Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 108.181.26.246, 71.187.0.178, 89.227.244.5, 2.103.233.177
Resource List:
Observed Start: 04/04/2013 00:00:10.641 PDT
Gen. Time: 04/04/2013 00:01:50.212 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info
108.181.26.246 (00:00:10.641 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->56980 (00:00:10.641 PDT)
71.187.0.178 (00:00:51.113 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 55074->6969 (00:00:51.113 PDT)
89.227.244.5 (00:00:22.892 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 55010->6346 (00:00:22.892 PDT)
2.103.233.177 (00:01:11.292 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->46048 (00:01:11.292 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (00:01:50.212 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 55319->6099 (00:01:50.212 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1365058810.641 1365058810.642 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 208.95.173.194 (2), 98.127.248.93, 2.103.233.177, 89.227.244.5 (2), 71.187.0.178, 50.19.95.119 (2), 95.233.116.165, 75.159.142.5, 108.181.26.246
Resource List:
Observed Start: 04/04/2013 00:00:10.641 PDT
Gen. Time: 04/04/2013 00:04:02.629 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info
208.95.173.194 (2) (00:03:00.761 PDT) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 55605->2710 (00:03:00.762 PDT)
-------------------------
event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 55606->2711 (00:03:00.761 PDT)
98.127.248.93 (00:02:16.423 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 55388->6890 (00:02:16.423 PDT)
2.103.233.177 (00:01:11.292 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->46048 (00:01:11.292 PDT)
89.227.244.5 (2) (00:00:22.892 PDT) event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 55010->6346 (00:00:22.892 PDT) 55725->6346 (00:03:18.439 PDT)
71.187.0.178 (00:00:51.113 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 55074->6969 (00:00:51.113 PDT)
50.19.95.119 (2) (00:02:40.475 PDT) event=1:1100017 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 55542->80 (00:02:40.475 PDT)
-------------------------
event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/trac/scrape.php?info_hash=%FF%F9%BAb%1A%FF%A6%FF%FF%97%9B%0F%93%FF%FD] MAC_Src: 00:01:64:FF:CE:EA 55542->80 (00:02:40.475 PDT)
95.233.116.165 (00:02:11.879 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->44937 (00:02:11.879 PDT)
75.159.142.5 (00:03:11.931 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->62658 (00:03:11.931 PDT)
108.181.26.246 (00:00:10.641 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->56980 (00:00:10.641 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (00:01:50.212 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 55319->6099 (00:01:50.212 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1365058810.641 1365058810.642 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 86.59.152.111, 119.46.206.113, 91.218.38.132 (2), 74.215.69.159, 208.83.20.164
Resource List:
Observed Start: 04/04/2013 02:00:57.176 PDT
Gen. Time: 04/04/2013 02:02:10.346 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info
86.59.152.111 (02:02:01.198 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->10127 (02:02:01.198 PDT)
119.46.206.113 (02:01:13.043 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 59073->16884 (02:01:13.043 PDT)
91.218.38.132 (2) (02:02:09.102 PDT) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 59372->2710 (02:02:09.102 PDT)
-------------------------
event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 59372->2710 (02:02:09.102 PDT)
74.215.69.159 (02:00:57.176 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->36633 (02:00:57.176 PDT)
208.83.20.164 (02:02:00.831 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 59346->6969 (02:02:00.831 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (02:02:10.346 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (02:02:10.346 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1365066057.176 1365066057.177 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 208.83.20.164, 91.218.38.132 (2), 86.59.152.111, 208.95.173.194, 98.127.248.93, 82.12.4.85, 94.64.135.180, 119.46.206.113, 50.19.95.119 (2), 178.239.54.153, 74.215.69.159
Resource List:
Observed Start: 04/04/2013 02:00:57.176 PDT
Gen. Time: 04/04/2013 02:04:57.060 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info
208.83.20.164 (02:02:00.831 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 59346->6969 (02:02:00.831 PDT)
91.218.38.132 (2) (02:02:09.102 PDT) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 59372->2710 (02:02:09.102 PDT)
-------------------------
event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 59372->2710 (02:02:09.102 PDT)
86.59.152.111 (02:02:01.198 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->10127 (02:02:01.198 PDT)
208.95.173.194 (02:03:20.645 PDT) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 59911->2710 (02:03:20.645 PDT)
98.127.248.93 (02:03:15.334 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 59806->6890 (02:03:15.334 PDT)
82.12.4.85 (02:03:07.579 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->44494 (02:03:07.579 PDT)
94.64.135.180 (02:04:07.430 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->48014 (02:04:07.430 PDT)
119.46.206.113 (02:01:13.043 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 59073->16884 (02:01:13.043 PDT)
50.19.95.119 (2) (02:02:51.383 PDT) event=1:1100017 {tcp} E7[info] P2P torrent scrape tracker request, [/people/saidi/] MAC_Src: 00:01:64:FF:CE:EA 59626->80 (02:02:51.383 PDT)
-------------------------
event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/trac/scrape.php?info_hash=%FF%F9%BAb%1A%FF%A6%FF%FF%97%9B%0F%93%FF%FD] MAC_Src: 00:01:64:FF:CE:EA 59626->80 (02:02:51.383 PDT)
178.239.54.153 (02:03:20.628 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 59913->3310 (02:03:20.628 PDT)
74.215.69.159 (02:00:57.176 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->36633 (02:00:57.176 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (02:02:10.346 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (02:02:10.346 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1365066057.176 1365066057.177 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 177.139.45.57, 187.232.199.195
Resource List:
Observed Start: 04/04/2013 04:03:09.238 PDT
Gen. Time: 04/04/2013 04:03:31.071 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info
177.139.45.57 (04:03:09.238 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->50590 (04:03:09.238 PDT)
187.232.199.195 (04:03:10.835 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 54542->6890 (04:03:10.835 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (04:03:31.071 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 54859->6099 (04:03:31.071 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1365073389.238 1365073389.239 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 92.241.224.106, 208.83.20.164 (2), 177.139.45.57, 208.95.173.194 (2), 98.127.248.93, 2.177.160.102, 187.232.199.195, 50.132.116.230, 50.19.95.119 (2), 199.59.243.63 (2), 2.216.3.209
Resource List:
Observed Start: 04/04/2013 04:03:09.238 PDT
Gen. Time: 04/04/2013 04:06:58.686 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info
92.241.224.106 (04:04:14.272 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 55015->35883 (04:04:14.272 PDT)
208.83.20.164 (2) (04:05:41.056 PDT) event=1:2011699 (2) {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%7F%A1%0D%80%BB%FF%86UM8%92%07%BF%FD%9F%FF%FF] MAC_Src: 00:01:64:FF:CE:EA 55583->80 (04:05:41.056 PDT) 55609->80 (04:05:51.200 PDT)
177.139.45.57 (04:03:09.238 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->50590 (04:03:09.238 PDT)
208.95.173.194 (2) (04:03:41.395 PDT) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 54871->2710 (04:03:41.395 PDT)
-------------------------
event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 54871->2710 (04:03:41.395 PDT)
98.127.248.93 (04:06:10.858 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 55665->6890 (04:06:10.858 PDT)
2.177.160.102 (04:05:10.400 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->22364 (04:05:10.400 PDT)
187.232.199.195 (04:03:10.835 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 54542->6890 (04:03:10.835 PDT)
50.132.116.230 (04:06:10.113 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->30696 (04:06:10.113 PDT)
50.19.95.119 (2) (04:03:31.140 PDT) event=1:1100017 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 54858->80 (04:03:31.140 PDT)
-------------------------
event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/trac/scrape.php?info_hash=%FF%F9%BAb%1A%FF%A6%FF%FF%97%9B%0F%93%FF%FD] MAC_Src: 00:01:64:FF:CE:EA 54858->80 (04:03:31.140 PDT)
199.59.243.63 (2) (04:05:41.037 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 55582->80 (04:05:41.037 PDT)
-------------------------
event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF9%FFW%97%12%FFV%1B%A0%A8%0C%16Q%02%0D%A2] MAC_Src: 00:01:64:FF:CE:EA 55582->80 (04:05:41.037 PDT)
2.216.3.209 (04:04:10.361 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->64050 (04:04:10.361 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (04:03:31.071 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 54859->6099 (04:03:31.071 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1365073389.238 1365073389.239 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 119.12.84.96, 177.143.130.179, 178.239.54.151, 98.127.248.93, 208.83.20.164
Resource List:
Observed Start: 04/04/2013 06:01:31.362 PDT
Gen. Time: 04/04/2013 06:03:40.677 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info
119.12.84.96 (06:03:16.603 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->62256 (06:03:16.603 PDT)
177.143.130.179 (06:02:16.883 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->43308 (06:02:16.883 PDT)
178.239.54.151 (06:01:31.362 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 50996->2710 (06:01:31.362 PDT)
98.127.248.93 (06:02:17.173 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 51276->6890 (06:02:17.173 PDT)
208.83.20.164 (06:03:00.848 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 51458->6969 (06:03:00.848 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (06:03:40.677 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (06:03:40.677 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1365080491.362 1365080491.363 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 77.172.135.232, 208.83.20.164, 24.157.183.7, 208.95.173.194, 98.127.248.93 (2), 177.143.130.179, 119.12.84.96, 50.19.95.119 (2), 178.239.54.153, 178.239.54.151
Resource List:
Observed Start: 04/04/2013 06:01:31.362 PDT
Gen. Time: 04/04/2013 06:05:16.532 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info
77.172.135.232 (06:05:16.532 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->19045 (06:05:16.532 PDT)
208.83.20.164 (06:03:00.848 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 51458->6969 (06:03:00.848 PDT)
24.157.183.7 (06:04:16.705 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->55713 (06:04:16.705 PDT)
208.95.173.194 (06:04:21.258 PDT) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 52237->2710 (06:04:21.258 PDT)
98.127.248.93 (2) (06:02:17.173 PDT) event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 51276->6890 (06:02:17.173 PDT) 51912->6890 (06:04:00.698 PDT)
177.143.130.179 (06:02:16.883 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->43308 (06:02:16.883 PDT)
119.12.84.96 (06:03:16.603 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->62256 (06:03:16.603 PDT)
50.19.95.119 (2) (06:04:01.004 PDT) event=1:1100017 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 51913->80 (06:04:01.004 PDT)
-------------------------
event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/trac/scrape.php?info_hash=%FF%F9%BAb%1A%FF%A6%FF%FF%97%9B%0F%93%FF%FD] MAC_Src: 00:01:64:FF:CE:EA 51913->80 (06:04:01.004 PDT)
178.239.54.153 (06:04:21.252 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 52239->3310 (06:04:21.252 PDT)
178.239.54.151 (06:01:31.362 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 50996->2710 (06:01:31.362 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (06:03:40.677 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (06:03:40.677 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1365080491.362 1365080491.363 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 208.95.173.194, 178.239.54.153, 175.136.162.149
Resource List:
Observed Start: 04/04/2013 08:05:01.218 PDT
Gen. Time: 04/04/2013 08:05:21.455 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info
208.95.173.194 (08:05:01.234 PDT) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 56922->2710 (08:05:01.234 PDT)
178.239.54.153 (08:05:01.218 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 56924->3310 (08:05:01.218 PDT)
175.136.162.149 (08:05:12.128 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->64874 (08:05:12.128 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (08:05:21.455 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 57203->6099 (08:05:21.455 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1365087901.218 1365087901.219 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 93.50.57.31, 178.239.54.153, 208.95.173.194, 199.59.243.63 (2), 50.132.116.230, 175.136.162.149 (2), 98.127.248.93, 208.83.20.164 (2)
Resource List:
Observed Start: 04/04/2013 08:05:01.218 PDT
Gen. Time: 04/04/2013 08:09:03.693 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info
93.50.57.31 (08:06:12.500 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->22580 (08:06:12.500 PDT)
178.239.54.153 (08:05:01.218 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 56924->3310 (08:05:01.218 PDT)
208.95.173.194 (08:05:01.234 PDT) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 56922->2710 (08:05:01.234 PDT)
199.59.243.63 (2) (08:06:31.535 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [/OUTPUT/UNIQUE/2bff93eb5520c40b89d848d7ff2a82fa/html/sub_425E70.png] MAC_Src: 00:01:64:FF:CE:EA 57766->80 (08:06:31.535 PDT)
-------------------------
event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF9%FFW%97%12%FFV%1B%A0%A8%0C%16Q%02%0D%A2] MAC_Src: 00:01:64:FF:CE:EA 57766->80 (08:06:31.535 PDT)
50.132.116.230 (08:07:12.102 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->30696 (08:07:12.102 PDT)
175.136.162.149 (2) (08:05:12.128 PDT-08:08:12.106 PDT) event=1:1100013 (2) {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 2: 51413->64874 (08:05:12.128 PDT-08:08:12.106 PDT)
98.127.248.93 (08:06:19.183 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 57603->6890 (08:06:19.183 PDT)
208.83.20.164 (2) (08:06:31.579 PDT) event=1:2011699 (2) {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%7F%A1%0D%80%BB%FF%86UM8%92%07%BF%FD%9F%FF%FF] MAC_Src: 00:01:64:FF:CE:EA 57767->80 (08:06:31.579 PDT) 57836->80 (08:06:51.751 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (08:05:21.455 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 57203->6099 (08:05:21.455 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1365087901.218 1365088092.107 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 208.95.173.194, 178.239.54.153, 50.19.95.119 (2), 130.43.35.58
Resource List:
Observed Start: 04/04/2013 10:05:20.396 PDT
Gen. Time: 04/04/2013 10:05:50.284 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info
208.95.173.194 (10:05:41.147 PDT) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 49604->2710 (10:05:41.147 PDT)
178.239.54.153 (10:05:30.752 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 49572->3310 (10:05:30.752 PDT)
50.19.95.119 (2) (10:05:20.396 PDT) event=1:1100017 {tcp} E7[info] P2P torrent scrape tracker request, [/pagead/ads?client=ca-pub-7926803483606169&output=html&h=600&slotname=8801930845&w=160&ea=0&flash=11.6.602.180&url=http:/www.ra] MAC_Src: 00:01:64:FF:CE:EA 49340->80 (10:05:20.396 PDT)
-------------------------
event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/trac/scrape.php?info_hash=%FF%F9%BAb%1A%FF%A6%FF%FF%97%9B%0F%93%FF%FD] MAC_Src: 00:01:64:FF:CE:EA 49340->80 (10:05:20.396 PDT)
130.43.35.58 (10:05:39.435 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->43179 (10:05:39.435 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (10:05:50.284 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (10:05:50.284 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1365095120.396 1365095120.397 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 119.46.206.102, 208.83.20.164 (2), 91.81.65.131, 208.95.173.194, 188.51.236.157, 109.60.78.185, 130.43.35.58, 50.19.95.119 (2), 200.117.237.18, 178.239.54.153, 199.59.243.63 (2)
Resource List:
Observed Start: 04/04/2013 10:05:20.396 PDT
Gen. Time: 04/04/2013 10:09:20.685 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info
119.46.206.102 (10:06:15.412 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 49739->16881 (10:06:15.412 PDT)
208.83.20.164 (2) (10:07:10.461 PDT) event=1:2011699 (2) {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%7F%A1%0D%80%BB%FF%86UM8%92%07%BF%FD%9F%FF%FF] MAC_Src: 00:01:64:FF:CE:EA 50162->80 (10:07:10.461 PDT) 50347->80 (10:07:20.620 PDT)
91.81.65.131 (10:08:39.094 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->57486 (10:08:39.094 PDT)
208.95.173.194 (10:05:41.147 PDT) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 49604->2710 (10:05:41.147 PDT)
188.51.236.157 (10:06:39.652 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->27315 (10:06:39.652 PDT)
109.60.78.185 (10:07:39.241 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->18286 (10:07:39.241 PDT)
130.43.35.58 (10:05:39.435 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->43179 (10:05:39.435 PDT)
50.19.95.119 (2) (10:05:20.396 PDT) event=1:1100017 {tcp} E7[info] P2P torrent scrape tracker request, [/pagead/ads?client=ca-pub-7926803483606169&output=html&h=600&slotname=8801930845&w=160&ea=0&flash=11.6.602.180&url=http:/www.ra] MAC_Src: 00:01:64:FF:CE:EA 49340->80 (10:05:20.396 PDT)
-------------------------
event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/trac/scrape.php?info_hash=%FF%F9%BAb%1A%FF%A6%FF%FF%97%9B%0F%93%FF%FD] MAC_Src: 00:01:64:FF:CE:EA 49340->80 (10:05:20.396 PDT)
200.117.237.18 (10:08:28.965 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 50951->16884 (10:08:28.965 PDT)
178.239.54.153 (10:05:30.752 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 49572->3310 (10:05:30.752 PDT)
199.59.243.63 (2) (10:07:10.442 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 50161->80 (10:07:10.442 PDT)
-------------------------
event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF9%FFW%97%12%FFV%1B%A0%A8%0C%16Q%02%0D%A2] MAC_Src: 00:01:64:FF:CE:EA 50161->80 (10:07:10.442 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (10:05:50.284 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (10:05:50.284 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1365095120.396 1365095120.397 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 91.218.38.132, 199.59.243.63 (2), 150.101.100.2, 98.127.248.93, 208.83.20.164 (2)
Resource List:
Observed Start: 04/04/2013 12:07:15.272 PDT
Gen. Time: 04/04/2013 12:08:16.568 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info
91.218.38.132 (12:08:16.568 PDT) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 62089->2710 (12:08:16.568 PDT)
199.59.243.63 (2) (12:07:31.070 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 61821->80 (12:07:31.070 PDT)
-------------------------
event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF9%FFW%97%12%FFV%1B%A0%A8%0C%16Q%02%0D%A2] MAC_Src: 00:01:64:FF:CE:EA 61821->80 (12:07:31.070 PDT)
150.101.100.2 (12:07:16.196 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->60053 (12:07:16.196 PDT)
98.127.248.93 (12:07:15.272 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 61493->6890 (12:07:15.272 PDT)
208.83.20.164 (2) (12:07:31.101 PDT) event=1:2011699 (2) {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%7F%A1%0D%80%BB%FF%86UM8%92%07%BF%FD%9F%FF%FF] MAC_Src: 00:01:64:FF:CE:EA 61822->80 (12:07:31.101 PDT) 61912->80 (12:07:41.250 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (12:08:01.351 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 61953->6099 (12:08:01.351 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1365102435.272 1365102435.273 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 208.83.20.164 (2), 91.218.38.132 (2), 98.127.248.93, 130.43.35.58, 69.159.202.240, 178.207.16.88, 210.50.202.125, 150.101.100.2, 188.4.239.84, 199.59.243.63 (2)
Resource List:
Observed Start: 04/04/2013 12:07:15.272 PDT
Gen. Time: 04/04/2013 12:11:18.319 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info
208.83.20.164 (2) (12:07:31.101 PDT) event=1:2011699 (2) {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%7F%A1%0D%80%BB%FF%86UM8%92%07%BF%FD%9F%FF%FF] MAC_Src: 00:01:64:FF:CE:EA 61822->80 (12:07:31.101 PDT) 61912->80 (12:07:41.250 PDT)
91.218.38.132 (2) (12:08:16.568 PDT) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 62089->2710 (12:08:16.568 PDT)
-------------------------
event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 62089->2710 (12:08:16.568 PDT)
98.127.248.93 (12:07:15.272 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 61493->6890 (12:07:15.272 PDT)
130.43.35.58 (12:11:18.319 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->43179 (12:11:18.319 PDT)
69.159.202.240 (12:08:17.418 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->49399 (12:08:17.418 PDT)
178.207.16.88 (12:09:14.535 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 62614->16881 (12:09:14.535 PDT)
210.50.202.125 (12:10:18.037 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->45007 (12:10:18.037 PDT)
150.101.100.2 (12:07:16.196 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->60053 (12:07:16.196 PDT)
188.4.239.84 (12:09:18.949 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->58483 (12:09:18.949 PDT)
199.59.243.63 (2) (12:07:31.070 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 61821->80 (12:07:31.070 PDT)
-------------------------
event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF9%FFW%97%12%FFV%1B%A0%A8%0C%16Q%02%0D%A2] MAC_Src: 00:01:64:FF:CE:EA 61821->80 (12:07:31.070 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
69.43.161.167 (12:08:01.351 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 61953->6099 (12:08:01.351 PDT)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1365102435.272 1365102435.273 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 208.83.20.164 (3), 208.95.173.194, 72.130.72.229, 98.127.248.93 (2), 24.15.84.15, 50.19.95.119 (2), 178.239.54.153, 72.53.157.239, 199.59.243.63 (2), 69.142.96.40
Resource List:
Observed Start: 04/04/2013 14:04:51.101 PDT
Gen. Time: 04/04/2013 14:08:21.288 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info
208.83.20.164 (3) (14:04:51.101 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 55580->6969 (14:04:51.101 PDT)
-------------------------
event=1:2011699 (2) {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%7F%A1%0D%80%BB%FF%86UM8%92%07%BF%FD%9F%FF%FF] MAC_Src: 00:01:64:FF:CE:EA 57093->80 (14:08:01.117 PDT) 57388->80 (14:08:21.288 PDT)
208.95.173.194 (14:06:51.808 PDT) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 56524->2710 (14:06:51.808 PDT)
72.130.72.229 (14:07:13.320 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->49491 (14:07:13.320 PDT)
98.127.248.93 (2) (14:05:19.769 PDT) event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 55868->6890 (14:05:19.769 PDT) 56786->6890 (14:07:18.806 PDT)
24.15.84.15 (14:06:13.358 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->56920 (14:06:13.358 PDT)
50.19.95.119 (2) (14:06:41.421 PDT) event=1:1100017 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 56500->80 (14:06:41.421 PDT)
-------------------------
event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/trac/scrape.php?info_hash=%FF%F9%BAb%1A%FF%A6%FF%FF%97%9B%0F%93%FF%FD] MAC_Src: 00:01:64:FF:CE:EA 56500->80 (14:06:41.421 PDT)
178.239.54.153 (14:06:43.506 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 56499->3310 (14:06:43.506 PDT)
72.53.157.239 (14:08:13.185 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src:
00:01:64:FF:CE:EA 51413->45830 (14:08:13.185 PDT) 199.59.243.63 (2) (14:08:01.097 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [/work/] MAC_Src: 00:01:64:FF:CE:EA 57092->80 (14:08:01.097 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF9%FFW%97%12%FFV%1B%A0%A8%0C%16Q%02%0D%A2] MAC_Src: 00:01:64:FF:CE:EA 57092->80 (14:08:01.097 PDT) 69.142.96.40 (14:05:13.640 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->10304 (14:05:13.640 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (14:08:20.739 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (14:08:20.739 PDT) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1365109491.101 1365109491.102 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 208.83.20.164 (2), 208.95.173.194, 98.127.248.93 (2), 188.142.45.188, 50.19.95.119 (2), 178.239.54.153, 85.0.254.40, 79.50.11.244, 199.59.243.63 (2), 94.7.222.146 Resource List: Observed Start: 04/04/2013 16:06:40.712 PDT Gen. 
Time: 04/04/2013 16:09:46.900 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 208.83.20.164 (2) (16:08:41.795 PDT) event=1:2011699 (2) {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%7F%A1%0D%80%BB%FF%86UM8%92%07%BF%FD%9F%FF%FF] MAC_Src: 00:01:64:FF:CE:EA 60838->80 (16:08:41.795 PDT) 60867->80 (16:09:01.941 PDT) 208.95.173.194 (16:07:31.491 PDT) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 60444->2710 (16:07:31.491 PDT) 98.127.248.93 (2) (16:07:12.787 PDT) event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 60251->6890 (16:07:12.787 PDT) 61090->6890 (16:09:17.822 PDT) 188.142.45.188 (16:08:45.784 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->63555 (16:08:45.784 PDT) 50.19.95.119 (2) (16:07:21.050 PDT) event=1:1100017 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 60405->80 (16:07:21.050 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/trac/scrape.php?info_hash=%FF%F9%BAb%1A%FF%A6%FF%FF%97%9B%0F%93%FF%FD] MAC_Src: 00:01:64:FF:CE:EA 60405->80 (16:07:21.050 PDT) 178.239.54.153 (16:07:21.143 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 60404->3310 (16:07:21.143 PDT) 85.0.254.40 (16:06:40.712 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->15624 (16:06:40.712 PDT) 79.50.11.244 (16:09:46.900 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51413 (16:09:46.900 PDT) 199.59.243.63 (2) (16:08:41.776 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 
00:01:64:FF:CE:EA 60837->80 (16:08:41.776 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF9%FFW%97%12%FFV%1B%A0%A8%0C%16Q%02%0D%A2] MAC_Src: 00:01:64:FF:CE:EA 60837->80 (16:08:41.776 PDT) 94.7.222.146 (16:07:43.110 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->26321 (16:07:43.110 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (16:09:31.018 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 61229->6099 (16:09:31.018 PDT) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1365116800.712 1365116800.713 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 93.34.210.184, 199.59.243.63 (2), 70.77.199.174, 208.83.20.164 (2), 98.26.19.64 Resource List: Observed Start: 04/04/2013 18:08:40.431 PDT Gen. 
Time: 04/04/2013 18:10:40.405 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 93.34.210.184 (18:09:40.372 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->61113 (18:09:40.372 PDT) 199.59.243.63 (2) (18:09:20.800 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 60698->80 (18:09:20.800 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF9%FFW%97%12%FFV%1B%A0%A8%0C%16Q%02%0D%A2] MAC_Src: 00:01:64:FF:CE:EA 60698->80 (18:09:20.800 PDT) 70.77.199.174 (18:10:40.405 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->17938 (18:10:40.405 PDT) 208.83.20.164 (2) (18:09:20.818 PDT) event=1:2011699 (2) {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%7F%A1%0D%80%BB%FF%86UM8%92%07%BF%FD%9F%FF%FF] MAC_Src: 00:01:64:FF:CE:EA 60699->80 (18:09:20.818 PDT) 60769->80 (18:09:30.961 PDT) 98.26.19.64 (18:08:40.431 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->48263 (18:08:40.431 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (18:09:50.466 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (18:09:50.466 PDT) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1365124120.431 1365124120.432 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. 
List: 176.227.201.154, 93.34.210.184, 199.59.243.63 (2), 50.132.116.230, 70.77.199.174, 37.153.12.154, 208.83.20.164 (2), 98.26.19.64 Resource List: Observed Start: 04/04/2013 18:08:40.431 PDT Gen. Time: 04/04/2013 18:12:41.784 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 176.227.201.154 (18:11:25.351 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 61985->60845 (18:11:25.351 PDT) 93.34.210.184 (18:09:40.372 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->61113 (18:09:40.372 PDT) 199.59.243.63 (2) (18:09:20.800 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 60698->80 (18:09:20.800 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF9%FFW%97%12%FFV%1B%A0%A8%0C%16Q%02%0D%A2] MAC_Src: 00:01:64:FF:CE:EA 60698->80 (18:09:20.800 PDT) 50.132.116.230 (18:11:41.135 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->30696 (18:11:41.135 PDT) 70.77.199.174 (18:10:40.405 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->17938 (18:10:40.405 PDT) 37.153.12.154 (18:11:38.049 PDT) event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:01:64:FF:CE:EA 62120->6881 (18:11:38.049 PDT) 208.83.20.164 (2) (18:09:20.818 PDT) event=1:2011699 (2) {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%7F%A1%0D%80%BB%FF%86UM8%92%07%BF%FD%9F%FF%FF] MAC_Src: 00:01:64:FF:CE:EA 60699->80 (18:09:20.818 PDT) 60769->80 (18:09:30.961 PDT) 98.26.19.64 (18:08:40.431 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 
51413->48263 (18:08:40.431 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (18:09:50.466 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (18:09:50.466 PDT) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1365124120.431 1365124120.432 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 98.197.74.225, 199.59.243.63 (2), 116.250.43.193, 199.172.227.14, 98.127.248.93, 14.198.69.132, 208.83.20.164 (2) Resource List: Observed Start: 04/04/2013 20:08:18.781 PDT Gen. Time: 04/04/2013 20:11:20.951 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 98.197.74.225 (20:09:57.167 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->3074 (20:09:57.167 PDT) 199.59.243.63 (2) (20:09:40.589 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [/comics/time/cf787ae6e5a71803ba8db6de3db61c9c03a501599f1c4459a61e47af7a73bdd0.png] MAC_Src: 00:01:64:FF:CE:EA 56390->80 (20:09:40.589 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF9%FFW%97%12%FFV%1B%A0%A8%0C%16Q%02%0D%A2] MAC_Src: 00:01:64:FF:CE:EA 56390->80 (20:09:40.589 PDT) 116.250.43.193 (20:10:57.719 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->20346 (20:10:57.719 PDT) 199.172.227.14 (20:08:57.432 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->15652 (20:08:57.432 PDT) 98.127.248.93 
(20:08:18.781 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 55559->6890 (20:08:18.781 PDT) 14.198.69.132 (20:10:57.499 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 57092->46881 (20:10:57.499 PDT) 208.83.20.164 (2) (20:09:50.721 PDT) event=1:2011699 (2) {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%7F%A1%0D%80%BB%FF%86UM8%92%07%BF%FD%9F%FF%FF] MAC_Src: 00:01:64:FF:CE:EA 56463->80 (20:09:50.721 PDT) 56602->80 (20:10:10.867 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (20:11:20.951 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 57515->6099 (20:11:20.951 PDT) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1365131298.781 1365131298.782 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 178.1.215.175, 98.197.74.225, 199.59.243.63 (2), 116.250.43.193, 199.172.227.14, 98.127.248.93, 14.198.69.132, 208.83.20.164 (2) Resource List: Observed Start: 04/04/2013 20:08:18.781 PDT Gen. 
Time: 04/04/2013 20:12:38.674 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 178.1.215.175 (20:11:58.084 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->50105 (20:11:58.084 PDT) 98.197.74.225 (20:09:57.167 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->3074 (20:09:57.167 PDT) 199.59.243.63 (2) (20:09:40.589 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [/comics/time/cf787ae6e5a71803ba8db6de3db61c9c03a501599f1c4459a61e47af7a73bdd0.png] MAC_Src: 00:01:64:FF:CE:EA 56390->80 (20:09:40.589 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF9%FFW%97%12%FFV%1B%A0%A8%0C%16Q%02%0D%A2] MAC_Src: 00:01:64:FF:CE:EA 56390->80 (20:09:40.589 PDT) 116.250.43.193 (20:10:57.719 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->20346 (20:10:57.719 PDT) 199.172.227.14 (20:08:57.432 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->15652 (20:08:57.432 PDT) 98.127.248.93 (20:08:18.781 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 55559->6890 (20:08:18.781 PDT) 14.198.69.132 (20:10:57.499 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 57092->46881 (20:10:57.499 PDT) 208.83.20.164 (2) (20:09:50.721 PDT) event=1:2011699 (2) {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%7F%A1%0D%80%BB%FF%86UM8%92%07%BF%FD%9F%FF%FF] MAC_Src: 00:01:64:FF:CE:EA 56463->80 (20:09:50.721 PDT) 56602->80 (20:10:10.867 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 
(20:11:20.951 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 57515->6099 (20:11:20.951 PDT) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1365131298.781 1365131298.782 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 91.218.38.132 (2), 72.53.157.239, 199.59.243.63 (2), 99.230.104.255, 88.123.192.241, 208.83.20.164 (2) Resource List: Observed Start: 04/04/2013 22:09:54.864 PDT Gen. Time: 04/04/2013 22:12:00.523 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 91.218.38.132 (2) (22:11:21.276 PDT) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 49305->2710 (22:11:21.276 PDT) ------------------------- event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 49305->2710 (22:11:21.276 PDT) 72.53.157.239 (22:09:54.864 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->45830 (22:09:54.864 PDT) 199.59.243.63 (2) (22:10:00.813 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [G%C8%BB%18%AE%FE%A4%B4%B6%E4`U%DD%EE%EA%DC%00%CB%1C:[{%CE~%8D%13S%EB%DF%B4%ABI%C54%C5%FB%C8}%CB%80A.L %AC%84%FC%D7%0D%82%C0%AF%B4%B2VU%AD%9E^W%07g2*pX%E8%1Fs%8C%03%97%09s%81j%C4%F9%A8%1C%8F] MAC_Src: 00:01:64:FF:CE:EA 64700->80 (22:10:00.813 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF9%FFW%97%12%FFV%1B%A0%A8%0C%16Q%02%0D%A2] MAC_Src: 00:01:64:FF:CE:EA 64700->80 (22:10:00.813 PDT) 
99.230.104.255 (22:10:55.438 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->53512 (22:10:55.438 PDT) 88.123.192.241 (22:11:56.164 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->12870 (22:11:56.164 PDT) 208.83.20.164 (2) (22:10:41.026 PDT) event=1:2011699 (2) {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FFb]U~@%FF%BDY7%FF%ACW%FFO%A8] MAC_Src: 00:01:64:FF:CE:EA 65195->80 (22:10:41.026 PDT) 65196->80 (22:10:47.960 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (22:12:00.523 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (22:12:00.523 PDT) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1365138594.864 1365138594.865 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 88.123.192.241, 208.83.20.164 (2), 91.218.38.132 (2), 177.12.63.16, 177.12.63.21, 99.230.104.255, 72.53.157.239, 79.50.11.244, 199.59.243.63 (2) Resource List: Observed Start: 04/04/2013 22:09:54.864 PDT Gen. 
Time: 04/04/2013 22:13:57.421 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 88.123.192.241 (22:11:56.164 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->12870 (22:11:56.164 PDT) 208.83.20.164 (2) (22:10:41.026 PDT) event=1:2011699 (2) {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FFb]U~@%FF%BDY7%FF%ACW%FFO%A8] MAC_Src: 00:01:64:FF:CE:EA 65195->80 (22:10:41.026 PDT) 65196->80 (22:10:47.960 PDT) 91.218.38.132 (2) (22:11:21.276 PDT) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 49305->2710 (22:11:21.276 PDT) ------------------------- event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 49305->2710 (22:11:21.276 PDT) 177.12.63.16 (22:12:11.982 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 49769->6016 (22:12:11.982 PDT) 177.12.63.21 (22:13:27.507 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 50705->6021 (22:13:27.507 PDT) 99.230.104.255 (22:10:55.438 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->53512 (22:10:55.438 PDT) 72.53.157.239 (22:09:54.864 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->45830 (22:09:54.864 PDT) 79.50.11.244 (22:12:58.596 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51413 (22:12:58.596 PDT) 199.59.243.63 (2) (22:10:00.813 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [G%C8%BB%18%AE%FE%A4%B4%B6%E4`U%DD%EE%EA%DC%00%CB%1C:[{%CE~%8D%13S%EB%DF%B4%ABI%C54%C5%FB%C8}%CB%80A.L 
%AC%84%FC%D7%0D%82%C0%AF%B4%B2VU%AD%9E^W%07g2*pX%E8%1Fs%8C%03%97%09s%81j%C4%F9%A8%1C%8F] MAC_Src: 00:01:64:FF:CE:EA 64700->80 (22:10:00.813 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF9%FFW%97%12%FFV%1B%A0%A8%0C%16Q%02%0D%A2] MAC_Src: 00:01:64:FF:CE:EA 64700->80 (22:10:00.813 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (22:12:00.523 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (22:12:00.523 PDT) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1365138594.864 1365138594.865 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================