Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 178.78.92.91, 83.149.86.133, 145.99.175.89
Resource List:
Observed Start: 01/24/2013 00:30:04.399 PST
Gen. Time: 01/24/2013 00:31:00.358 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
  Info
    178.78.92.91 (00:30:50.419 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->22912 (00:30:50.419 PST)
    83.149.86.133 (00:30:41.353 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 49652->6969 (00:30:41.353 PST)
    145.99.175.89 (00:30:04.399 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 49464->51413 (00:30:04.399 PST)
PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
    69.43.161.167 (00:31:00.358 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (00:31:00.358 PST)
  DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359016204.399 1359016204.400 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 178.239.54.153, 188.138.32.243, 151.28.235.73, 178.78.92.91, 83.149.86.133, 145.99.175.89
Resource List:
Observed Start: 01/24/2013 00:30:04.399 PST
Gen. Time: 01/24/2013 00:32:21.389 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
  Info
    178.239.54.153 (00:32:21.389 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 50347->3310 (00:32:21.389 PST)
    188.138.32.243 (00:32:19.030 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 50337->2710 (00:32:19.030 PST)
    151.28.235.73 (00:31:50.108 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->33172 (00:31:50.108 PST)
    178.78.92.91 (00:30:50.419 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->22912 (00:30:50.419 PST)
    83.149.86.133 (00:30:41.353 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 49652->6969 (00:30:41.353 PST)
    145.99.175.89 (00:30:04.399 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 49464->51413 (00:30:04.399 PST)
PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
    69.43.161.167 (00:31:00.358 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (00:31:00.358 PST)
  DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359016204.399 1359016204.400 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 188.138.32.243, 89.227.248.250, 208.83.20.164, 145.99.175.89, 203.113.15.209, 83.9.183.90, 91.224.160.192, 87.0.138.251, 184.66.71.51, 105.230.18.180
Resource List:
Observed Start: 01/24/2013 02:28:52.515 PST
Gen. Time: 01/24/2013 02:32:10.482 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
  Info
    188.138.32.243 (02:29:00.468 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 53588->2710 (02:29:00.468 PST)
    89.227.248.250 (02:30:45.002 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 54301->6346 (02:30:45.002 PST)
    208.83.20.164 (02:31:50.282 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 54826->6969 (02:31:50.282 PST)
    145.99.175.89 (02:32:09.172 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 54903->51413 (02:32:09.172 PST)
    203.113.15.209 (02:29:14.208 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 53732->16882 (02:29:14.208 PST)
    83.9.183.90 (02:29:52.837 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->22424 (02:29:52.837 PST)
    91.224.160.192 (02:30:22.200 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 54254->2710 (02:30:22.200 PST)
    87.0.138.251 (02:28:52.515 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->18663 (02:28:52.515 PST)
    184.66.71.51 (02:31:52.321 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->54056 (02:31:52.321 PST)
    105.230.18.180 (02:30:52.440 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->38833 (02:30:52.440 PST)
PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
    69.43.161.167 (02:32:10.482 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 54922->6099 (02:32:10.482 PST)
  DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359023332.515 1359023332.516 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 188.138.32.243, 89.227.248.250, 208.83.20.164, 145.99.175.89, 203.113.15.209, 83.9.183.90, 91.224.160.192, 87.0.138.251, 178.239.54.153, 184.66.71.51, 105.230.18.180
Resource List:
Observed Start: 01/24/2013 02:28:52.515 PST
Gen. Time: 01/24/2013 02:32:50.677 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
  Info
    188.138.32.243 (02:29:00.468 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 53588->2710 (02:29:00.468 PST)
    89.227.248.250 (02:30:45.002 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 54301->6346 (02:30:45.002 PST)
    208.83.20.164 (02:31:50.282 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 54826->6969 (02:31:50.282 PST)
    145.99.175.89 (02:32:09.172 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 54903->51413 (02:32:09.172 PST)
    203.113.15.209 (02:29:14.208 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 53732->16882 (02:29:14.208 PST)
    83.9.183.90 (02:29:52.837 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->22424 (02:29:52.837 PST)
    91.224.160.192 (02:30:22.200 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 54254->2710 (02:30:22.200 PST)
    87.0.138.251 (02:28:52.515 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->18663 (02:28:52.515 PST)
    178.239.54.153 (02:32:50.677 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 55331->3310 (02:32:50.677 PST)
    184.66.71.51 (02:31:52.321 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->54056 (02:31:52.321 PST)
    105.230.18.180 (02:30:52.440 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->38833 (02:30:52.440 PST)
PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
    69.43.161.167 (02:32:10.482 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 54922->6099 (02:32:10.482 PST)
  DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359023332.515 1359023332.516 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 142.68.185.132, 92.241.224.106, 208.83.20.164, 78.134.28.226, 212.59.28.49, 145.99.175.89
Resource List:
Observed Start: 01/24/2013 04:31:05.562 PST
Gen. Time: 01/24/2013 04:33:10.933 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
  Info
    142.68.185.132 (04:33:06.147 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51547 (04:33:06.147 PST)
    92.241.224.106 (04:33:00.899 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 64585->35883 (04:33:00.899 PST)
    208.83.20.164 (04:32:11.018 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 64314->6969 (04:32:11.018 PST)
    78.134.28.226 (04:32:05.514 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->58949 (04:32:05.514 PST)
    212.59.28.49 (04:31:20.751 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 63899->2710 (04:31:20.751 PST)
    145.99.175.89 (04:31:05.562 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 63757->51413 (04:31:05.562 PST)
PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
    69.43.161.167 (04:33:10.933 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (04:33:10.933 PST)
  DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359030665.562 1359030665.563 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 142.68.185.132, 91.224.160.192, 92.241.224.106, 208.83.20.164, 78.134.28.226, 212.59.28.49, 145.99.175.89
Resource List:
Observed Start: 01/24/2013 04:31:05.562 PST
Gen. Time: 01/24/2013 04:33:21.457 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
  Info
    142.68.185.132 (04:33:06.147 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51547 (04:33:06.147 PST)
    91.224.160.192 (04:33:21.457 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 64825->2710 (04:33:21.457 PST)
    92.241.224.106 (04:33:00.899 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 64585->35883 (04:33:00.899 PST)
    208.83.20.164 (04:32:11.018 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 64314->6969 (04:32:11.018 PST)
    78.134.28.226 (04:32:05.514 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->58949 (04:32:05.514 PST)
    212.59.28.49 (04:31:20.751 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 63899->2710 (04:31:20.751 PST)
    145.99.175.89 (04:31:05.562 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 63757->51413 (04:31:05.562 PST)
PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
    69.43.161.167 (04:33:10.933 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (04:33:10.933 PST)
  DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359030665.562 1359030665.563 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 01/24/2013 06:34:51.343 PST
Gen. Time: 01/24/2013 06:34:51.343 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
  Info
PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
    69.43.161.167 (06:34:51.343 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 63072->6099 (06:34:51.343 PST)
  DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359038091.343 1359038091.344 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 188.165.206.82, 208.95.173.194, 202.103.67.135, 119.46.206.107, 2.231.101.52, 83.149.86.133, 178.239.54.153, 203.113.15.205, 95.250.156.121, 95.20.51.112 (2), 177.133.32.44
Resource List:
Observed Start: 01/24/2013 06:34:51.343 PST
Gen. Time: 01/24/2013 06:38:53.419 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
  Info
    188.165.206.82 (06:36:58.486 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->55455 (06:36:58.486 PST)
    208.95.173.194 (06:36:31.170 PST) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 64099->2710 (06:36:31.170 PST)
    202.103.67.135 (06:37:11.274 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [%C3%A6d%E2\F8%A1%01%01%05%0A%88#%07%AC%88#%0D%04F/y2uRwZ8xd9LR+tYATAiMA] MAC_Src: 00:01:64:FF:CE:EA 64520->8080 (06:37:11.274 PST)
    119.46.206.107 (06:38:09.080 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 64977->16884 (06:38:09.080 PST)
    2.231.101.52 (06:35:58.629 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->24233 (06:35:58.629 PST)
    83.149.86.133 (06:36:01.859 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 63836->6969 (06:36:01.859 PST)
    178.239.54.153 (06:34:51.513 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 63071->3310 (06:34:51.513 PST)
    203.113.15.205 (06:37:07.055 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 64439->16884 (06:37:07.055 PST)
    95.250.156.121 (06:37:58.162 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->10201 (06:37:58.162 PST)
    95.20.51.112 (2) (06:34:52.046 PST) event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 63073->37059 (06:34:52.046 PST) 63888->37059 (06:36:04.550 PST)
    177.133.32.44 (06:34:57.296 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->13486 (06:34:57.296 PST)
PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
    69.43.161.167 (06:34:51.343 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 63072->6099 (06:34:51.343 PST)
  DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359038091.343 1359038091.344 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 175.143.197.162, 121.14.98.151
Resource List:
Observed Start: 01/24/2013 08:34:22.080 PST
Gen. Time: 01/24/2013 08:35:01.881 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
  Info
    175.143.197.162 (08:34:22.080 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->64874 (08:34:22.080 PST)
    121.14.98.151 (08:34:41.016 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 64519->9090 (08:34:41.016 PST)
PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
    69.43.161.167 (08:35:01.881 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (08:35:01.881 PST)
  DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359045262.080 1359045262.081 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 121.14.98.151, 89.102.8.130, 145.99.175.89, 208.95.173.194, 217.121.181.86, 2.35.190.144, 83.149.86.133, 213.80.241.70, 175.143.197.162
Resource List:
Observed Start: 01/24/2013 08:34:22.080 PST
Gen. Time: 01/24/2013 08:37:21.987 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
  Info
    121.14.98.151 (08:34:41.016 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 64519->9090 (08:34:41.016 PST)
    89.102.8.130 (08:36:30.138 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->42760 (08:36:30.138 PST)
    145.99.175.89 (08:37:06.956 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 49437->51413 (08:37:06.956 PST)
    208.95.173.194 (08:37:21.917 PST) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 49675->2710 (08:37:21.917 PST)
    217.121.181.86 (08:35:04.274 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 64695->18606 (08:35:04.274 PST)
    2.35.190.144 (08:35:23.491 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->48898 (08:35:23.491 PST)
    83.149.86.133 (08:36:31.469 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 65526->6969 (08:36:31.469 PST)
    213.80.241.70 (08:36:05.547 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 65412->6881 (08:36:05.547 PST)
    175.143.197.162 (08:34:22.080 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->64874 (08:34:22.080 PST)
PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
    69.43.161.167 (08:35:01.881 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (08:35:01.881 PST)
  DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359045262.080 1359045262.081 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 01/24/2013 10:37:00.858 PST
Gen. Time: 01/24/2013 10:37:00.858 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
  Info
PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
    69.43.161.167 (10:37:00.858 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 56770->6099 (10:37:00.858 PST)
  DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359052620.858 1359052620.859 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 68.12.123.77, 139.228.129.95, 208.95.173.194, 81.136.150.113, 91.218.38.132, 83.149.86.133
Resource List:
Observed Start: 01/24/2013 10:37:00.858 PST
Gen. Time: 01/24/2013 10:39:12.659 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
  Info
    68.12.123.77 (10:39:02.277 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 57500->6890 (10:39:02.277 PST)
    139.228.129.95 (10:38:53.492 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->21668 (10:38:53.492 PST)
    208.95.173.194 (10:38:11.878 PST) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 57186->2710 (10:38:11.878 PST)
    81.136.150.113 (10:37:53.393 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->49906 (10:37:53.393 PST)
    91.218.38.132 (10:37:12.074 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 56817->2710 (10:37:12.074 PST)
    83.149.86.133 (10:37:31.432 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 56963->6969 (10:37:31.432 PST)
PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
    69.43.161.167 (10:37:00.858 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 56770->6099 (10:37:00.858 PST)
  DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359052620.858 1359052620.859 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 178.239.54.153, 86.148.47.29, 217.121.181.86, 89.227.248.250, 74.138.208.204, 119.46.206.97, 189.132.95.87
Resource List:
Observed Start: 01/24/2013 12:34:27.456 PST
Gen. Time: 01/24/2013 12:37:30.909 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
  Info
    178.239.54.153 (12:36:51.109 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 50764->3310 (12:36:51.109 PST)
    86.148.47.29 (12:34:27.456 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->12710 (12:34:27.456 PST)
    217.121.181.86 (12:37:14.736 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 50959->18606 (12:37:14.736 PST)
    89.227.248.250 (12:34:37.713 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 50158->6346 (12:34:37.713 PST)
    74.138.208.204 (12:35:27.018 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->58330 (12:35:27.018 PST)
    119.46.206.97 (12:36:13.435 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 50654->16881 (12:36:13.435 PST)
    189.132.95.87 (12:36:28.065 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->18292 (12:36:28.065 PST)
PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
    69.43.161.167 (12:37:30.909 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (12:37:30.909 PST)
  DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359059667.456 1359059667.457 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 89.227.248.250, 217.121.181.86, 141.217.46.17, 87.241.99.41, 178.239.54.153, 189.132.95.87, 119.46.206.97, 86.148.47.29, 74.138.208.204
Resource List:
Observed Start: 01/24/2013 12:34:27.456 PST
Gen. Time: 01/24/2013 12:37:52.119 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
  Info
    89.227.248.250 (12:34:37.713 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 50158->6346 (12:34:37.713 PST)
    217.121.181.86 (12:37:14.736 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 50959->18606 (12:37:14.736 PST)
    141.217.46.17 (12:37:32.624 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->21085 (12:37:32.624 PST)
    87.241.99.41 (12:37:41.473 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 51006->2710 (12:37:41.473 PST)
    178.239.54.153 (12:36:51.109 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 50764->3310 (12:36:51.109 PST)
    189.132.95.87 (12:36:28.065 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->18292 (12:36:28.065 PST)
    119.46.206.97 (12:36:13.435 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 50654->16881 (12:36:13.435 PST)
    86.148.47.29 (12:34:27.456 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->12710 (12:34:27.456 PST)
    74.138.208.204 (12:35:27.018 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->58330 (12:35:27.018 PST)
PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
    69.43.161.167 (12:37:30.909 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (12:37:30.909 PST)
  DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359059667.456 1359059667.457 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 178.239.54.153, 2.216.102.113, 186.134.39.21, 46.141.12.183, 83.149.86.133, 87.241.99.41
Resource List:
Observed Start: 01/24/2013 14:37:12.505 PST
Gen. Time: 01/24/2013 14:39:01.008 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
  Info
    178.239.54.153 (14:37:21.397 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 50585->3310 (14:37:21.397 PST)
    2.216.102.113 (14:38:29.210 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->64050 (14:38:29.210 PST)
    186.134.39.21 (14:37:29.270 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->56583 (14:37:29.270 PST)
    46.141.12.183 (14:38:21.247 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 51019->6890 (14:38:21.247 PST)
    83.149.86.133 (14:38:41.743 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 51094->6969 (14:38:41.743 PST)
    87.241.99.41 (14:37:12.505 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 50504->2710 (14:37:12.505 PST)
PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
    69.43.161.167 (14:39:01.008 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51174->6099 (14:39:01.008 PST)
  DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359067032.505 1359067032.506 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 01/24/2013 16:40:00.766 PST
Gen. Time: 01/24/2013 16:40:00.766 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
  Info
PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
    69.43.161.167 (16:40:00.766 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (16:40:00.766 PST)
  DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359074400.766 1359074400.767 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 178.239.54.153, 208.95.173.194, 24.202.61.116, 189.60.17.149, 66.108.107.178, 82.201.169.1, 85.17.143.16, 202.103.67.135
Resource List:
Observed Start: 01/24/2013 16:40:00.766 PST
Gen. Time: 01/24/2013 16:43:47.147 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
  Info
    178.239.54.153 (16:43:11.172 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 54567->3310 (16:43:11.172 PST)
    208.95.173.194 (16:40:10.967 PST) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 53143->2710 (16:40:10.967 PST)
    24.202.61.116 (16:40:47.247 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->10416 (16:40:47.247 PST)
    189.60.17.149 (16:42:47.216 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->21268 (16:42:47.216 PST)
    66.108.107.178 (16:43:47.147 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->20116 (16:43:47.147 PST)
    82.201.169.1 (16:41:47.155 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->58509 (16:41:47.155 PST)
    85.17.143.16 (16:41:01.358 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 53573->6969 (16:41:01.358 PST)
    202.103.67.135 (16:42:01.101 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 54051->8080 (16:42:01.101 PST)
PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
    69.43.161.167 (16:40:00.766 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (16:40:00.766 PST)
  DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359074400.766 1359074400.767 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 208.95.173.194, 2.216.102.113, 145.99.175.89
Resource List:
Observed Start: 01/24/2013 18:40:50.779 PST
Gen. Time: 01/24/2013 18:41:20.744 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
  Info
    208.95.173.194 (18:40:50.779 PST) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 57657->2710 (18:40:50.779 PST)
    2.216.102.113 (18:40:54.554 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->64050 (18:40:54.554 PST)
    145.99.175.89 (18:41:05.673 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 57926->51413 (18:41:05.673 PST)
PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
    69.43.161.167 (18:41:20.744 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 57993->6099 (18:41:20.744 PST)
  DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359081650.779 1359081650.780 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 208.95.173.194, 2.216.102.113, 123.2.143.155, 119.224.64.52, 202.103.67.135, 24.18.180.246, 206.47.94.75, 145.99.175.89
Resource List:
Observed Start: 01/24/2013 18:40:50.779 PST
Gen. Time: 01/24/2013 18:43:54.443 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
  Info
    208.95.173.194 (18:40:50.779 PST) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 57657->2710 (18:40:50.779 PST)
    2.216.102.113 (18:40:54.554 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->64050 (18:40:54.554 PST)
    123.2.143.155 (18:42:54.043 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->44194 (18:42:54.043 PST)
    119.224.64.52 (18:42:14.513 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 58380->9001 (18:42:14.513 PST)
    202.103.67.135 (18:43:11.369 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 58724->8080 (18:43:11.369 PST)
    24.18.180.246 (18:43:54.443 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->21251 (18:43:54.443 PST)
    206.47.94.75 (18:41:54.012 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->40301 (18:41:54.012 PST)
    145.99.175.89 (18:41:05.673 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 57926->51413 (18:41:05.673 PST)
PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
    69.43.161.167 (18:41:20.744 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 57993->6099 (18:41:20.744 PST)
  DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359081650.779 1359081650.780 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target:
192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 188.138.32.243, 91.218.38.132, 208.95.173.194 (2), 115.84.149.43, 70.81.249.56, 91.224.160.192, 93.144.12.168, 62.31.127.226, 188.190.98.38 Resource List: Observed Start: 01/24/2013 20:39:27.828 PST Gen. Time: 01/24/2013 20:42:10.484 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 188.138.32.243 (20:40:30.873 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 60720->2710 (20:40:30.873 PST) 91.218.38.132 (20:41:52.637 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 61175->2710 (20:41:52.637 PST) 208.95.173.194 (2) (20:41:51.222 PST) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 61169->2710 (20:41:51.222 PST) ------------------------- event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 61169->2710 (20:41:51.222 PST) 115.84.149.43 (20:41:30.849 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->10236 (20:41:30.849 PST) 70.81.249.56 (20:40:29.046 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->53398 (20:40:29.046 PST) 91.224.160.192 (20:39:51.705 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 60366->2710 (20:39:51.705 PST) 93.144.12.168 (20:39:27.828 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->48592 (20:39:27.828 PST) 62.31.127.226 (20:42:09.848 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 61352->6890 (20:42:09.848 PST) 188.190.98.38 (20:40:06.332 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent 
handshake, [] MAC_Src: 00:01:64:FF:CE:EA 60625->2810 (20:40:06.332 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (20:42:10.484 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (20:42:10.484 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1359088767.828 1359088767.829 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 188.138.32.243, 91.218.38.132, 208.95.173.194 (2), 115.84.149.43, 70.81.249.56, 173.11.243.162, 91.224.160.192, 93.144.12.168, 62.31.127.226, 188.190.98.38 Resource List: Observed Start: 01/24/2013 20:39:27.828 PST Gen. Time: 01/24/2013 20:43:29.200 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 188.138.32.243 (20:40:30.873 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 60720->2710 (20:40:30.873 PST) 91.218.38.132 (20:41:52.637 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 61175->2710 (20:41:52.637 PST) 208.95.173.194 (2) (20:41:51.222 PST) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 61169->2710 (20:41:51.222 PST) ------------------------- event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 61169->2710 (20:41:51.222 PST) 115.84.149.43 (20:41:30.849 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->10236 (20:41:30.849 PST) 70.81.249.56 (20:40:29.046 PST) event=1:1100013 {udp} E7[info] P2P 
torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->53398 (20:40:29.046 PST) 173.11.243.162 (20:42:33.677 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51413 (20:42:33.677 PST) 91.224.160.192 (20:39:51.705 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 60366->2710 (20:39:51.705 PST) 93.144.12.168 (20:39:27.828 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->48592 (20:39:27.828 PST) 62.31.127.226 (20:42:09.848 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 61352->6890 (20:42:09.848 PST) 188.190.98.38 (20:40:06.332 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 60625->2810 (20:40:06.332 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (20:42:10.484 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (20:42:10.484 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1359088767.828 1359088767.829 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 94.36.178.9 Resource List: Observed Start: 01/24/2013 22:44:11.286 PST Gen. 
Time: 01/24/2013 22:44:40.492 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 94.36.178.9 (22:44:11.286 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->39329 (22:44:11.286 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (22:44:40.492 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 57501->6099 (22:44:40.492 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1359096251.286 1359096251.287 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 109.201.148.249, 94.36.178.9, 72.17.184.170, 85.17.143.16, 87.3.99.126, 145.99.175.89 (2) Resource List: Observed Start: 01/24/2013 22:44:11.286 PST Gen. 
Time: 01/24/2013 22:46:41.504 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 109.201.148.249 (22:44:40.658 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 57500->2710 (22:44:40.658 PST) 94.36.178.9 (22:44:11.286 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->39329 (22:44:11.286 PST) 72.17.184.170 (22:45:13.415 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->37104 (22:45:13.415 PST) 85.17.143.16 (22:44:40.660 PST) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 57502->6969 (22:44:40.660 PST) 87.3.99.126 (22:46:16.983 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->18472 (22:46:16.983 PST) 145.99.175.89 (2) (22:44:47.941 PST) event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 57528->51413 (22:44:47.941 PST) 57917->51413 (22:45:50.442 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (22:44:40.492 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 57501->6099 (22:44:40.492 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1359096251.286 1359096251.287 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================
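Added example (our code, not BotHunter's): a parser for the profile text above that pulls out the header fields and the per-stage events, rebuilds the tcpslice/tcpdump carve-out line from Observed Start (it assumes the report's PST is UTC-8, under which it reproduces the 1359096251.286 window printed for the last profile), and checks each DECLARE BOT event against the P2P events of the same profile. That check is a triage heuristic of ours, not part of BotHunter's scoring: it reports whether the flagged flow reuses the source port the host uses for its DHT pings (51413 in the UDP profiles above) or whether its ephemeral source port sits between tracker connections opened within a second of it (57500, 57501 and 57502 in the 22:44 PST profile). The two embedded samples are constructed from values on this page, with our own indentation of the stage and event lines.

```python
"""Parse a BotHunter infection profile in the layout shown on this page, rebuild its
tcpslice carve-out and triage the DECLARE BOT evidence.  Added example, not BotHunter code."""
import re
from datetime import datetime, timedelta, timezone

PST = timezone(timedelta(hours=-8))  # assumption: the report's PST is UTC-8

# Constructed sample: values copied from the 22:44 PST profile above, trimmed to
# three peers; the indentation is ours.
SAMPLE = """\
Infected Target: 192.168.1.36
Observed Start: 01/24/2013 22:44:11.286 PST
Gen. Time: 01/24/2013 22:46:41.504 PST
 PEER COORDINATION Info
   109.201.148.249 (22:44:40.658 PST)
     event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 57500->2710 (22:44:40.658 PST)
   94.36.178.9 (22:44:11.286 PST)
     event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->39329 (22:44:11.286 PST)
   85.17.143.16 (22:44:40.660 PST)
     event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 57502->6969 (22:44:40.660 PST)
 DECLARE BOT Non-standard Port
   69.43.161.167 (22:44:40.492 PST)
     event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 57501->6099 (22:44:40.492 PST)
"""
# Second constructed sample, from the 20:39 PST profile: the UDP variant, where
# the flagged flow leaves from the same port as the host's DHT pings.
SAMPLE_UDP = """\
Infected Target: 192.168.1.36
Observed Start: 01/24/2013 20:39:27.828 PST
Gen. Time: 01/24/2013 20:42:10.484 PST
 PEER COORDINATION Info
   93.144.12.168 (20:39:27.828 PST)
     event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->48592 (20:39:27.828 PST)
 DECLARE BOT Non-standard Port
   69.43.161.167 (20:42:10.484 PST)
     event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (20:42:10.484 PST)
"""

FIELD_RE = re.compile(r"^([A-Za-z][\w &.]*?):\s*(.*)$")        # "Gen. Time: ..."
SECTION_RE = re.compile(r"^ ([A-Z][A-Za-z &().-]+)$")           # " DECLARE BOT Non-standard Port"
PEER_RE = re.compile(r"^\s+(?:Info )?(\d{1,3}(?:\.\d{1,3}){3})(?: \(\d+\))? \(")
EVENT_RE = re.compile(r"event=(\d+:\d+)(?: \(\d+\))? \{(tcp|udp)\} (E\d)\[\w+\] "
                      r"(.*?), \[\] MAC_Src: [0-9A-Fa-f:]{17} (.*)$")
FLOW_RE = re.compile(r"(\d+)->(\d+) \((\d\d:\d\d:\d\d\.\d+) PST\)")  # repeats on "(2)" entries


def parse_profile(text):
    """Return {'fields': {name: value}, 'events': [event dicts]} for one profile."""
    fields, events, section, peer = {}, [], "", ""
    for line in text.splitlines():
        if m := SECTION_RE.match(line):      # dialog-model stage header
            section = m.group(1).strip()
        elif m := PEER_RE.match(line):       # remote host the following events name
            peer = m.group(1)
        elif m := EVENT_RE.search(line):
            sid, proto, stage, msg, flows = m.groups()
            for sport, dport, when in FLOW_RE.findall(flows):
                events.append(dict(section=section, ip=peer, sid=sid, proto=proto, stage=stage,
                                   msg=msg, sport=int(sport), dport=int(dport), when=when))
        elif m := FIELD_RE.match(line):
            fields[m.group(1)] = m.group(2).strip()
    return {"fields": fields, "events": events}


def _epoch(stamp):
    """'01/24/2013 22:44:11.286 PST' -> POSIX seconds (PST taken as UTC-8)."""
    return datetime.strptime(stamp[:-4], "%m/%d/%Y %H:%M:%S.%f").replace(tzinfo=PST).timestamp()


def tcpslice_command(profile, whole_window=False, infile="inputFile.tcpd", outfile="outputFile.tcpd"):
    """Rebuild the carve-out line printed under each profile.  The report's window is
    one millisecond from Observed Start, so it carves the first event's packets only;
    whole_window=True slices through Gen. Time and covers every event listed."""
    f = profile["fields"]
    start = _epoch(f["Observed Start"])
    end = _epoch(f["Gen. Time"]) if whole_window else start + 0.001
    return f"tcpslice {start:.3f} {end:.3f} {infile} | tcpdump -r - -w {outfile} 'host {f['Infected Target']}'"


def _secs(hhmmss):
    h, m, s = hhmmss.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def triage(profile, window=1.0, port_slack=2):
    """For each DECLARE BOT event, collect the profile's own P2P flows that reuse its
    source port (UDP DHT traffic) or sit within port_slack ephemeral ports and window
    seconds of it (TCP tracker/peer connections).  Either one suggests the flagged
    flow came out of the same BitTorrent client session, which the score does not show."""
    p2p = [e for e in profile["events"] if e["stage"] == "E7" and e["msg"].startswith("P2P")]
    findings = []
    for ev in profile["events"]:
        if not ev["section"].startswith("DECLARE BOT"):
            continue
        same = [p for p in p2p if p["proto"] == ev["proto"] and p["sport"] == ev["sport"]]
        near = [p for p in p2p if p["proto"] == ev["proto"] and p["sport"] != ev["sport"]
                and abs(p["sport"] - ev["sport"]) <= port_slack
                and abs(_secs(p["when"]) - _secs(ev["when"])) <= window]
        findings.append({"flow": f"{ev['proto']} {ev['sport']}->{ev['ip']}:{ev['dport']}",
                         "sid": ev["sid"],
                         "same_port": sorted(f"{p['ip']}:{p['dport']}" for p in same),
                         "adjacent": sorted(f"{p['ip']}:{p['dport']}" for p in near),
                         "p2p_context": bool(same or near)})
    return findings
```

Feed a saved profile to parse_profile and then to triage; with the report's own window, tcpslice_command gives back the exact line printed under the profile, while whole_window=True extends the slice to Gen. Time, which is what you want in order to carve the whole dialog rather than the first packet. A finding with p2p_context set is not proof that the host is clean: it says the ShadowServer hit on 69.43.161.167:6099 and the BitTorrent traffic came out of the same client, so the carved pcap, not the score, has to settle whether that peer was a tracker or a controller.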