Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 208.95.173.194 (2), 201.75.188.132, 178.207.16.88, 208.83.20.164
Resource List:
Observed Start: 01/26/2013 00:57:19.462 PST
Gen. Time: 01/26/2013 00:57:50.587 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
      Info 208.95.173.194 (2) (00:57:31.177 PST)
         event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA
         58139->2710 (00:57:31.179 PST)
         -------------------------
         event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
         58136->2710 (00:57:31.177 PST)
      201.75.188.132 (00:57:46.915 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->43308 (00:57:46.915 PST)
      178.207.16.88 (00:57:19.462 PST)
         event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
         58046->16881 (00:57:19.462 PST)
      208.83.20.164 (00:57:31.072 PST)
         event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
         58134->6969 (00:57:31.072 PST)
   PEER COORDINATION
   DECLARE BOT
   Standard Port
   DECLARE BOT
   Non-standard Port
      69.43.161.167 (00:57:50.587 PST)
         event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->6099 (00:57:50.587 PST)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1359190639.462 1359190639.463 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 208.83.20.164 (3), 201.75.188.132, 208.95.173.194 (2), 78.251.217.230, 97.86.227.86, 178.207.16.88, 94.242.221.123, 92.19.110.8, 190.192.18.152
Resource List:
Observed Start: 01/26/2013 00:57:19.462 PST
Gen. Time: 01/26/2013 01:01:23.979 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
      Info 208.83.20.164 (3) (00:57:31.072 PST)
         event=1:1100016 (3) {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
         58134->6969 (00:57:31.072 PST)
         58620->6969 (00:58:32.120 PST)
         59111->80 (00:59:51.084 PST)
      201.75.188.132 (00:57:46.915 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->43308 (00:57:46.915 PST)
      208.95.173.194 (2) (00:57:31.177 PST)
         event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA
         58139->2710 (00:57:31.179 PST)
         -------------------------
         event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
         58136->2710 (00:57:31.177 PST)
      78.251.217.230 (01:01:23.979 PST)
         event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
         59906->6891 (01:01:23.979 PST)
      97.86.227.86 (01:00:46.204 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->48937 (01:00:46.204 PST)
      178.207.16.88 (00:57:19.462 PST)
         event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
         58046->16881 (00:57:19.462 PST)
      94.242.221.123 (01:01:11.175 PST)
         event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
         59677->80 (01:01:11.175 PST)
      92.19.110.8 (00:59:46.008 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->16358 (00:59:46.008 PST)
      190.192.18.152 (00:58:46.949 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->55366 (00:58:46.949 PST)
   PEER COORDINATION
   DECLARE BOT
   Standard Port
   DECLARE BOT
   Non-standard Port
      69.43.161.167 (00:57:50.587 PST)
         event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->6099 (00:57:50.587 PST)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1359190639.462 1359190639.463 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 41.143.94.48, 91.224.160.192, 91.202.73.55, 145.99.175.89
Resource List:
Observed Start: 01/26/2013 02:57:44.602 PST
Gen. Time: 01/26/2013 02:59:11.002 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
      Info 41.143.94.48 (02:58:28.162 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->63529 (02:58:28.162 PST)
      91.224.160.192 (02:57:44.602 PST)
         event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
         62790->2710 (02:57:44.602 PST)
      91.202.73.55 (02:59:00.806 PST)
         event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [/index.php/Special:WhatLinksHere/Projects_related_to_PVS] MAC_Src: 00:01:64:FF:CE:EA
         63388->80 (02:59:00.806 PST)
      145.99.175.89 (02:58:19.593 PST)
         event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
         63077->51413 (02:58:19.593 PST)
   PEER COORDINATION
   DECLARE BOT
   Standard Port
   DECLARE BOT
   Non-standard Port
      69.43.161.167 (02:59:11.002 PST)
         event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
         63508->6099 (02:59:11.002 PST)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1359197864.602 1359197864.603 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 41.143.94.48, 24.50.196.96, 58.35.166.38, 91.224.160.192, 208.83.20.164, 2.192.224.184, 91.202.73.55, 145.99.175.89 (2)
Resource List:
Observed Start: 01/26/2013 02:57:44.602 PST
Gen. Time: 01/26/2013 03:01:31.449 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
      Info 41.143.94.48 (02:58:28.162 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->63529 (02:58:28.162 PST)
      24.50.196.96 (03:01:31.449 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->26839 (03:01:31.449 PST)
      58.35.166.38 (03:00:31.963 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->56795 (03:00:31.963 PST)
      91.224.160.192 (02:57:44.602 PST)
         event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
         62790->2710 (02:57:44.602 PST)
      208.83.20.164 (03:00:40.799 PST)
         event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
         64398->80 (03:00:40.799 PST)
      2.192.224.184 (02:59:30.241 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->60453 (02:59:30.241 PST)
      91.202.73.55 (02:59:00.806 PST)
         event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [/index.php/Special:WhatLinksHere/Projects_related_to_PVS] MAC_Src: 00:01:64:FF:CE:EA
         63388->80 (02:59:00.806 PST)
      145.99.175.89 (2) (02:58:19.593 PST)
         event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
         63077->51413 (02:58:19.593 PST)
         63799->51413 (02:59:33.105 PST)
   PEER COORDINATION
   DECLARE BOT
   Standard Port
   DECLARE BOT
   Non-standard Port
      69.43.161.167 (02:59:11.002 PST)
         event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
         63508->6099 (02:59:11.002 PST)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1359197864.602 1359197864.603 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 24.18.180.246
Resource List:
Observed Start: 01/26/2013 04:59:50.206 PST
Gen. Time: 01/26/2013 05:00:10.214 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
      Info 24.18.180.246 (04:59:50.206 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->21251 (04:59:50.206 PST)
   PEER COORDINATION
   DECLARE BOT
   Standard Port
   DECLARE BOT
   Non-standard Port
      69.43.161.167 (05:00:10.214 PST)
         event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->6099 (05:00:10.214 PST)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1359205190.206 1359205190.207 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 78.239.49.2, 79.41.237.20, 77.31.149.246, 91.224.160.192, 79.97.134.77, 24.18.180.246, 145.99.175.89, 91.202.73.55
Resource List:
Observed Start: 01/26/2013 04:59:50.206 PST
Gen. Time: 01/26/2013 05:03:50.047 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
      Info 78.239.49.2 (05:01:50.563 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->31256 (05:01:50.563 PST)
      79.41.237.20 (05:00:50.082 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->51413 (05:00:50.082 PST)
      77.31.149.246 (05:03:50.047 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->37642 (05:03:50.047 PST)
      91.224.160.192 (05:03:01.172 PST)
         event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
         58251->2710 (05:03:01.172 PST)
      79.97.134.77 (05:02:50.508 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->55813 (05:02:50.508 PST)
      24.18.180.246 (04:59:50.206 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->21251 (04:59:50.206 PST)
      145.99.175.89 (05:02:23.611 PST)
         event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
         57992->51413 (05:02:23.611 PST)
      91.202.73.55 (05:00:10.663 PST)
         event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
         56883->80 (05:00:10.663 PST)
   PEER COORDINATION
   DECLARE BOT
   Standard Port
   DECLARE BOT
   Non-standard Port
      69.43.161.167 (05:00:10.214 PST)
         event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->6099 (05:00:10.214 PST)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1359205190.206 1359205190.207 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 125.128.156.151, 91.218.38.132, 88.140.211.99, 91.202.73.55, 145.99.175.89
Resource List:
Observed Start: 01/26/2013 07:00:20.591 PST
Gen. Time: 01/26/2013 07:01:40.919 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
      Info 125.128.156.151 (07:01:27.705 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->35885 (07:01:27.705 PST)
      91.218.38.132 (07:00:20.591 PST)
         event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
         59468->2710 (07:00:20.591 PST)
      88.140.211.99 (07:00:27.671 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->40718 (07:00:27.671 PST)
      91.202.73.55 (07:00:40.995 PST)
         event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
         59624->80 (07:00:40.995 PST)
      145.99.175.89 (07:00:28.534 PST)
         event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
         59572->51413 (07:00:28.534 PST)
   PEER COORDINATION
   DECLARE BOT
   Standard Port
   DECLARE BOT
   Non-standard Port
      69.43.161.167 (07:01:40.919 PST)
         event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
         60027->6099 (07:01:40.919 PST)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1359212420.591 1359212420.592 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 188.138.32.243, 89.227.248.250, 91.218.38.132, 145.99.175.89, 91.202.73.55, 88.140.211.99, 94.71.196.211, 91.224.160.192, 89.71.37.43, 78.12.85.243, 82.170.252.104, 125.128.156.151
Resource List:
Observed Start: 01/26/2013 07:00:20.591 PST
Gen. Time: 01/26/2013 07:04:27.590 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
      Info 188.138.32.243 (07:01:41.083 PST)
         event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
         60028->2710 (07:01:41.083 PST)
      89.227.248.250 (07:03:11.891 PST)
         event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
         60679->6346 (07:03:11.891 PST)
      91.218.38.132 (07:00:20.591 PST)
         event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
         59468->2710 (07:00:20.591 PST)
      145.99.175.89 (07:00:28.534 PST)
         event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
         59572->51413 (07:00:28.534 PST)
      91.202.73.55 (07:00:40.995 PST)
         event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
         59624->80 (07:00:40.995 PST)
      88.140.211.99 (07:00:27.671 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->40718 (07:00:27.671 PST)
      94.71.196.211 (07:04:27.590 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->51413 (07:04:27.590 PST)
      91.224.160.192 (07:03:33.081 PST)
         event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
         60891->2710 (07:03:33.081 PST)
      89.71.37.43 (07:02:27.955 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->43574 (07:02:27.955 PST)
      78.12.85.243 (07:02:09.625 PST)
         event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
         60245->6890 (07:02:09.625 PST)
      82.170.252.104 (07:03:27.412 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->20090 (07:03:27.412 PST)
      125.128.156.151 (07:01:27.705 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->35885 (07:01:27.705 PST)
   PEER COORDINATION
   DECLARE BOT
   Standard Port
   DECLARE BOT
   Non-standard Port
      69.43.161.167 (07:01:40.919 PST)
         event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
         60027->6099 (07:01:40.919 PST)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1359212420.591 1359212420.592 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 85.28.77.124, 85.23.239.104, 87.241.99.41, 91.202.73.55
Resource List:
Observed Start: 01/26/2013 09:00:33.306 PST
Gen. Time: 01/26/2013 09:01:50.157 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
      Info 85.28.77.124 (09:01:34.913 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->59348 (09:01:34.913 PST)
      85.23.239.104 (09:00:33.306 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->56383 (09:00:33.306 PST)
      87.241.99.41 (09:01:20.979 PST)
         event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
         60395->2710 (09:01:20.979 PST)
      91.202.73.55 (09:01:20.994 PST)
         event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [%01%E5jX%B4%D5%E1R%E4%A1%BC,\%D9%04%A6%03%C6%16,%93%EF.'%D4%DA%82%89%A5@%99%C9"q%D8%DB%AB%A0%ACr%CE%F3%96%C5%E1%067%94l%B6yMx%8C%DD%B1O0%D5$%8D%9AG%C0%10y%FE%C4%DEC%BC%EC%A3%DC$r%EAHd%822%F0+%C8Lo%D6W%A7%93%DD/%F2%EB`N] MAC_Src: 00:01:64:FF:CE:EA
         60394->80 (09:01:20.994 PST)
   PEER COORDINATION
   DECLARE BOT
   Standard Port
   DECLARE BOT
   Non-standard Port
      69.43.161.167 (09:01:50.157 PST)
         event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->6099 (09:01:50.157 PST)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1359219633.306 1359219633.307 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 85.28.77.124, 85.23.239.104, 197.27.80.114, 61.91.88.43, 58.35.162.118, 87.241.99.41, 91.202.73.55
Resource List:
Observed Start: 01/26/2013 09:00:33.306 PST
Gen. Time: 01/26/2013 09:04:34.767 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
      Info 85.28.77.124 (09:01:34.913 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->59348 (09:01:34.913 PST)
      85.23.239.104 (09:00:33.306 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->56383 (09:00:33.306 PST)
      197.27.80.114 (09:03:35.419 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->50153 (09:03:35.419 PST)
      61.91.88.43 (09:03:20.399 PST)
         event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
         61063->16884 (09:03:20.399 PST)
      58.35.162.118 (09:02:34.865 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->56795 (09:02:34.865 PST)
      87.241.99.41 (09:01:20.979 PST)
         event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
         60395->2710 (09:01:20.979 PST)
      91.202.73.55 (09:01:20.994 PST)
         event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [%01%E5jX%B4%D5%E1R%E4%A1%BC,\%D9%04%A6%03%C6%16,%93%EF.'%D4%DA%82%89%A5@%99%C9"q%D8%DB%AB%A0%ACr%CE%F3%96%C5%E1%067%94l%B6yMx%8C%DD%B1O0%D5$%8D%9AG%C0%10y%FE%C4%DEC%BC%EC%A3%DC$r%EAHd%822%F0+%C8Lo%D6W%A7%93%DD/%F2%EB`N] MAC_Src: 00:01:64:FF:CE:EA
         60394->80 (09:01:20.994 PST)
   PEER COORDINATION
   DECLARE BOT
   Standard Port
   DECLARE BOT
   Non-standard Port
      69.43.161.167 (09:01:50.157 PST)
         event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->6099 (09:01:50.157 PST)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1359219633.306 1359219633.307 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 24.126.60.36, 188.138.32.243, 89.227.248.250 (2), 85.17.143.16, 107.194.27.74, 81.156.35.67, 91.202.73.55
Resource List:
Observed Start: 01/26/2013 11:01:40.658 PST
Gen. Time: 01/26/2013 11:04:20.551 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
      Info 24.126.60.36 (11:02:52.125 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->47842 (11:02:52.125 PST)
      188.138.32.243 (11:01:40.658 PST)
         event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
         56692->2710 (11:01:40.658 PST)
      89.227.248.250 (2) (11:02:32.912 PST)
         event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
         56909->6346 (11:02:32.912 PST)
         57466->6346 (11:04:01.922 PST)
      85.17.143.16 (11:02:50.379 PST)
         event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA
         57030->6969 (11:02:50.379 PST)
      107.194.27.74 (11:03:52.661 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->32336 (11:03:52.661 PST)
      81.156.35.67 (11:01:52.022 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->11969 (11:01:52.022 PST)
      91.202.73.55 (11:02:01.018 PST)
         event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
         56774->80 (11:02:01.018 PST)
   PEER COORDINATION
   DECLARE BOT
   Standard Port
   DECLARE BOT
   Non-standard Port
      69.43.161.167 (11:04:20.551 PST)
         event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
         57688->6099 (11:04:20.551 PST)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1359226900.658 1359226900.659 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 188.138.32.243, 89.227.248.250 (2), 91.202.73.55, 107.194.27.74, 85.17.143.16, 87.241.99.41, 24.126.60.36, 41.234.130.228, 81.156.35.67
Resource List:
Observed Start: 01/26/2013 11:01:40.658 PST
Gen. Time: 01/26/2013 11:05:42.055 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
      Info 188.138.32.243 (11:01:40.658 PST)
         event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
         56692->2710 (11:01:40.658 PST)
      89.227.248.250 (2) (11:02:32.912 PST)
         event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
         56909->6346 (11:02:32.912 PST)
         57466->6346 (11:04:01.922 PST)
      91.202.73.55 (11:02:01.018 PST)
         event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
         56774->80 (11:02:01.018 PST)
      107.194.27.74 (11:03:52.661 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->32336 (11:03:52.661 PST)
      85.17.143.16 (11:02:50.379 PST)
         event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA
         57030->6969 (11:02:50.379 PST)
      87.241.99.41 (11:04:33.760 PST)
         event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
         57762->2710 (11:04:33.760 PST)
      24.126.60.36 (11:02:52.125 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->47842 (11:02:52.125 PST)
      41.234.130.228 (11:04:53.708 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->28068 (11:04:53.708 PST)
      81.156.35.67 (11:01:52.022 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->11969 (11:01:52.022 PST)
   PEER COORDINATION
   DECLARE BOT
   Standard Port
   DECLARE BOT
   Non-standard Port
      69.43.161.167 (11:04:20.551 PST)
         event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
         57688->6099 (11:04:20.551 PST)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1359226900.658 1359226900.659 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 145.99.175.89
Resource List:
Observed Start: 01/26/2013 13:04:33.168 PST
Gen. Time: 01/26/2013 13:04:40.037 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
      Info 145.99.175.89 (13:04:33.168 PST)
         event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
         55200->51413 (13:04:33.168 PST)
   PEER COORDINATION
   DECLARE BOT
   Standard Port
   DECLARE BOT
   Non-standard Port
      69.43.161.167 (13:04:40.037 PST)
         event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->6099 (13:04:40.037 PST)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1359234273.168 1359234273.169 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 46.7.92.13, 31.151.125.75, 91.224.160.192, 174.113.252.211, 208.83.20.164, 61.91.88.134, 87.241.99.41, 145.99.175.89
Resource List:
Observed Start: 01/26/2013 13:04:33.168 PST
Gen. Time: 01/26/2013 13:07:21.076 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
      Info 46.7.92.13 (13:04:49.843 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->46561 (13:04:49.843 PST)
      31.151.125.75 (13:06:49.063 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->37642 (13:06:49.063 PST)
      91.224.160.192 (13:05:51.580 PST)
         event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
         55822->2710 (13:05:51.580 PST)
      174.113.252.211 (13:05:49.237 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->45073 (13:05:49.237 PST)
      208.83.20.164 (13:07:21.076 PST)
         event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
         56380->6969 (13:07:21.076 PST)
      61.91.88.134 (13:07:01.020 PST)
         event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
         56242->16883 (13:07:01.020 PST)
      87.241.99.41 (13:05:11.257 PST)
         event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
         55503->2710 (13:05:11.257 PST)
      145.99.175.89 (13:04:33.168 PST)
         event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
         55200->51413 (13:04:33.168 PST)
   PEER COORDINATION
   DECLARE BOT
   Standard Port
   DECLARE BOT
   Non-standard Port
      69.43.161.167 (13:04:40.037 PST)
         event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->6099 (13:04:40.037 PST)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1359234273.168 1359234273.169 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 190.103.71.213, 91.218.38.132, 91.224.160.192, 89.227.248.250, 86.149.213.253, 201.172.84.87, 91.202.73.55
Resource List:
Observed Start: 01/26/2013 15:03:21.829 PST
Gen. Time: 01/26/2013 15:06:41.758 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
      Info 190.103.71.213 (15:05:12.182 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->49094 (15:05:12.182 PST)
      91.218.38.132 (15:03:21.829 PST)
         event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
         59843->2710 (15:03:21.829 PST)
      91.224.160.192 (15:05:31.608 PST)
         event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
         60796->2710 (15:05:31.608 PST)
      89.227.248.250 (15:05:24.618 PST)
         event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
         60772->6346 (15:05:24.618 PST)
      86.149.213.253 (15:06:14.295 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->32860 (15:06:14.295 PST)
      201.172.84.87 (15:04:11.053 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->37772 (15:04:11.053 PST)
      91.202.73.55 (15:04:01.234 PST)
         event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [%05n%97%C6M%D8%0F%A5hIY7%FC%0B3%19%C2w%7F%CC%10-%954%1C%E6%EBM%09%A7%1C%D2%B8%C9%976%02%B7%89%D4$] MAC_Src: 00:01:64:FF:CE:EA
         59973->80 (15:04:01.234 PST)
   PEER COORDINATION
   DECLARE BOT
   Standard Port
   DECLARE BOT
   Non-standard Port
      69.43.161.167 (15:06:41.758 PST)
         event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
         61302->6099 (15:06:41.758 PST)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1359241401.829 1359241401.830 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 190.103.71.213, 91.218.38.132, 91.224.160.192, 89.227.248.250, 112.209.184.229, 86.149.213.253, 201.172.84.87, 91.202.73.55
Resource List:
Observed Start: 01/26/2013 15:03:21.829 PST
Gen. Time: 01/26/2013 15:07:23.137 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
      Info 190.103.71.213 (15:05:12.182 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->49094 (15:05:12.182 PST)
      91.218.38.132 (15:03:21.829 PST)
         event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
         59843->2710 (15:03:21.829 PST)
      91.224.160.192 (15:05:31.608 PST)
         event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
         60796->2710 (15:05:31.608 PST)
      89.227.248.250 (15:05:24.618 PST)
         event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
         60772->6346 (15:05:24.618 PST)
      112.209.184.229 (15:07:15.183 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->41609 (15:07:15.183 PST)
      86.149.213.253 (15:06:14.295 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->32860 (15:06:14.295 PST)
      201.172.84.87 (15:04:11.053 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->37772 (15:04:11.053 PST)
      91.202.73.55 (15:04:01.234 PST)
         event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [%05n%97%C6M%D8%0F%A5hIY7%FC%0B3%19%C2w%7F%CC%10-%954%1C%E6%EBM%09%A7%1C%D2%B8%C9%976%02%B7%89%D4$] MAC_Src: 00:01:64:FF:CE:EA
         59973->80 (15:04:01.234 PST)
   PEER COORDINATION
   DECLARE BOT
   Standard Port
   DECLARE BOT
   Non-standard Port
      69.43.161.167 (15:06:41.758 PST)
         event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
         61302->6099 (15:06:41.758 PST)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1359241401.829 1359241401.830 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 41.233.101.60, 91.218.38.132, 85.17.143.16, 78.22.28.248, 121.14.98.151
Resource List:
Observed Start: 01/26/2013 17:04:21.836 PST
Gen. Time: 01/26/2013 17:06:50.728 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
      Info 41.233.101.60 (17:04:50.588 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->29733 (17:04:50.588 PST)
      91.218.38.132 (17:04:25.216 PST)
         event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
         50956->2710 (17:04:25.216 PST)
      85.17.143.16 (17:04:51.574 PST)
         event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA
         51153->6969 (17:04:51.574 PST)
      78.22.28.248 (17:05:51.062 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->14297 (17:05:51.062 PST)
      121.14.98.151 (17:04:21.836 PST)
         event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
         50946->9090 (17:04:21.836 PST)
   PEER COORDINATION
   DECLARE BOT
   Standard Port
   DECLARE BOT
   Non-standard Port
      69.43.161.167 (17:06:50.728 PST)
         event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->6099 (17:06:50.728 PST)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1359248661.836 1359248661.837 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 41.233.101.60, 91.218.38.132, 85.17.143.16 (3), 78.22.28.248, 121.14.98.151, 24.18.180.246 (2)
Resource List:
Observed Start: 01/26/2013 17:04:21.836 PST
Gen. Time: 01/26/2013 17:08:23.964 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
      Info 41.233.101.60 (17:04:50.588 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->29733 (17:04:50.588 PST)
      91.218.38.132 (17:04:25.216 PST)
         event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
         50956->2710 (17:04:25.216 PST)
      85.17.143.16 (3) (17:04:51.574 PST)
         event=1:1100010 (2) {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA
         52370->6969 (17:07:00.977 PST)
         51153->6969 (17:04:51.574 PST)
         -------------------------
         event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
         52370->6969 (17:07:00.977 PST)
      78.22.28.248 (17:05:51.062 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->14297 (17:05:51.062 PST)
      121.14.98.151 (17:04:21.836 PST)
         event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
         50946->9090 (17:04:21.836 PST)
      24.18.180.246 (2)
(17:06:51.476 PST-17:07:51.459 PST) event=1:1100013 (2) {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 2: 51413->21251 (17:06:51.476 PST-17:07:51.459 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (17:06:50.728 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (17:06:50.728 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1359248661.836 1359248871.460 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 81.136.150.113, 142.68.185.132, 91.224.160.192 (2), 89.227.248.250, 85.17.143.16 (2), 59.149.53.192 Resource List: Observed Start: 01/26/2013 19:06:07.461 PST Gen. Time: 01/26/2013 19:08:00.696 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 81.136.150.113 (19:07:11.158 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->49906 (19:07:11.158 PST) 142.68.185.132 (19:06:10.670 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51547 (19:06:10.670 PST) 91.224.160.192 (2) (19:06:14.796 PST) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 57911->2710 (19:06:41.908 PST) ------------------------- event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 57812->2710 (19:06:14.796 PST) 89.227.248.250 (19:06:07.461 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 57781->6346 (19:06:07.461 PST) 85.17.143.16 (2) (19:07:41.535 PST) 
event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 58320->6969 (19:07:41.535 PST) ------------------------- event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 58320->6969 (19:07:41.535 PST) 59.149.53.192 (19:07:35.973 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 58294->28743 (19:07:35.973 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (19:08:00.696 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 58604->6099 (19:08:00.696 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1359255967.461 1359255967.462 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 81.136.150.113, 142.68.185.132, 201.199.15.130, 91.224.160.192 (2), 89.227.248.250, 85.17.143.16 (2), 142.177.85.209, 59.149.53.192 (2) Resource List: Observed Start: 01/26/2013 19:06:07.461 PST Gen. 
Time: 01/26/2013 19:09:11.815 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 81.136.150.113 (19:07:11.158 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->49906 (19:07:11.158 PST) 142.68.185.132 (19:06:10.670 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51547 (19:06:10.670 PST) 201.199.15.130 (19:09:11.815 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->28037 (19:09:11.815 PST) 91.224.160.192 (2) (19:06:14.796 PST) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 57911->2710 (19:06:41.908 PST) ------------------------- event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 57812->2710 (19:06:14.796 PST) 89.227.248.250 (19:06:07.461 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 57781->6346 (19:06:07.461 PST) 85.17.143.16 (2) (19:07:41.535 PST) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 58320->6969 (19:07:41.535 PST) ------------------------- event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 58320->6969 (19:07:41.535 PST) 142.177.85.209 (19:08:11.440 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->25159 (19:08:11.440 PST) 59.149.53.192 (2) (19:07:35.973 PST) event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 58294->28743 (19:07:35.973 PST) 59042->28743 (19:09:07.981 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (19:08:00.696 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on 
non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 58604->6099 (19:08:00.696 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1359255967.461 1359255967.462 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 01/26/2013 21:08:20.312 PST Gen. Time: 01/26/2013 21:08:20.312 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (21:08:20.312 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (21:08:20.312 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1359263300.312 1359263300.313 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 2.219.85.150, 89.227.248.250, 208.83.20.164, 85.17.143.16 (2), 91.224.160.192, 178.164.138.232, 78.22.28.248, 59.149.53.192, 41.251.18.182 Resource List: Observed Start: 01/26/2013 21:08:20.312 PST Gen. 
Time: 01/26/2013 21:12:05.505 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 2.219.85.150 (21:10:47.151 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->41603 (21:10:47.151 PST) 89.227.248.250 (21:11:08.248 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 64739->6346 (21:11:08.248 PST) 208.83.20.164 (21:10:20.781 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 64334->80 (21:10:20.781 PST) 85.17.143.16 (2) (21:08:21.160 PST) event=1:1100010 (2) {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 63485->6969 (21:08:21.160 PST) 64844->6969 (21:11:41.160 PST) 91.224.160.192 (21:11:20.222 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 64710->2710 (21:11:20.222 PST) 178.164.138.232 (21:11:47.644 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->18262 (21:11:47.644 PST) 78.22.28.248 (21:08:45.692 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->14297 (21:08:45.692 PST) 59.149.53.192 (21:10:07.738 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 64235->28743 (21:10:07.738 PST) 41.251.18.182 (21:09:47.629 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->45682 (21:09:47.629 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (21:08:20.312 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (21:08:20.312 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1359263300.312 
1359263300.313 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================