Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 208.83.20.164 (4), 91.218.38.132, 91.202.73.55, 50.31.1.188, 213.22.63.238, 91.224.160.192, 71.187.0.178 (2), 178.168.52.78 (2), 91.121.60.42
Resource List:
Observed Start: 02/21/2013 13:19:33.012 PST
Gen. Time: 02/21/2013 13:21:11.030 PST

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
      208.83.20.164 (4) (13:20:45.524 PST)
         event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
         59700->6969 (13:20:45.524 PST)
         -------------------------
         event=1:2011699 (3) {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%81%B4[0%BAx%FF%8C%FF%FF%FF%FD%01%A0S%FF] MAC_Src: 00:01:64:FF:CE:EA
         59769->80 (13:20:54.505 PST)
         59866->80 (13:20:58.861 PST)
         59919->80 (13:21:07.967 PST)
      91.218.38.132 (13:20:45.524 PST)
         event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA
         59262->2710 (13:20:45.524 PST)
      91.202.73.55 (13:20:45.524 PST)
         event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF9%FFW%97%12%FFV%1B%A0%A8%0C%16Q%02%0D%A2] MAC_Src: 00:01:64:FF:CE:EA
         59713->80 (13:20:45.524 PST)
      50.31.1.188 (13:20:54.505 PST)
         event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF%FFNz%FFIM6%FF%95%F7%11%A0Um] MAC_Src: 00:01:64:FF:CE:EA
         59753->80 (13:20:54.505 PST)
      213.22.63.238 (13:20:34.151 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->34650 (13:20:34.151 PST)
      91.224.160.192 (13:20:45.524 PST)
         event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA
         59711->2710 (13:20:45.524 PST)
      71.187.0.178 (2) (13:20:12.900 PST)
         event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
         58919->6969 (13:20:12.900 PST)
         -------------------------
         event=1:2000369 {tcp} E7[info] ET P2P BitTorrent Announce, [] MAC_Src: 00:01:64:FF:CE:EA
         58919->6969 (13:20:12.900 PST)
      178.168.52.78 (2) (13:19:33.012 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->59293 (13:19:33.012 PST)
         -------------------------
         event=1:2008581 {udp} E7[info] ET P2P BitTorrent DHT ping request, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->59293 (13:19:33.012 PST)
      91.121.60.42 (13:19:36.640 PST)
         event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/appcast.xml] MAC_Src: 00:01:64:FF:CE:EA
         58911->80 (13:19:36.640 PST)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
      69.43.161.167 (13:21:11.030 PST)
         event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->6099 (13:21:11.030 PST)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1361481573.012 1361481573.013 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 208.83.20.164 (5), 91.218.38.132, 91.202.73.55, 50.31.1.188, 132.248.66.18, 213.22.63.238, 91.224.160.192, 71.187.0.178 (2), 178.168.52.78 (2), 91.121.60.42
Resource List:
Observed Start: 02/21/2013 13:19:33.012 PST
Gen. Time: 02/21/2013 13:23:34.589 PST

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
      208.83.20.164 (5) (13:20:45.524 PST)
         event=1:1100016 (2) {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
         59700->6969 (13:20:45.524 PST)
         61050->6969 (13:23:12.836 PST)
         -------------------------
         event=1:2011699 (3) {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%81%B4[0%BAx%FF%8C%FF%FF%FF%FD%01%A0S%FF] MAC_Src: 00:01:64:FF:CE:EA
         59769->80 (13:20:54.505 PST)
         59866->80 (13:20:58.861 PST)
         59919->80 (13:21:07.967 PST)
      91.218.38.132 (13:20:45.524 PST)
         event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA
         59262->2710 (13:20:45.524 PST)
      91.202.73.55 (13:20:45.524 PST)
         event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF9%FFW%97%12%FFV%1B%A0%A8%0C%16Q%02%0D%A2] MAC_Src: 00:01:64:FF:CE:EA
         59713->80 (13:20:45.524 PST)
      50.31.1.188 (13:20:54.505 PST)
         event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF%FFNz%FFIM6%FF%95%F7%11%A0Um] MAC_Src: 00:01:64:FF:CE:EA
         59753->80 (13:20:54.505 PST)
      132.248.66.18 (13:21:35.126 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->52216 (13:21:35.126 PST)
      213.22.63.238 (13:20:34.151 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->34650 (13:20:34.151 PST)
      91.224.160.192 (13:20:45.524 PST)
         event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA
         59711->2710 (13:20:45.524 PST)
      71.187.0.178 (2) (13:20:12.900 PST)
         event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
         58919->6969 (13:20:12.900 PST)
         -------------------------
         event=1:2000369 {tcp} E7[info] ET P2P BitTorrent Announce, [] MAC_Src: 00:01:64:FF:CE:EA
         58919->6969 (13:20:12.900 PST)
      178.168.52.78 (2) (13:19:33.012 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->59293 (13:19:33.012 PST)
         -------------------------
         event=1:2008581 {udp} E7[info] ET P2P BitTorrent DHT ping request, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->59293 (13:19:33.012 PST)
      91.121.60.42 (13:19:36.640 PST)
         event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/appcast.xml] MAC_Src: 00:01:64:FF:CE:EA
         58911->80 (13:19:36.640 PST)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
      69.43.161.167 (13:21:11.030 PST)
         event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->6099 (13:21:11.030 PST)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1361481573.012 1361481573.013 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================
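Added note and example; neither is part of the profile output above. Two things a responder should notice before acting on the 0.8 score. First, every entry under PEER COORDINATION is an E7[info] BitTorrent signature (DHT pings, tracker announce and scrape requests, a Transmission/1.x User-Agent), and the single event that promotes 192.168.1.36 to DECLARE BOT is one UDP datagram from source port 51413 to 69.43.161.167:6099, matched only because the destination is on ShadowServer's botnet control server list. Port 51413 is the same port the profile's own DHT pings leave from (it is also Transmission's default peer port), so a DHT node that happens to sit on a listed address produces exactly this evidence; confirm from the capture before treating the host as infected. Second, the tcpslice window printed at the end of each profile (1361481573.012 to 1361481573.013) is one millisecond wide, the Observed Start instant only; to carve the whole dialog you need Observed Start through Gen. Time in epoch seconds. The Python below, written for this page and not a BotHunter component, parses a profile in this format (the embedded PROFILE is an abridged copy of the first profile above, with several PEER COORDINATION entries dropped), derives the epoch values for the full window, and flags DECLARE BOT evidence whose (protocol, source port) the host also used for P2P traffic. The Event record's field names and the triage rule are my own; inputFile.tcpd and outputFile.tcpd are the placeholder names from the report.

```python
"""Parse a BotHunter-style infection profile and triage its DECLARE BOT evidence.
Added example for this page, not BotHunter code; record fields and the triage
rule are my own. PROFILE is an abridged copy of the first profile on the page."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

PROFILE = """\
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 208.83.20.164 (4), 178.168.52.78 (2)
Resource List:
Observed Start: 02/21/2013 13:19:33.012 PST
Gen. Time: 02/21/2013 13:21:11.030 PST
   PEER COORDINATION Info
      208.83.20.164 (4) (13:20:45.524 PST)
         event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
         59700->6969 (13:20:45.524 PST)
         -------------------------
         event=1:2011699 (3) {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%81%B4[0%BAx%FF%8C%FF%FF%FF%FD%01%A0S%FF] MAC_Src: 00:01:64:FF:CE:EA
         59769->80 (13:20:54.505 PST)
         59866->80 (13:20:58.861 PST)
         59919->80 (13:21:07.967 PST)
      178.168.52.78 (2) (13:19:33.012 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->59293 (13:19:33.012 PST)
         -------------------------
         event=1:2008581 {udp} E7[info] ET P2P BitTorrent DHT ping request, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->59293 (13:19:33.012 PST)
   DECLARE BOT Non-standard Port
      69.43.161.167 (13:21:11.030 PST)
         event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
         51413->6099 (13:21:11.030 PST)
   DECLARE BOT
"""

PST = timezone(timedelta(hours=-8))          # the sensor stamps everything in PST
PEER_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?: \((\d+)\))? \(([^)]+)\)$")
EVENT_RE = re.compile(r"^event=(\d+:\d+)(?: \((\d+)\))? \{(\w+)\} (E\d)\[(\w+)\] "
                      r"(.*?), \[(.*)\] MAC_Src: (\S+)$")
FLOW_RE = re.compile(r"^(\d+)->(\d+) \(([^)]+)\)$")


@dataclass
class Event:
    section: str            # dialog section the evidence was filed under
    peer: str               # remote address
    sid: str                # gid:sid of the signature that fired
    proto: str
    category: str           # evidence class E1..E8 (E8 = declared bot)
    msg: str
    flows: list = field(default_factory=list)   # (sport, dport, stamp) tuples


def parse_profile(text):
    """Return (header dict, [Event]) for one profile in the report's format."""
    header, events, section, peer = {}, [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"} or line.startswith(("tcpslice ", "=")):
            continue                     # blank, event separator, trailer lines
        if section is None and not raw[0].isspace():
            key, _, value = line.partition(":")     # "Gen. Time: 02/21/2013 ..."
            header[key.strip()] = value.strip()
        elif m := PEER_RE.match(line):
            peer = m.group(1)
        elif m := EVENT_RE.match(line):
            sid, _n, proto, cat, _sev, msg, _payload, _mac = m.groups()
            events.append(Event(section, peer, sid, proto, cat, msg))
        elif m := FLOW_RE.match(line):
            events[-1].flows.append((int(m.group(1)), int(m.group(2)), m.group(3)))
        else:
            section = line               # anything else is a dialog-section header
    return header, events


def to_epoch(stamp):
    """'02/21/2013 13:19:33.012 PST' -> 1361481573.012, the form tcpslice takes."""
    date, clock, zone = stamp.split()
    assert zone == "PST", "add the zone to the map if the sensor reports another"
    naive = datetime.strptime(f"{date} {clock}", "%m/%d/%Y %H:%M:%S.%f")
    return naive.replace(tzinfo=PST).timestamp()


def tcpslice_command(header, infile="inputFile.tcpd", outfile="outputFile.tcpd"):
    """Carve Observed Start..Gen. Time for the target, not the 1 ms window printed."""
    start, end = to_epoch(header["Observed Start"]), to_epoch(header["Gen. Time"])
    return (f"tcpslice {start:.3f} {end:.3f} {infile} | "
            f"tcpdump -r - -w {outfile} 'host {header['Infected Target']}'")


def triage(events):
    """Flag DECLARE BOT evidence sent from a (proto, port) the host's torrent
    client also used: a DHT peer on a blocklisted address yields the same
    alert as real C&C traffic, so such a hit needs packet-level confirmation."""
    p2p = {(e.proto, sport) for e in events
           if e.section.startswith("PEER COORDINATION") for sport, _, _ in e.flows}
    return [{"peer": e.peer, "sid": e.sid, "proto": e.proto, "sport": sport,
             "dport": dport, "needs_confirmation": (e.proto, sport) in p2p}
            for e in events if e.section.startswith("DECLARE BOT")
            for sport, dport, _ in e.flows]
```

Running parse_profile(PROFILE) and feeding the header to tcpslice_command yields a start value of 1361481573.012, the same number the report itself printed, which is a useful check that the PST conversion is right; the end value becomes Gen. Time instead of start plus one millisecond. triage() returns one finding for 69.43.161.167 with needs_confirmation set, because udp/51413 is also the source of the DHT pings in the same profile.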