Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 178.239.54.153, 46.36.75.30, 178.207.16.88, 187.2.97.31 Resource List: Observed Start: 03/30/2013 03:00:27.548 PDT Gen. Time: 03/30/2013 03:02:10.608 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 178.239.54.153 (03:01:21.496 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 63481->3310 (03:01:21.496 PDT) 46.36.75.30 (03:00:27.548 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->19996 (03:00:27.548 PDT) 178.207.16.88 (03:01:53.824 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 63607->16881 (03:01:53.824 PDT) 187.2.97.31 (03:01:39.028 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->38537 (03:01:39.028 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (03:02:10.608 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 63679->6099 (03:02:10.608 PDT) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1364637627.548 1364637627.549 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 41.237.208.48, 178.239.54.153, 46.36.75.30, 2.226.218.19, 178.207.16.88, 24.203.11.185, 208.83.20.164 (2), 187.2.97.31 Resource List: Observed Start: 03/30/2013 03:00:27.548 PDT Gen. Time: 03/30/2013 03:04:45.828 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 41.237.208.48 (03:02:39.670 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->64616 (03:02:39.670 PDT) 178.239.54.153 (03:01:21.496 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 63481->3310 (03:01:21.496 PDT) 46.36.75.30 (03:00:27.548 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->19996 (03:00:27.548 PDT) 2.226.218.19 (03:03:42.665 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->48241 (03:03:42.665 PDT) 178.207.16.88 (03:01:53.824 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 63607->16881 (03:01:53.824 PDT) 24.203.11.185 (03:04:45.828 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->45910 (03:04:45.828 PDT) 208.83.20.164 (2) (03:03:10.707 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [%17%08%7F%E5%00%00%00%00%8B%1F%D8bn%B2%EE)*OT%DC}G%B4%C8%8A2%1Cc%80] MAC_Src: 00:01:64:FF:CE:EA 64068->80 (03:03:10.707 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%7F%A1%0D%80%BB%FF%86UM8%92%07%BF%FD%9F%FF%FF] MAC_Src: 00:01:64:FF:CE:EA 64068->80 (03:03:10.707 PDT) 187.2.97.31 (03:01:39.028 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->38537 (03:01:39.028 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (03:02:10.608 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 63679->6099 (03:02:10.608 PDT) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1364637627.548 1364637627.549 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 178.239.54.153, 61.91.88.46 Resource List: Observed Start: 03/30/2013 05:01:24.676 PDT Gen. Time: 03/30/2013 05:02:20.740 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 178.239.54.153 (05:01:52.829 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 51145->3310 (05:01:52.829 PDT) 61.91.88.46 (05:01:24.676 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 51023->16881 (05:01:24.676 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (05:02:20.740 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (05:02:20.740 PDT) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1364644884.676 1364644884.677 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 178.239.54.153, 177.32.230.127, 86.18.214.169, 84.229.247.34, 176.40.114.120, 85.17.143.16, 208.83.20.164 (2), 61.91.88.46 Resource List: Observed Start: 03/30/2013 05:01:24.676 PDT Gen. Time: 03/30/2013 05:05:24.246 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 178.239.54.153 (05:01:52.829 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 51145->3310 (05:01:52.829 PDT) 177.32.230.127 (05:04:24.711 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->62943 (05:04:24.711 PDT) 86.18.214.169 (05:03:24.185 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->43441 (05:03:24.185 PDT) 84.229.247.34 (05:05:24.246 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->59311 (05:05:24.246 PDT) 176.40.114.120 (05:02:24.457 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->55064 (05:02:24.457 PDT) 85.17.143.16 (05:03:33.712 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 52017->6969 (05:03:33.712 PDT) 208.83.20.164 (2) (05:03:41.031 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 52051->80 (05:03:41.031 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%7F%A1%0D%80%BB%FF%86UM8%92%07%BF%FD%9F%FF%FF] MAC_Src: 00:01:64:FF:CE:EA 52051->80 (05:03:41.031 PDT) 61.91.88.46 (05:01:24.676 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 51023->16881 (05:01:24.676 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (05:02:20.740 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (05:02:20.740 PDT) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1364644884.676 1364644884.677 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 209.240.127.144, 89.227.51.22, 62.45.39.9 Resource List: Observed Start: 03/30/2013 07:02:45.316 PDT Gen. Time: 03/30/2013 07:04:10.138 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 209.240.127.144 (07:02:59.195 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->47063 (07:02:59.195 PDT) 89.227.51.22 (07:02:45.316 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 61957->6346 (07:02:45.316 PDT) 62.45.39.9 (07:04:00.385 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->16006 (07:04:00.385 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (07:04:10.138 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 62546->6099 (07:04:10.138 PDT) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1364652165.316 1364652165.317 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 79.81.155.114, 209.240.127.144, 76.117.11.204, 89.227.51.22 (3), 62.45.39.9 (3), 208.83.20.164 (2) Resource List: Observed Start: 03/30/2013 07:02:45.316 PDT Gen. Time: 03/30/2013 07:07:00.404 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 79.81.155.114 (07:06:39.584 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 63816->6902 (07:06:39.584 PDT) 209.240.127.144 (07:02:59.195 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->47063 (07:02:59.195 PDT) 76.117.11.204 (07:06:00.813 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->15784 (07:06:00.813 PDT) 89.227.51.22 (3) (07:02:45.316 PDT) event=1:1100012 (3) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 63132->6346 (07:05:24.864 PDT) 62663->6346 (07:04:16.843 PDT) 61957->6346 (07:02:45.316 PDT) 62.45.39.9 (3) (07:04:00.385 PDT-07:07:00.404 PDT) event=1:1100013 (3) {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 3: 51413->16006 (07:04:00.385 PDT-07:07:00.404 PDT) 208.83.20.164 (2) (07:04:10.229 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 62545->80 (07:04:10.229 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%7F%A1%0D%80%BB%FF%86UM8%92%07%BF%FD%9F%FF%FF] MAC_Src: 00:01:64:FF:CE:EA 62545->80 (07:04:10.229 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (07:04:10.138 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 62546->6099 (07:04:10.138 PDT) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1364652165.316 1364652420.405 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 178.239.54.153, 86.59.152.111, 89.227.51.22, 24.15.84.15, 208.83.20.164 (2) Resource List: Observed Start: 03/30/2013 09:03:11.259 PDT Gen. Time: 03/30/2013 09:05:10.663 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 178.239.54.153 (09:03:11.267 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 58245->3310 (09:03:11.267 PDT) 86.59.152.111 (09:03:11.259 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->10127 (09:03:11.259 PDT) 89.227.51.22 (09:04:45.973 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 59202->6346 (09:04:45.973 PDT) 24.15.84.15 (09:04:11.060 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->56920 (09:04:11.060 PDT) 208.83.20.164 (2) (09:04:41.531 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [%7F%BE%EA%A2 %C4%C2n%EC%96%04%91%9Bgn%7FK%8E%11t%93%B2] MAC_Src: 00:01:64:FF:CE:EA 59179->80 (09:04:41.531 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%7F%A1%0D%80%BB%FF%86UM8%92%07%BF%FD%9F%FF%FF] MAC_Src: 00:01:64:FF:CE:EA 59179->80 (09:04:41.531 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (09:05:10.663 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (09:05:10.663 PDT) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1364659391.259 1364659391.260 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 178.239.54.153, 86.59.152.111, 50.132.116.230, 89.227.51.22, 187.232.253.167, 24.15.84.15 (2), 196.217.158.238, 208.83.20.164 (2) Resource List: Observed Start: 03/30/2013 09:03:11.259 PDT Gen. Time: 03/30/2013 09:07:12.786 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 178.239.54.153 (09:03:11.267 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 58245->3310 (09:03:11.267 PDT) 86.59.152.111 (09:03:11.259 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->10127 (09:03:11.259 PDT) 50.132.116.230 (09:05:11.225 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->30696 (09:05:11.225 PDT) 89.227.51.22 (09:04:45.973 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 59202->6346 (09:04:45.973 PDT) 187.232.253.167 (09:06:18.077 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 59930->6890 (09:06:18.077 PDT) 24.15.84.15 (2) (09:04:11.060 PDT-09:06:11.067 PDT) event=1:1100013 (2) {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 2: 51413->56920 (09:04:11.060 PDT-09:06:11.067 PDT) 196.217.158.238 (09:07:12.786 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51413 (09:07:12.786 PDT) 208.83.20.164 (2) (09:04:41.531 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [%7F%BE%EA%A2 %C4%C2n%EC%96%04%91%9Bgn%7FK%8E%11t%93%B2] MAC_Src: 00:01:64:FF:CE:EA 59179->80 (09:04:41.531 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%7F%A1%0D%80%BB%FF%86UM8%92%07%BF%FD%9F%FF%FF] MAC_Src: 00:01:64:FF:CE:EA 59179->80 (09:04:41.531 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (09:05:10.663 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (09:05:10.663 PDT) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1364659391.259 1364659571.068 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 79.81.155.114 Resource List: Observed Start: 03/30/2013 11:06:38.370 PDT Gen. Time: 03/30/2013 11:07:00.464 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 79.81.155.114 (11:06:38.370 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 56099->6902 (11:06:38.370 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (11:07:00.464 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 56189->6099 (11:07:00.464 PDT) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1364666798.370 1364666798.371 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 85.241.182.210, 74.59.143.54, 79.81.155.114, 115.124.199.27, 88.170.234.86 Resource List: Observed Start: 03/30/2013 11:06:38.370 PDT Gen. Time: 03/30/2013 11:09:28.253 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 85.241.182.210 (11:08:28.625 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->26125 (11:08:28.625 PDT) 74.59.143.54 (11:07:28.221 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->45970 (11:07:28.221 PDT) 79.81.155.114 (11:06:38.370 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 56099->6902 (11:06:38.370 PDT) 115.124.199.27 (11:09:28.253 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51850 (11:09:28.253 PDT) 88.170.234.86 (11:07:48.399 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 56556->6890 (11:07:48.399 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (11:07:00.464 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 56189->6099 (11:07:00.464 PDT) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1364666798.370 1364666798.371 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/30/2013 13:07:51.737 PDT Gen. Time: 03/30/2013 13:07:51.737 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (13:07:51.737 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (13:07:51.737 PDT) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1364674071.737 1364674071.738 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 166.78.158.73 (3), 208.83.20.164 (2), 91.218.38.132 (2), 31.59.140.80, 85.17.143.16, 50.132.116.230, 88.170.234.86, 87.6.86.213, 2.216.3.209 Resource List: Observed Start: 03/30/2013 13:07:51.737 PDT Gen. Time: 03/30/2013 13:11:23.347 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 166.78.158.73 (3) (13:11:21.704 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 50522->80 (13:11:21.704 PDT) ------------------------- event=1:2011699 (2) {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF~%FFn-%05z3PC/%B8%BBV%FF%07%A5] MAC_Src: 00:01:64:FF:CE:EA 50522->80 (13:11:21.704 PDT) 50527->80 (13:11:21.878 PDT) 208.83.20.164 (2) (13:10:01.398 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [Request%0D%0ADate: Sat, 30 ] MAC_Src: 00:01:64:FF:CE:EA 49801->80 (13:10:01.398 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%87#%BEf%99%17O%FF=FN%F3%FF%FF%9B_v] MAC_Src: 00:01:64:FF:CE:EA 49801->80 (13:10:01.398 PDT) 91.218.38.132 (2) (13:09:36.130 PDT) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 49571->2710 (13:09:36.130 PDT) ------------------------- event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 49571->2710 (13:09:36.130 PDT) 31.59.140.80 (13:11:23.347 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->21814 (13:11:23.347 PDT) 85.17.143.16 (13:09:52.446 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 49720->6969 (13:09:52.446 PDT) 50.132.116.230 (13:08:23.192 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->30696 (13:08:23.192 PDT) 88.170.234.86 (13:08:26.116 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 65391->6890 (13:08:26.116 PDT) 87.6.86.213 (13:10:23.467 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->64572 (13:10:23.467 PDT) 2.216.3.209 (13:09:23.073 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->64050 (13:09:23.073 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (13:07:51.737 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (13:07:51.737 PDT) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1364674071.737 1364674071.738 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 109.106.253.247 Resource List: Observed Start: 03/30/2013 15:08:53.975 PDT Gen. Time: 03/30/2013 15:09:30.587 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 109.106.253.247 (15:08:53.975 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->15422 (15:08:53.975 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (15:09:30.587 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 59303->6099 (15:09:30.587 PDT) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1364681333.975 1364681333.976 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 116.240.185.122, 166.78.158.73 (3), 65.36.106.110, 208.83.20.164 (3), 187.233.239.196 (2), 109.106.253.247, 41.34.50.112 Resource List: Observed Start: 03/30/2013 15:08:53.975 PDT Gen. Time: 03/30/2013 15:13:02.409 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 116.240.185.122 (15:12:00.429 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->45007 (15:12:00.429 PDT) 166.78.158.73 (3) (15:11:51.061 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [ Request%0D%0ADate: Sat, 30 Mar 2013 22:11:50 %0D%0AServer: Planetseer%0D%0AAccept-Ranges: no] MAC_Src: 00:01:64:FF:CE:EA 60537->80 (15:11:51.061 PDT) ------------------------- event=1:2011699 (2) {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF~%FFn-%05z3PC/%B8%BBV%FF%07%A5] MAC_Src: 00:01:64:FF:CE:EA 60537->80 (15:11:51.061 PDT) 60538->80 (15:11:51.229 PDT) 65.36.106.110 (15:09:56.484 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->24104 (15:09:56.484 PDT) 208.83.20.164 (3) (15:10:40.688 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [/search?q= 37.59.7.22 malware&go=&qs=n&form=QBLH&pq= 37.59.7.22 malware&sc=0-0&sp=-1&sk=] MAC_Src: 00:01:64:FF:CE:EA 59938->80 (15:10:40.688 PDT) ------------------------- event=1:2011699 (2) {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%87#%BEf%99%17O%FF=FN%F3%FF%FF%9B_v] MAC_Src: 00:01:64:FF:CE:EA 59938->80 (15:10:40.688 PDT) 60733->80 (15:12:21.355 PDT) 187.233.239.196 (2) (15:09:31.196 PDT) event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 59320->6890 (15:09:31.196 PDT) 60168->6890 (15:11:18.226 PDT) 109.106.253.247 (15:08:53.975 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->15422 (15:08:53.975 PDT) 41.34.50.112 (15:10:58.165 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->21751 (15:10:58.165 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (15:09:30.587 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 59303->6099 (15:09:30.587 PDT) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1364681333.975 1364681333.976 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 188.53.99.31, 95.211.190.109, 187.233.239.196, 217.165.77.169 Resource List: Observed Start: 03/30/2013 17:07:38.251 PDT Gen. Time: 03/30/2013 17:09:41.004 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 188.53.99.31 (17:08:22.420 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->10810 (17:08:22.420 PDT) 95.211.190.109 (17:07:38.251 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 50178->36153 (17:07:38.251 PDT) 187.233.239.196 (17:09:15.360 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 50876->6890 (17:09:15.360 PDT) 217.165.77.169 (17:09:24.950 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->58405 (17:09:24.950 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (17:09:41.004 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (17:09:41.004 PDT) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1364688458.251 1364688458.252 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 190.244.16.33, 188.53.99.31, 95.211.190.109, 208.83.20.164 (2), 187.233.239.196, 82.81.30.157, 217.165.77.169 Resource List: Observed Start: 03/30/2013 17:07:38.251 PDT Gen. Time: 03/30/2013 17:11:26.798 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 190.244.16.33 (17:11:26.798 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->59605 (17:11:26.798 PDT) 188.53.99.31 (17:08:22.420 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->10810 (17:08:22.420 PDT) 95.211.190.109 (17:07:38.251 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 50178->36153 (17:07:38.251 PDT) 208.83.20.164 (2) (17:11:11.164 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 51654->80 (17:11:11.164 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%87#%BEf%99%17O%FF=FN%F3%FF%FF%9B_v] MAC_Src: 00:01:64:FF:CE:EA 51654->80 (17:11:11.164 PDT) 187.233.239.196 (17:09:15.360 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 50876->6890 (17:09:15.360 PDT) 82.81.30.157 (17:10:24.450 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->19761 (17:10:24.450 PDT) 217.165.77.169 (17:09:24.950 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->58405 (17:09:24.950 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (17:09:41.004 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (17:09:41.004 PDT) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1364688458.251 1364688458.252 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 24.35.236.239, 213.21.100.246, 173.11.243.162 Resource List: Observed Start: 03/30/2013 19:08:49.913 PDT Gen. Time: 03/30/2013 19:11:00.214 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 24.35.236.239 (19:08:49.913 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->63383 (19:08:49.913 PDT) 213.21.100.246 (19:10:51.938 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->28018 (19:10:51.938 PDT) 173.11.243.162 (19:09:49.821 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51413 (19:09:49.821 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (19:11:00.214 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 63667->6099 (19:11:00.214 PDT) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1364695729.913 1364695729.914 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 24.35.236.239, 213.21.100.246, 166.78.158.73 (2), 173.11.243.162 (2), 208.83.20.164 (2), 81.233.58.48 Resource List: Observed Start: 03/30/2013 19:08:49.913 PDT Gen. Time: 03/30/2013 19:12:57.102 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 24.35.236.239 (19:08:49.913 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->63383 (19:08:49.913 PDT) 213.21.100.246 (19:10:51.938 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->28018 (19:10:51.938 PDT) 166.78.158.73 (2) (19:12:40.606 PDT) event=1:2011699 (2) {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF~%FFn-%05z3PC/%B8%BBV%FF%07%A5] MAC_Src: 00:01:64:FF:CE:EA 64355->80 (19:12:40.606 PDT) 64359->80 (19:12:40.863 PDT) 173.11.243.162 (2) (19:09:49.821 PDT-19:12:57.102 PDT) event=1:1100013 (2) {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 2: 51413->51413 (19:09:49.821 PDT-19:12:57.102 PDT) 208.83.20.164 (2) (19:11:50.310 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 64008->80 (19:11:50.310 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%87#%BEf%99%17O%FF=FN%F3%FF%FF%9B_v] MAC_Src: 00:01:64:FF:CE:EA 64008->80 (19:11:50.310 PDT) 81.233.58.48 (19:11:57.062 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->34484 (19:11:57.062 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (19:11:00.214 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 63667->6099 (19:11:00.214 PDT) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1364695729.913 1364695977.103 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================