Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 188.138.32.243, 71.225.156.35, 188.134.14.71, 145.99.175.89
Resource List:
Observed Start: 01/21/2013 23:59:49.650 PST
Gen. Time: 01/22/2013 00:01:00.386 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  188.138.32.243 (23:59:49.650 PST)
    event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
    64243->2710 (23:59:49.650 PST)
  71.225.156.35 (00:00:56.289 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->36296 (00:00:56.289 PST)
  188.134.14.71 (23:59:55.505 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->28463 (23:59:55.505 PST)
  145.99.175.89 (23:59:59.493 PST)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
    64356->51413 (23:59:59.493 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (00:01:00.386 PST)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->6099 (00:01:00.386 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1358841589.650 1358841589.651 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 188.138.32.243, 145.99.175.89 (2), 188.134.14.71, 46.141.12.183, 37.153.12.154, 85.17.143.16, 91.224.160.192, 71.225.156.35, 24.118.247.122, 92.19.110.8
Resource List:
Observed Start: 01/21/2013 23:59:49.650 PST
Gen. Time: 01/22/2013 00:03:56.730 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  188.138.32.243 (23:59:49.650 PST)
    event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
    64243->2710 (23:59:49.650 PST)
  145.99.175.89 (2) (23:59:59.493 PST)
    event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
    64356->51413 (23:59:59.493 PST)
    49224->51413 (00:03:07.012 PST)
  188.134.14.71 (23:59:55.505 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->28463 (23:59:55.505 PST)
  46.141.12.183 (00:01:56.034 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->6890 (00:01:56.034 PST)
  37.153.12.154 (00:01:18.530 PST)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
    64911->6881 (00:01:18.530 PST)
  85.17.143.16 (00:02:21.209 PST)
    event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA
    65301->6969 (00:02:21.209 PST)
  91.224.160.192 (00:02:14.914 PST)
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
    65265->2710 (00:02:14.914 PST)
  71.225.156.35 (00:00:56.289 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->36296 (00:00:56.289 PST)
  24.118.247.122 (00:03:56.730 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->32907 (00:03:56.730 PST)
  92.19.110.8 (00:02:56.005 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->16358 (00:02:56.005 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (00:01:00.386 PST)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->6099 (00:01:00.386 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1358841589.650 1358841589.651 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 94.36.180.206
Resource List:
Observed Start: 01/22/2013 02:01:57.639 PST
Gen. Time: 01/22/2013 02:02:21.528 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  94.36.180.206 (02:01:57.639 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->39329 (02:01:57.639 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (02:02:21.528 PST)
    event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
    52244->6099 (02:02:21.528 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1358848917.639 1358848917.640 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 188.138.32.243, 208.83.20.164, 213.240.241.199, 145.99.175.89, 67.80.14.169, 85.17.143.16 (2), 94.36.180.206, 84.29.151.129, 2.216.102.113
Resource List:
Observed Start: 01/22/2013 02:01:57.639 PST
Gen. Time: 01/22/2013 02:06:04.372 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  188.138.32.243 (02:03:41.336 PST)
    event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
    52735->2710 (02:03:41.336 PST)
  208.83.20.164 (02:03:51.600 PST)
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [/index.php/Special:WhatLinksHere/Porting_to_another_Lisp] MAC_Src: 00:01:64:FF:CE:EA
    52807->80 (02:03:51.600 PST)
  213.240.241.199 (02:02:57.188 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->57998 (02:02:57.188 PST)
  145.99.175.89 (02:04:56.908 PST)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
    53422->51413 (02:04:56.908 PST)
  67.80.14.169 (02:04:02.307 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->42180 (02:04:02.307 PST)
  85.17.143.16 (2) (02:02:21.687 PST)
    event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA
    52243->6969 (02:02:21.687 PST)
    -------------------------
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
    52243->6969 (02:02:21.687 PST)
  94.36.180.206 (02:01:57.639 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->39329 (02:01:57.639 PST)
  84.29.151.129 (02:03:16.228 PST)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
    52661->27377 (02:03:16.228 PST)
  2.216.102.113 (02:05:04.676 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->64050 (02:05:04.676 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (02:02:21.528 PST)
    event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
    52244->6099 (02:02:21.528 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1358848917.639 1358848917.640 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 109.234.138.48, 84.29.151.129, 94.36.180.206
Resource List:
Observed Start: 01/22/2013 04:01:52.272 PST
Gen. Time: 01/22/2013 04:03:00.834 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  109.234.138.48 (04:01:52.272 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->47562 (04:01:52.272 PST)
  84.29.151.129 (04:02:44.419 PST)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
    59456->27377 (04:02:44.419 PST)
  94.36.180.206 (04:02:52.433 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->39329 (04:02:52.433 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (04:03:00.834 PST)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->6099 (04:03:00.834 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1358856112.272 1358856112.273 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 188.138.32.243, 109.234.138.48, 124.122.247.107, 86.161.223.160, 84.29.151.129, 208.83.20.164, 94.36.180.206
Resource List:
Observed Start: 01/22/2013 04:01:52.272 PST
Gen. Time: 01/22/2013 04:04:51.735 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  188.138.32.243 (04:03:05.575 PST)
    event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
    59726->2710 (04:03:05.575 PST)
  109.234.138.48 (04:01:52.272 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->47562 (04:01:52.272 PST)
  124.122.247.107 (04:03:52.294 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->39012 (04:03:52.294 PST)
  86.161.223.160 (04:04:04.928 PST)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
    60177->6890 (04:04:04.928 PST)
  84.29.151.129 (04:02:44.419 PST)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
    59456->27377 (04:02:44.419 PST)
  208.83.20.164 (04:04:01.813 PST)
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [%F1W]%F1%12%97(%B4%83%18fN%81%D0`2%E1!%06%E2%EA.%%C3%EF%A0H%090K%0A%15%E7z8%B5%08J3%8B%F6%DA%9F:%C5%FA%D18)%05h'%87N] MAC_Src: 00:01:64:FF:CE:EA
    60097->80 (04:04:01.813 PST)
  94.36.180.206 (04:02:52.433 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->39329 (04:02:52.433 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (04:03:00.834 PST)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->6099 (04:03:00.834 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1358856112.272 1358856112.273 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 92.19.110.8, 84.236.44.199, 91.224.160.192, 85.17.143.16, 93.146.165.183, 87.241.99.41, 190.255.166.189
Resource List:
Observed Start: 01/22/2013 06:01:18.002 PST
Gen. Time: 01/22/2013 06:04:40.848 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  92.19.110.8 (06:03:19.279 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->16358 (06:03:19.279 PST)
  84.236.44.199 (06:04:26.871 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->21874 (06:04:26.871 PST)
  91.224.160.192 (06:02:00.180 PST)
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
    56475->2710 (06:02:00.180 PST)
  85.17.143.16 (06:02:00.607 PST)
    event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA
    56659->6969 (06:02:00.607 PST)
  93.146.165.183 (06:01:18.002 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->21350 (06:01:18.002 PST)
  87.241.99.41 (06:01:41.207 PST)
    event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
    56476->2710 (06:01:41.207 PST)
  190.255.166.189 (06:02:19.465 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->18449 (06:02:19.465 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (06:04:40.848 PST)
    event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
    58204->6099 (06:04:40.848 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1358863278.002 1358863278.003 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 91.218.38.132, 72.27.90.153, 5.14.3.46, 83.82.211.239, 145.99.175.89
Resource List:
Observed Start: 01/22/2013 08:02:54.074 PST
Gen. Time: 01/22/2013 08:05:10.026 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  91.218.38.132 (08:04:44.647 PST)
    event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
    58253->2710 (08:04:44.647 PST)
  72.27.90.153 (08:03:54.122 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->22334 (08:03:54.122 PST)
  5.14.3.46 (08:02:54.074 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->64373 (08:02:54.074 PST)
  83.82.211.239 (08:04:54.615 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->38607 (08:04:54.615 PST)
  145.99.175.89 (08:03:22.502 PST)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
    57613->51413 (08:03:22.502 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (08:05:10.026 PST)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->6099 (08:05:10.026 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1358870574.074 1358870574.075 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 91.218.38.132, 72.27.90.153, 5.14.3.46, 83.82.211.239, 145.99.175.89 (2)
Resource List:
Observed Start: 01/22/2013 08:02:54.074 PST
Gen. Time: 01/22/2013 08:05:26.292 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  91.218.38.132 (08:04:44.647 PST)
    event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
    58253->2710 (08:04:44.647 PST)
  72.27.90.153 (08:03:54.122 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->22334 (08:03:54.122 PST)
  5.14.3.46 (08:02:54.074 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->64373 (08:02:54.074 PST)
  83.82.211.239 (08:04:54.615 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->38607 (08:04:54.615 PST)
  145.99.175.89 (2) (08:03:22.502 PST)
    event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
    57613->51413 (08:03:22.502 PST)
    58606->51413 (08:05:23.527 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (08:05:10.026 PST)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->6099 (08:05:10.026 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1358870574.074 1358870574.075 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 188.138.32.243, 86.161.223.160, 181.47.147.164, 83.149.86.133
Resource List:
Observed Start: 01/22/2013 10:05:28.442 PST
Gen. Time: 01/22/2013 10:06:50.069 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  188.138.32.243 (10:06:17.561 PST)
    event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
    58878->2710 (10:06:17.561 PST)
  86.161.223.160 (10:05:28.442 PST)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
    58555->6890 (10:05:28.442 PST)
  181.47.147.164 (10:06:23.226 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->58485 (10:06:23.226 PST)
  83.149.86.133 (10:06:20.882 PST)
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
    58970->6969 (10:06:20.882 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (10:06:50.069 PST)
    event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
    59200->6099 (10:06:50.069 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1358877928.442 1358877928.443 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 188.138.32.243, 86.161.223.160 (2), 181.47.147.164, 93.145.89.6, 177.97.148.86, 91.75.132.214, 83.149.86.133, 145.99.175.89
Resource List:
Observed Start: 01/22/2013 10:05:28.442 PST
Gen. Time: 01/22/2013 10:09:29.042 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  188.138.32.243 (10:06:17.561 PST)
    event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
    58878->2710 (10:06:17.561 PST)
  86.161.223.160 (2) (10:05:28.442 PST)
    event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
    58555->6890 (10:05:28.442 PST)
    60119->6890 (10:08:30.480 PST)
  181.47.147.164 (10:06:23.226 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->58485 (10:06:23.226 PST)
  93.145.89.6 (10:09:29.042 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->2743 (10:09:29.042 PST)
  177.97.148.86 (10:08:26.064 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->42176 (10:08:26.064 PST)
  91.75.132.214 (10:07:26.404 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->64422 (10:07:26.404 PST)
  83.149.86.133 (10:06:20.882 PST)
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
    58970->6969 (10:06:20.882 PST)
  145.99.175.89 (10:06:52.127 PST)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
    59234->51413 (10:06:52.127 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (10:06:50.069 PST)
    event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
    59200->6099 (10:06:50.069 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1358877928.442 1358877928.443 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 82.131.15.184, 83.149.86.133, 188.78.87.215 (2)
Resource List:
Observed Start: 01/22/2013 12:06:13.875 PST
Gen. Time: 01/22/2013 12:07:40.944 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  82.131.15.184 (12:06:54.722 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->55888 (12:06:54.722 PST)
  83.149.86.133 (12:06:51.466 PST)
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
    52088->6969 (12:06:51.466 PST)
  188.78.87.215 (2) (12:06:13.875 PST)
    event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
    51813->16334 (12:06:13.875 PST)
    52379->16334 (12:07:19.891 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (12:07:40.944 PST)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->6099 (12:07:40.944 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1358885173.875 1358885173.876 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 2.230.52.152, 82.131.15.184, 108.172.230.146, 85.74.172.112, 37.153.12.154, 201.239.210.8, 83.149.86.133, 188.78.87.215 (2)
Resource List:
Observed Start: 01/22/2013 12:06:13.875 PST
Gen. Time: 01/22/2013 12:09:56.389 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  2.230.52.152 (12:08:50.185 PST)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
    53143->51413 (12:08:50.185 PST)
  82.131.15.184 (12:06:54.722 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->55888 (12:06:54.722 PST)
  108.172.230.146 (12:08:56.121 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->42711 (12:08:56.121 PST)
  85.74.172.112 (12:09:56.389 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->23643 (12:09:56.389 PST)
  37.153.12.154 (12:09:51.916 PST)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
    53633->6881 (12:09:51.916 PST)
  201.239.210.8 (12:07:54.543 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->38566 (12:07:54.543 PST)
  83.149.86.133 (12:06:51.466 PST)
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
    52088->6969 (12:06:51.466 PST)
  188.78.87.215 (2) (12:06:13.875 PST)
    event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
    51813->16334 (12:06:13.875 PST)
    52379->16334 (12:07:19.891 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (12:07:40.944 PST)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->6099 (12:07:40.944 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1358885173.875 1358885173.876 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 95.243.237.163, 24.118.247.122, 78.22.28.248, 83.149.86.133, 98.81.95.254, 145.99.175.89, 188.78.87.215
Resource List:
Observed Start: 01/22/2013 14:06:21.510 PST
Gen. Time: 01/22/2013 14:09:31.488 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  95.243.237.163 (14:08:25.354 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->6881 (14:08:25.354 PST)
  24.118.247.122 (14:07:22.664 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->32907 (14:07:22.664 PST)
  78.22.28.248 (14:09:25.522 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->14297 (14:09:25.522 PST)
  83.149.86.133 (14:07:22.061 PST)
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
    61153->6969 (14:07:22.061 PST)
  98.81.95.254 (14:06:21.510 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->64242 (14:06:21.510 PST)
  145.99.175.89 (14:08:31.027 PST)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
    61762->51413 (14:08:31.027 PST)
  188.78.87.215 (14:07:17.564 PST)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
    61021->16334 (14:07:17.564 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (14:09:31.488 PST)
    event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
    62264->6099 (14:09:31.488 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1358892381.510 1358892381.511 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 188.138.32.243, 95.243.237.163, 121.14.98.151, 98.81.95.254, 145.99.175.89, 188.78.87.215, 83.149.86.133, 78.22.28.248, 24.118.247.122
Resource List:
Observed Start: 01/22/2013 14:06:21.510 PST
Gen. Time: 01/22/2013 14:10:22.977 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  188.138.32.243 (14:10:03.939 PST)
    event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
    62395->2710 (14:10:03.939 PST)
  95.243.237.163 (14:08:25.354 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->6881 (14:08:25.354 PST)
  121.14.98.151 (14:10:02.593 PST)
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
    62387->9090 (14:10:02.593 PST)
  98.81.95.254 (14:06:21.510 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->64242 (14:06:21.510 PST)
  145.99.175.89 (14:08:31.027 PST)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
    61762->51413 (14:08:31.027 PST)
  188.78.87.215 (14:07:17.564 PST)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
    61021->16334 (14:07:17.564 PST)
  83.149.86.133 (14:07:22.061 PST)
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
    61153->6969 (14:07:22.061 PST)
  78.22.28.248 (14:09:25.522 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->14297 (14:09:25.522 PST)
  24.118.247.122 (14:07:22.664 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->32907 (14:07:22.664 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (14:09:31.488 PST)
    event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
    62264->6099 (14:09:31.488 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1358892381.510 1358892381.511 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 95.18.73.175, 91.224.160.192 (2), 46.141.12.183, 151.48.112.199
Resource List:
Observed Start: 01/22/2013 16:08:52.064 PST
Gen. Time: 01/22/2013 16:10:30.889 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  95.18.73.175 (16:09:57.469 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->43037 (16:09:57.469 PST)
  91.224.160.192 (2) (16:08:52.064 PST)
    event=1:1100016 (2) {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
    50898->2710 (16:08:52.064 PST)
    51554->2710 (16:10:23.311 PST)
  46.141.12.183 (16:09:53.250 PST)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
    51308->6890 (16:09:53.250 PST)
  151.48.112.199 (16:08:57.321 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->43096 (16:08:57.321 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (16:10:30.889 PST)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->6099 (16:10:30.889 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1358899732.064 1358899732.065 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 95.18.73.175, 91.224.160.192 (2), 46.120.119.208, 46.141.12.183, 86.176.84.115, 41.237.225.207, 151.48.112.199, 145.99.175.89 (2)
Resource List:
Observed Start: 01/22/2013 16:08:52.064 PST
Gen. Time: 01/22/2013 16:12:58.002 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  95.18.73.175 (16:09:57.469 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->43037 (16:09:57.469 PST)
  91.224.160.192 (2) (16:08:52.064 PST)
    event=1:1100016 (2) {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
    50898->2710 (16:08:52.064 PST)
    51554->2710 (16:10:23.311 PST)
  46.120.119.208 (16:11:57.080 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->14110 (16:11:57.080 PST)
  46.141.12.183 (16:09:53.250 PST)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
    51308->6890 (16:09:53.250 PST)
  86.176.84.115 (16:10:57.533 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->61137 (16:10:57.533 PST)
  41.237.225.207 (16:12:58.002 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->28068 (16:12:58.002 PST)
  151.48.112.199 (16:08:57.321 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->43096 (16:08:57.321 PST)
  145.99.175.89 (2) (16:10:54.259 PST)
    event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
    51679->51413 (16:10:54.259 PST)
    52132->51413 (16:12:01.437 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (16:10:30.889 PST)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->6099 (16:10:30.889 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1358899732.064 1358899732.065 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 96.49.232.241, 97.86.227.86, 124.8.223.89, 83.77.36.32, 145.99.175.89
Resource List:
Observed Start: 01/22/2013 18:10:21.013 PST
Gen. Time: 01/22/2013 18:12:51.685 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  96.49.232.241 (18:11:23.889 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->56313 (18:11:23.889 PST)
  97.86.227.86 (18:10:21.013 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->48937 (18:10:21.013 PST)
  124.8.223.89 (18:11:56.277 PST)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
    50416->16881 (18:11:56.277 PST)
  83.77.36.32 (18:12:23.607 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->10905 (18:12:23.607 PST)
  145.99.175.89 (18:10:39.279 PST)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
    49981->51413 (18:10:39.279 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (18:12:51.685 PST)
    event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
    50777->6099 (18:12:51.685 PST)
DECLARE BOT
OUTBOUND
INTENSE MALWARE PORT SCAN tcpslice 1358907021.013 1358907021.014 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 96.49.232.241, 181.163.140.206, 97.86.227.86, 89.11.148.36, 124.8.223.89, 208.83.20.164, 83.77.36.32, 145.99.175.89 (2) Resource List: Observed Start: 01/22/2013 18:10:21.013 PST Gen. Time: 01/22/2013 18:14:27.861 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 96.49.232.241 (18:11:23.889 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->56313 (18:11:23.889 PST) 181.163.140.206 (18:13:23.651 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->58744 (18:13:23.651 PST) 97.86.227.86 (18:10:21.013 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->48937 (18:10:21.013 PST) 89.11.148.36 (18:14:27.861 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->16773 (18:14:27.861 PST) 124.8.223.89 (18:11:56.277 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 50416->16881 (18:11:56.277 PST) 208.83.20.164 (18:14:01.784 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [/download/malware_dns/01-20-2013/Get_Top-100_30-Day_WatchList.html] MAC_Src: 00:01:64:FF:CE:EA 51281->80 (18:14:01.784 PST) 83.77.36.32 (18:12:23.607 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->10905 (18:12:23.607 PST) 145.99.175.89 (2) (18:10:39.279 PST) event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 49981->51413 
(18:10:39.279 PST) 50949->51413 (18:13:05.299 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (18:12:51.685 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 50777->6099 (18:12:51.685 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1358907021.013 1358907021.014 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 188.138.32.243, 188.190.98.38, 46.141.12.183, 197.87.126.132, 206.47.30.80 Resource List: Observed Start: 01/22/2013 20:11:53.893 PST Gen. Time: 01/22/2013 20:13:20.499 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 188.138.32.243 (20:13:13.244 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 62385->2710 (20:13:13.244 PST) 188.190.98.38 (20:13:08.903 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 62357->2810 (20:13:08.903 PST) 46.141.12.183 (20:11:55.393 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 61764->6890 (20:11:55.393 PST) 197.87.126.132 (20:12:54.057 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->30320 (20:12:54.057 PST) 206.47.30.80 (20:11:53.893 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6881 (20:11:53.893 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (20:13:20.499 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on 
non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (20:13:20.499 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1358914313.893 1358914313.894 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 188.138.32.243, 177.194.7.90, 145.99.175.89, 46.141.12.183, 91.224.160.192, 187.113.180.46, 206.47.30.80, 188.190.98.38, 80.117.98.21, 197.87.126.132 Resource List: Observed Start: 01/22/2013 20:11:53.893 PST Gen. Time: 01/22/2013 20:15:54.633 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 188.138.32.243 (20:13:13.244 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 62385->2710 (20:13:13.244 PST) 177.194.7.90 (20:14:54.013 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->49102 (20:14:54.013 PST) 145.99.175.89 (20:15:02.089 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 63040->51413 (20:15:02.089 PST) 46.141.12.183 (20:11:55.393 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 61764->6890 (20:11:55.393 PST) 91.224.160.192 (20:13:23.542 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 62398->2710 (20:13:23.542 PST) 187.113.180.46 (20:15:54.633 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->38560 (20:15:54.633 PST) 206.47.30.80 (20:11:53.893 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6881 (20:11:53.893 PST) 188.190.98.38 (20:13:08.903 PST) event=1:1100012 
{tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 62357->2810 (20:13:08.903 PST) 80.117.98.21 (20:13:54.144 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->63287 (20:13:54.144 PST) 197.87.126.132 (20:12:54.057 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->30320 (20:12:54.057 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (20:13:20.499 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (20:13:20.499 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1358914313.893 1358914313.894 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 24.126.60.36, 190.244.16.33, 177.194.7.90, 91.224.160.192, 46.141.12.183, 87.241.99.41, 145.99.175.89 (2) Resource List: Observed Start: 01/22/2013 22:11:52.600 PST Gen. 
Time: 01/22/2013 22:15:01.020 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 24.126.60.36 (22:14:02.137 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->47842 (22:14:02.137 PST) 190.244.16.33 (22:13:02.549 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->59605 (22:13:02.549 PST) 177.194.7.90 (22:12:02.192 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->49102 (22:12:02.192 PST) 91.224.160.192 (22:11:52.600 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 56892->2710 (22:11:52.600 PST) 46.141.12.183 (22:14:00.631 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 57862->6890 (22:14:00.631 PST) 87.241.99.41 (22:12:07.804 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 57107->2710 (22:12:07.804 PST) 145.99.175.89 (2) (22:11:55.784 PST) event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 56999->51413 (22:11:55.784 PST) 57408->51413 (22:12:58.801 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (22:15:01.020 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 58174->6099 (22:15:01.020 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1358921512.600 1358921512.601 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. 
List: 95.243.237.163, 208.83.20.164, 177.194.7.90, 190.244.16.33, 145.99.175.89 (2), 46.141.12.183, 91.224.160.192, 87.241.99.41, 24.126.60.36 Resource List: Observed Start: 01/22/2013 22:11:52.600 PST Gen. Time: 01/22/2013 22:15:02.133 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 95.243.237.163 (22:15:02.133 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6881 (22:15:02.133 PST) 208.83.20.164 (22:15:01.098 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 58173->80 (22:15:01.098 PST) 177.194.7.90 (22:12:02.192 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->49102 (22:12:02.192 PST) 190.244.16.33 (22:13:02.549 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->59605 (22:13:02.549 PST) 145.99.175.89 (2) (22:11:55.784 PST) event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 56999->51413 (22:11:55.784 PST) 57408->51413 (22:12:58.801 PST) 46.141.12.183 (22:14:00.631 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 57862->6890 (22:14:00.631 PST) 91.224.160.192 (22:11:52.600 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 56892->2710 (22:11:52.600 PST) 87.241.99.41 (22:12:07.804 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 57107->2710 (22:12:07.804 PST) 24.126.60.36 (22:14:02.137 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->47842 (22:14:02.137 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (22:15:01.020 PST) event=1:9930009 {tcp} 
E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 58174->6099 (22:15:01.020 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1358921512.600 1358921512.601 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================