Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 166.78.158.73 (2), 208.83.20.164, 91.218.38.132 (2), 46.105.125.167, 199.59.243.105, 85.17.143.16, 50.19.95.119 (2), 178.239.54.153, 91.121.60.42, 92.16.103.247, 223.204.49.24 (2) Resource List: Observed Start: 05/16/2013 17:48:09.045 PDT Gen. Time: 05/16/2013 17:50:40.284 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 166.78.158.73 (2) (17:48:51.834 PDT) event=1:2011699 (2) {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF~%FFn-%05z3PC/%B8%BBV%FF%07%A5] MAC_Src: 00:01:64:FF:CE:EA 61313->80 (17:48:51.834 PDT) 61360->80 (17:48:53.131 PDT) 208.83.20.164 (17:49:31.936 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FFb]U~@%FF%BDY7%FF%ACW%FFO%A8] MAC_Src: 00:01:64:FF:CE:EA 61891->80 (17:49:31.936 PDT) 91.218.38.132 (2) (17:48:51.834 PDT) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 61273->2710 (17:48:51.834 PDT) ------------------------- event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 61273->2710 (17:48:51.834 PDT) 46.105.125.167 (17:50:10.173 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6881 (17:50:10.173 PDT) 199.59.243.105 (17:49:31.961 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF9%FFW%97%12%FFV%1B%A0%A8%0C%16Q%02%0D%A2] MAC_Src: 00:01:64:FF:CE:EA 61906->80 (17:49:31.961 PDT) 85.17.143.16 (17:48:51.834 PDT) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 61295->6969 (17:48:51.834 PDT) 50.19.95.119 (2) (17:48:51.834 PDT) event=1:1100017 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 61304->80 (17:48:51.834 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/trac/scrape.php?info_hash=%FF%F9%BAb%1A%FF%A6%FF%FF%97%9B%0F%93%FF%FD] MAC_Src: 00:01:64:FF:CE:EA 61304->80 (17:48:51.834 PDT) 178.239.54.153 (17:48:51.834 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 61288->3310 (17:48:51.834 PDT) 91.121.60.42 (17:48:19.012 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/appcast.xml] MAC_Src: 00:01:64:FF:CE:EA 60941->80 (17:48:19.012 PDT) 92.16.103.247 (17:49:09.860 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->59067 (17:49:09.860 PDT) 223.204.49.24 (2) (17:48:09.045 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->9659 (17:48:09.045 PDT) ------------------------- event=1:2008581 {udp} E7[info] ET P2P BitTorrent DHT ping request, [] MAC_Src: 00:01:64:FF:CE:EA 51413->9659 (17:48:09.045 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (17:50:40.284 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (17:50:40.284 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368751689.045 1368751689.046 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 80.47.193.66, 166.78.158.73 (2), 208.83.20.164, 91.218.38.132 (2), 46.105.125.167, 199.59.243.105, 85.17.143.16, 50.19.95.119 (2), 178.239.54.153, 2.230.52.152, 91.121.60.42, 92.16.103.247, 223.204.49.24 (2) Resource List: Observed Start: 05/16/2013 17:48:09.045 PDT Gen. Time: 05/16/2013 17:52:10.892 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 80.47.193.66 (17:51:10.589 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->60228 (17:51:10.589 PDT) 166.78.158.73 (2) (17:48:51.834 PDT) event=1:2011699 (2) {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF~%FFn-%05z3PC/%B8%BBV%FF%07%A5] MAC_Src: 00:01:64:FF:CE:EA 61313->80 (17:48:51.834 PDT) 61360->80 (17:48:53.131 PDT) 208.83.20.164 (17:49:31.936 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FFb]U~@%FF%BDY7%FF%ACW%FFO%A8] MAC_Src: 00:01:64:FF:CE:EA 61891->80 (17:49:31.936 PDT) 91.218.38.132 (2) (17:48:51.834 PDT) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 61273->2710 (17:48:51.834 PDT) ------------------------- event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 61273->2710 (17:48:51.834 PDT) 46.105.125.167 (17:50:10.173 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6881 (17:50:10.173 PDT) 199.59.243.105 (17:49:31.961 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF9%FFW%97%12%FFV%1B%A0%A8%0C%16Q%02%0D%A2] MAC_Src: 00:01:64:FF:CE:EA 61906->80 (17:49:31.961 PDT) 85.17.143.16 (17:48:51.834 PDT) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 61295->6969 (17:48:51.834 PDT) 50.19.95.119 (2) (17:48:51.834 PDT) event=1:1100017 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 61304->80 (17:48:51.834 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/trac/scrape.php?info_hash=%FF%F9%BAb%1A%FF%A6%FF%FF%97%9B%0F%93%FF%FD] MAC_Src: 00:01:64:FF:CE:EA 61304->80 (17:48:51.834 PDT) 178.239.54.153 (17:48:51.834 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 61288->3310 (17:48:51.834 PDT) 2.230.52.152 (17:51:50.471 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 64089->51413 (17:51:50.471 PDT) 91.121.60.42 (17:48:19.012 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/appcast.xml] MAC_Src: 00:01:64:FF:CE:EA 60941->80 (17:48:19.012 PDT) 92.16.103.247 (17:49:09.860 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->59067 (17:49:09.860 PDT) 223.204.49.24 (2) (17:48:09.045 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->9659 (17:48:09.045 PDT) ------------------------- event=1:2008581 {udp} E7[info] ET P2P BitTorrent DHT ping request, [] MAC_Src: 00:01:64:FF:CE:EA 51413->9659 (17:48:09.045 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (17:50:40.284 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (17:50:40.284 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368751689.045 1368751689.046 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 178.239.54.153, 94.242.221.123, 78.22.112.205, 117.83.34.236, 82.102.136.160 Resource List: Observed Start: 05/16/2013 17:52:15.268 PDT Gen. Time: 05/16/2013 17:53:10.960 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 178.239.54.153 (17:52:18.462 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 64689->3310 (17:52:18.462 PDT) 94.242.221.123 (17:52:19.628 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/free/scrape?info_hash=%9D%A2%81%13|%FF%B7%1Ar3%0E%B5%F0O%FF%FA%FF] MAC_Src: 00:01:64:FF:CE:EA 64743->80 (17:52:19.628 PDT) 78.22.112.205 (17:52:15.268 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->63553 (17:52:15.268 PDT) 117.83.34.236 (17:52:25.584 PDT) event=1:2008583 {udp} E7[info] ET P2P BitTorrent DHT nodes reply, [] MAC_Src: 00:01:64:FF:CE:EA 51413->29454 (17:52:25.584 PDT) 82.102.136.160 (17:52:50.494 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 65426->16881 (17:52:50.494 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (17:53:10.960 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 49505->6099 (17:53:10.960 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368751935.268 1368751935.269 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 195.82.146.122, 208.83.20.164, 91.218.38.132 (2), 79.29.4.122, 202.103.67.135, 62.16.140.242, 78.22.112.205, 82.102.136.160, 186.86.1.198, 117.83.34.236, 24.206.23.81, 178.239.54.153, 94.242.221.123, 2.230.52.152, 77.67.84.202 Resource List: Observed Start: 05/16/2013 17:52:15.268 PDT Gen. Time: 05/16/2013 17:56:19.441 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 195.82.146.122 (17:53:11.131 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/ann?uk=jL3CyxuYXA/scrape&info_hash= %FF%92x%FF%1Cw;@%12%FF%F67w%19%9C] MAC_Src: 00:01:64:FF:CE:EA 49504->80 (17:53:11.131 PDT) 208.83.20.164 (17:55:50.369 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%7F%A1%0D%80%BB%FF%86UM8%92%07%BF%FD%9F%FF%FF] MAC_Src: 00:01:64:FF:CE:EA 51384->80 (17:55:50.369 PDT) 91.218.38.132 (2) (17:54:31.543 PDT) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 50441->2710 (17:54:31.543 PDT) ------------------------- event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 50441->2710 (17:54:31.543 PDT) 79.29.4.122 (17:55:16.555 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->31049 (17:55:16.555 PDT) 202.103.67.135 (17:55:05.925 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 50556->8080 (17:55:05.925 PDT) 62.16.140.242 (17:54:15.035 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->26932 (17:54:15.035 PDT) 78.22.112.205 (17:52:15.268 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->63553 (17:52:15.268 PDT) 82.102.136.160 (17:52:50.494 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 65426->16881 (17:52:50.494 PDT) 186.86.1.198 (17:56:19.441 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->45682 (17:56:19.441 PDT) 117.83.34.236 (17:52:25.584 PDT) event=1:2008583 {udp} E7[info] ET P2P BitTorrent DHT nodes reply, [] MAC_Src: 00:01:64:FF:CE:EA 51413->29454 (17:52:25.584 PDT) 24.206.23.81 (17:53:15.779 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->64194 (17:53:15.779 PDT) 178.239.54.153 (17:52:18.462 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 64689->3310 (17:52:18.462 PDT) 94.242.221.123 (17:52:19.628 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/free/scrape?info_hash=%9D%A2%81%13|%FF%B7%1Ar3%0E%B5%F0O%FF%FA%FF] MAC_Src: 00:01:64:FF:CE:EA 64743->80 (17:52:19.628 PDT) 2.230.52.152 (17:55:50.028 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 51376->51413 (17:55:50.028 PDT) 77.67.84.202 (17:54:23.946 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 50380->16883 (17:54:23.946 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (17:53:10.960 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 49505->6099 (17:53:10.960 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368751935.268 1368751935.269 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/16/2013 18:04:51.243 PDT Gen. Time: 05/16/2013 18:04:51.243 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (18:04:51.243 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 55294->6099 (18:04:51.243 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368752691.243 1368752691.244 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 93.50.57.31, 61.147.76.36, 211.76.109.2, 119.46.206.35, 79.41.234.101, 88.245.144.238, 195.82.146.122 Resource List: Observed Start: 05/16/2013 18:04:51.243 PDT Gen. Time: 05/16/2013 18:08:21.297 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 93.50.57.31 (18:06:28.402 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->22580 (18:06:28.402 PDT) 61.147.76.36 (18:07:54.507 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 55887->8284 (18:07:54.507 PDT) 211.76.109.2 (18:06:49.130 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 55656->16881 (18:06:49.130 PDT) 119.46.206.35 (18:05:48.731 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 55466->16882 (18:05:48.731 PDT) 79.41.234.101 (18:05:24.105 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51413 (18:05:24.105 PDT) 88.245.144.238 (18:07:30.889 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->19807 (18:07:30.889 PDT) 195.82.146.122 (18:06:01.754 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/ann?uk=jL3CyxuYXA/scrape&info_hash= %FF%92x%FF%1Cw;@%12%FF%F67w%19%9C] MAC_Src: 00:01:64:FF:CE:EA 55486->80 (18:06:01.754 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (18:04:51.243 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 55294->6099 (18:04:51.243 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368752691.243 1368752691.244 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 166.78.158.73 (2), 208.83.20.164, 208.95.173.194 (2), 199.59.243.105, 24.77.229.147, 50.19.95.119 (2), 222.252.75.68, 189.133.180.114, 187.104.108.219 Resource List: Observed Start: 05/16/2013 18:16:42.612 PDT Gen. Time: 05/16/2013 18:20:10.465 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 166.78.158.73 (2) (18:19:01.302 PDT) event=1:2011699 (2) {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF~%FFn-%05z3PC/%B8%BBV%FF%07%A5] MAC_Src: 00:01:64:FF:CE:EA 58172->80 (18:19:01.302 PDT) 58178->80 (18:19:01.477 PDT) 208.83.20.164 (18:19:40.822 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FFb]U~@%FF%BDY7%FF%ACW%FFO%A8] MAC_Src: 00:01:64:FF:CE:EA 58343->80 (18:19:40.822 PDT) 208.95.173.194 (2) (18:19:01.254 PDT) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 58168->2710 (18:19:01.254 PDT) ------------------------- event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 58168->2710 (18:19:01.254 PDT) 199.59.243.105 (18:19:40.846 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF9%FFW%97%12%FFV%1B%A0%A8%0C%16Q%02%0D%A2] MAC_Src: 00:01:64:FF:CE:EA 58345->80 (18:19:40.846 PDT) 24.77.229.147 (18:19:48.186 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->46672 (18:19:48.186 PDT) 50.19.95.119 (2) (18:19:01.254 PDT) event=1:1100017 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 58171->80 (18:19:01.254 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/trac/scrape.php?info_hash=%FF%F9%BAb%1A%FF%A6%FF%FF%97%9B%0F%93%FF%FD] MAC_Src: 00:01:64:FF:CE:EA 58171->80 (18:19:01.254 PDT) 222.252.75.68 (18:16:42.612 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->13695 (18:16:42.612 PDT) 189.133.180.114 (18:17:42.157 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->35439 (18:17:42.157 PDT) 187.104.108.219 (18:18:46.102 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->14618 (18:18:46.102 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (18:20:10.465 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (18:20:10.465 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368753402.612 1368753402.613 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 166.78.158.73 (2), 208.83.20.164, 208.95.173.194 (2), 117.254.249.125, 199.59.243.105, 24.77.229.147, 50.19.95.119 (2), 222.252.75.68, 189.133.180.114, 187.104.108.219 Resource List: Observed Start: 05/16/2013 18:16:42.612 PDT Gen. Time: 05/16/2013 18:20:48.776 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 166.78.158.73 (2) (18:19:01.302 PDT) event=1:2011699 (2) {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF~%FFn-%05z3PC/%B8%BBV%FF%07%A5] MAC_Src: 00:01:64:FF:CE:EA 58172->80 (18:19:01.302 PDT) 58178->80 (18:19:01.477 PDT) 208.83.20.164 (18:19:40.822 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FFb]U~@%FF%BDY7%FF%ACW%FFO%A8] MAC_Src: 00:01:64:FF:CE:EA 58343->80 (18:19:40.822 PDT) 208.95.173.194 (2) (18:19:01.254 PDT) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 58168->2710 (18:19:01.254 PDT) ------------------------- event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 58168->2710 (18:19:01.254 PDT) 117.254.249.125 (18:20:48.776 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->42642 (18:20:48.776 PDT) 199.59.243.105 (18:19:40.846 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF9%FFW%97%12%FFV%1B%A0%A8%0C%16Q%02%0D%A2] MAC_Src: 00:01:64:FF:CE:EA 58345->80 (18:19:40.846 PDT) 24.77.229.147 (18:19:48.186 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->46672 (18:19:48.186 PDT) 50.19.95.119 (2) (18:19:01.254 PDT) event=1:1100017 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 58171->80 (18:19:01.254 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/trac/scrape.php?info_hash=%FF%F9%BAb%1A%FF%A6%FF%FF%97%9B%0F%93%FF%FD] MAC_Src: 00:01:64:FF:CE:EA 58171->80 (18:19:01.254 PDT) 222.252.75.68 (18:16:42.612 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->13695 (18:16:42.612 PDT) 189.133.180.114 (18:17:42.157 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->35439 (18:17:42.157 PDT) 187.104.108.219 (18:18:46.102 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->14618 (18:18:46.102 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (18:20:10.465 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (18:20:10.465 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368753402.612 1368753402.613 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 126.91.113.44, 79.29.4.122 Resource List: Observed Start: 05/16/2013 18:36:18.542 PDT Gen. Time: 05/16/2013 18:37:31.091 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 126.91.113.44 (18:37:24.256 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->60199 (18:37:24.256 PDT) 79.29.4.122 (18:36:18.542 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->31049 (18:36:18.542 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (18:37:31.091 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 64723->6099 (18:37:31.091 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368754578.542 1368754578.543 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 126.91.113.44, 176.180.198.233, 79.29.4.122, 79.41.234.101, 195.82.146.122, 82.81.205.50, 41.34.12.28 Resource List: Observed Start: 05/16/2013 18:36:18.542 PDT Gen. Time: 05/16/2013 18:40:24.763 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 126.91.113.44 (18:37:24.256 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->60199 (18:37:24.256 PDT) 176.180.198.233 (18:38:54.973 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 65050->6346 (18:38:54.973 PDT) 79.29.4.122 (18:36:18.542 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->31049 (18:36:18.542 PDT) 79.41.234.101 (18:39:24.616 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51413 (18:39:24.616 PDT) 195.82.146.122 (18:38:41.350 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/ann?uk=jL3CyxuYXA/scrape&info_hash= %FF%92x%FF%1Cw;@%12%FF%F67w%19%9C] MAC_Src: 00:01:64:FF:CE:EA 64998->80 (18:38:41.350 PDT) 82.81.205.50 (18:40:24.763 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->19761 (18:40:24.763 PDT) 41.34.12.28 (18:38:24.572 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->21751 (18:38:24.572 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (18:37:31.091 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 64723->6099 (18:37:31.091 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368754578.542 1368754578.543 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 2.230.52.152, 151.40.161.35, 91.218.38.132 (2), 189.101.100.209, 37.153.12.154 Resource List: Observed Start: 05/16/2013 19:05:38.092 PDT Gen. Time: 05/16/2013 19:07:50.953 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 2.230.52.152 (19:06:43.646 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 55221->51413 (19:06:43.646 PDT) 151.40.161.35 (19:07:10.156 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51197 (19:07:10.156 PDT) 91.218.38.132 (2) (19:07:42.386 PDT) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 55558->2710 (19:07:42.386 PDT) ------------------------- event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 55558->2710 (19:07:42.386 PDT) 189.101.100.209 (19:06:05.082 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6881 (19:06:05.082 PDT) 37.153.12.154 (19:05:38.092 PDT) event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:01:64:FF:CE:EA 55025->6881 (19:05:38.092 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (19:07:50.953 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (19:07:50.953 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368756338.092 1368756338.093 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 114.108.192.231, 118.165.160.23, 181.50.59.78 Resource List: Observed Start: 05/16/2013 19:37:08.008 PDT Gen. Time: 05/16/2013 19:39:10.446 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 114.108.192.231 (19:37:43.547 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 65303->16881 (19:37:43.547 PDT) 118.165.160.23 (19:38:09.147 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->64977 (19:38:09.147 PDT) 181.50.59.78 (19:37:08.008 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->62780 (19:37:08.008 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (19:39:10.446 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 49250->6099 (19:39:10.446 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368758228.008 1368758228.009 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 195.82.146.122, 177.19.153.205, 101.161.162.233, 202.103.67.135, 181.50.59.78, 85.17.143.16, 24.206.23.81, 114.108.192.231, 118.165.160.23 Resource List: Observed Start: 05/16/2013 19:37:08.008 PDT Gen. Time: 05/16/2013 19:41:13.268 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 195.82.146.122 (19:40:40.888 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/ann?uk=jL3CyxuYXA/scrape&info_hash= %FF%92x%FF%1Cw;@%12%FF%F67w%19%9C] MAC_Src: 00:01:64:FF:CE:EA 49666->80 (19:40:40.888 PDT) 177.19.153.205 (19:40:43.109 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 49672->16883 (19:40:43.109 PDT) 101.161.162.233 (19:40:14.203 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->43291 (19:40:14.203 PDT) 202.103.67.135 (19:41:13.268 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 49775->8080 (19:41:13.268 PDT) 181.50.59.78 (19:37:08.008 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->62780 (19:37:08.008 PDT) 85.17.143.16 (19:39:32.908 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 49440->6969 (19:39:32.908 PDT) 24.206.23.81 (19:39:14.404 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->64194 (19:39:14.404 PDT) 114.108.192.231 (19:37:43.547 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 65303->16881 (19:37:43.547 PDT) 118.165.160.23 (19:38:09.147 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->64977 (19:38:09.147 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (19:39:10.446 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 49250->6099 (19:39:10.446 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368758228.008 1368758228.009 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 77.202.139.253 Resource List: Observed Start: 05/16/2013 20:38:24.329 PDT Gen. Time: 05/16/2013 20:39:20.808 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 77.202.139.253 (20:38:24.329 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->63805 (20:38:24.329 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (20:39:20.808 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (20:39:20.808 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368761904.329 1368761904.330 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 101.161.162.233, 61.91.88.77, 87.68.240.251, 95.120.35.175, 85.195.33.52, 77.202.139.253 Resource List: Observed Start: 05/16/2013 20:38:24.329 PDT Gen. Time: 05/16/2013 20:42:26.509 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 101.161.162.233 (20:39:24.253 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->43291 (20:39:24.253 PDT) 61.91.88.77 (20:39:30.560 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 63354->16882 (20:39:30.560 PDT) 87.68.240.251 (20:41:24.907 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->31815 (20:41:24.907 PDT) 95.120.35.175 (20:42:26.509 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->32958 (20:42:26.509 PDT) 85.195.33.52 (20:40:24.511 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51422 (20:40:24.511 PDT) 77.202.139.253 (20:38:24.329 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->63805 (20:38:24.329 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (20:39:20.808 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (20:39:20.808 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368761904.329 1368761904.330 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 180.182.148.172 Resource List: Observed Start: 05/16/2013 21:40:59.957 PDT Gen. Time: 05/16/2013 21:41:31.158 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 180.182.148.172 (21:40:59.957 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 63117->51413 (21:40:59.957 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (21:41:31.158 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 63233->6099 (21:41:31.158 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368765659.957 1368765659.958 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 195.82.146.122, 108.7.164.107, 91.218.38.132 (2), 202.103.67.135, 37.153.12.154 (3), 46.120.83.95, 85.17.143.16, 142.162.50.245, 180.182.148.172, 124.106.91.22 Resource List: Observed Start: 05/16/2013 21:40:59.957 PDT Gen. Time: 05/16/2013 21:45:08.860 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 195.82.146.122 (21:43:01.012 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/ann?uk=jL3CyxuYXA/scrape&info_hash= %FF%92x%FF%1Cw;@%12%FF%F67w%19%9C] MAC_Src: 00:01:64:FF:CE:EA 63592->80 (21:43:01.012 PDT) 108.7.164.107 (21:41:38.871 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->17344 (21:41:38.871 PDT) 91.218.38.132 (2) (21:43:41.177 PDT) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 63814->2710 (21:43:41.177 PDT) ------------------------- event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 63814->2710 (21:43:41.177 PDT) 202.103.67.135 (21:41:51.353 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 63346->8080 (21:41:51.353 PDT) 37.153.12.154 (3) (21:42:31.502 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 63490->6881 (21:42:31.502 PDT) ------------------------- event=1:2102181 (2) {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:01:64:FF:CE:EA 63490->6881 (21:42:31.502 PDT) 63554->6881 (21:42:41.005 PDT) 46.120.83.95 (21:43:42.801 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->49364 (21:43:42.801 PDT) 85.17.143.16 (21:43:48.317 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 63822->6969 (21:43:48.317 PDT) 142.162.50.245 (21:42:41.478 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->13570 (21:42:41.478 PDT) 180.182.148.172 (21:40:59.957 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 63117->51413 (21:40:59.957 PDT) 124.106.91.22 (21:44:45.347 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->20629 (21:44:45.347 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (21:41:31.158 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 63233->6099 (21:41:31.158 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368765659.957 1368765659.958 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================