Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 109.201.148.249, 195.66.171.240, 110.136.220.235, 119.46.206.42, 24.41.136.201, 80.6.5.241, 37.153.12.154 (2), 208.83.20.164 Resource List: Observed Start: 05/20/2013 00:19:58.481 PDT Gen. Time: 05/20/2013 00:22:30.922 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 109.201.148.249 (00:20:41.308 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 55600->2710 (00:20:41.308 PDT) 195.66.171.240 (00:21:31.507 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 55848->16882 (00:21:31.507 PDT) 110.136.220.235 (00:20:18.481 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->45682 (00:20:18.481 PDT) 119.46.206.42 (00:19:58.481 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 55388->16882 (00:19:58.481 PDT) 24.41.136.201 (00:21:20.006 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->26839 (00:21:20.006 PDT) 80.6.5.241 (00:22:20.263 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->57796 (00:22:20.263 PDT) 37.153.12.154 (2) (00:20:12.486 PDT) event=1:2102181 (2) {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:01:64:FF:CE:EA 55408->6881 (00:20:12.486 PDT) 55454->6881 (00:20:22.254 PDT) 208.83.20.164 (00:21:10.762 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FFb]U~@%FF%BDY7%FF%ACW%FFO%A8] MAC_Src: 00:01:64:FF:CE:EA 55679->80 (00:21:10.762 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (00:22:30.922 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (00:22:30.922 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369034398.481 1369034398.482 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 80.47.193.66, 208.83.20.164, 24.41.136.201, 110.136.220.235, 109.201.148.249, 37.153.12.154 (2), 195.66.171.240, 177.32.99.161, 80.6.5.241, 119.46.206.42 Resource List: Observed Start: 05/20/2013 00:19:58.481 PDT Gen. Time: 05/20/2013 00:24:20.705 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 80.47.193.66 (00:23:20.431 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->60228 (00:23:20.431 PDT) 208.83.20.164 (00:21:10.762 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FFb]U~@%FF%BDY7%FF%ACW%FFO%A8] MAC_Src: 00:01:64:FF:CE:EA 55679->80 (00:21:10.762 PDT) 24.41.136.201 (00:21:20.006 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->26839 (00:21:20.006 PDT) 110.136.220.235 (00:20:18.481 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->45682 (00:20:18.481 PDT) 109.201.148.249 (00:20:41.308 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 55600->2710 (00:20:41.308 PDT) 37.153.12.154 (2) (00:20:12.486 PDT) event=1:2102181 (2) {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:01:64:FF:CE:EA 55408->6881 (00:20:12.486 PDT) 55454->6881 (00:20:22.254 PDT) 195.66.171.240 (00:21:31.507 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 55848->16882 (00:21:31.507 PDT) 177.32.99.161 (00:24:20.705 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->10506 (00:24:20.705 PDT) 80.6.5.241 (00:22:20.263 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->57796 (00:22:20.263 PDT) 119.46.206.42 (00:19:58.481 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 55388->16882 (00:19:58.481 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (00:22:30.922 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (00:22:30.922 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369034398.481 1369034398.482 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 85.29.127.53, 112.198.213.96, 109.201.148.249, 115.124.206.216, 177.207.113.39, 195.82.146.122, 208.83.20.164 Resource List: Observed Start: 05/20/2013 02:20:04.946 PDT Gen. Time: 05/20/2013 02:24:11.392 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 85.29.127.53 (02:22:12.296 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->57728 (02:22:12.296 PDT) 112.198.213.96 (02:21:07.627 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->22865 (02:21:07.627 PDT) 109.201.148.249 (02:21:01.335 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 56235->2710 (02:21:01.335 PDT) 115.124.206.216 (02:20:04.946 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51850 (02:20:04.946 PDT) 177.207.113.39 (02:23:15.616 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->17491 (02:23:15.616 PDT) 195.82.146.122 (02:22:51.185 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/ann?uk=jL3CyxuYXA/scrape&info_hash= %FF%92x%FF%1Cw;@%12%FF%F67w%19%9C] MAC_Src: 00:01:64:FF:CE:EA 56777->80 (02:22:51.185 PDT) 208.83.20.164 (02:21:30.860 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FFb]U~@%FF%BDY7%FF%ACW%FFO%A8] MAC_Src: 00:01:64:FF:CE:EA 56391->80 (02:21:30.860 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (02:24:11.392 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 57096->6099 (02:24:11.392 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369041604.946 1369041604.947 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 41.233.106.210, 91.218.38.132 (2), 86.165.163.183 Resource List: Observed Start: 05/20/2013 04:22:34.482 PDT Gen. Time: 05/20/2013 04:24:30.029 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 41.233.106.210 (04:23:26.420 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->29733 (04:23:26.420 PDT) 91.218.38.132 (2) (04:22:34.482 PDT) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 63467->2710 (04:22:34.482 PDT) ------------------------- event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 63467->2710 (04:22:34.482 PDT) 86.165.163.183 (04:24:26.012 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->28441 (04:24:26.012 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (04:24:30.029 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (04:24:30.029 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369048954.482 1369048954.483 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 41.233.106.210, 137.147.156.13, 91.218.38.132 (2), 181.47.89.155, 86.165.163.183 Resource List: Observed Start: 05/20/2013 04:22:34.482 PDT Gen. Time: 05/20/2013 04:26:26.179 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 41.233.106.210 (04:23:26.420 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->29733 (04:23:26.420 PDT) 137.147.156.13 (04:25:26.002 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->12298 (04:25:26.002 PDT) 91.218.38.132 (2) (04:22:34.482 PDT) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 63467->2710 (04:22:34.482 PDT) ------------------------- event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 63467->2710 (04:22:34.482 PDT) 181.47.89.155 (04:26:26.179 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->64476 (04:26:26.179 PDT) 86.165.163.183 (04:24:26.012 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->28441 (04:24:26.012 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (04:24:30.029 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (04:24:30.029 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369048954.482 1369048954.483 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 61.91.88.66, 79.41.234.101, 37.153.12.154, 58.169.106.26, 195.82.146.122, 121.14.98.151, 85.73.155.153, 208.83.20.164 Resource List: Observed Start: 05/20/2013 06:22:31.122 PDT Gen. Time: 05/20/2013 06:26:21.005 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 61.91.88.66 (06:23:40.418 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 55592->16882 (06:23:40.418 PDT) 79.41.234.101 (06:24:25.976 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51413 (06:24:25.976 PDT) 37.153.12.154 (06:22:35.401 PDT) event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:01:64:FF:CE:EA 55134->6881 (06:22:35.401 PDT) 58.169.106.26 (06:25:25.266 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->29285 (06:25:25.266 PDT) 195.82.146.122 (06:24:40.787 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/ann?uk=jL3CyxuYXA/scrape&info_hash= %FF%92x%FF%1Cw;@%12%FF%F67w%19%9C] MAC_Src: 00:01:64:FF:CE:EA 55995->80 (06:24:40.787 PDT) 121.14.98.151 (06:24:30.396 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 55858->9090 (06:24:30.396 PDT) 85.73.155.153 (06:23:24.743 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->53429 (06:23:24.743 PDT) 208.83.20.164 (06:22:31.122 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FFb]U~@%FF%BDY7%FF%ACW%FFO%A8] MAC_Src: 00:01:64:FF:CE:EA 55108->80 (06:22:31.122 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (06:26:21.005 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 56563->6099 (06:26:21.005 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369056151.122 1369056151.123 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 195.82.146.122, 121.14.98.151, 208.83.20.164, 85.73.155.153, 58.169.106.26, 37.153.12.154, 217.39.102.216, 61.91.88.66, 79.41.234.101 Resource List: Observed Start: 05/20/2013 06:22:31.122 PDT Gen. Time: 05/20/2013 06:26:25.034 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 195.82.146.122 (06:24:40.787 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/ann?uk=jL3CyxuYXA/scrape&info_hash= %FF%92x%FF%1Cw;@%12%FF%F67w%19%9C] MAC_Src: 00:01:64:FF:CE:EA 55995->80 (06:24:40.787 PDT) 121.14.98.151 (06:24:30.396 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 55858->9090 (06:24:30.396 PDT) 208.83.20.164 (06:22:31.122 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FFb]U~@%FF%BDY7%FF%ACW%FFO%A8] MAC_Src: 00:01:64:FF:CE:EA 55108->80 (06:22:31.122 PDT) 85.73.155.153 (06:23:24.743 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->53429 (06:23:24.743 PDT) 58.169.106.26 (06:25:25.266 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->29285 (06:25:25.266 PDT) 37.153.12.154 (06:22:35.401 PDT) event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:01:64:FF:CE:EA 55134->6881 (06:22:35.401 PDT) 217.39.102.216 (06:26:25.034 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->11490 (06:26:25.034 PDT) 61.91.88.66 (06:23:40.418 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 55592->16882 (06:23:40.418 PDT) 79.41.234.101 (06:24:25.976 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51413 (06:24:25.976 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (06:26:21.005 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 56563->6099 (06:26:21.005 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369056151.122 1369056151.123 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 119.46.206.90, 166.78.158.73 (3), 78.0.223.151, 62.195.248.193, 2.24.58.155, 108.7.164.107 Resource List: Observed Start: 05/20/2013 08:23:47.647 PDT Gen. Time: 05/20/2013 08:26:40.722 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 119.46.206.90 (08:26:39.990 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 59655->16883 (08:26:39.990 PDT) 166.78.158.73 (3) (08:26:01.576 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 59308->80 (08:26:01.576 PDT) ------------------------- event=1:2011699 (2) {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF~%FFn-%05z3PC/%B8%BBV%FF%07%A5] MAC_Src: 00:01:64:FF:CE:EA 59308->80 (08:26:01.576 PDT) 59309->80 (08:26:01.770 PDT) 78.0.223.151 (08:23:49.860 PDT) event=1:2008583 {udp} E7[info] ET P2P BitTorrent DHT nodes reply, [] MAC_Src: 00:01:64:FF:CE:EA 51413->38792 (08:23:49.860 PDT) 62.195.248.193 (08:23:47.647 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->16862 (08:23:47.647 PDT) 2.24.58.155 (08:25:49.786 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->30837 (08:25:49.786 PDT) 108.7.164.107 (08:24:48.856 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->17344 (08:24:48.856 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (08:26:40.722 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (08:26:40.722 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369063427.647 1369063427.648 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 166.78.158.73 (3), 108.7.164.107, 61.91.88.100, 62.195.248.193, 2.24.58.155, 119.46.206.90, 78.0.223.151, 41.233.106.210, 85.74.190.41 Resource List: Observed Start: 05/20/2013 08:23:47.647 PDT Gen. Time: 05/20/2013 08:27:53.052 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 166.78.158.73 (3) (08:26:01.576 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 59308->80 (08:26:01.576 PDT) ------------------------- event=1:2011699 (2) {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF~%FFn-%05z3PC/%B8%BBV%FF%07%A5] MAC_Src: 00:01:64:FF:CE:EA 59308->80 (08:26:01.576 PDT) 59309->80 (08:26:01.770 PDT) 108.7.164.107 (08:24:48.856 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->17344 (08:24:48.856 PDT) 61.91.88.100 (08:27:42.247 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 60137->16883 (08:27:42.247 PDT) 62.195.248.193 (08:23:47.647 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->16862 (08:23:47.647 PDT) 2.24.58.155 (08:25:49.786 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->30837 (08:25:49.786 PDT) 119.46.206.90 (08:26:39.990 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 59655->16883 (08:26:39.990 PDT) 78.0.223.151 (08:23:49.860 PDT) event=1:2008583 {udp} E7[info] ET P2P BitTorrent DHT nodes reply, [] MAC_Src: 00:01:64:FF:CE:EA 51413->38792 (08:23:49.860 PDT) 41.233.106.210 (08:27:53.052 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->29733 (08:27:53.052 PDT) 85.74.190.41 (08:26:53.150 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->58992 (08:26:53.150 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (08:26:40.722 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (08:26:40.722 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369063427.647 1369063427.648 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 124.8.223.98, 87.121.52.95 Resource List: Observed Start: 05/20/2013 10:27:54.473 PDT Gen. Time: 05/20/2013 10:28:10.822 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 124.8.223.98 (10:28:03.702 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 62687->16881 (10:28:03.702 PDT) 87.121.52.95 (10:27:54.473 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->25882 (10:27:54.473 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (10:28:10.822 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 62716->6099 (10:28:10.822 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369070874.473 1369070874.474 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 121.54.42.108, 124.8.223.98, 154.45.216.190, 178.198.227.250, 83.60.28.19, 37.153.12.154 (2), 208.83.20.164 (2), 87.121.52.95 Resource List: Observed Start: 05/20/2013 10:27:54.473 PDT Gen. Time: 05/20/2013 10:31:01.646 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 121.54.42.108 (10:31:01.646 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->27629 (10:31:01.646 PDT) 124.8.223.98 (10:28:03.702 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 62687->16881 (10:28:03.702 PDT) 154.45.216.190 (10:29:37.569 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 63376->1053 (10:29:37.569 PDT) 178.198.227.250 (10:29:55.394 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->15772 (10:29:55.394 PDT) 83.60.28.19 (10:28:55.025 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->53836 (10:28:55.025 PDT) 37.153.12.154 (2) (10:29:39.272 PDT) event=1:2102181 (2) {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:01:64:FF:CE:EA 63389->6881 (10:29:39.272 PDT) 63447->6881 (10:29:48.781 PDT) 208.83.20.164 (2) (10:30:30.930 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 63690->80 (10:30:30.930 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%88%81h!f%09%00%AF:|/U;%BCmJH%F3,J] MAC_Src: 00:01:64:FF:CE:EA 63690->80 (10:30:30.930 PDT) 87.121.52.95 (10:27:54.473 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->25882 (10:27:54.473 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (10:28:10.822 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 62716->6099 (10:28:10.822 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369070874.473 1369070874.474 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 78.21.46.121, 85.17.143.16, 110.136.220.235, 166.78.158.73 (3), 79.56.255.133, 119.46.206.19 Resource List: Observed Start: 05/20/2013 12:25:57.021 PDT Gen. Time: 05/20/2013 12:28:40.770 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 78.21.46.121 (12:28:25.562 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->12438 (12:28:25.562 PDT) 85.17.143.16 (12:26:59.538 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 50772->6969 (12:26:59.538 PDT) 110.136.220.235 (12:27:25.505 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->45682 (12:27:25.505 PDT) 166.78.158.73 (3) (12:27:01.521 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 50781->80 (12:27:01.521 PDT) ------------------------- event=1:2011699 (2) {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF~%FFn-%05z3PC/%B8%BBV%FF%07%A5] MAC_Src: 00:01:64:FF:CE:EA 50781->80 (12:27:01.521 PDT) 50785->80 (12:27:01.707 PDT) 79.56.255.133 (12:26:25.324 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->55984 (12:26:25.324 PDT) 119.46.206.19 (12:25:57.021 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 50325->16883 (12:25:57.021 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (12:28:40.770 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (12:28:40.770 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369077957.021 1369077957.022 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 126.91.113.44, 78.21.46.121, 86.136.168.88, 85.17.143.16, 110.136.220.235, 166.78.158.73 (3), 79.56.255.133, 119.46.206.19 Resource List: Observed Start: 05/20/2013 12:25:57.021 PDT Gen. Time: 05/20/2013 12:30:29.034 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 126.91.113.44 (12:29:27.094 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->60199 (12:29:27.094 PDT) 78.21.46.121 (12:28:25.562 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->12438 (12:28:25.562 PDT) 86.136.168.88 (12:30:29.034 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->55038 (12:30:29.034 PDT) 85.17.143.16 (12:26:59.538 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 50772->6969 (12:26:59.538 PDT) 110.136.220.235 (12:27:25.505 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->45682 (12:27:25.505 PDT) 166.78.158.73 (3) (12:27:01.521 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 50781->80 (12:27:01.521 PDT) ------------------------- event=1:2011699 (2) {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF~%FFn-%05z3PC/%B8%BBV%FF%07%A5] MAC_Src: 00:01:64:FF:CE:EA 50781->80 (12:27:01.521 PDT) 50785->80 (12:27:01.707 PDT) 79.56.255.133 (12:26:25.324 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->55984 (12:26:25.324 PDT) 119.46.206.19 (12:25:57.021 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 50325->16883 (12:25:57.021 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (12:28:40.770 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (12:28:40.770 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369077957.021 1369077957.022 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 126.91.113.44, 177.207.113.39, 195.82.146.122 Resource List: Observed Start: 05/20/2013 14:29:22.149 PDT Gen. Time: 05/20/2013 14:30:11.349 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 126.91.113.44 (14:29:22.205 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->60199 (14:29:22.205 PDT) 177.207.113.39 (14:29:23.209 PDT) event=1:2008583 {udp} E7[info] ET P2P BitTorrent DHT nodes reply, [] MAC_Src: 00:01:64:FF:CE:EA 51413->17491 (14:29:23.209 PDT) 195.82.146.122 (14:29:22.149 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/ann?uk=jL3CyxuYXA/scrape&info_hash= %FF%92x%FF%1Cw;@%12%FF%F67w%19%9C] MAC_Src: 00:01:64:FF:CE:EA 58235->80 (14:29:22.149 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (14:30:11.349 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 58616->6099 (14:30:11.349 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369085362.149 1369085362.150 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 126.91.113.44, 181.47.89.155, 177.207.113.39, 174.93.144.91, 195.82.146.122 Resource List: Observed Start: 05/20/2013 14:29:22.149 PDT Gen. Time: 05/20/2013 14:31:22.168 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 126.91.113.44 (14:29:22.205 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->60199 (14:29:22.205 PDT) 181.47.89.155 (14:30:22.924 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->64476 (14:30:22.924 PDT) 177.207.113.39 (14:29:23.209 PDT) event=1:2008583 {udp} E7[info] ET P2P BitTorrent DHT nodes reply, [] MAC_Src: 00:01:64:FF:CE:EA 51413->17491 (14:29:23.209 PDT) 174.93.144.91 (14:31:22.168 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->10101 (14:31:22.168 PDT) 195.82.146.122 (14:29:22.149 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/ann?uk=jL3CyxuYXA/scrape&info_hash= %FF%92x%FF%1Cw;@%12%FF%F67w%19%9C] MAC_Src: 00:01:64:FF:CE:EA 58235->80 (14:29:22.149 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (14:30:11.349 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 58616->6099 (14:30:11.349 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369085362.149 1369085362.150 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 61.91.88.100, 177.207.113.39, 65.183.158.128, 166.78.158.73 (2), 183.151.39.61, 69.157.89.144 (2), 121.14.98.151 Resource List: Observed Start: 05/20/2013 16:27:42.071 PDT Gen. Time: 05/20/2013 16:30:50.312 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 61.91.88.100 (16:27:42.071 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 63971->16883 (16:27:42.071 PDT) 177.207.113.39 (16:27:44.266 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->17491 (16:27:44.266 PDT) 65.183.158.128 (16:29:44.794 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51413 (16:29:44.794 PDT) 166.78.158.73 (2) (16:28:00.766 PDT) event=1:2011699 (2) {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF~%FFn-%05z3PC/%B8%BBV%FF%07%A5] MAC_Src: 00:01:64:FF:CE:EA 64089->80 (16:28:01.061 PDT) 64088->80 (16:28:00.766 PDT) 183.151.39.61 (16:28:46.090 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 64507->11862 (16:28:46.090 PDT) 69.157.89.144 (2) (16:28:44.591 PDT-16:30:44.487 PDT) event=1:1100013 (2) {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 2: 51413->47749 (16:28:44.591 PDT-16:30:44.487 PDT) 121.14.98.151 (16:27:42.911 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 63956->9090 (16:27:42.911 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (16:30:50.312 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (16:30:50.312 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369092462.071 1369092644.488 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 166.78.158.73 (2), 93.50.57.31, 208.83.20.164, 208.95.173.194 (2), 213.220.232.98, 85.17.143.16, 124.232.148.178, 94.242.221.123, 83.223.212.29 Resource List: Observed Start: 05/20/2013 18:28:41.232 PDT Gen. Time: 05/20/2013 18:32:11.285 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 166.78.158.73 (2) (18:28:41.232 PDT) event=1:2011699 (2) {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF~%FFn-%05z3PC/%B8%BBV%FF%07%A5] MAC_Src: 00:01:64:FF:CE:EA 64753->80 (18:28:41.232 PDT) 64754->80 (18:28:41.492 PDT) 93.50.57.31 (18:29:22.861 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->22580 (18:29:22.861 PDT) 208.83.20.164 (18:29:30.893 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%7F%A1%0D%80%BB%FF%86UM8%92%07%BF%FD%9F%FF%FF] MAC_Src: 00:01:64:FF:CE:EA 64949->80 (18:29:30.893 PDT) 208.95.173.194 (2) (18:28:50.770 PDT) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 64787->2710 (18:28:50.770 PDT) ------------------------- event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 64864->2711 (18:29:21.627 PDT) 213.220.232.98 (18:30:22.805 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->36436 (18:30:22.805 PDT) 85.17.143.16 (18:31:34.109 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 49388->6969 (18:31:34.109 PDT) 124.232.148.178 (18:29:35.074 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 64983->8284 (18:29:35.074 PDT) 94.242.221.123 (18:29:30.986 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/free/scrape?info_hash=%9D%A2%81%13|%FF%B7%1Ar3%0E%B5%F0O%FF%FA%FF] MAC_Src: 00:01:64:FF:CE:EA 64950->80 (18:29:30.986 PDT) 83.223.212.29 (18:31:23.169 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51413 (18:31:23.169 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (18:32:11.285 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 49485->6099 (18:32:11.285 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369099721.232 1369099721.233 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 166.78.158.73 (2), 93.50.57.31, 208.83.20.164, 208.95.173.194 (2), 213.220.232.98, 85.17.143.16, 124.232.148.178, 94.242.221.123, 65.184.50.244, 83.223.212.29 Resource List: Observed Start: 05/20/2013 18:28:41.232 PDT Gen. Time: 05/20/2013 18:32:23.127 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 166.78.158.73 (2) (18:28:41.232 PDT) event=1:2011699 (2) {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF~%FFn-%05z3PC/%B8%BBV%FF%07%A5] MAC_Src: 00:01:64:FF:CE:EA 64753->80 (18:28:41.232 PDT) 64754->80 (18:28:41.492 PDT) 93.50.57.31 (18:29:22.861 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->22580 (18:29:22.861 PDT) 208.83.20.164 (18:29:30.893 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%7F%A1%0D%80%BB%FF%86UM8%92%07%BF%FD%9F%FF%FF] MAC_Src: 00:01:64:FF:CE:EA 64949->80 (18:29:30.893 PDT) 208.95.173.194 (2) (18:28:50.770 PDT) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 64787->2710 (18:28:50.770 PDT) ------------------------- event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 64864->2711 (18:29:21.627 PDT) 213.220.232.98 (18:30:22.805 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->36436 (18:30:22.805 PDT) 85.17.143.16 (18:31:34.109 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 49388->6969 (18:31:34.109 PDT) 124.232.148.178 (18:29:35.074 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 64983->8284 (18:29:35.074 PDT) 94.242.221.123 (18:29:30.986 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/free/scrape?info_hash=%9D%A2%81%13|%FF%B7%1Ar3%0E%B5%F0O%FF%FA%FF] MAC_Src: 00:01:64:FF:CE:EA 64950->80 (18:29:30.986 PDT) 65.184.50.244 (18:32:23.127 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->52494 (18:32:23.127 PDT) 83.223.212.29 (18:31:23.169 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51413 (18:31:23.169 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (18:32:11.285 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 49485->6099 (18:32:11.285 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369099721.232 1369099721.233 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 178.207.16.238, 188.133.20.154, 37.153.12.154, 190.161.53.65 Resource List: Observed Start: 05/20/2013 20:30:30.791 PDT Gen. Time: 05/20/2013 20:32:30.172 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 178.207.16.238 (20:30:41.209 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 59757->16882 (20:30:41.209 PDT) 188.133.20.154 (20:31:31.851 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->36773 (20:31:31.851 PDT) 37.153.12.154 (20:30:42.205 PDT) event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:01:64:FF:CE:EA 59760->6881 (20:30:42.205 PDT) 190.161.53.65 (20:30:30.791 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->63311 (20:30:30.791 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (20:32:30.172 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (20:32:30.172 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369107030.791 1369107030.792 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 119.46.206.73, 67.142.227.103, 177.5.236.39, 178.207.16.238, 188.133.20.154 (2), 37.153.12.154, 190.161.53.65 Resource List: Observed Start: 05/20/2013 20:30:30.791 PDT Gen. Time: 05/20/2013 20:34:31.053 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 119.46.206.73 (20:34:31.053 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 61027->16881 (20:34:31.053 PDT) 67.142.227.103 (20:33:28.035 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 60603->32431 (20:33:28.035 PDT) 177.5.236.39 (20:32:31.346 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->43988 (20:32:31.346 PDT) 178.207.16.238 (20:30:41.209 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 59757->16882 (20:30:41.209 PDT) 188.133.20.154 (2) (20:31:31.851 PDT-20:33:31.883 PDT) event=1:1100013 (2) {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 2: 51413->36773 (20:31:31.851 PDT-20:33:31.883 PDT) 37.153.12.154 (20:30:42.205 PDT) event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:01:64:FF:CE:EA 59760->6881 (20:30:42.205 PDT) 190.161.53.65 (20:30:30.791 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->63311 (20:30:30.791 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (20:32:30.172 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (20:32:30.172 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369107030.791 1369107211.884 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 41.176.132.248 (2), 41.237.231.197 Resource List: Observed Start: 05/20/2013 22:31:36.213 PDT Gen. Time: 05/20/2013 22:34:31.671 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 41.176.132.248 (2) (22:31:36.213 PDT-22:33:40.225 PDT) event=1:1100013 (2) {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 2: 51413->41872 (22:31:36.213 PDT-22:33:40.225 PDT) 41.237.231.197 (22:32:38.140 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->54325 (22:32:38.140 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (22:34:31.671 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 50448->6099 (22:34:31.671 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369114296.213 1369114420.226 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 81.174.24.222, 41.176.132.248 (2), 85.17.143.16, 41.237.231.197, 208.83.20.164 (2), 195.82.146.122 Resource List: Observed Start: 05/20/2013 22:31:36.213 PDT Gen. Time: 05/20/2013 22:35:39.990 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 81.174.24.222 (22:34:40.635 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->58949 (22:34:40.635 PDT) 41.176.132.248 (2) (22:31:36.213 PDT-22:33:40.225 PDT) event=1:1100013 (2) {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 2: 51413->41872 (22:31:36.213 PDT-22:33:40.225 PDT) 85.17.143.16 (22:34:43.951 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 50562->6969 (22:34:43.951 PDT) 41.237.231.197 (22:32:38.140 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->54325 (22:32:38.140 PDT) 208.83.20.164 (2) (22:35:31.177 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 50826->80 (22:35:31.177 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%7F%A1%0D%80%BB%FF%86UM8%92%07%BF%FD%9F%FF%FF] MAC_Src: 00:01:64:FF:CE:EA 50826->80 (22:35:31.177 PDT) 195.82.146.122 (22:35:10.899 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/ann?uk=jL3CyxuYXA/scrape&info_hash= %FF%92x%FF%1Cw;@%12%FF%F67w%19%9C] MAC_Src: 00:01:64:FF:CE:EA 50613->80 (22:35:10.899 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (22:34:31.671 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 50448->6099 (22:34:31.671 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369114296.213 1369114420.226 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================