Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 82.3.137.27, 108.208.217.91, 91.132.60.189
Resource List:
Observed Start: 03/15/2013 02:03:16.055 PDT
Gen. Time: 03/15/2013 02:04:51.267 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info 82.3.137.27 (02:03:38.917 PDT)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
  62594->51413 (02:03:38.917 PDT)
108.208.217.91 (02:04:19.001 PDT)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->30276 (02:04:19.001 PDT)
91.132.60.189 (02:03:16.055 PDT)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->62338 (02:03:16.055 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (02:04:51.267 PDT)
  event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
  62844->6099 (02:04:51.267 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1363338196.055 1363338196.056 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 177.32.99.161, 82.3.137.27, 178.207.16.88, 202.103.67.135, 108.208.217.91, 91.132.60.189, 177.143.156.114
Resource List:
Observed Start: 03/15/2013 02:03:16.055 PDT
Gen. Time: 03/15/2013 02:07:15.688 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info 177.32.99.161 (02:05:20.426 PDT)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->10506 (02:05:20.426 PDT)
82.3.137.27 (02:03:38.917 PDT)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
  62594->51413 (02:03:38.917 PDT)
178.207.16.88 (02:06:17.985 PDT)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
  63191->16881 (02:06:17.985 PDT)
202.103.67.135 (02:06:51.481 PDT)
  event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
  63374->8080 (02:06:51.481 PDT)
108.208.217.91 (02:04:19.001 PDT)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->30276 (02:04:19.001 PDT)
91.132.60.189 (02:03:16.055 PDT)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->62338 (02:03:16.055 PDT)
177.143.156.114 (02:06:21.171 PDT)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->20698 (02:06:21.171 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (02:04:51.267 PDT)
  event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
  62844->6099 (02:04:51.267 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1363338196.055 1363338196.056 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 212.182.163.3, 189.132.87.24
Resource List:
Observed Start: 03/15/2013 04:03:57.339 PDT
Gen. Time: 03/15/2013 04:05:20.704 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info 212.182.163.3 (04:04:57.747 PDT)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->10760 (04:04:57.747 PDT)
189.132.87.24 (04:03:57.339 PDT)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->18292 (04:03:57.339 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (04:05:20.704 PDT)
  event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->6099 (04:05:20.704 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1363345437.339 1363345437.340 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 212.182.163.3, 189.132.87.24, 37.153.12.154 (3), 130.208.129.77, 85.73.204.61, 82.161.69.109, 82.74.170.163
Resource List:
Observed Start: 03/15/2013 04:03:57.339 PDT
Gen. Time: 03/15/2013 04:07:58.318 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info 212.182.163.3 (04:04:57.747 PDT)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->10760 (04:04:57.747 PDT)
189.132.87.24 (04:03:57.339 PDT)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->18292 (04:03:57.339 PDT)
37.153.12.154 (3) (04:07:10.605 PDT)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
  51915->6881 (04:07:10.605 PDT)
  -------------------------
  event=1:2102181 (2) {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:01:64:FF:CE:EA
  51915->6881 (04:07:10.605 PDT)
  51960->6881 (04:07:20.116 PDT)
130.208.129.77 (04:06:58.991 PDT)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->57471 (04:06:58.991 PDT)
85.73.204.61 (04:05:58.013 PDT)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->58992 (04:05:58.013 PDT)
82.161.69.109 (04:07:58.318 PDT)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->26085 (04:07:58.318 PDT)
82.74.170.163 (04:06:03.577 PDT)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
  51580->51413 (04:06:03.577 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (04:05:20.704 PDT)
  event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->6099 (04:05:20.704 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1363345437.339 1363345437.340 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 89.144.139.114, 85.73.204.61
Resource List:
Observed Start: 03/15/2013 06:05:00.293 PDT
Gen. Time: 03/15/2013 06:06:50.365 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info 89.144.139.114 (06:05:00.293 PDT)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->10068 (06:05:00.293 PDT)
85.73.204.61 (06:06:00.832 PDT)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->58992 (06:06:00.832 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (06:06:50.365 PDT)
  event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
  63804->6099 (06:06:50.365 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1363352700.293 1363352700.294 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 116.88.84.109, 109.67.110.226, 82.3.137.27, 89.144.139.114, 76.5.128.72, 85.73.204.61
Resource List:
Observed Start: 03/15/2013 06:05:00.293 PDT
Gen. Time: 03/15/2013 06:09:01.074 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info 116.88.84.109 (06:09:01.074 PDT)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->32791 (06:09:01.074 PDT)
109.67.110.226 (06:08:00.212 PDT)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->43627 (06:08:00.212 PDT)
82.3.137.27 (06:07:20.537 PDT)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
  64231->51413 (06:07:20.537 PDT)
89.144.139.114 (06:05:00.293 PDT)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->10068 (06:05:00.293 PDT)
76.5.128.72 (06:07:00.957 PDT)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->33090 (06:07:00.957 PDT)
85.73.204.61 (06:06:00.832 PDT)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->58992 (06:06:00.832 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (06:06:50.365 PDT)
  event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
  63804->6099 (06:06:50.365 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1363352700.293 1363352700.294 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 124.8.223.168, 95.76.241.215, 87.2.119.47, 37.0.70.188, 71.225.47.135, 14.198.69.132
Resource List:
Observed Start: 03/15/2013 08:04:18.418 PDT
Gen. Time: 03/15/2013 08:07:41.010 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info 124.8.223.168 (08:06:18.911 PDT)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
  60973->16881 (08:06:18.911 PDT)
95.76.241.215 (08:06:19.650 PDT)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->14421 (08:06:19.650 PDT)
87.2.119.47 (08:05:18.035 PDT)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->19489 (08:05:18.035 PDT)
37.0.70.188 (08:07:19.475 PDT)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->22710 (08:07:19.475 PDT)
71.225.47.135 (08:04:18.418 PDT)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->45917 (08:04:18.418 PDT)
14.198.69.132 (08:07:30.927 PDT)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
  61429->46881 (08:07:30.927 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (08:07:41.010 PDT)
  event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->6099 (08:07:41.010 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1363359858.418 1363359858.419 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 79.12.71.13, 188.158.17.247, 119.46.206.86, 89.227.204.88, 88.24.243.22
Resource List:
Observed Start: 03/15/2013 10:06:08.014 PDT
Gen. Time: 03/15/2013 10:08:50.694 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info 79.12.71.13 (10:06:08.014 PDT)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->45628 (10:06:08.014 PDT)
188.158.17.247 (10:07:11.074 PDT)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->24256 (10:07:11.074 PDT)
119.46.206.86 (10:08:19.796 PDT)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
  54582->16882 (10:08:19.796 PDT)
89.227.204.88 (10:06:17.044 PDT)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
  53547->6346 (10:06:17.044 PDT)
88.24.243.22 (10:08:11.599 PDT)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->32958 (10:08:11.599 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (10:08:50.694 PDT)
  event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
  54711->6099 (10:08:50.694 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1363367168.014 1363367168.015 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 79.12.71.13, 201.82.247.83, 188.158.17.247, 119.46.206.86, 89.227.204.88, 88.24.243.22
Resource List:
Observed Start: 03/15/2013 10:06:08.014 PDT
Gen. Time: 03/15/2013 10:09:57.036 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info 79.12.71.13 (10:06:08.014 PDT)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->45628 (10:06:08.014 PDT)
201.82.247.83 (10:09:11.301 PDT)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->46557 (10:09:11.301 PDT)
188.158.17.247 (10:07:11.074 PDT)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->24256 (10:07:11.074 PDT)
119.46.206.86 (10:08:19.796 PDT)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
  54582->16882 (10:08:19.796 PDT)
89.227.204.88 (10:06:17.044 PDT)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
  53547->6346 (10:06:17.044 PDT)
88.24.243.22 (10:08:11.599 PDT)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->32958 (10:08:11.599 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (10:08:50.694 PDT)
  event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
  54711->6099 (10:08:50.694 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1363367168.014 1363367168.015 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 190.17.114.179, 89.227.204.88 (2), 190.160.43.50, 109.224.64.230, 87.19.232.55, 59.149.53.192
Resource List:
Observed Start: 03/15/2013 12:06:05.115 PDT
Gen. Time: 03/15/2013 12:09:40.387 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info 190.17.114.179 (12:06:05.115 PDT)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->50469 (12:06:05.115 PDT)
89.227.204.88 (2) (12:06:45.130 PDT)
  event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
  50119->6346 (12:06:45.130 PDT)
  51471->6346 (12:09:26.653 PDT)
190.160.43.50 (12:08:05.373 PDT)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->64835 (12:08:05.373 PDT)
109.224.64.230 (12:07:05.234 PDT)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->16912 (12:07:05.234 PDT)
87.19.232.55 (12:09:06.189 PDT)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->14191 (12:09:06.189 PDT)
59.149.53.192 (12:07:55.140 PDT)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
  50630->28743 (12:07:55.140 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (12:09:40.387 PDT)
  event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->6099 (12:09:40.387 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1363374365.115 1363374365.116 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 94.96.152.248, 88.189.236.123, 89.227.204.88, 62.203.69.34, 203.113.15.204
Resource List:
Observed Start: 03/15/2013 14:08:24.904 PDT
Gen. Time: 03/15/2013 14:11:20.987 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info 94.96.152.248 (14:08:24.904 PDT)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->15605 (14:08:24.904 PDT)
88.189.236.123 (14:10:25.877 PDT)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->20793 (14:10:25.877 PDT)
89.227.204.88 (14:11:10.930 PDT)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
  63270->6346 (14:11:10.930 PDT)
62.203.69.34 (14:09:25.525 PDT)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->58560 (14:09:25.525 PDT)
203.113.15.204 (14:09:23.921 PDT)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
  62476->16882 (14:09:23.921 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (14:11:20.987 PDT)
  event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
  63387->6099 (14:11:20.987 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1363381704.904 1363381704.905 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 177.32.99.161, 94.96.152.248, 88.189.236.123, 89.227.204.88, 174.25.110.221, 62.203.69.34, 203.113.15.204
Resource List:
Observed Start: 03/15/2013 14:08:24.904 PDT
Gen. Time: 03/15/2013 14:12:25.239 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info 177.32.99.161 (14:12:25.239 PDT)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->10506 (14:12:25.239 PDT)
94.96.152.248 (14:08:24.904 PDT)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->15605 (14:08:24.904 PDT)
88.189.236.123 (14:10:25.877 PDT)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->20793 (14:10:25.877 PDT)
89.227.204.88 (14:11:10.930 PDT)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
  63270->6346 (14:11:10.930 PDT)
174.25.110.221 (14:11:25.238 PDT)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->64275 (14:11:25.238 PDT)
62.203.69.34 (14:09:25.525 PDT)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->58560 (14:09:25.525 PDT)
203.113.15.204 (14:09:23.921 PDT)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
  62476->16882 (14:09:23.921 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (14:11:20.987 PDT)
  event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
  63387->6099 (14:11:20.987 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1363381704.904 1363381704.905 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 2.51.2.125, 71.95.165.202, 89.227.204.88, 176.15.232.169
Resource List:
Observed Start: 03/15/2013 16:09:16.105 PDT
Gen. Time: 03/15/2013 16:11:41.029 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info 2.51.2.125 (16:09:16.105 PDT)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->62348 (16:09:16.105 PDT)
71.95.165.202 (16:11:20.507 PDT)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->20803 (16:11:20.507 PDT)
89.227.204.88 (16:11:01.925 PDT)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
  54624->6346 (16:11:01.925 PDT)
176.15.232.169 (16:10:17.344 PDT)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->39004 (16:10:17.344 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (16:11:41.029 PDT)
  event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->6099 (16:11:41.029 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1363388956.105 1363388956.106 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 84.24.182.91, 2.51.2.125, 71.95.165.202, 89.227.204.88, 176.15.232.169
Resource List:
Observed Start: 03/15/2013 16:09:16.105 PDT
Gen. Time: 03/15/2013 16:13:08.095 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info 84.24.182.91 (16:12:21.051 PDT)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->21908 (16:12:21.051 PDT)
2.51.2.125 (16:09:16.105 PDT)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->62348 (16:09:16.105 PDT)
71.95.165.202 (16:11:20.507 PDT)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->20803 (16:11:20.507 PDT)
89.227.204.88 (16:11:01.925 PDT)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
  54624->6346 (16:11:01.925 PDT)
176.15.232.169 (16:10:17.344 PDT)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->39004 (16:10:17.344 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (16:11:41.029 PDT)
  event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->6099 (16:11:41.029 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1363388956.105 1363388956.106 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================