Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 94.113.27.242, 71.196.16.49, 82.236.181.96, 112.201.166.226, 121.14.98.151, 145.99.175.89 (3)
Resource List:
Observed Start: 02/19/2013 00:15:42.280 PST
Gen. Time: 02/19/2013 00:19:30.797 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
    94.113.27.242 (00:17:02.696 PST)
        event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
        51413->36436 (00:17:02.696 PST)
    71.196.16.49 (00:18:03.704 PST)
        event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
        51413->19397 (00:18:03.704 PST)
    82.236.181.96 (00:19:03.623 PST)
        event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
        51413->52648 (00:19:03.623 PST)
    112.201.166.226 (00:16:02.597 PST)
        event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
        51413->22954 (00:16:02.597 PST)
    121.14.98.151 (00:15:42.280 PST)
        event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
        51789->9090 (00:15:42.280 PST)
    145.99.175.89 (3) (00:16:10.127 PST)
        event=1:1100012 (3) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
        51902->51413 (00:16:10.127 PST)
        52306->51413 (00:17:52.131 PST)
        52742->51413 (00:19:06.152 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    69.43.161.167 (00:19:30.797 PST)
        event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
        52828->6099 (00:19:30.797 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1361261742.280 1361261742.281 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 94.113.27.242, 71.196.16.49, 177.143.65.87, 82.236.181.96, 112.201.166.226, 121.14.98.151, 145.99.175.89 (3)
Resource List:
Observed Start: 02/19/2013 00:15:42.280 PST
Gen. Time: 02/19/2013 00:20:04.715 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
    94.113.27.242 (00:17:02.696 PST)
        event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
        51413->36436 (00:17:02.696 PST)
    71.196.16.49 (00:18:03.704 PST)
        event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
        51413->19397 (00:18:03.704 PST)
    177.143.65.87 (00:20:04.715 PST)
        event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
        51413->47702 (00:20:04.715 PST)
    82.236.181.96 (00:19:03.623 PST)
        event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
        51413->52648 (00:19:03.623 PST)
    112.201.166.226 (00:16:02.597 PST)
        event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
        51413->22954 (00:16:02.597 PST)
    121.14.98.151 (00:15:42.280 PST)
        event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
        51789->9090 (00:15:42.280 PST)
    145.99.175.89 (3) (00:16:10.127 PST)
        event=1:1100012 (3) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
        51902->51413 (00:16:10.127 PST)
        52306->51413 (00:17:52.131 PST)
        52742->51413 (00:19:06.152 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    69.43.161.167 (00:19:30.797 PST)
        event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
        52828->6099 (00:19:30.797 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1361261742.280 1361261742.281 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 124.95.156.162, 82.234.37.155, 85.241.245.16, 212.59.28.49
Resource List:
Observed Start: 02/19/2013 02:18:12.390 PST
Gen. Time: 02/19/2013 02:21:00.480 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
    124.95.156.162 (02:18:12.390 PST)
        event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
        53817->2489 (02:18:12.390 PST)
    82.234.37.155 (02:20:07.557 PST)
        event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
        51413->52528 (02:20:07.557 PST)
    85.241.245.16 (02:19:06.194 PST)
        event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
        51413->26125 (02:19:06.194 PST)
    212.59.28.49 (02:18:51.583 PST)
        event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
        53909->2710 (02:18:51.583 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    69.43.161.167 (02:21:00.480 PST)
        event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
        51413->6099 (02:21:00.480 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1361269092.390 1361269092.391 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 71.120.31.29, 124.95.156.162 (2), 82.234.37.155, 85.241.245.16, 46.129.56.78, 212.59.28.49
Resource List:
Observed Start: 02/19/2013 02:18:12.390 PST
Gen. Time: 02/19/2013 02:22:07.820 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
    71.120.31.29 (02:22:07.820 PST)
        event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
        51413->62334 (02:22:07.820 PST)
    124.95.156.162 (2) (02:18:12.390 PST)
        event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
        53817->2489 (02:18:12.390 PST)
        54615->2489 (02:21:19.414 PST)
    82.234.37.155 (02:20:07.557 PST)
        event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
        51413->52528 (02:20:07.557 PST)
    85.241.245.16 (02:19:06.194 PST)
        event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
        51413->26125 (02:19:06.194 PST)
    46.129.56.78 (02:21:07.287 PST)
        event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
        51413->51413 (02:21:07.287 PST)
    212.59.28.49 (02:18:51.583 PST)
        event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
        53909->2710 (02:18:51.583 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    69.43.161.167 (02:21:00.480 PST)
        event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
        51413->6099 (02:21:00.480 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1361269092.390 1361269092.391 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 96.242.181.36, 92.238.133.98, 201.210.148.218, 177.143.65.87, 121.14.98.151
Resource List:
Observed Start: 02/19/2013 04:19:03.049 PST
Gen. Time: 02/19/2013 04:22:30.771 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
    96.242.181.36 (04:22:04.622 PST)
        event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
        51413->38387 (04:22:04.622 PST)
    92.238.133.98 (04:21:04.363 PST)
        event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
        51413->35796 (04:21:04.363 PST)
    201.210.148.218 (04:20:03.198 PST)
        event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
        51413->50221 (04:20:03.198 PST)
    177.143.65.87 (04:19:03.049 PST)
        event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
        51413->47702 (04:19:03.049 PST)
    121.14.98.151 (04:19:21.574 PST)
        event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
        58021->9090 (04:19:21.574 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    69.43.161.167 (04:22:30.771 PST)
        event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
        59138->6099 (04:22:30.771 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1361276343.049 1361276343.050 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 96.242.181.36, 92.238.133.98, 201.210.148.218, 46.129.56.78, 177.143.65.87, 121.14.98.151
Resource List:
Observed Start: 02/19/2013 04:19:03.049 PST
Gen. Time: 02/19/2013 04:23:04.105 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
    96.242.181.36 (04:22:04.622 PST)
        event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
        51413->38387 (04:22:04.622 PST)
    92.238.133.98 (04:21:04.363 PST)
        event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
        51413->35796 (04:21:04.363 PST)
    201.210.148.218 (04:20:03.198 PST)
        event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
        51413->50221 (04:20:03.198 PST)
    46.129.56.78 (04:23:04.105 PST)
        event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
        51413->51413 (04:23:04.105 PST)
    177.143.65.87 (04:19:03.049 PST)
        event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
        51413->47702 (04:19:03.049 PST)
    121.14.98.151 (04:19:21.574 PST)
        event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
        58021->9090 (04:19:21.574 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    69.43.161.167 (04:22:30.771 PST)
        event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
        59138->6099 (04:22:30.771 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1361276343.049 1361276343.050 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 50.19.95.119 (2), 91.218.38.132 (2), 200.117.237.25, 121.1.46.110, 220.208.243.46, 208.83.20.164, 99.98.195.138, 59.149.53.192
Resource List:
Observed Start: 02/19/2013 06:20:38.887 PST
Gen. Time: 02/19/2013 06:23:30.573 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
    50.19.95.119 (2) (06:23:21.488 PST)
        event=1:1100017 {tcp} E7[info] P2P torrent scrape tracker request, [http:/pastebin.com/raw.php?i=ffJjykbk] MAC_Src: 00:01:64:FF:CE:EA
        58725->80 (06:23:21.488 PST)
        -------------------------
        event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/trac/scrape.php?info_hash=%FF%F9%BAb%1A%FF%A6%FF%FF%97%9B%0F%93%FF%FD] MAC_Src: 00:01:64:FF:CE:EA
        58725->80 (06:23:21.488 PST)
    91.218.38.132 (2) (06:23:11.212 PST)
        event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
        58637->2710 (06:23:11.212 PST)
        -------------------------
        event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA
        58637->2710 (06:23:11.212 PST)
    200.117.237.25 (06:22:07.189 PST)
        event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
        58048->16881 (06:22:07.189 PST)
    121.1.46.110 (06:20:38.887 PST)
        event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
        51413->16795 (06:20:38.887 PST)
    220.208.243.46 (06:21:39.905 PST)
        event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
        51413->64219 (06:21:39.905 PST)
    208.83.20.164 (06:23:21.482 PST)
        event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
        58726->6969 (06:23:21.482 PST)
    99.98.195.138 (06:22:44.857 PST)
        event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
        51413->60090 (06:22:44.857 PST)
    59.149.53.192 (06:23:13.500 PST)
        event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
        58683->28743 (06:23:13.500 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    69.43.161.167 (06:23:30.573 PST)
        event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
        51413->6099 (06:23:30.573 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1361283638.887 1361283638.888 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 121.1.46.110, 208.83.20.164, 91.218.38.132 (2), 99.98.195.138, 91.224.160.192, 220.208.243.46, 50.19.95.119 (2), 200.117.237.25, 59.149.53.192, 59.190.117.190
Resource List:
Observed Start: 02/19/2013 06:20:38.887 PST
Gen. Time: 02/19/2013 06:24:49.287 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
    121.1.46.110 (06:20:38.887 PST)
        event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
        51413->16795 (06:20:38.887 PST)
    208.83.20.164 (06:23:21.482 PST)
        event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
        58726->6969 (06:23:21.482 PST)
    91.218.38.132 (2) (06:23:11.212 PST)
        event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
        58637->2710 (06:23:11.212 PST)
        -------------------------
        event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA
        58637->2710 (06:23:11.212 PST)
    99.98.195.138 (06:22:44.857 PST)
        event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
        51413->60090 (06:22:44.857 PST)
    91.224.160.192 (06:24:21.162 PST)
        event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
        59055->2710 (06:24:21.162 PST)
    220.208.243.46 (06:21:39.905 PST)
        event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
        51413->64219 (06:21:39.905 PST)
    50.19.95.119 (2) (06:23:21.488 PST)
        event=1:1100017 {tcp} E7[info] P2P torrent scrape tracker request, [http:/pastebin.com/raw.php?i=ffJjykbk] MAC_Src: 00:01:64:FF:CE:EA
        58725->80 (06:23:21.488 PST)
        -------------------------
        event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/trac/scrape.php?info_hash=%FF%F9%BAb%1A%FF%A6%FF%FF%97%9B%0F%93%FF%FD] MAC_Src: 00:01:64:FF:CE:EA
        58725->80 (06:23:21.488 PST)
    200.117.237.25 (06:22:07.189 PST)
        event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
        58048->16881 (06:22:07.189 PST)
    59.149.53.192 (06:23:13.500 PST)
        event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
        58683->28743 (06:23:13.500 PST)
    59.190.117.190 (06:23:46.383 PST)
        event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
        51413->11496 (06:23:46.383 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    69.43.161.167 (06:23:30.573 PST)
        event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
        51413->6099 (06:23:30.573 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1361283638.887 1361283638.888 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 78.23.232.131, 50.19.95.119 (2), 180.182.148.172, 208.83.20.164
Resource List:
Observed Start: 02/19/2013 08:23:46.227 PST
Gen. Time: 02/19/2013 08:24:51.011 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
    78.23.232.131 (08:24:16.328 PST)
        event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
        51413->14297 (08:24:16.328 PST)
    50.19.95.119 (2) (08:24:10.499 PST)
        event=1:1100017 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
        63069->80 (08:24:10.499 PST)
        -------------------------
        event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/trac/scrape.php?info_hash=%FF%F9%BAb%1A%FF%A6%FF%FF%97%9B%0F%93%FF%FD] MAC_Src: 00:01:64:FF:CE:EA
        63069->80 (08:24:10.499 PST)
    180.182.148.172 (08:23:46.227 PST)
        event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
        62755->51413 (08:23:46.227 PST)
    208.83.20.164 (08:24:10.496 PST)
        event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
        63070->6969 (08:24:10.496 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    69.43.161.167 (08:24:51.011 PST)
        event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
        63243->6099 (08:24:51.011 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1361291026.227 1361291026.228 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 208.83.20.164, 186.129.16.101, 91.218.38.132 (2), 78.10.54.150 (2), 85.17.143.16, 180.182.148.172, 50.19.95.119 (2), 78.23.232.131, 109.242.40.69, 121.235.209.78
Resource List:
Observed Start: 02/19/2013 08:23:46.227 PST
Gen. Time: 02/19/2013 08:28:17.198 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
    208.83.20.164 (08:24:10.496 PST)
        event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
        63070->6969 (08:24:10.496 PST)
    186.129.16.101 (08:27:16.110 PST)
        event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
        51413->31895 (08:27:16.110 PST)
    91.218.38.132 (2) (08:25:35.615 PST)
        event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
        63597->2710 (08:25:35.615 PST)
        -------------------------
        event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA
        63597->2710 (08:25:35.615 PST)
    78.10.54.150 (2) (08:25:16.100 PST-08:28:17.198 PST)
        event=1:1100013 (2) {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
        2: 51413->60501 (08:25:16.100 PST-08:28:17.198 PST)
    85.17.143.16 (08:25:31.074 PST)
        event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
        63579->6969 (08:25:31.074 PST)
    180.182.148.172 (08:23:46.227 PST)
        event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
        62755->51413 (08:23:46.227 PST)
    50.19.95.119 (2) (08:24:10.499 PST)
        event=1:1100017 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
        63069->80 (08:24:10.499 PST)
        -------------------------
        event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/trac/scrape.php?info_hash=%FF%F9%BAb%1A%FF%A6%FF%FF%97%9B%0F%93%FF%FD] MAC_Src: 00:01:64:FF:CE:EA
        63069->80 (08:24:10.499 PST)
    78.23.232.131 (08:24:16.328 PST)
        event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
        51413->14297 (08:24:16.328 PST)
    109.242.40.69 (08:26:16.388 PST)
        event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
        51413->61073 (08:26:16.388 PST)
    121.235.209.78 (08:27:27.091 PST)
        event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
        64539->12386 (08:27:27.091 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    69.43.161.167 (08:24:51.011 PST)
        event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
        63243->6099 (08:24:51.011 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1361291026.227 1361291297.199 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 177.32.99.161, 50.19.95.119 (2), 91.218.38.132 (2), 91.224.160.192, 77.250.12.152 (2), 208.83.20.164
Resource List:
Observed Start: 02/19/2013 10:24:22.331 PST
Gen. Time: 02/19/2013 10:25:50.290 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
    177.32.99.161 (10:25:02.229 PST)
        event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
        51413->10506 (10:25:02.229 PST)
    50.19.95.119 (2) (10:24:40.680 PST)
        event=1:1100017 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
        55828->80 (10:24:40.680 PST)
        -------------------------
        event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/trac/scrape.php?info_hash=%FF%F9%BAb%1A%FF%A6%FF%FF%97%9B%0F%93%FF%FD] MAC_Src: 00:01:64:FF:CE:EA
        55828->80 (10:24:40.680 PST)
    91.218.38.132 (2) (10:25:20.985 PST)
        event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
        56263->2710 (10:25:20.985 PST)
        -------------------------
        event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA
        56263->2710 (10:25:20.985 PST)
    91.224.160.192 (10:25:41.371 PST)
        event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
        56403->2710 (10:25:41.371 PST)
    77.250.12.152 (2) (10:24:22.331 PST)
        event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
        55640->51413 (10:24:22.331 PST)
        56389->51413 (10:25:33.832 PST)
    208.83.20.164 (10:24:40.675 PST)
        event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
        55829->6969 (10:24:40.675 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    69.43.161.167 (10:25:50.290 PST)
        event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
        51413->6099 (10:25:50.290 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1361298262.331 1361298262.332 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 77.250.12.152 (3), 208.83.20.164, 91.218.38.132 (2), 62.252.164.12, 94.113.27.242, 91.224.160.192, 50.19.95.119 (2), 24.67.141.71, 177.32.99.161, 95.78.106.246
Resource List:
Observed Start: 02/19/2013 10:24:22.331 PST
Gen. Time: 02/19/2013 10:28:45.068 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
    77.250.12.152 (3) (10:24:22.331 PST)
        event=1:1100012 (3) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
        55640->51413 (10:24:22.331 PST)
        56389->51413 (10:25:33.832 PST)
        57716->51413 (10:28:08.357 PST)
    208.83.20.164 (10:24:40.675 PST)
        event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
        55829->6969 (10:24:40.675 PST)
    91.218.38.132 (2) (10:25:20.985 PST)
        event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
        56263->2710 (10:25:20.985 PST)
        -------------------------
        event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA
        56263->2710 (10:25:20.985 PST)
    62.252.164.12 (10:28:03.518 PST)
        event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
        51413->41264 (10:28:03.518 PST)
    94.113.27.242 (10:27:03.028 PST)
        event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
        51413->36436 (10:27:03.028 PST)
    91.224.160.192 (10:25:41.371 PST)
        event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
        56403->2710 (10:25:41.371 PST)
    50.19.95.119 (2) (10:24:40.680 PST)
        event=1:1100017 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
        55828->80 (10:24:40.680 PST)
        -------------------------
        event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/trac/scrape.php?info_hash=%FF%F9%BAb%1A%FF%A6%FF%FF%97%9B%0F%93%FF%FD] MAC_Src: 00:01:64:FF:CE:EA
        55828->80 (10:24:40.680 PST)
    24.67.141.71 (10:26:03.655 PST)
        event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
        51413->6881 (10:26:03.655 PST)
    177.32.99.161 (10:25:02.229 PST)
        event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
        51413->10506 (10:25:02.229 PST)
    95.78.106.246 (10:26:35.157 PST)
        event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
        56908->6890 (10:26:35.157 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    69.43.161.167 (10:25:50.290 PST)
        event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
        51413->6099 (10:25:50.290 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1361298262.331 1361298262.332 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================