Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 142.167.94.49, 89.227.248.250, 91.218.38.132, 70.77.199.174, 85.17.143.16 (2), 91.224.160.192, 79.54.65.187, 85.71.148.165, 109.134.115.127
Resource List:
Observed Start: 01/27/2013 01:06:32.357 PST
Gen. Time: 01/27/2013 01:10:02.537 PST

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
      142.167.94.49 (01:06:32.357 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->50908 (01:06:32.357 PST)
      89.227.248.250 (01:08:09.272 PST)
         event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
         63254->6346 (01:08:09.272 PST)
      91.218.38.132 (01:06:53.242 PST)
         event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
         62520->2710 (01:06:53.242 PST)
      70.77.199.174 (01:09:33.470 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->17938 (01:09:33.470 PST)
      85.17.143.16 (2) (01:09:51.930 PST)
         event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA
         63909->6969 (01:09:51.930 PST)
         -------------------------
         event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
         63909->6969 (01:09:51.930 PST)
      91.224.160.192 (01:07:11.620 PST)
         event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
         62763->2710 (01:07:11.620 PST)
      79.54.65.187 (01:07:32.127 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->25141 (01:07:32.127 PST)
      85.71.148.165 (01:08:32.455 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->27022 (01:08:32.455 PST)
      109.134.115.127 (01:09:29.279 PST)
         event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
         63803->9034 (01:09:29.279 PST)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
      69.43.161.167 (01:10:02.537 PST)
         event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->6099 (01:10:02.537 PST)
   DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359277592.357 1359277592.358 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 142.167.94.49, 89.227.248.250, 91.218.38.132, 70.77.199.174, 94.36.170.53, 85.17.143.16 (2), 91.224.160.192, 79.54.65.187, 85.71.148.165, 109.134.115.127
Resource List:
Observed Start: 01/27/2013 01:06:32.357 PST
Gen. Time: 01/27/2013 01:10:33.017 PST

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
      142.167.94.49 (01:06:32.357 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->50908 (01:06:32.357 PST)
      89.227.248.250 (01:08:09.272 PST)
         event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
         63254->6346 (01:08:09.272 PST)
      91.218.38.132 (01:06:53.242 PST)
         event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
         62520->2710 (01:06:53.242 PST)
      70.77.199.174 (01:09:33.470 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->17938 (01:09:33.470 PST)
      94.36.170.53 (01:10:33.017 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->39329 (01:10:33.017 PST)
      85.17.143.16 (2) (01:09:51.930 PST)
         event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA
         63909->6969 (01:09:51.930 PST)
         -------------------------
         event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
         63909->6969 (01:09:51.930 PST)
      91.224.160.192 (01:07:11.620 PST)
         event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
         62763->2710 (01:07:11.620 PST)
      79.54.65.187 (01:07:32.127 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->25141 (01:07:32.127 PST)
      85.71.148.165 (01:08:32.455 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->27022 (01:08:32.455 PST)
      109.134.115.127 (01:09:29.279 PST)
         event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
         63803->9034 (01:09:29.279 PST)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
      69.43.161.167 (01:10:02.537 PST)
         event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->6099 (01:10:02.537 PST)
   DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359277592.357 1359277592.358 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 115.124.201.177, 89.227.248.250, 85.17.143.16 (2)
Resource List:
Observed Start: 01/27/2013 03:10:01.514 PST
Gen. Time: 01/27/2013 03:11:51.684 PST

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
      115.124.201.177 (03:10:59.396 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->51850 (03:10:59.396 PST)
      89.227.248.250 (03:10:37.130 PST)
         event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
         56742->6346 (03:10:37.130 PST)
      85.17.143.16 (2) (03:10:01.514 PST)
         event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA
         56479->6969 (03:10:01.514 PST)
         -------------------------
         event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
         56479->6969 (03:10:01.514 PST)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
      69.43.161.167 (03:11:51.684 PST)
         event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
         57316->6099 (03:11:51.684 PST)
   DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359285001.514 1359285001.515 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 89.227.248.250, 208.83.20.164 (2), 188.153.1.123, 145.99.175.89, 190.103.71.213, 85.17.143.16 (2), 115.124.201.177, 87.241.99.41, 109.226.31.234
Resource List:
Observed Start: 01/27/2013 03:10:01.514 PST
Gen. Time: 01/27/2013 03:14:00.859 PST

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
      89.227.248.250 (03:10:37.130 PST)
         event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
         56742->6346 (03:10:37.130 PST)
      208.83.20.164 (2) (03:11:51.753 PST)
         event=1:1100016 (2) {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
         57314->6969 (03:11:51.753 PST)
         57851->80 (03:12:51.103 PST)
      188.153.1.123 (03:14:00.859 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->51886 (03:14:00.859 PST)
      145.99.175.89 (03:11:56.798 PST)
         event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
         57410->51413 (03:11:56.798 PST)
      190.103.71.213 (03:13:00.550 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->49094 (03:13:00.550 PST)
      85.17.143.16 (2) (03:10:01.514 PST)
         event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA
         56479->6969 (03:10:01.514 PST)
         -------------------------
         event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
         56479->6969 (03:10:01.514 PST)
      115.124.201.177 (03:10:59.396 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->51850 (03:10:59.396 PST)
      87.241.99.41 (03:13:31.367 PST)
         event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
         58292->2710 (03:13:31.367 PST)
      109.226.31.234 (03:12:00.904 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->24544 (03:12:00.904 PST)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
      69.43.161.167 (03:11:51.684 PST)
         event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
         57316->6099 (03:11:51.684 PST)
   DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359285001.514 1359285001.515 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 01/27/2013 07:13:51.163 PST
Gen. Time: 01/27/2013 07:13:51.163 PST

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
      69.43.161.167 (07:13:51.163 PST)
         event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
         54307->6099 (07:13:51.163 PST)
   DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359299631.163 1359299631.164 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 72.225.153.32, 50.19.95.119, 189.106.9.155, 94.242.221.123, 2.100.244.255, 85.27.14.81, 208.83.20.164, 212.59.28.49
Resource List:
Observed Start: 01/27/2013 07:13:51.163 PST
Gen. Time: 01/27/2013 07:17:39.049 PST

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
      72.225.153.32 (07:17:27.580 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->18721 (07:17:27.580 PST)
      50.19.95.119 (07:17:11.069 PST)
         event=1:1100017 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
         55807->80 (07:17:11.069 PST)
      189.106.9.155 (07:14:25.718 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->58485 (07:14:25.718 PST)
      94.242.221.123 (07:16:40.741 PST)
         event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
         55616->80 (07:16:40.741 PST)
      2.100.244.255 (07:16:26.767 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->53488 (07:16:26.767 PST)
      85.27.14.81 (07:15:26.481 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->44111 (07:15:26.481 PST)
      208.83.20.164 (07:13:51.233 PST)
         event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
         54306->80 (07:13:51.233 PST)
      212.59.28.49 (07:16:51.139 PST)
         event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
         55656->2710 (07:16:51.139 PST)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
      69.43.161.167 (07:13:51.163 PST)
         event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
         54307->6099 (07:13:51.163 PST)
   DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359299631.163 1359299631.164 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 188.190.98.38
Resource List:
Observed Start: 01/27/2013 09:14:26.641 PST
Gen. Time: 01/27/2013 09:14:30.276 PST

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
      188.190.98.38 (09:14:26.641 PST)
         event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
         52896->2810 (09:14:26.641 PST)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
      69.43.161.167 (09:14:30.276 PST)
         event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->6099 (09:14:30.276 PST)
   DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359306866.641 1359306866.642 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 109.197.98.169, 188.138.32.243, 208.83.20.164, 201.231.132.171, 212.59.28.49 (2), 174.45.240.202, 88.240.98.74, 50.19.95.119, 188.190.98.38
Resource List:
Observed Start: 01/27/2013 09:14:26.641 PST
Gen. Time: 01/27/2013 09:18:43.816 PST

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
      109.197.98.169 (09:18:00.128 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->52820 (09:18:00.128 PST)
      188.138.32.243 (09:14:58.012 PST)
         event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
         53110->2710 (09:14:58.012 PST)
      208.83.20.164 (09:18:21.062 PST)
         event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
         54465->6969 (09:18:21.062 PST)
      201.231.132.171 (09:15:00.736 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->31526 (09:15:00.736 PST)
      212.59.28.49 (2) (09:14:50.657 PST)
         event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
         53102->2710 (09:14:50.657 PST)
         -------------------------
         event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
         53756->2710 (09:16:19.800 PST)
      174.45.240.202 (09:17:00.002 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->6882 (09:17:00.002 PST)
      88.240.98.74 (09:16:00.832 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->38214 (09:16:00.832 PST)
      50.19.95.119 (09:17:41.074 PST)
         event=1:1100017 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
         54204->80 (09:17:41.074 PST)
      188.190.98.38 (09:14:26.641 PST)
         event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
         52896->2810 (09:14:26.641 PST)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
      69.43.161.167 (09:14:30.276 PST)
         event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->6099 (09:14:30.276 PST)
   DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359306866.641 1359306866.642 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 208.83.20.164
Resource List:
Observed Start: 01/27/2013 11:16:21.073 PST
Gen. Time: 01/27/2013 11:16:40.438 PST

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
      208.83.20.164 (11:16:21.073 PST)
         event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
         61237->80 (11:16:21.073 PST)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
      69.43.161.167 (11:16:40.438 PST)
         event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
         61374->6099 (11:16:40.438 PST)
   DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359314181.073 1359314181.074 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 142.167.94.49, 89.227.248.250, 208.83.20.164 (2), 82.224.107.219 (2), 178.196.221.133, 91.224.160.192, 76.3.98.248, 50.19.95.119, 90.219.87.101
Resource List:
Observed Start: 01/27/2013 11:16:21.073 PST
Gen. Time: 01/27/2013 11:20:28.480 PST

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
      142.167.94.49 (11:20:06.098 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->50908 (11:20:06.098 PST)
      89.227.248.250 (11:18:06.091 PST)
         event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
         62193->6346 (11:18:06.091 PST)
      208.83.20.164 (2) (11:16:21.073 PST)
         event=1:1100016 (2) {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
         61237->80 (11:16:21.073 PST)
         62770->80 (11:19:10.800 PST)
      82.224.107.219 (2) (11:16:53.575 PST)
         event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
         61563->6890 (11:16:53.575 PST)
         63197->6890 (11:20:17.105 PST)
      178.196.221.133 (11:19:06.732 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->49282 (11:19:06.732 PST)
      91.224.160.192 (11:17:51.593 PST)
         event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
         61994->2710 (11:17:51.593 PST)
      76.3.98.248 (11:17:06.583 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->20475 (11:17:06.583 PST)
      50.19.95.119 (11:19:10.840 PST)
         event=1:1100017 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
         62780->80 (11:19:10.840 PST)
      90.219.87.101 (11:18:06.327 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->40731 (11:18:06.327 PST)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
      69.43.161.167 (11:16:40.438 PST)
         event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
         61374->6099 (11:16:40.438 PST)
   DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359314181.073 1359314181.074 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 87.241.99.41, 208.83.20.164
Resource List:
Observed Start: 01/27/2013 13:17:01.041 PST
Gen. Time: 01/27/2013 13:17:40.120 PST

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
      87.241.99.41 (13:17:15.587 PST)
         event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
         62707->2710 (13:17:15.587 PST)
      208.83.20.164 (13:17:01.041 PST)
         event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
         62413->80 (13:17:01.041 PST)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
      69.43.161.167 (13:17:40.120 PST)
         event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->6099 (13:17:40.120 PST)
   DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359321421.041 1359321421.042 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 188.138.32.243, 217.43.232.213, 188.3.59.8, 41.224.102.111, 89.136.72.173, 87.241.99.41, 208.83.20.164 (2), 94.15.12.107 (2)
Resource List:
Observed Start: 01/27/2013 13:17:01.041 PST
Gen. Time: 01/27/2013 13:20:48.733 PST

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
      188.138.32.243 (13:18:48.937 PST)
         event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
         63571->2710 (13:18:48.937 PST)
      217.43.232.213 (13:19:48.642 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->14651 (13:19:48.642 PST)
      188.3.59.8 (13:18:47.640 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->31966 (13:18:47.640 PST)
      41.224.102.111 (13:20:48.733 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->50153 (13:20:48.733 PST)
      89.136.72.173 (13:17:43.539 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->50196 (13:17:43.539 PST)
      87.241.99.41 (13:17:15.587 PST)
         event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
         62707->2710 (13:17:15.587 PST)
      208.83.20.164 (2) (13:17:01.041 PST)
         event=1:1100016 (2) {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
         62413->80 (13:17:01.041 PST)
         64503->6969 (13:20:30.184 PST)
      94.15.12.107 (2) (13:18:29.029 PST)
         event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
         63444->6890 (13:18:29.029 PST)
         64553->6890 (13:20:33.043 PST)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
      69.43.161.167 (13:17:40.120 PST)
         event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->6099 (13:17:40.120 PST)
   DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359321421.041 1359321421.042 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 82.224.107.219, 188.138.32.243, 41.237.213.234, 89.227.248.250, 85.60.128.191
Resource List:
Observed Start: 01/27/2013 15:18:00.100 PST
Gen. Time: 01/27/2013 15:19:40.576 PST

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
      82.224.107.219 (15:19:18.478 PST)
         event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
         52439->6890 (15:19:18.478 PST)
      188.138.32.243 (15:18:08.408 PST)
         event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
         51866->2710 (15:18:08.408 PST)
      41.237.213.234 (15:18:00.100 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->28068 (15:18:00.100 PST)
      89.227.248.250 (15:18:08.969 PST)
         event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
         51873->6346 (15:18:08.969 PST)
      85.60.128.191 (15:19:01.533 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->58976 (15:19:01.533 PST)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
      69.43.161.167 (15:19:40.576 PST)
         event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
         52596->6099 (15:19:40.576 PST)
   DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359328680.100 1359328680.101 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 188.138.32.243, 82.224.107.219, 41.237.213.234 (2), 89.227.248.250, 85.60.128.191, 190.253.13.73
Resource List:
Observed Start: 01/27/2013 15:18:00.100 PST
Gen. Time: 01/27/2013 15:21:01.108 PST

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
      188.138.32.243 (15:18:08.408 PST)
         event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
         51866->2710 (15:18:08.408 PST)
      82.224.107.219 (15:19:18.478 PST)
         event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
         52439->6890 (15:19:18.478 PST)
      41.237.213.234 (2) (15:18:00.100 PST-15:21:01.108 PST)
         event=1:1100013 (2) {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         2: 51413->28068 (15:18:00.100 PST-15:21:01.108 PST)
      89.227.248.250 (15:18:08.969 PST)
         event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
         51873->6346 (15:18:08.969 PST)
      85.60.128.191 (15:19:01.533 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->58976 (15:19:01.533 PST)
      190.253.13.73 (15:20:01.155 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->18449 (15:20:01.155 PST)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
      69.43.161.167 (15:19:40.576 PST)
         event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
         52596->6099 (15:19:40.576 PST)
   DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359328680.100 1359328861.109 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 01/27/2013 17:20:30.971 PST
Gen. Time: 01/27/2013 17:20:30.971 PST

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
      69.43.161.167 (17:20:30.971 PST)
         event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->6099 (17:20:30.971 PST)
   DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359336030.971 1359336030.972 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 82.224.107.219 (2), 178.164.138.146, 89.227.248.250, 91.224.160.192 (2), 190.205.68.252, 98.236.81.24, 208.83.20.164 (2), 77.230.204.4
Resource List:
Observed Start: 01/27/2013 17:20:30.971 PST
Gen. Time: 01/27/2013 17:24:32.664 PST

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
      82.224.107.219 (2) (17:21:55.831 PST)
         event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
         62602->6890 (17:21:55.831 PST)
         63599->6890 (17:24:00.841 PST)
      178.164.138.146 (17:21:23.525 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->18262 (17:21:23.525 PST)
      89.227.248.250 (17:22:56.336 PST)
         event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
         63012->6346 (17:22:56.336 PST)
      91.224.160.192 (2) (17:22:54.591 PST)
         event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA
         63499->2710 (17:24:10.140 PST)
         -------------------------
         event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
         62986->2710 (17:22:54.591 PST)
      190.205.68.252 (17:22:28.316 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->39447 (17:22:28.316 PST)
      98.236.81.24 (17:23:30.566 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->18868 (17:23:30.566 PST)
      208.83.20.164 (2) (17:21:40.998 PST)
         event=1:1100016 (2) {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
         62500->6969 (17:21:40.998 PST)
         63613->80 (17:24:01.072 PST)
      77.230.204.4 (17:24:32.664 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->45682 (17:24:32.664 PST)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
      69.43.161.167 (17:20:30.971 PST)
         event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->6099 (17:20:30.971 PST)
   DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359336030.971 1359336030.972 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 119.224.64.52, 217.43.232.213, 89.227.248.250, 91.224.160.192 (2), 187.133.170.199, 212.59.28.49
Resource List:
Observed Start: 01/27/2013 19:18:53.064 PST
Gen. Time: 01/27/2013 19:21:41.643 PST

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
      119.224.64.52 (19:21:31.660 PST)
         event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
         54445->9001 (19:21:31.660 PST)
      217.43.232.213 (19:19:48.090 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->14651 (19:19:48.090 PST)
      89.227.248.250 (19:19:36.148 PST)
         event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
         53557->6346 (19:19:36.148 PST)
      91.224.160.192 (2) (19:18:54.020 PST)
         event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA
         53528->2710 (19:19:31.446 PST)
         -------------------------
         event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
         53144->2710 (19:18:54.020 PST)
      187.133.170.199 (19:20:48.038 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->41929 (19:20:48.038 PST)
      212.59.28.49 (19:18:53.064 PST)
         event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
         53155->2710 (19:18:53.064 PST)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
      69.43.161.167 (19:21:41.643 PST)
         event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
         54483->6099 (19:21:41.643 PST)
   DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359343133.064 1359343133.065 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 188.138.32.243, 203.45.202.54, 89.227.248.250, 208.83.20.164, 212.59.28.49, 187.133.170.199, 217.43.232.213, 119.224.64.52, 91.224.160.192 (2), 199.126.153.223
Resource List:
Observed Start: 01/27/2013 19:18:53.064 PST
Gen. Time: 01/27/2013 19:22:49.551 PST

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
      188.138.32.243 (19:22:28.975 PST)
         event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
         54954->2710 (19:22:28.975 PST)
      203.45.202.54 (19:21:48.372 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->53059 (19:21:48.372 PST)
      89.227.248.250 (19:19:36.148 PST)
         event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
         53557->6346 (19:19:36.148 PST)
      208.83.20.164 (19:22:21.739 PST)
         event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
         54944->6969 (19:22:21.739 PST)
      212.59.28.49 (19:18:53.064 PST)
         event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
         53155->2710 (19:18:53.064 PST)
      187.133.170.199 (19:20:48.038 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->41929 (19:20:48.038 PST)
      217.43.232.213 (19:19:48.090 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->14651 (19:19:48.090 PST)
      119.224.64.52 (19:21:31.660 PST)
         event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
         54445->9001 (19:21:31.660 PST)
      91.224.160.192 (2) (19:18:54.020 PST)
         event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA
         53528->2710 (19:19:31.446 PST)
         -------------------------
         event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
         53144->2710 (19:18:54.020 PST)
      199.126.153.223 (19:22:49.551 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->41143 (19:22:49.551 PST)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
      69.43.161.167 (19:21:41.643 PST)
         event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
         54483->6099 (19:21:41.643 PST)
   DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359343133.064 1359343133.065 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 93.50.57.31, 82.224.107.219 (2), 91.224.160.192, 74.138.208.204, 78.22.28.248, 121.14.98.151
Resource List:
Observed Start: 01/27/2013 21:19:27.811 PST
Gen.
Time: 01/27/2013 21:22:10.524 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 93.50.57.31 (21:21:31.705 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->22580 (21:21:31.705 PST) 82.224.107.219 (2) (21:19:54.911 PST) event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 54883->6890 (21:19:54.911 PST) 55557->6890 (21:21:56.928 PST) 91.224.160.192 (21:20:15.947 PST) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 55054->2710 (21:20:15.947 PST) 74.138.208.204 (21:20:29.173 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->58330 (21:20:29.173 PST) 78.22.28.248 (21:19:27.811 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->14297 (21:19:27.811 PST) 121.14.98.151 (21:22:01.324 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 55706->9090 (21:22:01.324 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (21:22:10.524 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (21:22:10.524 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1359350367.811 1359350367.812 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. 
List: 89.227.248.250, 121.14.98.151, 93.50.57.31, 208.83.20.164, 82.224.107.219 (2), 212.59.28.49, 91.224.160.192, 78.22.28.248, 176.40.80.17, 99.199.12.220, 74.138.208.204 Resource List: Observed Start: 01/27/2013 21:19:27.811 PST Gen. Time: 01/27/2013 21:23:34.548 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 89.227.248.250 (21:23:06.437 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 56178->6346 (21:23:06.437 PST) 121.14.98.151 (21:22:01.324 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 55706->9090 (21:22:01.324 PST) 93.50.57.31 (21:21:31.705 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->22580 (21:21:31.705 PST) 208.83.20.164 (21:23:20.705 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 56223->6969 (21:23:20.705 PST) 82.224.107.219 (2) (21:19:54.911 PST) event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 54883->6890 (21:19:54.911 PST) 55557->6890 (21:21:56.928 PST) 212.59.28.49 (21:22:39.436 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 55895->2710 (21:22:39.436 PST) 91.224.160.192 (21:20:15.947 PST) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 55054->2710 (21:20:15.947 PST) 78.22.28.248 (21:19:27.811 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->14297 (21:19:27.811 PST) 176.40.80.17 (21:23:34.548 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->45736 (21:23:34.548 PST) 99.199.12.220 (21:22:32.318 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 
00:01:64:FF:CE:EA 51413->30523 (21:22:32.318 PST) 74.138.208.204 (21:20:29.173 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->58330 (21:20:29.173 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (21:22:10.524 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (21:22:10.524 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1359350367.811 1359350367.812 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================