Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2013 13:38:10.983 PDT Gen. Time: 03/22/2013 13:38:10.983 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (13:38:10.983 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (13:38:10.983 PDT) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1363984690.983 1363984690.984 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 81.105.198.19, 88.180.126.150, 79.56.84.100, 50.156.56.149, 85.17.143.16, 83.149.86.133, 50.19.95.119, 61.91.88.96, 119.46.206.58, 200.83.239.125 Resource List: Observed Start: 03/22/2013 13:38:10.983 PDT Gen. 
Time: 03/22/2013 13:42:01.724 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 81.105.198.19 (13:42:01.724 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->35935 (13:42:01.724 PDT) 88.180.126.150 (13:39:07.291 PDT) event=1:2008583 {udp} E7[info] ET P2P BitTorrent DHT nodes reply, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6881 (13:39:07.291 PDT) 79.56.84.100 (13:40:00.182 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->64572 (13:40:00.182 PDT) 50.156.56.149 (13:41:01.463 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->29090 (13:41:01.463 PDT) 85.17.143.16 (13:39:10.098 PDT) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 59843->6969 (13:39:10.098 PDT) 83.149.86.133 (13:39:10.098 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 59824->6969 (13:39:10.098 PDT) 50.19.95.119 (13:39:10.098 PDT) event=1:1100017 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 59846->80 (13:39:10.098 PDT) 61.91.88.96 (13:41:30.907 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 62232->16881 (13:41:30.907 PDT) 119.46.206.58 (13:39:24.109 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 60555->16884 (13:39:24.109 PDT) 200.83.239.125 (13:38:59.228 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->17591 (13:38:59.228 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (2) (13:38:10.983 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 
00:01:64:FF:CE:EA 62330->6099 (13:41:43.152 PDT) ------------------------- event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (13:38:10.983 PDT) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1363984690.983 1363984690.984 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 79.47.98.42 (3), 184.160.124.202 Resource List: Observed Start: 03/22/2013 13:52:21.458 PDT Gen. Time: 03/22/2013 13:53:51.022 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 79.47.98.42 (3) (13:52:21.458 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 51078->6882 (13:52:21.458 PDT) ------------------------- event=1:2102181 (2) {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:01:64:FF:CE:EA 51078->6882 (13:52:21.458 PDT) 51317->6882 (13:53:20.461 PDT) 184.160.124.202 (13:53:08.028 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->29693 (13:53:08.028 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (13:53:51.022 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51497->6099 (13:53:51.022 PDT) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1363985541.458 1363985541.459 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer 
Coord. List: 81.35.204.221, 79.47.98.42 (4), 91.218.38.132 (2), 186.222.10.203, 223.206.73.34, 184.160.124.202, 98.211.246.3, 71.76.62.182 Resource List: Observed Start: 03/22/2013 13:52:21.458 PDT Gen. Time: 03/22/2013 13:57:10.377 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 81.35.204.221 (13:55:10.399 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->27135 (13:55:10.399 PDT) 79.47.98.42 (4) (13:52:21.458 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 51078->6882 (13:52:21.458 PDT) ------------------------- event=1:2102181 (3) {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:01:64:FF:CE:EA 51078->6882 (13:52:21.458 PDT) 51317->6882 (13:53:20.461 PDT) 52088->6882 (13:55:23.480 PDT) 91.218.38.132 (2) (13:53:56.268 PDT) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 51499->2710 (13:53:56.268 PDT) ------------------------- event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 51499->2710 (13:53:56.268 PDT) 186.222.10.203 (13:54:08.027 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->10713 (13:54:08.027 PDT) 223.206.73.34 (13:54:27.968 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 51813->7547 (13:54:27.968 PDT) 184.160.124.202 (13:53:08.028 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->29693 (13:53:08.028 PDT) 98.211.246.3 (13:56:10.698 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->15928 (13:56:10.698 PDT) 71.76.62.182 (13:57:10.377 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 
51413->31886 (13:57:10.377 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (13:53:51.022 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51497->6099 (13:53:51.022 PDT) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1363985541.458 1363985541.459 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 79.47.98.42 (2) Resource List: Observed Start: 03/22/2013 14:09:19.052 PDT Gen. Time: 03/22/2013 14:09:40.998 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 79.47.98.42 (2) (14:09:19.052 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 56985->6882 (14:09:19.052 PDT) ------------------------- event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:01:64:FF:CE:EA 56985->6882 (14:09:19.052 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (14:09:40.998 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (14:09:40.998 PDT) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1363986559.052 1363986559.053 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. 
List: 86.18.214.169, 79.47.98.42 (4), 189.152.71.255, 208.83.20.164, 217.133.42.181, 78.222.217.180 Resource List: Observed Start: 03/22/2013 14:09:19.052 PDT Gen. Time: 03/22/2013 14:12:21.162 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 86.18.214.169 (14:12:15.005 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->43441 (14:12:15.005 PDT) 79.47.98.42 (4) (14:09:19.052 PDT) event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 56985->6882 (14:09:19.052 PDT) 57357->6882 (14:10:22.062 PDT) ------------------------- event=1:2102181 (2) {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:01:64:FF:CE:EA 56985->6882 (14:09:19.052 PDT) 57357->6882 (14:10:22.062 PDT) 189.152.71.255 (14:12:21.162 PDT) event=1:2008581 {udp} E7[info] ET P2P BitTorrent DHT ping request, [] MAC_Src: 00:01:64:FF:CE:EA 51413->16942 (14:12:21.162 PDT) 208.83.20.164 (14:11:51.802 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 57885->6969 (14:11:51.802 PDT) 217.133.42.181 (14:11:15.196 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->20064 (14:11:15.196 PDT) 78.222.217.180 (14:10:15.034 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->41287 (14:10:15.034 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (14:09:40.998 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (14:09:40.998 PDT) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1363986559.052 1363986559.053 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== 
SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 79.47.98.42, 117.254.241.186, 189.114.229.148 Resource List: Observed Start: 03/22/2013 14:25:25.386 PDT Gen. Time: 03/22/2013 14:26:20.539 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 79.47.98.42 (14:26:13.701 PDT) event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:01:64:FF:CE:EA 64703->6882 (14:26:13.701 PDT) 117.254.241.186 (14:25:27.163 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->35093 (14:25:27.163 PDT) 189.114.229.148 (14:25:25.386 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 64407->16882 (14:25:25.386 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (14:26:20.539 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 64812->6099 (14:26:20.539 PDT) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1363987525.386 1363987525.387 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 79.47.98.42 (4), 82.48.162.123, 88.0.247.56, 84.110.108.245, 117.254.241.186, 64.69.46.217, 189.114.229.148, 157.157.85.178 Resource List: Observed Start: 03/22/2013 14:25:25.386 PDT Gen. 
Time: 03/22/2013 14:29:30.354 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 79.47.98.42 (4) (14:26:13.701 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 65503->6882 (14:28:23.721 PDT) ------------------------- event=1:2102181 (3) {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:01:64:FF:CE:EA 64703->6882 (14:26:13.701 PDT) 65503->6882 (14:28:23.721 PDT) 49462->6882 (14:29:19.232 PDT) 82.48.162.123 (14:29:30.354 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->30540 (14:29:30.354 PDT) 88.0.247.56 (14:28:30.722 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->9090 (14:28:30.722 PDT) 84.110.108.245 (14:27:29.547 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->19761 (14:27:29.547 PDT) 117.254.241.186 (14:25:27.163 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->35093 (14:25:27.163 PDT) 64.69.46.217 (14:26:50.209 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 64918->43611 (14:26:50.209 PDT) 189.114.229.148 (14:25:25.386 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 64407->16882 (14:25:25.386 PDT) 157.157.85.178 (14:26:29.816 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51110 (14:26:29.816 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (14:26:20.539 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 64812->6099 (14:26:20.539 PDT) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1363987525.386 
1363987525.387 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 199.59.243.63 (2) Resource List: Observed Start: 03/22/2013 14:56:43.117 PDT Gen. Time: 03/22/2013 14:56:50.479 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 199.59.243.63 (2) (14:56:43.117 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 58556->80 (14:56:43.117 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF9%FFW%97%12%FFV%1B%A0%A8%0C%16Q%02%0D%A2] MAC_Src: 00:01:64:FF:CE:EA 58556->80 (14:56:43.117 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (14:56:50.479 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (14:56:50.479 PDT) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1363989403.117 1363989403.118 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 24.171.232.126, 93.50.57.31, 91.218.38.132 (2), 99.119.244.30, 83.149.86.133, 85.71.148.165, 79.47.98.42 (4), 119.46.206.104, 199.59.243.63 (2) Resource List: Observed Start: 03/22/2013 14:56:43.117 PDT Gen. 
Time: 03/22/2013 15:00:50.870 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 24.171.232.126 (14:57:03.018 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->20500 (14:57:03.018 PDT) 93.50.57.31 (14:59:07.536 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->22580 (14:59:07.536 PDT) 91.218.38.132 (2) (14:59:47.490 PDT) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 59587->2710 (14:59:47.490 PDT) ------------------------- event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 59587->2710 (14:59:47.490 PDT) 99.119.244.30 (14:58:05.711 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->13562 (14:58:05.711 PDT) 83.149.86.133 (15:00:50.870 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 59997->6969 (15:00:50.870 PDT) 85.71.148.165 (15:00:07.130 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->27022 (15:00:07.130 PDT) 79.47.98.42 (4) (14:57:13.032 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 58725->6882 (14:57:13.032 PDT) ------------------------- event=1:2102181 (3) {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:01:64:FF:CE:EA 58725->6882 (14:57:13.032 PDT) 58930->6882 (14:58:12.049 PDT) 59865->6882 (15:00:21.082 PDT) 119.46.206.104 (14:59:34.284 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 59541->16882 (14:59:34.284 PDT) 199.59.243.63 (2) (14:56:43.117 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 58556->80 (14:56:43.117 PDT) 
------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF9%FFW%97%12%FFV%1B%A0%A8%0C%16Q%02%0D%A2] MAC_Src: 00:01:64:FF:CE:EA 58556->80 (14:56:43.117 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (14:56:50.479 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (14:56:50.479 PDT) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1363989403.117 1363989403.118 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 181.165.242.106, 79.47.98.42 (3), 199.59.243.63 (2), 68.102.24.54 Resource List: Observed Start: 03/22/2013 15:27:21.330 PDT Gen. Time: 03/22/2013 15:28:21.154 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 181.165.242.106 (15:28:21.154 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->18094 (15:28:21.154 PDT) 79.47.98.42 (3) (15:27:21.330 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 54005->6882 (15:27:21.330 PDT) ------------------------- event=1:2102181 (2) {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:01:64:FF:CE:EA 54005->6882 (15:27:21.330 PDT) 54244->6882 (15:28:10.836 PDT) 199.59.243.63 (2) (15:27:32.071 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 54001->80 (15:27:32.071 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), 
[/scrape?info_hash=%FF9%FFW%97%12%FFV%1B%A0%A8%0C%16Q%02%0D%A2] MAC_Src: 00:01:64:FF:CE:EA 54001->80 (15:27:32.071 PDT) 68.102.24.54 (15:27:21.459 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->17148 (15:27:21.459 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (15:28:21.005 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 54363->6099 (15:28:21.005 PDT) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1363991241.330 1363991241.331 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 61.91.88.126, 181.165.242.106, 79.47.98.42 (4), 203.106.65.16, 199.59.243.63 (2), 68.102.24.54 Resource List: Observed Start: 03/22/2013 15:27:21.330 PDT Gen. 
Time: 03/22/2013 15:30:19.447 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 61.91.88.126 (15:29:50.063 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 54868->16882 (15:29:50.063 PDT) 181.165.242.106 (15:28:21.154 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->18094 (15:28:21.154 PDT) 79.47.98.42 (4) (15:27:21.330 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 54005->6882 (15:27:21.330 PDT) ------------------------- event=1:2102181 (3) {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:01:64:FF:CE:EA 54005->6882 (15:27:21.330 PDT) 54244->6882 (15:28:10.836 PDT) 55022->6882 (15:30:11.854 PDT) 203.106.65.16 (15:29:21.488 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->11311 (15:29:21.488 PDT) 199.59.243.63 (2) (15:27:32.071 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 54001->80 (15:27:32.071 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF9%FFW%97%12%FFV%1B%A0%A8%0C%16Q%02%0D%A2] MAC_Src: 00:01:64:FF:CE:EA 54001->80 (15:27:32.071 PDT) 68.102.24.54 (15:27:21.459 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->17148 (15:27:21.459 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (15:28:21.005 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 54363->6099 (15:28:21.005 PDT) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1363991241.330 1363991241.331 inputFile.tcpd | tcpdump -r - -w 
outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 91.218.38.132 (2), 82.200.165.138, 184.160.124.202, 37.153.12.154 (3), 217.133.42.181, 79.47.98.42 (2), 108.35.182.217, 79.50.11.244, 199.59.243.63 (2) Resource List: Observed Start: 03/22/2013 16:25:31.983 PDT Gen. Time: 03/22/2013 16:29:06.845 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 91.218.38.132 (2) (16:27:12.666 PDT) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 58322->2710 (16:27:12.666 PDT) ------------------------- event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 58322->2710 (16:27:12.666 PDT) 82.200.165.138 (16:26:53.301 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 58221->16884 (16:26:53.301 PDT) 184.160.124.202 (16:26:05.038 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->29693 (16:26:05.038 PDT) 37.153.12.154 (3) (16:25:31.983 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 57851->6881 (16:25:31.983 PDT) ------------------------- event=1:2102181 (2) {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:01:64:FF:CE:EA 57851->6881 (16:25:31.983 PDT) 57887->6881 (16:25:41.962 PDT) 217.133.42.181 (16:29:06.845 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->20064 (16:29:06.845 PDT) 79.47.98.42 (2) (16:26:13.290 PDT) event=1:2102181 (2) {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:01:64:FF:CE:EA 58079->6882 (16:26:13.290 PDT) 58316->6882 (16:27:12.306 PDT) 108.35.182.217 
(16:28:06.586 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->55845 (16:28:06.586 PDT) 79.50.11.244 (16:27:06.492 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51413 (16:27:06.492 PDT) 199.59.243.63 (2) (16:27:50.922 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 58516->80 (16:27:50.922 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF9%FFW%97%12%FFV%1B%A0%A8%0C%16Q%02%0D%A2] MAC_Src: 00:01:64:FF:CE:EA 58516->80 (16:27:50.922 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (16:28:30.388 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (16:28:30.388 PDT) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1363994731.983 1363994731.984 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 91.218.38.132 (2), 82.200.165.138, 184.160.124.202, 37.153.12.154 (3), 217.133.42.181, 79.47.98.42 (4), 108.35.182.217, 79.50.11.244, 199.59.243.63 (2) Resource List: Observed Start: 03/22/2013 16:25:31.983 PDT Gen. 
Time: 03/22/2013 16:29:38.491 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 91.218.38.132 (2) (16:27:12.666 PDT) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 58322->2710 (16:27:12.666 PDT) ------------------------- event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 58322->2710 (16:27:12.666 PDT) 82.200.165.138 (16:26:53.301 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 58221->16884 (16:26:53.301 PDT) 184.160.124.202 (16:26:05.038 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->29693 (16:26:05.038 PDT) 37.153.12.154 (3) (16:25:31.983 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 57851->6881 (16:25:31.983 PDT) ------------------------- event=1:2102181 (2) {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:01:64:FF:CE:EA 57851->6881 (16:25:31.983 PDT) 57887->6881 (16:25:41.962 PDT) 217.133.42.181 (16:29:06.845 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->20064 (16:29:06.845 PDT) 79.47.98.42 (4) (16:26:13.290 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 58979->6882 (16:29:16.339 PDT) ------------------------- event=1:2102181 (3) {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:01:64:FF:CE:EA 58079->6882 (16:26:13.290 PDT) 58316->6882 (16:27:12.306 PDT) 58979->6882 (16:29:16.339 PDT) 108.35.182.217 (16:28:06.586 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->55845 (16:28:06.586 PDT) 79.50.11.244 (16:27:06.492 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51413 
(16:27:06.492 PDT) 199.59.243.63 (2) (16:27:50.922 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 58516->80 (16:27:50.922 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF9%FFW%97%12%FFV%1B%A0%A8%0C%16Q%02%0D%A2] MAC_Src: 00:01:64:FF:CE:EA 58516->80 (16:27:50.922 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (16:28:30.388 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (16:28:30.388 PDT) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1363994731.983 1363994731.984 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 189.69.193.169 Resource List: Observed Start: 03/22/2013 17:30:40.775 PDT Gen. 
Time: 03/22/2013 17:30:41.010 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
189.69.193.169 (17:30:40.775 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->50590 (17:30:40.775 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (17:30:41.010 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 63216->6099 (17:30:41.010 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1363998640.775 1363998640.776 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================

Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List: 208.95.172.130
Peer Coord. List: 189.114.229.148, 91.202.73.55 (2), 202.171.254.30, 189.69.193.169, 190.31.91.133, 125.27.106.245, 71.187.0.178, 50.19.95.119 (2), 188.53.22.172, 79.47.98.42 (2), 177.32.99.161, 75.88.172.153
Resource List:
Observed Start: 03/22/2013 17:30:40.775 PDT
Gen. Time: 03/22/2013 17:34:57.016 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
208.95.172.130 (17:34:24.482 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:01:64:FF:CE:EA 64464->80 (17:34:24.482 PDT)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
189.114.229.148 (17:32:25.074 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 63800->16882 (17:32:25.074 PDT)
91.202.73.55 (2) (17:33:51.198 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [/search?q= 212.40.65.18 virus&go=&qs=n&form=QBLH&pq= 212.40.65.18 virus&sc=0-0&sp=-1&sk=] MAC_Src: 00:01:64:FF:CE:EA 64186->80 (17:33:51.198 PDT)
-------------------------
event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF9%FFW%97%12%FFV%1B%A0%A8%0C%16Q%02%0D%A2] MAC_Src: 00:01:64:FF:CE:EA 64186->80 (17:33:51.198 PDT)
202.171.254.30 (17:33:25.384 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 64122->16883 (17:33:25.384 PDT)
189.69.193.169 (17:30:40.775 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->50590 (17:30:40.775 PDT)
190.31.91.133 (17:32:52.696 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->28770 (17:32:52.696 PDT)
125.27.106.245 (17:34:57.016 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->24874 (17:34:57.016 PDT)
71.187.0.178 (17:32:10.520 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 63633->6969 (17:32:10.520 PDT)
50.19.95.119 (2) (17:32:10.521 PDT) event=1:1100017 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 63634->80 (17:32:10.521 PDT)
-------------------------
event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/trac/scrape.php?info_hash=%FF%F9%BAb%1A%FF%A6%FF%FF%97%9B%0F%93%FF%FD] MAC_Src: 00:01:64:FF:CE:EA 63634->80 (17:32:10.521 PDT)
188.53.22.172 (17:33:53.696 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->10810 (17:33:53.696 PDT)
79.47.98.42 (2) (17:32:32.369 PDT) event=1:2102181 (2) {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:01:64:FF:CE:EA 63829->6882 (17:32:32.369 PDT) 64012->6882 (17:33:16.380 PDT)
177.32.99.161 (17:31:49.722 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->10506 (17:31:49.722 PDT)
75.88.172.153 (17:31:11.462 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 63350->6890 (17:31:11.462 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (17:30:41.010 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 63216->6099 (17:30:41.010 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1363998640.775 1363998640.776 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 173.78.7.129, 75.88.172.153, 189.111.208.59, 199.59.243.63 (2), 70.77.199.174, 201.21.55.29, 80.180.124.1
Resource List:
Observed Start: 03/22/2013 19:28:20.990 PDT
Gen. Time: 03/22/2013 19:31:42.337 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
173.78.7.129 (19:28:37.563 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->42621 (19:28:37.563 PDT)
75.88.172.153 (19:29:07.692 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 65506->6890 (19:29:07.692 PDT)
189.111.208.59 (19:30:11.095 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 49423->6890 (19:30:11.095 PDT)
199.59.243.63 (2) (19:28:20.990 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 65386->80 (19:28:20.990 PDT)
-------------------------
event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF9%FFW%97%12%FFV%1B%A0%A8%0C%16Q%02%0D%A2] MAC_Src: 00:01:64:FF:CE:EA 65386->80 (19:28:20.990 PDT)
70.77.199.174 (19:30:42.265 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->17938 (19:30:42.265 PDT)
201.21.55.29 (19:29:40.818 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->45725 (19:29:40.818 PDT)
80.180.124.1 (19:31:42.337 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->34580 (19:31:42.337 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (19:31:10.606 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (19:31:10.606 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1364005700.990 1364005700.991 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 124.8.223.168
Resource List:
Observed Start: 03/22/2013 21:32:21.221 PDT
Gen. Time: 03/22/2013 21:32:41.186 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
124.8.223.168 (21:32:21.221 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 62644->16881 (21:32:21.221 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (21:32:41.186 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 62702->6099 (21:32:41.186 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1364013141.221 1364013141.222 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 84.110.108.245, 189.114.229.148, 124.8.223.168, 91.202.73.55, 119.46.206.37, 71.187.0.178, 117.254.241.186, 50.19.95.119 (2), 151.55.135.117, 194.242.213.232, 188.153.65.155, 75.88.172.153
Resource List:
Observed Start: 03/22/2013 21:32:21.221 PDT
Gen. Time: 03/22/2013 21:36:56.967 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
84.110.108.245 (21:35:55.565 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->19761 (21:35:55.565 PDT)
189.114.229.148 (21:33:50.787 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 62983->16882 (21:33:50.787 PDT)
124.8.223.168 (21:32:21.221 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 62644->16881 (21:32:21.221 PDT)
91.202.73.55 (21:36:13.421 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 63534->80 (21:36:13.421 PDT)
119.46.206.37 (21:36:18.851 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 63579->16883 (21:36:18.851 PDT)
71.187.0.178 (21:32:41.274 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 62699->6969 (21:32:41.274 PDT)
117.254.241.186 (21:34:55.427 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->35093 (21:34:55.427 PDT)
50.19.95.119 (2) (21:32:41.259 PDT) event=1:1100017 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 62700->80 (21:32:41.259 PDT)
-------------------------
event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/trac/scrape.php?info_hash=%FF%F9%BAb%1A%FF%A6%FF%FF%97%9B%0F%93%FF%FD] MAC_Src: 00:01:64:FF:CE:EA 62700->80 (21:32:41.259 PDT)
151.55.135.117 (21:36:56.967 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->25506 (21:36:56.967 PDT)
194.242.213.232 (21:32:52.500 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->41101 (21:32:52.500 PDT)
188.153.65.155 (21:33:52.045 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->43541 (21:33:52.045 PDT)
75.88.172.153 (21:35:11.730 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 63264->6890 (21:35:11.730 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (21:32:41.186 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 62702->6099 (21:32:41.186 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1364013141.221 1364013141.222 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================