Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 2.28.24.168, 50.19.95.119 (2), 178.207.16.88, 71.187.0.178, 166.78.158.73, 220.245.18.190, 82.16.144.214, 82.74.170.163 Resource List: Observed Start: 03/28/2013 02:34:10.212 PDT Gen. Time: 03/28/2013 02:36:51.568 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 2.28.24.168 (02:36:10.835 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->64564 (02:36:10.835 PDT) 50.19.95.119 (2) (02:36:01.486 PDT) event=1:1100017 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 55153->80 (02:36:01.486 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/trac/scrape.php?info_hash=%FF%F9%BAb%1A%FF%A6%FF%FF%97%9B%0F%93%FF%FD] MAC_Src: 00:01:64:FF:CE:EA 55153->80 (02:36:01.486 PDT) 178.207.16.88 (02:34:39.895 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 54761->16881 (02:34:39.895 PDT) 71.187.0.178 (02:35:51.315 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 55139->6969 (02:35:51.315 PDT) 166.78.158.73 (02:34:31.511 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 54728->6969 (02:34:31.511 PDT) 220.245.18.190 (02:34:10.212 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->57042 (02:34:10.212 PDT) 82.16.144.214 (02:35:10.394 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->22222 (02:35:10.394 PDT) 82.74.170.163 (02:35:49.863 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 55134->51413 (02:35:49.863 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (02:36:51.568 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 55452->6099 (02:36:51.568 PDT) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1364463250.212 1364463250.213 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 183.136.156.21, 93.38.75.185, 166.78.158.73, 82.16.144.214, 220.245.18.190, 2.28.24.168, 82.74.170.163, 71.187.0.178, 178.207.16.88, 50.19.95.119 (2) Resource List: Observed Start: 03/28/2013 02:34:10.212 PDT Gen. Time: 03/28/2013 02:38:09.239 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 183.136.156.21 (02:37:32.222 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 55777->12583 (02:37:32.222 PDT) 93.38.75.185 (02:37:11.632 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->21499 (02:37:11.632 PDT) 166.78.158.73 (02:34:31.511 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 54728->6969 (02:34:31.511 PDT) 82.16.144.214 (02:35:10.394 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->22222 (02:35:10.394 PDT) 220.245.18.190 (02:34:10.212 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->57042 (02:34:10.212 PDT) 2.28.24.168 (02:36:10.835 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->64564 (02:36:10.835 PDT) 82.74.170.163 (02:35:49.863 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 55134->51413 (02:35:49.863 PDT) 71.187.0.178 (02:35:51.315 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 55139->6969 (02:35:51.315 PDT) 178.207.16.88 (02:34:39.895 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 54761->16881 (02:34:39.895 PDT) 50.19.95.119 (2) (02:36:01.486 PDT) event=1:1100017 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 55153->80 (02:36:01.486 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/trac/scrape.php?info_hash=%FF%F9%BAb%1A%FF%A6%FF%FF%97%9B%0F%93%FF%FD] MAC_Src: 00:01:64:FF:CE:EA 55153->80 (02:36:01.486 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (02:36:51.568 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 55452->6099 (02:36:51.568 PDT) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1364463250.212 1364463250.213 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 50.19.95.119 (2), 91.218.38.132 (2), 71.187.0.178, 183.136.156.21, 121.1.52.25 Resource List: Observed Start: 03/28/2013 04:36:10.784 PDT Gen. Time: 03/28/2013 04:37:30.763 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 50.19.95.119 (2) (04:36:31.347 PDT) event=1:1100017 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 62007->80 (04:36:31.347 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/trac/scrape.php?info_hash=%FF%F9%BAb%1A%FF%A6%FF%FF%97%9B%0F%93%FF%FD] MAC_Src: 00:01:64:FF:CE:EA 62007->80 (04:36:31.347 PDT) 91.218.38.132 (2) (04:36:19.079 PDT) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 61958->2710 (04:36:19.079 PDT) ------------------------- event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 61958->2710 (04:36:19.079 PDT) 71.187.0.178 (04:36:10.784 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 61814->6969 (04:36:10.784 PDT) 183.136.156.21 (04:37:18.784 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 62264->12583 (04:37:18.784 PDT) 121.1.52.25 (04:36:31.272 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->42810 (04:36:31.272 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (04:37:30.763 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (04:37:30.763 PDT) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1364470570.784 1364470570.785 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 183.136.156.21 (2), 91.218.38.132 (2), 208.95.173.194, 24.203.11.185, 180.153.115.172, 71.187.0.178, 50.19.95.119 (2), 178.239.54.153 (2), 94.242.221.123, 121.1.52.25, 93.71.20.84, 86.97.181.67 Resource List: Observed Start: 03/28/2013 04:36:10.784 PDT Gen. Time: 03/28/2013 04:40:07.993 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 183.136.156.21 (2) (04:37:18.784 PDT) event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 62264->12583 (04:37:18.784 PDT) 63003->12583 (04:39:35.319 PDT) 91.218.38.132 (2) (04:36:19.079 PDT) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 61958->2710 (04:36:19.079 PDT) ------------------------- event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 61958->2710 (04:36:19.079 PDT) 208.95.173.194 (04:38:41.305 PDT) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 62673->2710 (04:38:41.305 PDT) 24.203.11.185 (04:38:32.866 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->45910 (04:38:32.866 PDT) 180.153.115.172 (04:38:26.302 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 62602->11938 (04:38:26.302 PDT) 71.187.0.178 (04:36:10.784 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 61814->6969 (04:36:10.784 PDT) 50.19.95.119 (2) (04:36:31.347 PDT) event=1:1100017 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 62007->80 (04:36:31.347 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/trac/scrape.php?info_hash=%FF%F9%BAb%1A%FF%A6%FF%FF%97%9B%0F%93%FF%FD] MAC_Src: 00:01:64:FF:CE:EA 62007->80 (04:36:31.347 PDT) 178.239.54.153 (2) (04:38:11.651 PDT) event=1:1100016 (2) {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 62445->3310 (04:38:11.651 PDT) 62985->3310 (04:39:31.721 PDT) 94.242.221.123 (04:38:41.292 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/free/scrape?info_hash=%9D%A2%81%13|%FF%B7%1Ar3%0E%B5%F0O%FF%FA%FF] MAC_Src: 00:01:64:FF:CE:EA 62674->80 (04:38:41.292 PDT) 121.1.52.25 (04:36:31.272 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->42810 (04:36:31.272 PDT) 93.71.20.84 (04:39:34.902 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->53321 (04:39:34.902 PDT) 86.97.181.67 (04:37:32.107 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->40253 (04:37:32.107 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (04:37:30.763 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (04:37:30.763 PDT) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1364470570.784 1364470570.785 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 208.95.173.194, 178.239.54.153, 187.67.52.141, 93.70.83.143, 150.101.100.2, 178.207.16.88 Resource List: Observed Start: 03/28/2013 06:38:06.093 PDT Gen. Time: 03/28/2013 06:39:11.259 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 208.95.173.194 (06:39:02.081 PDT) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 56480->2710 (06:39:02.081 PDT) 178.239.54.153 (06:38:41.395 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 56409->3310 (06:38:41.395 PDT) 187.67.52.141 (06:39:11.061 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->59696 (06:39:11.061 PDT) 93.70.83.143 (06:39:09.106 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 56506->6890 (06:39:09.106 PDT) 150.101.100.2 (06:38:11.546 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->60053 (06:38:11.546 PDT) 178.207.16.88 (06:38:06.093 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 56107->16881 (06:38:06.093 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (06:39:11.259 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 56554->6099 (06:39:11.259 PDT) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1364477886.093 1364477886.094 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 91.218.38.132 (2), 208.95.173.194, 187.67.52.141, 82.16.115.223, 178.207.16.88, 119.46.206.105, 150.101.100.2, 178.239.54.153 (2), 94.242.221.123, 93.70.83.143 (2) Resource List: Observed Start: 03/28/2013 06:38:06.093 PDT Gen. Time: 03/28/2013 06:41:56.776 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 91.218.38.132 (2) (06:40:20.218 PDT) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 56987->2710 (06:40:20.218 PDT) ------------------------- event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 56987->2710 (06:40:20.218 PDT) 208.95.173.194 (06:39:02.081 PDT) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 56480->2710 (06:39:02.081 PDT) 187.67.52.141 (06:39:11.061 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->59696 (06:39:11.061 PDT) 82.16.115.223 (06:41:11.571 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->60176 (06:41:11.571 PDT) 178.207.16.88 (06:38:06.093 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 56107->16881 (06:38:06.093 PDT) 119.46.206.105 (06:40:35.132 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 57102->16881 (06:40:35.132 PDT) 150.101.100.2 (06:38:11.546 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->60053 (06:38:11.546 PDT) 178.239.54.153 (2) (06:38:41.395 PDT) event=1:1100016 (2) {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 56409->3310 (06:38:41.395 PDT) 56888->3310 (06:40:11.857 PDT) 94.242.221.123 (06:39:11.422 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/free/scrape?info_hash=%9D%A2%81%13|%FF%B7%1Ar3%0E%B5%F0O%FF%FA%FF] MAC_Src: 00:01:64:FF:CE:EA 56553->80 (06:39:11.422 PDT) 93.70.83.143 (2) (06:39:09.106 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 56506->6890 (06:39:09.106 PDT) ------------------------- event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6890 (06:40:11.408 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (06:39:11.259 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 56554->6099 (06:39:11.259 PDT) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1364477886.093 1364477886.094 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 210.50.224.214, 109.201.148.249, 81.105.198.19 Resource List: Observed Start: 03/28/2013 08:38:05.398 PDT Gen. Time: 03/28/2013 08:39:20.552 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 210.50.224.214 (08:38:05.398 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->45007 (08:38:05.398 PDT) 109.201.148.249 (08:39:10.990 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 56880->2710 (08:39:10.990 PDT) 81.105.198.19 (08:39:08.135 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->35935 (08:39:08.135 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (08:39:20.552 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (08:39:20.552 PDT) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1364485085.398 1364485085.399 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 183.136.156.21, 81.105.198.19, 208.95.173.194, 109.201.148.249, 50.156.56.149, 210.50.224.214, 178.239.54.153, 94.242.221.123, 80.66.219.18 Resource List: Observed Start: 03/28/2013 08:38:05.398 PDT Gen. Time: 03/28/2013 08:42:06.191 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 183.136.156.21 (08:41:23.986 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 57947->12583 (08:41:23.986 PDT) 81.105.198.19 (08:39:08.135 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->35935 (08:39:08.135 PDT) 208.95.173.194 (08:39:31.338 PDT) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 57163->2710 (08:39:31.338 PDT) 109.201.148.249 (08:39:10.990 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 56880->2710 (08:39:10.990 PDT) 50.156.56.149 (08:41:08.684 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->29090 (08:41:08.684 PDT) 210.50.224.214 (08:38:05.398 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->45007 (08:38:05.398 PDT) 178.239.54.153 (08:40:31.105 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 57571->3310 (08:40:31.105 PDT) 94.242.221.123 (08:39:51.680 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/free/scrape?info_hash=%9D%A2%81%13|%FF%B7%1Ar3%0E%B5%F0O%FF%FA%FF] MAC_Src: 00:01:64:FF:CE:EA 57242->80 (08:39:51.680 PDT) 80.66.219.18 (08:40:08.267 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->7000 (08:40:08.267 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (08:39:20.552 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (08:39:20.552 PDT) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1364485085.398 1364485085.399 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 84.24.182.91, 94.242.221.123 Resource List: Observed Start: 03/28/2013 10:40:26.020 PDT Gen. Time: 03/28/2013 10:41:01.055 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 84.24.182.91 (10:40:26.020 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->21908 (10:40:26.020 PDT) 94.242.221.123 (10:40:31.789 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/free/scrape?info_hash=%9D%A2%81%13|%FF%B7%1Ar3%0E%B5%F0O%FF%FA%FF] MAC_Src: 00:01:64:FF:CE:EA 59329->80 (10:40:31.789 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (10:41:01.055 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 59392->6099 (10:41:01.055 PDT) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1364492426.020 1364492426.021 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 178.239.54.153, 84.24.182.91, 41.233.167.181, 93.70.77.160 (2), 180.153.115.172, 94.242.221.123, 70.77.199.174, 24.15.84.15 Resource List: Observed Start: 03/28/2013 10:40:26.020 PDT Gen. Time: 03/28/2013 10:44:26.083 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 178.239.54.153 (10:41:12.208 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 59427->3310 (10:41:12.208 PDT) 84.24.182.91 (10:40:26.020 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->21908 (10:40:26.020 PDT) 41.233.167.181 (10:41:21.473 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 59526->22474 (10:41:21.473 PDT) 93.70.77.160 (2) (10:42:22.201 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 60075->6890 (10:42:22.201 PDT) ------------------------- event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6890 (10:43:27.510 PDT) 180.153.115.172 (10:44:20.023 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 60943->11938 (10:44:20.023 PDT) 94.242.221.123 (10:40:31.789 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/free/scrape?info_hash=%9D%A2%81%13|%FF%B7%1Ar3%0E%B5%F0O%FF%FA%FF] MAC_Src: 00:01:64:FF:CE:EA 59329->80 (10:40:31.789 PDT) 70.77.199.174 (10:41:27.449 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->17938 (10:41:27.449 PDT) 24.15.84.15 (10:42:27.665 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->56920 (10:42:27.665 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (10:41:01.055 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 59392->6099 (10:41:01.055 PDT) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1364492426.020 1364492426.021 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 166.78.158.73 (3), 93.72.185.78, 77.49.53.134, 208.95.173.194 (2), 180.153.115.172, 123.230.101.58, 178.239.54.153, 94.242.221.123, 95.43.118.150 Resource List: Observed Start: 03/28/2013 12:38:42.483 PDT Gen. Time: 03/28/2013 12:42:02.691 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 166.78.158.73 (3) (12:39:41.571 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 55299->80 (12:39:41.571 PDT) ------------------------- event=1:2011699 (2) {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF~%FFn-%05z3PC/%B8%BBV%FF%07%A5] MAC_Src: 00:01:64:FF:CE:EA 55299->80 (12:39:41.571 PDT) 55301->80 (12:39:41.753 PDT) 93.72.185.78 (12:38:42.483 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->43466 (12:38:42.483 PDT) 77.49.53.134 (12:40:44.456 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->61442 (12:40:44.456 PDT) 208.95.173.194 (2) (12:40:41.567 PDT) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 55758->2710 (12:40:41.567 PDT) ------------------------- event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 55758->2710 (12:40:41.567 PDT) 180.153.115.172 (12:41:48.569 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 56324->11938 (12:41:48.569 PDT) 123.230.101.58 (12:39:43.830 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->49152 (12:39:43.830 PDT) 178.239.54.153 (12:41:51.352 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 56348->3310 (12:41:51.352 PDT) 94.242.221.123 (12:41:10.916 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/free/scrape?info_hash=%9D%A2%81%13|%FF%B7%1Ar3%0E%B5%F0O%FF%FA%FF] MAC_Src: 00:01:64:FF:CE:EA 55864->80 (12:41:10.916 PDT) 95.43.118.150 (12:41:44.297 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->60042 (12:41:44.297 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (12:42:02.691 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (12:42:02.691 PDT) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1364499522.483 1364499522.484 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 166.78.158.73 (2), 85.241.182.210, 208.95.173.194 (2), 109.201.148.249, 180.153.115.172 (2), 76.117.11.204, 178.239.54.153, 41.237.225.18, 94.242.221.123, 61.91.88.49, 117.193.161.213 Resource List: Observed Start: 03/28/2013 14:39:36.561 PDT Gen. Time: 03/28/2013 14:43:31.200 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 166.78.158.73 (2) (14:40:21.465 PDT) event=1:2011699 (2) {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF~%FFn-%05z3PC/%B8%BBV%FF%07%A5] MAC_Src: 00:01:64:FF:CE:EA 55251->80 (14:40:21.465 PDT) 55267->80 (14:40:21.693 PDT) 85.241.182.210 (14:42:37.775 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->26125 (14:42:37.775 PDT) 208.95.173.194 (2) (14:41:21.226 PDT) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 55637->2710 (14:41:21.226 PDT) ------------------------- event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 55637->2710 (14:41:21.226 PDT) 109.201.148.249 (14:40:11.251 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 55052->2710 (14:40:11.251 PDT) 180.153.115.172 (2) (14:39:48.544 PDT) event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 54957->11938 (14:39:48.544 PDT) 56371->11938 (14:42:44.098 PDT) 76.117.11.204 (14:41:37.274 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->49350 (14:41:37.274 PDT) 178.239.54.153 (14:42:32.002 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 56276->3310 (14:42:32.002 PDT) 41.237.225.18 (14:39:36.561 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->64616 (14:39:36.561 PDT) 94.242.221.123 (14:41:51.570 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/free/scrape?info_hash=%9D%A2%81%13|%FF%B7%1Ar3%0E%B5%F0O%FF%FA%FF] MAC_Src: 00:01:64:FF:CE:EA 55941->80 (14:41:51.570 PDT) 61.91.88.49 (14:41:21.284 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 55640->16881 (14:41:21.284 PDT) 117.193.161.213 (14:40:37.168 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->26105 (14:40:37.168 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (14:43:31.200 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 56714->6099 (14:43:31.200 PDT) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1364506776.561 1364506776.562 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 166.78.158.73 (2), 85.241.182.210, 208.95.173.194 (2), 109.201.148.249, 180.153.115.172 (2), 46.233.20.88, 76.117.11.204, 178.239.54.153, 41.237.225.18, 94.242.221.123, 61.91.88.49, 117.193.161.213 Resource List: Observed Start: 03/28/2013 14:39:36.561 PDT Gen. Time: 03/28/2013 14:43:37.007 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 166.78.158.73 (2) (14:40:21.465 PDT) event=1:2011699 (2) {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF~%FFn-%05z3PC/%B8%BBV%FF%07%A5] MAC_Src: 00:01:64:FF:CE:EA 55251->80 (14:40:21.465 PDT) 55267->80 (14:40:21.693 PDT) 85.241.182.210 (14:42:37.775 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->26125 (14:42:37.775 PDT) 208.95.173.194 (2) (14:41:21.226 PDT) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 55637->2710 (14:41:21.226 PDT) ------------------------- event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 55637->2710 (14:41:21.226 PDT) 109.201.148.249 (14:40:11.251 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 55052->2710 (14:40:11.251 PDT) 180.153.115.172 (2) (14:39:48.544 PDT) event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 54957->11938 (14:39:48.544 PDT) 56371->11938 (14:42:44.098 PDT) 46.233.20.88 (14:43:37.007 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->45538 (14:43:37.007 PDT) 76.117.11.204 (14:41:37.274 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->49350 (14:41:37.274 PDT) 178.239.54.153 (14:42:32.002 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 56276->3310 (14:42:32.002 PDT) 41.237.225.18 (14:39:36.561 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->64616 (14:39:36.561 PDT) 94.242.221.123 (14:41:51.570 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/free/scrape?info_hash=%9D%A2%81%13|%FF%B7%1Ar3%0E%B5%F0O%FF%FA%FF] MAC_Src: 00:01:64:FF:CE:EA 55941->80 (14:41:51.570 PDT) 61.91.88.49 (14:41:21.284 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 55640->16881 (14:41:21.284 PDT) 117.193.161.213 (14:40:37.168 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->26105 (14:40:37.168 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (14:43:31.200 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 56714->6099 (14:43:31.200 PDT) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1364506776.561 1364506776.562 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 78.129.0.228, 69.35.66.145, 2.216.3.209 Resource List: Observed Start: 03/28/2013 16:43:23.134 PDT Gen. Time: 03/28/2013 16:44:30.901 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 78.129.0.228 (16:44:23.478 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->11100 (16:44:23.478 PDT) 69.35.66.145 (16:44:17.478 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 55133->60254 (16:44:17.478 PDT) 2.216.3.209 (16:43:23.134 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->64050 (16:43:23.134 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (16:44:30.901 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (16:44:30.901 PDT) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1364514203.134 1364514203.135 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 190.16.24.172, 50.19.95.119 (2), 71.187.0.178, 180.153.115.172, 78.129.0.228, 69.35.66.145, 82.16.144.214, 2.216.3.209 Resource List: Observed Start: 03/28/2013 16:43:23.134 PDT Gen. Time: 03/28/2013 16:47:23.658 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 190.16.24.172 (16:46:24.666 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->25427 (16:46:24.666 PDT) 50.19.95.119 (2) (16:45:11.399 PDT) event=1:1100017 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 55529->80 (16:45:11.399 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/trac/scrape.php?info_hash=%FF%F9%BAb%1A%FF%A6%FF%FF%97%9B%0F%93%FF%FD] MAC_Src: 00:01:64:FF:CE:EA 55529->80 (16:45:11.399 PDT) 71.187.0.178 (16:44:41.112 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 55402->6969 (16:44:41.112 PDT) 180.153.115.172 (16:45:20.494 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 55734->11938 (16:45:20.494 PDT) 78.129.0.228 (16:44:23.478 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->11100 (16:44:23.478 PDT) 69.35.66.145 (16:44:17.478 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 55133->60254 (16:44:17.478 PDT) 82.16.144.214 (16:45:23.411 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->22222 (16:45:23.411 PDT) 2.216.3.209 (16:43:23.134 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->64050 (16:43:23.134 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (16:44:30.901 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (16:44:30.901 PDT) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1364514203.134 1364514203.135 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 188.50.132.35, 69.132.1.106, 208.95.173.194, 71.187.0.178, 50.19.95.119 (2), 154.45.216.162, 2.191.95.191, 178.239.54.153, 94.242.221.123, 99.245.169.16 Resource List: Observed Start: 03/28/2013 18:42:39.938 PDT Gen. Time: 03/28/2013 18:46:30.826 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 188.50.132.35 (18:43:39.346 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->27315 (18:43:39.346 PDT) 69.132.1.106 (18:42:39.938 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->59348 (18:42:39.938 PDT) 208.95.173.194 (18:42:41.496 PDT) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 61015->2710 (18:42:41.496 PDT) 71.187.0.178 (18:45:01.562 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 61893->6969 (18:45:01.562 PDT) 50.19.95.119 (2) (18:45:41.738 PDT) event=1:1100017 {tcp} E7[info] P2P torrent scrape tracker request, [/comics/time/4ec08b20b0be913f7f0f9faf77b30f4bf2d683d224cc9b87479fd8706ad0aa75.png] MAC_Src: 00:01:64:FF:CE:EA 62222->80 (18:45:41.738 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/trac/scrape.php?info_hash=%FF%F9%BAb%1A%FF%A6%FF%FF%97%9B%0F%93%FF%FD] MAC_Src: 00:01:64:FF:CE:EA 62222->80 (18:45:41.738 PDT) 154.45.216.162 (18:45:25.608 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 62149->1073 (18:45:25.608 PDT) 2.191.95.191 (18:44:46.019 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->33555 (18:44:46.019 PDT) 178.239.54.153 (18:43:31.268 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 61371->3310 (18:43:31.268 PDT) 94.242.221.123 (18:42:50.836 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/free/scrape?info_hash=%9D%A2%81%13|%FF%B7%1Ar3%0E%B5%F0O%FF%FA%FF] MAC_Src: 00:01:64:FF:CE:EA 61040->80 (18:42:50.836 PDT) 99.245.169.16 (18:45:49.725 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->60844 (18:45:49.725 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (18:46:30.826 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 62602->6099 (18:46:30.826 PDT) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1364521359.938 1364521359.939 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 188.50.132.35, 69.132.1.106, 208.95.173.194, 71.187.0.178, 50.19.95.119 (2), 154.45.216.162, 2.191.95.191, 178.239.54.153, 94.242.221.123, 121.1.52.25, 99.245.169.16 Resource List: Observed Start: 03/28/2013 18:42:39.938 PDT Gen. Time: 03/28/2013 18:46:49.827 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 188.50.132.35 (18:43:39.346 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->27315 (18:43:39.346 PDT) 69.132.1.106 (18:42:39.938 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->59348 (18:42:39.938 PDT) 208.95.173.194 (18:42:41.496 PDT) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 61015->2710 (18:42:41.496 PDT) 71.187.0.178 (18:45:01.562 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 61893->6969 (18:45:01.562 PDT) 50.19.95.119 (2) (18:45:41.738 PDT) event=1:1100017 {tcp} E7[info] P2P torrent scrape tracker request, [/comics/time/4ec08b20b0be913f7f0f9faf77b30f4bf2d683d224cc9b87479fd8706ad0aa75.png] MAC_Src: 00:01:64:FF:CE:EA 62222->80 (18:45:41.738 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/trac/scrape.php?info_hash=%FF%F9%BAb%1A%FF%A6%FF%FF%97%9B%0F%93%FF%FD] MAC_Src: 00:01:64:FF:CE:EA 62222->80 (18:45:41.738 PDT) 154.45.216.162 (18:45:25.608 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 62149->1073 (18:45:25.608 PDT) 2.191.95.191 (18:44:46.019 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->33555 (18:44:46.019 PDT) 178.239.54.153 (18:43:31.268 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 61371->3310 (18:43:31.268 PDT) 94.242.221.123 (18:42:50.836 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/free/scrape?info_hash=%9D%A2%81%13|%FF%B7%1Ar3%0E%B5%F0O%FF%FA%FF] MAC_Src: 00:01:64:FF:CE:EA 61040->80 (18:42:50.836 PDT) 121.1.52.25 (18:46:49.827 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->42810 (18:46:49.827 PDT) 99.245.169.16 (18:45:49.725 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->60844 (18:45:49.725 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (18:46:30.826 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 62602->6099 (18:46:30.826 PDT) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1364521359.938 1364521359.939 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 50.19.95.119 (2), 95.211.195.235, 95.155.100.44 Resource List: Observed Start: 03/28/2013 20:46:01.284 PDT Gen. Time: 03/28/2013 20:47:21.221 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 50.19.95.119 (2) (20:46:01.284 PDT) event=1:1100017 {tcp} E7[info] P2P torrent scrape tracker request, [>%02^(`%F1%CB%1D%13BitTorrent protocol%00%00%00%00%00%00%00%01||%D6%0C%06(u%D8pUy%B6+%82!$e%BB%03-M4-4-0--f7d4b64737d6%00%00%00%0F%05%BF%B7%FF%FF%FFw%AF%F9%FE%BF%FF%FA%FF%EE%00] MAC_Src: 00:01:64:FF:CE:EA 59842->80 (20:46:01.284 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/trac/scrape.php?info_hash=%FF%F9%BAb%1A%FF%A6%FF%FF%97%9B%0F%93%FF%FD] MAC_Src: 00:01:64:FF:CE:EA 59842->80 (20:46:01.284 PDT) 95.211.195.235 (20:47:18.166 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 60351->59216 (20:47:18.166 PDT) 95.155.100.44 (20:46:33.485 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->36324 (20:46:33.485 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (20:47:21.221 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (20:47:21.221 PDT) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1364528761.284 1364528761.285 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 86.159.6.89, 91.202.73.55, 101.109.112.136, 208.95.173.194, 95.155.100.44, 173.11.243.162, 180.153.115.172, 95.211.195.235, 50.19.95.119 (2) Resource List: Observed Start: 03/28/2013 20:46:01.284 PDT Gen. Time: 03/28/2013 20:50:05.080 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 86.159.6.89 (20:47:33.082 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->33434 (20:47:33.082 PDT) 91.202.73.55 (20:50:01.231 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF9%FFW%97%12%FFV%1B%A0%A8%0C%16Q%02%0D%A2] MAC_Src: 00:01:64:FF:CE:EA 61159->80 (20:50:01.231 PDT) 101.109.112.136 (20:49:36.566 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->24874 (20:49:36.566 PDT) 208.95.173.194 (20:50:01.219 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 61160->2711 (20:50:01.219 PDT) 95.155.100.44 (20:46:33.485 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->36324 (20:46:33.485 PDT) 173.11.243.162 (20:48:35.017 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51413 (20:48:35.017 PDT) 180.153.115.172 (20:49:18.202 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 60960->24155 (20:49:18.202 PDT) 95.211.195.235 (20:47:18.166 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 60351->59216 (20:47:18.166 PDT) 50.19.95.119 (2) (20:46:01.284 PDT) event=1:1100017 {tcp} E7[info] P2P torrent scrape tracker request, [>%02^(`%F1%CB%1D%13BitTorrent protocol%00%00%00%00%00%00%00%01||%D6%0C%06(u%D8pUy%B6+%82!$e%BB%03-M4-4-0--f7d4b64737d6%00%00%00%0F%05%BF%B7%FF%FF%FFw%AF%F9%FE%BF%FF%FA%FF%EE%00] MAC_Src: 00:01:64:FF:CE:EA 59842->80 (20:46:01.284 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/trac/scrape.php?info_hash=%FF%F9%BAb%1A%FF%A6%FF%FF%97%9B%0F%93%FF%FD] MAC_Src: 00:01:64:FF:CE:EA 59842->80 (20:46:01.284 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (20:47:21.221 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (20:47:21.221 PDT) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1364528761.284 1364528761.285 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 68.82.177.217 Resource List: Observed Start: 03/28/2013 22:49:08.771 PDT Gen. Time: 03/28/2013 22:49:20.705 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 68.82.177.217 (22:49:08.771 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->59696 (22:49:08.771 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (22:49:20.705 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 49436->6099 (22:49:20.705 PDT) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1364536148.771 1364536148.772 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 111.91.231.69, 91.202.73.55, 208.95.173.194, 68.82.177.217, 61.91.88.91, 74.60.80.210, 180.153.115.172, 92.0.4.236, 69.142.96.40 Resource List: Observed Start: 03/28/2013 22:49:08.771 PDT Gen. Time: 03/28/2013 22:52:55.185 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 111.91.231.69 (22:52:09.348 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->24070 (22:52:09.348 PDT) 91.202.73.55 (22:50:41.334 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF9%FFW%97%12%FFV%1B%A0%A8%0C%16Q%02%0D%A2] MAC_Src: 00:01:64:FF:CE:EA 49864->80 (22:50:41.334 PDT) 208.95.173.194 (22:50:30.939 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 49826->2711 (22:50:30.939 PDT) 68.82.177.217 (22:49:08.771 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->59696 (22:49:08.771 PDT) 61.91.88.91 (22:51:32.969 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 50100->16884 (22:51:32.969 PDT) 74.60.80.210 (22:52:32.245 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 50405->54266 (22:52:32.245 PDT) 180.153.115.172 (22:49:43.203 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 49497->24155 (22:49:43.203 PDT) 92.0.4.236 (22:51:09.020 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->26680 (22:51:09.020 PDT) 69.142.96.40 (22:50:09.239 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->10304 (22:50:09.239 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (22:49:20.705 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 49436->6099 (22:49:20.705 PDT) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1364536148.771 1364536148.772 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================