Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 145.99.175.89 Resource List: Observed Start: 01/23/2013 00:15:05.016 PST Gen. Time: 01/23/2013 00:15:40.875 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 145.99.175.89 (00:15:05.016 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 52582->51413 (00:15:05.016 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (00:15:40.875 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (00:15:40.875 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1358928905.016 1358928905.017 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 208.95.173.194, 98.197.171.221, 109.201.148.249, 188.138.32.243, 188.218.133.70, 109.217.12.134, 151.28.235.73, 145.99.175.89 (3) Resource List: Observed Start: 01/23/2013 00:15:05.016 PST Gen. Time: 01/23/2013 00:19:02.532 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 208.95.173.194 (00:15:41.339 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 52795->2711 (00:15:41.339 PST) 98.197.171.221 (00:19:02.532 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->25822 (00:19:02.532 PST) 109.201.148.249 (00:18:11.026 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 53798->2710 (00:18:11.026 PST) 188.138.32.243 (00:16:21.691 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 53137->2710 (00:16:21.691 PST) 188.218.133.70 (00:16:02.175 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->2734 (00:16:02.175 PST) 109.217.12.134 (00:18:02.180 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->27265 (00:18:02.180 PST) 151.28.235.73 (00:17:02.223 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->33172 (00:17:02.223 PST) 145.99.175.89 (3) (00:15:05.016 PST) event=1:1100012 (3) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 52582->51413 (00:15:05.016 PST) 53401->51413 (00:17:03.022 PST) 53805->51413 (00:18:11.528 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (00:15:40.875 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (00:15:40.875 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1358928905.016 1358928905.017 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 92.233.253.189, 208.83.20.164 Resource List: Observed Start: 01/23/2013 02:16:20.958 PST Gen. Time: 01/23/2013 02:17:31.575 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 92.233.253.189 (02:16:58.190 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->14556 (02:16:58.190 PST) 208.83.20.164 (02:16:20.958 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [/projects/tihi/] MAC_Src: 00:01:64:FF:CE:EA 52554->80 (02:16:20.958 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (02:17:31.575 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 53038->6099 (02:17:31.575 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1358936180.958 1358936180.959 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 208.83.20.164, 91.218.38.132, 145.99.175.89, 92.233.253.189, 109.201.148.249, 24.118.247.122, 176.254.150.6, 99.230.104.255, 115.207.113.191 Resource List: Observed Start: 01/23/2013 02:16:20.958 PST Gen. Time: 01/23/2013 02:20:21.901 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 208.83.20.164 (02:16:20.958 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [/projects/tihi/] MAC_Src: 00:01:64:FF:CE:EA 52554->80 (02:16:20.958 PST) 91.218.38.132 (02:19:20.201 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 53946->2710 (02:19:20.201 PST) 145.99.175.89 (02:19:04.283 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 53827->51413 (02:19:04.283 PST) 92.233.253.189 (02:16:58.190 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->14556 (02:16:58.190 PST) 109.201.148.249 (02:19:01.761 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 53773->2710 (02:19:01.761 PST) 24.118.247.122 (02:18:01.644 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->32907 (02:18:01.644 PST) 176.254.150.6 (02:20:01.396 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->14249 (02:20:01.396 PST) 99.230.104.255 (02:19:01.146 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->53512 (02:19:01.146 PST) 115.207.113.191 (02:20:11.128 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 54390->10471 (02:20:11.128 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (02:17:31.575 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 53038->6099 (02:17:31.575 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1358936180.958 1358936180.959 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 01/23/2013 04:17:50.555 PST Gen. Time: 01/23/2013 04:17:50.555 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (04:17:50.555 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (04:17:50.555 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1358943470.555 1358943470.556 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 79.1.185.184, 188.138.32.243, 184.18.202.139, 178.239.54.151, 151.28.235.73, 84.29.151.129 (2) Resource List: Observed Start: 01/23/2013 04:17:50.555 PST Gen. Time: 01/23/2013 04:21:31.172 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 79.1.185.184 (04:19:30.220 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->28476 (04:19:30.220 PST) 188.138.32.243 (04:19:51.000 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 58397->2710 (04:19:51.000 PST) 184.18.202.139 (04:18:27.276 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->15494 (04:18:27.276 PST) 178.239.54.151 (04:18:01.663 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 57701->2710 (04:18:01.663 PST) 151.28.235.73 (04:20:31.910 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->33172 (04:20:31.910 PST) 84.29.151.129 (2) (04:17:57.973 PST) event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 57640->27377 (04:17:57.973 PST) 58488->27377 (04:19:55.983 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (04:17:50.555 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (04:17:50.555 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1358943470.555 1358943470.556 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 01/23/2013 06:20:11.010 PST Gen. Time: 01/23/2013 06:20:11.010 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (06:20:11.010 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 52045->6099 (06:20:11.010 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1358950811.010 1358950811.011 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 188.138.32.243, 114.93.169.159, 81.57.226.154, 177.99.24.203, 213.22.63.238, 85.17.143.16 (2) Resource List: Observed Start: 01/23/2013 06:20:11.010 PST Gen. Time: 01/23/2013 06:23:05.291 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 188.138.32.243 (06:20:21.190 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 52201->2710 (06:20:21.190 PST) 114.93.169.159 (06:22:18.379 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 53228->56795 (06:22:18.379 PST) 81.57.226.154 (06:21:05.228 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->46249 (06:21:05.228 PST) 177.99.24.203 (06:23:05.291 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->38637 (06:23:05.291 PST) 213.22.63.238 (06:22:05.288 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->34650 (06:22:05.288 PST) 85.17.143.16 (2) (06:21:21.600 PST) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 52786->6969 (06:21:21.600 PST) ------------------------- event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 52786->6969 (06:21:21.600 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (06:20:11.010 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 52045->6099 (06:20:11.010 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1358950811.010 1358950811.011 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 145.99.175.89 Resource List: Observed Start: 01/23/2013 08:20:23.920 PST Gen. Time: 01/23/2013 08:20:30.357 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 145.99.175.89 (08:20:23.920 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 52821->51413 (08:20:23.920 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (08:20:30.357 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (08:20:30.357 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1358958023.920 1358958023.921 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 190.244.16.33, 91.218.38.132, 85.17.143.16, 67.80.14.169, 69.35.66.145, 85.243.161.7, 126.119.50.205, 145.99.175.89 (2) Resource List: Observed Start: 01/23/2013 08:20:23.920 PST Gen. Time: 01/23/2013 08:23:52.612 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 190.244.16.33 (08:22:51.280 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->59605 (08:22:51.280 PST) 91.218.38.132 (08:21:21.476 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 53310->2710 (08:21:21.476 PST) 85.17.143.16 (08:22:00.832 PST) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 53703->6969 (08:22:00.832 PST) 67.80.14.169 (08:23:52.612 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->42180 (08:23:52.612 PST) 69.35.66.145 (08:22:34.273 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 54120->60254 (08:22:34.273 PST) 85.243.161.7 (08:21:50.463 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->41141 (08:21:50.463 PST) 126.119.50.205 (08:20:49.151 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->15973 (08:20:49.151 PST) 145.99.175.89 (2) (08:20:23.920 PST) event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 52821->51413 (08:20:23.920 PST) 53417->51413 (08:21:26.431 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (08:20:30.357 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (08:20:30.357 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1358958023.920 1358958023.921 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 177.142.60.177 Resource List: Observed Start: 01/23/2013 10:21:47.059 PST Gen. Time: 01/23/2013 10:22:00.810 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 177.142.60.177 (10:21:47.059 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->52551 (10:21:47.059 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (10:22:00.810 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 55674->6099 (10:22:00.810 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1358965307.059 1358965307.060 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 89.227.248.250, 177.142.60.177, 91.218.38.132 (2), 145.99.175.89, 83.177.196.90, 208.95.173.194, 190.160.2.163, 85.17.143.16, 83.149.86.133, 109.53.80.110, 50.19.95.119, 87.241.99.41, 79.11.240.93, 110.175.201.97 Resource List: Observed Start: 01/23/2013 10:21:47.059 PST Gen. Time: 01/23/2013 10:25:48.263 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 89.227.248.250 (10:24:17.183 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 56929->6346 (10:24:17.183 PST) 177.142.60.177 (10:21:47.059 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->52551 (10:21:47.059 PST) 91.218.38.132 (2) (10:22:01.007 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 55673->2710 (10:22:01.007 PST) ------------------------- event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 55709->2710 (10:22:08.404 PST) 145.99.175.89 (10:22:39.338 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 56028->51413 (10:22:39.338 PST) 83.177.196.90 (10:25:48.263 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->64503 (10:25:48.263 PST) 208.95.173.194 (10:24:40.831 PST) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 57265->2710 (10:24:40.831 PST) 190.160.2.163 (10:25:20.838 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 57655->16884 (10:25:20.838 PST) 85.17.143.16 (10:22:10.766 PST) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 55743->6969 (10:22:10.766 PST) 83.149.86.133 (10:24:40.816 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 57266->6969 (10:24:40.816 PST) 109.53.80.110 (10:22:47.221 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->56846 (10:22:47.221 PST) 50.19.95.119 (10:24:40.731 PST) event=1:1100017 {tcp} E7[info] P2P torrent scrape tracker request, [%90%06%FF%BA4S%F4E%00%00%00%8C%06%1E%00%00%00%80*%B5c%FB%B8'%BD%9A%D4|%C8%C4k%E2%EE%14%FC%08%A7%C9o+%FBi%98%A3%C0B%07%F8%92eF%91%E9eT%F2|%C2_Z%03%CB%EB%FC%B8%02N0%AA%9B%01%8BG%13%F5n[%85%12E%067%EB%B2%DB%96] MAC_Src: 00:01:64:FF:CE:EA 57263->80 (10:24:40.731 PST) 87.241.99.41 (10:23:31.458 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 56598->2710 (10:23:31.458 PST) 79.11.240.93 (10:23:48.172 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->47708 (10:23:48.172 PST) 110.175.201.97 (10:24:48.840 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->61146 (10:24:48.840 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (10:22:00.810 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 55674->6099 (10:22:00.810 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1358965307.059 1358965307.060 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 142.134.28.164, 24.202.61.116, 87.126.150.59, 114.246.147.46, 171.7.130.6, 208.83.20.164, 145.99.175.89, 82.161.69.109 Resource List: Observed Start: 01/23/2013 12:19:30.677 PST Gen. Time: 01/23/2013 12:23:00.267 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 142.134.28.164 (12:22:00.498 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->52657 (12:22:00.498 PST) 24.202.61.116 (12:21:00.596 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->10416 (12:21:00.596 PST) 87.126.150.59 (12:23:00.205 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->60042 (12:23:00.205 PST) 114.246.147.46 (12:22:40.679 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 62835->11531 (12:22:40.679 PST) 171.7.130.6 (12:19:45.646 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 61169->7547 (12:19:45.646 PST) 208.83.20.164 (12:19:30.677 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 61100->80 (12:19:30.677 PST) 145.99.175.89 (12:21:29.335 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 62191->51413 (12:21:29.335 PST) 82.161.69.109 (12:20:00.559 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->26085 (12:20:00.559 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (12:23:00.267 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (12:23:00.267 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1358972370.677 1358972370.678 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 87.126.150.59, 91.218.38.132, 208.83.20.164, 145.99.175.89, 82.161.69.109, 171.7.130.6, 142.134.28.164, 114.246.147.46, 24.202.61.116 Resource List: Observed Start: 01/23/2013 12:19:30.677 PST Gen. Time: 01/23/2013 12:23:11.224 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 87.126.150.59 (12:23:00.205 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->60042 (12:23:00.205 PST) 91.218.38.132 (12:23:11.224 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 63151->2710 (12:23:11.224 PST) 208.83.20.164 (12:19:30.677 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 61100->80 (12:19:30.677 PST) 145.99.175.89 (12:21:29.335 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 62191->51413 (12:21:29.335 PST) 82.161.69.109 (12:20:00.559 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->26085 (12:20:00.559 PST) 171.7.130.6 (12:19:45.646 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 61169->7547 (12:19:45.646 PST) 142.134.28.164 (12:22:00.498 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->52657 (12:22:00.498 PST) 114.246.147.46 (12:22:40.679 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 62835->11531 (12:22:40.679 PST) 24.202.61.116 (12:21:00.596 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->10416 (12:21:00.596 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (12:23:00.267 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (12:23:00.267 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1358972370.677 1358972370.678 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 119.74.135.228, 91.218.38.132, 173.254.227.67, 121.1.46.110, 85.17.143.16, 132.248.66.18 Resource List: Observed Start: 01/23/2013 14:22:37.649 PST Gen. Time: 01/23/2013 14:24:40.567 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 119.74.135.228 (14:23:39.066 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->37939 (14:23:39.066 PST) 91.218.38.132 (14:24:11.046 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 58124->2710 (14:24:11.046 PST) 173.254.227.67 (14:24:09.661 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 58103->43611 (14:24:09.661 PST) 121.1.46.110 (14:24:39.968 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->16795 (14:24:39.968 PST) 85.17.143.16 (14:22:37.649 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 57359->6969 (14:22:37.649 PST) 132.248.66.18 (14:22:38.135 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->50841 (14:22:38.135 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (14:24:40.567 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 58238->6099 (14:24:40.567 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1358979757.649 1358979757.650 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 121.1.46.110, 91.218.38.132, 173.254.227.67, 91.202.73.55, 132.248.66.18, 85.17.143.16, 119.74.135.228, 124.232.148.178, 181.163.139.176 Resource List: Observed Start: 01/23/2013 14:22:37.649 PST Gen. Time: 01/23/2013 14:26:10.796 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 121.1.46.110 (14:24:39.968 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->16795 (14:24:39.968 PST) 91.218.38.132 (14:24:11.046 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 58124->2710 (14:24:11.046 PST) 173.254.227.67 (14:24:09.661 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 58103->43611 (14:24:09.661 PST) 91.202.73.55 (14:26:10.796 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 59042->80 (14:26:10.796 PST) 132.248.66.18 (14:22:38.135 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->50841 (14:22:38.135 PST) 85.17.143.16 (14:22:37.649 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 57359->6969 (14:22:37.649 PST) 119.74.135.228 (14:23:39.066 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->37939 (14:23:39.066 PST) 124.232.148.178 (14:25:29.672 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 58820->27105 (14:25:29.672 PST) 181.163.139.176 (14:25:39.922 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->58744 (14:25:39.922 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (14:24:40.567 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 58238->6099 (14:24:40.567 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1358979757.649 1358979757.650 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 188.138.32.243, 69.140.198.192, 181.163.139.176 Resource List: Observed Start: 01/23/2013 16:23:50.086 PST Gen. Time: 01/23/2013 16:25:40.507 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 188.138.32.243 (16:25:20.930 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 56212->2710 (16:25:20.930 PST) 69.140.198.192 (16:25:00.248 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->22554 (16:25:00.248 PST) 181.163.139.176 (16:23:50.086 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->58744 (16:23:50.086 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (16:25:40.507 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (16:25:40.507 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1358987030.086 1358987030.087 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 24.210.193.8, 188.138.32.243, 69.140.198.192, 181.163.139.176, 177.99.24.203, 91.202.73.55, 212.59.28.49, 145.99.175.89 Resource List: Observed Start: 01/23/2013 16:23:50.086 PST Gen. Time: 01/23/2013 16:27:10.750 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 24.210.193.8 (16:26:01.389 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->32955 (16:26:01.389 PST) 188.138.32.243 (16:25:20.930 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 56212->2710 (16:25:20.930 PST) 69.140.198.192 (16:25:00.248 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->22554 (16:25:00.248 PST) 181.163.139.176 (16:23:50.086 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->58744 (16:23:50.086 PST) 177.99.24.203 (16:27:01.275 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->38637 (16:27:01.275 PST) 91.202.73.55 (16:27:10.750 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 57367->80 (16:27:10.750 PST) 212.59.28.49 (16:26:21.362 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 56813->2710 (16:26:21.362 PST) 145.99.175.89 (16:26:19.283 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 56766->51413 (16:26:19.283 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (16:25:40.507 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (16:25:40.507 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1358987030.086 1358987030.087 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 01/23/2013 18:27:10.727 PST Gen. Time: 01/23/2013 18:27:10.727 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (18:27:10.727 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 63413->6099 (18:27:10.727 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1358994430.727 1358994430.728 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 177.32.91.198, 145.99.175.89 (2), 91.202.73.55, 202.103.67.135, 2.40.9.198, 77.67.84.190, 87.241.99.41, 178.239.54.153, 114.47.200.103 Resource List: Observed Start: 01/23/2013 18:27:10.727 PST Gen. Time: 01/23/2013 18:30:46.491 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 177.32.91.198 (18:27:50.240 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->10506 (18:27:50.240 PST) 145.99.175.89 (2) (18:27:17.640 PST) event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 63460->51413 (18:27:17.640 PST) 64756->51413 (18:30:01.164 PST) 91.202.73.55 (18:27:40.939 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 63515->80 (18:27:40.939 PST) 202.103.67.135 (18:30:11.276 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [%18%EE%0A%E1%C7%06 %1D-%84%D6%9A%B5p%BDa%F2%B5r%0D%CAzz%D1%FB%B1%C0%C5%92%E1%E8%1E%AFa%0C%C1%7F%1FF%FCH%CA%048080 (18:30:11.276 PST) 2.40.9.198 (18:29:50.043 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->48592 (18:29:50.043 PST) 77.67.84.190 (18:28:37.127 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 63977->16881 (18:28:37.127 PST) 87.241.99.41 (18:30:24.464 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 64914->2710 (18:30:24.464 PST) 178.239.54.153 (18:29:00.306 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 64262->3310 (18:29:00.306 PST) 114.47.200.103 (18:28:50.094 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->49814 (18:28:50.094 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (18:27:10.727 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 63413->6099 (18:27:10.727 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1358994430.727 1358994430.728 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 01/23/2013 20:28:10.907 PST Gen. Time: 01/23/2013 20:28:10.907 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (20:28:10.907 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (20:28:10.907 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1359001690.907 1359001690.908 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 189.59.8.105, 115.84.149.43, 201.251.97.10, 151.28.235.73, 83.149.86.133, 212.59.28.49 Resource List: Observed Start: 01/23/2013 20:28:10.907 PST Gen. Time: 01/23/2013 20:30:38.330 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 189.59.8.105 (20:30:08.960 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 65443->16881 (20:30:08.960 PST) 115.84.149.43 (20:29:09.130 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->10236 (20:29:09.130 PST) 201.251.97.10 (20:29:02.758 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 65059->16884 (20:29:02.758 PST) 151.28.235.73 (20:30:13.167 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->33172 (20:30:13.167 PST) 83.149.86.133 (20:29:31.525 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 65177->6969 (20:29:31.525 PST) 212.59.28.49 (20:29:22.170 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 65163->2710 (20:29:22.170 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (20:28:10.907 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (20:28:10.907 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1359001690.907 1359001690.908 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 01/23/2013 22:30:00.650 PST Gen. Time: 01/23/2013 22:30:00.650 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (22:30:00.650 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 56212->6099 (22:30:00.650 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1359009000.650 1359009000.651 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 89.227.248.250 (2), 64.180.195.58, 145.99.175.89 (2), 208.95.173.194 (2), 109.201.148.249, 83.149.86.133, 97.86.227.86, 50.19.95.119, 178.239.54.153, 174.1.108.186, 67.9.87.156 Resource List: Observed Start: 01/23/2013 22:30:00.650 PST Gen. Time: 01/23/2013 22:34:02.005 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 89.227.248.250 (2) (22:30:02.482 PST) event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 56225->6346 (22:30:02.482 PST) 57584->6346 (22:34:02.005 PST) 64.180.195.58 (22:32:47.604 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->49052 (22:32:47.604 PST) 145.99.175.89 (2) (22:31:53.182 PST) event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 56743->51413 (22:31:53.182 PST) 57177->51413 (22:33:01.693 PST) 208.95.173.194 (2) (22:30:44.198 PST) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 57446->2710 (22:33:51.191 PST) ------------------------- event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 56305->2710 (22:30:44.198 PST) 109.201.148.249 (22:30:00.805 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 56213->2710 (22:30:00.805 PST) 83.149.86.133 (22:33:51.169 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 57449->6969 (22:33:51.169 PST) 97.86.227.86 (22:30:47.534 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->48937 (22:30:47.534 PST) 50.19.95.119 (22:33:41.082 PST) event=1:1100017 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 57307->80 (22:33:41.082 PST) 178.239.54.153 (22:31:41.714 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 56637->3310 (22:31:41.714 PST) 174.1.108.186 (22:33:47.083 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->22540 (22:33:47.083 PST) 67.9.87.156 (22:31:47.591 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->42007 (22:31:47.591 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (22:30:00.650 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 56212->6099 (22:30:00.650 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1359009000.650 1359009000.651 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================