Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 208.95.173.194, 91.224.160.192, 86.176.84.115, 93.50.136.44, 145.99.175.89, 89.122.192.187
Resource List:
Observed Start: 01/25/2013 00:42:48.637 PST
Gen. Time: 01/25/2013 00:45:00.860 PST
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
    208.95.173.194 (00:43:41.003 PST) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 51334->2710 (00:43:41.003 PST)
    91.224.160.192 (00:43:40.992 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 51337->2710 (00:43:40.992 PST)
    86.176.84.115 (00:44:48.366 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->61137 (00:44:48.366 PST)
    93.50.136.44 (00:43:48.726 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->18720 (00:43:48.726 PST)
    145.99.175.89 (00:44:00.748 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 51594->51413 (00:44:00.748 PST)
    89.122.192.187 (00:42:48.637 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->50196 (00:42:48.637 PST)
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
    69.43.161.167 (00:45:00.860 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (00:45:00.860 PST)
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1359103368.637 1359103368.638 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 89.227.248.250, 91.218.38.132, 89.122.192.187, 145.99.175.89, 86.176.84.115, 208.95.173.194, 109.201.148.249, 93.50.136.44, 85.17.143.16, 204.236.122.71, 91.224.160.192 (2), 69.142.88.251
Resource List:
Observed Start: 01/25/2013 00:42:48.637 PST
Gen. Time: 01/25/2013 00:46:49.141 PST
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
    89.227.248.250 (00:45:15.083 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 51950->6346 (00:45:15.083 PST)
    91.218.38.132 (00:45:51.757 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 52220->2710 (00:45:51.757 PST)
    89.122.192.187 (00:42:48.637 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->50196 (00:42:48.637 PST)
    145.99.175.89 (00:44:00.748 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 51594->51413 (00:44:00.748 PST)
    86.176.84.115 (00:44:48.366 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->61137 (00:44:48.366 PST)
    208.95.173.194 (00:43:41.003 PST) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 51334->2710 (00:43:41.003 PST)
    109.201.148.249 (00:45:11.310 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 51912->2710 (00:45:11.310 PST)
    93.50.136.44 (00:43:48.726 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->18720 (00:43:48.726 PST)
    85.17.143.16 (00:45:11.316 PST) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 51911->6969 (00:45:11.316 PST)
    204.236.122.71 (00:45:49.188 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->46921 (00:45:49.188 PST)
    91.224.160.192 (2) (00:43:40.992 PST) event=1:1100016 (2) {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 51337->2710 (00:43:40.992 PST) 52459->2710 (00:46:12.276 PST)
    69.142.88.251 (00:46:49.141 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->10304 (00:46:49.141 PST)
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
    69.43.161.167 (00:45:00.860 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (00:45:00.860 PST)
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1359103368.637 1359103368.638 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 01/25/2013 02:46:40.929 PST
Gen. Time: 01/25/2013 02:46:40.929 PST
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
    69.43.161.167 (02:46:40.929 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 53539->6099 (02:46:40.929 PST)
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1359110800.929 1359110800.930 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 177.96.237.131, 131.178.229.27, 91.224.160.192, 89.227.248.250, 83.149.86.133
Resource List:
Observed Start: 01/25/2013 02:46:40.929 PST
Gen. Time: 01/25/2013 02:49:04.656 PST
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
    177.96.237.131 (02:48:03.040 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51413 (02:48:03.040 PST)
    131.178.229.27 (02:47:03.146 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->60555 (02:47:03.146 PST)
    91.224.160.192 (02:47:01.651 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 53637->2710 (02:47:01.651 PST)
    89.227.248.250 (02:46:44.972 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 53571->6346 (02:46:44.972 PST)
    83.149.86.133 (02:48:31.159 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 54422->6969 (02:48:31.159 PST)
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
    69.43.161.167 (02:46:40.929 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 53539->6099 (02:46:40.929 PST)
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1359110800.929 1359110800.930 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 208.95.173.194 (2), 109.201.148.249, 61.91.88.74, 186.249.6.137, 76.88.152.204, 87.241.99.41, 178.78.92.91, 145.99.175.89
Resource List:
Observed Start: 01/25/2013 04:45:09.366 PST
Gen. Time: 01/25/2013 04:47:20.537 PST
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
    208.95.173.194 (2) (04:45:11.255 PST) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 57904->2710 (04:45:11.255 PST)
      -------------------------
      event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 57904->2710 (04:45:11.255 PST)
    109.201.148.249 (04:46:51.643 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 58497->2710 (04:46:51.643 PST)
    61.91.88.74 (04:45:09.366 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 57853->16882 (04:45:09.366 PST)
    186.249.6.137 (04:47:02.728 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51413 (04:47:02.728 PST)
    76.88.152.204 (04:46:10.459 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 58355->55995 (04:46:10.459 PST)
    87.241.99.41 (04:46:55.028 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 58530->2710 (04:46:55.028 PST)
    178.78.92.91 (04:46:02.128 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->22912 (04:46:02.128 PST)
    145.99.175.89 (04:47:14.048 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 58830->51413 (04:47:14.048 PST)
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
    69.43.161.167 (04:47:20.537 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (04:47:20.537 PST)
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1359117909.366 1359117909.367 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 145.99.175.89 (2), 208.95.173.194 (2), 109.201.148.249, 94.108.109.170, 76.88.152.204, 186.249.6.137, 83.149.86.133, 61.91.88.74, 178.78.92.91, 87.241.99.41, 88.9.194.52
Resource List:
Observed Start: 01/25/2013 04:45:09.366 PST
Gen. Time: 01/25/2013 04:49:02.330 PST
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
    145.99.175.89 (2) (04:47:14.048 PST) event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 58830->51413 (04:47:14.048 PST) 59317->51413 (04:48:16.554 PST)
    208.95.173.194 (2) (04:45:11.255 PST) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 57904->2710 (04:45:11.255 PST)
      -------------------------
      event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 57904->2710 (04:45:11.255 PST)
    109.201.148.249 (04:46:51.643 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 58497->2710 (04:46:51.643 PST)
    94.108.109.170 (04:48:02.874 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->43964 (04:48:02.874 PST)
    76.88.152.204 (04:46:10.459 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 58355->55995 (04:46:10.459 PST)
    186.249.6.137 (04:47:02.728 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51413 (04:47:02.728 PST)
    83.149.86.133 (04:49:01.158 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 59614->6969 (04:49:01.158 PST)
    61.91.88.74 (04:45:09.366 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 57853->16882 (04:45:09.366 PST)
    178.78.92.91 (04:46:02.128 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->22912 (04:46:02.128 PST)
    87.241.99.41 (04:46:55.028 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 58530->2710 (04:46:55.028 PST)
    88.9.194.52 (04:49:02.330 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->13030 (04:49:02.330 PST)
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
    69.43.161.167 (04:47:20.537 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (04:47:20.537 PST)
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1359117909.366 1359117909.367 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 93.50.57.31, 208.95.173.194 (2), 178.239.54.160, 188.138.32.243, 89.227.248.250, 41.143.230.27, 86.176.84.115, 89.242.73.5
Resource List:
Observed Start: 01/25/2013 06:45:46.242 PST
Gen. Time: 01/25/2013 06:49:21.002 PST
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
    93.50.57.31 (06:47:58.747 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->22580 (06:47:58.747 PST)
    208.95.173.194 (2) (06:45:51.188 PST) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 52658->2710 (06:45:51.188 PST)
      -------------------------
      event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 52658->2710 (06:45:51.188 PST)
    178.239.54.160 (06:48:31.402 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 54175->3310 (06:48:31.402 PST)
    188.138.32.243 (06:46:51.036 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 53197->2710 (06:46:51.036 PST)
    89.227.248.250 (06:45:46.242 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 52599->6346 (06:45:46.242 PST)
    41.143.230.27 (06:49:00.114 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->46654 (06:49:00.114 PST)
    86.176.84.115 (06:46:58.430 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->61137 (06:46:58.430 PST)
    89.242.73.5 (06:45:56.924 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->60864 (06:45:56.924 PST)
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
    69.43.161.167 (06:49:21.002 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 54622->6099 (06:49:21.002 PST)
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1359125146.242 1359125146.243 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 188.138.32.243, 89.227.248.250, 93.50.57.31, 86.176.84.115, 114.47.207.11, 208.95.173.194 (2), 83.149.86.133, 178.239.54.160, 89.242.73.5, 41.143.230.27
Resource List:
Observed Start: 01/25/2013 06:45:46.242 PST
Gen. Time: 01/25/2013 06:50:02.672 PST
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
    188.138.32.243 (06:46:51.036 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 53197->2710 (06:46:51.036 PST)
    89.227.248.250 (06:45:46.242 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 52599->6346 (06:45:46.242 PST)
    93.50.57.31 (06:47:58.747 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->22580 (06:47:58.747 PST)
    86.176.84.115 (06:46:58.430 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->61137 (06:46:58.430 PST)
    114.47.207.11 (06:50:02.672 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->49814 (06:50:02.672 PST)
    208.95.173.194 (2) (06:45:51.188 PST) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 52658->2710 (06:45:51.188 PST)
      -------------------------
      event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 52658->2710 (06:45:51.188 PST)
    83.149.86.133 (06:49:31.160 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 54647->6969 (06:49:31.160 PST)
    178.239.54.160 (06:48:31.402 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 54175->3310 (06:48:31.402 PST)
    89.242.73.5 (06:45:56.924 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->60864 (06:45:56.924 PST)
    41.143.230.27 (06:49:00.114 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->46654 (06:49:00.114 PST)
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
    69.43.161.167 (06:49:21.002 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 54622->6099 (06:49:21.002 PST)
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1359125146.242 1359125146.243 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 178.239.54.160, 186.134.39.21, 79.147.86.34, 145.99.175.89
Resource List:
Observed Start: 01/25/2013 08:48:17.261 PST
Gen. Time: 01/25/2013 08:49:40.346 PST
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
    178.239.54.160 (08:49:12.388 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 53584->3310 (08:49:12.388 PST)
    186.134.39.21 (08:48:17.261 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->56583 (08:48:17.261 PST)
    79.147.86.34 (08:49:17.039 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->29121 (08:49:17.039 PST)
    145.99.175.89 (08:48:24.374 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 53244->51413 (08:48:24.374 PST)
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
    69.43.161.167 (08:49:40.346 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (08:49:40.346 PST)
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1359132497.261 1359132497.262 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 208.95.173.194, 178.239.54.160, 176.251.140.245, 186.134.39.21, 79.147.86.34, 145.99.175.89
Resource List:
Observed Start: 01/25/2013 08:48:17.261 PST
Gen. Time: 01/25/2013 08:50:51.050 PST
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
    208.95.173.194 (08:50:00.753 PST) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 54118->2710 (08:50:00.753 PST)
    178.239.54.160 (08:49:12.388 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 53584->3310 (08:49:12.388 PST)
    176.251.140.245 (08:50:18.173 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->53982 (08:50:18.173 PST)
    186.134.39.21 (08:48:17.261 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->56583 (08:48:17.261 PST)
    79.147.86.34 (08:49:17.039 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->29121 (08:49:17.039 PST)
    145.99.175.89 (08:48:24.374 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 53244->51413 (08:48:24.374 PST)
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
    69.43.161.167 (08:49:40.346 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (08:49:40.346 PST)
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1359132497.261 1359132497.262 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 110.175.201.97, 91.218.38.132, 79.11.103.79, 188.190.98.38, 41.224.159.148, 83.149.86.133
Resource List:
Observed Start: 01/25/2013 10:47:57.405 PST
Gen. Time: 01/25/2013 10:51:01.202 PST
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
    110.175.201.97 (10:49:00.664 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->61146 (10:49:00.664 PST)
    91.218.38.132 (10:49:33.439 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 61865->2710 (10:49:33.439 PST)
    79.11.103.79 (10:47:57.405 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->45682 (10:47:57.405 PST)
    188.190.98.38 (10:50:48.216 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 62451->2810 (10:50:48.216 PST)
    41.224.159.148 (10:50:01.233 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->50153 (10:50:01.233 PST)
    83.149.86.133 (10:50:20.801 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 62143->6969 (10:50:20.801 PST)
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
    69.43.161.167 (10:51:01.202 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 62602->6099 (10:51:01.202 PST)
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1359139677.405 1359139677.406 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 110.175.201.97, 91.218.38.132, 79.11.103.79, 188.190.98.38, 41.234.131.109, 41.224.159.148, 208.83.20.164, 83.149.86.133
Resource List:
Observed Start: 01/25/2013 10:47:57.405 PST
Gen. Time: 01/25/2013 10:51:58.599 PST
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
    110.175.201.97 (10:49:00.664 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->61146 (10:49:00.664 PST)
    91.218.38.132 (10:49:33.439 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 61865->2710 (10:49:33.439 PST)
    79.11.103.79 (10:47:57.405 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->45682 (10:47:57.405 PST)
    188.190.98.38 (10:50:48.216 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 62451->2810 (10:50:48.216 PST)
    41.234.131.109 (10:51:05.074 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->28068 (10:51:05.074 PST)
    41.224.159.148 (10:50:01.233 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->50153 (10:50:01.233 PST)
    208.83.20.164 (10:51:21.291 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 62645->80 (10:51:21.291 PST)
    83.149.86.133 (10:50:20.801 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 62143->6969 (10:50:20.801 PST)
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
    69.43.161.167 (10:51:01.202 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 62602->6099 (10:51:01.202 PST)
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1359139677.405 1359139677.406 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 190.95.36.71, 208.95.173.194 (3), 89.227.248.250, 24.118.247.122, 195.241.153.201, 83.149.86.133, 87.241.99.41
Resource List:
Observed Start: 01/25/2013 12:48:20.508 PST
Gen. Time: 01/25/2013 12:51:30.298 PST
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
    190.95.36.71 (12:51:08.626 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->47999 (12:51:08.626 PST)
    208.95.173.194 (3) (12:48:20.508 PST) event=1:1100010 (2) {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 49855->2710 (12:48:20.508 PST) 50964->2710 (12:50:41.210 PST)
      -------------------------
      event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 49855->2710 (12:48:20.508 PST)
    89.227.248.250 (12:50:18.620 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 50725->6346 (12:50:18.620 PST)
    24.118.247.122 (12:49:07.474 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->32907 (12:49:07.474 PST)
    195.241.153.201 (12:50:07.916 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->34536 (12:50:07.916 PST)
    83.149.86.133 (12:50:41.188 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 50965->6969 (12:50:41.188 PST)
    87.241.99.41 (12:50:02.837 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 50519->2710 (12:50:02.837 PST)
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
    69.43.161.167 (12:51:30.298 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (12:51:30.298 PST)
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1359146900.508 1359146900.509 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 61.91.88.72, 107.203.132.242
Resource List:
Observed Start: 01/25/2013 14:52:50.318 PST
Gen. Time: 01/25/2013 14:53:41.012 PST
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
    61.91.88.72 (14:53:17.061 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 61808->16881 (14:53:17.061 PST)
    107.203.132.242 (14:52:50.318 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->23470 (14:52:50.318 PST)
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
    69.43.161.167 (14:53:41.012 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 61976->6099 (14:53:41.012 PST)
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1359154370.318 1359154370.319 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 208.95.173.194, 91.218.38.132, 2.84.22.80, 24.118.247.122, 177.32.91.198, 61.91.88.72, 107.203.132.242, 208.83.20.164
Resource List:
Observed Start: 01/25/2013 14:52:50.318 PST
Gen. Time: 01/25/2013 14:55:54.437 PST
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
    208.95.173.194 (14:55:12.184 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 62580->2710 (14:55:12.184 PST)
    91.218.38.132 (14:53:41.214 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 61977->2710 (14:53:41.214 PST)
    2.84.22.80 (14:55:54.437 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->58992 (14:55:54.437 PST)
    24.118.247.122 (14:54:54.414 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->32907 (14:54:54.414 PST)
    177.32.91.198 (14:53:50.160 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->10506 (14:53:50.160 PST)
    61.91.88.72 (14:53:17.061 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 61808->16881 (14:53:17.061 PST)
    107.203.132.242 (14:52:50.318 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->23470 (14:52:50.318 PST)
    208.83.20.164 (14:53:41.082 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 61974->80 (14:53:41.082 PST)
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
    69.43.161.167 (14:53:41.012 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 61976->6099 (14:53:41.012 PST)
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1359154370.318 1359154370.319 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 78.251.217.230, 69.142.88.251, 91.224.160.192, 151.40.121.161, 173.11.243.162, 202.103.67.135, 212.59.28.49, 145.99.175.89
Resource List:
Observed Start: 01/25/2013 16:51:11.709 PST
Gen. Time: 01/25/2013 16:54:10.090 PST
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
    78.251.217.230 (16:52:03.226 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 62401->6891 (16:52:03.226 PST)
    69.142.88.251 (16:53:43.217 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->10304 (16:53:43.217 PST)
    91.224.160.192 (16:51:11.709 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 62131->2710 (16:51:11.709 PST)
    151.40.121.161 (16:51:43.078 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->47545 (16:51:43.078 PST)
    173.11.243.162 (16:52:43.116 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51413 (16:52:43.116 PST)
    202.103.67.135 (16:53:00.509 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 62752->8080 (16:53:00.509 PST)
    212.59.28.49 (16:53:50.970 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 63030->2710 (16:53:50.970 PST)
    145.99.175.89 (16:53:05.699 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 62824->51413 (16:53:05.699 PST)
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
    69.43.161.167 (16:54:10.090 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (16:54:10.090 PST)
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1359161471.709 1359161471.710 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 81.84.9.130, 145.99.175.89, 202.103.67.135, 151.40.121.161, 212.59.28.49, 78.251.217.230, 173.11.243.162, 91.224.160.192, 69.142.88.251, 2.230.52.152
Resource List:
Observed Start: 01/25/2013 16:51:11.709 PST
Gen. Time: 01/25/2013 16:54:45.907 PST
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
    81.84.9.130 (16:54:44.074 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->40092 (16:54:44.074 PST)
    145.99.175.89 (16:53:05.699 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 62824->51413 (16:53:05.699 PST)
    202.103.67.135 (16:53:00.509 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 62752->8080 (16:53:00.509 PST)
    151.40.121.161 (16:51:43.078 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->47545 (16:51:43.078 PST)
    212.59.28.49 (16:53:50.970 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 63030->2710 (16:53:50.970 PST)
    78.251.217.230 (16:52:03.226 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 62401->6891 (16:52:03.226 PST)
    173.11.243.162 (16:52:43.116 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51413 (16:52:43.116 PST)
    91.224.160.192 (16:51:11.709 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src:
00:01:64:FF:CE:EA 62131->2710 (16:51:11.709 PST) 69.142.88.251 (16:53:43.217 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->10304 (16:53:43.217 PST) 2.230.52.152 (16:54:12.846 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 63317->51413 (16:54:12.846 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (16:54:10.090 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (16:54:10.090 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1359161471.709 1359161471.710 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 188.138.32.243, 37.6.26.117, 208.95.173.194, 212.59.28.49 (2), 83.149.86.133, 82.3.137.27, 87.241.99.41, 98.116.194.52, 190.192.18.152, 72.27.67.183, 91.177.15.88 Resource List: Observed Start: 01/25/2013 18:51:26.186 PST Gen. 
Time: 01/25/2013 18:55:21.742 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 188.138.32.243 (18:52:53.849 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 63161->2710 (18:52:53.849 PST) 37.6.26.117 (18:55:01.575 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->15275 (18:55:01.575 PST) 208.95.173.194 (18:51:26.186 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 62581->2710 (18:51:26.186 PST) 212.59.28.49 (2) (18:53:41.211 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 63496->2710 (18:53:41.211 PST) ------------------------- event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 63756->2710 (18:54:01.154 PST) 83.149.86.133 (18:52:41.526 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 63027->6969 (18:52:41.526 PST) 82.3.137.27 (18:54:17.559 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 63845->51413 (18:54:17.559 PST) 87.241.99.41 (18:55:03.546 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 64195->2710 (18:55:03.546 PST) 98.116.194.52 (18:52:56.881 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 63215->53227 (18:52:56.881 PST) 190.192.18.152 (18:54:01.065 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->55366 (18:54:01.065 PST) 72.27.67.183 (18:53:01.077 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->48524 (18:53:01.077 PST) 91.177.15.88 (18:52:01.513 PST) 
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6881 (18:52:01.513 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (18:55:21.742 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 64262->6099 (18:55:21.742 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1359168686.186 1359168686.187 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 188.138.32.243, 37.6.26.117, 208.83.20.164, 208.95.173.194, 212.59.28.49 (2), 83.149.86.133, 82.3.137.27, 87.241.99.41, 98.116.194.52, 190.192.18.152, 72.27.67.183, 91.177.15.88 Resource List: Observed Start: 01/25/2013 18:51:26.186 PST Gen. Time: 01/25/2013 18:55:39.435 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 188.138.32.243 (18:52:53.849 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 63161->2710 (18:52:53.849 PST) 37.6.26.117 (18:55:01.575 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->15275 (18:55:01.575 PST) 208.83.20.164 (18:55:21.811 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 64260->80 (18:55:21.811 PST) 208.95.173.194 (18:51:26.186 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 62581->2710 (18:51:26.186 PST) 212.59.28.49 (2) (18:53:41.211 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 63496->2710 (18:53:41.211 
PST) ------------------------- event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 63756->2710 (18:54:01.154 PST) 83.149.86.133 (18:52:41.526 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 63027->6969 (18:52:41.526 PST) 82.3.137.27 (18:54:17.559 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 63845->51413 (18:54:17.559 PST) 87.241.99.41 (18:55:03.546 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 64195->2710 (18:55:03.546 PST) 98.116.194.52 (18:52:56.881 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 63215->53227 (18:52:56.881 PST) 190.192.18.152 (18:54:01.065 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->55366 (18:54:01.065 PST) 72.27.67.183 (18:53:01.077 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->48524 (18:53:01.077 PST) 91.177.15.88 (18:52:01.513 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6881 (18:52:01.513 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (18:55:21.742 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 64262->6099 (18:55:21.742 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1359168686.186 1359168686.187 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 78.251.217.230, 126.31.175.99, 202.103.67.135, 31.192.104.68, 83.149.86.133 Resource List: Observed Start: 01/25/2013 20:53:51.309 PST Gen. 
Time: 01/25/2013 20:56:00.791 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 78.251.217.230 (20:54:53.190 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 61436->6891 (20:54:53.190 PST) 126.31.175.99 (20:55:50.147 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->59198 (20:55:50.147 PST) 202.103.67.135 (20:54:51.750 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [%82%AAW%F2%08E%8AW%16%03%01%0C] MAC_Src: 00:01:64:FF:CE:EA 61399->8080 (20:54:51.750 PST) 31.192.104.68 (20:54:50.302 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->37010 (20:54:50.302 PST) 83.149.86.133 (20:53:51.309 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 60960->6969 (20:53:51.309 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (20:56:00.791 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (20:56:00.791 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1359176031.309 1359176031.310 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 78.251.217.230, 41.233.101.60, 126.31.175.99, 151.49.181.200, 202.103.67.135, 31.192.104.68, 208.83.20.164 (2), 83.149.86.133 Resource List: Observed Start: 01/25/2013 20:53:51.309 PST Gen. 
Time: 01/25/2013 20:57:50.335 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 78.251.217.230 (20:54:53.190 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 61436->6891 (20:54:53.190 PST) 41.233.101.60 (20:56:50.261 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->29733 (20:56:50.261 PST) 126.31.175.99 (20:55:50.147 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->59198 (20:55:50.147 PST) 151.49.181.200 (20:57:50.335 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51015 (20:57:50.335 PST) 202.103.67.135 (20:54:51.750 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [%82%AAW%F2%08E%8AW%16%03%01%0C] MAC_Src: 00:01:64:FF:CE:EA 61399->8080 (20:54:51.750 PST) 31.192.104.68 (20:54:50.302 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->37010 (20:54:50.302 PST) 208.83.20.164 (2) (20:56:11.105 PST) event=1:1100016 (2) {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 62001->80 (20:56:11.105 PST) 62534->6969 (20:57:41.078 PST) 83.149.86.133 (20:53:51.309 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 60960->6969 (20:53:51.309 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (20:56:00.791 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (20:56:00.791 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1359176031.309 1359176031.310 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== 
SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 208.83.20.164 Resource List: Observed Start: 01/25/2013 22:56:50.810 PST Gen. Time: 01/25/2013 22:57:30.796 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 208.83.20.164 (22:56:50.810 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [%CF%B7%9D%EB%8D%05%C4%1AF%BB%199%F7%05%01e>%0C%E1%AAN%95] MAC_Src: 00:01:64:FF:CE:EA 59193->80 (22:56:50.810 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (22:57:30.796 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 59534->6099 (22:57:30.796 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1359183410.810 1359183410.811 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================
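Added example (not BotHunter output or code): a small Python parser for the profile records above, written to pull out what an analyst needs before acting on a DECLARE BOT verdict: the score, the infected target, the Peer Coord. list, every E7/E8 event with its ports and time, and the single E8 event that tipped the score. In every record on this page the E7 evidence consists of BitTorrent tracker, handshake and DHT signatures, and the only E8 evidence is the ShadowServer list match for 69.43.161.167:6099. The UDP hits leave from local port 51413, the same port the DHT pings use, and the TCP hits use ephemeral ports numbered next to, and within a fraction of a second of, tracker requests (61976 between 61974 and 61977 in the 14:5x record, 64262 beside 64260 in the 18:5x record). p2p_flows_near_hit() surfaces exactly that neighbourhood so the analyst can judge whether the flagged flow is the torrent client's own traffic rather than C&C; tcpslice_cmd() rewrites the report's capture command to cover Observed Start through Gen. Time instead of the first millisecond. Assumptions: the stamps are PST (UTC-8); the sample input is the 16:51 record from this page trimmed to two E7 lines plus an excerpt of the 14:5x record whose header lines are constructed (its Observed Start is taken from the tcpslice epoch in that record); function and constant names are mine, not BotHunter's.

```python
# Parser for BotHunter bot-profile reports (added example; not BotHunter's own code).
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

PST = timezone(timedelta(hours=-8))   # assumption: report stamps are PST, i.e. UTC-8
TS_FMT = "%m/%d/%Y %H:%M:%S.%f"


@dataclass
class Event:
    peer: str      # remote host of the flow
    sid: str       # Snort signature id: 1100013 = DHT ping, 99300xx = ShadowServer list hit
    proto: str
    stage: str     # BotHunter dialog stage: E7 = peer coordination, E8 = declare bot
    msg: str
    sport: int
    dport: int
    ts: datetime


@dataclass
class Profile:
    score: float
    target: str
    peers: list
    observed_start: datetime
    gen_time: datetime
    events: list


HEADER_RE = re.compile(
    r"Score: (?P<score>[\d.]+).*?Infected Target: (?P<target>\S+).*?"
    r"Peer Coord\. List:(?P<peers>.*?)Resource List:.*?"
    r"Observed Start: (?P<start>\S+ \S+) PST.*?Gen\.\s*Time: (?P<gen>\S+ \S+) PST", re.S)
# Body = "<ip> [(n)] (<time> PST)" peer headers followed by event lines; one event line
# may carry several "sport->dport (time PST)" flows (the "(2)" entries on this page).
TOKEN_RE = re.compile(
    r"(?P<peer>\b\d{1,3}(?:\.\d{1,3}){3})(?: \(\d+\))? \(\d\d:\d\d:\d\d\.\d+ PST\)"
    r"|event=1:(?P<sid>\d+)(?: \(\d+\))? \{(?P<proto>tcp|udp)\} (?P<stage>E\d)\[\w+\] "
    r"(?P<msg>[^\n]*?), \[[^\]\n]*\] MAC_Src: [0-9A-Fa-f:]+ "
    r"(?P<flows>(?:\d+->\d+ \(\d\d:\d\d:\d\d\.\d+ PST\)\s*)+)")
FLOW_RE = re.compile(r"(\d+)->(\d+) \((\d\d:\d\d:\d\d\.\d+) PST\)")

# Sample input: the 16:51 report from the page (two E7 lines kept) and an excerpt of the
# 14:5x report with a constructed header (Observed Start = that report's tcpslice epoch).
SAMPLE = """\
Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Peer Coord. List: 78.251.217.230, 69.142.88.251 Resource List:
Observed Start: 01/25/2013 16:51:11.709 PST Gen. Time: 01/25/2013 16:54:10.090 PST
Info 78.251.217.230 (16:52:03.226 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 62401->6891 (16:52:03.226 PST)
69.142.88.251 (16:53:43.217 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->10304 (16:53:43.217 PST)
69.43.161.167 (16:54:10.090 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (16:54:10.090 PST)
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Peer Coord. List: 208.83.20.164, 91.218.38.132 Resource List:
Observed Start: 01/25/2013 14:52:50.318 PST Gen. Time: 01/25/2013 14:55:54.437 PST
208.83.20.164 (14:53:41.082 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 61974->80 (14:53:41.082 PST)
91.218.38.132 (14:53:41.214 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 61977->2710 (14:53:41.214 PST)
69.43.161.167 (14:53:41.012 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 61976->6099 (14:53:41.012 PST)
"""


def parse_profiles(text: str) -> list:
    """Split a report dump on SEPARATOR lines and parse every profile in it."""
    profiles = []
    for chunk in re.split(r"=+ SEPARATOR =+", text):
        h = HEADER_RE.search(chunk)
        if h is None:
            continue
        start = datetime.strptime(h["start"], TS_FMT).replace(tzinfo=PST)
        gen = datetime.strptime(h["gen"], TS_FMT).replace(tzinfo=PST)
        peers = [x.split()[0] for x in h["peers"].split(",") if x.strip()]  # drop "(n)" counts
        events, peer = [], None
        for m in TOKEN_RE.finditer(chunk):
            if m["peer"]:
                peer = m["peer"]
                continue
            for sport, dport, hms in FLOW_RE.findall(m["flows"]):
                ts = datetime.strptime(f"{start:%m/%d/%Y} {hms}", TS_FMT).replace(tzinfo=PST)
                events.append(Event(peer, m["sid"], m["proto"], m["stage"], m["msg"],
                                    int(sport), int(dport), ts))
        profiles.append(Profile(float(h["score"]), h["target"], peers, start, gen, events))
    return profiles


def declaring_hit(p: Profile):
    return next((e for e in p.events if e.stage == "E8"), None)  # the event that declared the bot


def p2p_flows_near_hit(p: Profile, port_slack: int = 3, seconds: float = 1.0) -> list:
    """E7 flows bound to the hit's local port (51413 = DHT port here) or, for ephemeral TCP
    ports, numbered within port_slack of it and seen within `seconds` of it."""
    hit = declaring_hit(p)
    near = []
    for e in p.events:
        if hit is None or e.stage != "E7" or e.proto != hit.proto:
            continue
        adjacent = (abs(e.sport - hit.sport) <= port_slack
                    and abs((e.ts - hit.ts).total_seconds()) <= seconds)
        if e.sport == hit.sport or adjacent:
            near.append(e)
    return near


def tcpslice_cmd(p: Profile, pcap: str = "inputFile.tcpd", out: str = "outputFile.tcpd") -> str:
    """Capture command for the whole dialog; the report's own line stops 1 ms after Observed Start."""
    return (f"tcpslice {p.observed_start.timestamp():.3f} {p.gen_time.timestamp():.3f} "
            f"{pcap} | tcpdump -r - -w {out} 'host {p.target}'")
```

The block runs unchanged on the full dump above: each SEPARATOR-delimited record becomes one Profile, and the repeated snapshots of one dialog (same Observed Start, later Gen. Time, longer peer list) appear as consecutive profiles. A non-empty result from p2p_flows_near_hit() does not clear the host; it means the flagged connection is interleaved with the client's ordinary tracker and DHT traffic, which is the thing to confirm in the sliced capture before treating 69.43.161.167:6099 as C&C.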