Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 178.239.54.153 (2), 99.237.28.144
Resource List:
Observed Start: 01/20/2013 01:33:01.191 PST
Gen. Time: 01/20/2013 01:33:11.762 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
178.239.54.153 (2) (01:33:01.191 PST)
  event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 52736->3310 (01:33:01.191 PST)
  -------------------------
  event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 52738->3310 (01:33:01.191 PST)
99.237.28.144 (01:33:02.058 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->10633 (01:33:02.058 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (01:33:11.762 PST)
  event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 52938->6099 (01:33:11.762 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358674381.191 1358674381.192 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 81.165.162.1, 91.224.160.192, 90.220.42.145, 178.239.54.153 (2), 99.237.28.144, 77.67.84.226, 206.47.30.80, 188.190.98.38, 2.237.40.101
Resource List:
Observed Start: 01/20/2013 01:33:01.191 PST
Gen. Time: 01/20/2013 01:36:36.164 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
81.165.162.1 (01:36:02.866 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->11370 (01:36:02.866 PST)
91.224.160.192 (01:36:15.156 PST)
  event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 54619->2710 (01:36:15.156 PST)
90.220.42.145 (01:33:17.309 PST)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 53019->19151 (01:33:17.309 PST)
178.239.54.153 (2) (01:33:01.191 PST)
  event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 52736->3310 (01:33:01.191 PST)
  -------------------------
  event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 52738->3310 (01:33:01.191 PST)
99.237.28.144 (01:33:02.058 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->10633 (01:33:02.058 PST)
77.67.84.226 (01:35:55.973 PST)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 54304->16881 (01:35:55.973 PST)
206.47.30.80 (01:34:02.318 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6881 (01:34:02.318 PST)
188.190.98.38 (01:34:24.821 PST)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 53594->2810 (01:34:24.821 PST)
2.237.40.101 (01:35:02.327 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->42747 (01:35:02.327 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (01:33:11.762 PST)
  event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 52938->6099 (01:33:11.762 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358674381.191 1358674381.192 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 178.239.54.153, 188.138.32.243, 110.164.254.58, 94.210.19.100, 81.84.87.184, 87.241.99.41, 145.99.175.89, 95.211.188.52
Resource List:
Observed Start: 01/20/2013 03:30:34.557 PST
Gen. Time: 01/20/2013 03:33:40.848 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
178.239.54.153 (03:31:01.900 PST)
  event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 50254->3310 (03:31:01.900 PST)
188.138.32.243 (03:30:34.557 PST)
  event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 49930->2710 (03:30:34.557 PST)
110.164.254.58 (03:33:13.546 PST)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 51408->16881 (03:33:13.546 PST)
94.210.19.100 (03:32:57.614 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->62376 (03:32:57.614 PST)
81.84.87.184 (03:31:57.107 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->28384 (03:31:57.107 PST)
87.241.99.41 (03:32:41.194 PST)
  event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 51162->2710 (03:32:41.194 PST)
145.99.175.89 (03:32:10.978 PST)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 50794->51413 (03:32:10.978 PST)
95.211.188.52 (03:30:57.030 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->43883 (03:30:57.030 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (03:33:40.848 PST)
  event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (03:33:40.848 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358681434.557 1358681434.558 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 188.138.32.243, 110.164.254.58, 145.99.175.89, 101.160.129.157, 95.211.188.52, 94.210.19.100, 87.241.99.41, 81.84.87.184, 178.239.54.153
Resource List:
Observed Start: 01/20/2013 03:30:34.557 PST
Gen. Time: 01/20/2013 03:34:00.858 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
188.138.32.243 (03:30:34.557 PST)
  event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 49930->2710 (03:30:34.557 PST)
110.164.254.58 (03:33:13.546 PST)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 51408->16881 (03:33:13.546 PST)
145.99.175.89 (03:32:10.978 PST)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 50794->51413 (03:32:10.978 PST)
101.160.129.157 (03:33:59.165 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->53448 (03:33:59.165 PST)
95.211.188.52 (03:30:57.030 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->43883 (03:30:57.030 PST)
94.210.19.100 (03:32:57.614 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->62376 (03:32:57.614 PST)
87.241.99.41 (03:32:41.194 PST)
  event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 51162->2710 (03:32:41.194 PST)
81.84.87.184 (03:31:57.107 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->28384 (03:31:57.107 PST)
178.239.54.153 (03:31:01.900 PST)
  event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 50254->3310 (03:31:01.900 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (03:33:40.848 PST)
  event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (03:33:40.848 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358681434.557 1358681434.558 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 208.95.173.194, 91.224.160.192 (2), 212.115.238.2, 95.180.90.3, 95.76.129.175, 86.130.33.204, 145.99.175.89 (2)
Resource List:
Observed Start: 01/20/2013 05:33:11.402 PST
Gen. Time: 01/20/2013 05:35:40.767 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
208.95.173.194 (05:33:30.250 PST)
  event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 50778->2710 (05:33:30.250 PST)
91.224.160.192 (2) (05:33:22.072 PST)
  event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 50674->2710 (05:33:22.072 PST)
  -------------------------
  event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 50674->2710 (05:33:22.072 PST)
212.115.238.2 (05:34:21.454 PST)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 51330->32459 (05:34:21.454 PST)
95.180.90.3 (05:33:11.402 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->55437 (05:33:11.402 PST)
95.76.129.175 (05:35:14.532 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->48881 (05:35:14.532 PST)
86.130.33.204 (05:34:13.677 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->28303 (05:34:13.677 PST)
145.99.175.89 (2) (05:33:15.617 PST)
  event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 50591->51413 (05:33:15.617 PST) 51772->51413 (05:35:21.126 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (05:35:40.767 PST)
  event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 52074->6099 (05:35:40.767 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358688791.402 1358688791.403 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 145.99.175.89 (2), 201.172.84.87, 208.95.173.194, 95.20.61.133, 95.180.90.3, 95.76.129.175, 91.224.160.192 (2), 86.130.33.204, 212.115.238.2
Resource List:
Observed Start: 01/20/2013 05:33:11.402 PST
Gen. Time: 01/20/2013 05:37:09.233 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
145.99.175.89 (2) (05:33:15.617 PST)
  event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 50591->51413 (05:33:15.617 PST) 51772->51413 (05:35:21.126 PST)
201.172.84.87 (05:36:15.571 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->37772 (05:36:15.571 PST)
208.95.173.194 (05:33:30.250 PST)
  event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 50778->2710 (05:33:30.250 PST)
95.20.61.133 (05:36:34.693 PST)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 52532->58784 (05:36:34.693 PST)
95.180.90.3 (05:33:11.402 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->55437 (05:33:11.402 PST)
95.76.129.175 (05:35:14.532 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->48881 (05:35:14.532 PST)
91.224.160.192 (2) (05:33:22.072 PST)
  event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 50674->2710 (05:33:22.072 PST)
  -------------------------
  event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 50674->2710 (05:33:22.072 PST)
86.130.33.204 (05:34:13.677 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->28303 (05:34:13.677 PST)
212.115.238.2 (05:34:21.454 PST)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 51330->32459 (05:34:21.454 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (05:35:40.767 PST)
  event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 52074->6099 (05:35:40.767 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358688791.402 1358688791.403 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 91.224.160.192, 86.182.58.73, 95.180.90.3
Resource List:
Observed Start: 01/20/2013 07:35:54.093 PST
Gen. Time: 01/20/2013 07:36:30.418 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
91.224.160.192 (07:35:54.093 PST)
  event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 49563->2710 (07:35:54.093 PST)
86.182.58.73 (07:36:16.054 PST)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 49905->6890 (07:36:16.054 PST)
95.180.90.3 (07:36:09.493 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->55437 (07:36:09.493 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (07:36:30.418 PST)
  event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (07:36:30.418 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358696154.093 1358696154.094 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 177.16.246.46, 91.224.160.192, 174.34.166.171, 86.182.58.73, 95.180.90.3, 50.66.49.92
Resource List:
Observed Start: 01/20/2013 07:35:54.093 PST
Gen. Time: 01/20/2013 07:38:33.121 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
177.16.246.46 (07:38:10.032 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->38637 (07:38:10.032 PST)
91.224.160.192 (07:35:54.093 PST)
  event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 49563->2710 (07:35:54.093 PST)
174.34.166.171 (07:37:59.572 PST)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 50831->43783 (07:37:59.572 PST)
86.182.58.73 (07:36:16.054 PST)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 49905->6890 (07:36:16.054 PST)
95.180.90.3 (07:36:09.493 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->55437 (07:36:09.493 PST)
50.66.49.92 (07:37:10.481 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->14533 (07:37:10.481 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (07:36:30.418 PST)
  event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (07:36:30.418 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358696154.093 1358696154.094 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 2.84.22.80, 71.173.10.21, 74.138.208.204, 174.34.166.171, 90.220.42.145, 59.149.53.192
Resource List:
Observed Start: 01/20/2013 09:35:46.066 PST
Gen. Time: 01/20/2013 09:38:20.592 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
2.84.22.80 (09:36:52.691 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->58992 (09:36:52.691 PST)
71.173.10.21 (09:37:52.939 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51413 (09:37:52.939 PST)
74.138.208.204 (09:35:51.391 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->58330 (09:35:51.391 PST)
174.34.166.171 (09:38:20.087 PST)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 62815->43783 (09:38:20.087 PST)
90.220.42.145 (09:35:46.066 PST)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 61906->19151 (09:35:46.066 PST)
59.149.53.192 (09:37:04.575 PST)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 62298->28743 (09:37:04.575 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (09:38:20.592 PST)
  event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 62831->6099 (09:38:20.592 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358703346.066 1358703346.067 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 95.248.237.80, 2.84.22.80, 71.173.10.21, 74.138.208.204, 174.34.166.171, 90.220.42.145, 208.83.20.164 (2), 59.149.53.192
Resource List:
Observed Start: 01/20/2013 09:35:46.066 PST
Gen. Time: 01/20/2013 09:39:03.807 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
95.248.237.80 (09:38:52.158 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51413 (09:38:52.158 PST)
2.84.22.80 (09:36:52.691 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->58992 (09:36:52.691 PST)
71.173.10.21 (09:37:52.939 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51413 (09:37:52.939 PST)
74.138.208.204 (09:35:51.391 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->58330 (09:35:51.391 PST)
174.34.166.171 (09:38:20.087 PST)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 62815->43783 (09:38:20.087 PST)
90.220.42.145 (09:35:46.066 PST)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 61906->19151 (09:35:46.066 PST)
208.83.20.164 (2) (09:38:20.662 PST)
  event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [/distro.alt/BotHunter-Windows-Distribution-v1.0.4a.exe] MAC_Src: 00:01:64:FF:CE:EA 62830->80 (09:38:20.662 PST)
  -------------------------
  event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [/distro.alt/BotHunter-Windows-Distribution-v1.0.4a.exe] MAC_Src: 00:01:64:FF:CE:EA 62942->80 (09:39:03.807 PST)
59.149.53.192 (09:37:04.575 PST)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 62298->28743 (09:37:04.575 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (09:38:20.592 PST)
  event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 62831->6099 (09:38:20.592 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358703346.066 1358703346.067 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 174.118.131.229
Resource List:
Observed Start: 01/20/2013 11:38:28.067 PST
Gen. Time: 01/20/2013 11:39:00.219 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
174.118.131.229 (11:38:28.067 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->45485 (11:38:28.067 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (11:39:00.219 PST)
  event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (11:39:00.219 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358710708.067 1358710708.068 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 88.24.243.3, 74.90.28.106, 174.118.131.229, 84.236.100.184, 208.83.20.164, 76.22.230.45
Resource List:
Observed Start: 01/20/2013 11:38:28.067 PST
Gen. Time: 01/20/2013 11:42:30.481 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
88.24.243.3 (11:40:33.040 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->32958 (11:40:33.040 PST)
74.90.28.106 (11:39:57.240 PST)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 54241->10006 (11:39:57.240 PST)
174.118.131.229 (11:38:28.067 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->45485 (11:38:28.067 PST)
84.236.100.184 (11:41:37.549 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->21874 (11:41:37.549 PST)
208.83.20.164 (11:40:29.578 PST)
  event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [q%91BG%C5T%FF%AF%F7%11;%D9T}%13%82O%02%12%1AS%FC%AFNhe%A0%F3%D6)Z\%11VOJ%CAl%C1Y%DF%CFZ%F0rH%1Fp%AAY%E5S%96%CB] MAC_Src: 00:01:64:FF:CE:EA 54412->80 (11:40:29.578 PST)
76.22.230.45 (11:39:32.490 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->29232 (11:39:32.490 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (11:39:00.219 PST)
  event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (11:39:00.219 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358710708.067 1358710708.068 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 188.138.32.243, 91.224.160.192 (2), 124.232.148.144, 67.9.87.156, 213.89.147.93, 145.99.175.89
Resource List:
Observed Start: 01/20/2013 13:37:56.165 PST
Gen. Time: 01/20/2013 13:40:10.562 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
188.138.32.243 (13:37:56.165 PST)
  event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 50988->2710 (13:37:56.165 PST)
91.224.160.192 (2) (13:39:43.429 PST)
  event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 51903->2710 (13:39:43.429 PST)
  -------------------------
  event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 51903->2710 (13:39:43.429 PST)
124.232.148.144 (13:38:07.333 PST)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 51014->21604 (13:38:07.333 PST)
67.9.87.156 (13:38:23.488 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->42007 (13:38:23.488 PST)
213.89.147.93 (13:39:23.010 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->17236 (13:39:23.010 PST)
145.99.175.89 (13:39:18.512 PST)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 51523->51413 (13:39:18.512 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (13:40:10.562 PST)
  event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 52071->6099 (13:40:10.562 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358717876.165 1358717876.166 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 188.138.32.243, 91.224.160.192 (2), 124.232.148.144, 24.65.230.239, 67.9.87.156, 208.83.20.164, 213.89.147.93, 145.99.175.89
Resource List:
Observed Start: 01/20/2013 13:37:56.165 PST
Gen. Time: 01/20/2013 13:41:09.565 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
188.138.32.243 (13:37:56.165 PST)
  event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 50988->2710 (13:37:56.165 PST)
91.224.160.192 (2) (13:39:43.429 PST)
  event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 51903->2710 (13:39:43.429 PST)
  -------------------------
  event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 51903->2710 (13:39:43.429 PST)
124.232.148.144 (13:38:07.333 PST)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 51014->21604 (13:38:07.333 PST)
24.65.230.239 (13:40:23.083 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->55008 (13:40:23.083 PST)
67.9.87.156 (13:38:23.488 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->42007 (13:38:23.488 PST)
208.83.20.164 (13:40:50.655 PST)
  event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 52259->80 (13:40:50.655 PST)
213.89.147.93 (13:39:23.010 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->17236 (13:39:23.010 PST)
145.99.175.89 (13:39:18.512 PST)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 51523->51413 (13:39:18.512 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (13:40:10.562 PST)
  event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 52071->6099 (13:40:10.562 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358717876.165 1358717876.166 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 124.232.148.149
Resource List:
Observed Start: 01/20/2013 15:40:20.042 PST
Gen. Time: 01/20/2013 15:40:30.158 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
124.232.148.149 (15:40:20.042 PST)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 62375->13407 (15:40:20.042 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (15:40:30.158 PST)
  event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (15:40:30.158 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358725220.042 1358725220.043 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 188.138.32.243, 2.84.22.80, 177.142.60.177, 145.99.175.89 (2), 212.59.28.49, 124.232.148.149, 90.219.7.45, 91.224.160.192, 87.241.99.41, 123.2.143.155
Resource List:
Observed Start: 01/20/2013 15:40:20.042 PST
Gen. Time: 01/20/2013 15:44:24.969 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
188.138.32.243 (15:44:01.169 PST)
  event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 63854->2710 (15:44:01.169 PST)
2.84.22.80 (15:41:50.816 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->58992 (15:41:50.816 PST)
177.142.60.177 (15:40:50.580 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->52551 (15:40:50.580 PST)
145.99.175.89 (2) (15:42:05.225 PST)
  event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 63131->51413 (15:42:05.225 PST) 63682->51413 (15:43:13.737 PST)
212.59.28.49 (15:42:40.801 PST)
  event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 63305->2710 (15:42:40.801 PST)
124.232.148.149 (15:40:20.042 PST)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 62375->13407 (15:40:20.042 PST)
90.219.7.45 (15:43:50.280 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->24874 (15:43:50.280 PST)
91.224.160.192 (15:41:11.474 PST)
  event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 62689->2710 (15:41:11.474 PST)
87.241.99.41 (15:41:10.533 PST)
  event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 62690->2710 (15:41:10.533 PST)
123.2.143.155 (15:42:50.034 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->44194 (15:42:50.034 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (15:40:30.158 PST)
  event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (15:40:30.158 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358725220.042 1358725220.043 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 71.218.168.230, 201.74.88.69, 145.99.175.89
Resource List:
Observed Start: 01/20/2013 17:41:03.234 PST
Gen. Time: 01/20/2013 17:42:30.397 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
71.218.168.230 (17:42:03.000 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->47405 (17:42:03.000 PST)
201.74.88.69 (17:41:03.234 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->32711 (17:41:03.234 PST)
145.99.175.89 (17:42:16.637 PST)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 51706->51413 (17:42:16.637 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (17:42:30.397 PST)
  event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51736->6099 (17:42:30.397 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358732463.234 1358732463.235 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 202.4.79.138, 24.171.232.126, 71.218.168.230, 208.83.20.164, 201.74.88.69, 145.99.175.89 (2)
Resource List:
Observed Start: 01/20/2013 17:41:03.234 PST
Gen. Time: 01/20/2013 17:44:57.694 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
202.4.79.138 (17:43:03.691 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->12420 (17:43:03.691 PST)
24.171.232.126 (17:44:04.125 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->20500 (17:44:04.125 PST)
71.218.168.230 (17:42:03.000 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->47405 (17:42:03.000 PST)
208.83.20.164 (17:44:11.079 PST)
  event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 52535->80 (17:44:11.079 PST)
201.74.88.69 (17:41:03.234 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->32711 (17:41:03.234 PST)
145.99.175.89 (2) (17:42:16.637 PST)
  event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 51706->51413 (17:42:16.637 PST) 52469->51413 (17:44:01.158 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (17:42:30.397 PST)
  event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51736->6099 (17:42:30.397 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358732463.234 1358732463.235 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord.
List: 216.221.72.112, 188.138.32.243, 114.47.193.193, 91.224.160.192, 190.192.26.179, 145.99.175.89 (2) Resource List: Observed Start: 01/20/2013 19:39:58.182 PST Gen. Time: 01/20/2013 19:42:50.313 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 216.221.72.112 (19:42:01.895 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->28380 (19:42:01.895 PST) 188.138.32.243 (19:41:44.252 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 55885->2710 (19:41:44.252 PST) 114.47.193.193 (19:39:58.182 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->49814 (19:39:58.182 PST) 91.224.160.192 (19:40:54.083 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 55579->2710 (19:40:54.083 PST) 190.192.26.179 (19:40:58.031 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->55366 (19:40:58.031 PST) 145.99.175.89 (2) (19:40:07.958 PST) event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 55384->51413 (19:40:07.958 PST) 56186->51413 (19:42:04.970 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (19:42:50.313 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (19:42:50.313 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1358739598.182 1358739598.183 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. 
List: 188.138.32.243, 208.83.20.164, 190.16.115.184, 145.99.175.89 (2), 190.192.26.179, 216.221.72.112, 91.224.160.192 (3), 203.113.15.213, 114.47.193.193 Resource List: Observed Start: 01/20/2013 19:39:58.182 PST Gen. Time: 01/20/2013 19:43:58.943 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 188.138.32.243 (19:41:44.252 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 55885->2710 (19:41:44.252 PST) 208.83.20.164 (19:43:58.943 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [%02X%17I%98;%0E%F8]%11%A6%DFpV^%C8%B8%E1%FF%AA%8Dj=%F1%8AN%E5%82%ACDS%19%FA%DC%03D%A8%10%09%95%9F%03%02a%D0m%9D%CESL1;%B6%11] MAC_Src: 00:01:64:FF:CE:EA 56962->80 (19:43:58.943 PST) 190.16.115.184 (19:43:01.017 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->46307 (19:43:01.017 PST) 145.99.175.89 (2) (19:40:07.958 PST) event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 55384->51413 (19:40:07.958 PST) 56186->51413 (19:42:04.970 PST) 190.192.26.179 (19:40:58.031 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->55366 (19:40:58.031 PST) 216.221.72.112 (19:42:01.895 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->28380 (19:42:01.895 PST) 91.224.160.192 (3) (19:40:54.083 PST) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 56739->2710 (19:43:27.566 PST) ------------------------- event=1:1100016 (2) {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 55579->2710 (19:40:54.083 PST) 56739->2710 (19:43:27.566 PST) 203.113.15.213 (19:43:25.018 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] 
MAC_Src: 00:01:64:FF:CE:EA 56743->16882 (19:43:25.018 PST) 114.47.193.193 (19:39:58.182 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->49814 (19:39:58.182 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (19:42:50.313 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (19:42:50.313 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1358739598.182 1358739598.183 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 86.182.238.173, 68.147.210.222, 24.236.129.145, 91.224.160.192, 178.78.92.91, 87.241.99.41, 101.103.173.95, 212.59.28.49 Resource List: Observed Start: 01/20/2013 21:40:51.192 PST Gen. 
Time: 01/20/2013 21:44:40.928 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 86.182.238.173 (21:41:54.374 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 57000->6890 (21:41:54.374 PST) 68.147.210.222 (21:41:47.481 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->45266 (21:41:47.481 PST) 24.236.129.145 (21:43:53.899 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 57710->6890 (21:43:53.899 PST) 91.224.160.192 (21:41:30.544 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 56835->2710 (21:41:30.544 PST) 178.78.92.91 (21:43:47.276 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->22912 (21:43:47.276 PST) 87.241.99.41 (21:43:04.735 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 57455->2710 (21:43:04.735 PST) 101.103.173.95 (21:42:47.988 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->26386 (21:42:47.988 PST) 212.59.28.49 (21:40:51.192 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 56579->2710 (21:40:51.192 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (21:44:40.928 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 57954->6099 (21:44:40.928 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1358746851.192 1358746851.193 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================