Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 173.11.243.162, 177.140.146.198, 145.99.175.89 (2)
Resource List:
Observed Start: 02/16/2013 01:34:49.388 PST
Gen. Time: 02/16/2013 01:36:20.593 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
     173.11.243.162 (01:35:54.233 PST)
       event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
       51413->51413 (01:35:54.233 PST)
     177.140.146.198 (01:34:49.388 PST)
       event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
       51413->40419 (01:34:49.388 PST)
     145.99.175.89 (2) (01:35:01.342 PST)
       event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
       59599->51413 (01:35:01.342 PST)
       59895->51413 (01:36:08.852 PST)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
     69.43.161.167 (01:36:20.593 PST)
       event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
       51413->6099 (01:36:20.593 PST)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1361007289.388 1361007289.389 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 68.49.251.141, 91.218.38.132 (2), 149.126.156.111, 173.11.243.162, 177.140.146.198, 95.211.162.90, 145.99.175.89 (3)
Resource List:
Observed Start: 02/16/2013 01:34:49.388 PST
Gen. Time: 02/16/2013 01:38:48.542 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
     68.49.251.141 (01:37:55.444 PST)
       event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
       51413->23160 (01:37:55.444 PST)
     91.218.38.132 (2) (01:36:24.425 PST)
       event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
       60002->2710 (01:36:24.425 PST)
       -------------------------
       event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA
       60002->2710 (01:36:24.425 PST)
     149.126.156.111 (01:36:55.913 PST)
       event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
       51413->63966 (01:36:55.913 PST)
     173.11.243.162 (01:35:54.233 PST)
       event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
       51413->51413 (01:35:54.233 PST)
     177.140.146.198 (01:34:49.388 PST)
       event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
       51413->40419 (01:34:49.388 PST)
     95.211.162.90 (01:36:21.063 PST)
       event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
       59981->2710 (01:36:21.063 PST)
     145.99.175.89 (3) (01:35:01.342 PST)
       event=1:1100012 (3) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
       59599->51413 (01:35:01.342 PST)
       59895->51413 (01:36:08.852 PST)
       60255->51413 (01:37:17.856 PST)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
     69.43.161.167 (01:36:20.593 PST)
       event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
       51413->6099 (01:36:20.593 PST)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1361007289.388 1361007289.389 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 61.91.88.34
Resource List:
Observed Start: 02/16/2013 03:38:33.211 PST
Gen. Time: 02/16/2013 03:39:01.278 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
     61.91.88.34 (03:38:33.211 PST)
       event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
       50869->16882 (03:38:33.211 PST)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
     69.43.161.167 (03:39:01.278 PST)
       event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
       50974->6099 (03:39:01.278 PST)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1361014713.211 1361014713.212 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 121.14.98.151, 110.74.40.159, 91.218.38.132 (2), 145.99.175.89, 77.230.204.4, 98.210.25.220 (2), 61.91.88.34, 213.93.87.236, 87.219.43.14
Resource List:
Observed Start: 02/16/2013 03:38:33.211 PST
Gen. Time: 02/16/2013 03:42:36.947 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
     121.14.98.151 (03:40:01.475 PST)
       event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
       51416->9090 (03:40:01.475 PST)
     110.74.40.159 (03:41:33.402 PST)
       event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
       51413->53684 (03:41:33.402 PST)
     91.218.38.132 (2) (03:40:01.502 PST)
       event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
       51417->2710 (03:40:01.502 PST)
       -------------------------
       event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA
       51417->2710 (03:40:01.502 PST)
     145.99.175.89 (03:41:04.918 PST)
       event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
       51916->51413 (03:41:04.918 PST)
     77.230.204.4 (03:42:36.947 PST)
       event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
       51413->45682 (03:42:36.947 PST)
     98.210.25.220 (2) (03:40:03.224 PST)
       event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
       51430->6890 (03:40:03.224 PST)
       52325->6890 (03:42:05.254 PST)
     61.91.88.34 (03:38:33.211 PST)
       event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
       50869->16882 (03:38:33.211 PST)
     213.93.87.236 (03:39:33.786 PST)
       event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
       51413->17255 (03:39:33.786 PST)
     87.219.43.14 (03:40:33.011 PST)
       event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
       51413->51413 (03:40:33.011 PST)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
     69.43.161.167 (03:39:01.278 PST)
       event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
       50974->6099 (03:39:01.278 PST)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1361014713.211 1361014713.212 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 02/16/2013 05:39:30.135 PST
Gen. Time: 02/16/2013 05:39:30.135 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
     69.43.161.167 (05:39:30.135 PST)
       event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
       51413->6099 (05:39:30.135 PST)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1361021970.135 1361021970.136 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 91.218.38.132 (2), 82.54.106.199, 202.103.67.135, 121.6.10.117, 201.186.13.244, 83.77.36.32, 145.99.175.89, 98.210.25.220
Resource List:
Observed Start: 02/16/2013 05:39:30.135 PST
Gen. Time: 02/16/2013 05:43:51.709 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
     91.218.38.132 (2) (05:39:43.163 PST)
       event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
       53349->2710 (05:39:43.163 PST)
       -------------------------
       event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA
       53349->2710 (05:39:43.163 PST)
     82.54.106.199 (05:43:02.003 PST)
       event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
       51413->30540 (05:43:02.003 PST)
     202.103.67.135 (05:43:51.709 PST)
       event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [[%CAp%A3m%D1%D2%A2%BE%EB%9E%913L%BA%05%05%C4%85A%93A%E5%0E%CE%0F%10%A5%CFN%D0] MAC_Src: 00:01:64:FF:CE:EA
       55135->8080 (05:43:51.709 PST)
     121.6.10.117 (05:42:01.367 PST)
       event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
       51413->12048 (05:42:01.367 PST)
     201.186.13.244 (05:41:01.372 PST)
       event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
       51413->42079 (05:41:01.372 PST)
     83.77.36.32 (05:40:00.974 PST)
       event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
       51413->10905 (05:40:00.974 PST)
     145.99.175.89 (05:42:20.575 PST)
       event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
       54611->51413 (05:42:20.575 PST)
     98.210.25.220 (05:40:11.882 PST)
       event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
       53557->6890 (05:40:11.882 PST)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
     69.43.161.167 (05:39:30.135 PST)
       event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
       51413->6099 (05:39:30.135 PST)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1361021970.135 1361021970.136 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 78.243.123.67, 89.227.82.74, 85.17.143.16 (2), 98.210.25.220
Resource List:
Observed Start: 02/16/2013 07:40:13.183 PST
Gen. Time: 02/16/2013 07:41:30.327 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
     78.243.123.67 (07:41:06.021 PST)
       event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
       51413->51413 (07:41:06.021 PST)
     89.227.82.74 (07:40:13.183 PST)
       event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
       61712->6346 (07:40:13.183 PST)
     85.17.143.16 (2) (07:40:51.163 PST)
       event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA
       62096->6969 (07:40:51.163 PST)
       -------------------------
       event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
       62096->6969 (07:40:51.163 PST)
     98.210.25.220 (07:41:23.194 PST)
       event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
       62439->6890 (07:41:23.194 PST)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
     69.43.161.167 (07:41:30.327 PST)
       event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
       62520->6099 (07:41:30.327 PST)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1361029213.183 1361029213.184 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 78.243.123.67, 151.16.110.52, 89.227.82.74, 85.17.143.16 (2), 79.18.73.100, 98.210.25.220
Resource List:
Observed Start: 02/16/2013 07:40:13.183 PST
Gen. Time: 02/16/2013 07:43:06.852 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
     78.243.123.67 (07:41:06.021 PST)
       event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
       51413->51413 (07:41:06.021 PST)
     151.16.110.52 (07:42:06.052 PST)
       event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
       51413->30640 (07:42:06.052 PST)
     89.227.82.74 (07:40:13.183 PST)
       event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
       61712->6346 (07:40:13.183 PST)
     85.17.143.16 (2) (07:40:51.163 PST)
       event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA
       62096->6969 (07:40:51.163 PST)
       -------------------------
       event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
       62096->6969 (07:40:51.163 PST)
     79.18.73.100 (07:43:06.852 PST)
       event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
       51413->43364 (07:43:06.852 PST)
     98.210.25.220 (07:41:23.194 PST)
       event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
       62439->6890 (07:41:23.194 PST)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
     69.43.161.167 (07:41:30.327 PST)
       event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
       62520->6099 (07:41:30.327 PST)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1361029213.183 1361029213.184 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 02/16/2013 09:41:40.066 PST
Gen. Time: 02/16/2013 09:41:40.066 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
     69.43.161.167 (09:41:40.066 PST)
       event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
       51413->6099 (09:41:40.066 PST)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1361036500.066 1361036500.067 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 78.100.173.129, 124.95.156.162, 177.141.198.167, 74.141.182.183, 91.218.38.132 (2), 62.98.20.16, 2.84.22.80, 145.99.175.89
Resource List:
Observed Start: 02/16/2013 09:41:40.066 PST
Gen. Time: 02/16/2013 09:45:20.101 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
     78.100.173.129 (09:44:20.215 PST)
       event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
       51413->31396 (09:44:20.215 PST)
     124.95.156.162 (09:42:38.918 PST)
       event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
       55931->10298 (09:42:38.918 PST)
     177.141.198.167 (09:42:19.160 PST)
       event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
       51413->62943 (09:42:19.160 PST)
     74.141.182.183 (09:42:06.914 PST)
       event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:01:64:FF:CE:EA
       55675->6881 (09:42:06.914 PST)
     91.218.38.132 (2) (09:42:58.153 PST)
       event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
       56023->2710 (09:42:58.153 PST)
       -------------------------
       event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA
       56023->2710 (09:42:58.153 PST)
     62.98.20.16 (09:45:20.101 PST)
       event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
       51413->30695 (09:45:20.101 PST)
     2.84.22.80 (09:43:19.589 PST)
       event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
       51413->58992 (09:43:19.589 PST)
     145.99.175.89 (09:44:05.097 PST)
       event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
       56600->51413 (09:44:05.097 PST)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
     69.43.161.167 (09:41:40.066 PST)
       event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
       51413->6099 (09:41:40.066 PST)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1361036500.066 1361036500.067 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 124.95.156.162, 176.61.92.93, 108.35.182.217, 77.230.204.4, 145.99.175.89
Resource List:
Observed Start: 02/16/2013 11:40:30.437 PST
Gen. Time: 02/16/2013 11:43:30.750 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
     124.95.156.162 (11:42:20.100 PST)
       event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
       51671->10298 (11:42:20.100 PST)
     176.61.92.93 (11:40:30.437 PST)
       event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
       51413->46561 (11:40:30.437 PST)
     108.35.182.217 (11:42:31.032 PST)
       event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
       51413->55845 (11:42:31.032 PST)
     77.230.204.4 (11:41:30.319 PST)
       event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
       51413->45682 (11:41:30.319 PST)
     145.99.175.89 (11:41:14.256 PST)
       event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
       51129->51413 (11:41:14.256 PST)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
     69.43.161.167 (11:43:30.750 PST)
       event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
       52233->6099 (11:43:30.750 PST)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1361043630.437 1361043630.438 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 124.95.156.162, 176.61.92.93, 108.35.182.217, 121.1.52.25, 77.230.204.4, 145.99.175.89
Resource List:
Observed Start: 02/16/2013 11:40:30.437 PST
Gen. Time: 02/16/2013 11:44:30.495 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
     124.95.156.162 (11:42:20.100 PST)
       event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
       51671->10298 (11:42:20.100 PST)
     176.61.92.93 (11:40:30.437 PST)
       event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
       51413->46561 (11:40:30.437 PST)
     108.35.182.217 (11:42:31.032 PST)
       event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
       51413->55845 (11:42:31.032 PST)
     121.1.52.25 (11:43:32.285 PST)
       event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
       51413->42810 (11:43:32.285 PST)
     77.230.204.4 (11:41:30.319 PST)
       event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
       51413->45682 (11:41:30.319 PST)
     145.99.175.89 (11:41:14.256 PST)
       event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
       51129->51413 (11:41:14.256 PST)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
     69.43.161.167 (11:43:30.750 PST)
       event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
       52233->6099 (11:43:30.750 PST)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1361043630.437 1361043630.438 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 218.33.196.119
Resource List:
Observed Start: 02/16/2013 13:43:01.303 PST
Gen. Time: 02/16/2013 13:44:00.998 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
     218.33.196.119 (13:43:01.303 PST)
       event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
       51413->49152 (13:43:01.303 PST)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
     69.43.161.167 (13:44:00.998 PST)
       event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
       51413->6099 (13:44:00.998 PST)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1361050981.303 1361050981.304 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 82.12.4.85, 24.52.246.99, 37.143.76.214, 145.99.175.89 (2), 218.33.196.119
Resource List:
Observed Start: 02/16/2013 13:43:01.303 PST
Gen. Time: 02/16/2013 13:46:39.660 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
     82.12.4.85 (13:44:01.456 PST)
       event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
       51413->44494 (13:44:01.456 PST)
     24.52.246.99 (13:46:01.047 PST)
       event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
       51413->46857 (13:46:01.047 PST)
     37.143.76.214 (13:45:01.014 PST)
       event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
       51413->54338 (13:45:01.014 PST)
     145.99.175.89 (2) (13:44:05.894 PST)
       event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
       62115->51413 (13:44:05.894 PST)
       62719->51413 (13:45:10.911 PST)
     218.33.196.119 (13:43:01.303 PST)
       event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
       51413->49152 (13:43:01.303 PST)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
     69.43.161.167 (13:44:00.998 PST)
       event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
       51413->6099 (13:44:00.998 PST)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1361050981.303 1361050981.304 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 92.26.255.231, 220.208.243.46, 99.0.36.64, 145.99.175.89 (3)
Resource List:
Observed Start: 02/16/2013 15:44:06.563 PST
Gen. Time: 02/16/2013 15:46:31.182 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
     92.26.255.231 (15:44:18.655 PST)
       event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
       51413->36853 (15:44:18.655 PST)
     220.208.243.46 (15:46:20.014 PST)
       event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
       51413->64219 (15:46:20.014 PST)
     99.0.36.64 (15:45:18.255 PST)
       event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
       51413->39092 (15:45:18.255 PST)
     145.99.175.89 (3) (15:44:06.563 PST)
       event=1:1100012 (3) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
       64267->51413 (15:44:06.563 PST)
       64673->51413 (15:45:10.572 PST)
       65137->51413 (15:46:17.082 PST)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
     69.43.161.167 (15:46:31.182 PST)
       event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
       65280->6099 (15:46:31.182 PST)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1361058246.563 1361058246.564 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 92.26.255.231, 220.208.243.46, 99.0.36.64, 77.230.204.4, 145.99.175.89 (4)
Resource List:
Observed Start: 02/16/2013 15:44:06.563 PST
Gen. Time: 02/16/2013 15:48:12.210 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
     92.26.255.231 (15:44:18.655 PST)
       event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
       51413->36853 (15:44:18.655 PST)
     220.208.243.46 (15:46:20.014 PST)
       event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
       51413->64219 (15:46:20.014 PST)
     99.0.36.64 (15:45:18.255 PST)
       event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
       51413->39092 (15:45:18.255 PST)
     77.230.204.4 (15:47:20.583 PST)
       event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
       51413->45682 (15:47:20.583 PST)
     145.99.175.89 (4) (15:44:06.563 PST)
       event=1:1100012 (4) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
       64267->51413 (15:44:06.563 PST)
       64673->51413 (15:45:10.572 PST)
       65137->51413 (15:46:17.082 PST)
       49169->51413 (15:47:18.085 PST)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
     69.43.161.167 (15:46:31.182 PST)
       event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
       65280->6099 (15:46:31.182 PST)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1361058246.563 1361058246.564 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 91.218.38.132 (2), 93.144.3.156, 212.59.28.49, 2.83.132.98, 79.18.73.100, 145.99.175.89 (2)
Resource List:
Observed Start: 02/16/2013 17:45:07.096 PST
Gen. Time: 02/16/2013 17:47:30.664 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
     91.218.38.132 (2) (17:46:03.403 PST)
       event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
       60805->2710 (17:46:03.403 PST)
       -------------------------
       event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA
       60805->2710 (17:46:03.403 PST)
     93.144.3.156 (17:47:21.417 PST)
       event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
       51413->45559 (17:47:21.417 PST)
     212.59.28.49 (17:47:11.799 PST)
       event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
       61212->2710 (17:47:11.799 PST)
     2.83.132.98 (17:46:21.789 PST)
       event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
       51413->32276 (17:46:21.789 PST)
     79.18.73.100 (17:45:15.666 PST)
       event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
       51413->43364 (17:45:15.666 PST)
     145.99.175.89 (2) (17:45:07.096 PST)
       event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
       60483->51413 (17:45:07.096 PST)
       61161->51413 (17:47:04.619 PST)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
     69.43.161.167 (17:47:30.664 PST)
       event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
       51413->6099 (17:47:30.664 PST)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1361065507.096 1361065507.097 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 91.218.38.132 (2), 93.144.3.156, 79.18.73.100 (2), 145.99.175.89 (3), 212.59.28.49 (2), 2.83.132.98
Resource List:
Observed Start: 02/16/2013 17:45:07.096 PST
Gen. Time: 02/16/2013 17:49:07.634 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
     91.218.38.132 (2) (17:46:03.403 PST)
       event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
       60805->2710 (17:46:03.403 PST)
       -------------------------
       event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA
       60805->2710 (17:46:03.403 PST)
     93.144.3.156 (17:47:21.417 PST)
       event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
       51413->45559 (17:47:21.417 PST)
     79.18.73.100 (2) (17:45:15.666 PST-17:48:22.583 PST)
       event=1:1100013 (2) {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
       2: 51413->43364 (17:45:15.666 PST-17:48:22.583 PST)
     145.99.175.89 (3) (17:45:07.096 PST)
       event=1:1100012 (3) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
       61161->51413 (17:47:04.619 PST)
       61896->51413 (17:49:07.634 PST)
       60483->51413 (17:45:07.096 PST)
     212.59.28.49 (2) (17:47:11.799 PST)
       event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
       61212->2710 (17:47:11.799 PST)
       -------------------------
       event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
       61717->2710 (17:48:31.308 PST)
     2.83.132.98 (17:46:21.789 PST)
       event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
       51413->32276 (17:46:21.789 PST)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
     69.43.161.167 (17:47:30.664 PST)
       event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
       51413->6099 (17:47:30.664 PST)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1361065507.096 1361065702.584 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 02/16/2013 19:49:30.625 PST
Gen. Time: 02/16/2013 19:49:30.625 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
     69.43.161.167 (19:49:30.625 PST)
       event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
       49518->6099 (19:49:30.625 PST)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1361072970.625 1361072970.626 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 93.50.57.31, 187.56.165.6, 120.60.130.68, 46.129.56.78, 202.103.67.135, 145.99.175.89 (3)
Resource List:
Observed Start: 02/16/2013 19:49:30.625 PST
Gen. Time: 02/16/2013 19:53:17.418 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
     93.50.57.31 (19:49:34.999 PST)
       event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
       51413->22580 (19:49:34.999 PST)
     187.56.165.6 (19:51:42.806 PST)
       event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
       51413->50237 (19:51:42.806 PST)
     120.60.130.68 (19:50:39.048 PST)
       event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
       51413->41161 (19:50:39.048 PST)
     46.129.56.78 (19:52:45.917 PST)
       event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
       51413->51413 (19:52:45.917 PST)
     202.103.67.135 (19:52:01.089 PST)
       event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
       50021->8080 (19:52:01.089 PST)
     145.99.175.89 (3) (19:49:58.554 PST)
       event=1:1100012 (3) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
       49583->51413 (19:49:58.554 PST)
       49923->51413 (19:51:27.066 PST)
       50331->51413 (19:53:16.414 PST)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
     69.43.161.167 (19:49:30.625 PST)
       event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
       49518->6099 (19:49:30.625 PST)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1361072970.625 1361072970.626 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 98.251.17.162
Resource List:
Observed Start: 02/16/2013 21:49:54.371 PST
Gen.
Time: 02/16/2013 21:50:10.076 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 98.251.17.162 (21:49:54.371 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->43611 (21:49:54.371 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (21:50:10.076 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (21:50:10.076 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1361080194.371 1361080194.372 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 78.144.93.91, 81.136.150.113, 109.182.212.164, 98.251.17.162, 202.103.67.135, 145.99.175.89 (2) Resource List: Observed Start: 02/16/2013 21:49:54.371 PST Gen. 
Time: 02/16/2013 21:53:57.686 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 78.144.93.91 (21:53:00.110 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->16924 (21:53:00.110 PST) 81.136.150.113 (21:52:00.147 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->49906 (21:52:00.147 PST) 109.182.212.164 (21:50:58.158 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->63966 (21:50:58.158 PST) 98.251.17.162 (21:49:54.371 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->43611 (21:49:54.371 PST) 202.103.67.135 (21:52:50.942 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 63865->8080 (21:52:50.942 PST) 145.99.175.89 (2) (21:50:52.423 PST) event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 63318->51413 (21:50:52.423 PST) 63678->51413 (21:52:01.435 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (21:50:10.076 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (21:50:10.076 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1361080194.371 1361080194.372 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================