Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 186.18.195.29, 85.54.93.17 (2), 174.58.207.228, 154.45.216.153, 202.103.67.135, 91.121.60.42, 83.149.86.133, 88.80.6.5
Resource List:
Observed Start: 03/14/2013 14:06:19.371 PDT
Gen. Time: 03/14/2013 14:09:21.975 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
      186.18.195.29 (14:08:46.802 PDT)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->55676 (14:08:46.802 PDT)
      85.54.93.17 (2) (14:06:45.347 PDT)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->25744 (14:06:45.347 PDT)
         -------------------------
         event=1:2008581 {udp} E7[info] ET P2P BitTorrent DHT ping request, [] MAC_Src: 00:01:64:FF:CE:EA 51413->25744 (14:06:45.347 PDT)
      174.58.207.228 (14:07:46.039 PDT)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->18798 (14:07:46.039 PDT)
      154.45.216.153 (14:07:17.512 PDT)
         event=1:2008583 {udp} E7[info] ET P2P BitTorrent DHT nodes reply, [] MAC_Src: 00:01:64:FF:CE:EA 51413->1038 (14:07:17.512 PDT)
      202.103.67.135 (14:07:59.872 PDT)
         event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 56008->8080 (14:07:59.872 PDT)
      91.121.60.42 (14:06:52.234 PDT)
         event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/appcast.xml] MAC_Src: 00:01:64:FF:CE:EA 55145->80 (14:06:52.234 PDT)
      83.149.86.133 (14:06:57.343 PDT)
         event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 55154->6969 (14:06:57.343 PDT)
      88.80.6.5 (14:06:19.371 PDT)
         event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 55118->80 (14:06:19.371 PDT)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
      69.43.161.167 (14:09:21.975 PDT)
         event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (14:09:21.975 PDT)
   DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1363295179.371 1363295179.372 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 88.80.6.5, 202.103.67.135, 85.54.93.17 (2), 186.18.195.29, 83.149.86.133, 87.18.188.122, 174.58.207.228, 154.45.216.153, 91.121.60.42
Resource List:
Observed Start: 03/14/2013 14:06:19.371 PDT
Gen. Time: 03/14/2013 14:10:19.970 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
      88.80.6.5 (14:06:19.371 PDT)
         event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 55118->80 (14:06:19.371 PDT)
      202.103.67.135 (14:07:59.872 PDT)
         event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 56008->8080 (14:07:59.872 PDT)
      85.54.93.17 (2) (14:06:45.347 PDT)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->25744 (14:06:45.347 PDT)
         -------------------------
         event=1:2008581 {udp} E7[info] ET P2P BitTorrent DHT ping request, [] MAC_Src: 00:01:64:FF:CE:EA 51413->25744 (14:06:45.347 PDT)
      186.18.195.29 (14:08:46.802 PDT)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->55676 (14:08:46.802 PDT)
      83.149.86.133 (14:06:57.343 PDT)
         event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 55154->6969 (14:06:57.343 PDT)
      87.18.188.122 (14:09:46.939 PDT)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->42020 (14:09:46.939 PDT)
      174.58.207.228 (14:07:46.039 PDT)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->18798 (14:07:46.039 PDT)
      154.45.216.153 (14:07:17.512 PDT)
         event=1:2008583 {udp} E7[info] ET P2P BitTorrent DHT nodes reply, [] MAC_Src: 00:01:64:FF:CE:EA 51413->1038 (14:07:17.512 PDT)
      91.121.60.42 (14:06:52.234 PDT)
         event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/appcast.xml] MAC_Src: 00:01:64:FF:CE:EA 55145->80 (14:06:52.234 PDT)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
      69.43.161.167 (14:09:21.975 PDT)
         event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (14:09:21.975 PDT)
   DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1363295179.371 1363295179.372 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 208.83.20.164 (3), 91.202.73.55, 202.171.254.30, 208.95.173.194, 119.46.206.15, 85.17.143.16, 94.242.221.123, 157.157.85.178, 85.103.58.215
Resource List:
Observed Start: 03/14/2013 14:10:32.425 PDT
Gen. Time: 03/14/2013 14:12:41.020 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
      208.83.20.164 (3) (14:10:33.023 PDT)
         event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 58300->6969 (14:10:33.023 PDT)
         -------------------------
         event=1:2011699 (2) {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%87#%BEf%99%17O%FF=FN%F3%FF%FF%9B_v] MAC_Src: 00:01:64:FF:CE:EA 58301->80 (14:10:33.024 PDT) 58324->80 (14:10:51.700 PDT)
      91.202.73.55 (14:10:33.857 PDT)
         event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF9%FFW%97%12%FFV%1B%A0%A8%0C%16Q%02%0D%A2] MAC_Src: 00:01:64:FF:CE:EA 58346->80 (14:10:33.857 PDT)
      202.171.254.30 (14:10:32.425 PDT)
         event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 58294->16882 (14:10:32.425 PDT)
      208.95.173.194 (14:10:33.857 PDT)
         event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 58341->2710 (14:10:33.857 PDT)
      119.46.206.15 (14:11:32.932 PDT)
         event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 59541->16884 (14:11:32.932 PDT)
      85.17.143.16 (14:10:33.024 PDT)
         event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 58319->6969 (14:10:33.024 PDT)
      94.242.221.123 (14:10:33.857 PDT)
         event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/free/scrape?info_hash=%9D%A2%81%13|%FF%B7%1Ar3%0E%B5%F0O%FF%FA%FF] MAC_Src: 00:01:64:FF:CE:EA 58338->80 (14:10:33.857 PDT)
      157.157.85.178 (14:11:48.073 PDT)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51110 (14:11:48.073 PDT)
      85.103.58.215 (14:10:48.351 PDT)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->60121 (14:10:48.351 PDT)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
      69.43.161.167 (14:12:41.020 PDT)
         event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 60651->6099 (14:12:41.020 PDT)
   DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1363295432.425 1363295432.426 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 208.83.20.164 (6), 91.202.73.55, 202.171.254.30, 208.95.173.194 (2), 119.46.206.15, 85.17.143.16, 94.242.221.123, 79.40.15.47, 157.157.85.178, 85.103.58.215, 37.127.92.219
Resource List:
Observed Start: 03/14/2013 14:10:32.425 PDT
Gen. Time: 03/14/2013 14:14:32.465 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
      208.83.20.164 (6) (14:10:33.023 PDT)
         event=1:1100016 (2) {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 58300->6969 (14:10:33.023 PDT) 61068->80 (14:13:26.199 PDT)
         -------------------------
         event=1:2011699 (4) {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%87#%BEf%99%17O%FF=FN%F3%FF%FF%9B_v] MAC_Src: 00:01:64:FF:CE:EA 58301->80 (14:10:33.024 PDT) 58324->80 (14:10:51.700 PDT) 61068->80 (14:13:26.199 PDT) 61091->80 (14:13:34.492 PDT)
      91.202.73.55 (14:10:33.857 PDT)
         event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF9%FFW%97%12%FFV%1B%A0%A8%0C%16Q%02%0D%A2] MAC_Src: 00:01:64:FF:CE:EA 58346->80 (14:10:33.857 PDT)
      202.171.254.30 (14:10:32.425 PDT)
         event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 58294->16882 (14:10:32.425 PDT)
      208.95.173.194 (2) (14:10:33.857 PDT)
         event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 61510->2710 (14:14:10.743 PDT)
         -------------------------
         event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 58341->2710 (14:10:33.857 PDT)
      119.46.206.15 (14:11:32.932 PDT)
         event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 59541->16884 (14:11:32.932 PDT)
      85.17.143.16 (14:10:33.024 PDT)
         event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 58319->6969 (14:10:33.024 PDT)
      94.242.221.123 (14:10:33.857 PDT)
         event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/free/scrape?info_hash=%9D%A2%81%13|%FF%B7%1Ar3%0E%B5%F0O%FF%FA%FF] MAC_Src: 00:01:64:FF:CE:EA 58338->80 (14:10:33.857 PDT)
      79.40.15.47 (14:12:49.590 PDT)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->27017 (14:12:49.590 PDT)
      157.157.85.178 (14:11:48.073 PDT)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51110 (14:11:48.073 PDT)
      85.103.58.215 (14:10:48.351 PDT)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->60121 (14:10:48.351 PDT)
      37.127.92.219 (14:13:50.702 PDT)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->39525 (14:13:50.702 PDT)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
      69.43.161.167 (14:12:41.020 PDT)
         event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 60651->6099 (14:12:41.020 PDT)
   DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1363295432.425 1363295432.426 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 139.228.129.95, 90.220.23.38
Resource List:
Observed Start: 03/14/2013 14:22:58.279 PDT
Gen. Time: 03/14/2013 14:24:50.858 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
      139.228.129.95 (14:23:59.528 PDT)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->21668 (14:23:59.528 PDT)
      90.220.23.38 (14:22:58.279 PDT)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->26321 (14:22:58.279 PDT)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
      69.43.161.167 (14:24:50.858 PDT)
         event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 50736->6099 (14:24:50.858 PDT)
   DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1363296178.279 1363296178.280 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 139.228.129.95, 151.41.104.32, 82.3.137.27, 91.218.38.132 (2), 41.237.199.147, 90.220.23.38
Resource List:
Observed Start: 03/14/2013 14:22:58.279 PDT
Gen. Time: 03/14/2013 14:26:58.585 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
      139.228.129.95 (14:23:59.528 PDT)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->21668 (14:23:59.528 PDT)
      151.41.104.32 (14:26:02.078 PDT)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->42516 (14:26:02.078 PDT)
      82.3.137.27 (14:25:44.052 PDT)
         event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 51130->51413 (14:25:44.052 PDT)
      91.218.38.132 (2) (14:25:05.078 PDT)
         event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 50889->2710 (14:25:05.078 PDT)
         -------------------------
         event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 50889->2710 (14:25:05.078 PDT)
      41.237.199.147 (14:24:59.131 PDT)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->28068 (14:24:59.131 PDT)
      90.220.23.38 (14:22:58.279 PDT)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->26321 (14:22:58.279 PDT)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
      69.43.161.167 (14:24:50.858 PDT)
         event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 50736->6099 (14:24:50.858 PDT)
   DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1363296178.279 1363296178.280 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 178.239.54.153, 85.17.143.16, 94.242.221.123, 208.83.20.164, 91.202.73.55
Resource List:
Observed Start: 03/14/2013 14:40:40.598 PDT
Gen. Time: 03/14/2013 14:40:50.361 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
      178.239.54.153 (14:40:40.598 PDT)
         event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 57500->3310 (14:40:40.598 PDT)
      85.17.143.16 (14:40:43.713 PDT)
         event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 57508->6969 (14:40:43.713 PDT)
      94.242.221.123 (14:40:40.760 PDT)
         event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/free/scrape?info_hash=%9D%A2%81%13|%FF%B7%1Ar3%0E%B5%F0O%FF%FA%FF] MAC_Src: 00:01:64:FF:CE:EA 57507->80 (14:40:40.760 PDT)
      208.83.20.164 (14:40:40.661 PDT)
         event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%87#%BEf%99%17O%FF=FN%F3%FF%FF%9B_v] MAC_Src: 00:01:64:FF:CE:EA 57504->80 (14:40:40.661 PDT)
      91.202.73.55 (14:40:40.765 PDT)
         event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF9%FFW%97%12%FFV%1B%A0%A8%0C%16Q%02%0D%A2] MAC_Src: 00:01:64:FF:CE:EA 57501->80 (14:40:40.765 PDT)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
      69.43.161.167 (14:40:50.361 PDT)
         event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (14:40:50.361 PDT)
   DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1363297240.598 1363297240.599 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 91.218.38.132, 208.83.20.164 (5), 208.95.173.194, 91.202.73.55, 83.80.175.172, 2.220.70.84, 85.17.143.16, 2.124.98.32, 178.239.54.153, 158.194.137.88, 94.242.221.123, 119.46.206.35, 119.46.206.12
Resource List:
Observed Start: 03/14/2013 14:40:40.598 PDT
Gen. Time: 03/14/2013 14:44:41.245 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
      91.218.38.132 (14:44:31.253 PDT)
         event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 59537->2710 (14:44:31.253 PDT)
      208.83.20.164 (5) (14:40:40.661 PDT)
         event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 58709->80 (14:43:31.166 PDT)
         -------------------------
         event=1:2011699 (4) {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%87#%BEf%99%17O%FF=FN%F3%FF%FF%9B_v] MAC_Src: 00:01:64:FF:CE:EA 57504->80 (14:40:40.661 PDT) 57654->80 (14:41:00.945 PDT) 58709->80 (14:43:31.166 PDT) 58733->80 (14:43:40.625 PDT)
      208.95.173.194 (14:44:11.877 PDT)
         event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 59186->2710 (14:44:11.877 PDT)
      91.202.73.55 (14:40:40.765 PDT)
         event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF9%FFW%97%12%FFV%1B%A0%A8%0C%16Q%02%0D%A2] MAC_Src: 00:01:64:FF:CE:EA 57501->80 (14:40:40.765 PDT)
      83.80.175.172 (14:41:06.624 PDT)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->27379 (14:41:06.624 PDT)
      2.220.70.84 (14:42:07.270 PDT)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->64050 (14:42:07.270 PDT)
      85.17.143.16 (14:40:43.713 PDT)
         event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 57508->6969 (14:40:43.713 PDT)
      2.124.98.32 (14:43:07.043 PDT)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->16285 (14:43:07.043 PDT)
      178.239.54.153 (14:40:40.598 PDT)
         event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 57500->3310 (14:40:40.598 PDT)
      158.194.137.88 (14:44:08.886 PDT)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->48728 (14:44:08.886 PDT)
      94.242.221.123 (14:40:40.760 PDT)
         event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/free/scrape?info_hash=%9D%A2%81%13|%FF%B7%1Ar3%0E%B5%F0O%FF%FA%FF] MAC_Src: 00:01:64:FF:CE:EA 57507->80 (14:40:40.760 PDT)
      119.46.206.35 (14:44:29.146 PDT)
         event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 59486->16884 (14:44:29.146 PDT)
      119.46.206.12 (14:42:15.890 PDT)
         event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 58222->16884 (14:42:15.890 PDT)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
      69.43.161.167 (14:40:50.361 PDT)
         event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (14:40:50.361 PDT)
   DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1363297240.598 1363297240.599 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 176.61.92.93, 90.220.23.38, 80.39.59.223, 181.160.8.249
Resource List:
Observed Start: 03/14/2013 14:53:14.159 PDT
Gen. Time: 03/14/2013 14:57:01.092 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
      176.61.92.93 (14:55:19.115 PDT)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->46561 (14:55:19.115 PDT)
      90.220.23.38 (14:56:27.483 PDT)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->26321 (14:56:27.483 PDT)
      80.39.59.223 (14:54:18.531 PDT)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->13465 (14:54:18.531 PDT)
      181.160.8.249 (14:53:14.159 PDT)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->42410 (14:53:14.159 PDT)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
      69.43.161.167 (14:57:01.092 PDT)
         event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 65296->6099 (14:57:01.092 PDT)
   DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1363297994.159 1363297994.160 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 187.172.53.81, 86.145.63.13
Resource List:
Observed Start: 03/14/2013 15:26:02.201 PDT
Gen. Time: 03/14/2013 15:28:00.919 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
      187.172.53.81 (15:26:02.201 PDT)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->16942 (15:26:02.201 PDT)
      86.145.63.13 (15:27:03.150 PDT)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->14772 (15:27:03.150 PDT)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
      69.43.161.167 (15:28:00.919 PDT)
         event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (15:28:00.919 PDT)
   DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1363299962.201 1363299962.202 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 79.12.71.13, 187.172.53.81, 86.145.63.13, 37.153.12.154 (2), 87.4.148.182
Resource List:
Observed Start: 03/14/2013 15:26:02.201 PDT
Gen. Time: 03/14/2013 15:29:50.627 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
      79.12.71.13 (15:28:03.575 PDT)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->45628 (15:28:03.575 PDT)
      187.172.53.81 (15:26:02.201 PDT)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->16942 (15:26:02.201 PDT)
      86.145.63.13 (15:27:03.150 PDT)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->14772 (15:27:03.150 PDT)
      37.153.12.154 (2) (15:29:10.662 PDT)
         event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 62818->6881 (15:29:10.662 PDT)
         -------------------------
         event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:01:64:FF:CE:EA 62818->6881 (15:29:10.662 PDT)
      87.4.148.182 (15:29:03.169 PDT)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->43033 (15:29:03.169 PDT)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
      69.43.161.167 (15:28:00.919 PDT)
         event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (15:28:00.919 PDT)
   DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1363299962.201 1363299962.202 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 62.203.195.132, 177.142.61.180, 67.142.227.103, 91.218.38.132 (2), 84.212.221.225, 190.4.76.127, 96.52.247.193, 37.153.12.154 (3)
Resource List:
Observed Start: 03/14/2013 15:56:08.054 PDT
Gen. Time: 03/14/2013 15:59:51.664 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
      62.203.195.132 (15:58:16.758 PDT)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->58560 (15:58:16.758 PDT)
      177.142.61.180 (15:57:16.282 PDT)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->52551 (15:57:16.282 PDT)
      67.142.227.103 (15:59:21.381 PDT)
         event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 60799->32431 (15:59:21.381 PDT)
      91.218.38.132 (2) (15:58:41.300 PDT)
         event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 60394->2710 (15:58:41.300 PDT)
         -------------------------
         event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 60394->2710 (15:58:41.300 PDT)
      84.212.221.225 (15:57:13.868 PDT)
         event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 59735->49234 (15:57:13.868 PDT)
      190.4.76.127 (15:59:18.671 PDT)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->42892 (15:59:18.671 PDT)
      96.52.247.193 (15:56:14.667 PDT)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->15937 (15:56:14.667 PDT)
      37.153.12.154 (3) (15:56:08.054 PDT)
         event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 59272->6881 (15:56:08.054 PDT)
         -------------------------
         event=1:2102181 (2) {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:01:64:FF:CE:EA 59272->6881 (15:56:08.054 PDT) 59334->6881 (15:56:18.065 PDT)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
      69.43.161.167 (15:59:51.664 PDT)
         event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 60899->6099 (15:59:51.664 PDT)
   DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1363301768.054 1363301768.055 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 88.149.168.88
Resource List:
Observed Start: 03/14/2013 16:59:49.525 PDT
Gen. Time: 03/14/2013 17:00:20.423 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
      88.149.168.88 (16:59:49.525 PDT)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->58949 (16:59:49.525 PDT)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
      69.43.161.167 (17:00:20.423 PDT)
         event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (17:00:20.423 PDT)
   DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1363305589.525 1363305589.526 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 87.97.255.116, 89.99.212.237, 88.149.168.88, 41.233.25.51
Resource List:
Observed Start: 03/14/2013 16:59:49.525 PDT
Gen. Time: 03/14/2013 17:03:53.633 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
      87.97.255.116 (17:01:56.373 PDT)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->47710 (17:01:56.373 PDT)
      89.99.212.237 (17:00:50.795 PDT)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->47717 (17:00:50.795 PDT)
      88.149.168.88 (16:59:49.525 PDT)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->58949 (16:59:49.525 PDT)
      41.233.25.51 (17:02:56.254 PDT)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->29733 (17:02:56.254 PDT)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
      69.43.161.167 (17:00:20.423 PDT)
         event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (17:00:20.423 PDT)
   DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1363305589.525 1363305589.526 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 93.50.57.31, 124.106.41.144 (2), 188.78.238.124, 69.142.96.40, 96.52.247.193
Resource List:
Observed Start: 03/14/2013 17:57:33.147 PDT
Gen. Time: 03/14/2013 18:01:31.697 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
      93.50.57.31 (18:00:41.217 PDT)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->22580 (18:00:41.217 PDT)
      124.106.41.144 (2) (17:59:01.196 PDT)
         event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 65127->23742 (17:59:01.196 PDT) 49412->23742 (18:01:09.204 PDT)
      188.78.238.124 (17:58:37.641 PDT)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51413 (17:58:37.641 PDT)
      69.142.96.40 (17:57:33.147 PDT)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->10304 (17:57:33.147 PDT)
      96.52.247.193 (17:59:38.357 PDT)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->15937 (17:59:38.357 PDT)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
      69.43.161.167 (18:01:31.697 PDT)
         event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 49572->6099 (18:01:31.697 PDT)
   DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1363309053.147 1363309053.148 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 69.142.96.40, 91.218.38.132 (2), 96.52.247.193, 175.139.166.172
Resource List:
Observed Start: 03/14/2013 19:59:15.478 PDT
Gen. Time: 03/14/2013 20:02:02.064 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
      69.142.96.40 (20:00:28.123 PDT)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->10304 (20:00:28.123 PDT)
      91.218.38.132 (2) (20:00:25.567 PDT)
         event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 52598->2710 (20:00:25.567 PDT)
         -------------------------
         event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 52598->2710 (20:00:25.567 PDT)
      96.52.247.193 (20:01:29.194 PDT)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->15937 (20:01:29.194 PDT)
      175.139.166.172 (19:59:15.478 PDT)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->11662 (19:59:15.478 PDT)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
      69.43.161.167 (20:02:02.064 PDT)
         event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (20:02:02.064 PDT)
   DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1363316355.478 1363316355.479 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 216.221.72.112, 69.142.96.40, 91.218.38.132 (2), 96.52.247.193, 175.139.166.172
Resource List:
Observed Start: 03/14/2013 19:59:15.478 PDT
Gen. Time: 03/14/2013 20:03:14.769 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
      216.221.72.112 (20:02:39.169 PDT)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->28380 (20:02:39.169 PDT)
      69.142.96.40 (20:00:28.123 PDT)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->10304 (20:00:28.123 PDT)
      91.218.38.132 (2) (20:00:25.567 PDT)
         event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 52598->2710 (20:00:25.567 PDT)
         -------------------------
         event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 52598->2710 (20:00:25.567 PDT)
      96.52.247.193 (20:01:29.194 PDT)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->15937 (20:01:29.194 PDT)
      175.139.166.172 (19:59:15.478 PDT)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->11662 (19:59:15.478 PDT)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
      69.43.161.167 (20:02:02.064 PDT)
         event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (20:02:02.064 PDT)
   DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1363316355.478 1363316355.479 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 84.24.182.91, 75.159.142.5, 190.189.43.18
Resource List:
Observed Start: 03/14/2013 22:01:14.594 PDT
Gen.
Time: 03/14/2013 22:03:40.394 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 84.24.182.91 (22:03:17.043 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->21908 (22:03:17.043 PDT) 75.159.142.5 (22:01:14.594 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->62658 (22:01:14.594 PDT) 190.189.43.18 (22:02:16.087 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->18912 (22:02:16.087 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (22:03:40.394 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 65016->6099 (22:03:40.394 PDT) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1363323674.594 1363323674.595 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 84.24.182.91, 75.159.142.5, 190.189.43.18, 173.11.243.162 Resource List: Observed Start: 03/14/2013 22:01:14.594 PDT Gen. 
Time: 03/14/2013 22:04:48.061 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 84.24.182.91 (22:03:17.043 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->21908 (22:03:17.043 PDT) 75.159.142.5 (22:01:14.594 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->62658 (22:01:14.594 PDT) 190.189.43.18 (22:02:16.087 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->18912 (22:02:16.087 PDT) 173.11.243.162 (22:04:18.430 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51413 (22:04:18.430 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (22:03:40.394 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 65016->6099 (22:03:40.394 PDT) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1363323674.594 1363323674.595 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================