Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 126.91.113.44, 202.103.67.135, 188.6.168.23 Resource List: Observed Start: 05/17/2013 01:42:06.673 PDT Gen. Time: 05/17/2013 01:43:40.811 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 126.91.113.44 (01:43:06.101 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->60199 (01:43:06.101 PDT) 202.103.67.135 (01:43:33.566 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 64413->8080 (01:43:33.566 PDT) 188.6.168.23 (01:42:06.673 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->35939 (01:42:06.673 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (01:43:40.811 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 64422->6099 (01:43:40.811 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368780126.673 1368780126.674 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 126.91.113.44, 188.76.179.14, 202.103.67.135, 188.6.168.23, 195.82.146.122 Resource List: Observed Start: 05/17/2013 01:42:06.673 PDT Gen. Time: 05/17/2013 01:44:51.163 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 126.91.113.44 (01:43:06.101 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->60199 (01:43:06.101 PDT) 188.76.179.14 (01:44:09.173 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->42639 (01:44:09.173 PDT) 202.103.67.135 (01:43:33.566 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 64413->8080 (01:43:33.566 PDT) 188.6.168.23 (01:42:06.673 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->35939 (01:42:06.673 PDT) 195.82.146.122 (01:44:41.779 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/ann?uk=jL3CyxuYXA/scrape&info_hash= %FF%92x%FF%1Cw;@%12%FF%F67w%19%9C] MAC_Src: 00:01:64:FF:CE:EA 64596->80 (01:44:41.779 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (01:43:40.811 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 64422->6099 (01:43:40.811 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368780126.673 1368780126.674 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 91.218.38.132 (2), 190.225.59.143, 83.101.72.75, 201.246.99.197 Resource List: Observed Start: 05/17/2013 03:41:09.766 PDT Gen. Time: 05/17/2013 03:43:40.809 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 91.218.38.132 (2) (03:43:35.684 PDT) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 63348->2710 (03:43:35.684 PDT) ------------------------- event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 63348->2710 (03:43:35.684 PDT) 190.225.59.143 (03:41:09.766 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->35757 (03:41:09.766 PDT) 83.101.72.75 (03:42:10.633 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51413 (03:42:10.633 PDT) 201.246.99.197 (03:43:14.680 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51741 (03:43:14.680 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (03:43:40.809 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (03:43:40.809 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368787269.766 1368787269.767 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 69.62.136.16, 91.218.38.132 (2), 190.225.59.143, 202.103.67.135, 83.101.72.75, 201.246.99.197 Resource List: Observed Start: 05/17/2013 03:41:09.766 PDT Gen. Time: 05/17/2013 03:45:04.311 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 69.62.136.16 (03:44:17.730 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->20085 (03:44:17.730 PDT) 91.218.38.132 (2) (03:43:35.684 PDT) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 63348->2710 (03:43:35.684 PDT) ------------------------- event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 63348->2710 (03:43:35.684 PDT) 190.225.59.143 (03:41:09.766 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->35757 (03:41:09.766 PDT) 202.103.67.135 (03:44:01.152 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 63460->8080 (03:44:01.152 PDT) 83.101.72.75 (03:42:10.633 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51413 (03:42:10.633 PDT) 201.246.99.197 (03:43:14.680 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51741 (03:43:14.680 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (03:43:40.809 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (03:43:40.809 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368787269.766 1368787269.767 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 108.103.161.183, 126.91.113.44, 179.210.8.229, 91.140.74.8, 41.66.14.25, 202.103.67.135 Resource List: Observed Start: 05/17/2013 05:41:41.906 PDT Gen. Time: 05/17/2013 05:45:33.448 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 108.103.161.183 (05:44:23.478 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 65336->6890 (05:44:23.478 PDT) 126.91.113.44 (05:43:43.197 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->60199 (05:43:43.197 PDT) 179.210.8.229 (05:42:43.653 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->59696 (05:42:43.653 PDT) 91.140.74.8 (05:44:47.658 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->34368 (05:44:47.658 PDT) 41.66.14.25 (05:41:41.906 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->44634 (05:41:41.906 PDT) 202.103.67.135 (05:44:51.265 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 49174->8080 (05:44:51.265 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (05:45:33.448 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 49340->6099 (05:45:33.448 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368794501.906 1368794501.907 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 108.103.161.183, 126.91.113.44, 179.210.8.229, 91.140.74.8, 175.139.0.154, 41.66.14.25, 202.103.67.135 Resource List: Observed Start: 05/17/2013 05:41:41.906 PDT Gen. Time: 05/17/2013 05:45:50.226 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 108.103.161.183 (05:44:23.478 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 65336->6890 (05:44:23.478 PDT) 126.91.113.44 (05:43:43.197 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->60199 (05:43:43.197 PDT) 179.210.8.229 (05:42:43.653 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->59696 (05:42:43.653 PDT) 91.140.74.8 (05:44:47.658 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->34368 (05:44:47.658 PDT) 175.139.0.154 (05:45:50.226 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->64874 (05:45:50.226 PDT) 41.66.14.25 (05:41:41.906 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->44634 (05:41:41.906 PDT) 202.103.67.135 (05:44:51.265 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 49174->8080 (05:44:51.265 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (05:45:33.448 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 49340->6099 (05:45:33.448 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368794501.906 1368794501.907 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 201.75.126.124, 202.103.67.135, 37.45.48.225 Resource List: Observed Start: 05/17/2013 07:44:43.303 PDT Gen. Time: 05/17/2013 07:46:01.109 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 201.75.126.124 (07:45:43.101 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->25504 (07:45:43.101 PDT) 202.103.67.135 (07:45:00.659 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 57919->8080 (07:45:00.659 PDT) 37.45.48.225 (07:44:43.303 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->29775 (07:44:43.303 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (07:46:01.109 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (07:46:01.109 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368801883.303 1368801883.304 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 91.218.38.132 (2), 201.75.126.124, 94.209.46.10, 76.173.70.169, 202.103.67.135, 37.45.48.225, 58.11.176.203 Resource List: Observed Start: 05/17/2013 07:44:43.303 PDT Gen. Time: 05/17/2013 07:48:48.440 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 91.218.38.132 (2) (07:47:15.240 PDT) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 58685->2710 (07:47:15.240 PDT) ------------------------- event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 58685->2710 (07:47:15.240 PDT) 201.75.126.124 (07:45:43.101 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->25504 (07:45:43.101 PDT) 94.209.46.10 (07:47:48.034 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->16335 (07:47:48.034 PDT) 76.173.70.169 (07:46:43.079 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->22222 (07:46:43.079 PDT) 202.103.67.135 (07:45:00.659 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 57919->8080 (07:45:00.659 PDT) 37.45.48.225 (07:44:43.303 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->29775 (07:44:43.303 PDT) 58.11.176.203 (07:48:48.440 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->43244 (07:48:48.440 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (07:46:01.109 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (07:46:01.109 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368801883.303 1368801883.304 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 69.35.66.145 Resource List: Observed Start: 05/17/2013 09:47:52.662 PDT Gen. Time: 05/17/2013 09:48:11.232 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 69.35.66.145 (09:47:52.662 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 59660->60254 (09:47:52.662 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (09:48:11.232 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 59671->6099 (09:48:11.232 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368809272.662 1368809272.663 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 79.29.4.122, 90.151.110.247, 69.35.66.145, 195.82.146.122, 121.14.98.151 Resource List: Observed Start: 05/17/2013 09:47:52.662 PDT Gen. Time: 05/17/2013 09:50:09.855 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 79.29.4.122 (09:49:27.107 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->31049 (09:49:27.107 PDT) 90.151.110.247 (09:48:26.582 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->49001 (09:48:26.582 PDT) 69.35.66.145 (09:47:52.662 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 59660->60254 (09:47:52.662 PDT) 195.82.146.122 (09:48:41.494 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/ann?uk=jL3CyxuYXA/scrape&info_hash= %FF%92x%FF%1Cw;@%12%FF%F67w%19%9C] MAC_Src: 00:01:64:FF:CE:EA 60055->80 (09:48:41.494 PDT) 121.14.98.151 (09:48:41.478 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 60056->9090 (09:48:41.478 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (09:48:11.232 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 59671->6099 (09:48:11.232 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368809272.662 1368809272.663 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/17/2013 11:49:00.893 PDT Gen. Time: 05/17/2013 11:49:00.893 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (11:49:00.893 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (11:49:00.893 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368816540.893 1368816540.894 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 187.172.16.31, 178.239.54.153, 190.160.2.131 (2), 190.215.28.223, 83.77.205.156, 79.13.248.71 Resource List: Observed Start: 05/17/2013 11:49:00.893 PDT Gen. Time: 05/17/2013 11:52:33.397 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 187.172.16.31 (11:50:33.794 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->16942 (11:50:33.794 PDT) 178.239.54.153 (11:49:26.044 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 63618->3310 (11:49:26.044 PDT) 190.160.2.131 (2) (11:49:06.042 PDT) event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 63456->16881 (11:49:06.042 PDT) 64223->16881 (11:51:06.053 PDT) 190.215.28.223 (11:51:33.193 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->59467 (11:51:33.193 PDT) 83.77.205.156 (11:49:33.364 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6881 (11:49:33.364 PDT) 79.13.248.71 (11:52:33.397 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->29800 (11:52:33.397 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (11:49:00.893 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (11:49:00.893 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368816540.893 1368816540.894 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 2.230.52.152, 178.239.54.153, 79.87.91.72 Resource List: Observed Start: 05/17/2013 13:50:11.859 PDT Gen. Time: 05/17/2013 13:50:31.201 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 2.230.52.152 (13:50:16.446 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 52480->51413 (13:50:16.446 PDT) 178.239.54.153 (13:50:11.859 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 52463->3310 (13:50:11.859 PDT) 79.87.91.72 (13:50:25.239 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->40908 (13:50:25.239 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (13:50:31.201 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 52667->6099 (13:50:31.201 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368823811.859 1368823811.860 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 2.230.52.152, 178.239.54.153, 187.126.93.131, 79.87.91.72, 111.252.237.202, 195.82.146.122, 86.168.34.156 Resource List: Observed Start: 05/17/2013 13:50:11.859 PDT Gen. Time: 05/17/2013 13:53:56.361 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 2.230.52.152 (13:50:16.446 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 52480->51413 (13:50:16.446 PDT) 178.239.54.153 (13:50:11.859 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 52463->3310 (13:50:11.859 PDT) 187.126.93.131 (13:52:26.097 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51441 (13:52:26.097 PDT) 79.87.91.72 (13:50:25.239 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->40908 (13:50:25.239 PDT) 111.252.237.202 (13:53:56.361 PDT) event=1:2008581 {udp} E7[info] ET P2P BitTorrent DHT ping request, [] MAC_Src: 00:01:64:FF:CE:EA 51413->14878 (13:53:56.361 PDT) 195.82.146.122 (13:50:51.626 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/ann?uk=jL3CyxuYXA/scrape&info_hash= %FF%92x%FF%1Cw;@%12%FF%F67w%19%9C] MAC_Src: 00:01:64:FF:CE:EA 52848->80 (13:50:51.626 PDT) 86.168.34.156 (13:51:26.160 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->32860 (13:51:26.160 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (13:50:31.201 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 52667->6099 (13:50:31.201 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368823811.859 1368823811.860 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 189.231.39.71, 178.239.54.153, 217.55.62.128, 78.108.159.17 (3) Resource List: Observed Start: 05/17/2013 15:49:11.007 PDT Gen. Time: 05/17/2013 15:50:40.728 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 189.231.39.71 (15:49:34.520 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->38119 (15:49:34.520 PDT) 178.239.54.153 (15:49:11.007 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 49291->3310 (15:49:11.007 PDT) 217.55.62.128 (15:50:36.518 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->56221 (15:50:36.518 PDT) 78.108.159.17 (3) (15:49:38.520 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 49575->6881 (15:49:38.520 PDT) ------------------------- event=1:2102181 (2) {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:01:64:FF:CE:EA 49575->6881 (15:49:38.520 PDT) 49629->6881 (15:49:48.022 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (15:50:40.728 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (15:50:40.728 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368830951.007 1368830951.008 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 189.231.39.71 (2), 178.239.54.153 (2), 95.94.18.158, 217.55.62.128, 91.218.38.132 (2), 78.108.159.17 (3) Resource List: Observed Start: 05/17/2013 15:49:11.007 PDT Gen. Time: 05/17/2013 15:53:13.085 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 189.231.39.71 (2) (15:49:34.520 PDT-15:51:36.551 PDT) event=1:1100013 (2) {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 2: 51413->38119 (15:49:34.520 PDT-15:51:36.551 PDT) 178.239.54.153 (2) (15:49:11.007 PDT) event=1:1100016 (2) {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 49989->3310 (15:50:51.425 PDT) 49291->3310 (15:49:11.007 PDT) 95.94.18.158 (15:52:36.683 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->46585 (15:52:36.683 PDT) 217.55.62.128 (15:50:36.518 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->56221 (15:50:36.518 PDT) 91.218.38.132 (2) (15:52:39.044 PDT) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 50674->2710 (15:52:39.044 PDT) ------------------------- event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 50674->2710 (15:52:39.044 PDT) 78.108.159.17 (3) (15:49:38.520 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 49575->6881 (15:49:38.520 PDT) ------------------------- event=1:2102181 (2) {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:01:64:FF:CE:EA 49575->6881 (15:49:38.520 PDT) 49629->6881 (15:49:48.022 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (15:50:40.728 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (15:50:40.728 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368830951.007 1368831096.552 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 124.150.56.228, 178.239.54.153, 195.82.146.122 Resource List: Observed Start: 05/17/2013 17:51:32.160 PDT Gen. Time: 05/17/2013 17:52:02.121 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 124.150.56.228 (17:51:47.595 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->32181 (17:51:47.595 PDT) 178.239.54.153 (17:51:32.160 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 60564->3310 (17:51:32.160 PDT) 195.82.146.122 (17:51:51.767 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/ann?uk=jL3CyxuYXA/scrape&info_hash= %FF%92x%FF%1Cw;@%12%FF%F67w%19%9C] MAC_Src: 00:01:64:FF:CE:EA 60688->80 (17:51:51.767 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (17:52:02.121 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 60723->6099 (17:52:02.121 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368838292.160 1368838292.161 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 124.150.56.228, 178.239.54.153, 200.83.193.112, 195.82.146.122 Resource List: Observed Start: 05/17/2013 17:51:32.160 PDT Gen. Time: 05/17/2013 17:52:53.912 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 124.150.56.228 (17:51:47.595 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->32181 (17:51:47.595 PDT) 178.239.54.153 (17:51:32.160 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 60564->3310 (17:51:32.160 PDT) 200.83.193.112 (17:52:53.912 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->14603 (17:52:53.912 PDT) 195.82.146.122 (17:51:51.767 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/ann?uk=jL3CyxuYXA/scrape&info_hash= %FF%92x%FF%1Cw;@%12%FF%F67w%19%9C] MAC_Src: 00:01:64:FF:CE:EA 60688->80 (17:51:51.767 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (17:52:02.121 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 60723->6099 (17:52:02.121 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368838292.160 1368838292.161 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 178.239.54.153 Resource List: Observed Start: 05/17/2013 19:52:11.141 PDT Gen. Time: 05/17/2013 19:52:20.841 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 178.239.54.153 (19:52:11.141 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 60529->3310 (19:52:11.141 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (19:52:20.841 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (19:52:20.841 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368845531.141 1368845531.142 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 80.47.193.66, 178.239.54.153 (2), 119.46.206.43, 174.20.190.167, 175.139.0.154, 181.163.148.144, 154.45.216.142 Resource List: Observed Start: 05/17/2013 19:52:11.141 PDT Gen. Time: 05/17/2013 19:56:54.796 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 80.47.193.66 (19:55:52.725 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->60228 (19:55:52.725 PDT) 178.239.54.153 (2) (19:52:11.141 PDT) event=1:1100016 (2) {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 60529->3310 (19:52:11.141 PDT) 61508->3310 (19:55:42.038 PDT) 119.46.206.43 (19:53:55.291 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 60945->16881 (19:53:55.291 PDT) 174.20.190.167 (19:54:51.953 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->33363 (19:54:51.953 PDT) 175.139.0.154 (19:53:51.992 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->64874 (19:53:51.992 PDT) 181.163.148.144 (19:52:46.288 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->34721 (19:52:46.288 PDT) 154.45.216.142 (19:55:34.319 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 61477->1046 (19:55:34.319 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (19:52:20.841 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (19:52:20.841 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT