Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List: 208.95.172.130
Peer Coord. List: 115.167.84.163 (2), 208.95.172.130 (2), 91.121.60.42
Resource List:
Observed Start: 04/26/2013 13:24:42.917 PDT
Gen. Time: 04/26/2013 13:26:20.773 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
  208.95.172.130 (13:24:42.917 PDT)
    event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:01:64:FF:CE:EA 64770->80 (13:24:42.917 PDT)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  115.167.84.163 (2) (13:25:51.482 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->43523 (13:25:51.482 PDT)
    -------------------------
    event=1:2008581 {udp} E7[info] ET P2P BitTorrent DHT ping request, [] MAC_Src: 00:01:64:FF:CE:EA 51413->43523 (13:25:51.482 PDT)
  208.95.172.130 (2) (13:25:43.252 PDT)
    event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 64894->80 (13:25:43.252 PDT)
    -------------------------
    event=1:2007727 {tcp} E7[info] ET P2P possible torrent download, [/download/268820209/thriller special edition.torrent] MAC_Src: 00:01:64:FF:CE:EA 64894->80 (13:25:43.252 PDT)
  91.121.60.42 (13:25:57.157 PDT)
    event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/appcast.xml] MAC_Src: 00:01:64:FF:CE:EA 64903->80 (13:25:57.157 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (13:26:20.773 PDT)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (13:26:20.773 PDT)
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367007882.917 1367007882.918 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List: 208.95.172.130
Peer Coord. List: 91.218.38.132 (2), 199.59.243.106, 181.28.83.89, 82.9.128.31, 83.149.86.133, 2.230.52.152, 91.121.60.42, 115.167.84.163 (2), 208.95.172.130 (2)
Resource List:
Observed Start: 04/26/2013 13:24:42.917 PDT
Gen. Time: 04/26/2013 13:28:33.693 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
  208.95.172.130 (13:24:42.917 PDT)
    event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:01:64:FF:CE:EA 64770->80 (13:24:42.917 PDT)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  91.218.38.132 (2) (13:26:32.591 PDT)
    event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 65284->2710 (13:26:32.591 PDT)
    -------------------------
    event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 65284->2710 (13:26:32.591 PDT)
  199.59.243.106 (13:28:09.912 PDT)
    event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF9%FFW%97%12%FFV%1B%A0%A8%0C%16Q%02%0D%A2] MAC_Src: 00:01:64:FF:CE:EA 50025->80 (13:28:09.912 PDT)
  181.28.83.89 (13:26:53.615 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->49236 (13:26:53.615 PDT)
  82.9.128.31 (13:27:53.694 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->48308 (13:27:53.694 PDT)
  83.149.86.133 (13:28:09.912 PDT)
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 50017->6969 (13:28:09.912 PDT)
  2.230.52.152 (13:26:34.385 PDT)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 65326->51413 (13:26:34.385 PDT)
  91.121.60.42 (13:25:57.157 PDT)
    event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/appcast.xml] MAC_Src: 00:01:64:FF:CE:EA 64903->80 (13:25:57.157 PDT)
  115.167.84.163 (2) (13:25:51.482 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->43523 (13:25:51.482 PDT)
    -------------------------
    event=1:2008581 {udp} E7[info] ET P2P BitTorrent DHT ping request, [] MAC_Src: 00:01:64:FF:CE:EA 51413->43523 (13:25:51.482 PDT)
  208.95.172.130 (2) (13:25:43.252 PDT)
    event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 64894->80 (13:25:43.252 PDT)
    -------------------------
    event=1:2007727 {tcp} E7[info] ET P2P possible torrent download, [/download/268820209/thriller special edition.torrent] MAC_Src: 00:01:64:FF:CE:EA 64894->80 (13:25:43.252 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (13:26:20.773 PDT)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (13:26:20.773 PDT)
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367007882.917 1367007882.918 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 2.230.52.152, 213.89.147.93
Resource List:
Observed Start: 04/26/2013 13:28:36.913 PDT
Gen. Time: 04/26/2013 13:29:16.109 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  2.230.52.152 (13:28:36.913 PDT)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 50754->51413 (13:28:36.913 PDT)
  213.89.147.93 (13:28:53.050 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->17236 (13:28:53.050 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  199.59.243.109 (13:29:16.109 PDT)
    event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51492->2701 (13:29:16.109 PDT)
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367008116.913 1367008116.914 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 84.75.141.177, 98.26.19.64, 176.180.198.233, 109.201.148.249, 100.1.96.205, 85.17.143.16, 83.82.249.245, 203.113.15.198, 50.19.95.119, 213.89.147.93, 178.239.54.160 (3), 2.230.52.152, 177.32.99.161
Resource List:
Observed Start: 04/26/2013 13:28:36.913 PDT
Gen. Time: 04/26/2013 13:32:37.991 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  84.75.141.177 (13:32:04.202 PDT)
    event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:01:64:FF:CE:EA 53462->6881 (13:32:04.202 PDT)
  98.26.19.64 (13:31:53.623 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->48263 (13:31:53.623 PDT)
  176.180.198.233 (13:31:13.198 PDT)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 53212->6346 (13:31:13.198 PDT)
  109.201.148.249 (13:31:51.181 PDT)
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 53395->2710 (13:31:51.181 PDT)
  100.1.96.205 (13:30:53.521 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->55845 (13:30:53.521 PDT)
  85.17.143.16 (13:29:41.894 PDT)
    event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 51530->6969 (13:29:41.894 PDT)
  83.82.249.245 (13:29:35.237 PDT)
    event=1:2008583 {udp} E7[info] ET P2P BitTorrent DHT nodes reply, [] MAC_Src: 00:01:64:FF:CE:EA 51413->25856 (13:29:35.237 PDT)
  203.113.15.198 (13:29:36.929 PDT)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 51977->16884 (13:29:36.929 PDT)
  50.19.95.119 (13:29:41.893 PDT)
    event=1:1100017 {tcp} E7[info] P2P torrent scrape tracker request, [/us/mcafee-labs/threat-intelligence.aspx] MAC_Src: 00:01:64:FF:CE:EA 51504->80 (13:29:41.893 PDT)
  213.89.147.93 (13:28:53.050 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->17236 (13:28:53.050 PDT)
  178.239.54.160 (3) (13:29:41.893 PDT)
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 51489->3310 (13:29:41.893 PDT)
    -------------------------
    event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 52671->3310 (13:30:10.495 PDT)
    -------------------------
    event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 52671->3310 (13:30:10.495 PDT)
  2.230.52.152 (13:28:36.913 PDT)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 50754->51413 (13:28:36.913 PDT)
  177.32.99.161 (13:29:53.803 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->10506 (13:29:53.803 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  199.59.243.109 (13:29:16.109 PDT)
    event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51492->2701 (13:29:16.109 PDT)
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367008116.913 1367008116.914 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 91.218.38.132 (2), 176.180.198.233, 46.120.83.95, 79.115.187.176
Resource List:
Observed Start: 04/26/2013 13:40:59.569 PDT
Gen. Time: 04/26/2013 13:42:31.515 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  91.218.38.132 (2) (13:41:24.307 PDT)
    event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 58026->2710 (13:41:24.307 PDT)
    -------------------------
    event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 58026->2710 (13:41:24.307 PDT)
  176.180.198.233 (13:41:21.750 PDT)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 58022->6346 (13:41:21.750 PDT)
  46.120.83.95 (13:40:59.569 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->49364 (13:40:59.569 PDT)
  79.115.187.176 (13:41:59.416 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->25442 (13:41:59.416 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (13:42:31.515 PDT)
    event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 58343->6099 (13:42:31.515 PDT)
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367008859.569 1367008859.570 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 81.11.219.208, 84.215.116.18, 91.218.38.132 (2), 150.101.100.2, 176.180.198.233 (2), 46.120.83.95, 79.115.187.176
Resource List:
Observed Start: 04/26/2013 13:40:59.569 PDT
Gen. Time: 04/26/2013 13:45:01.053 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  81.11.219.208 (13:45:01.053 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51413 (13:45:01.053 PDT)
  84.215.116.18 (13:44:01.647 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->45362 (13:44:01.647 PDT)
  91.218.38.132 (2) (13:41:24.307 PDT)
    event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 58026->2710 (13:41:24.307 PDT)
    -------------------------
    event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 58026->2710 (13:41:24.307 PDT)
  150.101.100.2 (13:43:00.144 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->60053 (13:43:00.144 PDT)
  176.180.198.233 (2) (13:41:21.750 PDT)
    event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 58022->6346 (13:41:21.750 PDT) 58832->6346 (13:44:19.268 PDT)
  46.120.83.95 (13:40:59.569 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->49364 (13:40:59.569 PDT)
  79.115.187.176 (13:41:59.416 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->25442 (13:41:59.416 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (13:42:31.515 PDT)
    event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 58343->6099 (13:42:31.515 PDT)
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367008859.569 1367008859.570 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 2.230.52.152, 50.68.21.112, 124.8.223.137, 110.74.40.37, 41.233.17.12
Resource List:
Observed Start: 04/26/2013 13:50:49.083 PDT
Gen. Time: 04/26/2013 13:53:31.047 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  2.230.52.152 (13:50:49.083 PDT)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 60638->51413 (13:50:49.083 PDT)
  50.68.21.112 (13:52:05.292 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->41942 (13:52:05.292 PDT)
  124.8.223.137 (13:52:10.979 PDT)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 61034->16884 (13:52:10.979 PDT)
  110.74.40.37 (13:53:07.419 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->53684 (13:53:07.419 PDT)
  41.233.17.12 (13:51:05.869 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->29733 (13:51:05.869 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  199.59.243.109 (13:53:31.047 PDT)
    event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 61535->2701 (13:53:31.047 PDT)
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367009449.083 1367009449.084 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 2.230.52.152 (2), 85.74.190.41, 50.68.21.112, 124.8.223.137, 208.83.20.164 (2), 110.74.40.37, 41.233.17.12
Resource List:
Observed Start: 04/26/2013 13:50:49.083 PDT
Gen. Time: 04/26/2013 13:54:36.725 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  2.230.52.152 (2) (13:50:49.083 PDT)
    event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 60638->51413 (13:50:49.083 PDT) 61781->51413 (13:54:13.044 PDT)
  85.74.190.41 (13:54:07.549 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->58992 (13:54:07.549 PDT)
  50.68.21.112 (13:52:05.292 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->41942 (13:52:05.292 PDT)
  124.8.223.137 (13:52:10.979 PDT)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 61034->16884 (13:52:10.979 PDT)
  208.83.20.164 (2) (13:53:31.117 PDT)
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [%99%D2%C2`v%0C%C7%D4E%D7V%B2=%9C%AB%16A!\%BF%CC%E6%C5)%16k%98/%D9%C5] MAC_Src: 00:01:64:FF:CE:EA 61536->80 (13:53:31.117 PDT)
    -------------------------
    event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%88%81h!f%09%00%AF:|/U;%BCmJH%F3,J] MAC_Src: 00:01:64:FF:CE:EA 61536->80 (13:53:31.117 PDT)
  110.74.40.37 (13:53:07.419 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->53684 (13:53:07.419 PDT)
  41.233.17.12 (13:51:05.869 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->29733 (13:51:05.869 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  199.59.243.109 (13:53:31.047 PDT)
    event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 61535->2701 (13:53:31.047 PDT)
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367009449.083 1367009449.084 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 79.168.7.151, 79.31.24.96, 91.218.38.132 (2), 176.180.198.233, 94.209.46.10, 124.8.223.137, 187.65.129.47
Resource List:
Observed Start: 04/26/2013 13:55:07.243 PDT
Gen. Time: 04/26/2013 13:58:10.787 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  79.168.7.151 (13:58:09.370 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->14284 (13:58:09.370 PDT)
  79.31.24.96 (13:56:09.286 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51413 (13:56:09.286 PDT)
  91.218.38.132 (2) (13:56:54.956 PDT)
    event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 62597->2710 (13:56:54.956 PDT)
    -------------------------
    event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 62597->2710 (13:56:54.956 PDT)
  176.180.198.233 (13:57:18.852 PDT)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 62747->6346 (13:57:18.852 PDT)
  94.209.46.10 (13:57:09.579 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->16335 (13:57:09.579 PDT)
  124.8.223.137 (13:56:11.009 PDT)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 62470->16884 (13:56:11.009 PDT)
  187.65.129.47 (13:55:07.243 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->10933 (13:55:07.243 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (13:58:10.787 PDT)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (13:58:10.787 PDT)
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367009707.243 1367009707.244 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List: 208.95.172.130
Peer Coord. List: 208.95.172.130, 46.165.211.181, 88.180.126.150
Resource List:
Observed Start: 04/26/2013 15:40:37.883 PDT
Gen. Time: 04/26/2013 15:43:51.834 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
  208.95.172.130 (15:40:37.883 PDT)
    event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:01:64:FF:CE:EA 53362->80 (15:40:37.883 PDT)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  208.95.172.130 (15:42:28.439 PDT)
    event=1:2007727 {tcp} E7[info] ET P2P possible torrent download, [/download/117776813/the blues brothers soundtrack.torrent] MAC_Src: 00:01:64:FF:CE:EA 53486->80 (15:42:28.439 PDT)
  46.165.211.181 (15:42:15.601 PDT)
    event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 53485->80 (15:42:15.601 PDT)
  88.180.126.150 (15:43:12.219 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6881 (15:43:12.219 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  208.87.35.103 (15:43:51.834 PDT)
    event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 53820->2710 (15:43:51.834 PDT)
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367016037.883 1367016037.884 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List: 208.95.172.130
Peer Coord. List: 178.239.54.153, 208.95.172.130, 46.165.211.181, 213.220.232.98, 88.180.126.150
Resource List:
Observed Start: 04/26/2013 15:40:37.883 PDT
Gen. Time: 04/26/2013 15:44:40.064 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
  208.95.172.130 (15:40:37.883 PDT)
    event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:01:64:FF:CE:EA 53362->80 (15:40:37.883 PDT)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  178.239.54.153 (15:43:51.861 PDT)
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 53814->3310 (15:43:51.861 PDT)
  208.95.172.130 (15:42:28.439 PDT)
    event=1:2007727 {tcp} E7[info] ET P2P possible torrent download, [/download/117776813/the blues brothers soundtrack.torrent] MAC_Src: 00:01:64:FF:CE:EA 53486->80 (15:42:28.439 PDT)
  46.165.211.181 (15:42:15.601 PDT)
    event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 53485->80 (15:42:15.601 PDT)
  213.220.232.98 (15:44:12.659 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->36436 (15:44:12.659 PDT)
  88.180.126.150 (15:43:12.219 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6881 (15:43:12.219 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  208.87.35.103 (15:43:51.834 PDT)
    event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 53820->2710 (15:43:51.834 PDT)
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367016037.883 1367016037.884 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List: 208.95.172.130
Peer Coord. List: 46.233.20.88, 208.95.172.130 (3), 46.165.211.181, 199.59.243.107, 80.232.243.157, 208.83.20.164, 75.179.180.251, 91.202.73.55 (2)
Resource List:
Observed Start: 04/26/2013 15:58:31.758 PDT
Gen. Time: 04/26/2013 16:01:35.975 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
  208.95.172.130 (15:58:31.758 PDT)
    event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:01:64:FF:CE:EA 56043->80 (15:58:31.758 PDT)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  46.233.20.88 (16:01:35.975 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->45538 (16:01:35.975 PDT)
  208.95.172.130 (3) (15:59:29.088 PDT)
    event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [/search?q= 199.89.170.197 blacklist&go=&qs=n&form=QBLH&pq= 199.89.170.197 blacklist&sc=0-0&sp=-1&sk=] MAC_Src: 00:01:64:FF:CE:EA 57026->80 (16:00:46.564 PDT)
    -------------------------
    event=1:2007727 (2) {tcp} E7[info] ET P2P possible torrent download, [/download/113738945/Television's Greatest Hits Of The '50s And '60s.torrent] MAC_Src: 00:01:64:FF:CE:EA 56149->80 (15:59:29.088 PDT) 57026->80 (16:00:46.564 PDT)
  46.165.211.181 (15:59:16.895 PDT)
    event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 56147->80 (15:59:16.895 PDT)
  199.59.243.107 (16:00:55.840 PDT)
    event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF9%FFW%97%12%FFV%1B%A0%A8%0C%16Q%02%0D%A2] MAC_Src: 00:01:64:FF:CE:EA 56992->80 (16:00:55.840 PDT)
  80.232.243.157 (15:59:35.155 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6881 (15:59:35.155 PDT)
  208.83.20.164 (16:00:55.840 PDT)
    event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%81%B4[0%BAx%FF%8C%FF%FF%FF%FD%01%A0S%FF] MAC_Src: 00:01:64:FF:CE:EA 56997->80 (16:00:55.840 PDT)
  75.179.180.251 (16:00:35.030 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->21610 (16:00:35.030 PDT)
  91.202.73.55 (2) (16:00:55.840 PDT)
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 56987->80 (16:00:55.840 PDT)
    -------------------------
    event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF9%FFW%97%12%FFV%1B%A0%A8%0C%16Q%02%0D%A2] MAC_Src: 00:01:64:FF:CE:EA 56987->80 (16:00:55.840 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (16:01:30.413 PDT)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (16:01:30.413 PDT)
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367017111.758 1367017111.759 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List: 208.95.172.130
Peer Coord. List: 208.83.20.164, 199.59.243.107, 91.202.73.55 (2), 75.179.180.251, 46.165.211.181, 46.233.20.88, 80.232.243.157, 95.211.212.14, 208.95.172.130 (3)
Resource List:
Observed Start: 04/26/2013 15:58:31.758 PDT
Gen. Time: 04/26/2013 16:02:32.822 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
  208.95.172.130 (15:58:31.758 PDT)
    event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:01:64:FF:CE:EA 56043->80 (15:58:31.758 PDT)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  208.83.20.164 (16:00:55.840 PDT)
    event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%81%B4[0%BAx%FF%8C%FF%FF%FF%FD%01%A0S%FF] MAC_Src: 00:01:64:FF:CE:EA 56997->80 (16:00:55.840 PDT)
  199.59.243.107 (16:00:55.840 PDT)
    event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF9%FFW%97%12%FFV%1B%A0%A8%0C%16Q%02%0D%A2] MAC_Src: 00:01:64:FF:CE:EA 56992->80 (16:00:55.840 PDT)
  91.202.73.55 (2) (16:00:55.840 PDT)
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 56987->80 (16:00:55.840 PDT)
    -------------------------
    event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF9%FFW%97%12%FFV%1B%A0%A8%0C%16Q%02%0D%A2] MAC_Src: 00:01:64:FF:CE:EA 56987->80 (16:00:55.840 PDT)
  75.179.180.251 (16:00:35.030 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->21610 (16:00:35.030 PDT)
  46.165.211.181 (15:59:16.895 PDT)
    event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 56147->80 (15:59:16.895 PDT)
  46.233.20.88 (16:01:35.975 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->45538 (16:01:35.975 PDT)
  80.232.243.157 (15:59:35.155 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6881 (15:59:35.155 PDT)
  95.211.212.14 (16:02:04.894 PDT)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 58303->30197 (16:02:04.894 PDT)
  208.95.172.130 (3) (15:59:29.088 PDT)
    event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [/search?q= 199.89.170.197 blacklist&go=&qs=n&form=QBLH&pq= 199.89.170.197 blacklist&sc=0-0&sp=-1&sk=] MAC_Src: 00:01:64:FF:CE:EA 57026->80 (16:00:46.564 PDT)
    -------------------------
    event=1:2007727 (2) {tcp} E7[info] ET P2P possible torrent download, [/download/113738945/Television's Greatest Hits Of The '50s And '60s.torrent] MAC_Src: 00:01:64:FF:CE:EA 56149->80 (15:59:29.088 PDT) 57026->80 (16:00:46.564 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (16:01:30.413 PDT)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (16:01:30.413 PDT)
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367017111.758 1367017111.759 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 61.91.88.30, 213.107.176.134, 84.75.141.177
Resource List:
Observed Start: 04/26/2013 16:02:40.990 PDT
Gen. Time: 04/26/2013 16:03:42.494 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  61.91.88.30 (16:03:04.635 PDT)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 59515->16884 (16:03:04.635 PDT)
  213.107.176.134 (16:03:40.797 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->27080 (16:03:40.797 PDT)
  84.75.141.177 (16:02:40.990 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6881 (16:02:40.990 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  199.59.243.107 (16:03:42.494 PDT)
    event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 60326->2701 (16:03:42.494 PDT)
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367017360.990 1367017360.991 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 2.230.52.152, 61.91.88.30, 213.107.176.134, 208.83.20.164 (3), 84.75.141.177 (2), 41.233.17.12 (2)
Resource List:
Observed Start: 04/26/2013 16:02:40.990 PDT
Gen. Time: 04/26/2013 16:06:41.005 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  2.230.52.152 (16:05:46.114 PDT)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 60767->51413 (16:05:46.114 PDT)
  61.91.88.30 (16:03:04.635 PDT)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 59515->16884 (16:03:04.635 PDT)
  213.107.176.134 (16:03:40.797 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->27080 (16:03:40.797 PDT)
  208.83.20.164 (3) (16:03:42.633 PDT)
    event=1:1100016 (2) {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 60037->6969 (16:03:42.633 PDT) 61033->80 (16:06:00.934 PDT)
    -------------------------
    event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%7F%A1%0D%80%BB%FF%86UM8%92%07%BF%FD%9F%FF%FFinfo_hash=%87#%BEf%99%17O%FF=FN%F3%FF%FF%9B_v] MAC_Src: 00:01:64:FF:CE:EA 61033->80 (16:06:00.934 PDT)
  84.75.141.177 (2) (16:02:40.990 PDT-16:05:40.219 PDT)
    event=1:1100013 (2) {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 2: 51413->6881 (16:02:40.990 PDT-16:05:40.219 PDT)
  41.233.17.12 (2) (16:04:40.894 PDT-16:06:40.809 PDT)
    event=1:1100013 (2) {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 2: 51413->29733 (16:04:40.894 PDT-16:06:40.809 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  199.59.243.107 (16:03:42.494 PDT)
    event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 60326->2701 (16:03:42.494 PDT)
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367017360.990 1367017600.810 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 110.74.40.37, 84.75.141.177
Resource List:
Observed Start: 04/26/2013 16:15:47.308 PDT
Gen. Time: 04/26/2013 16:17:01.048 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  110.74.40.37 (16:15:47.308 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->53684 (16:15:47.308 PDT)
  84.75.141.177 (16:16:48.728 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6881 (16:16:48.728 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (16:17:01.048 PDT)
    event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 64828->6099 (16:17:01.048 PDT)
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367018147.308 1367018147.309 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 2.230.52.152, 91.218.38.132, 99.230.104.255, 213.107.176.134, 110.74.40.37, 84.75.141.177
Resource List:
Observed Start: 04/26/2013 16:15:47.308 PDT
Gen.
Time: 04/26/2013 16:19:43.093 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 2.230.52.152 (16:19:03.740 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 65180->51413 (16:19:03.740 PDT) 91.218.38.132 (16:18:41.214 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 65119->2710 (16:18:41.214 PDT) 99.230.104.255 (16:17:48.463 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->53512 (16:17:48.463 PDT) 213.107.176.134 (16:18:48.779 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->27080 (16:18:48.779 PDT) 110.74.40.37 (16:15:47.308 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->53684 (16:15:47.308 PDT) 84.75.141.177 (16:16:48.728 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6881 (16:16:48.728 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (16:17:01.048 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 64828->6099 (16:17:01.048 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367018147.308 1367018147.309 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 176.180.198.233 (2), 108.7.164.107 Resource List: Observed Start: 04/26/2013 16:32:04.357 PDT Gen. 
Time: 04/26/2013 16:33:30.595 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 176.180.198.233 (2) (16:33:07.219 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 51436->6346 (16:33:07.219 PDT) ------------------------- event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6346 (16:33:07.669 PDT) 108.7.164.107 (16:32:04.357 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->17344 (16:32:04.357 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (16:33:30.595 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (16:33:30.595 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367019124.357 1367019124.358 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 121.220.137.145, 176.180.198.233 (2), 157.157.85.178, 208.83.20.164 (3), 108.7.164.107 Resource List: Observed Start: 04/26/2013 16:32:04.357 PDT Gen. 
Time: 04/26/2013 16:36:04.588 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 121.220.137.145 (16:35:09.261 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->26387 (16:35:09.261 PDT) 176.180.198.233 (2) (16:33:07.219 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 51436->6346 (16:33:07.219 PDT) ------------------------- event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6346 (16:33:07.669 PDT) 157.157.85.178 (16:34:08.935 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51110 (16:34:08.935 PDT) 208.83.20.164 (3) (16:34:51.021 PDT) event=1:1100016 (2) {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 51790->6969 (16:34:51.021 PDT) 52197->80 (16:36:01.350 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%7F%A1%0D%80%BB%FF%86UM8%92%07%BF%FD%9F%FF%FFinfo_hash=%87#%BEf%99%17O%FF=FN%F3%FF%FF%9B_v] MAC_Src: 00:01:64:FF:CE:EA 52197->80 (16:36:01.350 PDT) 108.7.164.107 (16:32:04.357 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->17344 (16:32:04.357 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (16:33:30.595 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (16:33:30.595 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367019124.357 1367019124.358 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ 
Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 2.230.52.152, 91.218.38.132, 175.136.162.149, 90.193.188.49 Resource List: Observed Start: 04/26/2013 16:48:46.460 PDT Gen. Time: 04/26/2013 16:50:21.200 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 2.230.52.152 (16:49:11.040 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 56300->51413 (16:49:11.040 PDT) 91.218.38.132 (16:48:51.665 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 56191->2710 (16:48:51.665 PDT) 175.136.162.149 (16:48:46.460 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->64874 (16:48:46.460 PDT) 90.193.188.49 (16:49:53.337 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->14035 (16:49:53.337 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (16:50:21.200 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 56505->6099 (16:50:21.200 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367020126.460 1367020126.461 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 2.230.52.152 (2), 91.218.38.132, 176.180.198.233, 99.98.193.219, 99.230.104.255, 175.136.162.149, 90.193.188.49, 91.202.73.55 Resource List: Observed Start: 04/26/2013 16:48:46.460 PDT Gen. 
Time: 04/26/2013 16:52:46.504 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 2.230.52.152 (2) (16:49:11.040 PDT) event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 56300->51413 (16:49:11.040 PDT) 56521->51413 (16:50:27.341 PDT) 91.218.38.132 (16:48:51.665 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 56191->2710 (16:48:51.665 PDT) 176.180.198.233 (16:52:06.350 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 56869->6346 (16:52:06.350 PDT) 99.98.193.219 (16:51:53.400 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->55862 (16:51:53.400 PDT) 99.230.104.255 (16:50:53.495 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->53512 (16:50:53.495 PDT) 175.136.162.149 (16:48:46.460 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->64874 (16:48:46.460 PDT) 90.193.188.49 (16:49:53.337 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->14035 (16:49:53.337 PDT) 91.202.73.55 (16:52:11.467 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 56894->80 (16:52:11.467 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (16:50:21.200 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 56505->6099 (16:50:21.200 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367020126.460 1367020126.461 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR 
================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 96.49.232.241, 96.48.21.135, 91.218.38.132 (3), 176.180.198.233, 187.36.23.55, 24.203.11.185 Resource List: Observed Start: 04/26/2013 17:17:49.037 PDT Gen. Time: 04/26/2013 17:21:10.930 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 96.49.232.241 (17:20:53.665 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->56313 (17:20:53.665 PDT) 96.48.21.135 (17:17:49.037 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->34334 (17:17:49.037 PDT) 91.218.38.132 (3) (17:19:02.001 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 61923->2710 (17:19:02.001 PDT) ------------------------- event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 62273->2710 (17:21:04.212 PDT) ------------------------- event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 62273->2710 (17:21:04.212 PDT) 176.180.198.233 (17:19:58.121 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 62108->6346 (17:19:58.121 PDT) 187.36.23.55 (17:19:49.895 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->45725 (17:19:49.895 PDT) 24.203.11.185 (17:18:49.532 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->45910 (17:18:49.532 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (17:21:10.930 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 
51413->6099 (17:21:10.930 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367021869.037 1367021869.038 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 200.83.239.125, 74.45.194.60, 176.180.198.233 Resource List: Observed Start: 04/26/2013 17:50:49.061 PDT Gen. Time: 04/26/2013 17:52:31.091 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 200.83.239.125 (17:51:49.535 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->17591 (17:51:49.535 PDT) 74.45.194.60 (17:50:49.061 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->12689 (17:50:49.061 PDT) 176.180.198.233 (17:51:07.039 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 53622->6346 (17:51:07.039 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (17:52:31.091 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 53964->6099 (17:52:31.091 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367023849.061 1367023849.062 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. 
List: 178.239.54.153, 200.83.239.125, 24.126.60.36, 59.15.78.137, 74.45.194.60, 176.180.198.233 Resource List: Observed Start: 04/26/2013 17:50:49.061 PDT Gen. Time: 04/26/2013 17:54:49.415 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 178.239.54.153 (17:54:00.337 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 54260->3310 (17:54:00.337 PDT) 200.83.239.125 (17:51:49.535 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->17591 (17:51:49.535 PDT) 24.126.60.36 (17:53:53.035 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->47842 (17:53:53.035 PDT) 59.15.78.137 (17:52:49.219 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->12705 (17:52:49.219 PDT) 74.45.194.60 (17:50:49.061 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->12689 (17:50:49.061 PDT) 176.180.198.233 (17:51:07.039 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 53622->6346 (17:51:07.039 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (17:52:31.091 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 53964->6099 (17:52:31.091 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367023849.061 1367023849.062 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. 
List: 91.218.38.132, 176.180.198.233, 83.77.205.156, 46.176.5.130, 79.158.219.189, 76.190.170.122 Resource List: Observed Start: 04/26/2013 18:49:21.354 PDT Gen. Time: 04/26/2013 18:52:40.834 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 91.218.38.132 (18:49:21.354 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 50602->2710 (18:49:21.354 PDT) 176.180.198.233 (18:50:37.935 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 50931->6346 (18:50:37.935 PDT) 83.77.205.156 (18:52:38.776 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6881 (18:52:38.776 PDT) 46.176.5.130 (18:51:30.502 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->25328 (18:51:30.502 PDT) 79.158.219.189 (18:49:29.514 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->31761 (18:49:29.514 PDT) 76.190.170.122 (18:50:29.310 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->57345 (18:50:29.310 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (18:52:40.834 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (18:52:40.834 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367027361.354 1367027361.355 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. 
List: 177.133.75.219, 189.124.240.41, 91.218.38.132 (2), 176.180.198.233, 121.7.131.109, 200.111.5.62 Resource List: Observed Start: 04/26/2013 19:50:50.369 PDT Gen. Time: 04/26/2013 19:54:00.749 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 177.133.75.219 (19:50:50.369 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->43794 (19:50:50.369 PDT) 189.124.240.41 (19:53:50.918 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->20803 (19:53:50.918 PDT) 91.218.38.132 (2) (19:51:51.524 PDT) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 51666->2710 (19:51:51.524 PDT) ------------------------- event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 51666->2710 (19:51:51.524 PDT) 176.180.198.233 (19:52:13.382 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 51768->6346 (19:52:13.382 PDT) 121.7.131.109 (19:51:50.402 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->31535 (19:51:50.402 PDT) 200.111.5.62 (19:52:50.096 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->56214 (19:52:50.096 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (19:54:00.749 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 52252->6099 (19:54:00.749 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367031050.369 1367031050.370 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR 
================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 24.7.52.136 (5), 196.205.180.97 Resource List: Observed Start: 04/26/2013 21:53:49.729 PDT Gen. Time: 04/26/2013 21:54:10.592 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 24.7.52.136 (5) (21:53:49.729 PDT-21:54:01.732 PDT) event=1:2000357 (5) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:01:64:FF:CE:EA 5: 61199->6890 (21:53:49.729 PDT-21:54:01.732 PDT) 196.205.180.97 (21:53:55.091 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->45682 (21:53:55.091 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (21:54:10.592 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (21:54:10.592 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367038429.729 1367038441.733 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 96.239.60.166, 176.180.198.233, 46.30.239.240, 24.7.52.136 (13), 95.244.202.205 Resource List: Observed Start: 04/26/2013 21:57:55.791 PDT Gen. 
Time: 04/26/2013 22:01:11.204 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 96.239.60.166 (22:00:15.053 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->30860 (22:00:15.053 PDT) 176.180.198.233 (22:00:06.323 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 63388->6346 (22:00:06.323 PDT) 46.30.239.240 (21:58:03.681 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->43591 (21:58:03.681 PDT) 24.7.52.136 (13) (21:57:55.791 PDT-22:01:02.838 PDT) event=1:2000357 (13) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:01:64:FF:CE:EA 13: 61199->6890 (21:57:55.791 PDT-22:01:02.838 PDT) 95.244.202.205 (21:59:11.261 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->43033 (21:59:11.261 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 199.59.243.107 (22:01:11.204 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 63730->2701 (22:01:11.204 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367038675.791 1367038862.839 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================