Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 61.91.88.41 Resource List: Observed Start: 05/21/2013 00:35:29.833 PDT Gen. Time: 05/21/2013 00:35:31.160 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 61.91.88.41 (00:35:29.833 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 51440->16882 (00:35:29.833 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (00:35:31.160 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (00:35:31.160 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369121729.833 1369121729.834 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 177.32.99.161, 178.239.54.160, 109.129.210.176, 61.91.88.41, 166.78.158.73 (3), 208.83.20.164 Resource List: Observed Start: 05/21/2013 00:35:29.833 PDT Gen. Time: 05/21/2013 00:37:56.179 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 177.32.99.161 (00:36:54.181 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->10506 (00:36:54.181 PDT) 178.239.54.160 (00:37:10.943 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 51851->3310 (00:37:10.943 PDT) 109.129.210.176 (00:35:50.520 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->40959 (00:35:50.520 PDT) 61.91.88.41 (00:35:29.833 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 51440->16882 (00:35:29.833 PDT) 166.78.158.73 (3) (00:36:01.297 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 51539->80 (00:36:01.297 PDT) ------------------------- event=1:2011699 (2) {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF~%FFn-%05z3PC/%B8%BBV%FF%07%A5] MAC_Src: 00:01:64:FF:CE:EA 51539->80 (00:36:01.297 PDT) 51540->80 (00:36:01.560 PDT) 208.83.20.164 (00:36:11.697 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%7F%A1%0D%80%BB%FF%86UM8%92%07%BF%FD%9F%FF%FF] MAC_Src: 00:01:64:FF:CE:EA 51566->80 (00:36:11.697 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (00:35:31.160 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (00:35:31.160 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369121729.833 1369121729.834 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 180.182.148.172 Resource List: Observed Start: 05/21/2013 02:36:07.885 PDT Gen. Time: 05/21/2013 02:36:50.862 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 180.182.148.172 (02:36:07.885 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 54777->51413 (02:36:07.885 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (02:36:50.862 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 55031->6099 (02:36:50.862 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369128967.885 1369128967.886 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 177.142.179.200, 178.207.16.232, 180.182.148.172, 61.91.88.62, 98.26.19.64, 195.82.146.122, 208.83.20.164 (2), 79.35.72.247 Resource List: Observed Start: 05/21/2013 02:36:07.885 PDT Gen. Time: 05/21/2013 02:40:09.424 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 177.142.179.200 (02:39:07.080 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->59696 (02:39:07.080 PDT) 178.207.16.232 (02:37:57.966 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 55333->16884 (02:37:57.966 PDT) 180.182.148.172 (02:36:07.885 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 54777->51413 (02:36:07.885 PDT) 61.91.88.62 (02:39:46.284 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 55853->16881 (02:39:46.284 PDT) 98.26.19.64 (02:37:01.137 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->48263 (02:37:01.137 PDT) 195.82.146.122 (02:36:51.059 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/ann?uk=jL3CyxuYXA/scrape&info_hash= %FF%92x%FF%1Cw;@%12%FF%F67w%19%9C] MAC_Src: 00:01:64:FF:CE:EA 55029->80 (02:36:51.059 PDT) 208.83.20.164 (2) (02:36:50.931 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 55030->80 (02:36:50.931 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%7F%A1%0D%80%BB%FF%86UM8%92%07%BF%FD%9F%FF%FF] MAC_Src: 00:01:64:FF:CE:EA 55030->80 (02:36:50.931 PDT) 79.35.72.247 (02:38:03.199 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->32144 (02:38:03.199 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (02:36:50.862 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 55031->6099 (02:36:50.862 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369128967.885 1369128967.886 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 75.168.94.55, 68.150.224.48 Resource List: Observed Start: 05/21/2013 04:36:50.253 PDT Gen. Time: 05/21/2013 04:37:10.685 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 75.168.94.55 (04:36:50.253 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->33363 (04:36:50.253 PDT) 68.150.224.48 (04:37:10.253 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 59066->51413 (04:37:10.253 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (04:37:10.685 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (04:37:10.685 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369136210.253 1369136210.254 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 208.83.20.164 (2), 208.95.173.194, 68.150.224.48, 78.97.32.44, 75.168.94.55, 190.230.151.64, 178.239.54.160, 177.32.99.161, 109.163.226.31 Resource List: Observed Start: 05/21/2013 04:36:50.253 PDT Gen. Time: 05/21/2013 04:40:53.120 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 208.83.20.164 (2) (04:37:11.558 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 59068->80 (04:37:11.558 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%7F%A1%0D%80%BB%FF%86UM8%92%07%BF%FD%9F%FF%FF] MAC_Src: 00:01:64:FF:CE:EA 59068->80 (04:37:11.558 PDT) 208.95.173.194 (04:38:31.516 PDT) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 59625->2710 (04:38:31.516 PDT) 68.150.224.48 (04:37:10.253 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 59066->51413 (04:37:10.253 PDT) 78.97.32.44 (04:38:52.425 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->63139 (04:38:52.425 PDT) 75.168.94.55 (04:36:50.253 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->33363 (04:36:50.253 PDT) 190.230.151.64 (04:40:53.120 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->35757 (04:40:53.120 PDT) 178.239.54.160 (04:38:11.162 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 59407->3310 (04:38:11.162 PDT) 177.32.99.161 (04:39:53.368 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->10506 (04:39:53.368 PDT) 109.163.226.31 (04:37:52.664 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->58642 (04:37:52.664 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (04:37:10.685 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (04:37:10.685 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369136210.253 1369136210.254 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 195.82.146.122, 208.83.20.164 (2), 208.95.173.194, 119.46.206.16, 95.241.115.131, 79.12.22.90, 85.17.143.16, 178.239.54.160, 190.254.218.14 Resource List: Observed Start: 05/21/2013 06:36:41.666 PDT Gen. Time: 05/21/2013 06:39:21.367 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 195.82.146.122 (06:38:31.405 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/ann?uk=jL3CyxuYXA/scrape&info_hash= %FF%92x%FF%1Cw;@%12%FF%F67w%19%9C] MAC_Src: 00:01:64:FF:CE:EA 53749->80 (06:38:31.405 PDT) 208.83.20.164 (2) (06:37:41.654 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 53402->80 (06:37:41.654 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%7F%A1%0D%80%BB%FF%86UM8%92%07%BF%FD%9F%FF%FF] MAC_Src: 00:01:64:FF:CE:EA 53402->80 (06:37:41.654 PDT) 208.95.173.194 (06:39:01.185 PDT) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 53950->2710 (06:39:01.185 PDT) 119.46.206.16 (06:38:50.588 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 53924->16881 (06:38:50.588 PDT) 95.241.115.131 (06:37:21.061 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->13035 (06:37:21.061 PDT) 79.12.22.90 (06:38:21.689 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->52717 (06:38:21.689 PDT) 85.17.143.16 (06:37:44.067 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 53421->6969 (06:37:44.067 PDT) 178.239.54.160 (06:38:51.820 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 53932->3310 (06:38:51.820 PDT) 190.254.218.14 (06:36:41.666 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 53124->16882 (06:36:41.666 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (06:39:21.367 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 54072->6099 (06:39:21.367 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369143401.666 1369143401.667 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 195.82.146.122, 208.83.20.164 (2), 24.41.136.201, 208.95.173.194, 119.46.206.16, 95.241.115.131, 79.12.22.90, 69.35.66.145, 190.177.129.12, 85.17.143.16, 178.239.54.160, 190.254.218.14 Resource List: Observed Start: 05/21/2013 06:36:41.666 PDT Gen. Time: 05/21/2013 06:40:22.614 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 195.82.146.122 (06:38:31.405 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/ann?uk=jL3CyxuYXA/scrape&info_hash= %FF%92x%FF%1Cw;@%12%FF%F67w%19%9C] MAC_Src: 00:01:64:FF:CE:EA 53749->80 (06:38:31.405 PDT) 208.83.20.164 (2) (06:37:41.654 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 53402->80 (06:37:41.654 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%7F%A1%0D%80%BB%FF%86UM8%92%07%BF%FD%9F%FF%FF] MAC_Src: 00:01:64:FF:CE:EA 53402->80 (06:37:41.654 PDT) 24.41.136.201 (06:40:22.614 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->26839 (06:40:22.614 PDT) 208.95.173.194 (06:39:01.185 PDT) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 53950->2710 (06:39:01.185 PDT) 119.46.206.16 (06:38:50.588 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 53924->16881 (06:38:50.588 PDT) 95.241.115.131 (06:37:21.061 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->13035 (06:37:21.061 PDT) 79.12.22.90 (06:38:21.689 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->52717 (06:38:21.689 PDT) 69.35.66.145 (06:39:51.104 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 54317->60254 (06:39:51.104 PDT) 190.177.129.12 (06:39:22.098 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->49813 (06:39:22.098 PDT) 85.17.143.16 (06:37:44.067 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 53421->6969 (06:37:44.067 PDT) 178.239.54.160 (06:38:51.820 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 53932->3310 (06:38:51.820 PDT) 190.254.218.14 (06:36:41.666 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 53124->16882 (06:36:41.666 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (06:39:21.367 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 54072->6099 (06:39:21.367 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369143401.666 1369143401.667 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 208.95.173.194 (2), 124.8.223.150, 31.151.72.98, 181.47.89.155, 119.46.206.41, 208.83.20.164 (2) Resource List: Observed Start: 05/21/2013 08:38:02.305 PDT Gen. Time: 05/21/2013 08:39:50.092 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 208.95.173.194 (2) (08:39:30.358 PDT) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 54417->2710 (08:39:30.358 PDT) ------------------------- event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 54417->2710 (08:39:30.358 PDT) 124.8.223.150 (08:38:03.666 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 53720->16882 (08:38:03.666 PDT) 31.151.72.98 (08:39:04.045 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->50170 (08:39:04.045 PDT) 181.47.89.155 (08:38:02.305 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->64476 (08:38:02.305 PDT) 119.46.206.41 (08:39:40.263 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 54540->16882 (08:39:40.263 PDT) 208.83.20.164 (2) (08:38:10.724 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 53740->80 (08:38:10.724 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%7F%A1%0D%80%BB%FF%86UM8%92%07%BF%FD%9F%FF%FF] MAC_Src: 00:01:64:FF:CE:EA 53740->80 (08:38:10.724 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (08:39:50.092 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (08:39:50.092 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369150682.305 1369150682.306 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 119.46.206.41, 181.47.89.155, 151.40.161.35, 208.83.20.164 (2), 208.95.173.194 (2), 37.153.12.154 (2), 124.8.223.150, 82.102.136.166, 177.32.99.161, 31.151.72.98 Resource List: Observed Start: 05/21/2013 08:38:02.305 PDT Gen. Time: 05/21/2013 08:42:05.251 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 119.46.206.41 (08:39:40.263 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 54540->16882 (08:39:40.263 PDT) 181.47.89.155 (08:38:02.305 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->64476 (08:38:02.305 PDT) 151.40.161.35 (08:40:07.266 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51197 (08:40:07.266 PDT) 208.83.20.164 (2) (08:38:10.724 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 53740->80 (08:38:10.724 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%7F%A1%0D%80%BB%FF%86UM8%92%07%BF%FD%9F%FF%FF] MAC_Src: 00:01:64:FF:CE:EA 53740->80 (08:38:10.724 PDT) 208.95.173.194 (2) (08:39:30.358 PDT) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 54417->2710 (08:39:30.358 PDT) ------------------------- event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 54417->2710 (08:39:30.358 PDT) 37.153.12.154 (2) (08:40:25.746 PDT) event=1:2102181 (2) {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:01:64:FF:CE:EA 54687->6881 (08:40:25.746 PDT) 54882->6881 (08:40:37.747 PDT) 124.8.223.150 (08:38:03.666 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 53720->16882 (08:38:03.666 PDT) 82.102.136.166 (08:40:44.298 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 54949->16881 (08:40:44.298 PDT) 177.32.99.161 (08:41:10.163 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->10506 (08:41:10.163 PDT) 31.151.72.98 (08:39:04.045 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->50170 (08:39:04.045 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (08:39:50.092 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (08:39:50.092 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369150682.305 1369150682.306 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 195.82.146.122, 109.197.98.169, 119.46.206.18, 208.83.20.164 (2), 208.95.173.194 (2), 190.16.24.172, 78.21.46.121, 2.230.52.152, 178.207.16.232 Resource List: Observed Start: 05/21/2013 10:37:57.709 PDT Gen. Time: 05/21/2013 10:41:21.443 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 195.82.146.122 (10:40:01.184 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/ann?uk=jL3CyxuYXA/scrape&info_hash= %FF%92x%FF%1Cw;@%12%FF%F67w%19%9C] MAC_Src: 00:01:64:FF:CE:EA 60479->80 (10:40:01.184 PDT) 109.197.98.169 (10:39:43.431 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->52819 (10:39:43.431 PDT) 119.46.206.18 (10:39:32.521 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 60260->16882 (10:39:32.521 PDT) 208.83.20.164 (2) (10:38:41.138 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [b%9F%84%EF%C1%AD%1A%DE;T%B8l%11%E7%9El%95%E0C#%B5] MAC_Src: 00:01:64:FF:CE:EA 59857->80 (10:38:41.138 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%7F%A1%0D%80%BB%FF%86UM8%92%07%BF%FD%9F%FF%FF] MAC_Src: 00:01:64:FF:CE:EA 59857->80 (10:38:41.138 PDT) 208.95.173.194 (2) (10:39:51.761 PDT) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 60459->2710 (10:39:51.761 PDT) ------------------------- event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 60459->2710 (10:39:51.761 PDT) 190.16.24.172 (10:38:43.552 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->21825 (10:38:43.552 PDT) 78.21.46.121 (10:40:43.541 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->12438 (10:40:43.541 PDT) 2.230.52.152 (10:41:01.044 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 60956->51413 (10:41:01.044 PDT) 178.207.16.232 (10:37:57.709 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 59493->16884 (10:37:57.709 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (10:41:21.443 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 61020->6099 (10:41:21.443 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369157877.709 1369157877.710 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 195.82.146.122, 109.197.98.169, 119.46.206.18, 208.83.20.164 (2), 83.77.205.156, 208.95.173.194 (2), 190.16.24.172, 78.21.46.121, 2.230.52.152, 178.207.16.232 Resource List: Observed Start: 05/21/2013 10:37:57.709 PDT Gen. Time: 05/21/2013 10:42:25.194 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 195.82.146.122 (10:40:01.184 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/ann?uk=jL3CyxuYXA/scrape&info_hash= %FF%92x%FF%1Cw;@%12%FF%F67w%19%9C] MAC_Src: 00:01:64:FF:CE:EA 60479->80 (10:40:01.184 PDT) 109.197.98.169 (10:39:43.431 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->52819 (10:39:43.431 PDT) 119.46.206.18 (10:39:32.521 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 60260->16882 (10:39:32.521 PDT) 208.83.20.164 (2) (10:38:41.138 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [b%9F%84%EF%C1%AD%1A%DE;T%B8l%11%E7%9El%95%E0C#%B5] MAC_Src: 00:01:64:FF:CE:EA 59857->80 (10:38:41.138 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%7F%A1%0D%80%BB%FF%86UM8%92%07%BF%FD%9F%FF%FF] MAC_Src: 00:01:64:FF:CE:EA 59857->80 (10:38:41.138 PDT) 83.77.205.156 (10:41:43.121 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6881 (10:41:43.121 PDT) 208.95.173.194 (2) (10:39:51.761 PDT) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 60459->2710 (10:39:51.761 PDT) ------------------------- event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 60459->2710 (10:39:51.761 PDT) 190.16.24.172 (10:38:43.552 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->21825 (10:38:43.552 PDT) 78.21.46.121 (10:40:43.541 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->12438 (10:40:43.541 PDT) 2.230.52.152 (10:41:01.044 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 60956->51413 (10:41:01.044 PDT) 178.207.16.232 (10:37:57.709 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 59493->16884 (10:37:57.709 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (10:41:21.443 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 61020->6099 (10:41:21.443 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369157877.709 1369157877.710 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 137.147.156.13 Resource List: Observed Start: 05/21/2013 12:41:37.562 PDT Gen. Time: 05/21/2013 12:41:41.026 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 137.147.156.13 (12:41:37.562 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->12298 (12:41:37.562 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (12:41:41.026 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (12:41:41.026 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369165297.562 1369165297.563 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 2.230.52.152, 178.239.54.153, 70.64.88.3, 67.142.227.103, 137.147.156.13, 177.207.4.110 (2), 85.17.143.16, 68.49.234.223 Resource List: Observed Start: 05/21/2013 12:41:37.562 PDT Gen. Time: 05/21/2013 12:45:38.539 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 2.230.52.152 (12:45:04.328 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 54423->51413 (12:45:04.328 PDT) 178.239.54.153 (12:44:50.179 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 54385->3310 (12:44:50.179 PDT) 70.64.88.3 (12:43:38.717 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->62415 (12:43:38.717 PDT) 67.142.227.103 (12:43:52.089 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 53947->32431 (12:43:52.089 PDT) 137.147.156.13 (12:41:37.562 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->12298 (12:41:37.562 PDT) 177.207.4.110 (2) (12:42:37.544 PDT-12:45:38.539 PDT) event=1:1100013 (2) {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 2: 51413->17491 (12:42:37.544 PDT-12:45:38.539 PDT) 85.17.143.16 (12:42:50.574 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 53408->6969 (12:42:50.574 PDT) 68.49.234.223 (12:44:38.112 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->22554 (12:44:38.112 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (12:41:41.026 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (12:41:41.026 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369165297.562 1369165538.540 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 78.21.46.121, 2.230.52.152, 208.95.173.194, 85.17.143.16, 132.248.66.18, 208.83.20.164 (2), 195.82.146.122 Resource List: Observed Start: 05/21/2013 14:41:00.597 PDT Gen. Time: 05/21/2013 14:43:10.546 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 78.21.46.121 (14:41:46.524 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->12438 (14:41:46.524 PDT) 2.230.52.152 (14:41:07.013 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 58266->51413 (14:41:07.013 PDT) 208.95.173.194 (14:41:00.597 PDT) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 58248->2710 (14:41:00.597 PDT) 85.17.143.16 (14:42:37.036 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 58992->6969 (14:42:37.036 PDT) 132.248.66.18 (14:42:47.056 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->49684 (14:42:47.056 PDT) 208.83.20.164 (2) (14:42:40.553 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 59011->80 (14:42:40.553 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FFb]U~@%FF%BDY7%FF%ACW%FFO%A8] MAC_Src: 00:01:64:FF:CE:EA 59011->80 (14:42:40.553 PDT) 195.82.146.122 (14:41:30.988 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/ann?uk=jL3CyxuYXA/scrape&info_hash= %FF%92x%FF%1Cw;@%12%FF%F67w%19%9C] MAC_Src: 00:01:64:FF:CE:EA 58441->80 (14:41:30.988 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (14:43:10.546 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 59134->6099 (14:43:10.546 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369172460.597 1369172460.598 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 195.82.146.122, 208.83.20.164 (2), 208.95.173.194, 78.21.46.121, 132.248.66.18, 85.17.143.16, 137.147.156.13, 2.230.52.152 (2), 86.26.16.197 Resource List: Observed Start: 05/21/2013 14:41:00.597 PDT Gen. Time: 05/21/2013 14:45:17.960 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 195.82.146.122 (14:41:30.988 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/ann?uk=jL3CyxuYXA/scrape&info_hash= %FF%92x%FF%1Cw;@%12%FF%F67w%19%9C] MAC_Src: 00:01:64:FF:CE:EA 58441->80 (14:41:30.988 PDT) 208.83.20.164 (2) (14:42:40.553 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 59011->80 (14:42:40.553 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FFb]U~@%FF%BDY7%FF%ACW%FFO%A8] MAC_Src: 00:01:64:FF:CE:EA 59011->80 (14:42:40.553 PDT) 208.95.173.194 (14:41:00.597 PDT) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 58248->2710 (14:41:00.597 PDT) 78.21.46.121 (14:41:46.524 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->12438 (14:41:46.524 PDT) 132.248.66.18 (14:42:47.056 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->49684 (14:42:47.056 PDT) 85.17.143.16 (14:42:37.036 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 58992->6969 (14:42:37.036 PDT) 137.147.156.13 (14:44:49.572 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->12298 (14:44:49.572 PDT) 2.230.52.152 (2) (14:41:07.013 PDT) event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 58266->51413 (14:41:07.013 PDT) 59797->51413 (14:44:33.068 PDT) 86.26.16.197 (14:43:47.624 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->16702 (14:43:47.624 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (14:43:10.546 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 59134->6099 (14:43:10.546 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369172460.597 1369172460.598 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 200.117.237.23, 70.64.88.3, 208.95.173.194 (2), 2.230.52.152, 24.246.58.184, 200.83.193.112, 195.82.146.122, 208.83.20.164 (2) Resource List: Observed Start: 05/21/2013 18:41:19.679 PDT Gen. Time: 05/21/2013 18:45:00.397 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 200.117.237.23 (18:43:29.155 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 55804->16884 (18:43:29.155 PDT) 70.64.88.3 (18:43:16.877 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->62415 (18:43:16.877 PDT) 208.95.173.194 (2) (18:41:51.200 PDT) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 55123->2710 (18:41:51.200 PDT) ------------------------- event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 55123->2710 (18:41:51.200 PDT) 2.230.52.152 (18:41:19.679 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 54812->51413 (18:41:19.679 PDT) 24.246.58.184 (18:44:16.266 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->26683 (18:44:16.266 PDT) 200.83.193.112 (18:42:16.034 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->14603 (18:42:16.034 PDT) 195.82.146.122 (18:43:41.193 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/ann?uk=jL3CyxuYXA/scrape&info_hash= %FF%92x%FF%1Cw;@%12%FF%F67w%19%9C] MAC_Src: 00:01:64:FF:CE:EA 55974->80 (18:43:41.193 PDT) 208.83.20.164 (2) (18:43:41.071 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 55975->80 (18:43:41.071 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FFb]U~@%FF%BDY7%FF%ACW%FFO%A8] MAC_Src: 00:01:64:FF:CE:EA 55975->80 (18:43:41.071 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (18:45:00.397 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 56513->6099 (18:45:00.397 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369186879.679 1369186879.680 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 195.82.146.122, 200.117.237.23, 208.83.20.164 (2), 70.64.88.3, 59.15.78.137, 208.95.173.194 (2), 200.83.193.112, 24.246.58.184, 2.230.52.152 (2) Resource List: Observed Start: 05/21/2013 18:41:19.679 PDT Gen. Time: 05/21/2013 18:45:31.490 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 195.82.146.122 (18:43:41.193 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/ann?uk=jL3CyxuYXA/scrape&info_hash= %FF%92x%FF%1Cw;@%12%FF%F67w%19%9C] MAC_Src: 00:01:64:FF:CE:EA 55974->80 (18:43:41.193 PDT) 200.117.237.23 (18:43:29.155 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 55804->16884 (18:43:29.155 PDT) 208.83.20.164 (2) (18:43:41.071 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 55975->80 (18:43:41.071 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FFb]U~@%FF%BDY7%FF%ACW%FFO%A8] MAC_Src: 00:01:64:FF:CE:EA 55975->80 (18:43:41.071 PDT) 70.64.88.3 (18:43:16.877 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->62415 (18:43:16.877 PDT) 59.15.78.137 (18:45:17.190 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->12705 (18:45:17.190 PDT) 208.95.173.194 (2) (18:41:51.200 PDT) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 55123->2710 (18:41:51.200 PDT) ------------------------- event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 55123->2710 (18:41:51.200 PDT) 200.83.193.112 (18:42:16.034 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->14603 (18:42:16.034 PDT) 24.246.58.184 (18:44:16.266 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->26683 (18:44:16.266 PDT) 2.230.52.152 (2) (18:41:19.679 PDT) event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 54812->51413 (18:41:19.679 PDT) 56715->51413 (18:45:31.490 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (18:45:00.397 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 56513->6099 (18:45:00.397 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369186879.679 1369186879.680 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 119.46.206.18, 2.97.134.246 (2), 77.29.126.170, 208.83.20.164 (2) Resource List: Observed Start: 05/21/2013 20:43:29.038 PDT Gen. Time: 05/21/2013 20:45:40.457 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 119.46.206.18 (20:43:41.891 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 55983->16882 (20:43:41.891 PDT) 2.97.134.246 (2) (20:43:29.038 PDT-20:45:29.020 PDT) event=1:1100013 (2) {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 2: 51413->59067 (20:43:29.038 PDT-20:45:29.020 PDT) 77.29.126.170 (20:44:29.699 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->20733 (20:44:29.699 PDT) 208.83.20.164 (2) (20:44:21.476 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [%AF%00%EA%F7D/%82%E6d %D9D/%DB%8A%07%EAO%99%1B-%C4%D7%9A%A9%00%0C%87t^%E3%DE%9A?aO%EE%1E%EAoV%8B%E8~%BA%E70%03%F8%BE%CD#s$%F5%9B%B7%FD;Kg$%A4%C5%A5<] MAC_Src: 00:01:64:FF:CE:EA 56135->80 (20:44:21.476 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FFb]U~@%FF%BDY7%FF%ACW%FFO%A8] MAC_Src: 00:01:64:FF:CE:EA 56135->80 (20:44:21.476 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (20:45:40.457 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (20:45:40.457 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369194209.038 1369194329.021 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 177.19.153.211, 99.230.104.255, 195.82.146.122 Resource List: Observed Start: 05/21/2013 22:46:21.385 PDT Gen. Time: 05/21/2013 22:47:30.674 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 177.19.153.211 (22:47:29.118 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 62627->16884 (22:47:29.118 PDT) 99.230.104.255 (22:46:32.719 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->53512 (22:46:32.719 PDT) 195.82.146.122 (22:46:21.385 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/ann?uk=jL3CyxuYXA/scrape&info_hash= %FF%92x%FF%1Cw;@%12%FF%F67w%19%9C] MAC_Src: 00:01:64:FF:CE:EA 62288->80 (22:46:21.385 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (22:47:30.674 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 62634->6099 (22:47:30.674 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369201581.385 1369201581.386 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 178.239.54.153, 70.64.88.3, 177.19.153.211, 99.230.104.255, 95.120.35.175, 78.134.100.7, 203.113.15.61, 195.82.146.122 Resource List: Observed Start: 05/21/2013 22:46:21.385 PDT Gen. Time: 05/21/2013 22:49:32.374 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 178.239.54.153 (22:47:51.054 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 62698->3310 (22:47:51.054 PDT) 70.64.88.3 (22:47:32.379 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->62415 (22:47:32.379 PDT) 177.19.153.211 (22:47:29.118 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 62627->16884 (22:47:29.118 PDT) 99.230.104.255 (22:46:32.719 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->53512 (22:46:32.719 PDT) 95.120.35.175 (22:49:32.374 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->32958 (22:49:32.374 PDT) 78.134.100.7 (22:48:32.221 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->58949 (22:48:32.221 PDT) 203.113.15.61 (22:48:37.408 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 62899->16884 (22:48:37.408 PDT) 195.82.146.122 (22:46:21.385 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/ann?uk=jL3CyxuYXA/scrape&info_hash= %FF%92x%FF%1Cw;@%12%FF%F67w%19%9C] MAC_Src: 00:01:64:FF:CE:EA 62288->80 (22:46:21.385 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (22:47:30.674 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 62634->6099 (22:47:30.674 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369201581.385 1369201581.386 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================