Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 116.15.39.241, 91.224.160.192 (2), 84.126.211.166, 212.59.28.49
Resource List:
Observed Start: 02/15/2013 15:38:49.294 PST
Gen. Time: 02/15/2013 15:40:40.511 PST
 INBOUND SCAN
 EXPLOIT
 EXPLOIT
 MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
 ATTACK PREP
 PEER COORDINATION Info
   116.15.39.241 (15:39:50.433 PST)
     event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
     51413->18581 (15:39:50.433 PST)
   91.224.160.192 (2) (15:40:15.352 PST)
     event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA
     65093->2710 (15:40:15.352 PST)
     -------------------------
     event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
     64907->2710 (15:40:15.352 PST)
   84.126.211.166 (15:38:49.294 PST)
     event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
     51413->14469 (15:38:49.294 PST)
   212.59.28.49 (15:39:28.816 PST)
     event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
     64490->2710 (15:39:28.816 PST)
 PEER COORDINATION
 DECLARE BOT Standard Port
 DECLARE BOT Non-standard Port
   69.43.161.167 (15:40:40.511 PST)
     event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
     51413->6099 (15:40:40.511 PST)
 DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1360971529.294 1360971529.295 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 208.95.173.194, 79.93.173.221, 189.60.17.149, 116.15.39.241, 91.224.160.192 (3), 84.126.211.166, 119.46.206.15, 212.59.28.49
Resource List:
Observed Start: 02/15/2013 15:38:49.294 PST
Gen. Time: 02/15/2013 15:42:24.087 PST
 INBOUND SCAN
 EXPLOIT
 EXPLOIT
 MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
 ATTACK PREP
 PEER COORDINATION Info
   208.95.173.194 (15:41:24.729 PST)
     event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA
     49778->2710 (15:41:24.729 PST)
   79.93.173.221 (15:40:50.829 PST)
     event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
     51413->26033 (15:40:50.829 PST)
   189.60.17.149 (15:41:51.021 PST)
     event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
     51413->21268 (15:41:51.021 PST)
   116.15.39.241 (15:39:50.433 PST)
     event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
     51413->18581 (15:39:50.433 PST)
   91.224.160.192 (3) (15:40:15.352 PST)
     event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA
     65093->2710 (15:40:15.352 PST)
     -------------------------
     event=1:1100016 (2) {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
     64907->2710 (15:40:15.352 PST)
     49775->2710 (15:41:24.729 PST)
   84.126.211.166 (15:38:49.294 PST)
     event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
     51413->14469 (15:38:49.294 PST)
   119.46.206.15 (15:41:53.214 PST)
     event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
     50352->16884 (15:41:53.214 PST)
   212.59.28.49 (15:39:28.816 PST)
     event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
     64490->2710 (15:39:28.816 PST)
 PEER COORDINATION
 DECLARE BOT Standard Port
 DECLARE BOT Non-standard Port
   69.43.161.167 (15:40:40.511 PST)
     event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
     51413->6099 (15:40:40.511 PST)
 DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1360971529.294 1360971529.295 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 2.230.52.152, 209.240.126.223
Resource List:
Observed Start: 02/15/2013 15:42:51.776 PST
Gen. Time: 02/15/2013 15:43:29.040 PST
 INBOUND SCAN
 EXPLOIT
 EXPLOIT
 MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
 ATTACK PREP
 PEER COORDINATION Info
   2.230.52.152 (15:43:09.723 PST)
     event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
     51915->51413 (15:43:09.723 PST)
   209.240.126.223 (15:42:51.776 PST)
     event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
     51413->13569 (15:42:51.776 PST)
 PEER COORDINATION
 DECLARE BOT Standard Port
 DECLARE BOT Non-standard Port
   69.43.161.167 (15:43:29.040 PST)
     event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
     52036->6099 (15:43:29.040 PST)
 DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1360971771.776 1360971771.777 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 2.230.52.152, 121.54.34.55, 91.218.38.132, 107.201.208.15, 78.203.107.140, 85.17.143.16 (2), 209.240.126.223, 145.99.175.89
Resource List:
Observed Start: 02/15/2013 15:42:51.776 PST
Gen. Time: 02/15/2013 15:45:51.551 PST
 INBOUND SCAN
 EXPLOIT
 EXPLOIT
 MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
 ATTACK PREP
 PEER COORDINATION Info
   2.230.52.152 (15:43:09.723 PST)
     event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
     51915->51413 (15:43:09.723 PST)
   121.54.34.55 (15:45:51.551 PST)
     event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
     51413->43350 (15:45:51.551 PST)
   91.218.38.132 (15:45:17.299 PST)
     event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
     52531->2710 (15:45:17.299 PST)
   107.201.208.15 (15:44:51.301 PST)
     event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
     51413->12895 (15:44:51.301 PST)
   78.203.107.140 (15:43:51.650 PST)
     event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
     51413->47743 (15:43:51.650 PST)
   85.17.143.16 (2) (15:44:00.779 PST)
     event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA
     52103->6969 (15:44:00.779 PST)
     -------------------------
     event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
     52103->6969 (15:44:00.779 PST)
   209.240.126.223 (15:42:51.776 PST)
     event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
     51413->13569 (15:42:51.776 PST)
   145.99.175.89 (15:44:11.680 PST)
     event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
     52187->51413 (15:44:11.680 PST)
 PEER COORDINATION
 DECLARE BOT Standard Port
 DECLARE BOT Non-standard Port
   69.43.161.167 (15:43:29.040 PST)
     event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
     52036->6099 (15:43:29.040 PST)
 DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1360971771.776 1360971771.777 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 02/15/2013 15:56:21.103 PST
Gen. Time: 02/15/2013 15:56:21.103 PST
 INBOUND SCAN
 EXPLOIT
 EXPLOIT
 MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
 ATTACK PREP
 PEER COORDINATION Info
 PEER COORDINATION
 DECLARE BOT Standard Port
 DECLARE BOT Non-standard Port
   69.43.161.167 (15:56:21.103 PST)
     event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
     56942->6099 (15:56:21.103 PST)
 DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1360972581.103 1360972581.104 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 89.227.82.74, 116.15.39.241, 188.49.4.38, 67.80.14.169, 83.14.146.83, 188.6.159.28, 145.99.175.89 (2)
Resource List:
Observed Start: 02/15/2013 15:56:21.103 PST
Gen. Time: 02/15/2013 16:00:55.635 PST
 INBOUND SCAN
 EXPLOIT
 EXPLOIT
 MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
 ATTACK PREP
 PEER COORDINATION Info
   89.227.82.74 (15:58:06.613 PST)
     event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
     57322->6346 (15:58:06.613 PST)
   116.15.39.241 (16:00:55.635 PST)
     event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
     51413->18581 (16:00:55.635 PST)
   188.49.4.38 (15:57:54.119 PST)
     event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
     51413->10810 (15:57:54.119 PST)
   67.80.14.169 (15:59:55.789 PST)
     event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
     51413->42180 (15:59:55.789 PST)
   83.14.146.83 (15:56:54.199 PST)
     event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
     51413->13482 (15:56:54.199 PST)
   188.6.159.28 (15:58:55.574 PST)
     event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
     51413->11231 (15:58:55.574 PST)
   145.99.175.89 (2) (15:57:03.775 PST)
     event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
     57089->51413 (15:57:03.775 PST)
     57879->51413 (16:00:12.804 PST)
 PEER COORDINATION
 DECLARE BOT Standard Port
 DECLARE BOT Non-standard Port
   69.43.161.167 (15:56:21.103 PST)
     event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
     56942->6099 (15:56:21.103 PST)
 DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1360972581.103 1360972581.104 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 91.224.160.192 (2), 184.18.202.139, 145.99.175.89
Resource List:
Observed Start: 02/15/2013 16:11:31.150 PST
Gen. Time: 02/15/2013 16:12:20.597 PST
 INBOUND SCAN
 EXPLOIT
 EXPLOIT
 MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
 ATTACK PREP
 PEER COORDINATION Info
   91.224.160.192 (2) (16:11:31.150 PST)
     event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA
     60827->2710 (16:11:31.150 PST)
     -------------------------
     event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
     60827->2710 (16:11:31.150 PST)
   184.18.202.139 (16:11:59.155 PST)
     event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
     51413->15494 (16:11:59.155 PST)
   145.99.175.89 (16:12:05.879 PST)
     event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
     61041->51413 (16:12:05.879 PST)
 PEER COORDINATION
 DECLARE BOT Standard Port
 DECLARE BOT Non-standard Port
   69.43.161.167 (16:12:20.597 PST)
     event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
     51413->6099 (16:12:20.597 PST)
 DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1360973491.150 1360973491.151 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 208.83.20.164 (2), 145.99.175.89, 91.202.73.55, 208.95.173.194, 212.59.28.49, 213.22.63.238, 85.17.143.16 (2), 212.178.254.164, 184.18.202.139, 91.224.160.192 (2), 116.15.39.241, 89.227.82.74
Resource List:
Observed Start: 02/15/2013 16:11:31.150 PST
Gen. Time: 02/15/2013 16:15:04.325 PST
 INBOUND SCAN
 EXPLOIT
 EXPLOIT
 MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
 ATTACK PREP
 PEER COORDINATION Info
   208.83.20.164 (2) (16:13:01.167 PST)
     event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
     61224->6969 (16:13:01.167 PST)
     -------------------------
     event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%88%81h!f%09%00%AF:|/U;%BCmJH%F3,J] MAC_Src: 00:01:64:FF:CE:EA
     61237->80 (16:13:01.206 PST)
   145.99.175.89 (16:12:05.879 PST)
     event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
     61041->51413 (16:12:05.879 PST)
   91.202.73.55 (16:13:01.319 PST)
     event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF9%FFW%97%12%FFV%1B%A0%A8%0C%16Q%02%0D%A2] MAC_Src: 00:01:64:FF:CE:EA
     61233->80 (16:13:01.319 PST)
   208.95.173.194 (16:13:01.312 PST)
     event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA
     61236->2710 (16:13:01.312 PST)
   212.59.28.49 (16:12:34.536 PST)
     event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
     61148->2710 (16:12:34.536 PST)
   213.22.63.238 (16:13:59.522 PST)
     event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
     51413->34650 (16:13:59.522 PST)
   85.17.143.16 (2) (16:14:02.032 PST)
     event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA
     61488->6969 (16:14:02.032 PST)
     -------------------------
     event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
     61488->6969 (16:14:02.032 PST)
   212.178.254.164 (16:12:59.734 PST)
     event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
     51413->15422 (16:12:59.734 PST)
   184.18.202.139 (16:11:59.155 PST)
     event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
     51413->15494 (16:11:59.155 PST)
   91.224.160.192 (2) (16:11:31.150 PST)
     event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA
     60827->2710 (16:11:31.150 PST)
     -------------------------
     event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
     60827->2710 (16:11:31.150 PST)
   116.15.39.241 (16:14:59.393 PST)
     event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
     51413->18581 (16:14:59.393 PST)
   89.227.82.74 (16:14:04.725 PST)
     event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
     61532->6346 (16:14:04.725 PST)
 PEER COORDINATION
 DECLARE BOT Standard Port
 DECLARE BOT Non-standard Port
   69.43.161.167 (16:12:20.597 PST)
     event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
     51413->6099 (16:12:20.597 PST)
 DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1360973491.150 1360973491.151 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 145.99.175.89
Resource List:
Observed Start: 02/15/2013 16:28:06.484 PST
Gen. Time: 02/15/2013 16:28:41.420 PST
 INBOUND SCAN
 EXPLOIT
 EXPLOIT
 MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
 ATTACK PREP
 PEER COORDINATION Info
   145.99.175.89 (16:28:06.484 PST)
     event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
     50951->51413 (16:28:06.484 PST)
 PEER COORDINATION
 DECLARE BOT Standard Port
 DECLARE BOT Non-standard Port
   69.43.161.167 (16:28:41.420 PST)
     event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
     51077->6099 (16:28:41.420 PST)
 DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1360974486.484 1360974486.485 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 89.227.82.74, 69.142.88.251, 121.54.34.55, 145.99.175.89 (2)
Resource List:
Observed Start: 02/15/2013 16:28:06.484 PST
Gen. Time: 02/15/2013 16:31:21.822 PST
 INBOUND SCAN
 EXPLOIT
 EXPLOIT
 MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
 ATTACK PREP
 PEER COORDINATION Info
   89.227.82.74 (16:31:03.868 PST)
     event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
     51413->6346 (16:31:03.868 PST)
   69.142.88.251 (16:30:03.535 PST)
     event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
     51413->10304 (16:30:03.535 PST)
   121.54.34.55 (16:29:02.548 PST)
     event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
     51413->43350 (16:29:02.548 PST)
   145.99.175.89 (2) (16:28:06.484 PST)
     event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
     50951->51413 (16:28:06.484 PST)
     51529->51413 (16:30:13.004 PST)
 PEER COORDINATION
 DECLARE BOT Standard Port
 DECLARE BOT Non-standard Port
   69.43.161.167 (16:28:41.420 PST)
     event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
     51077->6099 (16:28:41.420 PST)
 DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1360974486.484 1360974486.485 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 187.106.169.59, 145.99.175.89
Resource List:
Observed Start: 02/15/2013 16:59:09.760 PST
Gen. Time: 02/15/2013 16:59:30.871 PST
 INBOUND SCAN
 EXPLOIT
 EXPLOIT
 MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
 ATTACK PREP
 PEER COORDINATION Info
   187.106.169.59 (16:59:12.586 PST)
     event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
     51413->26476 (16:59:12.586 PST)
   145.99.175.89 (16:59:09.760 PST)
     event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
     60519->51413 (16:59:09.760 PST)
 PEER COORDINATION
 DECLARE BOT Standard Port
 DECLARE BOT Non-standard Port
   69.43.161.167 (16:59:30.871 PST)
     event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
     51413->6099 (16:59:30.871 PST)
 DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1360976349.760 1360976349.761 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 187.106.169.59, 188.49.4.38, 200.117.237.25, 175.136.162.149, 211.173.183.236, 189.54.243.179, 145.99.175.89 (2)
Resource List:
Observed Start: 02/15/2013 16:59:09.760 PST
Gen. Time: 02/15/2013 17:03:12.182 PST
 INBOUND SCAN
 EXPLOIT
 EXPLOIT
 MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
 ATTACK PREP
 PEER COORDINATION Info
   187.106.169.59 (16:59:12.586 PST)
     event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
     51413->26476 (16:59:12.586 PST)
   188.49.4.38 (17:03:12.182 PST)
     event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
     51413->10810 (17:03:12.182 PST)
   200.117.237.25 (17:01:16.611 PST)
     event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
     61191->16881 (17:01:16.611 PST)
   175.136.162.149 (17:02:12.080 PST)
     event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
     51413->64874 (17:02:12.080 PST)
   211.173.183.236 (17:00:12.001 PST)
     event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
     51413->11220 (17:00:12.001 PST)
   189.54.243.179 (17:01:12.557 PST)
     event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
     51413->43308 (17:01:12.557 PST)
   145.99.175.89 (2) (16:59:09.760 PST)
     event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
     60519->51413 (16:59:09.760 PST)
     60815->51413 (17:00:11.267 PST)
 PEER COORDINATION
 DECLARE BOT Standard Port
 DECLARE BOT Non-standard Port
   69.43.161.167 (16:59:30.871 PST)
     event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
     51413->6099 (16:59:30.871 PST)
 DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1360976349.760 1360976349.761 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 173.70.20.193, 145.99.175.89
Resource List:
Observed Start: 02/15/2013 17:30:51.120 PST
Gen. Time: 02/15/2013 17:31:30.896 PST
 INBOUND SCAN
 EXPLOIT
 EXPLOIT
 MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
 ATTACK PREP
 PEER COORDINATION Info
   173.70.20.193 (17:30:51.120 PST)
     event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
     51413->28886 (17:30:51.120 PST)
   145.99.175.89 (17:31:02.017 PST)
     event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
     54755->51413 (17:31:02.017 PST)
 PEER COORDINATION
 DECLARE BOT Standard Port
 DECLARE BOT Non-standard Port
   69.43.161.167 (17:31:30.896 PST)
     event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
     54953->6099 (17:31:30.896 PST)
 DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1360978251.120 1360978251.121 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 219.78.202.216, 99.37.184.125, 31.151.125.75, 126.31.175.99, 173.70.20.193, 95.211.162.90, 145.99.175.89 (3)
Resource List:
Observed Start: 02/15/2013 17:30:51.120 PST
Gen. Time: 02/15/2013 17:34:53.476 PST
 INBOUND SCAN
 EXPLOIT
 EXPLOIT
 MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
 ATTACK PREP
 PEER COORDINATION Info
   219.78.202.216 (17:32:53.304 PST)
     event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
     51413->18535 (17:32:53.304 PST)
   99.37.184.125 (17:31:51.062 PST)
     event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
     51413->15930 (17:31:51.062 PST)
   31.151.125.75 (17:34:53.476 PST)
     event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
     51413->37642 (17:34:53.476 PST)
   126.31.175.99 (17:33:53.711 PST)
     event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
     51413->59198 (17:33:53.711 PST)
   173.70.20.193 (17:30:51.120 PST)
     event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
     51413->28886 (17:30:51.120 PST)
   95.211.162.90 (17:33:30.531 PST)
     event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
     55439->2710 (17:33:30.531 PST)
   145.99.175.89 (3) (17:31:02.017 PST)
     event=1:1100012 (3) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
     54755->51413 (17:31:02.017 PST)
     55179->51413 (17:32:09.529 PST)
     55620->51413 (17:34:10.046 PST)
 PEER COORDINATION
 DECLARE BOT Standard Port
 DECLARE BOT Non-standard Port
   69.43.161.167 (17:31:30.896 PST)
     event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
     54953->6099 (17:31:30.896 PST)
 DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1360978251.120 1360978251.121 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 175.139.165.16, 99.0.36.64, 145.99.175.89
Resource List:
Observed Start: 02/15/2013 18:31:05.282 PST
Gen. Time: 02/15/2013 18:32:20.411 PST
 INBOUND SCAN
 EXPLOIT
 EXPLOIT
 MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
 ATTACK PREP
 PEER COORDINATION Info
   175.139.165.16 (18:32:05.593 PST)
     event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
     51413->11662 (18:32:05.593 PST)
   99.0.36.64 (18:31:05.282 PST)
     event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
     51413->39092 (18:31:05.282 PST)
   145.99.175.89 (18:31:05.973 PST)
     event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
     54735->51413 (18:31:05.973 PST)
 PEER COORDINATION
 DECLARE BOT Standard Port
 DECLARE BOT Non-standard Port
   69.43.161.167 (18:32:20.411 PST)
     event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
     51413->6099 (18:32:20.411 PST)
 DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1360981865.282 1360981865.283 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 175.139.165.16, 71.196.16.49, 110.74.40.159, 99.0.36.64, 212.178.254.164, 145.99.175.89 (3)
Resource List:
Observed Start: 02/15/2013 18:31:05.282 PST
Gen. Time: 02/15/2013 18:35:07.590 PST
 INBOUND SCAN
 EXPLOIT
 EXPLOIT
 MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
 ATTACK PREP
 PEER COORDINATION Info
   175.139.165.16 (18:32:05.593 PST)
     event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
     51413->11662 (18:32:05.593 PST)
   71.196.16.49 (18:35:07.590 PST)
     event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
     51413->19397 (18:35:07.590 PST)
   110.74.40.159 (18:33:06.129 PST)
     event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
     51413->53684 (18:33:06.129 PST)
   99.0.36.64 (18:31:05.282 PST)
     event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
     51413->39092 (18:31:05.282 PST)
   212.178.254.164 (18:34:06.836 PST)
     event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
     51413->15422 (18:34:06.836 PST)
   145.99.175.89 (3) (18:31:05.973 PST)
     event=1:1100012 (3) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
     54735->51413 (18:31:05.973 PST)
     55182->51413 (18:33:03.985 PST)
     55417->51413 (18:34:06.995 PST)
 PEER COORDINATION
 DECLARE BOT Standard Port
 DECLARE BOT Non-standard Port
   69.43.161.167 (18:32:20.411 PST)
     event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
     51413->6099 (18:32:20.411 PST)
 DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1360981865.282 1360981865.283 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 02/15/2013 19:33:51.807 PST
Gen. Time: 02/15/2013 19:33:51.807 PST
 INBOUND SCAN
 EXPLOIT
 EXPLOIT
 MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
 ATTACK PREP
 PEER COORDINATION Info
 PEER COORDINATION
 DECLARE BOT Standard Port
 DECLARE BOT Non-standard Port
   69.43.161.167 (19:33:51.807 PST)
     event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
     56656->6099 (19:33:51.807 PST)
 DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1360985631.807 1360985631.808 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 175.139.165.16, 89.227.82.74, 201.42.67.150, 202.183.188.215, 95.211.162.90, 145.99.175.89
Resource List:
Observed Start: 02/15/2013 19:33:51.807 PST
Gen. Time: 02/15/2013 19:37:51.415 PST
 INBOUND SCAN
 EXPLOIT
 EXPLOIT
 MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
 ATTACK PREP
 PEER COORDINATION Info
   175.139.165.16 (19:34:49.478 PST)
     event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
     51413->11662 (19:34:49.478 PST)
   89.227.82.74 (19:34:50.759 PST)
     event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
     56928->6346 (19:34:50.759 PST)
   201.42.67.150 (19:35:49.484 PST)
     event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
     51413->12364 (19:35:49.484 PST)
   202.183.188.215 (19:36:51.285 PST)
     event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
     51413->27812 (19:36:51.285 PST)
   95.211.162.90 (19:34:21.194 PST)
     event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
     56868->2710 (19:34:21.194 PST)
   145.99.175.89 (19:36:10.940 PST)
     event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
     57377->51413 (19:36:10.940 PST)
 PEER COORDINATION
 DECLARE BOT Standard Port
 DECLARE BOT Non-standard Port
   69.43.161.167 (19:33:51.807 PST)
     event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
     56656->6099 (19:33:51.807 PST)
 DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1360985631.807 1360985631.808 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 2.216.102.113, 89.227.82.74, 88.124.21.178, 145.99.175.89
Resource List:
Observed Start: 02/15/2013 21:32:06.227 PST
Gen. Time: 02/15/2013 21:34:30.432 PST
 INBOUND SCAN
 EXPLOIT
 EXPLOIT
 MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
 ATTACK PREP
 PEER COORDINATION Info
   2.216.102.113 (21:34:02.651 PST)
     event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
     51413->64050 (21:34:02.651 PST)
   89.227.82.74 (21:33:19.568 PST)
     event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
     52346->6346 (21:33:19.568 PST)
   88.124.21.178 (21:33:01.489 PST)
     event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
     51413->25189 (21:33:01.489 PST)
   145.99.175.89 (21:32:06.227 PST)
     event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
     52080->51413 (21:32:06.227 PST)
 PEER COORDINATION
 DECLARE BOT Standard Port
 DECLARE BOT Non-standard Port
   69.43.161.167 (21:34:30.432 PST)
     event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
     51413->6099 (21:34:30.432 PST)
 DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1360992726.227 1360992726.228 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 2.216.102.113, 78.85.67.134, 89.227.82.74, 187.72.132.97, 88.124.21.178, 95.211.162.90, 145.99.175.89 (2)
Resource List:
Observed Start: 02/15/2013 21:32:06.227 PST
Gen. Time: 02/15/2013 21:36:02.825 PST
 INBOUND SCAN
 EXPLOIT
 EXPLOIT
 MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
 ATTACK PREP
 PEER COORDINATION Info
   2.216.102.113 (21:34:02.651 PST)
     event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
     51413->64050 (21:34:02.651 PST)
   78.85.67.134 (21:35:02.082 PST)
     event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
     51413->49001 (21:35:02.082 PST)
   89.227.82.74 (21:33:19.568 PST)
     event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
     52346->6346 (21:33:19.568 PST)
   187.72.132.97 (21:36:02.825 PST)
     event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
     51413->34197 (21:36:02.825 PST)
   88.124.21.178 (21:33:01.489 PST)
     event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
     51413->25189 (21:33:01.489 PST)
   95.211.162.90 (21:34:41.498 PST)
     event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
     52637->2710 (21:34:41.498 PST)
   145.99.175.89 (2) (21:32:06.227 PST)
     event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
     52080->51413 (21:32:06.227 PST)
     52738->51413 (21:35:04.752 PST)
 PEER COORDINATION
 DECLARE BOT Standard Port
 DECLARE BOT Non-standard Port
   69.43.161.167 (21:34:30.432 PST)
     event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
     51413->6099 (21:34:30.432 PST)
 DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1360992726.227 1360992726.228 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
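Every profile above reaches its DECLARE BOT verdict on one E8 event: the ET ShadowServer reputation rule (sid 9930020 over UDP, 9930009 over TCP) matching 69.43.161.167 on port 6099. All of the PEER COORDINATION Info evidence is E7[info] BitTorrent tracker, DHT and handshake traffic from the same host, and the UDP reputation hit leaves from source port 51413, the same port the DHT pings use. The parser below is an added example, not BotHunter code: it reads profiles in this layout (line-broken or run together as above), regenerates the 1 ms tcpslice window that each profile prints for its Observed Start, and reports what actually carried the verdict. Assumptions: stamps are PST (UTC-8) as the log says, and SAMPLE is the first profile above cut down to two peers.

```python
"""Parse BotHunter infection profiles like the ones above and check which events actually
carry each DECLARE BOT verdict.  Added example, not BotHunter code: the regexes are written
against this page's text, and SAMPLE is the first profile above, cut down to two peers."""
import re
from datetime import datetime, timedelta, timezone
SEPARATOR = "============================== SEPARATOR ================================"
PST = timezone(timedelta(hours=-8))  # every stamp in the log is PST (UTC-8)
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
PHASES = ("INBOUND SCAN", "EXPLOIT", "MALWARE DNS", "EGG DOWNLOAD", "C and C TRAFFIC (RBN)",
          "C and C TRAFFIC", "C and C DNS CHECK-IN", "OUTBOUND SKYPE CANDIDATE", "OUTBOUND SCAN (spp)",
          "OUTBOUND SCAN", "ATTACK PREP", "PEER COORDINATION Info", "PEER COORDINATION", "DECLARE BOT Standard Port",
          "DECLARE BOT Non-standard Port", "DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN")
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# One scanner for the three things inside a profile body: a phase header, the "ip (time)"
# line that owns the events printed under it, and an event line itself (longest names first).
TOKEN = re.compile(
    r"(?P<phase>" + "|".join(re.escape(p) for p in sorted(PHASES, key=len, reverse=True)) + ")"
    r"|(?P<ip>" + IP + r")(?:\s+\(\d+\))?\s+\(\d\d:\d\d:\d\d\.\d{3} PST\)\s+(?=event=)"
    r"|event=(?P<sid>\d+:\d+)(?:\s+\((?P<n>\d+)\))?\s+\{(?P<proto>tcp|udp)\}\s+"
    r"(?P<eclass>E\d)\[(?P<sev>\w+)\]\s+(?P<msg>.*?),\s+\[(?P<payload>.*?)\]\s+"
    r"MAC_Src:\s+(?P<mac>[0-9A-Fa-f:]{17})\s+(?P<sport>\d+)->(?P<dport>\d+)", re.S)
SAMPLE = """\
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 116.15.39.241, 91.224.160.192 (2)
Resource List:
Observed Start: 02/15/2013 15:38:49.294 PST
Gen. Time: 02/15/2013 15:40:40.511 PST
 PEER COORDINATION Info
   116.15.39.241 (15:39:50.433 PST)
     event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
     51413->18581 (15:39:50.433 PST)
   91.224.160.192 (2) (15:40:15.352 PST)
     event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA
     65093->2710 (15:40:15.352 PST)
     -------------------------
     event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
     64907->2710 (15:40:15.352 PST)
 DECLARE BOT Non-standard Port
   69.43.161.167 (15:40:40.511 PST)
     event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
     51413->6099 (15:40:40.511 PST)
tcpslice 1360971529.294 1360971529.295 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
""" + SEPARATOR + "\n"

def parse_profiles(text):
    """One dict per profile: header fields plus every event with its phase and remote IP."""
    profiles = []
    for rec in text.split(SEPARATOR):
        if "Infected Target:" not in rec:
            continue
        peers = re.search(r"Peer Coord\. List:\s*(.*?)\s*Resource List:", rec, re.S).group(1)
        prof = {"score": float(re.search(r"Score:\s*([\d.]+)", rec).group(1)),
                "target": re.search(r"Infected Target:\s*(" + IP + ")", rec).group(1),
                "peers": re.findall(IP, peers),
                "observed_start": re.search(r"Observed Start:\s*(\S+ \S+ PST)", rec).group(1),
                "events": []}
        phase = ip = None
        for m in TOKEN.finditer(rec):
            if m.group("phase"):
                phase = m.group("phase")
            elif m.group("ip"):
                ip = m.group("ip")
            else:  # an event belongs to the phase header and remote IP printed above it
                ev = m.groupdict()
                ev.update(phase=phase, ip=ip, count=int(ev.pop("n") or 1),
                          sport=int(ev["sport"]), dport=int(ev["dport"]))
                prof["events"].append(ev)
        profiles.append(prof)
    return profiles

def epoch_ms(stamp):
    """'02/15/2013 15:38:49.294 PST' -> milliseconds since the Unix epoch."""
    dt = datetime.strptime(stamp, "%m/%d/%Y %H:%M:%S.%f PST").replace(tzinfo=PST)
    return (dt - EPOCH) // timedelta(milliseconds=1)

def tcpslice_cmd(prof):
    """Rebuild the 1 ms tcpslice | tcpdump window the profile prints for its Observed Start."""
    ms = epoch_ms(prof["observed_start"])
    fmt = lambda v: f"{v // 1000}.{v % 1000:03d}"
    return (f"tcpslice {fmt(ms)} {fmt(ms + 1)} inputFile.tcpd | tcpdump -r - -w outputFile.tcpd"
            f" 'host {prof['target']}'")

def triage(prof):
    """Separate the DECLARE BOT events from the evidence that merely accompanies them."""
    declare = [e for e in prof["events"] if (e["phase"] or "").startswith("DECLARE BOT")]
    support = [e for e in prof["events"] if e not in declare]
    return {"target": prof["target"],
            "declared_by": sorted({(e["ip"], e["dport"], e["sid"]) for e in declare}),
            "support_only_e7_info": bool(support) and all(e["eclass"] == "E7" and e["sev"] == "info" for e in support),
            # client source ports the reputation hit shares with ordinary P2P chatter
            "shared_client_ports": sorted({e["sport"] for e in declare} & {e["sport"] for e in support})}

if __name__ == "__main__":
    print(*(triage(p) for p in parse_profiles(SAMPLE)), sep="\n")
```

Run over the whole log, `triage` returns the same shape for all twenty profiles: one `declared_by` entry, `support_only_e7_info` true wherever any peer events exist, and `51413` in `shared_client_ports` for the UDP hits. That is the question to settle before acting on the score: whether 69.43.161.167:6099 is a control server this host talks to or simply an address on the ShadowServer list that a BitTorrent client reached through DHT. The tcpslice window regenerated by `tcpslice_cmd` is where to start, widened to cover the Gen. Time of the profile rather than the single millisecond the log prints.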