Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 187.232.209.229
Resource List:
Observed Start: 04/03/2013 01:49:23.085 PDT
Gen. Time: 04/03/2013 01:50:05.305 PDT
 INBOUND SCAN
 EXPLOIT
 EXPLOIT MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
 ATTACK PREP
 PEER COORDINATION Info
    187.232.209.229 (01:49:23.085 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6890 (01:49:23.085 PDT)
 PEER COORDINATION
 DECLARE BOT Standard Port
 DECLARE BOT Non-standard Port
    69.43.161.167 (01:50:05.305 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (01:50:05.305 PDT)
 DECLARE BOT
 OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1364978963.085 1364978963.086 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 208.95.173.194 (2), 50.19.95.119 (2), 124.106.91.22, 115.223.202.217, 89.227.244.5 (2), 98.127.248.93, 89.142.46.179, 187.232.209.229 (2)
Resource List:
Observed Start: 04/03/2013 01:49:23.085 PDT
Gen. Time: 04/03/2013 01:53:24.150 PDT
 INBOUND SCAN
 EXPLOIT
 EXPLOIT MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
 ATTACK PREP
 PEER COORDINATION Info
    208.95.173.194 (2) (01:50:41.200 PDT) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 54477->2710 (01:50:41.200 PDT)
    -------------------------
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 54477->2710 (01:50:41.200 PDT)
    50.19.95.119 (2) (01:51:50.845 PDT) event=1:1100017 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 54904->80 (01:51:50.845 PDT)
    -------------------------
    event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/trac/scrape.php?info_hash=%FF%F9%BAb%1A%FF%A6%FF%FF%97%9B%0F%93%FF%FD] MAC_Src: 00:01:64:FF:CE:EA 54904->80 (01:51:50.845 PDT)
    124.106.91.22 (01:50:24.744 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->20629 (01:50:24.744 PDT)
    115.223.202.217 (01:51:29.022 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->16001 (01:51:29.022 PDT)
    89.227.244.5 (2) (01:50:14.102 PDT) event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 54253->6346 (01:50:14.102 PDT) 55154->6346 (01:52:22.137 PDT)
    98.127.248.93 (01:53:24.150 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 55468->6890 (01:53:24.150 PDT)
    89.142.46.179 (01:52:35.552 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->43033 (01:52:35.552 PDT)
    187.232.209.229 (2) (01:49:23.085 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 54749->6890 (01:51:18.704 PDT)
    -------------------------
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6890 (01:49:23.085 PDT)
 PEER COORDINATION
 DECLARE BOT Standard Port
 DECLARE BOT Non-standard Port
    69.43.161.167 (01:50:05.305 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (01:50:05.305 PDT)
 DECLARE BOT
 OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1364978963.085 1364978963.086 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 177.19.89.247
Resource List:
Observed Start: 04/03/2013 03:51:13.007 PDT
Gen. Time: 04/03/2013 03:51:20.608 PDT
 INBOUND SCAN
 EXPLOIT
 EXPLOIT MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
 ATTACK PREP
 PEER COORDINATION Info
    177.19.89.247 (03:51:13.007 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->16179 (03:51:13.007 PDT)
 PEER COORDINATION
 DECLARE BOT Standard Port
 DECLARE BOT Non-standard Port
    69.43.161.167 (03:51:20.608 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 52302->6099 (03:51:20.608 PDT)
 DECLARE BOT
 OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1364986273.007 1364986273.008 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 91.218.38.132 (2), 2.234.99.156, 199.172.227.14, 208.95.173.194 (2), 98.127.248.93, 178.207.16.88, 89.227.244.5, 50.19.95.119 (2), 178.239.54.153, 177.19.89.247, 199.59.243.63, 2.216.3.209
Resource List:
Observed Start: 04/03/2013 03:51:13.007 PDT
Gen. Time: 04/03/2013 03:55:03.973 PDT
 INBOUND SCAN
 EXPLOIT
 EXPLOIT MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
 ATTACK PREP
 PEER COORDINATION Info
    91.218.38.132 (2) (03:51:44.565 PDT) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 52464->2710 (03:51:44.565 PDT)
    -------------------------
    event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 52464->2710 (03:51:44.565 PDT)
    2.234.99.156 (03:52:13.148 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->30226 (03:52:13.148 PDT)
    199.172.227.14 (03:53:13.127 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->15652 (03:53:13.127 PDT)
    208.95.173.194 (2) (03:51:20.787 PDT) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 52300->2710 (03:51:20.787 PDT)
    -------------------------
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 52300->2710 (03:51:20.787 PDT)
    98.127.248.93 (03:52:18.585 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 52757->6890 (03:52:18.585 PDT)
    178.207.16.88 (03:54:31.284 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 53737->16881 (03:54:31.284 PDT)
    89.227.244.5 (03:53:21.540 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 53183->6346 (03:53:21.540 PDT)
    50.19.95.119 (2) (03:52:00.839 PDT) event=1:1100017 {tcp} E7[info] P2P torrent scrape tracker request, [/index.php/Runproof.sh] MAC_Src: 00:01:64:FF:CE:EA 52489->80 (03:52:00.839 PDT)
    -------------------------
    event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/trac/scrape.php?info_hash=%FF%F9%BAb%1A%FF%A6%FF%FF%97%9B%0F%93%FF%FD] MAC_Src: 00:01:64:FF:CE:EA 52489->80 (03:52:00.839 PDT)
    178.239.54.153 (03:54:21.104 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 53558->3310 (03:54:21.104 PDT)
    177.19.89.247 (03:51:13.007 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->16179 (03:51:13.007 PDT)
    199.59.243.63 (03:54:31.271 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF9%FFW%97%12%FFV%1B%A0%A8%0C%16Q%02%0D%A2] MAC_Src: 00:01:64:FF:CE:EA 53745->80 (03:54:31.271 PDT)
    2.216.3.209 (03:54:13.398 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->64050 (03:54:13.398 PDT)
 PEER COORDINATION
 DECLARE BOT Standard Port
 DECLARE BOT Non-standard Port
    69.43.161.167 (03:51:20.608 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 52302->6099 (03:51:20.608 PDT)
 DECLARE BOT
 OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1364986273.007 1364986273.008 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 208.95.173.194 (2), 85.17.143.16, 90.217.171.236
Resource List:
Observed Start: 04/03/2013 07:52:11.179 PDT
Gen. Time: 04/03/2013 07:52:50.969 PDT
 INBOUND SCAN
 EXPLOIT
 EXPLOIT MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
 ATTACK PREP
 PEER COORDINATION Info
    208.95.173.194 (2) (07:52:11.179 PDT) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 65097->2710 (07:52:11.179 PDT)
    -------------------------
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 65097->2710 (07:52:11.179 PDT)
    85.17.143.16 (07:52:22.882 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 65288->6969 (07:52:22.882 PDT)
    90.217.171.236 (07:52:14.108 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->10407 (07:52:14.108 PDT)
 PEER COORDINATION
 DECLARE BOT Standard Port
 DECLARE BOT Non-standard Port
    69.43.161.167 (07:52:50.969 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 49211->6099 (07:52:50.969 PDT)
 DECLARE BOT
 OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1365000731.179 1365000731.180 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 24.190.251.159, 91.218.38.132 (2), 208.95.173.194 (2), 85.17.143.16, 2.103.233.177, 89.227.244.5, 178.207.16.88, 68.145.116.224, 50.19.95.119 (2), 90.217.171.236, 199.59.243.63 (2)
Resource List:
Observed Start: 04/03/2013 07:52:11.179 PDT
Gen. Time: 04/03/2013 07:55:57.931 PDT
 INBOUND SCAN
 EXPLOIT
 EXPLOIT MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
 ATTACK PREP
 PEER COORDINATION Info
    24.190.251.159 (07:54:15.700 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->59138 (07:54:15.700 PDT)
    91.218.38.132 (2) (07:54:56.335 PDT) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 50270->2710 (07:54:56.335 PDT)
    -------------------------
    event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 50270->2710 (07:54:56.335 PDT)
    208.95.173.194 (2) (07:52:11.179 PDT) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 65097->2710 (07:52:11.179 PDT)
    -------------------------
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 65097->2710 (07:52:11.179 PDT)
    85.17.143.16 (07:52:22.882 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 65288->6969 (07:52:22.882 PDT)
    2.103.233.177 (07:53:14.954 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->46048 (07:53:14.954 PDT)
    89.227.244.5 (07:55:29.933 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 50721->6346 (07:55:29.933 PDT)
    178.207.16.88 (07:54:27.636 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 50102->16881 (07:54:27.636 PDT)
    68.145.116.224 (07:55:15.223 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->22915 (07:55:15.223 PDT)
    50.19.95.119 (2) (07:52:51.042 PDT) event=1:1100017 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 49210->80 (07:52:51.042 PDT)
    -------------------------
    event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/trac/scrape.php?info_hash=%FF%F9%BAb%1A%FF%A6%FF%FF%97%9B%0F%93%FF%FD] MAC_Src: 00:01:64:FF:CE:EA 49210->80 (07:52:51.042 PDT)
    90.217.171.236 (07:52:14.108 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->10407 (07:52:14.108 PDT)
    199.59.243.63 (2) (07:55:20.586 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 50541->80 (07:55:20.586 PDT)
    -------------------------
    event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF9%FFW%97%12%FFV%1B%A0%A8%0C%16Q%02%0D%A2] MAC_Src: 00:01:64:FF:CE:EA 50541->80 (07:55:20.586 PDT)
 PEER COORDINATION
 DECLARE BOT Standard Port
 DECLARE BOT Non-standard Port
    69.43.161.167 (07:52:50.969 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 49211->6099 (07:52:50.969 PDT)
 DECLARE BOT
 OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1365000731.179 1365000731.180 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 208.95.173.194 (2), 108.225.37.238, 98.127.248.93, 24.171.232.126
Resource List:
Observed Start: 04/03/2013 09:51:23.011 PDT
Gen. Time: 04/03/2013 09:53:10.986 PDT
 INBOUND SCAN
 EXPLOIT
 EXPLOIT MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
 ATTACK PREP
 PEER COORDINATION Info
    208.95.173.194 (2) (09:52:51.381 PDT) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 49793->2710 (09:52:51.381 PDT)
    -------------------------
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 49793->2710 (09:52:51.381 PDT)
    108.225.37.238 (09:52:23.035 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->25260 (09:52:23.035 PDT)
    98.127.248.93 (09:52:13.913 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 49439->6890 (09:52:13.913 PDT)
    24.171.232.126 (09:51:23.011 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->20500 (09:51:23.011 PDT)
 PEER COORDINATION
 DECLARE BOT Standard Port
 DECLARE BOT Non-standard Port
    69.43.161.167 (09:53:10.986 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (09:53:10.986 PDT)
 DECLARE BOT
 OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1365007883.011 1365007883.012 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 208.95.173.194 (2), 50.19.95.119 (2), 108.225.37.238, 41.233.173.56, 190.160.0.227, 66.75.49.164, 98.127.248.93, 24.171.232.126
Resource List:
Observed Start: 04/03/2013 09:51:23.011 PDT
Gen. Time: 04/03/2013 09:55:23.892 PDT
 INBOUND SCAN
 EXPLOIT
 EXPLOIT MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
 ATTACK PREP
 PEER COORDINATION Info
    208.95.173.194 (2) (09:52:51.381 PDT) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 49793->2710 (09:52:51.381 PDT)
    -------------------------
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 49793->2710 (09:52:51.381 PDT)
    50.19.95.119 (2) (09:53:21.076 PDT) event=1:1100017 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 50092->80 (09:53:21.076 PDT)
    -------------------------
    event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/trac/scrape.php?info_hash=%FF%F9%BAb%1A%FF%A6%FF%FF%97%9B%0F%93%FF%FD] MAC_Src: 00:01:64:FF:CE:EA 50092->80 (09:53:21.076 PDT)
    108.225.37.238 (09:52:23.035 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->25260 (09:52:23.035 PDT)
    41.233.173.56 (09:53:23.357 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->54528 (09:53:23.357 PDT)
    190.160.0.227 (09:53:47.442 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 50337->16882 (09:53:47.442 PDT)
    66.75.49.164 (09:54:24.983 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->20746 (09:54:24.983 PDT)
    98.127.248.93 (09:52:13.913 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 49439->6890 (09:52:13.913 PDT)
    24.171.232.126 (09:51:23.011 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->20500 (09:51:23.011 PDT)
 PEER COORDINATION
 DECLARE BOT Standard Port
 DECLARE BOT Non-standard Port
    69.43.161.167 (09:53:10.986 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (09:53:10.986 PDT)
 DECLARE BOT
 OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1365007883.011 1365007883.012 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 208.95.173.194 (2), 50.19.95.119 (2), 98.127.248.93 (2), 189.152.69.58
Resource List:
Observed Start: 04/03/2013 11:53:35.006 PDT
Gen. Time: 04/03/2013 11:55:11.081 PDT
 INBOUND SCAN
 EXPLOIT
 EXPLOIT MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
 ATTACK PREP
 PEER COORDINATION Info
    208.95.173.194 (2) (11:53:41.392 PDT) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 52373->2710 (11:53:41.392 PDT)
    -------------------------
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 52373->2710 (11:53:41.392 PDT)
    50.19.95.119 (2) (11:54:00.851 PDT) event=1:1100017 {tcp} E7[info] P2P torrent scrape tracker request, [/lWJgvB0qk6LDERooiM6w5JzXwi3CGCCifiRLW9c-DkRV5y2J62yuk3cuWVA0uw05JQ=h360] MAC_Src: 00:01:64:FF:CE:EA 52451->80 (11:54:00.851 PDT)
    -------------------------
    event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/trac/scrape.php?info_hash=%FF%F9%BAb%1A%FF%A6%FF%FF%97%9B%0F%93%FF%FD] MAC_Src: 00:01:64:FF:CE:EA 52451->80 (11:54:00.851 PDT)
    98.127.248.93 (2) (11:53:35.006 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 52236->6890 (11:53:35.006 PDT)
    -------------------------
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6890 (11:53:35.125 PDT)
    189.152.69.58 (11:54:37.664 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->16942 (11:54:37.664 PDT)
 PEER COORDINATION
 DECLARE BOT Standard Port
 DECLARE BOT Non-standard Port
    69.43.161.167 (11:55:11.081 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 53030->6099 (11:55:11.081 PDT)
 DECLARE BOT
 OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1365015215.006 1365015215.007 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 208.95.173.194 (2), 50.19.95.119 (2), 199.59.243.63 (2), 74.215.69.159, 98.127.248.93 (5), 37.153.12.154 (2), 189.152.69.58 (2)
Resource List:
Observed Start: 04/03/2013 11:53:35.006 PDT
Gen. Time: 04/03/2013 11:57:35.760 PDT
 INBOUND SCAN
 EXPLOIT
 EXPLOIT MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
 ATTACK PREP
 PEER COORDINATION Info
    208.95.173.194 (2) (11:53:41.392 PDT) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 52373->2710 (11:53:41.392 PDT)
    -------------------------
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 52373->2710 (11:53:41.392 PDT)
    50.19.95.119 (2) (11:54:00.851 PDT) event=1:1100017 {tcp} E7[info] P2P torrent scrape tracker request, [/lWJgvB0qk6LDERooiM6w5JzXwi3CGCCifiRLW9c-DkRV5y2J62yuk3cuWVA0uw05JQ=h360] MAC_Src: 00:01:64:FF:CE:EA 52451->80 (11:54:00.851 PDT)
    -------------------------
    event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/trac/scrape.php?info_hash=%FF%F9%BAb%1A%FF%A6%FF%FF%97%9B%0F%93%FF%FD] MAC_Src: 00:01:64:FF:CE:EA 52451->80 (11:54:00.851 PDT)
    199.59.243.63 (2) (11:56:01.158 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 53469->80 (11:56:01.158 PDT)
    -------------------------
    event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF9%FFW%97%12%FFV%1B%A0%A8%0C%16Q%02%0D%A2] MAC_Src: 00:01:64:FF:CE:EA 53469->80 (11:56:01.158 PDT)
    74.215.69.159 (11:55:41.107 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->36633 (11:55:41.107 PDT)
    98.127.248.93 (5) (11:53:35.006 PDT) event=1:1100012 (4) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 54293->6890 (11:57:24.069 PDT) 52236->6890 (11:53:35.006 PDT) 53718->6890 (11:56:20.115 PDT) 53151->6890 (11:55:17.089 PDT)
    -------------------------
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6890 (11:53:35.125 PDT)
    37.153.12.154 (2) (11:57:25.767 PDT) event=1:2102181 (2) {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:01:64:FF:CE:EA 54315->6881 (11:57:25.767 PDT) 54448->6881 (11:57:35.760 PDT)
    189.152.69.58 (2) (11:54:37.664 PDT-11:56:41.674 PDT) event=1:1100013 (2) {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 2: 51413->16942 (11:54:37.664 PDT-11:56:41.674 PDT)
 PEER COORDINATION
 DECLARE BOT Standard Port
 DECLARE BOT Non-standard Port
    69.43.161.167 (11:55:11.081 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 53030->6099 (11:55:11.081 PDT)
 DECLARE BOT
 OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1365015215.006 1365015401.675 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 85.138.46.223, 98.127.248.93, 208.83.20.164 (2), 85.73.204.61
Resource List:
Observed Start: 04/03/2013 13:54:11.353 PDT
Gen. Time: 04/03/2013 13:55:40.159 PDT
 INBOUND SCAN
 EXPLOIT
 EXPLOIT MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
 ATTACK PREP
 PEER COORDINATION Info
    85.138.46.223 (13:55:11.300 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->34650 (13:55:11.300 PDT)
    98.127.248.93 (13:54:20.141 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 52899->6890 (13:54:20.141 PDT)
    208.83.20.164 (2) (13:54:50.677 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 53125->80 (13:54:50.677 PDT)
    -------------------------
    event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%88%81h!f%09%00%AF:|/U;%BCmJH%F3,J] MAC_Src: 00:01:64:FF:CE:EA 53125->80 (13:54:50.677 PDT)
    85.73.204.61 (13:54:11.353 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->58992 (13:54:11.353 PDT)
 PEER COORDINATION
 DECLARE BOT Standard Port
 DECLARE BOT Non-standard Port
    69.43.161.167 (13:55:40.159 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (13:55:40.159 PDT)
 DECLARE BOT
 OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1365022451.353 1365022451.354 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 208.83.20.164 (2), 176.58.210.190, 98.127.248.93 (2), 37.153.12.154 (2), 201.10.166.60, 85.138.46.223, 178.239.54.151, 199.59.243.63 (2), 85.73.204.61
Resource List:
Observed Start: 04/03/2013 13:54:11.353 PDT
Gen. Time: 04/03/2013 13:58:02.919 PDT
 INBOUND SCAN
 EXPLOIT
 EXPLOIT MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
 ATTACK PREP
 PEER COORDINATION Info
    208.83.20.164 (2) (13:54:50.677 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 53125->80 (13:54:50.677 PDT)
    -------------------------
    event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%88%81h!f%09%00%AF:|/U;%BCmJH%F3,J] MAC_Src: 00:01:64:FF:CE:EA 53125->80 (13:54:50.677 PDT)
    176.58.210.190 (13:56:11.409 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->61073 (13:56:11.409 PDT)
    98.127.248.93 (2) (13:54:20.141 PDT) event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 52899->6890 (13:54:20.141 PDT) 53746->6890 (13:56:15.608 PDT)
    37.153.12.154 (2) (13:56:23.812 PDT) event=1:2102181 (2) {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:01:64:FF:CE:EA 53939->6881 (13:56:23.812 PDT) 53989->6881 (13:56:33.826 PDT)
    201.10.166.60 (13:57:11.206 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->13558 (13:57:11.206 PDT)
    85.138.46.223 (13:55:11.300 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->34650 (13:55:11.300 PDT)
    178.239.54.151 (13:57:20.422 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 54312->2710 (13:57:20.422 PDT)
    199.59.243.63 (2) (13:56:20.822 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 53871->80 (13:56:20.822 PDT)
    -------------------------
    event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF9%FFW%97%12%FFV%1B%A0%A8%0C%16Q%02%0D%A2] MAC_Src: 00:01:64:FF:CE:EA 53871->80 (13:56:20.822 PDT)
    85.73.204.61 (13:54:11.353 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->58992 (13:54:11.353 PDT)
 PEER COORDINATION
 DECLARE BOT Standard Port
 DECLARE BOT Non-standard Port
    69.43.161.167 (13:55:40.159 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (13:55:40.159 PDT)
 DECLARE BOT
 OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1365022451.353 1365022451.354 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/03/2013 15:57:40.792 PDT
Gen. Time: 04/03/2013 15:57:40.792 PDT
 INBOUND SCAN
 EXPLOIT
 EXPLOIT MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
 ATTACK PREP
 PEER COORDINATION Info
 PEER COORDINATION
 DECLARE BOT Standard Port
 DECLARE BOT Non-standard Port
    69.43.161.167 (15:57:40.792 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 59667->6099 (15:57:40.792 PDT)
 DECLARE BOT
 OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1365029860.792 1365029860.793 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 208.95.173.194 (2), 178.239.54.153, 119.46.206.39, 89.227.244.5, 31.53.76.171, 72.130.72.229, 208.83.20.164, 74.12.215.237
Resource List:
Observed Start: 04/03/2013 15:57:40.792 PDT
Gen. Time: 04/03/2013 16:01:01.384 PDT
 INBOUND SCAN
 EXPLOIT
 EXPLOIT MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
 ATTACK PREP
 PEER COORDINATION Info
    208.95.173.194 (2) (16:01:01.383 PDT) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 60889->2710 (16:01:01.384 PDT)
    -------------------------
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 60890->2711 (16:01:01.383 PDT)
    178.239.54.153 (15:57:40.962 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 59666->3310 (15:57:40.962 PDT)
    119.46.206.39 (15:58:43.879 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 60077->16881 (15:58:43.879 PDT)
    89.227.244.5 (16:00:31.192 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 60835->6346 (16:00:31.192 PDT)
    31.53.76.171 (16:00:11.614 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->29940 (16:00:11.614 PDT)
    72.130.72.229 (15:58:08.859 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->49491 (15:58:08.859 PDT)
    208.83.20.164 (15:59:41.102 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 60452->6969 (15:59:41.102 PDT)
    74.12.215.237 (15:59:10.361 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->29628 (15:59:10.361 PDT)
 PEER COORDINATION
 DECLARE BOT Standard Port
 DECLARE BOT Non-standard Port
    69.43.161.167 (15:57:40.792 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 59667->6099 (15:57:40.792 PDT)
 DECLARE BOT
 OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1365029860.792 1365029860.793 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 178.239.54.153, 75.159.142.5, 199.59.243.63, 89.227.244.5, 108.35.182.217, 203.206.185.145, 208.83.20.164 (3)
Resource List:
Observed Start: 04/03/2013 17:55:12.176 PDT
Gen. Time: 04/03/2013 17:58:11.343 PDT
 INBOUND SCAN
 EXPLOIT
 EXPLOIT MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
 ATTACK PREP
 PEER COORDINATION Info
    178.239.54.153 (17:58:11.343 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 57812->3310 (17:58:11.343 PDT)
    75.159.142.5 (17:55:12.176 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->62658 (17:55:12.176 PDT)
    199.59.243.63 (17:56:51.098 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF9%FFW%97%12%FFV%1B%A0%A8%0C%16Q%02%0D%A2] MAC_Src: 00:01:64:FF:CE:EA 57349->80 (17:56:51.098 PDT)
    89.227.244.5 (17:57:24.231 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 57671->6346 (17:57:24.231 PDT)
    108.35.182.217 (17:57:14.469 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->55845 (17:57:14.469 PDT)
    203.206.185.145 (17:56:13.109 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51413 (17:56:13.109 PDT)
    208.83.20.164 (3) (17:56:01.571 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [%88%D3%E6%17%F3%B1%E1%8C%F7@%E6U] MAC_Src: 00:01:64:FF:CE:EA 56971->80 (17:56:01.571 PDT)
    -------------------------
    event=1:2011699 (2) {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%88%81h!f%09%00%AF:|/U;%BCmJH%F3,J] MAC_Src: 00:01:64:FF:CE:EA 56971->80 (17:56:01.571 PDT) 57332->80 (17:56:41.721 PDT)
 PEER COORDINATION
 DECLARE BOT Standard Port
 DECLARE BOT Non-standard Port
    69.43.161.167 (17:57:50.786 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (17:57:50.786 PDT)
 DECLARE BOT
 OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1365036912.176 1365036912.177 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 178.239.54.153, 75.159.142.5, 199.59.243.63, 89.227.244.5, 108.35.182.217, 175.156.162.42, 203.206.185.145, 208.83.20.164 (3)
Resource List:
Observed Start: 04/03/2013 17:55:12.176 PDT
Gen. Time: 04/03/2013 17:59:09.855 PDT
 INBOUND SCAN
 EXPLOIT
 EXPLOIT MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
 ATTACK PREP
 PEER COORDINATION Info
    178.239.54.153 (17:58:11.343 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 57812->3310 (17:58:11.343 PDT)
    75.159.142.5 (17:55:12.176 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->62658 (17:55:12.176 PDT)
    199.59.243.63 (17:56:51.098 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF9%FFW%97%12%FFV%1B%A0%A8%0C%16Q%02%0D%A2] MAC_Src: 00:01:64:FF:CE:EA 57349->80 (17:56:51.098 PDT)
    89.227.244.5 (17:57:24.231 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 57671->6346 (17:57:24.231 PDT)
    108.35.182.217 (17:57:14.469 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
51413->55845 (17:57:14.469 PDT) 175.156.162.42 (17:58:14.112 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->29902 (17:58:14.112 PDT) 203.206.185.145 (17:56:13.109 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51413 (17:56:13.109 PDT) 208.83.20.164 (3) (17:56:01.571 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [%88%D3%E6%17%F3%B1%E1%8C%F7@%E6U] MAC_Src: 00:01:64:FF:CE:EA 56971->80 (17:56:01.571 PDT) ------------------------- event=1:2011699 (2) {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%88%81h!f%09%00%AF:|/U;%BCmJH%F3,J] MAC_Src: 00:01:64:FF:CE:EA 56971->80 (17:56:01.571 PDT) 57332->80 (17:56:41.721 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (17:57:50.786 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (17:57:50.786 PDT) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1365036912.176 1365036912.177 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 208.83.20.164 (3), 61.91.88.24, 98.127.248.93, 71.187.0.178, 178.239.54.153, 96.52.247.193, 177.32.99.161, 71.76.62.182, 92.0.12.73, 199.59.243.63 Resource List: Observed Start: 04/03/2013 19:56:07.998 PDT Gen. 
Time: 04/03/2013 19:59:51.838 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 208.83.20.164 (3) (19:56:51.554 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 50396->80 (19:56:51.554 PDT) ------------------------- event=1:2011699 (2) {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%88%81h!f%09%00%AF:|/U;%BCmJH%F3,J] MAC_Src: 00:01:64:FF:CE:EA 50396->80 (19:56:51.554 PDT) 50733->80 (19:57:41.713 PDT) 61.91.88.24 (19:56:51.811 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 50397->16882 (19:56:51.811 PDT) 98.127.248.93 (19:58:14.618 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 50880->6890 (19:58:14.618 PDT) 71.187.0.178 (19:59:51.838 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 51397->6969 (19:59:51.838 PDT) 178.239.54.153 (19:58:41.221 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 51012->3310 (19:58:41.221 PDT) 96.52.247.193 (19:56:07.998 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->15937 (19:56:07.998 PDT) 177.32.99.161 (19:57:08.909 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->10506 (19:57:08.909 PDT) 71.76.62.182 (19:58:10.014 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->31886 (19:58:10.014 PDT) 92.0.12.73 (19:59:10.838 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->26680 (19:59:10.838 PDT) 199.59.243.63 (19:57:41.695 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), 
[/scrape?info_hash=%FF9%FFW%97%12%FFV%1B%A0%A8%0C%16Q%02%0D%A2] MAC_Src: 00:01:64:FF:CE:EA 50734->80 (19:57:41.695 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (19:59:51.740 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51398->6099 (19:59:51.740 PDT) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1365044167.998 1365044167.999 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 178.239.54.153, 177.32.230.127, 96.52.247.193, 71.187.0.178, 89.227.244.5, 99.246.113.197, 208.83.20.164 (2), 118.93.1.189 Resource List: Observed Start: 04/03/2013 21:57:31.629 PDT Gen. Time: 04/03/2013 22:00:41.500 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 178.239.54.153 (21:59:11.914 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 55175->3310 (21:59:11.914 PDT) 177.32.230.127 (21:57:33.922 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->62943 (21:57:33.922 PDT) 96.52.247.193 (22:00:41.500 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->15937 (22:00:41.500 PDT) 71.187.0.178 (22:00:11.556 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 55480->6969 (22:00:11.556 PDT) 89.227.244.5 (21:59:34.035 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 55339->6346 (21:59:34.035 PDT) 99.246.113.197 (21:59:41.610 PDT) event=1:1100013 {udp} E7[info] P2P 
torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->1720 (21:59:41.610 PDT) 208.83.20.164 (2) (21:57:31.629 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [%0A%15%00%00%00%00%00%00%00%00%00%00%16%8EM8%A5%C1*E%13P%BFG%B1%DAe%E9%FE,1I%EB%0E%DAN%86I%B3$%82%90{%0A%E2%EE%02%0Agm%12%BC%AC%0C%DB%98] MAC_Src: 00:01:64:FF:CE:EA 54756->80 (21:57:31.629 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%88%81h!f%09%00%AF:|/U;%BCmJH%F3,J] MAC_Src: 00:01:64:FF:CE:EA 54756->80 (21:57:31.629 PDT) 118.93.1.189 (21:58:36.472 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->41222 (21:58:36.472 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (22:00:41.117 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (22:00:41.117 PDT) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1365051451.629 1365051451.630 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 99.246.113.197, 208.83.20.164 (3), 89.227.244.5, 71.187.0.178, 178.239.54.153, 61.91.88.119, 96.52.247.193, 118.93.1.189, 177.32.230.127 Resource List: Observed Start: 04/03/2013 21:57:31.629 PDT Gen. 
Time: 04/03/2013 22:01:33.199 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 99.246.113.197 (21:59:41.610 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->1720 (21:59:41.610 PDT) 208.83.20.164 (3) (21:57:31.629 PDT) event=1:1100016 (2) {tcp} E7[info] P2P torrent scrape tracker request, [%0A%15%00%00%00%00%00%00%00%00%00%00%16%8EM8%A5%C1*E%13P%BFG%B1%DAe%E9%FE,1I%EB%0E%DAN%86I%B3$%82%90{%0A%E2%EE%02%0Agm%12%BC%AC%0C%DB%98] MAC_Src: 00:01:64:FF:CE:EA 54756->80 (21:57:31.629 PDT) 55826->6969 (22:01:21.767 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%88%81h!f%09%00%AF:|/U;%BCmJH%F3,J] MAC_Src: 00:01:64:FF:CE:EA 54756->80 (21:57:31.629 PDT) 89.227.244.5 (21:59:34.035 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 55339->6346 (21:59:34.035 PDT) 71.187.0.178 (22:00:11.556 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 55480->6969 (22:00:11.556 PDT) 178.239.54.153 (21:59:11.914 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 55175->3310 (21:59:11.914 PDT) 61.91.88.119 (22:00:51.804 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 55695->16881 (22:00:51.804 PDT) 96.52.247.193 (22:00:41.500 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->15937 (22:00:41.500 PDT) 118.93.1.189 (21:58:36.472 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->41222 (21:58:36.472 PDT) 177.32.230.127 (21:57:33.922 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->62943 
(21:57:33.922 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (22:00:41.117 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (22:00:41.117 PDT) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1365051451.629 1365051451.630 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================
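Every report above follows the same pattern: the only evidence under DECLARE BOT is a single ET ShadowServer reputation hit against 69.43.161.167 port 6099 (SID 9930009 over TCP, 9930020 over UDP), while everything under PEER COORDINATION is a BitTorrent signature (Transmission/1.x user agent, tracker scrapes, DHT pings sourced from UDP 51413, which is Transmission's default peer port and also the source port of the UDP reputation hits). Before acting on the 0.8 score, an analyst wants those facts pulled out of each report rather than read off a wall of text. The parser below is an added example, not BotHunter's code or output; it assumes only the field labels and event-line syntax visible above. SAMPLE is a trimmed excerpt of the 17:58:11.343 PDT report, and P2P_SIDS and the function names are ours.

```python
"""Parse BotHunter infection-profile dumps and extract the evidence behind each
DECLARE BOT verdict.  Added example; assumes only the labels and event syntax
visible in the reports above (event=1:<sid> [(n)] {tcp|udp} E?[..] <msg>,
[<payload>] MAC_Src: <mac> <sport>-><dport> (<time> PDT) ...)."""
import re

# Trimmed excerpt of the 17:58:11.343 PDT report above (header, three peers, verdict).
SAMPLE = """\
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 178.239.54.153, 75.159.142.5, 199.59.243.63, 89.227.244.5, 108.35.182.217, 203.206.185.145, 208.83.20.164 (3)
Resource List:
Observed Start: 04/03/2013 17:55:12.176 PDT
Gen. Time: 04/03/2013 17:58:11.343 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC ATTACK PREP
PEER COORDINATION Info
  75.159.142.5 (17:55:12.176 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->62658 (17:55:12.176 PDT)
  199.59.243.63 (17:56:51.098 PDT)
    event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF9%FFW%97%12%FFV%1B%A0%A8%0C%16Q%02%0D%A2] MAC_Src: 00:01:64:FF:CE:EA 57349->80 (17:56:51.098 PDT)
  208.83.20.164 (3) (17:56:01.571 PDT)
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [%88%D3%E6%17%F3%B1%E1%8C%F7@%E6U] MAC_Src: 00:01:64:FF:CE:EA 56971->80 (17:56:01.571 PDT)
    -------------------------
    event=1:2011699 (2) {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%88%81h!f%09%00%AF:|/U;%BCmJH%F3,J] MAC_Src: 00:01:64:FF:CE:EA 56971->80 (17:56:01.571 PDT) 57332->80 (17:56:41.721 PDT)
DECLARE BOT
  Standard Port
  Non-standard Port 69.43.161.167 (17:57:50.786 PDT)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (17:57:50.786 PDT)
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1365036912.176 1365036912.177 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
"""

HEADER_LABELS = ["Score", "Infected Target", "Infector List", "Egg Source List",
                 "C & C List", "Peer Coord. List", "Resource List",
                 "Observed Start", "Gen. Time"]

# Signature IDs seen under PEER COORDINATION above; all are BitTorrent/P2P detections.
P2P_SIDS = {"1100010", "1100012", "1100013", "1100016", "1100017", "2011699"}

# One alternation: either a "<ip> [(n)] (<time> PDT)" peer header or an event record.
TOKEN_RE = re.compile(
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?: \(\d+\))? \(\S+ PDT\)"
    r"|event=1:(?P<sid>\d+)(?: \((?P<count>\d+)\))? \{(?P<proto>tcp|udp)\} "
    r"E\d\[\w+\] (?P<msg>.*?), \[(?P<payload>.*?)\] MAC_Src: (?P<mac>[0-9A-Fa-f:]{17})"
    r" (?P<flows>(?:\d+->\d+ \(\S+ PDT\) ?)+)"
)
FLOW_RE = re.compile(r"(\d+)->(\d+) \((\S+ PDT)\)")


def split_reports(dump):
    """Split a multi-report dump on BotHunter's SEPARATOR rule."""
    return [r for r in re.split(r"=+ SEPARATOR =+", dump) if r.strip()]


def parse_header(text):
    """Pull the labelled header fields out of a whitespace-normalised report."""
    stops = [lbl + ":" for lbl in HEADER_LABELS[1:]] + ["INBOUND SCAN"]
    fields = {}
    for label, stop in zip(HEADER_LABELS, stops):
        m = re.search(re.escape(label) + r": ?(.*?) ?" + re.escape(stop), text)
        fields[label] = m.group(1).strip() if m else None
    return fields


def summarize(report):
    """Header fields plus the events filed under PEER COORDINATION and DECLARE BOT,
    each event tagged with the remote IP whose header it was logged under."""
    text = " ".join(report.split())           # line breaks carry no meaning in this format
    declare_pos = text.find("DECLARE BOT")    # everything after this label is verdict evidence
    peer, declared, remote = [], [], None
    for m in TOKEN_RE.finditer(text):
        if m.group("ip"):
            remote = m.group("ip")            # following events belong to this peer
            continue
        ev = {"sid": m.group("sid"), "proto": m.group("proto"), "remote": remote,
              "msg": m.group("msg"), "payload": m.group("payload"),
              "count": int(m.group("count") or 1),
              "flows": [(int(s), int(d), t) for s, d, t in FLOW_RE.findall(m.group("flows"))]}
        (declared if 0 <= declare_pos < m.start() else peer).append(ev)
    return {"header": parse_header(text), "peer_coord": peer, "declare_bot": declared}


def triage(summary):
    """Facts an analyst should weigh before accepting the DECLARE BOT verdict."""
    peer, declared = summary["peer_coord"], summary["declare_bot"]
    notes = []
    if declared and peer and all(e["sid"] in P2P_SIDS for e in peer):
        notes.append("every PEER COORDINATION event is a BitTorrent/P2P signature")
    dht_ports = {f[0] for e in peer if e["sid"] == "1100013" for f in e["flows"]}
    for e in declared:
        for sport, dport, when in e["flows"]:
            if sport in dht_ports:
                notes.append(f"{e['proto']} {sport}->{e['remote']}:{dport} at {when} "
                             f"left from a port that also sends torrent DHT pings")
    return notes


if __name__ == "__main__":
    for rep in split_reports(SAMPLE):
        s = summarize(rep)
        print(s["header"]["Infected Target"], s["header"]["Gen. Time"])
        for e in s["declare_bot"]:
            print("  DECLARE BOT:", e["sid"], e["proto"], e["remote"], e["flows"])
        for note in triage(s):
            print("  note:", note)
```

Feed a whole saved dump to split_reports to get one summary per report. triage does not overturn the verdict; it surfaces the two facts that decide the next step here (a reputation-only declaration, and a C&C hit leaving from the same port as the DHT pings), so the analyst knows whether to pull the tcpslice window or first confirm whether a BitTorrent client is running on 192.168.1.36.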