Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 85.71.148.165, 31.53.21.77, 91.218.38.132 (2), 79.52.109.227 (2), 183.136.156.21, 99.119.244.30, 202.103.67.135
Resource List:
Observed Start: 03/24/2013 01:46:09.594 PDT
Gen. Time: 03/24/2013 01:49:01.190 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
  Info 85.71.148.165 (01:48:09.512 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->27022 (01:48:09.512 PDT)
  31.53.21.77 (01:47:09.195 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->46894 (01:47:09.195 PDT)
  91.218.38.132 (2) (01:47:20.835 PDT) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 63373->2710 (01:47:20.835 PDT)
  -------------------------
  event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 63373->2710 (01:47:20.835 PDT)
  79.52.109.227 (2) (01:46:44.402 PDT) event=1:2102181 (2) {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:01:64:FF:CE:EA 63191->6882 (01:46:44.402 PDT) 63367->6882 (01:47:20.411 PDT)
  183.136.156.21 (01:46:30.898 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 63168->27834 (01:46:30.898 PDT)
  99.119.244.30 (01:46:09.594 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->13562 (01:46:09.594 PDT)
  202.103.67.135 (01:47:20.907 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 63372->8080 (01:47:20.907 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (01:49:01.190 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 63799->6099 (01:49:01.190 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1364114769.594 1364114769.595 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 183.136.156.21 (2), 91.218.38.132 (2), 99.98.195.138, 86.59.152.111, 202.103.67.135, 31.53.21.77, 99.119.244.30, 79.52.109.227 (3), 85.71.148.165
Resource List:
Observed Start: 03/24/2013 01:46:09.594 PDT
Gen. Time: 03/24/2013 01:50:10.578 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
  Info 183.136.156.21 (2) (01:46:30.898 PDT) event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 63168->27834 (01:46:30.898 PDT) 63839->27834 (01:49:08.939 PDT)
  91.218.38.132 (2) (01:47:20.835 PDT) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 63373->2710 (01:47:20.835 PDT)
  -------------------------
  event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 63373->2710 (01:47:20.835 PDT)
  99.98.195.138 (01:49:10.095 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->63232 (01:49:10.095 PDT)
  86.59.152.111 (01:50:10.578 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->10127 (01:50:10.578 PDT)
  202.103.67.135 (01:47:20.907 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 63372->8080 (01:47:20.907 PDT)
  31.53.21.77 (01:47:09.195 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->46894 (01:47:09.195 PDT)
  99.119.244.30 (01:46:09.594 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->13562 (01:46:09.594 PDT)
  79.52.109.227 (3) (01:46:44.402 PDT) event=1:2102181 (3) {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:01:64:FF:CE:EA 63191->6882 (01:46:44.402 PDT) 63367->6882 (01:47:20.411 PDT) 63898->6882 (01:49:11.940 PDT)
  85.71.148.165 (01:48:09.512 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->27022 (01:48:09.512 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (01:49:01.190 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 63799->6099 (01:49:01.190 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1364114769.594 1364114769.595 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 78.70.251.55, 123.211.206.160, 180.153.115.172, 202.103.67.135, 62.147.138.137
Resource List:
Observed Start: 03/24/2013 03:46:49.581 PDT
Gen. Time: 03/24/2013 03:49:20.744 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
  Info 78.70.251.55 (03:47:53.010 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->26096 (03:47:53.010 PDT)
  123.211.206.160 (03:48:59.905 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->25327 (03:48:59.905 PDT)
  180.153.115.172 (03:47:36.383 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 59517->28726 (03:47:36.383 PDT)
  202.103.67.135 (03:47:41.190 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 59539->8080 (03:47:41.190 PDT)
  62.147.138.137 (03:46:49.581 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->55555 (03:46:49.581 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (03:49:20.744 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (03:49:20.744 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1364122009.581 1364122009.582 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 78.70.251.55, 188.54.134.72, 123.211.206.160, 180.153.115.172, 109.224.64.230, 202.103.67.135, 62.147.138.137
Resource List:
Observed Start: 03/24/2013 03:46:49.581 PDT
Gen. Time: 03/24/2013 03:50:59.996 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
  Info 78.70.251.55 (03:47:53.010 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->26096 (03:47:53.010 PDT)
  188.54.134.72 (03:50:59.996 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->10810 (03:50:59.996 PDT)
  123.211.206.160 (03:48:59.905 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->25327 (03:48:59.905 PDT)
  180.153.115.172 (03:47:36.383 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 59517->28726 (03:47:36.383 PDT)
  109.224.64.230 (03:49:59.090 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->16912 (03:49:59.090 PDT)
  202.103.67.135 (03:47:41.190 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 59539->8080 (03:47:41.190 PDT)
  62.147.138.137 (03:46:49.581 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->55555 (03:46:49.581 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (03:49:20.744 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (03:49:20.744 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1364122009.581 1364122009.582 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 2.230.52.152, 178.239.54.153, 50.68.12.118
Resource List:
Observed Start: 03/24/2013 05:50:21.729 PDT
Gen. Time: 03/24/2013 05:51:10.263 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
  Info 2.230.52.152 (05:50:47.729 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 55690->51413 (05:50:47.729 PDT)
  178.239.54.153 (05:50:21.729 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 55515->3310 (05:50:21.729 PDT)
  50.68.12.118 (05:50:24.315 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->41942 (05:50:24.315 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (05:51:10.263 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 55749->6099 (05:51:10.263 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1364129421.729 1364129421.730 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 183.136.156.21, 91.218.38.132 (2), 208.95.173.194, 96.242.181.36, 75.142.104.16, 87.2.168.137, 61.91.88.135, 178.239.54.153 (2), 50.68.12.118, 2.230.52.152
Resource List:
Observed Start: 03/24/2013 05:50:21.729 PDT
Gen. Time: 03/24/2013 05:54:13.780 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
  Info 183.136.156.21 (05:52:29.549 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 56696->27834 (05:52:29.549 PDT)
  91.218.38.132 (2) (05:51:40.512 PDT) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 56230->2710 (05:51:40.512 PDT)
  -------------------------
  event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 56230->2710 (05:51:40.512 PDT)
  208.95.173.194 (05:53:53.136 PDT) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 57370->2710 (05:53:53.136 PDT)
  96.242.181.36 (05:53:24.652 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->38387 (05:53:24.652 PDT)
  75.142.104.16 (05:51:24.025 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->36245 (05:51:24.025 PDT)
  87.2.168.137 (05:52:24.348 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->43039 (05:52:24.348 PDT)
  61.91.88.135 (05:53:51.786 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 57357->16882 (05:53:51.786 PDT)
  178.239.54.153 (2) (05:50:21.729 PDT) event=1:1100016 (2) {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 55515->3310 (05:50:21.729 PDT) 57392->3310 (05:54:00.487 PDT)
  50.68.12.118 (05:50:24.315 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->41942 (05:50:24.315 PDT)
  2.230.52.152 (05:50:47.729 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 55690->51413 (05:50:47.729 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (05:51:10.263 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 55749->6099 (05:51:10.263 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1364129421.729 1364129421.730 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 208.95.173.194, 178.239.54.153, 89.92.15.192, 86.24.127.196, 183.136.156.21 (2)
Resource List:
Observed Start: 03/24/2013 07:49:38.146 PDT
Gen. Time: 03/24/2013 07:51:40.797 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
  Info 208.95.173.194 (07:51:21.574 PDT) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 57932->2710 (07:51:21.574 PDT)
  178.239.54.153 (07:51:01.178 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 57667->3310 (07:51:01.178 PDT)
  89.92.15.192 (07:50:22.772 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->46716 (07:50:22.772 PDT)
  86.24.127.196 (07:51:22.091 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->43489 (07:51:22.091 PDT)
  183.136.156.21 (2) (07:49:38.146 PDT) event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 56966->27834 (07:49:38.146 PDT) 58110->27834 (07:51:36.684 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (07:51:40.797 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (07:51:40.797 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1364136578.146 1364136578.147 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 77.85.178.110, 2.230.52.152, 208.95.173.194, 178.239.54.153, 89.92.15.192, 91.207.77.144, 86.24.127.196, 183.136.156.21 (2)
Resource List:
Observed Start: 03/24/2013 07:49:38.146 PDT
Gen. Time: 03/24/2013 07:53:23.108 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
  Info 77.85.178.110 (07:53:23.108 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->60042 (07:53:23.108 PDT)
  2.230.52.152 (07:52:44.202 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 58675->51413 (07:52:44.202 PDT)
  208.95.173.194 (07:51:21.574 PDT) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 57932->2710 (07:51:21.574 PDT)
  178.239.54.153 (07:51:01.178 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 57667->3310 (07:51:01.178 PDT)
  89.92.15.192 (07:50:22.772 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->46716 (07:50:22.772 PDT)
  91.207.77.144 (07:52:22.200 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->24776 (07:52:22.200 PDT)
  86.24.127.196 (07:51:22.091 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->43489 (07:51:22.091 PDT)
  183.136.156.21 (2) (07:49:38.146 PDT) event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 56966->27834 (07:49:38.146 PDT) 58110->27834 (07:51:36.684 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (07:51:40.797 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (07:51:40.797 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1364136578.146 1364136578.147 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 178.239.54.153, 86.24.127.196, 86.181.84.228, 83.77.205.156
Resource List:
Observed Start: 03/24/2013 09:51:41.352 PDT
Gen. Time: 03/24/2013 09:53:41.252 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
  Info 178.239.54.153 (09:51:41.352 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 61663->3310 (09:51:41.352 PDT)
  86.24.127.196 (09:52:03.214 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->43489 (09:52:03.214 PDT)
  86.181.84.228 (09:51:44.419 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 61703->58509 (09:51:44.419 PDT)
  83.77.205.156 (09:53:03.103 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6881 (09:53:03.103 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (09:53:41.252 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 62843->6099 (09:53:41.252 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1364143901.352 1364143901.353 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 2.230.52.152, 208.95.173.194, 178.239.54.153, 86.18.214.169, 86.24.127.196, 5.14.20.160, 86.181.84.228, 83.77.205.156
Resource List:
Observed Start: 03/24/2013 09:51:41.352 PDT
Gen. Time: 03/24/2013 09:55:04.960 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
  Info 2.230.52.152 (09:54:51.085 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 63463->51413 (09:54:51.085 PDT)
  208.95.173.194 (09:54:05.449 PDT) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 63034->2710 (09:54:05.449 PDT)
  178.239.54.153 (09:51:41.352 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 61663->3310 (09:51:41.352 PDT)
  86.18.214.169 (09:55:04.960 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->43441 (09:55:04.960 PDT)
  86.24.127.196 (09:52:03.214 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->43489 (09:52:03.214 PDT)
  5.14.20.160 (09:54:03.041 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->64373 (09:54:03.041 PDT)
  86.181.84.228 (09:51:44.419 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 61703->58509 (09:51:44.419 PDT)
  83.77.205.156 (09:53:03.103 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6881 (09:53:03.103 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (09:53:41.252 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 62843->6099 (09:53:41.252 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1364143901.352 1364143901.353 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 2.230.52.152, 50.156.56.149
Resource List:
Observed Start: 03/24/2013 11:52:53.298 PDT
Gen. Time: 03/24/2013 11:54:10.130 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
  Info 2.230.52.152 (11:52:53.298 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 54211->51413 (11:52:53.298 PDT)
  50.156.56.149 (11:53:26.515 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->29090 (11:53:26.515 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (11:54:10.130 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (11:54:10.130 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1364151173.298 1364151173.299 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 2.230.52.152, 78.179.39.98, 189.101.100.209, 89.207.192.194, 208.83.20.164 (2), 50.156.56.149
Resource List:
Observed Start: 03/24/2013 11:52:53.298 PDT
Gen. Time: 03/24/2013 11:56:27.208 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
  Info 2.230.52.152 (11:52:53.298 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 54211->51413 (11:52:53.298 PDT)
  78.179.39.98 (11:55:26.064 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->45892 (11:55:26.064 PDT)
  189.101.100.209 (11:54:26.525 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6881 (11:54:26.525 PDT)
  89.207.192.194 (11:56:27.208 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->22710 (11:56:27.208 PDT)
  208.83.20.164 (2) (11:55:50.938 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 56017->6969 (11:55:50.938 PDT)
  -------------------------
  event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%81%B4[0%BAx%FF%8C%FF%FF%FF%FD%01%A0S%FF] MAC_Src: 00:01:64:FF:CE:EA 56018->80 (11:55:50.939 PDT)
  50.156.56.149 (11:53:26.515 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->29090 (11:53:26.515 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (11:54:10.130 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (11:54:10.130 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1364151173.298 1364151173.299 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 88.183.13.40, 178.239.54.153, 112.164.165.22, 2.230.52.152, 85.17.143.16, 183.136.156.21, 71.7.248.168
Resource List:
Observed Start: 03/24/2013 13:52:34.645 PDT
Gen. Time: 03/24/2013 13:55:30.997 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
  Info 88.183.13.40 (13:53:40.593 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->49259 (13:53:40.593 PDT)
  178.239.54.153 (13:53:04.876 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 54708->3310 (13:53:04.876 PDT)
  112.164.165.22 (13:52:40.483 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->58854 (13:52:40.483 PDT)
  2.230.52.152 (13:52:34.645 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 54593->51413 (13:52:34.645 PDT)
  85.17.143.16 (13:53:51.665 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 55339->6969 (13:53:51.665 PDT)
  183.136.156.21 (13:55:12.691 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 56129->27834 (13:55:12.691 PDT)
  71.7.248.168 (13:54:40.512 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->10648 (13:54:40.512 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (13:55:30.997 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 56324->6099 (13:55:30.997 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1364158354.645 1364158354.646 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 183.136.156.21, 91.218.38.132, 88.183.13.40, 112.164.165.22, 89.206.2.33, 85.17.143.16, 178.239.54.153, 2.230.52.152, 71.7.248.168
Resource List:
Observed Start: 03/24/2013 13:52:34.645 PDT
Gen. Time: 03/24/2013 13:56:04.840 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
  Info 183.136.156.21 (13:55:12.691 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 56129->27834 (13:55:12.691 PDT)
  91.218.38.132 (13:56:04.840 PDT) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 55999->2710 (13:56:04.840 PDT)
  88.183.13.40 (13:53:40.593 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->49259 (13:53:40.593 PDT)
  112.164.165.22 (13:52:40.483 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->58854 (13:52:40.483 PDT)
  89.206.2.33 (13:55:40.345 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->52503 (13:55:40.345 PDT)
  85.17.143.16 (13:53:51.665 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 55339->6969 (13:53:51.665 PDT)
  178.239.54.153 (13:53:04.876 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 54708->3310 (13:53:04.876 PDT)
  2.230.52.152 (13:52:34.645 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 54593->51413 (13:52:34.645 PDT)
  71.7.248.168 (13:54:40.512 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->10648 (13:54:40.512 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (13:55:30.997 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 56324->6099 (13:55:30.997 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1364158354.645 1364158354.646 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 2.230.52.152, 91.218.38.132, 79.140.7.108, 117.254.243.197
Resource List:
Observed Start: 03/24/2013 15:54:30.199 PDT
Gen. Time: 03/24/2013 15:56:30.936 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
  Info 2.230.52.152 (15:54:41.067 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 63022->51413 (15:54:41.067 PDT)
  91.218.38.132 (15:54:30.199 PDT) event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 62881->2710 (15:54:30.199 PDT)
  79.140.7.108 (15:56:05.055 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->33566 (15:56:05.055 PDT)
  117.254.243.197 (15:55:05.060 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->43400 (15:55:05.060 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (15:56:30.936 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (15:56:30.936 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1364165670.199 1364165670.200 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 2.230.52.152, 91.218.38.132, 79.140.7.108, 90.217.171.236, 96.23.1.14, 208.83.20.164 (2), 117.254.243.197
Resource List:
Observed Start: 03/24/2013 15:54:30.199 PDT
Gen. Time: 03/24/2013 15:58:05.098 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
  Info 2.230.52.152 (15:54:41.067 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 63022->51413 (15:54:41.067 PDT)
  91.218.38.132 (15:54:30.199 PDT) event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 62881->2710 (15:54:30.199 PDT)
  79.140.7.108 (15:56:05.055 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->33566 (15:56:05.055 PDT)
  90.217.171.236 (15:58:05.098 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->10407 (15:58:05.098 PDT)
  96.23.1.14 (15:57:05.009 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->24874 (15:57:05.009 PDT)
  208.83.20.164 (2) (15:56:41.195 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 64111->6969 (15:56:41.195 PDT)
  -------------------------
  event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%81%B4[0%BAx%FF%8C%FF%FF%FF%FD%01%A0S%FF] MAC_Src: 00:01:64:FF:CE:EA 64112->80 (15:56:41.195 PDT)
  117.254.243.197 (15:55:05.060 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->43400 (15:55:05.060 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (15:56:30.936 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (15:56:30.936 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1364165670.199 1364165670.200 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 94.98.34.225, 2.230.52.152 (2), 178.239.54.153, 119.46.206.39, 89.206.2.33, 75.187.51.168, 78.134.98.21, 208.83.20.164 (2)
Resource List:
Observed Start: 03/24/2013 17:54:22.102 PDT
Gen. Time: 03/24/2013 17:57:50.722 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
  Info 94.98.34.225 (17:55:22.593 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->53854 (17:55:22.593 PDT)
  2.230.52.152 (2) (17:55:19.403 PDT) event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 57147->51413 (17:55:19.403 PDT) 57637->51413 (17:56:31.130 PDT)
  178.239.54.153 (17:54:51.254 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 56950->3310 (17:54:51.254 PDT)
  119.46.206.39 (17:57:31.158 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 58018->16881 (17:57:31.158 PDT)
  89.206.2.33 (17:57:22.386 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->52503 (17:57:22.386 PDT)
  75.187.51.168 (17:56:22.539 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->54448 (17:56:22.539 PDT)
  78.134.98.21 (17:54:22.102 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->58949 (17:54:22.102 PDT)
  208.83.20.164 (2) (17:57:00.645 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 57847->6969 (17:57:00.645 PDT)
  -------------------------
  event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%81%B4[0%BAx%FF%8C%FF%FF%FF%FD%01%A0S%FF] MAC_Src: 00:01:64:FF:CE:EA 57848->80 (17:57:00.645 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (17:57:50.722 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 58226->6099 (17:57:50.722 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1364172862.102 1364172862.103 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 208.83.20.164 (2), 89.206.2.33, 119.46.206.39, 181.165.242.106, 94.98.34.225, 75.187.51.168, 78.134.98.21, 178.239.54.153, 2.230.52.152 (2)
Resource List:
Observed Start: 03/24/2013 17:54:22.102 PDT
Gen.
Time: 03/24/2013 17:58:22.674 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 208.83.20.164 (2) (17:57:00.645 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 57847->6969 (17:57:00.645 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%81%B4[0%BAx%FF%8C%FF%FF%FF%FD%01%A0S%FF] MAC_Src: 00:01:64:FF:CE:EA 57848->80 (17:57:00.645 PDT) 89.206.2.33 (17:57:22.386 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->52503 (17:57:22.386 PDT) 119.46.206.39 (17:57:31.158 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 58018->16881 (17:57:31.158 PDT) 181.165.242.106 (17:58:22.674 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->18094 (17:58:22.674 PDT) 94.98.34.225 (17:55:22.593 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->53854 (17:55:22.593 PDT) 75.187.51.168 (17:56:22.539 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->54448 (17:56:22.539 PDT) 78.134.98.21 (17:54:22.102 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->58949 (17:54:22.102 PDT) 178.239.54.153 (17:54:51.254 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 56950->3310 (17:54:51.254 PDT) 2.230.52.152 (2) (17:55:19.403 PDT) event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 57147->51413 (17:55:19.403 PDT) 57637->51413 (17:56:31.130 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (17:57:50.722 PDT) 
event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 58226->6099 (17:57:50.722 PDT) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1364172862.102 1364172862.103 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 50.68.12.118, 85.17.143.16, 208.83.20.164 (2) Resource List: Observed Start: 03/24/2013 19:56:45.917 PDT Gen. Time: 03/24/2013 19:58:20.650 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 50.68.12.118 (19:57:34.166 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->41942 (19:57:34.166 PDT) 85.17.143.16 (19:56:45.917 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 61094->6969 (19:56:45.917 PDT) 208.83.20.164 (2) (19:57:10.968 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 61235->6969 (19:57:10.968 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%81%B4[0%BAx%FF%8C%FF%FF%FF%FD%01%A0S%FF] MAC_Src: 00:01:64:FF:CE:EA 61236->80 (19:57:10.968 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (19:58:20.650 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (19:58:20.650 PDT) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1364180205.917 1364180205.918 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' 
============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 178.239.54.153, 50.68.12.118, 85.17.143.16, 99.230.104.255, 208.83.20.164 (2) Resource List: Observed Start: 03/24/2013 19:56:45.917 PDT Gen. Time: 03/24/2013 19:58:34.330 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 178.239.54.153 (19:58:21.212 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 61681->3310 (19:58:21.212 PDT) 50.68.12.118 (19:57:34.166 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->41942 (19:57:34.166 PDT) 85.17.143.16 (19:56:45.917 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 61094->6969 (19:56:45.917 PDT) 99.230.104.255 (19:58:34.330 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->53512 (19:58:34.330 PDT) 208.83.20.164 (2) (19:57:10.968 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 61235->6969 (19:57:10.968 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%81%B4[0%BAx%FF%8C%FF%FF%FF%FD%01%A0S%FF] MAC_Src: 00:01:64:FF:CE:EA 61236->80 (19:57:10.968 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (19:58:20.650 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (19:58:20.650 PDT) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1364180205.917 1364180205.918 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' 
============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 178.239.54.153 (2), 216.221.72.112, 200.114.132.30, 173.11.243.162, 208.83.20.164 (2), 112.201.190.91 Resource List: Observed Start: 03/24/2013 21:55:57.192 PDT Gen. Time: 03/24/2013 21:59:30.372 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 178.239.54.153 (2) (21:56:30.457 PDT) event=1:1100016 (2) {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 49931->3310 (21:56:30.457 PDT) 50419->3310 (21:59:01.177 PDT) 216.221.72.112 (21:55:57.192 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->28380 (21:55:57.192 PDT) 200.114.132.30 (21:56:58.643 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->46515 (21:56:58.643 PDT) 173.11.243.162 (21:58:01.675 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51413 (21:58:01.675 PDT) 208.83.20.164 (2) (21:57:41.018 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 50143->6969 (21:57:41.018 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%81%B4[0%BAx%FF%8C%FF%FF%FF%FD%01%A0S%FF] MAC_Src: 00:01:64:FF:CE:EA 50144->80 (21:57:41.018 PDT) 112.201.190.91 (21:59:04.467 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->22954 (21:59:04.467 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (21:59:30.372 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] 
MAC_Src: 00:01:64:FF:CE:EA 50572->6099 (21:59:30.372 PDT) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1364187357.192 1364187357.193 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 178.239.54.153 (2), 75.159.142.5, 216.221.72.112, 200.114.132.30, 173.11.243.162, 208.83.20.164 (2), 112.201.190.91 Resource List: Observed Start: 03/24/2013 21:55:57.192 PDT Gen. Time: 03/24/2013 22:00:04.464 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 178.239.54.153 (2) (21:56:30.457 PDT) event=1:1100016 (2) {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 49931->3310 (21:56:30.457 PDT) 50419->3310 (21:59:01.177 PDT) 75.159.142.5 (22:00:04.464 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->62658 (22:00:04.464 PDT) 216.221.72.112 (21:55:57.192 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->28380 (21:55:57.192 PDT) 200.114.132.30 (21:56:58.643 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->46515 (21:56:58.643 PDT) 173.11.243.162 (21:58:01.675 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51413 (21:58:01.675 PDT) 208.83.20.164 (2) (21:57:41.018 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 50143->6969 (21:57:41.018 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%81%B4[0%BAx%FF%8C%FF%FF%FF%FD%01%A0S%FF] MAC_Src: 00:01:64:FF:CE:EA 50144->80 
(21:57:41.018 PDT) 112.201.190.91 (21:59:04.467 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->22954 (21:59:04.467 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (21:59:30.372 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 50572->6099 (21:59:30.372 PDT) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1364187357.192 1364187357.193 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================