Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 178.239.54.153, 62.199.204.78, 91.120.66.27 (2), 58.169.152.14, 208.83.20.164 (2), 145.99.175.89 (2)
Resource List:
Observed Start: 01/29/2013 01:33:41.471 PST
Gen. Time: 01/29/2013 01:37:10.842 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
178.239.54.153 (01:35:41.433 PST)
  event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
  56232->3310 (01:35:41.433 PST)
62.199.204.78 (01:33:58.736 PST)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
  55513->6890 (01:33:58.736 PST)
91.120.66.27 (2) (01:34:17.818 PST-01:36:17.819 PST)
  event=1:1100013 (2) {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  2: 51413->14663 (01:34:17.818 PST-01:36:17.819 PST)
58.169.152.14 (01:35:17.293 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->44255 (01:35:17.293 PST)
208.83.20.164 (2) (01:33:41.471 PST)
  event=1:1100016 (2) {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
  56662->80 (01:36:41.215 PST)
  55371->6969 (01:33:41.471 PST)
145.99.175.89 (2) (01:35:11.428 PST)
  event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
  56918->51413 (01:37:00.438 PST)
  56138->51413 (01:35:11.428 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (01:37:10.842 PST)
  event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->6099 (01:37:10.842 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359452021.471 1359452177.820 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 117.193.174.235
Resource List:
Observed Start: 01/29/2013 03:38:47.312 PST
Gen. Time: 01/29/2013 03:38:51.499 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
117.193.174.235 (03:38:47.312 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->26105 (03:38:47.312 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (03:38:51.499 PST)
  event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
  59921->6099 (03:38:51.499 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359459527.312 1359459527.313 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 95.245.233.168, 62.199.204.78, 85.17.143.16, 94.209.46.10, 81.84.87.184, 92.236.180.51, 117.193.174.235
Resource List:
Observed Start: 01/29/2013 03:38:47.312 PST
Gen. Time: 01/29/2013 03:41:49.281 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
95.245.233.168 (03:39:08.406 PST)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
  60113->6881 (03:39:08.406 PST)
62.199.204.78 (03:40:09.418 PST)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
  60546->6890 (03:40:09.418 PST)
85.17.143.16 (03:39:01.675 PST)
  event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA
  60016->6969 (03:39:01.675 PST)
94.209.46.10 (03:40:47.984 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->16335 (03:40:47.984 PST)
81.84.87.184 (03:41:49.281 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->28384 (03:41:49.281 PST)
92.236.180.51 (03:39:47.138 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->23104 (03:39:47.138 PST)
117.193.174.235 (03:38:47.312 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->26105 (03:38:47.312 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (03:38:51.499 PST)
  event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
  59921->6099 (03:38:51.499 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359459527.312 1359459527.313 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 95.176.184.165, 119.46.206.54, 91.218.38.132, 72.27.154.206, 92.236.180.51, 208.83.20.164, 145.99.175.89
Resource List:
Observed Start: 01/29/2013 05:36:40.336 PST
Gen. Time: 01/29/2013 05:39:20.092 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
95.176.184.165 (05:38:49.257 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->26708 (05:38:49.257 PST)
119.46.206.54 (05:38:10.757 PST)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
  50427->16884 (05:38:10.757 PST)
91.218.38.132 (05:36:40.336 PST)
  event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
  49809->2710 (05:36:40.336 PST)
72.27.154.206 (05:37:49.827 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->48524 (05:37:49.827 PST)
92.236.180.51 (05:36:48.230 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->23104 (05:36:48.230 PST)
208.83.20.164 (05:37:10.608 PST)
  event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [/papers/srt-long/] MAC_Src: 00:01:64:FF:CE:EA
  50090->80 (05:37:10.608 PST)
145.99.175.89 (05:39:15.719 PST)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
  51116->51413 (05:39:15.719 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (05:39:20.092 PST)
  event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->6099 (05:39:20.092 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359466600.336 1359466600.337 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 208.83.20.164, 91.218.38.132, 95.176.184.165, 145.99.175.89, 92.236.180.51, 119.46.206.54, 109.242.18.254, 79.22.64.254, 61.91.88.26, 72.27.154.206
Resource List:
Observed Start: 01/29/2013 05:36:40.336 PST
Gen. Time: 01/29/2013 05:40:49.369 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
208.83.20.164 (05:37:10.608 PST)
  event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [/papers/srt-long/] MAC_Src: 00:01:64:FF:CE:EA
  50090->80 (05:37:10.608 PST)
91.218.38.132 (05:36:40.336 PST)
  event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
  49809->2710 (05:36:40.336 PST)
95.176.184.165 (05:38:49.257 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->26708 (05:38:49.257 PST)
145.99.175.89 (05:39:15.719 PST)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
  51116->51413 (05:39:15.719 PST)
92.236.180.51 (05:36:48.230 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->23104 (05:36:48.230 PST)
119.46.206.54 (05:38:10.757 PST)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
  50427->16884 (05:38:10.757 PST)
109.242.18.254 (05:39:49.147 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->61073 (05:39:49.147 PST)
79.22.64.254 (05:40:49.369 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->57119 (05:40:49.369 PST)
61.91.88.26 (05:40:19.562 PST)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
  51484->16882 (05:40:19.562 PST)
72.27.154.206 (05:37:49.827 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->48524 (05:37:49.827 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (05:39:20.092 PST)
  event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->6099 (05:39:20.092 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359466600.336 1359466600.337 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 62.199.204.78 (2), 119.74.32.176, 85.75.98.53, 87.241.99.41
Resource List:
Observed Start: 01/29/2013 07:38:35.226 PST
Gen. Time: 01/29/2013 07:40:50.967 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
62.199.204.78 (2) (07:38:35.226 PST)
  event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
  63027->6890 (07:38:35.226 PST)
  64007->6890 (07:40:33.745 PST)
119.74.32.176 (07:39:07.215 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->38348 (07:39:07.215 PST)
85.75.98.53 (07:40:08.485 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->55297 (07:40:08.485 PST)
87.241.99.41 (07:39:24.377 PST)
  event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
  63386->2710 (07:39:24.377 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (07:40:50.967 PST)
  event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
  64121->6099 (07:40:50.967 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359473915.226 1359473915.227 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 188.138.32.243, 62.199.204.78 (2), 91.224.160.192 (2), 78.101.12.245, 119.74.32.176, 85.75.98.53, 87.241.99.41, 82.50.123.190
Resource List:
Observed Start: 01/29/2013 07:38:35.226 PST
Gen. Time: 01/29/2013 07:42:55.379 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
188.138.32.243 (07:41:48.173 PST)
  event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
  64566->2710 (07:41:48.173 PST)
62.199.204.78 (2) (07:38:35.226 PST)
  event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
  63027->6890 (07:38:35.226 PST)
  64007->6890 (07:40:33.745 PST)
91.224.160.192 (2) (07:40:51.147 PST)
  event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA
  64120->2710 (07:40:51.147 PST)
  -------------------------
  event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
  64120->2710 (07:40:51.147 PST)
78.101.12.245 (07:41:10.336 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->63681 (07:41:10.336 PST)
119.74.32.176 (07:39:07.215 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->38348 (07:39:07.215 PST)
85.75.98.53 (07:40:08.485 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->55297 (07:40:08.485 PST)
87.241.99.41 (07:39:24.377 PST)
  event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
  63386->2710 (07:39:24.377 PST)
82.50.123.190 (07:42:12.189 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->39340 (07:42:12.189 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (07:40:50.967 PST)
  event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
  64121->6099 (07:40:50.967 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359473915.226 1359473915.227 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 178.239.54.153, 91.218.38.132, 91.224.160.192, 173.11.133.34, 190.205.68.252, 98.238.212.90, 121.14.98.151, 95.231.39.169
Resource List:
Observed Start: 01/29/2013 09:38:41.346 PST
Gen. Time: 01/29/2013 09:41:50.478 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
178.239.54.153 (09:38:41.346 PST)
  event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
  63487->3310 (09:38:41.346 PST)
91.218.38.132 (09:40:11.462 PST)
  event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
  64160->2710 (09:40:11.462 PST)
91.224.160.192 (09:39:02.113 PST)
  event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA
  63564->2710 (09:39:02.113 PST)
173.11.133.34 (09:38:55.193 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->51413 (09:38:55.193 PST)
190.205.68.252 (09:40:56.019 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->39447 (09:40:56.019 PST)
98.238.212.90 (09:40:27.354 PST)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
  64342->6890 (09:40:27.354 PST)
121.14.98.151 (09:40:50.841 PST)
  event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
  64568->9090 (09:40:50.841 PST)
95.231.39.169 (09:39:56.542 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->48334 (09:39:56.542 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (09:41:50.478 PST)
  event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->6099 (09:41:50.478 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359481121.346 1359481121.347 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 190.205.68.252, 121.14.98.151, 91.218.38.132, 81.225.174.231, 173.11.133.34, 91.224.160.192, 178.239.54.153, 98.238.212.90, 95.231.39.169
Resource List:
Observed Start: 01/29/2013 09:38:41.346 PST
Gen. Time: 01/29/2013 09:41:59.433 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
190.205.68.252 (09:40:56.019 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->39447 (09:40:56.019 PST)
121.14.98.151 (09:40:50.841 PST)
  event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
  64568->9090 (09:40:50.841 PST)
91.218.38.132 (09:40:11.462 PST)
  event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
  64160->2710 (09:40:11.462 PST)
81.225.174.231 (09:41:59.433 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->17936 (09:41:59.433 PST)
173.11.133.34 (09:38:55.193 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->51413 (09:38:55.193 PST)
91.224.160.192 (09:39:02.113 PST)
  event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA
  63564->2710 (09:39:02.113 PST)
178.239.54.153 (09:38:41.346 PST)
  event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
  63487->3310 (09:38:41.346 PST)
98.238.212.90 (09:40:27.354 PST)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
  64342->6890 (09:40:27.354 PST)
95.231.39.169 (09:39:56.542 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->48334 (09:39:56.542 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (09:41:50.478 PST)
  event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->6099 (09:41:50.478 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359481121.346 1359481121.347 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 01/29/2013 11:43:00.691 PST
Gen. Time: 01/29/2013 11:43:00.691 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (11:43:00.691 PST)
  event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
  51142->6099 (11:43:00.691 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359488580.691 1359488580.692 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 91.218.38.132, 91.224.160.192, 97.86.227.86, 208.83.20.164, 82.161.69.109
Resource List:
Observed Start: 01/29/2013 11:43:00.691 PST
Gen. Time: 01/29/2013 11:45:00.344 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
91.218.38.132 (11:44:22.133 PST)
  event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
  51792->2710 (11:44:22.133 PST)
91.224.160.192 (11:43:41.179 PST)
  event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
  51505->2710 (11:43:41.179 PST)
97.86.227.86 (11:43:32.499 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->48937 (11:43:32.499 PST)
208.83.20.164 (11:44:41.415 PST)
  event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [%EFI%CFH%B6%18%BB%85%81Yx%CC%C8P%D4%1Ehz%7F%A8%EB] MAC_Src: 00:01:64:FF:CE:EA
  51964->80 (11:44:41.415 PST)
82.161.69.109 (11:44:32.156 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->26085 (11:44:32.156 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (11:43:00.691 PST)
  event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
  51142->6099 (11:43:00.691 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359488580.691 1359488580.692 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 91.179.238.236, 67.164.118.225
Resource List:
Observed Start: 01/29/2013 13:42:29.970 PST
Gen. Time: 01/29/2013 13:43:11.831 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
91.179.238.236 (13:42:29.970 PST)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
  49263->49567 (13:42:29.970 PST)
67.164.118.225 (13:43:01.990 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->29090 (13:43:01.990 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (13:43:11.831 PST)
  event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->6099 (13:43:11.831 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359495749.970 1359495749.971 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 91.179.238.236, 2.124.98.32, 67.164.118.225, 91.218.38.132, 58.169.152.14, 24.171.202.29, 208.83.20.164, 212.59.28.49
Resource List:
Observed Start: 01/29/2013 13:42:29.970 PST
Gen. Time: 01/29/2013 13:46:06.760 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
91.179.238.236 (13:42:29.970 PST)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
  49263->49567 (13:42:29.970 PST)
2.124.98.32 (13:44:01.331 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->16285 (13:44:01.331 PST)
67.164.118.225 (13:43:01.990 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->29090 (13:43:01.990 PST)
91.218.38.132 (13:43:43.722 PST)
  event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
  49722->2710 (13:43:43.722 PST)
58.169.152.14 (13:46:06.760 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->44255 (13:46:06.760 PST)
24.171.202.29 (13:45:04.311 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->57832 (13:45:04.311 PST)
208.83.20.164 (13:44:30.995 PST)
  event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
  49954->80 (13:44:30.995 PST)
212.59.28.49 (13:44:45.511 PST)
  event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
  50085->2710 (13:44:45.511 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (13:43:11.831 PST)
  event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->6099 (13:43:11.831 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359495749.970 1359495749.971 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 01/29/2013 15:44:51.456 PST
Gen. Time: 01/29/2013 15:44:51.456 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (15:44:51.456 PST)
  event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
  51330->6099 (15:44:51.456 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359503091.456 1359503091.457 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 178.239.54.153, 2.84.22.80, 94.15.19.176, 78.146.191.122, 24.171.202.29, 208.83.20.164, 212.59.28.49
Resource List:
Observed Start: 01/29/2013 15:44:51.456 PST
Gen. Time: 01/29/2013 15:47:51.619 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
178.239.54.153 (15:46:20.915 PST)
  event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
  52318->3310 (15:46:20.915 PST)
2.84.22.80 (15:47:51.619 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->58992 (15:47:51.619 PST)
94.15.19.176 (15:46:59.266 PST)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
  52557->6890 (15:46:59.266 PST)
78.146.191.122 (15:46:51.996 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->60864 (15:46:51.996 PST)
24.171.202.29 (15:45:51.306 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->57832 (15:45:51.306 PST)
208.83.20.164 (15:45:11.300 PST)
  event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
  51705->80 (15:45:11.300 PST)
212.59.28.49 (15:44:54.037 PST)
  event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
  51362->2710 (15:44:54.037 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (15:44:51.456 PST)
  event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
  51330->6099 (15:44:51.456 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359503091.456 1359503091.457 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 79.18.25.212
Resource List:
Observed Start: 01/29/2013 19:45:06.197 PST
Gen. Time: 01/29/2013 19:45:20.102 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
79.18.25.212 (19:45:06.197 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->43364 (19:45:06.197 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (19:45:20.102 PST)
  event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
  65005->6099 (19:45:20.102 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359517506.197 1359517506.198 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 188.138.32.243, 151.27.96.255, 94.15.19.176, 79.18.25.212 (2), 212.59.28.49, 69.35.66.145, 91.224.160.192, 97.86.227.86, 178.239.54.153
Resource List:
Observed Start: 01/29/2013 19:45:06.197 PST
Gen. Time: 01/29/2013 19:48:09.341 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
188.138.32.243 (19:45:33.282 PST)
  event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
  65035->2710 (19:45:33.282 PST)
151.27.96.255 (19:48:07.277 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->33172 (19:48:07.277 PST)
94.15.19.176 (19:46:03.435 PST)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
  65275->6890 (19:46:03.435 PST)
79.18.25.212 (2) (19:45:06.197 PST-19:47:06.244 PST)
  event=1:1100013 (2) {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  2: 51413->43364 (19:45:06.197 PST-19:47:06.244 PST)
212.59.28.49 (19:46:30.642 PST)
  event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
  65440->2710 (19:46:30.642 PST)
69.35.66.145 (19:47:03.942 PST)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
  49390->60254 (19:47:03.942 PST)
91.224.160.192 (19:47:15.639 PST)
  event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA
  49435->2710 (19:47:15.639 PST)
97.86.227.86 (19:46:06.629 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->48937 (19:46:06.629 PST)
178.239.54.153 (19:48:01.154 PST)
  event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
  49791->3310 (19:48:01.154 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (19:45:20.102 PST)
  event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
  65005->6099 (19:45:20.102 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359517506.197 1359517626.245 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 91.224.160.192, 75.159.50.159, 98.238.212.90, 61.91.88.42
Resource List:
Observed Start: 01/29/2013 21:44:57.207 PST
Gen. Time: 01/29/2013 21:46:00.808 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
91.224.160.192 (21:45:13.591 PST)
  event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
  62099->2710 (21:45:13.591 PST)
75.159.50.159 (21:45:01.177 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->56980 (21:45:01.177 PST)
98.238.212.90 (21:44:57.207 PST)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
  61907->6890 (21:44:57.207 PST)
61.91.88.42 (21:45:58.221 PST)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
  62360->16881 (21:45:58.221 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (21:46:00.808 PST)
  event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->6099 (21:46:00.808 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359524697.207 1359524697.208 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 91.202.73.55, 58.169.71.131, 216.221.72.112, 91.224.160.192, 109.106.243.41, 94.209.46.10, 178.239.54.153, 98.238.212.90, 61.91.88.42, 75.159.50.159
Resource List:
Observed Start: 01/29/2013 21:44:57.207 PST
Gen. Time: 01/29/2013 21:49:02.619 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
91.202.73.55 (21:46:41.805 PST)
  event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [P@%89.%BF%07lx%F8%00@W E%9E%A2%82%10%A4%F4%17%C3%92%C3] MAC_Src: 00:01:64:FF:CE:EA
  62504->80 (21:46:41.805 PST)
58.169.71.131 (21:46:01.241 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->29286 (21:46:01.241 PST)
216.221.72.112 (21:47:02.143 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->28380 (21:47:02.143 PST)
91.224.160.192 (21:45:13.591 PST)
  event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
  62099->2710 (21:45:13.591 PST)
109.106.243.41 (21:49:02.619 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->15422 (21:49:02.619 PST)
94.209.46.10 (21:48:02.347 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->16335 (21:48:02.347 PST)
178.239.54.153 (21:47:51.711 PST)
  event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
  62906->3310 (21:47:51.711 PST)
98.238.212.90 (21:44:57.207 PST)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
  61907->6890 (21:44:57.207 PST)
61.91.88.42 (21:45:58.221 PST)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
  62360->16881 (21:45:58.221 PST)
75.159.50.159 (21:45:01.177 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->56980 (21:45:01.177 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (21:46:00.808 PST)
  event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->6099 (21:46:00.808 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359524697.207 1359524697.208 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================