Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 183.136.156.21
Resource List:
Observed Start: 03/26/2013 00:13:09.747 PDT
Gen. Time: 03/26/2013 00:13:10.970 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  183.136.156.21 (00:13:09.747 PDT)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
    62524->30039 (00:13:09.747 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (00:13:10.970 PDT)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->6099 (00:13:10.970 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1364281989.747 1364281989.748 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 72.11.161.253, 203.106.65.16, 211.26.197.121, 183.136.156.21 (2), 68.150.224.48, 2.39.174.86
Resource List:
Observed Start: 03/26/2013 00:13:09.747 PDT
Gen. Time: 03/26/2013 00:16:59.248 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  72.11.161.253 (00:16:21.600 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->33462 (00:16:21.600 PDT)
  203.106.65.16 (00:14:21.859 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->11311 (00:14:21.859 PDT)
  211.26.197.121 (00:13:19.257 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->45007 (00:13:19.257 PDT)
  183.136.156.21 (2) (00:13:09.747 PDT)
    event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
    62524->30039 (00:13:09.747 PDT)
    63490->30039 (00:16:20.295 PDT)
  68.150.224.48 (00:15:19.372 PDT)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
    63139->51413 (00:15:19.372 PDT)
  2.39.174.86 (00:15:21.281 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->9910 (00:15:21.281 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (00:13:10.970 PDT)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->6099 (00:13:10.970 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1364281989.747 1364281989.748 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 79.43.109.89, 85.17.143.16, 78.80.8.101, 50.156.56.149, 85.73.204.61
Resource List:
Observed Start: 03/26/2013 02:12:14.200 PDT
Gen. Time: 03/26/2013 02:14:51.272 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  79.43.109.89 (02:13:22.144 PDT)
    event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:01:64:FF:CE:EA
    53215->6881 (02:13:22.144 PDT)
  85.17.143.16 (02:12:40.634 PDT)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
    52867->6969 (02:12:40.634 PDT)
  78.80.8.101 (02:13:14.511 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->43262 (02:13:14.511 PDT)
  50.156.56.149 (02:14:17.998 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->29090 (02:14:17.998 PDT)
  85.73.204.61 (02:12:14.200 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->58992 (02:12:14.200 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (02:14:51.272 PDT)
    event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
    53634->6099 (02:14:51.272 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1364289134.200 1364289134.201 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 79.43.109.89 (4), 218.231.222.245, 85.17.143.16, 78.80.8.101, 50.156.56.149, 85.73.204.61
Resource List:
Observed Start: 03/26/2013 02:12:14.200 PDT
Gen. Time: 03/26/2013 02:16:15.762 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  79.43.109.89 (4) (02:13:22.144 PDT)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
    53733->6881 (02:15:12.172 PDT)
    -------------------------
    event=1:2102181 (3) {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:01:64:FF:CE:EA
    53215->6881 (02:13:22.144 PDT)
    53733->6881 (02:15:12.172 PDT)
    54017->6881 (02:16:09.184 PDT)
  218.231.222.245 (02:15:17.021 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->49152 (02:15:17.021 PDT)
  85.17.143.16 (02:12:40.634 PDT)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
    52867->6969 (02:12:40.634 PDT)
  78.80.8.101 (02:13:14.511 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->43262 (02:13:14.511 PDT)
  50.156.56.149 (02:14:17.998 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->29090 (02:14:17.998 PDT)
  85.73.204.61 (02:12:14.200 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->58992 (02:12:14.200 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (02:14:51.272 PDT)
    event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
    53634->6099 (02:14:51.272 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1364289134.200 1364289134.201 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 79.43.109.89, 189.110.63.195, 87.58.10.225, 183.136.156.21
Resource List:
Observed Start: 03/26/2013 04:13:03.972 PDT
Gen. Time: 03/26/2013 04:15:00.654 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  79.43.109.89 (04:13:17.097 PDT)
    event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:01:64:FF:CE:EA
    50996->6881 (04:13:17.097 PDT)
  189.110.63.195 (04:14:03.224 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->50237 (04:14:03.224 PDT)
  87.58.10.225 (04:13:03.972 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->58156 (04:13:03.972 PDT)
  183.136.156.21 (04:14:04.610 PDT)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
    51228->30039 (04:14:04.610 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (04:15:00.654 PDT)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->6099 (04:15:00.654 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1364296383.972 1364296383.973 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 177.32.99.161, 79.43.109.89 (6), 94.255.14.225 (2), 150.101.100.2, 189.110.63.195, 87.58.10.225, 183.136.156.21, 37.153.12.154 (2)
Resource List:
Observed Start: 03/26/2013 04:13:03.972 PDT
Gen. Time: 03/26/2013 04:16:56.139 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  177.32.99.161 (04:15:03.418 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->10506 (04:15:03.418 PDT)
  79.43.109.89 (6) (04:13:17.097 PDT)
    event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
    51831->6881 (04:15:19.134 PDT)
    52356->6881 (04:16:19.152 PDT)
    -------------------------
    event=1:2102181 (4) {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:01:64:FF:CE:EA
    50996->6881 (04:13:17.097 PDT)
    51831->6881 (04:15:19.134 PDT)
    52356->6881 (04:16:19.152 PDT)
    52490->6881 (04:16:29.154 PDT)
  94.255.14.225 (2) (04:15:26.636 PDT)
    event=1:2102181 (2) {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:01:64:FF:CE:EA
    51946->6881 (04:15:26.636 PDT)
    52013->6881 (04:15:36.138 PDT)
  150.101.100.2 (04:16:03.747 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->60053 (04:16:03.747 PDT)
  189.110.63.195 (04:14:03.224 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->50237 (04:14:03.224 PDT)
  87.58.10.225 (04:13:03.972 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->58156 (04:13:03.972 PDT)
  183.136.156.21 (04:14:04.610 PDT)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
    51228->30039 (04:14:04.610 PDT)
  37.153.12.154 (2) (04:16:36.350 PDT)
    event=1:2102181 (2) {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:01:64:FF:CE:EA
    52518->6881 (04:16:36.350 PDT)
    52533->6881 (04:16:45.862 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (04:15:00.654 PDT)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->6099 (04:15:00.654 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1364296383.972 1364296383.973 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 84.24.182.91, 86.198.7.249, 79.43.109.89 (5), 91.218.38.132 (2), 94.8.209.61, 166.78.158.73
Resource List:
Observed Start: 03/26/2013 06:13:19.652 PDT
Gen. Time: 03/26/2013 06:16:10.692 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  84.24.182.91 (06:15:22.038 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->21908 (06:15:22.038 PDT)
  86.198.7.249 (06:13:19.652 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->59548 (06:13:19.652 PDT)
  79.43.109.89 (5) (06:13:21.089 PDT)
    event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
    56428->6881 (06:14:18.104 PDT)
    57038->6881 (06:15:29.123 PDT)
    -------------------------
    event=1:2102181 (3) {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:01:64:FF:CE:EA
    56102->6881 (06:13:21.089 PDT)
    56428->6881 (06:14:18.104 PDT)
    57038->6881 (06:15:29.123 PDT)
  91.218.38.132 (2) (06:13:30.713 PDT)
    event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
    56136->2710 (06:13:30.713 PDT)
    -------------------------
    event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA
    56136->2710 (06:13:30.713 PDT)
  94.8.209.61 (06:14:21.989 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->62834 (06:14:21.989 PDT)
  166.78.158.73 (06:15:30.985 PDT)
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
    57043->6969 (06:15:30.985 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (06:16:10.692 PDT)
    event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
    57190->6099 (06:16:10.692 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1364303599.652 1364303599.653 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 84.24.182.91, 86.198.7.249, 79.43.109.89 (7), 91.218.38.132 (2), 94.8.209.61, 180.153.115.172, 166.78.158.73, 219.90.141.248
Resource List:
Observed Start: 03/26/2013 06:13:19.652 PDT
Gen. Time: 03/26/2013 06:17:21.096 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  84.24.182.91 (06:15:22.038 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->21908 (06:15:22.038 PDT)
  86.198.7.249 (06:13:19.652 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->59548 (06:13:19.652 PDT)
  79.43.109.89 (7) (06:13:21.089 PDT)
    event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
    56428->6881 (06:14:18.104 PDT)
    57038->6881 (06:15:29.123 PDT)
    -------------------------
    event=1:2102181 (5) {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:01:64:FF:CE:EA
    56102->6881 (06:13:21.089 PDT)
    56428->6881 (06:14:18.104 PDT)
    57038->6881 (06:15:29.123 PDT)
    57333->6881 (06:16:18.136 PDT)
    57818->6881 (06:17:18.155 PDT)
  91.218.38.132 (2) (06:13:30.713 PDT)
    event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
    56136->2710 (06:13:30.713 PDT)
    -------------------------
    event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA
    56136->2710 (06:13:30.713 PDT)
  94.8.209.61 (06:14:21.989 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->62834 (06:14:21.989 PDT)
  180.153.115.172 (06:16:35.141 PDT)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
    57516->21599 (06:16:35.141 PDT)
  166.78.158.73 (06:15:30.985 PDT)
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
    57043->6969 (06:15:30.985 PDT)
  219.90.141.248 (06:16:23.618 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->63587 (06:16:23.618 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (06:16:10.692 PDT)
    event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
    57190->6099 (06:16:10.692 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1364303599.652 1364303599.653 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 178.239.54.153, 79.43.109.89 (3), 82.3.137.27, 109.100.141.12, 150.101.100.2, 186.159.113.86, 151.247.123.95, 119.46.206.81
Resource List:
Observed Start: 03/26/2013 08:13:21.294 PDT
Gen. Time: 03/26/2013 08:16:42.997 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  178.239.54.153 (08:16:11.197 PDT)
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
    50095->3310 (08:16:11.197 PDT)
  79.43.109.89 (3) (08:14:26.597 PDT)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
    49265->6881 (08:14:26.597 PDT)
    -------------------------
    event=1:2102181 (2) {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:01:64:FF:CE:EA
    49265->6881 (08:14:26.597 PDT)
    50496->6881 (08:16:34.134 PDT)
  82.3.137.27 (08:16:36.301 PDT)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
    50523->51413 (08:16:36.301 PDT)
  109.100.141.12 (08:15:35.336 PDT)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
    49854->51413 (08:15:35.336 PDT)
  150.101.100.2 (08:15:12.058 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->60053 (08:15:12.058 PDT)
  186.159.113.86 (08:14:11.597 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->29227 (08:14:11.597 PDT)
  151.247.123.95 (08:16:12.817 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->21106 (08:16:12.817 PDT)
  119.46.206.81 (08:13:21.294 PDT)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
    65116->16884 (08:13:21.294 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (08:16:42.997 PDT)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->6099 (08:16:42.997 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1364310801.294 1364310801.295 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 109.100.141.12, 82.36.253.43, 151.247.123.95, 82.3.137.27, 150.101.100.2, 178.239.54.153, 119.46.206.81, 186.159.113.86, 79.43.109.89 (4)
Resource List:
Observed Start: 03/26/2013 08:13:21.294 PDT
Gen. Time: 03/26/2013 08:17:26.469 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  109.100.141.12 (08:15:35.336 PDT)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
    49854->51413 (08:15:35.336 PDT)
  82.36.253.43 (08:17:14.820 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->49995 (08:17:14.820 PDT)
  151.247.123.95 (08:16:12.817 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->21106 (08:16:12.817 PDT)
  82.3.137.27 (08:16:36.301 PDT)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
    50523->51413 (08:16:36.301 PDT)
  150.101.100.2 (08:15:12.058 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->60053 (08:15:12.058 PDT)
  178.239.54.153 (08:16:11.197 PDT)
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
    50095->3310 (08:16:11.197 PDT)
  119.46.206.81 (08:13:21.294 PDT)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
    65116->16884 (08:13:21.294 PDT)
  186.159.113.86 (08:14:11.597 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->29227 (08:14:11.597 PDT)
  79.43.109.89 (4) (08:14:26.597 PDT)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
    49265->6881 (08:14:26.597 PDT)
    -------------------------
    event=1:2102181 (3) {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:01:64:FF:CE:EA
    49265->6881 (08:14:26.597 PDT)
    50496->6881 (08:16:34.134 PDT)
    50746->6881 (08:17:19.646 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (08:16:42.997 PDT)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->6099 (08:16:42.997 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1364310801.294 1364310801.295 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 79.43.109.89 (2), 83.59.130.10, 24.67.141.71, 119.46.206.101, 166.78.158.73, 180.153.115.172, 82.50.125.177
Resource List:
Observed Start: 03/26/2013 10:15:39.838 PDT
Gen. Time: 03/26/2013 10:18:20.950 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  79.43.109.89 (2) (10:16:35.638 PDT)
    event=1:2102181 (2) {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:01:64:FF:CE:EA
    50943->6881 (10:16:35.638 PDT)
    51600->6881 (10:17:41.155 PDT)
  83.59.130.10 (10:16:17.219 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->55669 (10:16:17.219 PDT)
  24.67.141.71 (10:17:17.150 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->6881 (10:17:17.150 PDT)
  119.46.206.101 (10:15:39.838 PDT)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
    50436->16884 (10:15:39.838 PDT)
  166.78.158.73 (10:16:50.760 PDT)
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
    51184->6969 (10:16:50.760 PDT)
  180.153.115.172 (10:16:45.642 PDT)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
    51138->21599 (10:16:45.642 PDT)
  82.50.125.177 (10:18:18.315 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->30540 (10:18:18.315 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (10:18:20.950 PDT)
    event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
    52007->6099 (10:18:20.950 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1364318139.838 1364318139.839 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 79.43.109.89 (4), 83.59.130.10, 24.67.141.71, 119.46.206.101, 166.78.158.73, 180.153.115.172 (2), 5.110.236.29, 82.50.125.177
Resource List:
Observed Start: 03/26/2013 10:15:39.838 PDT
Gen. Time: 03/26/2013 10:19:39.917 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  79.43.109.89 (4) (10:16:35.638 PDT)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
    52591->6881 (10:19:31.684 PDT)
    -------------------------
    event=1:2102181 (3) {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:01:64:FF:CE:EA
    50943->6881 (10:16:35.638 PDT)
    51600->6881 (10:17:41.155 PDT)
    52591->6881 (10:19:31.684 PDT)
  83.59.130.10 (10:16:17.219 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->55669 (10:16:17.219 PDT)
  24.67.141.71 (10:17:17.150 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->6881 (10:17:17.150 PDT)
  119.46.206.101 (10:15:39.838 PDT)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
    50436->16884 (10:15:39.838 PDT)
  166.78.158.73 (10:16:50.760 PDT)
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
    51184->6969 (10:16:50.760 PDT)
  180.153.115.172 (2) (10:16:45.642 PDT)
    event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
    51138->21599 (10:16:45.642 PDT)
    52130->21599 (10:18:29.168 PDT)
  5.110.236.29 (10:19:19.316 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->60580 (10:19:19.316 PDT)
  82.50.125.177 (10:18:18.315 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->30540 (10:18:18.315 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (10:18:20.950 PDT)
    event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
    52007->6099 (10:18:20.950 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1364318139.838 1364318139.839 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 79.43.109.89 (2)
Resource List:
Observed Start: 03/26/2013 12:18:38.166 PDT
Gen. Time: 03/26/2013 12:18:40.784 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  79.43.109.89 (2) (12:18:38.166 PDT)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
    57293->6881 (12:18:38.166 PDT)
    -------------------------
    event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:01:64:FF:CE:EA
    57293->6881 (12:18:38.166 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (12:18:40.784 PDT)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->6099 (12:18:40.784 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1364325518.166 1364325518.167 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 218.186.80.47, 79.43.109.89 (6), 189.60.17.149, 80.174.189.60, 183.136.156.21, 80.47.123.108
Resource List:
Observed Start: 03/26/2013 12:18:38.166 PDT
Gen. Time: 03/26/2013 12:23:02.238 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  218.186.80.47 (12:22:11.451 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->15494 (12:22:11.451 PDT)
  79.43.109.89 (6) (12:18:38.166 PDT)
    event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
    57293->6881 (12:18:38.166 PDT)
    59457->6881 (12:22:21.238 PDT)
    -------------------------
    event=1:2102181 (4) {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:01:64:FF:CE:EA
    57293->6881 (12:18:38.166 PDT)
    57915->6881 (12:19:30.182 PDT)
    59074->6881 (12:21:35.222 PDT)
    59457->6881 (12:22:21.238 PDT)
  189.60.17.149 (12:19:10.879 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->21268 (12:19:10.879 PDT)
  80.174.189.60 (12:20:11.001 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->58007 (12:20:11.001 PDT)
  183.136.156.21 (12:21:18.717 PDT)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
    58786->30039 (12:21:18.717 PDT)
  80.47.123.108 (12:21:11.774 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->36853 (12:21:11.774 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (12:18:40.784 PDT)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->6099 (12:18:40.784 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1364325518.166 1364325518.167 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 79.43.109.89, 108.70.88.136, 166.78.158.73, 183.136.156.21, 186.86.1.198, 190.135.32.3
Resource List:
Observed Start: 03/26/2013 14:17:24.109 PDT
Gen. Time: 03/26/2013 14:20:21.460 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  79.43.109.89 (14:17:30.666 PDT)
    event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:01:64:FF:CE:EA
    60690->6881 (14:17:30.666 PDT)
  108.70.88.136 (14:18:24.334 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->13835 (14:18:24.334 PDT)
  166.78.158.73 (14:18:01.255 PDT)
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
    60966->6969 (14:18:01.255 PDT)
  183.136.156.21 (14:19:42.201 PDT)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
    61893->30039 (14:19:42.201 PDT)
  186.86.1.198 (14:19:25.203 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->45682 (14:19:25.203 PDT)
  190.135.32.3 (14:17:24.109 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->57949 (14:17:24.109 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (14:20:21.460 PDT)
    event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
    62208->6099 (14:20:21.460 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1364332644.109 1364332644.110 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 79.43.109.89 (2), 108.70.88.136, 166.78.158.73, 183.136.156.21, 186.86.1.198, 190.135.32.3, 95.226.214.213
Resource List:
Observed Start: 03/26/2013 14:17:24.109 PDT
Gen. Time: 03/26/2013 14:21:24.362 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  79.43.109.89 (2) (14:17:30.666 PDT)
    event=1:2102181 (2) {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:01:64:FF:CE:EA
    60690->6881 (14:17:30.666 PDT)
    62414->6881 (14:20:33.717 PDT)
  108.70.88.136 (14:18:24.334 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->13835 (14:18:24.334 PDT)
  166.78.158.73 (14:18:01.255 PDT)
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
    60966->6969 (14:18:01.255 PDT)
  183.136.156.21 (14:19:42.201 PDT)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
    61893->30039 (14:19:42.201 PDT)
  186.86.1.198 (14:19:25.203 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->45682 (14:19:25.203 PDT)
  190.135.32.3 (14:17:24.109 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->57949 (14:17:24.109 PDT)
  95.226.214.213 (14:20:25.724 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->24848 (14:20:25.724 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (14:20:21.460 PDT)
    event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
    62208->6099 (14:20:21.460 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1364332644.109 1364332644.110 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 79.43.109.89 (2), 86.215.81.11
Resource List:
Observed Start: 03/26/2013 16:20:23.766 PDT
Gen. Time: 03/26/2013 16:21:20.966 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  79.43.109.89 (2) (16:20:23.766 PDT)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
    56811->6881 (16:20:23.766 PDT)
    -------------------------
    event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:01:64:FF:CE:EA
    56811->6881 (16:20:23.766 PDT)
  86.215.81.11 (16:21:19.388 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->6881 (16:21:19.388 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (16:21:20.966 PDT)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->6099 (16:21:20.966 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1364340023.766 1364340023.767 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 79.43.109.89 (2), 71.72.213.203, 85.138.46.223, 183.136.156.21, 86.215.81.11, 82.50.125.177
Resource List:
Observed Start: 03/26/2013 16:20:23.766 PDT
Gen. Time: 03/26/2013 16:24:25.011 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  79.43.109.89 (2) (16:20:23.766 PDT)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
    56811->6881 (16:20:23.766 PDT)
    -------------------------
    event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:01:64:FF:CE:EA
    56811->6881 (16:20:23.766 PDT)
  71.72.213.203 (16:22:19.384 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->51413 (16:22:19.384 PDT)
  85.138.46.223 (16:23:19.537 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->34650 (16:23:19.537 PDT)
  183.136.156.21 (16:23:22.322 PDT)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
    58147->30039 (16:23:22.322 PDT)
  86.215.81.11 (16:21:19.388 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->6881 (16:21:19.388 PDT)
  82.50.125.177 (16:24:20.485 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->30540 (16:24:20.485 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (16:21:20.966 PDT)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
    51413->6099 (16:21:20.966 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1364340023.766 1364340023.767 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord.
List: 89.138.56.183, 91.218.38.132 (2), 112.186.136.107 Resource List: Observed Start: 03/26/2013 18:21:16.590 PDT Gen. Time: 03/26/2013 18:23:10.808 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 89.138.56.183 (18:21:17.085 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->49122 (18:21:17.085 PDT) 91.218.38.132 (2) (18:21:16.590 PDT) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 58361->2710 (18:21:16.590 PDT) ------------------------- event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 58361->2710 (18:21:16.590 PDT) 112.186.136.107 (18:22:19.361 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->52413 (18:22:19.361 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (18:23:10.808 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 59988->6099 (18:23:10.808 PDT) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1364347276.590 1364347276.591 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 5.22.128.4, 89.138.56.183, 91.218.38.132 (2), 112.186.136.107, 37.153.12.154 (3), 201.21.55.29 Resource List: Observed Start: 03/26/2013 18:21:16.590 PDT Gen. 
Time: 03/26/2013 18:25:16.775 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 5.22.128.4 (18:23:21.655 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->24544 (18:23:21.655 PDT) 89.138.56.183 (18:21:17.085 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->49122 (18:21:17.085 PDT) 91.218.38.132 (2) (18:21:16.590 PDT) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 58361->2710 (18:21:16.590 PDT) ------------------------- event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 58361->2710 (18:21:16.590 PDT) 112.186.136.107 (18:22:19.361 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->52413 (18:22:19.361 PDT) 37.153.12.154 (3) (18:23:19.156 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 60151->6881 (18:23:19.156 PDT) ------------------------- event=1:2102181 (2) {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:01:64:FF:CE:EA 60151->6881 (18:23:19.156 PDT) 60284->6881 (18:23:29.147 PDT) 201.21.55.29 (18:24:21.164 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->45725 (18:24:21.164 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (18:23:10.808 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 59988->6099 (18:23:10.808 PDT) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1364347276.590 1364347276.591 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 
(>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 88.24.243.22 Resource List: Observed Start: 03/26/2013 20:23:31.725 PDT Gen. Time: 03/26/2013 20:24:00.588 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 88.24.243.22 (20:23:31.725 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->32958 (20:23:31.725 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (20:24:00.588 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (20:24:00.588 PDT) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1364354611.725 1364354611.726 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 108.181.26.246, 91.218.38.132 (2), 199.59.243.63 (2), 79.42.81.232, 78.129.0.228, 183.136.156.21, 88.24.243.22 Resource List: Observed Start: 03/26/2013 20:23:31.725 PDT Gen. 
Time: 03/26/2013 20:27:31.840 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 108.181.26.246 (20:25:34.428 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->56980 (20:25:34.428 PDT) 91.218.38.132 (2) (20:26:11.055 PDT) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 57940->2710 (20:26:11.055 PDT) ------------------------- event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 57940->2710 (20:26:11.055 PDT) 199.59.243.63 (2) (20:26:00.792 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 57884->80 (20:26:00.792 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF9%FFW%97%12%FFV%1B%A0%A8%0C%16Q%02%0D%A2] MAC_Src: 00:01:64:FF:CE:EA 57884->80 (20:26:00.792 PDT) 79.42.81.232 (20:26:37.649 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->64572 (20:26:37.649 PDT) 78.129.0.228 (20:24:32.518 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->11100 (20:24:32.518 PDT) 183.136.156.21 (20:25:14.950 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 57447->14638 (20:25:14.950 PDT) 88.24.243.22 (20:23:31.725 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->32958 (20:23:31.725 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (20:24:00.588 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (20:24:00.588 PDT) DECLARE BOT OUTBOUND 
INTENSE MALWARE PORT SCAN tcpslice 1364354611.725 1364354611.726 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 24.54.57.147, 82.161.46.166, 99.248.204.160 Resource List: Observed Start: 03/26/2013 22:23:44.462 PDT Gen. Time: 03/26/2013 22:25:51.471 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 24.54.57.147 (22:25:49.072 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->22126 (22:25:49.072 PDT) 82.161.46.166 (22:23:44.462 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->22142 (22:23:44.462 PDT) 99.248.204.160 (22:24:46.053 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->60912 (22:24:46.053 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (22:25:51.471 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 57819->6099 (22:25:51.471 PDT) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1364361824.462 1364361824.463 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 24.54.57.147, 121.214.216.167, 82.161.46.166, 91.218.38.132 (2), 199.59.243.63 (2), 99.248.204.160, 183.136.156.21 Resource List: Observed Start: 03/26/2013 22:23:44.462 PDT Gen. 
Time: 03/26/2013 22:27:44.836 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 24.54.57.147 (22:25:49.072 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->22126 (22:25:49.072 PDT) 121.214.216.167 (22:26:53.462 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->26386 (22:26:53.462 PDT) 82.161.46.166 (22:23:44.462 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->22142 (22:23:44.462 PDT) 91.218.38.132 (2) (22:27:12.817 PDT) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 58206->2710 (22:27:12.817 PDT) ------------------------- event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 58206->2710 (22:27:12.817 PDT) 199.59.243.63 (2) (22:26:31.551 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 58098->80 (22:26:31.551 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF9%FFW%97%12%FFV%1B%A0%A8%0C%16Q%02%0D%A2] MAC_Src: 00:01:64:FF:CE:EA 58098->80 (22:26:31.551 PDT) 99.248.204.160 (22:24:46.053 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->60912 (22:24:46.053 PDT) 183.136.156.21 (22:26:18.363 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 58043->14638 (22:26:18.363 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (22:25:51.471 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 57819->6099 (22:25:51.471 PDT) DECLARE BOT OUTBOUND 
INTENSE MALWARE PORT SCAN tcpslice 1364361824.462 1364361824.463 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================