Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 109.201.148.249, 216.232.138.13, 188.138.32.243, 81.105.198.19, 89.227.248.250, 85.17.143.16, 77.230.204.4, 92.251.96.156
Resource List:
Observed Start: 01/28/2013 01:19:27.017 PST
Gen. Time: 01/28/2013 01:23:40.131 PST
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
    109.201.148.249 (01:21:40.586 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 63622->2710 (01:21:40.586 PST)
    216.232.138.13 (01:21:00.443 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->58166 (01:21:00.443 PST)
    188.138.32.243 (01:21:00.265 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 63526->2710 (01:21:00.265 PST)
    81.105.198.19 (01:23:00.080 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->35935 (01:23:00.080 PST)
    89.227.248.250 (01:22:02.531 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 63908->6346 (01:22:02.531 PST)
    85.17.143.16 (01:19:27.017 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 62807->6969 (01:19:27.017 PST)
    77.230.204.4 (01:22:00.161 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->45682 (01:22:00.161 PST)
    92.251.96.156 (01:20:00.489 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->44281 (01:20:00.489 PST)
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
    69.43.161.167 (01:23:40.131 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (01:23:40.131 PST)
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1359364767.017 1359364767.018 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 01/28/2013 03:25:20.247 PST
Gen. Time: 01/28/2013 03:25:20.247 PST
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
    69.43.161.167 (03:25:20.247 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 54588->6099 (03:25:20.247 PST)
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1359372320.247 1359372320.248 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 188.138.32.243, 89.227.248.250, 208.83.20.164, 91.218.38.132, 188.85.221.73, 82.3.137.27, 78.22.28.248 (2), 119.74.32.176, 178.239.54.160, 122.167.250.15, 79.21.239.181
Resource List:
Observed Start: 01/28/2013 03:25:20.247 PST
Gen. Time: 01/28/2013 03:29:50.517 PST
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
    188.138.32.243 (03:28:45.520 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 56111->2710 (03:28:45.520 PST)
    89.227.248.250 (03:28:59.486 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 56356->6346 (03:28:59.486 PST)
    208.83.20.164 (03:27:20.111 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [%DD%99%8B%A99%C8/%87%FD%17%88.%B0%90%85l%BE] MAC_Src: 00:01:64:FF:CE:EA 55560->80 (03:27:20.111 PST)
    91.218.38.132 (03:26:10.834 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 55031->2710 (03:26:10.834 PST)
    188.85.221.73 (03:27:50.815 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->49032 (03:27:50.815 PST)
    82.3.137.27 (03:27:33.476 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 55591->51413 (03:27:33.476 PST)
    78.22.28.248 (2) (03:26:49.519 PST-03:29:50.517 PST) event=1:1100013 (2) {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 2: 51413->14297 (03:26:49.519 PST-03:29:50.517 PST)
    119.74.32.176 (03:28:50.338 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->38348 (03:28:50.338 PST)
    178.239.54.160 (03:28:41.180 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 56080->3310 (03:28:41.180 PST)
    122.167.250.15 (03:25:49.648 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->17341 (03:25:49.648 PST)
    79.21.239.181 (03:25:59.469 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 54864->6881 (03:25:59.469 PST)
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
    69.43.161.167 (03:25:20.247 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 54588->6099 (03:25:20.247 PST)
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1359372320.247 1359372590.518 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 76.3.98.248, 89.227.248.250, 208.83.20.164
Resource List:
Observed Start: 01/28/2013 05:25:01.852 PST
Gen. Time: 01/28/2013 05:26:00.956 PST
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
    76.3.98.248 (05:25:51.798 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->20475 (05:25:51.798 PST)
    89.227.248.250 (05:25:06.861 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 63515->6346 (05:25:06.861 PST)
    208.83.20.164 (05:25:01.852 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 63425->6969 (05:25:01.852 PST)
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
    69.43.161.167 (05:26:00.956 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (05:26:00.956 PST)
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1359379501.852 1359379501.853 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 27.4.227.189, 76.3.98.248, 91.224.160.192 (2), 89.227.248.250 (2), 208.83.20.164
Resource List:
Observed Start: 01/28/2013 05:25:01.852 PST
Gen. Time: 01/28/2013 05:27:32.104 PST
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
    27.4.227.189 (05:26:51.041 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->62637 (05:26:51.041 PST)
    76.3.98.248 (05:25:51.798 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->20475 (05:25:51.798 PST)
    91.224.160.192 (2) (05:26:16.068 PST) event=1:1100016 (2) {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 64043->2710 (05:26:16.068 PST) 64562->2710 (05:27:21.421 PST)
    89.227.248.250 (2) (05:25:06.861 PST) event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 63515->6346 (05:25:06.861 PST) 64443->6346 (05:27:02.874 PST)
    208.83.20.164 (05:25:01.852 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 63425->6969 (05:25:01.852 PST)
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
    69.43.161.167 (05:26:00.956 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (05:26:00.956 PST)
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1359379501.852 1359379501.853 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 219.84.215.201
Resource List:
Observed Start: 01/28/2013 07:27:27.773 PST
Gen. Time: 01/28/2013 07:27:31.680 PST
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
    219.84.215.201 (07:27:27.773 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 63010->16881 (07:27:27.773 PST)
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
    69.43.161.167 (07:27:31.680 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 63028->6099 (07:27:31.680 PST)
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1359386847.773 1359386847.774 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 46.7.92.13, 188.223.172.114, 5.14.3.233, 219.84.215.201, 87.241.99.41, 208.83.20.164
Resource List:
Observed Start: 01/28/2013 07:27:27.773 PST
Gen. Time: 01/28/2013 07:30:24.644 PST
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
    46.7.92.13 (07:28:22.818 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->46561 (07:28:22.818 PST)
    188.223.172.114 (07:29:24.150 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->59961 (07:29:24.150 PST)
    5.14.3.233 (07:30:24.644 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->64373 (07:30:24.644 PST)
    219.84.215.201 (07:27:27.773 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 63010->16881 (07:27:27.773 PST)
    87.241.99.41 (07:29:11.892 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 63874->2710 (07:29:11.892 PST)
    208.83.20.164 (07:29:11.779 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 63872->80 (07:29:11.779 PST)
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
    69.43.161.167 (07:27:31.680 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 63028->6099 (07:27:31.680 PST)
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1359386847.773 1359386847.774 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 146.251.140.233, 92.26.255.231, 208.83.20.164
Resource List:
Observed Start: 01/28/2013 09:26:21.047 PST
Gen. Time: 01/28/2013 09:27:50.884 PST
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
    146.251.140.233 (09:27:21.732 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->33228 (09:27:21.732 PST)
    92.26.255.231 (09:26:21.047 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->36853 (09:26:21.047 PST)
    208.83.20.164 (09:27:01.501 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 57896->6969 (09:27:01.501 PST)
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
    69.43.161.167 (09:27:50.884 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (09:27:50.884 PST)
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1359393981.047 1359393981.048 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 188.138.32.243, 89.227.248.250, 208.83.20.164, 92.236.180.51, 5.14.160.172, 91.224.160.192, 119.46.206.29, 92.26.255.231, 95.176.134.118, 146.251.140.233
Resource List:
Observed Start: 01/28/2013 09:26:21.047 PST
Gen. Time: 01/28/2013 09:30:21.457 PST
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
    188.138.32.243 (09:27:51.740 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 58346->2710 (09:27:51.740 PST)
    89.227.248.250 (09:28:23.223 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 58578->6346 (09:28:23.223 PST)
    208.83.20.164 (09:27:01.501 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 57896->6969 (09:27:01.501 PST)
    92.236.180.51 (09:30:21.457 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->23104 (09:30:21.457 PST)
    5.14.160.172 (09:29:21.477 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->36542 (09:29:21.477 PST)
    91.224.160.192 (09:28:54.009 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 58733->2710 (09:28:54.009 PST)
    119.46.206.29 (09:30:09.239 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 59175->16882 (09:30:09.239 PST)
    92.26.255.231 (09:26:21.047 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->36853 (09:26:21.047 PST)
    95.176.134.118 (09:28:21.978 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->26708 (09:28:21.978 PST)
    146.251.140.233 (09:27:21.732 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->33228 (09:27:21.732 PST)
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
    69.43.161.167 (09:27:50.884 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (09:27:50.884 PST)
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1359393981.047 1359393981.048 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 46.107.133.163, 89.227.248.250
Resource List:
Observed Start: 01/28/2013 11:29:07.030 PST
Gen. Time: 01/28/2013 11:29:51.012 PST
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
    46.107.133.163 (11:29:07.030 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->17956 (11:29:07.030 PST)
    89.227.248.250 (11:29:36.216 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 60915->6346 (11:29:36.216 PST)
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
    69.43.161.167 (11:29:51.012 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 60970->6099 (11:29:51.012 PST)
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1359401347.030 1359401347.031 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 76.3.98.248, 46.107.133.163, 89.227.248.250, 72.27.154.206, 2.103.152.16, 208.83.20.164
Resource List:
Observed Start: 01/28/2013 11:29:07.030 PST
Gen. Time: 01/28/2013 11:33:14.056 PST
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
    76.3.98.248 (11:32:13.207 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->20475 (11:32:13.207 PST)
    46.107.133.163 (11:29:07.030 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->17956 (11:29:07.030 PST)
    89.227.248.250 (11:29:36.216 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 60915->6346 (11:29:36.216 PST)
    72.27.154.206 (11:31:09.020 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->48524 (11:31:09.020 PST)
    2.103.152.16 (11:30:07.809 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->12605 (11:30:07.809 PST)
    208.83.20.164 (11:29:51.082 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 60969->80 (11:29:51.082 PST)
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
    69.43.161.167 (11:29:51.012 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 60970->6099 (11:29:51.012 PST)
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1359401347.030 1359401347.031 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 208.95.173.194, 92.19.109.29, 109.201.148.249, 91.178.216.20, 81.57.226.154, 90.217.171.236, 77.49.40.90, 208.83.20.164
Resource List:
Observed Start: 01/28/2013 13:26:21.448 PST
Gen. Time: 01/28/2013 13:30:11.043 PST
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
    208.95.173.194 (13:27:58.794 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 61660->2710 (13:27:58.794 PST)
    92.19.109.29 (13:28:23.307 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->16358 (13:28:23.307 PST)
    109.201.148.249 (13:26:21.448 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 61148->2710 (13:26:21.448 PST)
    91.178.216.20 (13:27:07.149 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 61393->9034 (13:27:07.149 PST)
    81.57.226.154 (13:26:23.291 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->46249 (13:26:23.291 PST)
    90.217.171.236 (13:29:24.380 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->10407 (13:29:24.380 PST)
    77.49.40.90 (13:27:23.132 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->12923 (13:27:23.132 PST)
    208.83.20.164 (13:29:21.052 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 62209->6969 (13:29:21.052 PST)
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
    69.43.161.167 (13:30:11.043 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (13:30:11.043 PST)
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1359408381.448 1359408381.449 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 208.95.173.194, 92.19.109.29, 109.201.148.249, 91.178.216.20, 81.57.226.154, 90.217.171.236, 77.49.40.90, 208.83.20.164 (2)
Resource List:
Observed Start: 01/28/2013 13:26:21.448 PST
Gen. Time: 01/28/2013 13:30:23.542 PST
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
    208.95.173.194 (13:27:58.794 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 61660->2710 (13:27:58.794 PST)
    92.19.109.29 (13:28:23.307 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->16358 (13:28:23.307 PST)
    109.201.148.249 (13:26:21.448 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 61148->2710 (13:26:21.448 PST)
    91.178.216.20 (13:27:07.149 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 61393->9034 (13:27:07.149 PST)
    81.57.226.154 (13:26:23.291 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->46249 (13:26:23.291 PST)
    90.217.171.236 (13:29:24.380 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->10407 (13:29:24.380 PST)
    77.49.40.90 (13:27:23.132 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->12923 (13:27:23.132 PST)
    208.83.20.164 (2) (13:29:21.052 PST) event=1:1100016 (2) {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 62209->6969 (13:29:21.052 PST) 62400->80 (13:30:21.357 PST)
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
    69.43.161.167 (13:30:11.043 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (13:30:11.043 PST)
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1359408381.448 1359408381.449 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 208.95.173.194, 187.39.9.236, 208.83.20.164
Resource List:
Observed Start: 01/28/2013 15:30:41.770 PST
Gen. Time: 01/28/2013 15:31:51.250 PST
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
    208.95.173.194 (15:31:14.724 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 52925->2710 (15:31:14.724 PST)
    187.39.9.236 (15:30:54.204 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->13084 (15:30:54.204 PST)
    208.83.20.164 (15:30:41.770 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 52688->6969 (15:30:41.770 PST)
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
    69.43.161.167 (15:31:51.250 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 53307->6099 (15:31:51.250 PST)
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1359415841.770 1359415841.771 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 208.95.173.194, 187.39.9.236, 50.19.95.119, 62.199.204.78, 109.67.111.175, 58.169.152.14, 109.242.247.234, 208.83.20.164 (2)
Resource List:
Observed Start: 01/28/2013 15:30:41.770 PST
Gen. Time: 01/28/2013 15:34:43.403 PST
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
    208.95.173.194 (15:31:14.724 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 52925->2710 (15:31:14.724 PST)
    187.39.9.236 (15:30:54.204 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->13084 (15:30:54.204 PST)
    50.19.95.119 (15:33:31.355 PST) event=1:1100017 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 54241->80 (15:33:31.355 PST)
    62.199.204.78 (15:32:35.211 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 53734->6890 (15:32:35.211 PST)
    109.67.111.175 (15:31:54.938 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->30759 (15:31:54.938 PST)
    58.169.152.14 (15:32:54.153 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->44255 (15:32:54.153 PST)
    109.242.247.234 (15:33:54.362 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->57922 (15:33:54.362 PST)
    208.83.20.164 (2) (15:30:41.770 PST) event=1:1100016 (2) {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 52688->6969 (15:30:41.770 PST) 54239->80 (15:33:31.349 PST)
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
    69.43.161.167 (15:31:51.250 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 53307->6099 (15:31:51.250 PST)
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1359415841.770 1359415841.771 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 208.95.173.194, 71.174.62.26, 219.78.204.162, 89.227.248.250, 208.83.20.164
Resource List:
Observed Start: 01/28/2013 19:32:01.735 PST
Gen. Time: 01/28/2013 19:33:41.552 PST
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
    208.95.173.194 (19:32:01.837 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 65326->2710 (19:32:01.837 PST)
    71.174.62.26 (19:33:16.695 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->55086 (19:33:16.695 PST)
    219.78.204.162 (19:32:16.160 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->18535 (19:32:16.160 PST)
    89.227.248.250 (19:32:28.653 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 65441->6346 (19:32:28.653 PST)
    208.83.20.164 (19:32:01.735 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 65327->6969 (19:32:01.735 PST)
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
    69.43.161.167 (19:33:41.552 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 49535->6099 (19:33:41.552 PST)
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1359430321.735 1359430321.736 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 178.239.54.153, 208.95.173.194, 71.174.62.26, 219.78.204.162, 62.199.204.78, 89.227.248.250, 208.83.20.164, 90.244.249.110
Resource List:
Observed Start: 01/28/2013 19:32:01.735 PST
Gen. Time: 01/28/2013 19:34:17.989 PST
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
    178.239.54.153 (19:33:41.734 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 49534->3310 (19:33:41.734 PST)
    208.95.173.194 (19:32:01.837 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 65326->2710 (19:32:01.837 PST)
    71.174.62.26 (19:33:16.695 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->55086 (19:33:16.695 PST)
    219.78.204.162 (19:32:16.160 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->18535 (19:32:16.160 PST)
    62.199.204.78 (19:33:58.354 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 49737->6890 (19:33:58.354 PST)
    89.227.248.250 (19:32:28.653 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 65441->6346 (19:32:28.653 PST)
    208.83.20.164 (19:32:01.735 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 65327->6969 (19:32:01.735 PST)
    90.244.249.110 (19:34:17.989 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->18425 (19:34:17.989 PST)
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
    69.43.161.167 (19:33:41.552 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 49535->6099 (19:33:41.552 PST)
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1359430321.735 1359430321.736 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 85.17.143.16 (2), 119.74.32.176, 77.85.241.94
Resource List:
Observed Start: 01/28/2013 21:32:41.755 PST
Gen. Time: 01/28/2013 21:34:40.769 PST
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
    85.17.143.16 (2) (21:34:11.695 PST) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 64264->6969 (21:34:11.695 PST)
    ------------------------- event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 64264->6969 (21:34:11.695 PST)
    119.74.32.176 (21:32:41.755 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->38348 (21:32:41.755 PST)
    77.85.241.94 (21:33:42.216 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->60042 (21:33:42.216 PST)
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
    69.43.161.167 (21:34:40.769 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (21:34:40.769 PST)
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1359437561.755 1359437561.756 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 62.199.204.78, 91.224.160.192, 88.147.172.98, 85.17.143.16 (2), 119.74.32.176, 77.85.241.94
Resource List:
Observed Start: 01/28/2013 21:32:41.755 PST
Gen. Time: 01/28/2013 21:35:18.365 PST
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
    62.199.204.78 (21:34:55.189 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 64446->6890 (21:34:55.189 PST)
    91.224.160.192 (21:35:18.365 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 64596->2710 (21:35:18.365 PST)
    88.147.172.98 (21:34:42.792 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->10009 (21:34:42.792 PST)
    85.17.143.16 (2) (21:34:11.695 PST) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 64264->6969 (21:34:11.695 PST)
    ------------------------- event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 64264->6969 (21:34:11.695 PST)
    119.74.32.176 (21:32:41.755 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->38348 (21:32:41.755 PST)
    77.85.241.94 (21:33:42.216 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->60042 (21:33:42.216 PST)
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
    69.43.161.167 (21:34:40.769 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (21:34:40.769 PST)
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1359437561.755 1359437561.756 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================