Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 177.65.35.100, 208.95.173.194, 178.239.54.153, 178.239.54.160, 82.3.137.27, 31.151.72.98, 85.17.143.16, 83.86.89.101
Resource List:
Observed Start: 05/19/2013 00:05:31.576 PDT
Gen. Time: 05/19/2013 00:08:10.658 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  177.65.35.100 (00:06:32.850 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->59326 (00:06:32.850 PDT)
  208.95.173.194 (00:06:01.075 PDT)
    event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 59359->2710 (00:06:01.075 PDT)
  178.239.54.153 (00:05:31.576 PDT)
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 59293->3310 (00:05:31.576 PDT)
  178.239.54.160 (00:07:41.562 PDT)
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 59895->3310 (00:07:41.562 PDT)
  82.3.137.27 (00:08:05.842 PDT)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 59924->51413 (00:08:05.842 PDT)
  31.151.72.98 (00:05:31.805 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->50170 (00:05:31.805 PDT)
  85.17.143.16 (00:06:53.605 PDT)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 59646->6969 (00:06:53.605 PDT)
  83.86.89.101 (00:07:32.061 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->60916 (00:07:32.061 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (00:08:10.658 PDT)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (00:08:10.658 PDT)
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368947131.576 1368947131.577 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 41.212.121.253, 177.65.35.100, 83.86.89.101, 208.95.173.194 (2), 83.58.237.85, 85.17.143.16, 82.3.137.27, 178.239.54.153, 178.239.54.160, 31.151.72.98
Resource List:
Observed Start: 05/19/2013 00:05:31.576 PDT
Gen. Time: 05/19/2013 00:09:32.624 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  41.212.121.253 (00:08:32.531 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->33560 (00:08:32.531 PDT)
  177.65.35.100 (00:06:32.850 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->59326 (00:06:32.850 PDT)
  83.86.89.101 (00:07:32.061 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->60916 (00:07:32.061 PDT)
  208.95.173.194 (2) (00:06:01.075 PDT)
    event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 59359->2710 (00:06:01.075 PDT)
    -------------------------
    event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 60108->2710 (00:08:41.054 PDT)
  83.58.237.85 (00:09:32.624 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->55998 (00:09:32.624 PDT)
  85.17.143.16 (00:06:53.605 PDT)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 59646->6969 (00:06:53.605 PDT)
  82.3.137.27 (00:08:05.842 PDT)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 59924->51413 (00:08:05.842 PDT)
  178.239.54.153 (00:05:31.576 PDT)
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 59293->3310 (00:05:31.576 PDT)
  178.239.54.160 (00:07:41.562 PDT)
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 59895->3310 (00:07:41.562 PDT)
  31.151.72.98 (00:05:31.805 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->50170 (00:05:31.805 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (00:08:10.658 PDT)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (00:08:10.658 PDT)
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368947131.576 1368947131.577 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 195.82.146.122, 166.78.158.73, 177.65.35.100, 91.218.38.132, 79.29.4.122, 208.95.173.194, 85.17.143.16, 68.150.224.48, 24.202.107.125, 2.26.184.103, 119.46.206.73
Resource List:
Observed Start: 05/19/2013 02:06:25.073 PDT
Gen. Time: 05/19/2013 02:10:11.351 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  195.82.146.122 (02:09:42.078 PDT)
    event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/ann?uk=jL3CyxuYXA/scrape&info_hash= %FF%92x%FF%1Cw;@%12%FF%F67w%19%9C] MAC_Src: 00:01:64:FF:CE:EA 51322->80 (02:09:42.078 PDT)
  166.78.158.73 (02:08:21.928 PDT)
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 50640->6969 (02:08:21.928 PDT)
  177.65.35.100 (02:06:25.073 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->59326 (02:06:25.073 PDT)
  91.218.38.132 (02:08:55.585 PDT)
    event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 50953->2710 (02:08:55.585 PDT)
  79.29.4.122 (02:08:25.434 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->31049 (02:08:25.434 PDT)
  208.95.173.194 (02:08:04.573 PDT)
    event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 50551->2710 (02:08:04.573 PDT)
  85.17.143.16 (02:09:54.176 PDT)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 51338->6969 (02:09:54.176 PDT)
  68.150.224.48 (02:07:29.294 PDT)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 50366->51413 (02:07:29.294 PDT)
  24.202.107.125 (02:07:25.018 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->45910 (02:07:25.018 PDT)
  2.26.184.103 (02:09:25.304 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6890 (02:09:25.304 PDT)
  119.46.206.73 (02:08:48.159 PDT)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 50945->16881 (02:08:48.159 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (02:10:11.351 PDT)
    event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51398->6099 (02:10:11.351 PDT)
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368954385.073 1368954385.074 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 195.82.146.122, 166.78.158.73, 177.65.35.100, 91.218.38.132, 79.29.4.122, 208.95.173.194, 85.17.143.16, 68.150.224.48, 94.242.221.123, 24.202.107.125, 2.26.184.103, 119.46.206.73
Resource List:
Observed Start: 05/19/2013 02:06:25.073 PDT
Gen. Time: 05/19/2013 02:10:21.663 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  195.82.146.122 (02:09:42.078 PDT)
    event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/ann?uk=jL3CyxuYXA/scrape&info_hash= %FF%92x%FF%1Cw;@%12%FF%F67w%19%9C] MAC_Src: 00:01:64:FF:CE:EA 51322->80 (02:09:42.078 PDT)
  166.78.158.73 (02:08:21.928 PDT)
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 50640->6969 (02:08:21.928 PDT)
  177.65.35.100 (02:06:25.073 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->59326 (02:06:25.073 PDT)
  91.218.38.132 (02:08:55.585 PDT)
    event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 50953->2710 (02:08:55.585 PDT)
  79.29.4.122 (02:08:25.434 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->31049 (02:08:25.434 PDT)
  208.95.173.194 (02:08:04.573 PDT)
    event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 50551->2710 (02:08:04.573 PDT)
  85.17.143.16 (02:09:54.176 PDT)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 51338->6969 (02:09:54.176 PDT)
  68.150.224.48 (02:07:29.294 PDT)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 50366->51413 (02:07:29.294 PDT)
  94.242.221.123 (02:10:21.663 PDT)
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 51479->80 (02:10:21.663 PDT)
  24.202.107.125 (02:07:25.018 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->45910 (02:07:25.018 PDT)
  2.26.184.103 (02:09:25.304 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6890 (02:09:25.304 PDT)
  119.46.206.73 (02:08:48.159 PDT)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 50945->16881 (02:08:48.159 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (02:10:11.351 PDT)
    event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51398->6099 (02:10:11.351 PDT)
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368954385.073 1368954385.074 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 2.230.52.152
Resource List:
Observed Start: 05/19/2013 04:10:36.517 PDT
Gen. Time: 05/19/2013 04:11:00.433 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  2.230.52.152 (04:10:36.517 PDT)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 54552->51413 (04:10:36.517 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (04:11:00.433 PDT)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (04:11:00.433 PDT)
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368961836.517 1368961836.518 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 208.95.173.194, 61.91.88.23, 85.17.143.16, 80.181.131.193, 94.209.46.10, 94.242.221.123 (2), 83.66.40.87, 61.147.76.36, 24.72.25.28, 2.230.52.152, 199.59.243.109 (2)
Resource List:
Observed Start: 05/19/2013 04:10:36.517 PDT
Gen. Time: 05/19/2013 04:14:36.485 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  208.95.173.194 (04:12:50.680 PDT)
    event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 55506->2710 (04:12:50.680 PDT)
  61.91.88.23 (04:11:38.073 PDT)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 55028->16883 (04:11:38.073 PDT)
  85.17.143.16 (04:12:50.667 PDT)
    event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 55504->6969 (04:12:50.667 PDT)
  80.181.131.193 (04:14:36.485 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->32144 (04:14:36.485 PDT)
  94.209.46.10 (04:11:35.134 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->16335 (04:11:35.134 PDT)
  94.242.221.123 (2) (04:11:01.210 PDT)
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 54648->80 (04:11:01.210 PDT)
    -------------------------
    event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/free/scrape?info_hash=%9D%A2%81%13|%FF%B7%1Ar3%0E%B5%F0O%FF%FA%FF] MAC_Src: 00:01:64:FF:CE:EA 54648->80 (04:11:01.210 PDT)
  83.66.40.87 (04:12:35.641 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51243 (04:12:35.641 PDT)
  61.147.76.36 (04:12:43.343 PDT)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 55488->8284 (04:12:43.343 PDT)
  24.72.25.28 (04:13:35.559 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->55096 (04:13:35.559 PDT)
  2.230.52.152 (04:10:36.517 PDT)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 54552->51413 (04:10:36.517 PDT)
  199.59.243.109 (2) (04:12:50.555 PDT)
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, ['%17%17[G%BC%C5:%17%03%01%00 @,e 7%BC %0C?%067y%FF%D6s] MAC_Src: 00:01:64:FF:CE:EA 55501->80 (04:12:50.555 PDT)
    -------------------------
    event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF9%FFW%97%12%FFV%1B%A0%A8%0C%16Q%02%0D%A2] MAC_Src: 00:01:64:FF:CE:EA 55501->80 (04:12:50.555 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (04:11:00.433 PDT)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (04:11:00.433 PDT)
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368961836.517 1368961836.518 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 176.180.198.233, 79.41.234.101, 94.242.221.123 (2), 178.239.54.151, 84.29.114.207, 80.6.5.241, 195.82.146.122
Resource List:
Observed Start: 05/19/2013 06:09:00.946 PDT
Gen. Time: 05/19/2013 06:12:10.475 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  176.180.198.233 (06:12:06.889 PDT)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 58869->6346 (06:12:06.889 PDT)
  79.41.234.101 (06:10:25.224 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51413 (06:10:25.224 PDT)
  94.242.221.123 (2) (06:11:40.732 PDT)
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [/mailman/subscribe/risks?email=J.KRUSENBAUM@GMX.DE&fullname=&pw=123456789&pw-conf=123456789&language=en&digest=0&email-button=S] MAC_Src: 00:01:64:FF:CE:EA 58778->80 (06:11:40.732 PDT)
    -------------------------
    event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/free/scrape?info_hash=%9D%A2%81%13|%FF%B7%1Ar3%0E%B5%F0O%FF%FA%FF] MAC_Src: 00:01:64:FF:CE:EA 58778->80 (06:11:40.732 PDT)
  178.239.54.151 (06:09:00.946 PDT)
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 57670->2710 (06:09:00.946 PDT)
  84.29.114.207 (06:11:25.646 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->36363 (06:11:25.646 PDT)
  80.6.5.241 (06:09:25.052 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->57796 (06:09:25.052 PDT)
  195.82.146.122 (06:11:51.250 PDT)
    event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/ann?uk=jL3CyxuYXA/scrape&info_hash= %FF%92x%FF%1Cw;@%12%FF%F67w%19%9C] MAC_Src: 00:01:64:FF:CE:EA 58826->80 (06:11:51.250 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (06:12:10.475 PDT)
    event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 58870->6099 (06:12:10.475 PDT)
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368968940.946 1368968940.947 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 176.180.198.233, 79.41.234.101, 94.242.221.123 (2), 178.239.54.151, 84.29.114.207, 80.6.5.241, 195.82.146.122, 82.81.205.50
Resource List:
Observed Start: 05/19/2013 06:09:00.946 PDT
Gen. Time: 05/19/2013 06:13:07.891 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  176.180.198.233 (06:12:06.889 PDT)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 58869->6346 (06:12:06.889 PDT)
  79.41.234.101 (06:10:25.224 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51413 (06:10:25.224 PDT)
  94.242.221.123 (2) (06:11:40.732 PDT)
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [/mailman/subscribe/risks?email=J.KRUSENBAUM@GMX.DE&fullname=&pw=123456789&pw-conf=123456789&language=en&digest=0&email-button=S] MAC_Src: 00:01:64:FF:CE:EA 58778->80 (06:11:40.732 PDT)
    -------------------------
    event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/free/scrape?info_hash=%9D%A2%81%13|%FF%B7%1Ar3%0E%B5%F0O%FF%FA%FF] MAC_Src: 00:01:64:FF:CE:EA 58778->80 (06:11:40.732 PDT)
  178.239.54.151 (06:09:00.946 PDT)
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 57670->2710 (06:09:00.946 PDT)
  84.29.114.207 (06:11:25.646 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->36363 (06:11:25.646 PDT)
  80.6.5.241 (06:09:25.052 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->57796 (06:09:25.052 PDT)
  195.82.146.122 (06:11:51.250 PDT)
    event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/ann?uk=jL3CyxuYXA/scrape&info_hash= %FF%92x%FF%1Cw;@%12%FF%F67w%19%9C] MAC_Src: 00:01:64:FF:CE:EA 58826->80 (06:11:51.250 PDT)
  82.81.205.50 (06:12:25.699 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->19761 (06:12:25.699 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (06:12:10.475 PDT)
    event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 58870->6099 (06:12:10.475 PDT)
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368968940.946 1368968940.947 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 2.230.52.152, 187.107.6.249, 61.91.88.99, 79.41.234.101, 94.242.221.123 (2), 95.43.119.26
Resource List:
Observed Start: 05/19/2013 08:10:22.161 PDT
Gen. Time: 05/19/2013 08:12:51.000 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  2.230.52.152 (08:10:35.645 PDT)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 61015->51413 (08:10:35.645 PDT)
  187.107.6.249 (08:10:22.161 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->20655 (08:10:22.161 PDT)
  61.91.88.99 (08:11:48.446 PDT)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 61582->16884 (08:11:48.446 PDT)
  79.41.234.101 (08:12:22.410 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51413 (08:12:22.410 PDT)
  94.242.221.123 (2) (08:12:11.918 PDT)
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 61611->80 (08:12:11.918 PDT)
    -------------------------
    event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/free/scrape?info_hash=%9D%A2%81%13|%FF%B7%1Ar3%0E%B5%F0O%FF%FA%FF] MAC_Src: 00:01:64:FF:CE:EA 61611->80 (08:12:11.918 PDT)
  95.43.119.26 (08:11:22.859 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->60042 (08:11:22.859 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (08:12:51.000 PDT)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (08:12:51.000 PDT)
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368976222.161 1368976222.162 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 166.78.158.73 (3), 187.107.6.249, 95.241.115.131, 61.91.88.99, 85.17.143.16 (2), 95.43.119.26, 94.242.221.123 (2), 2.230.52.152, 79.41.234.101
Resource List:
Observed Start: 05/19/2013 08:10:22.161 PDT
Gen. Time: 05/19/2013 08:14:16.345 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  166.78.158.73 (3) (08:13:41.335 PDT)
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [0519151310%0A] MAC_Src: 00:01:64:FF:CE:EA 62397->80 (08:13:41.335 PDT)
    -------------------------
    event=1:2011699 (2) {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF~%FFn-%05z3PC/%B8%BBV%FF%07%A5] MAC_Src: 00:01:64:FF:CE:EA 62397->80 (08:13:41.335 PDT) 62400->80 (08:13:41.615 PDT)
  187.107.6.249 (08:10:22.161 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->20655 (08:10:22.161 PDT)
  95.241.115.131 (08:13:22.707 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->13035 (08:13:22.707 PDT)
  61.91.88.99 (08:11:48.446 PDT)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 61582->16884 (08:11:48.446 PDT)
  85.17.143.16 (2) (08:13:45.483 PDT)
    event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 62510->6969 (08:14:01.827 PDT)
    -------------------------
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 62432->6969 (08:13:45.483 PDT)
  95.43.119.26 (08:11:22.859 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->60042 (08:11:22.859 PDT)
  94.242.221.123 (2) (08:12:11.918 PDT)
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 61611->80 (08:12:11.918 PDT)
    -------------------------
    event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/free/scrape?info_hash=%9D%A2%81%13|%FF%B7%1Ar3%0E%B5%F0O%FF%FA%FF] MAC_Src: 00:01:64:FF:CE:EA 61611->80 (08:12:11.918 PDT)
  2.230.52.152 (08:10:35.645 PDT)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 61015->51413 (08:10:35.645 PDT)
  79.41.234.101 (08:12:22.410 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51413 (08:12:22.410 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (08:12:51.000 PDT)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (08:12:51.000 PDT)
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368976222.161 1368976222.162 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 178.239.54.160, 200.117.237.22, 166.78.158.73 (2), 94.242.221.123, 46.120.83.95, 83.77.205.156, 195.82.146.122, 199.59.243.109 (2)
Resource List:
Observed Start: 05/19/2013 10:11:58.739 PDT
Gen. Time: 05/19/2013 10:14:21.199 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  178.239.54.160 (10:14:00.724 PDT)
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 51493->3310 (10:14:00.724 PDT)
  200.117.237.22 (10:11:58.739 PDT)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 50649->16883 (10:11:58.739 PDT)
  166.78.158.73 (2) (10:14:10.959 PDT)
    event=1:2011699 (2) {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF~%FFn-%05z3PC/%B8%BBV%FF%07%A5] MAC_Src: 00:01:64:FF:CE:EA 51512->80 (10:14:10.959 PDT) 51516->80 (10:14:11.144 PDT)
  94.242.221.123 (10:12:50.853 PDT)
    event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/free/scrape?info_hash=%9D%A2%81%13|%FF%B7%1Ar3%0E%B5%F0O%FF%FA%FF] MAC_Src: 00:01:64:FF:CE:EA 51051->80 (10:12:50.853 PDT)
  46.120.83.95 (10:13:37.682 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->49364 (10:13:37.682 PDT)
  83.77.205.156 (10:12:37.858 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6881 (10:12:37.858 PDT)
  195.82.146.122 (10:13:31.335 PDT)
    event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/ann?uk=jL3CyxuYXA/scrape&info_hash= %FF%92x%FF%1Cw;@%12%FF%F67w%19%9C] MAC_Src: 00:01:64:FF:CE:EA 51318->80 (10:13:31.335 PDT)
  199.59.243.109 (2) (10:12:01.265 PDT)
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [%04]%8Fi%0F!O%19/%97%09P%EBU%9A%06%09q%EB5%EB`X&et%A3%FE%B7%8D%1F%11S%FER%E5%EE%B8%FB%A6%FEC%94] MAC_Src: 00:01:64:FF:CE:EA 50658->80 (10:12:01.265 PDT)
    -------------------------
    event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF9%FFW%97%12%FFV%1B%A0%A8%0C%16Q%02%0D%A2] MAC_Src: 00:01:64:FF:CE:EA 50658->80 (10:12:01.265 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (10:14:21.199 PDT)
    event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51551->6099 (10:14:21.199 PDT)
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368983518.739 1368983518.740 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 195.82.146.122, 166.78.158.73 (2), 200.117.237.22, 83.77.205.156, 46.120.83.95, 85.17.143.16, 78.97.32.44, 94.242.221.123, 178.239.54.160, 188.76.179.14, 85.74.190.41, 178.48.66.46, 199.59.243.109 (2)
Resource List:
Observed Start: 05/19/2013 10:11:58.739 PDT
Gen. Time: 05/19/2013 10:16:38.020 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  195.82.146.122 (10:13:31.335 PDT)
    event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/ann?uk=jL3CyxuYXA/scrape&info_hash= %FF%92x%FF%1Cw;@%12%FF%F67w%19%9C] MAC_Src: 00:01:64:FF:CE:EA 51318->80 (10:13:31.335 PDT)
  166.78.158.73 (2) (10:14:10.959 PDT)
    event=1:2011699 (2) {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF~%FFn-%05z3PC/%B8%BBV%FF%07%A5] MAC_Src: 00:01:64:FF:CE:EA 51512->80 (10:14:10.959 PDT) 51516->80 (10:14:11.144 PDT)
  200.117.237.22 (10:11:58.739 PDT)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 50649->16883 (10:11:58.739 PDT)
  83.77.205.156 (10:12:37.858 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6881 (10:12:37.858 PDT)
  46.120.83.95 (10:13:37.682 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->49364 (10:13:37.682 PDT)
  85.17.143.16 (10:14:41.379 PDT)
    event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 51791->6969 (10:14:41.379 PDT)
  78.97.32.44 (10:16:38.020 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->63139 (10:16:38.020 PDT)
  94.242.221.123 (10:12:50.853 PDT)
    event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/free/scrape?info_hash=%9D%A2%81%13|%FF%B7%1Ar3%0E%B5%F0O%FF%FA%FF] MAC_Src: 00:01:64:FF:CE:EA 51051->80 (10:12:50.853 PDT)
  178.239.54.160 (10:14:00.724 PDT)
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 51493->3310 (10:14:00.724 PDT)
  188.76.179.14 (10:15:38.059 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->42639 (10:15:38.059 PDT)
  85.74.190.41 (10:14:37.053 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->58992 (10:14:37.053 PDT)
  178.48.66.46 (10:14:23.752 PDT)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 51570->6890 (10:14:23.752 PDT)
  199.59.243.109 (2) (10:12:01.265 PDT)
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [%04]%8Fi%0F!O%19/%97%09P%EBU%9A%06%09q%EB5%EB`X&et%A3%FE%B7%8D%1F%11S%FER%E5%EE%B8%FB%A6%FEC%94] MAC_Src: 00:01:64:FF:CE:EA 50658->80 (10:12:01.265 PDT)
    -------------------------
    event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF9%FFW%97%12%FFV%1B%A0%A8%0C%16Q%02%0D%A2] MAC_Src: 00:01:64:FF:CE:EA 50658->80 (10:12:01.265 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (10:14:21.199 PDT)
    event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51551->6099 (10:14:21.199 PDT)
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368983518.739 1368983518.740 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 119.46.206.22, 187.2.132.138, 119.46.206.44, 94.242.221.123, 2.184.250.54, 199.59.243.109, 80.47.123.108 (2), 82.81.205.50
Resource List:
Observed Start: 05/19/2013 12:11:54.474 PDT
Gen. Time: 05/19/2013 12:14:30.783 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  119.46.206.22 (12:13:36.557 PDT)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 56842->16882 (12:13:36.557 PDT)
  187.2.132.138 (12:12:55.791 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->38537 (12:12:55.791 PDT)
  119.46.206.44 (12:11:58.028 PDT)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 55976->16883 (12:11:58.028 PDT)
  94.242.221.123 (12:13:21.008 PDT)
    event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/free/scrape?info_hash=%9D%A2%81%13|%FF%B7%1Ar3%0E%B5%F0O%FF%FA%FF] MAC_Src: 00:01:64:FF:CE:EA 56554->80 (12:13:21.008 PDT)
  2.184.250.54 (12:14:00.618 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->29273 (12:14:00.618 PDT)
  199.59.243.109 (12:12:31.335 PDT)
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 56188->80 (12:12:31.335 PDT)
  80.47.123.108 (2) (12:11:54.474 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->36853 (12:11:54.474 PDT)
    -------------------------
    event=1:2008581 {udp} E7[info] ET P2P BitTorrent DHT ping request, [] MAC_Src: 00:01:64:FF:CE:EA 51413->36853 (12:11:54.474 PDT)
  82.81.205.50 (12:11:57.694 PDT)
    event=1:2008583 {udp} E7[info] ET P2P BitTorrent DHT nodes reply, [] MAC_Src: 00:01:64:FF:CE:EA 51413->19761 (12:11:57.694 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (12:14:30.783 PDT)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (12:14:30.783 PDT)
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368990714.474 1368990714.475 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 2.184.250.54, 188.55.145.226, 82.81.205.50, 119.46.206.22, 119.46.206.44, 187.2.132.138, 94.242.221.123, 178.239.54.160, 80.47.123.108 (2), 199.59.243.109
Resource List:
Observed Start: 05/19/2013 12:11:54.474 PDT
Gen. Time: 05/19/2013 12:15:00.829 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  2.184.250.54 (12:14:00.618 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->29273 (12:14:00.618 PDT)
  188.55.145.226 (12:15:00.829 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->33208 (12:15:00.829 PDT)
  82.81.205.50 (12:11:57.694 PDT)
    event=1:2008583 {udp} E7[info] ET P2P BitTorrent DHT nodes reply, [] MAC_Src: 00:01:64:FF:CE:EA 51413->19761 (12:11:57.694 PDT)
  119.46.206.22 (12:13:36.557 PDT)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 56842->16882 (12:13:36.557 PDT)
  119.46.206.44 (12:11:58.028 PDT)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 55976->16883 (12:11:58.028 PDT)
  187.2.132.138 (12:12:55.791 PDT)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->38537 (12:12:55.791 PDT)
  94.242.221.123 (12:13:21.008 PDT)
    event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/free/scrape?info_hash=%9D%A2%81%13|%FF%B7%1Ar3%0E%B5%F0O%FF%FA%FF] MAC_Src: 00:01:64:FF:CE:EA 56554->80 (12:13:21.008 PDT)
  178.239.54.160
(12:14:31.195 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 57268->3310 (12:14:31.195 PDT) 80.47.123.108 (2) (12:11:54.474 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->36853 (12:11:54.474 PDT) ------------------------- event=1:2008581 {udp} E7[info] ET P2P BitTorrent DHT ping request, [] MAC_Src: 00:01:64:FF:CE:EA 51413->36853 (12:11:54.474 PDT) 199.59.243.109 (12:12:31.335 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 56188->80 (12:12:31.335 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (12:14:30.783 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (12:14:30.783 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368990714.474 1368990714.475 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 195.82.146.122, 166.78.158.73 (3), 91.75.132.214, 208.95.173.194, 86.165.163.183, 85.17.143.16, 94.242.221.123, 89.74.154.253, 199.59.243.109 Resource List: Observed Start: 05/19/2013 14:13:10.815 PDT Gen. 
Time: 05/19/2013 14:16:20.812 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 195.82.146.122 (14:15:40.604 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/ann?uk=jL3CyxuYXA/scrape&info_hash= %FF%92x%FF%1Cw;@%12%FF%F67w%19%9C] MAC_Src: 00:01:64:FF:CE:EA 51301->80 (14:15:40.604 PDT) 166.78.158.73 (3) (14:14:41.738 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [/wp-content/uploads/2011/09/Energy_Roadmap.pdf] MAC_Src: 00:01:64:FF:CE:EA 50952->80 (14:14:41.738 PDT) ------------------------- event=1:2011699 (2) {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF~%FFn-%05z3PC/%B8%BBV%FF%07%A5] MAC_Src: 00:01:64:FF:CE:EA 50952->80 (14:14:41.738 PDT) 50962->80 (14:14:45.982 PDT) 91.75.132.214 (14:14:38.017 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->64422 (14:14:38.017 PDT) 208.95.173.194 (14:13:41.056 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 50408->2711 (14:13:41.056 PDT) 86.165.163.183 (14:13:38.140 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->28441 (14:13:38.140 PDT) 85.17.143.16 (14:15:40.565 PDT) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 51303->6969 (14:15:40.565 PDT) 94.242.221.123 (14:14:00.405 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/free/scrape?info_hash=%9D%A2%81%13|%FF%B7%1Ar3%0E%B5%F0O%FF%FA%FF] MAC_Src: 00:01:64:FF:CE:EA 50563->80 (14:14:00.405 PDT) 89.74.154.253 (14:15:38.055 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->29688 (14:15:38.055 PDT) 199.59.243.109 
(14:13:10.815 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF9%FFW%97%12%FFV%1B%A0%A8%0C%16Q%02%0D%A2] MAC_Src: 00:01:64:FF:CE:EA 50082->80 (14:13:10.815 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (14:16:20.812 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51595->6099 (14:16:20.812 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368997990.815 1368997990.816 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 195.82.146.122, 166.78.158.73 (3), 91.75.132.214, 208.95.173.194, 86.165.163.183, 85.17.143.16, 84.29.162.95, 181.132.137.71, 94.242.221.123, 89.74.154.253, 199.59.243.109 Resource List: Observed Start: 05/19/2013 14:13:10.815 PDT Gen. 
Time: 05/19/2013 14:17:38.881 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 195.82.146.122 (14:15:40.604 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/ann?uk=jL3CyxuYXA/scrape&info_hash= %FF%92x%FF%1Cw;@%12%FF%F67w%19%9C] MAC_Src: 00:01:64:FF:CE:EA 51301->80 (14:15:40.604 PDT) 166.78.158.73 (3) (14:14:41.738 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [/wp-content/uploads/2011/09/Energy_Roadmap.pdf] MAC_Src: 00:01:64:FF:CE:EA 50952->80 (14:14:41.738 PDT) ------------------------- event=1:2011699 (2) {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF~%FFn-%05z3PC/%B8%BBV%FF%07%A5] MAC_Src: 00:01:64:FF:CE:EA 50952->80 (14:14:41.738 PDT) 50962->80 (14:14:45.982 PDT) 91.75.132.214 (14:14:38.017 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->64422 (14:14:38.017 PDT) 208.95.173.194 (14:13:41.056 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 50408->2711 (14:13:41.056 PDT) 86.165.163.183 (14:13:38.140 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->28441 (14:13:38.140 PDT) 85.17.143.16 (14:15:40.565 PDT) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 51303->6969 (14:15:40.565 PDT) 84.29.162.95 (14:16:38.137 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->36139 (14:16:38.137 PDT) 181.132.137.71 (14:17:38.881 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->38240 (14:17:38.881 PDT) 94.242.221.123 (14:14:00.405 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), 
[/free/scrape?info_hash=%9D%A2%81%13|%FF%B7%1Ar3%0E%B5%F0O%FF%FA%FF] MAC_Src: 00:01:64:FF:CE:EA 50563->80 (14:14:00.405 PDT) 89.74.154.253 (14:15:38.055 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->29688 (14:15:38.055 PDT) 199.59.243.109 (14:13:10.815 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF9%FFW%97%12%FFV%1B%A0%A8%0C%16Q%02%0D%A2] MAC_Src: 00:01:64:FF:CE:EA 50082->80 (14:13:10.815 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (14:16:20.812 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51595->6099 (14:16:20.812 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368997990.815 1368997990.816 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 85.29.127.53, 77.96.180.177 (2), 85.17.143.16, 166.78.158.73 (3), 77.229.221.106 Resource List: Observed Start: 05/19/2013 16:15:11.044 PDT Gen. 
Time: 05/19/2013 16:17:20.909 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 85.29.127.53 (16:16:44.496 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->57728 (16:16:44.496 PDT) 77.96.180.177 (2) (16:15:28.807 PDT) event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 57264->6890 (16:15:28.807 PDT) 57917->6890 (16:16:31.830 PDT) 85.17.143.16 (16:16:10.919 PDT) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 57709->6969 (16:16:10.919 PDT) 166.78.158.73 (3) (16:15:11.044 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 57163->80 (16:15:11.044 PDT) ------------------------- event=1:2011699 (2) {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF~%FFn-%05z3PC/%B8%BBV%FF%07%A5] MAC_Src: 00:01:64:FF:CE:EA 57163->80 (16:15:11.044 PDT) 57170->80 (16:15:11.283 PDT) 77.229.221.106 (16:15:42.149 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->17309 (16:15:42.149 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (16:17:20.909 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (16:17:20.909 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369005311.044 1369005311.045 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. 
List: 195.82.146.122 Resource List: Observed Start: 05/19/2013 18:18:31.836 PDT Gen. Time: 05/19/2013 18:19:21.171 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 195.82.146.122 (18:18:31.836 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/ann?uk=jL3CyxuYXA/scrape&info_hash= %FF%92x%FF%1Cw;@%12%FF%F67w%19%9C] MAC_Src: 00:01:64:FF:CE:EA 62075->80 (18:18:31.836 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (18:19:21.171 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 62398->6099 (18:19:21.171 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369012711.836 1369012711.837 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 78.21.46.121, 189.231.38.77, 109.201.148.249, 176.180.198.233, 69.35.66.145, 195.82.146.122 Resource List: Observed Start: 05/19/2013 18:18:31.836 PDT Gen. 
Time: 05/19/2013 18:21:29.845 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 78.21.46.121 (18:19:27.197 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->12438 (18:19:27.197 PDT) 189.231.38.77 (18:20:29.213 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->38119 (18:20:29.213 PDT) 109.201.148.249 (18:19:51.436 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 62736->2710 (18:19:51.436 PDT) 176.180.198.233 (18:20:50.716 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 63137->6346 (18:20:50.716 PDT) 69.35.66.145 (18:19:50.701 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 62732->60254 (18:19:50.701 PDT) 195.82.146.122 (18:18:31.836 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/ann?uk=jL3CyxuYXA/scrape&info_hash= %FF%92x%FF%1Cw;@%12%FF%F67w%19%9C] MAC_Src: 00:01:64:FF:CE:EA 62075->80 (18:18:31.836 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (18:19:21.171 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 62398->6099 (18:19:21.171 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369012711.836 1369012711.837 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. 
List: 78.21.46.121, 109.201.148.249, 124.8.223.156, 85.17.143.16, 186.86.1.198 Resource List: Observed Start: 05/19/2013 20:18:09.641 PDT Gen. Time: 05/19/2013 20:20:20.098 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 78.21.46.121 (20:19:22.660 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->12438 (20:19:22.660 PDT) 109.201.148.249 (20:20:10.588 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 60250->2710 (20:20:10.588 PDT) 124.8.223.156 (20:18:09.641 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 59416->16881 (20:18:09.641 PDT) 85.17.143.16 (20:19:39.664 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 60156->6969 (20:19:39.664 PDT) 186.86.1.198 (20:18:22.175 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->45682 (20:18:22.175 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (20:20:20.098 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (20:20:20.098 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369019889.641 1369019889.642 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 78.21.46.121, 109.201.148.249, 124.8.223.156, 177.206.254.98, 85.17.143.16, 186.86.1.198 Resource List: Observed Start: 05/19/2013 20:18:09.641 PDT Gen. 
Time: 05/19/2013 20:20:35.582 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 78.21.46.121 (20:19:22.660 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->12438 (20:19:22.660 PDT) 109.201.148.249 (20:20:10.588 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 60250->2710 (20:20:10.588 PDT) 124.8.223.156 (20:18:09.641 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 59416->16881 (20:18:09.641 PDT) 177.206.254.98 (20:20:24.105 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->46838 (20:20:24.105 PDT) 85.17.143.16 (20:19:39.664 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 60156->6969 (20:19:39.664 PDT) 186.86.1.198 (20:18:22.175 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->45682 (20:18:22.175 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (20:20:20.098 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (20:20:20.098 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369019889.641 1369019889.642 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 181.50.59.78, 61.91.88.102, 195.82.146.122, 208.83.20.164 Resource List: Observed Start: 05/19/2013 22:20:30.993 PDT Gen. 
Time: 05/19/2013 22:22:00.651 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 181.50.59.78 (22:21:23.862 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->62780 (22:21:23.862 PDT) 61.91.88.102 (22:20:34.063 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 54764->16881 (22:20:34.063 PDT) 195.82.146.122 (22:20:51.411 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/ann?uk=jL3CyxuYXA/scrape&info_hash= %FF%92x%FF%1Cw;@%12%FF%F67w%19%9C] MAC_Src: 00:01:64:FF:CE:EA 54849->80 (22:20:51.411 PDT) 208.83.20.164 (22:20:30.993 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FFb]U~@%FF%BDY7%FF%ACW%FFO%A8] MAC_Src: 00:01:64:FF:CE:EA 54751->80 (22:20:30.993 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (22:22:00.651 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 55181->6099 (22:22:00.651 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369027230.993 1369027230.994 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 195.82.146.122, 208.83.20.164, 91.218.38.132 (2), 174.93.144.91, 108.249.213.98, 181.50.59.78, 180.182.148.172, 96.52.247.193, 61.91.88.102 Resource List: Observed Start: 05/19/2013 22:20:30.993 PDT Gen. 
Time: 05/19/2013 22:24:24.197 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 195.82.146.122 (22:20:51.411 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/ann?uk=jL3CyxuYXA/scrape&info_hash= %FF%92x%FF%1Cw;@%12%FF%F67w%19%9C] MAC_Src: 00:01:64:FF:CE:EA 54849->80 (22:20:51.411 PDT) 208.83.20.164 (22:20:30.993 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FFb]U~@%FF%BDY7%FF%ACW%FFO%A8] MAC_Src: 00:01:64:FF:CE:EA 54751->80 (22:20:30.993 PDT) 91.218.38.132 (2) (22:22:51.137 PDT) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 55462->2710 (22:22:51.137 PDT) ------------------------- event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 55462->2710 (22:22:51.137 PDT) 174.93.144.91 (22:24:24.197 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->10101 (22:24:24.197 PDT) 108.249.213.98 (22:22:24.816 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->22697 (22:22:24.816 PDT) 181.50.59.78 (22:21:23.862 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->62780 (22:21:23.862 PDT) 180.182.148.172 (22:23:46.615 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 55730->51413 (22:23:46.615 PDT) 96.52.247.193 (22:23:24.188 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->15937 (22:23:24.188 PDT) 61.91.88.102 (22:20:34.063 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 54764->16881 (22:20:34.063 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE 
BOT Non-standard Port 69.43.161.167 (22:22:00.651 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 55181->6099 (22:22:00.651 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369027230.993 1369027230.994 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================
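Every profile above declares 192.168.1.36 a bot at score 0.8 on two kinds of evidence. The PEER COORDINATION section holds only E7[info] alerts, and every one of them is a BitTorrent signature: Transmission/1.x tracker scrapes and announces on port 80, ".torrent metafile" and tracker requests, peer handshakes, and DHT pings sent from local UDP port 51413 (the default peer port of the Transmission client the user-agent rule names). The only non-informational alert in each profile is a single E8[unk] hit on the ET ShadowServer "confirmed botnet control server on non-standard port" rule (sid 9930009 over TCP, 9930020 over UDP) for 69.43.161.167:6099, and that hit is what fills the DECLARE BOT Non-standard Port section. Two things an analyst wants to see before acting on such a profile are exactly which alert carries the verdict and a capture that covers the whole window; note that the epoch in each appended tcpslice line is the Observed Start timestamp and the window is one millisecond wide, so as printed it extracts only the first packet(s), not the interval up to Gen. Time. The parser below is an added example and not BotHunter code: it splits a dump on the SEPARATOR lines, attributes each alert to the remote-host header that precedes it, recomputes the tcpslice epoch (assuming PDT = UTC-7, which holds for these May 2013 dates) with an option to extend the slice to Gen. Time, and summarises what the verdict rests on. The function names and the dictionary layout are this example's own; the sample text is an excerpt of the 12:11:54.474 PDT profile above, flattened the way the page is.

```python
"""Parse BotHunter infection-profile dumps and separate the informational
P2P evidence from the alert that actually drives DECLARE BOT.
Added example; not BotHunter's own code."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: an excerpt of the 12:11:54.474 PDT profile for
# 192.168.1.36 on this page, whitespace-flattened and trimmed to the fields read here.
SAMPLE = (
    "Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: "
    "Egg Source List: C & C List: Peer Coord. List: 80.47.123.108 (2), 82.81.205.50 "
    "Resource List: Observed Start: 05/19/2013 12:11:54.474 PDT "
    "Gen. Time: 05/19/2013 12:14:30.783 PDT PEER COORDINATION Info "
    "80.47.123.108 (2) (12:11:54.474 PDT) event=1:1100013 {udp} E7[info] "
    "P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->36853 (12:11:54.474 PDT) "
    "------------------------- event=1:2008581 {udp} E7[info] ET P2P BitTorrent DHT ping "
    "request, [] MAC_Src: 00:01:64:FF:CE:EA 51413->36853 (12:11:54.474 PDT) "
    "82.81.205.50 (12:11:57.694 PDT) event=1:2008583 {udp} E7[info] ET P2P BitTorrent DHT "
    "nodes reply, [] MAC_Src: 00:01:64:FF:CE:EA 51413->19761 (12:11:57.694 PDT) "
    "PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port "
    "69.43.161.167 (12:14:30.783 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer "
    "confirmed botnet control server on non-standard port, [] "
    "MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (12:14:30.783 PDT)"
)

PDT = timezone(timedelta(hours=-7))   # assumption: profile times are PDT = UTC-7
SEP_RE = re.compile(r"=+ SEPARATOR =+")
# remote-host header: "ip [(count)] (hh:mm:ss.mmm PDT)"
HOST_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})(?: \(\d+\))? \((\d\d:\d\d:\d\d\.\d{3}) PDT\)")
# one alert: event=gid:sid [(count)] {proto} E<n>[tag] msg, [payload] MAC_Src: mac sport->dport (time PDT)
EVENT_RE = re.compile(
    r"event=(\d+):(\d+)(?: \(\d+\))? \{(\w+)\} (E\d)\[(\w+)\] (.*?), \[(.*?)\] "
    r"MAC_Src: (\S+) (\d+)->(\d+) \((\d\d:\d\d:\d\d\.\d{3}) PDT\)"
)
BT_RE = re.compile(r"bittorrent|torrent|\bDHT\b", re.I)


def split_profiles(text):
    """A dump holds many profiles separated by '=== SEPARATOR ===' lines."""
    return [p for p in SEP_RE.split(text) if p.strip()]


def parse_profile(text):
    """Header fields plus every alert, each attributed to the remote host whose
    'ip (time PDT)' header precedes it. An aggregated alert ('(2)' after the sid)
    keeps only its first port tuple."""
    flat = " ".join(text.split())          # accepts line-structured or flattened text

    def field(pattern):
        m = re.search(pattern, flat)
        return m.group(1) if m else None

    hosts = list(HOST_RE.finditer(flat))
    events = []
    for ev in EVENT_RE.finditer(flat):
        owner = next((h for h in reversed(hosts) if h.start() < ev.start()), None)
        gid, sid, proto, evidence, tag, msg, payload, mac, sport, dport, when = ev.groups()
        events.append({
            "dst_ip": owner.group(1) if owner else None, "sid": int(sid),
            "proto": proto, "evidence": evidence, "tag": tag, "msg": msg,
            "payload": payload, "src_port": int(sport), "dst_port": int(dport),
            "time": when,
        })
    return {
        "score": float(field(r"Score: ([\d.]+)")),
        "target": field(r"Infected Target: (\S+)"),
        "observed_start": field(r"Observed Start: (\S+ \S+) PDT"),
        "gen_time": field(r"Gen\. Time: (\S+ \S+) PDT"),
        "events": events,
    }


def pdt_to_ms(stamp):
    """'05/19/2013 12:11:54.474' -> epoch milliseconds (integer, so no float drift)."""
    dt = datetime.strptime(stamp, "%m/%d/%Y %H:%M:%S.%f").replace(tzinfo=PDT)
    return int(round(dt.timestamp() * 1000))


def _fmt_ms(ms):
    return f"{ms // 1000}.{ms % 1000:03d}"


def tcpslice_command(profile, whole_window=False):
    """BotHunter's printed command slices one millisecond starting at Observed
    Start, i.e. only the first packet(s); whole_window=True runs the slice out to
    Gen. Time so the capture holds every alert listed in the profile."""
    start = pdt_to_ms(profile["observed_start"])
    end = pdt_to_ms(profile["gen_time"]) + 1 if whole_window else start + 1
    return (f"tcpslice {_fmt_ms(start)} {_fmt_ms(end)} inputFile.tcpd | "
            f"tcpdump -r - -w outputFile.tcpd 'host {profile['target']}'")


def triage(profile):
    """What does DECLARE BOT rest on? E7 alerts are informational P2P signatures;
    anything else (E8 in these profiles) is the evidence that declares the bot."""
    e7 = [e for e in profile["events"] if e["evidence"] == "E7"]
    rest = [e for e in profile["events"] if e["evidence"] != "E7"]
    return {
        "score": profile["score"],
        "p2p_info_alerts": len(e7),
        "all_p2p_is_bittorrent": all(BT_RE.search(e["msg"]) for e in e7),
        "local_udp_ports": sorted({e["src_port"] for e in e7 if e["proto"] == "udp"}),
        "bot_declarations": sorted({(e["dst_ip"], e["dst_port"], e["sid"]) for e in rest}),
        "single_reputation_hit": len(rest) == 1 and "ShadowServer" in rest[0]["msg"],
    }


if __name__ == "__main__":
    for prof in map(parse_profile, split_profiles(SAMPLE)):
        print(triage(prof))
        print(tcpslice_command(prof, whole_window=True))
```

Run against the sample, `triage` reports three E7 BitTorrent alerts, all sent from local UDP port 51413, and exactly one bot declaration, ("69.43.161.167", 6099, 9930020); `tcpslice_command` reproduces the page's 1368990714.474 / 1368990714.475 line and, with `whole_window=True`, extends the end to 1368990870.784 so the slice spans Observed Start through Gen. Time. Pointing `split_profiles` at the full dump gives the same summary for every profile on this page.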