Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 78.101.89.103, 121.14.98.151, 145.99.175.89 Resource List: Observed Start: 01/21/2013 01:45:09.824 PST Gen. Time: 01/21/2013 01:46:31.747 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 78.101.89.103 (01:45:53.650 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->31396 (01:45:53.650 PST) 121.14.98.151 (01:46:11.589 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 65226->9090 (01:46:11.589 PST) 145.99.175.89 (01:45:09.824 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 64721->51413 (01:45:09.824 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (01:46:31.747 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 65295->6099 (01:46:31.747 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1358761509.824 1358761509.825 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 121.14.98.151, 79.48.177.192, 208.83.20.164 (2), 91.218.38.132, 145.99.175.89 (3), 91.224.160.192, 92.155.82.45, 130.208.129.77, 78.101.89.103 Resource List: Observed Start: 01/21/2013 01:45:09.824 PST Gen. 
Time: 01/21/2013 01:49:03.342 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 121.14.98.151 (01:46:11.589 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 65226->9090 (01:46:11.589 PST) 79.48.177.192 (01:46:53.019 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->13017 (01:46:53.019 PST) 208.83.20.164 (2) (01:48:01.239 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 49604->6969 (01:48:01.239 PST) ------------------------- event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 50085->80 (01:49:01.091 PST) 91.218.38.132 (01:47:01.966 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 65515->2710 (01:47:01.966 PST) 145.99.175.89 (3) (01:45:09.824 PST) event=1:1100012 (3) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 64721->51413 (01:45:09.824 PST) 65399->51413 (01:46:56.842 PST) 49686->51413 (01:48:04.855 PST) 91.224.160.192 (01:49:01.188 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 50084->2710 (01:49:01.188 PST) 92.155.82.45 (01:47:53.684 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->64250 (01:47:53.684 PST) 130.208.129.77 (01:48:53.967 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->57471 (01:48:53.967 PST) 78.101.89.103 (01:45:53.650 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->31396 (01:45:53.650 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (01:46:31.747 PST) event=1:9930009 {tcp} E8[unk] 
ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 65295->6099 (01:46:31.747 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1358761509.824 1358761509.825 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 121.14.98.151, 145.99.175.89, 217.128.181.133, 212.59.28.49 (2), 121.44.178.252, 85.17.143.16, 91.224.160.192, 87.241.99.41, 203.113.15.213, 186.129.11.217, 71.104.200.213, 213.22.142.27 Resource List: Observed Start: 01/21/2013 03:43:24.075 PST Gen. Time: 01/21/2013 03:47:00.880 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 121.14.98.151 (03:46:42.966 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 59989->9090 (03:46:42.966 PST) 145.99.175.89 (03:45:04.322 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 59275->51413 (03:45:04.322 PST) 217.128.181.133 (03:43:24.075 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->49114 (03:43:24.075 PST) 212.59.28.49 (2) (03:43:51.105 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 58572->2710 (03:43:51.105 PST) ------------------------- event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 59943->2710 (03:46:23.458 PST) 121.44.178.252 (03:44:25.114 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->64756 (03:44:25.114 PST) 85.17.143.16 (03:45:51.108 PST) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] 
MAC_Src: 00:01:64:FF:CE:EA 59561->6969 (03:45:51.108 PST) 91.224.160.192 (03:44:54.785 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 59060->2710 (03:44:54.785 PST) 87.241.99.41 (03:44:04.478 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 58826->2710 (03:44:04.478 PST) 203.113.15.213 (03:43:24.854 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 58448->16882 (03:43:24.854 PST) 186.129.11.217 (03:46:26.873 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->31895 (03:46:26.873 PST) 71.104.200.213 (03:46:04.200 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 59809->6890 (03:46:04.200 PST) 213.22.142.27 (03:45:25.311 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->40096 (03:45:25.311 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (03:47:00.880 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (03:47:00.880 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1358768604.075 1358768604.076 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 178.239.54.153, 77.248.128.233, 145.99.175.89 Resource List: Observed Start: 01/21/2013 05:47:53.374 PST Gen. 
Time: 01/21/2013 05:48:51.573 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 178.239.54.153 (05:48:12.949 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 58640->3310 (05:48:12.949 PST) 77.248.128.233 (05:48:02.227 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51413 (05:48:02.227 PST) 145.99.175.89 (05:47:53.374 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 58510->51413 (05:47:53.374 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (05:48:51.573 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 58921->6099 (05:48:51.573 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1358776073.374 1358776073.375 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 208.83.20.164, 91.218.38.132, 145.99.175.89 (2), 108.91.186.81, 212.59.28.49, 77.248.128.233, 187.59.29.141, 178.239.54.153, 46.120.217.20 Resource List: Observed Start: 01/21/2013 05:47:53.374 PST Gen. 
Time: 01/21/2013 05:51:46.497 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 208.83.20.164 (05:48:51.642 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 58918->80 (05:48:51.642 PST) 91.218.38.132 (05:49:42.812 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 59339->2710 (05:49:42.812 PST) 145.99.175.89 (2) (05:47:53.374 PST) event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 58510->51413 (05:47:53.374 PST) 60201->51413 (05:51:15.389 PST) 108.91.186.81 (05:50:11.278 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51411 (05:50:11.278 PST) 212.59.28.49 (05:50:02.135 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 59558->2710 (05:50:02.135 PST) 77.248.128.233 (05:48:02.227 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51413 (05:48:02.227 PST) 187.59.29.141 (05:49:09.107 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->50344 (05:49:09.107 PST) 178.239.54.153 (05:48:12.949 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 58640->3310 (05:48:12.949 PST) 46.120.217.20 (05:51:11.687 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->30875 (05:51:11.687 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (05:48:51.573 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 58921->6099 (05:48:51.573 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 
1358776073.374 1358776073.375 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 01/21/2013 07:49:40.164 PST Gen. Time: 01/21/2013 07:49:40.164 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (07:49:40.164 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (07:49:40.164 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1358783380.164 1358783380.165 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 93.58.219.118, 71.225.156.35, 86.179.64.111, 82.156.118.114, 119.46.206.111, 208.83.20.164 (2), 220.255.16.2 Resource List: Observed Start: 01/21/2013 07:49:40.164 PST Gen. 
Time: 01/21/2013 07:53:40.219 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 93.58.219.118 (07:50:48.253 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->50637 (07:50:48.253 PST) 71.225.156.35 (07:49:48.942 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->36296 (07:49:48.942 PST) 86.179.64.111 (07:52:20.500 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 54384->6890 (07:52:20.500 PST) 82.156.118.114 (07:52:48.095 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->41035 (07:52:48.095 PST) 119.46.206.111 (07:50:35.033 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 53487->16881 (07:50:35.033 PST) 208.83.20.164 (2) (07:49:40.942 PST) event=1:1100016 (2) {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 53066->6969 (07:49:40.942 PST) 54431->6969 (07:52:40.241 PST) 220.255.16.2 (07:51:48.728 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->13023 (07:51:48.728 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (07:49:40.164 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (07:49:40.164 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1358783380.164 1358783380.165 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. 
List: 81.241.94.245, 78.129.3.8, 178.207.16.232, 117.254.243.96, 86.179.64.111, 208.83.20.164, 87.241.99.41, 121.14.98.151 Resource List: Observed Start: 01/21/2013 09:48:40.669 PST Gen. Time: 01/21/2013 09:51:40.846 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 81.241.94.245 (09:51:26.022 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->13276 (09:51:26.022 PST) 78.129.3.8 (09:49:26.386 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->44111 (09:49:26.386 PST) 178.207.16.232 (09:49:06.089 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 59442->16881 (09:49:06.089 PST) 117.254.243.96 (09:50:26.057 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->12325 (09:50:26.057 PST) 86.179.64.111 (09:50:32.040 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 60001->6890 (09:50:32.040 PST) 208.83.20.164 (09:50:00.535 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 59817->6969 (09:50:00.535 PST) 87.241.99.41 (09:49:55.276 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 59726->2710 (09:49:55.276 PST) 121.14.98.151 (09:48:40.669 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 59225->9090 (09:48:40.669 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (09:51:40.846 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 60617->6099 (09:51:40.846 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1358790520.669 
1358790520.670 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 86.179.64.111, 121.14.98.151, 208.83.20.164, 78.129.3.8, 88.120.28.250, 117.254.243.96, 87.241.99.41, 178.207.16.232, 81.241.94.245 Resource List: Observed Start: 01/21/2013 09:48:40.669 PST Gen. Time: 01/21/2013 09:52:30.969 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 86.179.64.111 (09:50:32.040 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 60001->6890 (09:50:32.040 PST) 121.14.98.151 (09:48:40.669 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 59225->9090 (09:48:40.669 PST) 208.83.20.164 (09:50:00.535 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 59817->6969 (09:50:00.535 PST) 78.129.3.8 (09:49:26.386 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->44111 (09:49:26.386 PST) 88.120.28.250 (09:52:27.779 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->20267 (09:52:27.779 PST) 117.254.243.96 (09:50:26.057 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->12325 (09:50:26.057 PST) 87.241.99.41 (09:49:55.276 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 59726->2710 (09:49:55.276 PST) 178.207.16.232 (09:49:06.089 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 59442->16881 (09:49:06.089 PST) 81.241.94.245 (09:51:26.022 PST) event=1:1100013 {udp} 
E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->13276 (09:51:26.022 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (09:51:40.846 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 60617->6099 (09:51:40.846 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1358790520.669 1358790520.670 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 178.239.54.153 (2), 201.242.104.38, 188.190.98.38, 201.6.183.199 Resource List: Observed Start: 01/21/2013 11:51:00.106 PST Gen. Time: 01/21/2013 11:52:40.849 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 178.239.54.153 (2) (11:51:21.522 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 65380->3310 (11:51:21.522 PST) ------------------------- event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 49537->3310 (11:52:40.662 PST) 201.242.104.38 (11:51:00.106 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->50221 (11:51:00.106 PST) 188.190.98.38 (11:51:38.282 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 49292->2810 (11:51:38.282 PST) 201.6.183.199 (11:52:03.962 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->40419 (11:52:03.962 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (11:52:40.849 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer 
confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (11:52:40.849 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1358797860.106 1358797860.107 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 110.175.201.97, 178.239.54.153 (2), 201.242.104.38, 2.225.124.65, 188.190.98.38, 201.6.183.199, 208.83.20.164 Resource List: Observed Start: 01/21/2013 11:51:00.106 PST Gen. Time: 01/21/2013 11:54:11.617 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 110.175.201.97 (11:53:03.346 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->61146 (11:53:03.346 PST) 178.239.54.153 (2) (11:51:21.522 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 65380->3310 (11:51:21.522 PST) ------------------------- event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 49537->3310 (11:52:40.662 PST) 201.242.104.38 (11:51:00.106 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->50221 (11:51:00.106 PST) 2.225.124.65 (11:54:04.597 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->12120 (11:54:04.597 PST) 188.190.98.38 (11:51:38.282 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 49292->2810 (11:51:38.282 PST) 201.6.183.199 (11:52:03.962 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->40419 (11:52:03.962 PST) 208.83.20.164 (11:53:30.915 PST) event=1:1100016 {tcp} 
E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 49798->6969 (11:53:30.915 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (11:52:40.849 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (11:52:40.849 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1358797860.106 1358797860.107 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 01/21/2013 13:54:50.914 PST Gen. Time: 01/21/2013 13:54:50.914 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (13:54:50.914 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 58060->6099 (13:54:50.914 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1358805290.914 1358805290.915 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 68.61.50.42, 2.230.52.152, 61.91.88.23, 189.5.22.233, 91.218.38.132, 91.224.160.192, 178.239.54.151, 187.52.150.5 Resource List: Observed Start: 01/21/2013 13:54:50.914 PST Gen. 
Time: 01/21/2013 13:58:41.181 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 68.61.50.42 (13:56:40.273 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->62348 (13:56:40.273 PST) 2.230.52.152 (13:56:05.905 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 58555->51413 (13:56:05.905 PST) 61.91.88.23 (13:57:56.423 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 59548->16881 (13:57:56.423 PST) 189.5.22.233 (13:55:40.407 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->30952 (13:55:40.407 PST) 91.218.38.132 (13:55:04.142 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 58186->2710 (13:55:04.142 PST) 91.224.160.192 (13:55:41.195 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 58367->2710 (13:55:41.195 PST) 178.239.54.151 (13:58:41.181 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 59769->2710 (13:58:41.181 PST) 187.52.150.5 (13:57:41.534 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->25062 (13:57:41.534 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (13:54:50.914 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 58060->6099 (13:54:50.914 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1358805290.914 1358805290.915 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected 
Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 124.232.148.149, 124.232.148.178, 91.218.38.132, 91.224.160.192, 67.80.14.169, 90.177.15.195 Resource List: Observed Start: 01/21/2013 15:53:57.990 PST Gen. Time: 01/21/2013 15:55:40.861 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 124.232.148.149 (15:55:20.503 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 54593->13407 (15:55:20.503 PST) 124.232.148.178 (15:53:57.990 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 53787->6500 (15:53:57.990 PST) 91.218.38.132 (15:54:56.801 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 54273->2710 (15:54:56.801 PST) 91.224.160.192 (15:54:12.282 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 53970->2710 (15:54:12.282 PST) 67.80.14.169 (15:55:29.447 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->42180 (15:55:29.447 PST) 90.177.15.195 (15:54:28.131 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->48972 (15:54:28.131 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (15:55:40.861 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (15:55:40.861 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1358812437.990 1358812437.991 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: 
Peer Coord. List: 124.232.148.149, 124.232.148.178 (2), 91.218.38.132, 91.224.160.192 (3), 121.1.46.110, 67.80.14.169, 90.177.15.195
Resource List:
Observed Start: 01/21/2013 15:53:57.990 PST
Gen. Time: 01/21/2013 15:57:14.150 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
124.232.148.149 (15:55:20.503 PST)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
  54593->13407 (15:55:20.503 PST)
124.232.148.178 (2) (15:53:57.990 PST)
  event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
  53787->6500 (15:53:57.990 PST)
  55508->6500 (15:57:03.619 PST)
91.218.38.132 (15:54:56.801 PST)
  event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
  54273->2710 (15:54:56.801 PST)
91.224.160.192 (3) (15:54:12.282 PST)
  event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA
  55201->2710 (15:56:26.550 PST)
  -------------------------
  event=1:1100016 (2) {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
  53970->2710 (15:54:12.282 PST)
  55201->2710 (15:56:26.550 PST)
121.1.46.110 (15:56:34.274 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->16795 (15:56:34.274 PST)
67.80.14.169 (15:55:29.447 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->42180 (15:55:29.447 PST)
90.177.15.195 (15:54:28.131 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->48972 (15:54:28.131 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (15:55:40.861 PST)
  event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->6099 (15:55:40.861 PST)
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358812437.990 1358812437.991 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 178.239.54.153, 59.1.136.34, 91.224.160.192 (2), 85.17.143.16, 76.117.11.204, 151.32.213.91
Resource List:
Observed Start: 01/21/2013 17:54:52.821 PST
Gen. Time: 01/21/2013 17:57:41.358 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
178.239.54.153 (17:56:07.337 PST)
  event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
  63545->3310 (17:56:07.337 PST)
59.1.136.34 (17:54:52.821 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->45499 (17:54:52.821 PST)
91.224.160.192 (2) (17:56:22.590 PST)
  event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA
  63780->2710 (17:56:22.590 PST)
  -------------------------
  event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
  63780->2710 (17:56:22.590 PST)
85.17.143.16 (17:55:26.546 PST)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
  63368->6969 (17:55:26.546 PST)
76.117.11.204 (17:56:53.528 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->44166 (17:56:53.528 PST)
151.32.213.91 (17:55:53.066 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->2734 (17:55:53.066 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (17:57:41.358 PST)
  event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
  64337->6099 (17:57:41.358 PST)
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358819692.821 1358819692.822 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 178.239.54.153, 59.1.136.34, 91.224.160.192 (2), 46.141.12.183, 85.17.143.16, 173.11.243.162, 76.117.11.204, 151.32.213.91
Resource List:
Observed Start: 01/21/2013 17:54:52.821 PST
Gen. Time: 01/21/2013 17:58:32.992 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
178.239.54.153 (17:56:07.337 PST)
  event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
  63545->3310 (17:56:07.337 PST)
59.1.136.34 (17:54:52.821 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->45499 (17:54:52.821 PST)
91.224.160.192 (2) (17:56:22.590 PST)
  event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA
  63780->2710 (17:56:22.590 PST)
  -------------------------
  event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
  63780->2710 (17:56:22.590 PST)
46.141.12.183 (17:58:17.569 PST)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
  64740->6890 (17:58:17.569 PST)
85.17.143.16 (17:55:26.546 PST)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
  63368->6969 (17:55:26.546 PST)
173.11.243.162 (17:57:53.666 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->51413 (17:57:53.666 PST)
76.117.11.204 (17:56:53.528 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->44166 (17:56:53.528 PST)
151.32.213.91 (17:55:53.066 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->2734 (17:55:53.066 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (17:57:41.358 PST)
  event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
  64337->6099 (17:57:41.358 PST)
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358819692.821 1358819692.822 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 69.140.198.192, 117.254.243.96, 46.141.12.183, 64.69.46.217
Resource List:
Observed Start: 01/21/2013 19:56:59.005 PST
Gen. Time: 01/21/2013 19:58:40.060 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
69.140.198.192 (19:57:59.273 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->22554 (19:57:59.273 PST)
117.254.243.96 (19:56:59.005 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->39099 (19:56:59.005 PST)
46.141.12.183 (19:58:22.074 PST)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
  54059->6890 (19:58:22.074 PST)
64.69.46.217 (19:57:02.057 PST)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
  53547->43611 (19:57:02.057 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (19:58:40.060 PST)
  event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->6099 (19:58:40.060 PST)
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358827019.005 1358827019.006 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 24.133.110.180, 69.140.198.192, 91.218.38.132, 117.254.243.96, 46.141.12.183 (2), 64.69.46.217, 128.78.106.69
Resource List:
Observed Start: 01/21/2013 19:56:59.005 PST
Gen. Time: 01/21/2013 20:00:33.170 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
24.133.110.180 (20:00:00.689 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->47414 (20:00:00.689 PST)
69.140.198.192 (19:57:59.273 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->22554 (19:57:59.273 PST)
91.218.38.132 (19:59:36.000 PST)
  event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
  54540->2710 (19:59:36.000 PST)
117.254.243.96 (19:56:59.005 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->39099 (19:56:59.005 PST)
46.141.12.183 (2) (19:58:22.074 PST)
  event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
  54059->6890 (19:58:22.074 PST)
  54855->6890 (20:00:08.594 PST)
64.69.46.217 (19:57:02.057 PST)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
  53547->43611 (19:57:02.057 PST)
128.78.106.69 (19:59:00.010 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->24091 (19:59:00.010 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (19:58:40.060 PST)
  event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->6099 (19:58:40.060 PST)
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358827019.005 1358827019.006 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 01/21/2013 22:00:11.002 PST
Gen. Time: 01/21/2013 22:00:11.002 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (22:00:11.002 PST)
  event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
  52524->6099 (22:00:11.002 PST)
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358834411.002 1358834411.003 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 49.145.73.107, 145.99.175.89, 46.141.12.183, 110.164.254.41, 85.17.143.16 (2), 87.241.99.41, 216.232.138.13, 80.184.53.16, 184.66.71.51
Resource List:
Observed Start: 01/21/2013 22:00:11.002 PST
Gen. Time: 01/21/2013 22:04:13.309 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
49.145.73.107 (22:04:13.309 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->56225 (22:04:13.309 PST)
145.99.175.89 (22:03:56.671 PST)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
  53960->51413 (22:03:56.671 PST)
46.141.12.183 (22:02:42.471 PST)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
  53378->6890 (22:02:42.471 PST)
110.164.254.41 (22:00:22.173 PST)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
  52568->16882 (22:00:22.173 PST)
85.17.143.16 (2) (22:01:40.922 PST)
  event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA
  53001->6969 (22:01:40.922 PST)
  -------------------------
  event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
  53001->6969 (22:01:40.922 PST)
87.241.99.41 (22:01:40.953 PST)
  event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
  53000->2710 (22:01:40.953 PST)
216.232.138.13 (22:02:08.598 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->58166 (22:02:08.598 PST)
80.184.53.16 (22:03:08.159 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->49561 (22:03:08.159 PST)
184.66.71.51 (22:01:07.963 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->54056 (22:01:07.963 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (22:00:11.002 PST)
  event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
  52524->6099 (22:00:11.002 PST)
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358834411.002 1358834411.003 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================