 24.22.122.147, 208.95.173.194 (2), 212.59.28.49, 2.29.62.100, 90.220.42.145 (2), 84.223.16.170, 87.241.99.41, 78.22.28.248 Resource List: Observed Start: 01/19/2013 21:30:43.007 PST Gen. Time: 01/19/2013 21:34:32.464 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 201.251.97.13 (21:32:09.014 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 57061->16884 (21:32:09.014 PST) 24.22.122.147 (21:32:55.376 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->53921 (21:32:55.376 PST) 208.95.173.194 (2) (21:34:30.337 PST) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 58072->2710 (21:34:30.337 PST) ------------------------- event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 58072->2710 (21:34:30.337 PST) 212.59.28.49 (21:30:51.559 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 56419->2710 (21:30:51.559 PST) 2.29.62.100 (21:33:56.025 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->14738 (21:33:56.025 PST) 90.220.42.145 (2) (21:30:43.007 PST) event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 56401->19151 (21:30:43.007 PST) 57570->19151 (21:33:17.021 PST) 84.223.16.170 (21:31:53.559 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->21906 (21:31:53.559 PST) 87.241.99.41 (21:33:18.967 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 57592->2710 (21:33:18.967 PST) 78.22.28.248 (21:30:52.564 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 
51413->14297 (21:30:52.564 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (21:31:10.748 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 56730->6099 (21:31:10.748 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1358659843.007 1358659843.008 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================
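Every profile above reaches its 0.8 score the same way: a run of E7 "P2P" evidence (all BitTorrent handshakes, DHT pings and tracker requests, with the host's DHT socket on udp/51413) plus one E8 hit on 69.43.161.167:6099 from the ET ShadowServer list. Before treating 192.168.1.36 as infected, a responder wants three checks that the profile text does not do for them: whether any evidence other than BitTorrent rules fired, whether the "C&C" packet left from the same udp/51413 socket as the DHT pings (in which case it may simply be a DHT peer that happens to sit on a listed address), and whether the "scrape tracker request" hits carry an HTTP path to port 80 rather than tracker traffic (the 15:26:31 event on 94.242.221.123 carries a /safebrowsing/downloads path). The tcpslice line BotHunter prints also spans only the first millisecond of the window, so it carves a single packet. The following triage script is an added example written for this page, not BotHunter code: it parses profiles in the format shown, applies those three checks, and builds a tcpslice command covering Observed Start through Gen. Time. Assumptions: the PST stamps are fixed UTC-8 (no DST in January); sids 1:1100010 through 1:1100018 are taken as BotHunter's BitTorrent rules because every message they carry here says so; the sample profile is a trimmed copy of the 15:25 profile above; the widened tcpslice window is the example's own choice.

```python
"""Triage helper for BotHunter infection profiles (added example, not BotHunter code)."""
import re
from datetime import datetime, timedelta, timezone

PST = timezone(timedelta(hours=-8))                 # assumption: fixed UTC-8, January
P2P_SIDS = {f"1:11000{n}" for n in range(10, 19)}   # assumption: 1:1100010..1:1100018 = BitTorrent rules

# One evidence line: "<ip> [(n)] (<hh:mm:ss.fff> PST) event=<sid> [(n)] {proto} E<phase>[sev] <msg>, [<payload>] MAC_Src: <mac> <sport>-><dport>"
EVENT_RE = re.compile(
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?: \(\d+\))? \((?P<first>[\d:.]+) PST\)\s+"
    r"event=(?P<sid>\d+:\d+)(?: \(\d+\))? \{(?P<proto>tcp|udp)\} "
    r"E(?P<phase>\d)\[\w+\] (?P<msg>.*?), \[(?P<payload>.*?)\] "
    r"MAC_Src: (?P<mac>[0-9A-Fa-f:]{17})\s+(?P<sport>\d+)->(?P<dport>\d+)",
    re.DOTALL,
)


def _epoch(stamp):
    """'01/19/2013 15:25:05.037' (PST) -> epoch seconds, as tcpslice wants them."""
    return datetime.strptime(stamp, "%m/%d/%Y %H:%M:%S.%f").replace(tzinfo=PST).timestamp()


def parse_profile(text):
    """Header fields plus every evidence line of one profile."""
    def field(label):
        m = re.search(re.escape(label) + r":[ \t]*(.*)", text)
        return m.group(1).strip() if m else ""
    return {
        "score": float(re.search(r"Score: ([\d.]+)", text).group(1)),
        "target": field("Infected Target"),
        "peers": [p.strip() for p in field("Peer Coord. List").split(",") if p.strip()],
        "start": _epoch(field("Observed Start").replace(" PST", "")),
        "gen": _epoch(field("Gen. Time").replace(" PST", "")),
        "events": [m.groupdict() for m in EVENT_RE.finditer(text)],
    }


def assess(profile):
    """Separate the E8 verdict from the P2P noise and flag the weak spots."""
    declare = [e for e in profile["events"] if e["phase"] == "8"]
    other = [e for e in profile["events"] if e["phase"] != "8"]
    p2p_sockets = {e["sport"] for e in other if e["sid"] in P2P_SIDS}   # e.g. the DHT port 51413
    return {
        "declare_bot": [(e["ip"], e["proto"], int(e["dport"]), e["sid"]) for e in declare],
        "peer_evidence_is_all_bittorrent": all(e["sid"] in P2P_SIDS for e in other),
        # C&C hit sent from the BitTorrent client's own socket: check the peer before believing it
        "declare_bot_from_p2p_socket": [(e["ip"], int(e["sport"])) for e in declare
                                        if e["sport"] in p2p_sockets],
        # "scrape tracker request" that is really an HTTP request path (tracker rule misfire)
        "tracker_hits_with_http_payload": [e["ip"] for e in other
                                           if e["sid"] == "1:1100016" and e["payload"].startswith("/")],
    }


def tcpslice_command(profile, pcap="inputFile.tcpd", out="outputFile.tcpd"):
    """Carve the whole Observed Start..Gen. Time window for the target host."""
    return (f"tcpslice {profile['start']:.3f} {profile['gen']:.3f} {pcap} | "
            f"tcpdump -r - -w {out} 'host {profile['target']}'")


def triage(text):
    """Split a BotHunter report on its SEPARATOR lines and assess each profile."""
    out = []
    for chunk in re.split(r"=+ SEPARATOR =+", text):
        if "Infected Target:" in chunk:
            prof = parse_profile(chunk)
            out.append((prof, assess(prof)))
    return out


# Constructed sample: a trimmed copy of the 15:25 profile on this page.
SAMPLE_PROFILE = """\
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 93.97.234.142, 85.17.143.16, 94.242.221.123
Resource List:
Observed Start: 01/19/2013 15:25:05.037 PST
Gen. Time: 01/19/2013 15:28:44.870 PST
PEER COORDINATION Info
  93.97.234.142 (15:25:05.037 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->31433 (15:25:05.037 PST)
  85.17.143.16 (15:25:17.149 PST)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 64411->6969 (15:25:17.149 PST)
  94.242.221.123 (15:26:31.546 PST)
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [/safebrowsing/downloads?client=navclient-auto-ffox&appver=16.0.2] MAC_Src: 00:01:64:FF:CE:EA 65204->80 (15:26:31.546 PST)
DECLARE BOT Non-standard Port
  69.43.161.167 (15:26:20.501 PST)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (15:26:20.501 PST)
"""

if __name__ == "__main__":
    for prof, verdict in triage(SAMPLE_PROFILE):
        print(prof["target"], prof["score"], verdict)
        print(tcpslice_command(prof))
```

Run it on a saved report with `triage(open("report.txt").read())`; a profile whose `peer_evidence_is_all_bittorrent` is true and whose only `declare_bot` entry also appears in `declare_bot_from_p2p_socket` rests entirely on one list match, so resolve 69.43.161.167:6099 against the carved pcap (is it answering BitTorrent handshakes or DHT queries?) before escalating.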