Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 213.118.218.124, 97.86.227.86, 98.238.212.90, 91.202.73.55
Resource List:
Observed Start: 01/30/2013 01:45:59.374 PST
Gen. Time: 01/30/2013 01:48:01.299 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info 213.118.218.124 (01:46:42.689 PST)
 event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
 51413->19779 (01:46:42.689 PST)
97.86.227.86 (01:47:46.767 PST)
 event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
 51413->48937 (01:47:46.767 PST)
98.238.212.90 (01:45:59.374 PST)
 event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
 52833->6890 (01:45:59.374 PST)
91.202.73.55 (01:47:51.199 PST)
 event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [/papers/ftcs93/] MAC_Src: 00:01:64:FF:CE:EA
 53589->80 (01:47:51.199 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (01:48:01.299 PST)
 event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
 51413->6099 (01:48:01.299 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359539159.374 1359539159.375 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 208.95.173.194, 213.118.218.124, 97.86.227.86, 98.238.212.90 (2), 87.241.99.41, 78.151.191.178, 91.202.73.55
Resource List:
Observed Start: 01/30/2013 01:45:59.374 PST
Gen. Time: 01/30/2013 01:49:03.510 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info 208.95.173.194 (01:49:01.090 PST)
 event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
 54253->2711 (01:49:01.090 PST)
213.118.218.124 (01:46:42.689 PST)
 event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
 51413->19779 (01:46:42.689 PST)
97.86.227.86 (01:47:46.767 PST)
 event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
 51413->48937 (01:47:46.767 PST)
98.238.212.90 (2) (01:45:59.374 PST)
 event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
 52833->6890 (01:45:59.374 PST)
 54277->6890 (01:49:02.393 PST)
87.241.99.41 (01:48:17.583 PST)
 event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
 53918->2710 (01:48:17.583 PST)
78.151.191.178 (01:48:46.964 PST)
 event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
 51413->64247 (01:48:46.964 PST)
91.202.73.55 (01:47:51.199 PST)
 event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [/papers/ftcs93/] MAC_Src: 00:01:64:FF:CE:EA
 53589->80 (01:47:51.199 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (01:48:01.299 PST)
 event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
 51413->6099 (01:48:01.299 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359539159.374 1359539159.375 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 208.95.173.194 (2), 108.172.230.146, 125.60.241.62, 91.202.73.55
Resource List:
Observed Start: 01/30/2013 03:48:21.132 PST
Gen. Time: 01/30/2013 03:50:01.201 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info 208.95.173.194 (2) (03:49:40.653 PST)
 event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
 63744->2711 (03:49:40.653 PST)
 -------------------------
 event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
 63820->2710 (03:49:51.024 PST)
108.172.230.146 (03:48:59.366 PST)
 event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
 51413->42711 (03:48:59.366 PST)
125.60.241.62 (03:49:59.150 PST)
 event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
 51413->59378 (03:49:59.150 PST)
91.202.73.55 (03:48:21.132 PST)
 event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [/mail-archive/pvs/msg03870.html] MAC_Src: 00:01:64:FF:CE:EA
 63173->80 (03:48:21.132 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (03:50:01.201 PST)
 event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
 64036->6099 (03:50:01.201 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359546501.132 1359546501.133 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 178.239.54.153, 208.95.173.194 (3), 108.172.230.146, 125.60.241.62, 92.236.180.51, 91.202.73.55
Resource List:
Observed Start: 01/30/2013 03:48:21.132 PST
Gen. Time: 01/30/2013 03:51:29.243 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info 178.239.54.153 (03:50:41.394 PST)
 event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
 64232->3310 (03:50:41.394 PST)
208.95.173.194 (3) (03:49:40.653 PST)
 event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA
 64653->2710 (03:51:20.661 PST)
 -------------------------
 event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
 63744->2711 (03:49:40.653 PST)
 -------------------------
 event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
 63820->2710 (03:49:51.024 PST)
108.172.230.146 (03:48:59.366 PST)
 event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
 51413->42711 (03:48:59.366 PST)
125.60.241.62 (03:49:59.150 PST)
 event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
 51413->59378 (03:49:59.150 PST)
92.236.180.51 (03:51:01.036 PST)
 event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
 51413->23104 (03:51:01.036 PST)
91.202.73.55 (03:48:21.132 PST)
 event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [/mail-archive/pvs/msg03870.html] MAC_Src: 00:01:64:FF:CE:EA
 63173->80 (03:48:21.132 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (03:50:01.201 PST)
 event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
 64036->6099 (03:50:01.201 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359546501.132 1359546501.133 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 96.242.181.36, 91.218.38.132
Resource List:
Observed Start: 01/30/2013 07:51:16.381 PST
Gen. Time: 01/30/2013 07:52:00.599 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info 96.242.181.36 (07:51:36.974 PST)
 event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
 51413->38387 (07:51:36.974 PST)
91.218.38.132 (07:51:16.381 PST)
 event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
 63084->2710 (07:51:16.381 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (07:52:00.599 PST)
 event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
 63543->6099 (07:52:00.599 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359561076.381 1359561076.382 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 208.95.173.194, 178.239.54.160, 96.242.181.36, 91.218.38.132, 182.55.8.152, 145.99.175.89
Resource List:
Observed Start: 01/30/2013 07:51:16.381 PST
Gen. Time: 01/30/2013 07:53:31.061 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info 208.95.173.194 (07:52:21.131 PST)
 event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA
 63889->2710 (07:52:21.131 PST)
178.239.54.160 (07:52:00.778 PST)
 event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
 63541->3310 (07:52:00.778 PST)
96.242.181.36 (07:51:36.974 PST)
 event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
 51413->38387 (07:51:36.974 PST)
91.218.38.132 (07:51:16.381 PST)
 event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
 63084->2710 (07:51:16.381 PST)
182.55.8.152 (07:52:40.734 PST)
 event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
 51413->27663 (07:52:40.734 PST)
145.99.175.89 (07:52:13.617 PST)
 event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
 63796->51413 (07:52:13.617 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (07:52:00.599 PST)
 event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
 63543->6099 (07:52:00.599 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359561076.381 1359561076.382 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 208.95.173.194, 176.63.90.45, 188.138.32.243, 178.204.51.178, 81.100.206.38, 87.241.99.41, 119.46.206.48
Resource List:
Observed Start: 01/30/2013 09:50:00.379 PST
Gen. Time: 01/30/2013 09:52:30.031 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info 208.95.173.194 (09:51:22.157 PST)
 event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
 51432->2711 (09:51:22.157 PST)
176.63.90.45 (09:50:00.379 PST)
 event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
 51413->42560 (09:50:00.379 PST)
188.138.32.243 (09:51:52.503 PST)
 event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
 51694->2710 (09:51:52.503 PST)
178.204.51.178 (09:52:01.073 PST)
 event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
 51413->24773 (09:52:01.073 PST)
81.100.206.38 (09:51:01.634 PST)
 event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
 51413->52916 (09:51:01.634 PST)
87.241.99.41 (09:50:40.793 PST)
 event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
 51001->2710 (09:50:40.793 PST)
119.46.206.48 (09:50:04.898 PST)
 event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
 50732->16882 (09:50:04.898 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (09:52:30.031 PST)
 event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
 51413->6099 (09:52:30.031 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359568200.379 1359568200.380 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 188.138.32.243, 119.46.206.48, 176.63.90.45, 83.50.141.55, 208.95.173.194 (2), 81.100.206.38, 201.82.134.53, 83.149.86.133, 87.241.99.41, 178.204.51.178, 98.238.212.90
Resource List:
Observed Start: 01/30/2013 09:50:00.379 PST
Gen. Time: 01/30/2013 09:54:01.533 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info 188.138.32.243 (09:51:52.503 PST)
 event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
 51694->2710 (09:51:52.503 PST)
119.46.206.48 (09:50:04.898 PST)
 event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
 50732->16882 (09:50:04.898 PST)
176.63.90.45 (09:50:00.379 PST)
 event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
 51413->42560 (09:50:00.379 PST)
83.50.141.55 (09:54:01.533 PST)
 event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
 51413->20329 (09:54:01.533 PST)
208.95.173.194 (2) (09:51:22.157 PST)
 event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA
 52220->2710 (09:52:50.523 PST)
 -------------------------
 event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
 51432->2711 (09:51:22.157 PST)
81.100.206.38 (09:51:01.634 PST)
 event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
 51413->52916 (09:51:01.634 PST)
201.82.134.53 (09:53:01.607 PST)
 event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
 51413->49102 (09:53:01.607 PST)
83.149.86.133 (09:52:50.503 PST)
 event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
 52222->6969 (09:52:50.503 PST)
87.241.99.41 (09:50:40.793 PST)
 event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
 51001->2710 (09:50:40.793 PST)
178.204.51.178 (09:52:01.073 PST)
 event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
 51413->24773 (09:52:01.073 PST)
98.238.212.90 (09:52:31.915 PST)
 event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
 52042->6890 (09:52:31.915 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (09:52:30.031 PST)
 event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
 51413->6099 (09:52:30.031 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359568200.379 1359568200.380 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 208.95.173.194, 82.50.127.64, 114.244.180.94, 67.9.87.156
Resource List:
Observed Start: 01/30/2013 11:52:48.433 PST
Gen. Time: 01/30/2013 11:54:21.434 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info 208.95.173.194 (11:53:21.173 PST)
 event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA
 59746->2710 (11:53:21.173 PST)
82.50.127.64 (11:52:48.433 PST)
 event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
 51413->30540 (11:52:48.433 PST)
114.244.180.94 (11:53:11.369 PST)
 event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
 59703->21773 (11:53:11.369 PST)
67.9.87.156 (11:53:48.406 PST)
 event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
 51413->42007 (11:53:48.406 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (11:54:21.434 PST)
 event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
 60206->6099 (11:54:21.434 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359575568.433 1359575568.434 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 208.95.173.194, 82.50.127.64, 114.244.180.94, 67.9.87.156, 130.25.67.142, 212.59.28.49
Resource List:
Observed Start: 01/30/2013 11:52:48.433 PST
Gen. Time: 01/30/2013 11:54:48.740 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info 208.95.173.194 (11:53:21.173 PST)
 event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA
 59746->2710 (11:53:21.173 PST)
82.50.127.64 (11:52:48.433 PST)
 event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
 51413->30540 (11:52:48.433 PST)
114.244.180.94 (11:53:11.369 PST)
 event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
 59703->21773 (11:53:11.369 PST)
67.9.87.156 (11:53:48.406 PST)
 event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
 51413->42007 (11:53:48.406 PST)
130.25.67.142 (11:54:48.740 PST)
 event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
 51413->56204 (11:54:48.740 PST)
212.59.28.49 (11:54:21.626 PST)
 event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
 60207->2710 (11:54:21.626 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (11:54:21.434 PST)
 event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
 60206->6099 (11:54:21.434 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1359575568.433 1359575568.434 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================