Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 109.182.212.164 Resource List: Observed Start: 02/17/2013 01:52:06.760 PST Gen. Time: 02/17/2013 01:52:30.442 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 109.182.212.164 (01:52:06.760 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->63966 (01:52:06.760 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (01:52:30.442 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (01:52:30.442 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1361094726.760 1361094726.761 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 121.14.98.151, 91.218.38.132, 212.59.28.49, 119.46.206.54, 85.99.195.3, 109.182.212.164, 222.185.229.217, 93.182.188.11, 177.32.99.161 Resource List: Observed Start: 02/17/2013 01:52:06.760 PST Gen. 
Time: 02/17/2013 01:55:30.607 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 121.14.98.151 (01:53:51.008 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 49629->9090 (01:53:51.008 PST) 91.218.38.132 (01:55:11.201 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 50249->2710 (01:55:11.201 PST) 212.59.28.49 (01:54:31.640 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 49989->2710 (01:54:31.640 PST) 119.46.206.54 (01:54:37.227 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 50018->16884 (01:54:37.227 PST) 85.99.195.3 (01:55:07.231 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->61740 (01:55:07.231 PST) 109.182.212.164 (01:52:06.760 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->63966 (01:52:06.760 PST) 222.185.229.217 (01:53:34.217 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 49598->27031 (01:53:34.217 PST) 93.182.188.11 (01:53:06.743 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->43611 (01:53:06.743 PST) 177.32.99.161 (01:54:06.511 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->10506 (01:54:06.511 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (01:52:30.442 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (01:52:30.442 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1361094726.760 1361094726.761 inputFile.tcpd | 
tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 84.10.134.236, 91.218.38.132 (2), 79.126.6.30, 208.83.20.164 (2) Resource List: Observed Start: 02/17/2013 03:52:10.516 PST Gen. Time: 02/17/2013 03:54:20.955 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 84.10.134.236 (03:53:00.551 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->32935 (03:53:00.551 PST) 91.218.38.132 (2) (03:54:20.955 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 65082->2710 (03:54:20.955 PST) ------------------------- event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 65082->2710 (03:54:20.955 PST) 79.126.6.30 (03:54:00.274 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->45137 (03:54:00.274 PST) 208.83.20.164 (2) (03:52:10.516 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 64494->80 (03:52:10.516 PST) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%88%81h!f%09%00%AF:|/U;%BCmJH%F3,J] MAC_Src: 00:01:64:FF:CE:EA 64494->80 (03:52:10.516 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (03:54:20.955 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 65417->6099 (03:54:20.955 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1361101930.516 1361101930.517 inputFile.tcpd | tcpdump -r - 
-w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 89.155.187.191, 84.10.134.236, 188.138.32.243, 91.218.38.132 (2), 79.126.6.30, 208.83.20.164 (2) Resource List: Observed Start: 02/17/2013 03:52:10.516 PST Gen. Time: 02/17/2013 03:55:58.155 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 89.155.187.191 (03:55:00.347 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->12325 (03:55:00.347 PST) 84.10.134.236 (03:53:00.551 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->32935 (03:53:00.551 PST) 188.138.32.243 (03:55:01.332 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 49193->2710 (03:55:01.332 PST) 91.218.38.132 (2) (03:54:20.955 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 65082->2710 (03:54:20.955 PST) ------------------------- event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 65082->2710 (03:54:20.955 PST) 79.126.6.30 (03:54:00.274 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->45137 (03:54:00.274 PST) 208.83.20.164 (2) (03:52:10.516 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 64494->80 (03:52:10.516 PST) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%88%81h!f%09%00%AF:|/U;%BCmJH%F3,J] MAC_Src: 00:01:64:FF:CE:EA 64494->80 (03:52:10.516 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE 
BOT Non-standard Port 69.43.161.167 (03:54:20.955 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 65417->6099 (03:54:20.955 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1361101930.516 1361101930.517 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 14.97.20.82, 91.218.38.132 (2), 95.180.90.3, 208.83.20.164 (2), 145.99.175.89 (2) Resource List: Observed Start: 02/17/2013 05:52:31.464 PST Gen. Time: 02/17/2013 05:54:40.529 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 14.97.20.82 (05:53:24.802 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->11282 (05:53:24.802 PST) 91.218.38.132 (2) (05:52:49.767 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 51527->2710 (05:52:49.767 PST) ------------------------- event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 51527->2710 (05:52:49.767 PST) 95.180.90.3 (05:54:25.777 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->55437 (05:54:25.777 PST) 208.83.20.164 (2) (05:52:31.464 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 51487->80 (05:52:31.464 PST) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%88%81h!f%09%00%AF:|/U;%BCmJH%F3,J] MAC_Src: 00:01:64:FF:CE:EA 51487->80 (05:52:31.464 PST) 145.99.175.89 (2) (05:53:18.469 PST) 
event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 51793->51413 (05:53:18.469 PST) 52318->51413 (05:54:22.478 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (05:54:40.529 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (05:54:40.529 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1361109151.464 1361109151.465 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 183.99.223.89, 208.83.20.164 (3), 91.218.38.132 (2), 14.97.20.82, 145.99.175.89 (2), 212.59.28.49 (2), 95.180.90.3, 109.182.212.164, 89.227.82.74 Resource List: Observed Start: 02/17/2013 05:52:31.464 PST Gen. Time: 02/17/2013 05:56:33.283 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 183.99.223.89 (05:56:28.398 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->60870 (05:56:28.398 PST) 208.83.20.164 (3) (05:52:31.464 PST) event=1:1100016 (2) {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 51487->80 (05:52:31.464 PST) 53328->6969 (05:56:31.417 PST) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%88%81h!f%09%00%AF:|/U;%BCmJH%F3,J] MAC_Src: 00:01:64:FF:CE:EA 51487->80 (05:52:31.464 PST) 91.218.38.132 (2) (05:52:49.767 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 51527->2710 (05:52:49.767 PST) ------------------------- event=1:2102180 
{tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 51527->2710 (05:52:49.767 PST) 14.97.20.82 (05:53:24.802 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->11282 (05:53:24.802 PST) 145.99.175.89 (2) (05:53:18.469 PST) event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 51793->51413 (05:53:18.469 PST) 52318->51413 (05:54:22.478 PST) 212.59.28.49 (2) (05:55:31.369 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 52872->2710 (05:55:31.369 PST) ------------------------- event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 52885->2710 (05:55:36.831 PST) 95.180.90.3 (05:54:25.777 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->55437 (05:54:25.777 PST) 109.182.212.164 (05:55:28.318 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->63966 (05:55:28.318 PST) 89.227.82.74 (05:56:04.334 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 52969->6346 (05:56:04.334 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (05:54:40.529 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (05:54:40.529 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1361109151.464 1361109151.465 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 94.226.69.237, 89.227.82.74, 188.142.222.146, 109.224.64.230, 208.83.20.164, 145.99.175.89 (2) Resource List: Observed Start: 02/17/2013 07:53:01.311 PST Gen. 
Time: 02/17/2013 07:56:20.932 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 94.226.69.237 (07:56:01.325 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->26748 (07:56:01.325 PST) 89.227.82.74 (07:54:07.975 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 59090->6346 (07:54:07.975 PST) 188.142.222.146 (07:55:00.065 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->24341 (07:55:00.065 PST) 109.224.64.230 (07:54:00.740 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->16912 (07:54:00.740 PST) 208.83.20.164 (07:53:01.311 PST) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%88%81h!f%09%00%AF:|/U;%BCmJH%F3,J] MAC_Src: 00:01:64:FF:CE:EA 58562->80 (07:53:01.311 PST) 145.99.175.89 (2) (07:55:09.154 PST) event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 59557->51413 (07:55:09.154 PST) 60099->51413 (07:56:14.163 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (07:56:20.932 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 60152->6099 (07:56:20.932 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1361116381.311 1361116381.312 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. 
List: 94.226.69.237, 89.227.82.74, 173.212.56.250 (2), 188.142.222.146, 109.224.64.230, 208.83.20.164, 145.99.175.89 (2) Resource List: Observed Start: 02/17/2013 07:53:01.311 PST Gen. Time: 02/17/2013 07:57:01.424 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 94.226.69.237 (07:56:01.325 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->26748 (07:56:01.325 PST) 89.227.82.74 (07:54:07.975 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 59090->6346 (07:54:07.975 PST) 173.212.56.250 (2) (07:56:20.978 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [%C8%1B+t$j%F5%0B%AB] MAC_Src: 00:01:64:FF:CE:EA 60154->80 (07:56:20.978 PST) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF9%FFW%97%12%FFV%1B%A0%A8%0C%16Q%02%0D%A2] MAC_Src: 00:01:64:FF:CE:EA 60154->80 (07:56:20.978 PST) 188.142.222.146 (07:55:00.065 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->24341 (07:55:00.065 PST) 109.224.64.230 (07:54:00.740 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->16912 (07:54:00.740 PST) 208.83.20.164 (07:53:01.311 PST) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%88%81h!f%09%00%AF:|/U;%BCmJH%F3,J] MAC_Src: 00:01:64:FF:CE:EA 58562->80 (07:53:01.311 PST) 145.99.175.89 (2) (07:55:09.154 PST) event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 59557->51413 (07:55:09.154 PST) 60099->51413 (07:56:14.163 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (07:56:20.932 PST) event=1:9930009 {tcp} 
E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 60152->6099 (07:56:20.932 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1361116381.311 1361116381.312 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 124.95.156.162, 92.39.202.40, 41.233.117.19, 91.218.38.132 (2), 189.104.219.144, 109.162.210.241, 208.83.20.164 (2), 212.59.28.49 Resource List: Observed Start: 02/17/2013 09:53:35.770 PST Gen. Time: 02/17/2013 09:57:00.823 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 124.95.156.162 (09:55:34.185 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 49698->22631 (09:55:34.185 PST) 92.39.202.40 (09:53:35.770 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->63205 (09:53:35.770 PST) 41.233.117.19 (09:55:38.813 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->29733 (09:55:38.813 PST) 91.218.38.132 (2) (09:56:23.881 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 50012->2710 (09:56:23.881 PST) ------------------------- event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 50012->2710 (09:56:23.881 PST) 189.104.219.144 (09:56:38.695 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->53630 (09:56:38.695 PST) 109.162.210.241 (09:54:37.440 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->48581 (09:54:37.440 PST) 208.83.20.164 
(2) (09:53:41.527 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 65158->80 (09:53:41.527 PST) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%88%81h!f%09%00%AF:|/U;%BCmJH%F3,J] MAC_Src: 00:01:64:FF:CE:EA 65158->80 (09:53:41.527 PST) 212.59.28.49 (09:54:25.272 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 49230->2710 (09:54:25.272 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (09:57:00.823 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (09:57:00.823 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1361123615.770 1361123615.771 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 188.138.32.243, 124.95.156.162, 208.83.20.164 (2), 91.218.38.132 (2), 92.39.202.40, 212.59.28.49, 189.104.219.144, 41.233.117.19, 109.162.210.241, 89.227.82.74 Resource List: Observed Start: 02/17/2013 09:53:35.770 PST Gen. 
Time: 02/17/2013 09:57:36.183 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 188.138.32.243 (09:57:11.293 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 50221->2710 (09:57:11.293 PST) 124.95.156.162 (09:55:34.185 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 49698->22631 (09:55:34.185 PST) 208.83.20.164 (2) (09:53:41.527 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 65158->80 (09:53:41.527 PST) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%88%81h!f%09%00%AF:|/U;%BCmJH%F3,J] MAC_Src: 00:01:64:FF:CE:EA 65158->80 (09:53:41.527 PST) 91.218.38.132 (2) (09:56:23.881 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 50012->2710 (09:56:23.881 PST) ------------------------- event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 50012->2710 (09:56:23.881 PST) 92.39.202.40 (09:53:35.770 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->63205 (09:53:35.770 PST) 212.59.28.49 (09:54:25.272 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 49230->2710 (09:54:25.272 PST) 189.104.219.144 (09:56:38.695 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->53630 (09:56:38.695 PST) 41.233.117.19 (09:55:38.813 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->29733 (09:55:38.813 PST) 109.162.210.241 (09:54:37.440 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 
51413->48581 (09:54:37.440 PST) 89.227.82.74 (09:57:12.196 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 50228->6346 (09:57:12.196 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (09:57:00.823 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (09:57:00.823 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1361123615.770 1361123615.771 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 24.230.251.252 Resource List: Observed Start: 02/17/2013 11:58:02.004 PST Gen. Time: 02/17/2013 11:59:01.016 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 24.230.251.252 (11:58:02.004 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->56713 (11:58:02.004 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (11:59:01.016 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 57341->6099 (11:59:01.016 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1361131082.004 1361131082.005 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. 
List: 208.83.20.164 (2), 145.99.175.89 (2), 91.202.73.55, 91.224.160.192, 74.76.148.53, 213.100.160.48, 151.49.181.126, 24.230.251.252, 89.227.82.74 Resource List: Observed Start: 02/17/2013 11:58:02.004 PST Gen. Time: 02/17/2013 12:02:02.628 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 208.83.20.164 (2) (12:01:23.229 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 58495->6969 (12:01:23.229 PST) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%81%B4[0%BAx%FF%8C%FF%FF%FF%FD%01%A0S%FF] MAC_Src: 00:01:64:FF:CE:EA 58496->80 (12:01:23.229 PST) 145.99.175.89 (2) (12:00:41.136 PST) event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 58133->51413 (12:00:41.136 PST) 58703->51413 (12:01:42.150 PST) 91.202.73.55 (12:02:01.551 PST) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF9%FFW%97%12%FFV%1B%A0%A8%0C%16Q%02%0D%A2] MAC_Src: 00:01:64:FF:CE:EA 58809->80 (12:02:01.551 PST) 91.224.160.192 (12:02:01.470 PST) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 58807->2710 (12:02:01.470 PST) 74.76.148.53 (12:01:03.252 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->50053 (12:01:03.252 PST) 213.100.160.48 (11:59:02.129 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->31591 (11:59:02.129 PST) 151.49.181.126 (12:00:03.573 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51015 (12:00:03.573 PST) 24.230.251.252 (11:58:02.004 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 
00:01:64:FF:CE:EA 51413->56713 (11:58:02.004 PST) 89.227.82.74 (11:59:34.959 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 57606->6346 (11:59:34.959 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (11:59:01.016 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 57341->6099 (11:59:01.016 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1361131082.004 1361131082.005 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 188.138.32.243, 91.218.38.132 (2), 41.237.245.214, 109.242.245.97, 202.103.67.135, 145.99.175.89 Resource List: Observed Start: 02/17/2013 13:58:16.452 PST Gen. Time: 02/17/2013 14:00:01.102 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 188.138.32.243 (13:58:50.425 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 52521->2710 (13:58:50.425 PST) 91.218.38.132 (2) (13:58:50.500 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 52524->2710 (13:58:50.500 PST) ------------------------- event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 52524->2710 (13:58:50.500 PST) 41.237.245.214 (13:58:16.452 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->28068 (13:58:16.452 PST) 109.242.245.97 (13:59:16.277 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->57922 (13:59:16.277 PST) 
202.103.67.135 (13:59:50.955 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [/FEEDS/AGENT14/2013-01-01/DailyFeed.2013-01-01.tar.gz] MAC_Src: 00:01:64:FF:CE:EA 52915->8080 (13:59:50.955 PST) 145.99.175.89 (13:58:53.876 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 52530->51413 (13:58:53.876 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (14:00:01.102 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (14:00:01.102 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1361138296.452 1361138296.453 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 188.138.32.243, 109.242.245.97, 124.95.156.162, 91.218.38.132 (2), 145.99.175.89 (2), 202.103.67.135, 41.237.245.214, 90.218.161.52, 189.123.198.55 Resource List: Observed Start: 02/17/2013 13:58:16.452 PST Gen. 
Time: 02/17/2013 14:01:59.772 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 188.138.32.243 (13:58:50.425 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 52521->2710 (13:58:50.425 PST) 109.242.245.97 (13:59:16.277 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->57922 (13:59:16.277 PST) 124.95.156.162 (14:00:04.728 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 53011->22631 (14:00:04.728 PST) 91.218.38.132 (2) (13:58:50.500 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 52524->2710 (13:58:50.500 PST) ------------------------- event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 52524->2710 (13:58:50.500 PST) 145.99.175.89 (2) (13:58:53.876 PST) event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 52530->51413 (13:58:53.876 PST) 53765->51413 (14:01:39.400 PST) 202.103.67.135 (13:59:50.955 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [/FEEDS/AGENT14/2013-01-01/DailyFeed.2013-01-01.tar.gz] MAC_Src: 00:01:64:FF:CE:EA 52915->8080 (13:59:50.955 PST) 41.237.245.214 (13:58:16.452 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->28068 (13:58:16.452 PST) 90.218.161.52 (14:00:16.015 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->17059 (14:00:16.015 PST) 189.123.198.55 (14:01:16.219 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->45685 (14:01:16.219 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (14:00:01.102 PST) 
event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (14:00:01.102 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1361138296.452 1361138296.453 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 78.129.3.8 Resource List: Observed Start: 02/17/2013 16:01:13.281 PST Gen. Time: 02/17/2013 16:01:21.132 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 78.129.3.8 (16:01:13.281 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->44111 (16:01:13.281 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (16:01:21.132 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 50937->6099 (16:01:21.132 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1361145673.281 1361145673.282 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 124.95.156.162, 78.129.3.8, 190.57.205.195, 91.224.160.192, 99.166.106.191, 126.31.175.99, 145.99.175.89 (2) Resource List: Observed Start: 02/17/2013 16:01:13.281 PST Gen. 
Time: 02/17/2013 16:05:09.258 PST
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP
PEER COORDINATION
  Info 124.95.156.162 (16:04:17.421 PST)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 51829->22631 (16:04:17.421 PST)
  78.129.3.8 (16:01:13.281 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->44111 (16:01:13.281 PST)
  190.57.205.195 (16:04:16.505 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->49797 (16:04:16.505 PST)
  91.224.160.192 (16:04:23.340 PST)
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 51878->2710 (16:04:23.340 PST)
  99.166.106.191 (16:02:13.703 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->48842 (16:02:13.703 PST)
  126.31.175.99 (16:03:15.241 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->59198 (16:03:15.241 PST)
  145.99.175.89 (2) (16:02:08.572 PST)
    event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 51170->51413 (16:02:08.572 PST) 51511->51413 (16:03:10.080 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (16:01:21.132 PST)
    event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 50937->6099 (16:01:21.132 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1361145673.281 1361145673.282 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord.
List: 186.129.16.101, 145.99.175.89
Resource List:
Observed Start: 02/17/2013 18:01:54.574 PST
Gen. Time: 02/17/2013 18:02:10.906 PST
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP
PEER COORDINATION
  Info 186.129.16.101 (18:01:54.574 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->31895 (18:01:54.574 PST)
  145.99.175.89 (18:02:07.052 PST)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 56357->51413 (18:02:07.052 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (18:02:10.906 PST)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (18:02:10.906 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1361152914.574 1361152914.575 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 177.156.172.40, 81.105.198.19, 46.129.56.78, 89.89.145.3, 186.129.16.101, 145.99.175.89 (2)
Resource List:
Observed Start: 02/17/2013 18:01:54.574 PST
Gen.
Time: 02/17/2013 18:05:29.728 PST
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP
PEER COORDINATION
  Info 177.156.172.40 (18:03:19.891 PST)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 56717->57431 (18:03:19.891 PST)
  81.105.198.19 (18:02:55.066 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->35935 (18:02:55.066 PST)
  46.129.56.78 (18:04:57.030 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51413 (18:04:57.030 PST)
  89.89.145.3 (18:03:56.536 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->12297 (18:03:56.536 PST)
  186.129.16.101 (18:01:54.574 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->31895 (18:01:54.574 PST)
  145.99.175.89 (2) (18:02:07.052 PST)
    event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 56357->51413 (18:02:07.052 PST) 57246->51413 (18:05:06.082 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (18:02:10.906 PST)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (18:02:10.906 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1361152914.574 1361152914.575 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 187.106.169.59
Resource List:
Observed Start: 02/17/2013 20:03:11.763 PST
Gen.
Time: 02/17/2013 20:03:21.221 PST
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP
PEER COORDINATION
  Info 187.106.169.59 (20:03:11.763 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->26476 (20:03:11.763 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (20:03:21.221 PST)
    event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 59701->6099 (20:03:21.221 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1361160191.763 1361160191.764 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 187.106.169.59, 213.98.4.17, 126.31.175.99, 37.153.12.154 (2), 180.191.85.88, 208.83.20.164, 145.99.175.89 (2)
Resource List:
Observed Start: 02/17/2013 20:03:11.763 PST
Gen.
Time: 02/17/2013 20:07:02.105 PST
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP
PEER COORDINATION
  Info 187.106.169.59 (20:03:11.763 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->26476 (20:03:11.763 PST)
  213.98.4.17 (20:06:17.087 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->13186 (20:06:17.087 PST)
  126.31.175.99 (20:04:13.592 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->59198 (20:04:13.592 PST)
  37.153.12.154 (2) (20:06:17.038 PST)
    event=1:2102181 (2) {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:01:64:FF:CE:EA 60492->6881 (20:06:17.038 PST) 60529->6881 (20:06:27.039 PST)
  180.191.85.88 (20:05:17.202 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->21139 (20:05:17.202 PST)
  208.83.20.164 (20:06:51.097 PST)
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 60595->6969 (20:06:51.097 PST)
  145.99.175.89 (2) (20:04:05.489 PST)
    event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 59888->51413 (20:04:05.489 PST) 60463->51413 (20:06:11.002 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (20:03:21.221 PST)
    event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 59701->6099 (20:03:21.221 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1361160191.763 1361160191.764 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord.
List: 67.45.249.165, 114.47.203.158, 202.103.67.135, 177.40.48.107, 145.99.175.89
Resource List:
Observed Start: 02/17/2013 22:02:01.288 PST
Gen. Time: 02/17/2013 22:04:11.024 PST
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP
PEER COORDINATION
  Info 67.45.249.165 (22:03:14.685 PST)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 54393->32431 (22:03:14.685 PST)
  114.47.203.158 (22:02:34.275 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->49814 (22:02:34.275 PST)
  202.103.67.135 (22:02:01.288 PST)
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 54063->8080 (22:02:01.288 PST)
  177.40.48.107 (22:03:34.321 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->32005 (22:03:34.321 PST)
  145.99.175.89 (22:02:10.852 PST)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 54165->51413 (22:02:10.852 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (22:04:11.024 PST)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (22:04:11.024 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1361167321.288 1361167321.289 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 41.233.117.19, 67.45.249.165, 117.254.253.231, 188.190.98.38, 114.47.203.158, 202.103.67.135, 177.40.48.107, 145.99.175.89 (2)
Resource List:
Observed Start: 02/17/2013 22:02:01.288 PST
Gen.
Time: 02/17/2013 22:06:02.683 PST
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP
PEER COORDINATION
  Info 41.233.117.19 (22:04:38.401 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->29733 (22:04:38.401 PST)
  67.45.249.165 (22:03:14.685 PST)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 54393->32431 (22:03:14.685 PST)
  117.254.253.231 (22:05:39.059 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->26821 (22:05:39.059 PST)
  188.190.98.38 (22:04:20.697 PST)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 54641->2810 (22:04:20.697 PST)
  114.47.203.158 (22:02:34.275 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->49814 (22:02:34.275 PST)
  202.103.67.135 (22:02:01.288 PST)
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 54063->8080 (22:02:01.288 PST)
  177.40.48.107 (22:03:34.321 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->32005 (22:03:34.321 PST)
  145.99.175.89 (2) (22:02:10.852 PST)
    event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 54165->51413 (22:02:10.852 PST) 54909->51413 (22:05:50.389 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (22:04:11.024 PST)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (22:04:11.024 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1361167321.288 1361167321.289 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================