Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 178.207.16.115, 188.219.151.105, 84.29.114.207, 208.83.20.164 (2) Resource List: Observed Start: 05/23/2013 00:57:33.750 PDT Gen. Time: 05/23/2013 01:00:00.679 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 178.207.16.115 (00:57:33.750 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 65249->16882 (00:57:33.750 PDT) 188.219.151.105 (00:58:25.532 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->59435 (00:58:25.532 PDT) 84.29.114.207 (00:59:25.021 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->36363 (00:59:25.021 PDT) 208.83.20.164 (2) (00:57:51.088 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 65328->80 (00:57:51.088 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FFb]U~@%FF%BDY7%FF%ACW%FFO%A8] MAC_Src: 00:01:64:FF:CE:EA 65328->80 (00:57:51.088 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (01:00:00.679 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (01:00:00.679 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369295853.750 1369295853.751 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 208.83.20.164 (4), 91.218.38.132 (2), 221.204.204.141, 124.8.223.168, 110.136.220.235, 82.161.69.109, 85.17.143.16, 180.182.148.172, 41.236.152.77, 2.239.19.132 Resource List: Observed Start: 05/23/2013 02:58:13.635 PDT Gen. Time: 05/23/2013 03:01:50.721 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 208.83.20.164 (4) (02:58:51.076 PDT) event=1:1100016 (2) {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 49855->80 (02:58:51.076 PDT) 50503->80 (03:00:50.650 PDT) ------------------------- event=1:2011699 (2) {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FFb]U~@%FF%BDY7%FF%ACW%FFO%A8] MAC_Src: 00:01:64:FF:CE:EA 49855->80 (02:58:51.076 PDT) 50503->80 (03:00:50.650 PDT) 91.218.38.132 (2) (03:00:00.363 PDT) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 50221->2710 (03:00:00.363 PDT) ------------------------- event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 50221->2710 (03:00:00.363 PDT) 221.204.204.141 (03:00:43.997 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 50481->8284 (03:00:43.997 PDT) 124.8.223.168 (02:59:35.155 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 50129->16881 (02:59:35.155 PDT) 110.136.220.235 (03:00:24.794 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->45682 (03:00:24.794 PDT) 82.161.69.109 (03:01:24.899 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->26085 (03:01:24.899 PDT) 85.17.143.16 (03:01:50.011 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 50800->6969 (03:01:50.011 PDT) 180.182.148.172 (02:58:13.635 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 49580->51413 (02:58:13.635 PDT) 41.236.152.77 (02:59:24.520 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->37181 (02:59:24.520 PDT) 2.239.19.132 (02:58:23.462 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->40242 (02:58:23.462 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (03:01:50.721 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 50803->6099 (03:01:50.721 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369303093.635 1369303093.636 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 208.83.20.164 (4), 91.218.38.132 (2), 221.204.204.141, 124.8.223.168, 110.136.220.235, 82.161.69.109, 85.17.143.16, 180.182.148.172, 41.236.152.77, 2.239.19.132, 199.59.243.109 Resource List: Observed Start: 05/23/2013 02:58:13.635 PDT Gen. Time: 05/23/2013 03:02:20.785 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 208.83.20.164 (4) (02:58:51.076 PDT) event=1:1100016 (2) {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 49855->80 (02:58:51.076 PDT) 50503->80 (03:00:50.650 PDT) ------------------------- event=1:2011699 (2) {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FFb]U~@%FF%BDY7%FF%ACW%FFO%A8] MAC_Src: 00:01:64:FF:CE:EA 49855->80 (02:58:51.076 PDT) 50503->80 (03:00:50.650 PDT) 91.218.38.132 (2) (03:00:00.363 PDT) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 50221->2710 (03:00:00.363 PDT) ------------------------- event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 50221->2710 (03:00:00.363 PDT) 221.204.204.141 (03:00:43.997 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 50481->8284 (03:00:43.997 PDT) 124.8.223.168 (02:59:35.155 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 50129->16881 (02:59:35.155 PDT) 110.136.220.235 (03:00:24.794 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->45682 (03:00:24.794 PDT) 82.161.69.109 (03:01:24.899 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->26085 (03:01:24.899 PDT) 85.17.143.16 (03:01:50.011 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 50800->6969 (03:01:50.011 PDT) 180.182.148.172 (02:58:13.635 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 49580->51413 (02:58:13.635 PDT) 41.236.152.77 (02:59:24.520 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->37181 (02:59:24.520 PDT) 2.239.19.132 (02:58:23.462 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->40242 (02:58:23.462 PDT) 199.59.243.109 (03:02:20.785 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 50866->80 (03:02:20.785 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (03:01:50.721 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 50803->6099 (03:01:50.721 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369303093.635 1369303093.636 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 179.186.83.248, 190.160.0.227, 199.59.243.109 (2), 208.83.20.164 (2) Resource List: Observed Start: 05/23/2013 05:01:26.580 PDT Gen. Time: 05/23/2013 05:02:50.507 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 179.186.83.248 (05:02:23.424 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->17491 (05:02:23.424 PDT) 190.160.0.227 (05:01:26.580 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 52749->16882 (05:01:26.580 PDT) 199.59.243.109 (2) (05:02:41.431 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [/ipInfo/IPRep.php?IP=67.215.242.138&SPEED=fast&FORMAT=csv] MAC_Src: 00:01:64:FF:CE:EA 53209->80 (05:02:41.431 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF9%FFW%97%12%FFV%1B%A0%A8%0C%16Q%02%0D%A2] MAC_Src: 00:01:64:FF:CE:EA 53209->80 (05:02:41.431 PDT) 208.83.20.164 (2) (05:01:31.229 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [/OUTPUT/UNIQUE/1c9baba8a3b81defe2d5ffc8417bc62f/html/block_label_280_block.html] MAC_Src: 00:01:64:FF:CE:EA 52804->80 (05:01:31.229 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%87#%BEf%99%17O%FF=FN%F3%FF%FF%9B_v] MAC_Src: 00:01:64:FF:CE:EA 52804->80 (05:01:31.229 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (05:02:50.507 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (05:02:50.507 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369310486.580 1369310486.581 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 62.162.204.151, 208.83.20.164 (4), 179.186.83.248, 91.218.38.132 (2), 84.75.141.177, 49.147.20.194, 190.160.0.227, 119.46.206.104, 203.113.15.204, 65.184.50.244, 199.59.243.109 (2) Resource List: Observed Start: 05/23/2013 05:01:26.580 PDT Gen. Time: 05/23/2013 05:05:24.201 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 62.162.204.151 (05:05:19.186 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 53972->16881 (05:05:19.186 PDT) 208.83.20.164 (4) (05:01:31.229 PDT) event=1:1100016 (2) {tcp} E7[info] P2P torrent scrape tracker request, [/OUTPUT/UNIQUE/1c9baba8a3b81defe2d5ffc8417bc62f/html/block_label_280_block.html] MAC_Src: 00:01:64:FF:CE:EA 52804->80 (05:01:31.229 PDT) 53584->80 (05:03:50.571 PDT) ------------------------- event=1:2011699 (2) {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%87#%BEf%99%17O%FF=FN%F3%FF%FF%9B_v] MAC_Src: 00:01:64:FF:CE:EA 52804->80 (05:01:31.229 PDT) 53584->80 (05:03:50.571 PDT) 179.186.83.248 (05:02:23.424 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->17491 (05:02:23.424 PDT) 91.218.38.132 (2) (05:03:50.703 PDT) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 53586->2710 (05:03:50.703 PDT) ------------------------- event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 53586->2710 (05:03:50.703 PDT) 84.75.141.177 (05:04:24.862 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6881 (05:04:24.862 PDT) 49.147.20.194 (05:05:24.201 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->30228 (05:05:24.201 PDT) 190.160.0.227 (05:01:26.580 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 52749->16882 (05:01:26.580 PDT) 119.46.206.104 (05:03:57.200 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 53602->16882 (05:03:57.200 PDT) 203.113.15.204 (05:02:56.184 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 53262->16882 (05:02:56.184 PDT) 65.184.50.244 (05:03:24.200 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->52494 (05:03:24.200 PDT) 199.59.243.109 (2) (05:02:41.431 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [/ipInfo/IPRep.php?IP=67.215.242.138&SPEED=fast&FORMAT=csv] MAC_Src: 00:01:64:FF:CE:EA 53209->80 (05:02:41.431 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF9%FFW%97%12%FFV%1B%A0%A8%0C%16Q%02%0D%A2] MAC_Src: 00:01:64:FF:CE:EA 53209->80 (05:02:41.431 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (05:02:50.507 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (05:02:50.507 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369310486.580 1369310486.581 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 186.213.209.220, 80.213.220.184, 208.83.20.164, 199.59.243.109 (2) Resource List: Observed Start: 05/23/2013 07:02:34.281 PDT Gen. Time: 05/23/2013 07:04:10.805 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 186.213.209.220 (07:03:34.166 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51413 (07:03:34.166 PDT) 80.213.220.184 (07:02:34.281 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->54606 (07:02:34.281 PDT) 208.83.20.164 (07:04:00.786 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%88%81h!f%09%00%AF:|/U;%BCmJH%F3,J] MAC_Src: 00:01:64:FF:CE:EA 62130->80 (07:04:00.786 PDT) 199.59.243.109 (2) (07:03:11.646 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [/socialstream/get.json/8777792/timeslice/1369317770/10?jsoncallback=usstream] MAC_Src: 00:01:64:FF:CE:EA 61840->80 (07:03:11.646 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF9%FFW%97%12%FFV%1B%A0%A8%0C%16Q%02%0D%A2] MAC_Src: 00:01:64:FF:CE:EA 61840->80 (07:03:11.646 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (07:04:10.805 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 62140->6099 (07:04:10.805 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369317754.281 1369317754.282 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 190.31.80.124, 195.82.146.122, 208.83.20.164 (2), 91.218.38.132 (2), 46.120.83.95, 80.213.220.184, 85.17.143.16, 186.213.209.220, 201.160.192.221, 178.207.16.248, 178.239.54.160, 199.59.243.109 (2) Resource List: Observed Start: 05/23/2013 07:02:34.281 PDT Gen. Time: 05/23/2013 07:06:35.993 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 190.31.80.124 (07:06:35.993 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->35757 (07:06:35.993 PDT) 195.82.146.122 (07:04:21.421 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/ann?uk=jL3CyxuYXA/scrape&info_hash= %FF%92x%FF%1Cw;@%12%FF%F67w%19%9C] MAC_Src: 00:01:64:FF:CE:EA 62178->80 (07:04:21.421 PDT) 208.83.20.164 (2) (07:04:00.786 PDT) event=1:2011699 (2) {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%88%81h!f%09%00%AF:|/U;%BCmJH%F3,J] MAC_Src: 00:01:64:FF:CE:EA 62130->80 (07:04:00.786 PDT) 62756->80 (07:05:51.168 PDT) 91.218.38.132 (2) (07:04:15.017 PDT) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 62150->2710 (07:04:15.017 PDT) ------------------------- event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 62150->2710 (07:04:15.017 PDT) 46.120.83.95 (07:04:34.044 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->49364 (07:04:34.044 PDT) 80.213.220.184 (07:02:34.281 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->54606 (07:02:34.281 PDT) 85.17.143.16 (07:04:43.857 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 62401->6969 (07:04:43.857 PDT) 186.213.209.220 (07:03:34.166 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51413 (07:03:34.166 PDT) 201.160.192.221 (07:05:35.082 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->15326 (07:05:35.082 PDT) 178.207.16.248 (07:05:46.092 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 62748->16884 (07:05:46.092 PDT) 178.239.54.160 (07:05:20.908 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 62517->3310 (07:05:20.908 PDT) 199.59.243.109 (2) (07:03:11.646 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [/socialstream/get.json/8777792/timeslice/1369317770/10?jsoncallback=usstream] MAC_Src: 00:01:64:FF:CE:EA 61840->80 (07:03:11.646 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF9%FFW%97%12%FFV%1B%A0%A8%0C%16Q%02%0D%A2] MAC_Src: 00:01:64:FF:CE:EA 61840->80 (07:03:11.646 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (07:04:10.805 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 62140->6099 (07:04:10.805 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369317754.281 1369317754.282 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 208.83.20.164 Resource List: Observed Start: 05/23/2013 09:04:30.756 PDT Gen. Time: 05/23/2013 09:04:40.366 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 208.83.20.164 (09:04:30.756 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%88%81h!f%09%00%AF:|/U;%BCmJH%F3,J] MAC_Src: 00:01:64:FF:CE:EA 58178->80 (09:04:30.756 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (09:04:40.366 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (09:04:40.366 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369325070.756 1369325070.757 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 61.147.76.36, 124.8.223.168, 190.130.13.162, 85.17.143.16, 79.41.234.101, 96.52.54.214, 213.104.125.189, 208.83.20.164 (3) Resource List: Observed Start: 05/23/2013 09:04:30.756 PDT Gen. Time: 05/23/2013 09:08:35.367 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 61.147.76.36 (09:08:35.367 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 59744->8284 (09:08:35.367 PDT) 124.8.223.168 (09:04:44.965 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 58290->16881 (09:04:44.965 PDT) 190.130.13.162 (09:05:23.816 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->34170 (09:05:23.816 PDT) 85.17.143.16 (09:06:45.336 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 59076->6969 (09:06:45.336 PDT) 79.41.234.101 (09:06:23.024 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51413 (09:06:23.024 PDT) 96.52.54.214 (09:08:23.674 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->26300 (09:08:23.674 PDT) 213.104.125.189 (09:07:23.317 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->13896 (09:07:23.317 PDT) 208.83.20.164 (3) (09:04:30.756 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 58970->80 (09:06:31.031 PDT) ------------------------- event=1:2011699 (2) {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%88%81h!f%09%00%AF:|/U;%BCmJH%F3,J] MAC_Src: 00:01:64:FF:CE:EA 58178->80 (09:04:30.756 PDT) 58970->80 (09:06:31.031 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (09:04:40.366 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (09:04:40.366 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369325070.756 1369325070.757 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 79.43.19.121, 188.219.151.105, 208.83.20.164 (2), 77.67.84.217 Resource List: Observed Start: 05/23/2013 11:04:32.382 PDT Gen. Time: 05/23/2013 11:06:01.897 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 79.43.19.121 (11:04:32.382 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->24607 (11:04:32.382 PDT) 188.219.151.105 (11:05:32.743 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->59435 (11:05:32.743 PDT) 208.83.20.164 (2) (11:05:01.807 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 61810->80 (11:05:01.807 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%88%81h!f%09%00%AF:|/U;%BCmJH%F3,J] MAC_Src: 00:01:64:FF:CE:EA 61810->80 (11:05:01.807 PDT) 77.67.84.217 (11:04:47.375 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 61732->16881 (11:04:47.375 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (11:06:01.897 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 62285->6099 (11:06:01.897 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369332272.382 1369332272.383 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 195.82.146.122, 79.43.19.121, 208.83.20.164 (4), 190.130.13.162, 188.219.151.105, 68.150.224.48, 124.232.148.178, 92.108.1.95, 77.67.84.217 Resource List: Observed Start: 05/23/2013 11:04:32.382 PDT Gen. Time: 05/23/2013 11:08:14.239 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 195.82.146.122 (11:06:21.112 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/ann?uk=jL3CyxuYXA/scrape&info_hash= %FF%92x%FF%1Cw;@%12%FF%F67w%19%9C] MAC_Src: 00:01:64:FF:CE:EA 62353->80 (11:06:21.112 PDT) 79.43.19.121 (11:04:32.382 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->24607 (11:04:32.382 PDT) 208.83.20.164 (4) (11:05:01.807 PDT) event=1:1100016 (2) {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 61810->80 (11:05:01.807 PDT) 62687->80 (11:07:01.382 PDT) ------------------------- event=1:2011699 (2) {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%88%81h!f%09%00%AF:|/U;%BCmJH%F3,J] MAC_Src: 00:01:64:FF:CE:EA 61810->80 (11:05:01.807 PDT) 62687->80 (11:07:01.382 PDT) 190.130.13.162 (11:07:33.272 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->34170 (11:07:33.272 PDT) 188.219.151.105 (11:05:32.743 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->59435 (11:05:32.743 PDT) 68.150.224.48 (11:07:40.383 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 63097->51413 (11:07:40.383 PDT) 124.232.148.178 (11:06:32.757 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 62547->8284 (11:06:32.757 PDT) 92.108.1.95 (11:06:33.493 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->46575 (11:06:33.493 PDT) 77.67.84.217 (11:04:47.375 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 61732->16881 (11:04:47.375 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (11:06:01.897 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 62285->6099 (11:06:01.897 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369332272.382 1369332272.383 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 121.54.44.132, 94.0.124.96, 180.182.148.172, 89.99.212.237, 69.35.66.145, 208.83.20.164 (4), 85.0.177.201 Resource List: Observed Start: 05/23/2013 13:03:19.337 PDT Gen. Time: 05/23/2013 13:06:30.415 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 121.54.44.132 (13:04:19.704 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->23569 (13:04:19.704 PDT) 94.0.124.96 (13:05:19.096 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->28662 (13:05:19.096 PDT) 180.182.148.172 (13:05:03.851 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 51349->51413 (13:05:03.851 PDT) 89.99.212.237 (13:03:19.337 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->47717 (13:03:19.337 PDT) 69.35.66.145 (13:03:34.669 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 50608->60254 (13:03:34.669 PDT) 208.83.20.164 (4) (13:03:51.146 PDT) event=1:1100016 (2) {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 50761->80 (13:03:51.146 PDT) 51550->80 (13:05:31.416 PDT) ------------------------- event=1:2011699 (2) {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%87#%BEf%99%17O%FF=FN%F3%FF%FF%9B_v] MAC_Src: 00:01:64:FF:CE:EA 50761->80 (13:03:51.146 PDT) 51550->80 (13:05:31.416 PDT) 85.0.177.201 (13:06:19.314 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->59958 (13:06:19.314 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (13:06:30.415 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (13:06:30.415 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369339399.337 1369339399.338 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 94.0.124.96, 91.218.38.132 (2), 208.83.20.164 (4), 69.35.66.145, 85.17.143.16, 180.182.148.172, 68.37.211.111, 121.54.44.132, 89.99.212.237, 85.0.177.201 Resource List: Observed Start: 05/23/2013 13:03:19.337 PDT Gen. Time: 05/23/2013 13:07:20.013 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 94.0.124.96 (13:05:19.096 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->28662 (13:05:19.096 PDT) 91.218.38.132 (2) (13:06:53.798 PDT) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 52288->2710 (13:06:53.798 PDT) ------------------------- event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 52288->2710 (13:06:53.798 PDT) 208.83.20.164 (4) (13:03:51.146 PDT) event=1:1100016 (2) {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 50761->80 (13:03:51.146 PDT) 51550->80 (13:05:31.416 PDT) ------------------------- event=1:2011699 (2) {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%87#%BEf%99%17O%FF=FN%F3%FF%FF%9B_v] MAC_Src: 00:01:64:FF:CE:EA 50761->80 (13:03:51.146 PDT) 51550->80 (13:05:31.416 PDT) 69.35.66.145 (13:03:34.669 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 50608->60254 (13:03:34.669 PDT) 85.17.143.16 (13:06:53.226 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 52286->6969 (13:06:53.226 PDT) 180.182.148.172 (13:05:03.851 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 51349->51413 (13:05:03.851 PDT) 68.37.211.111 (13:07:20.013 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->10079 (13:07:20.013 PDT) 121.54.44.132 (13:04:19.704 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->23569 (13:04:19.704 PDT) 89.99.212.237 (13:03:19.337 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->47717 (13:03:19.337 PDT) 85.0.177.201 (13:06:19.314 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->59958 (13:06:19.314 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (13:06:30.415 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (13:06:30.415 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369339399.337 1369339399.338 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/23/2013 15:08:20.511 PDT Gen. Time: 05/23/2013 15:08:20.511 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (15:08:20.511 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 54330->6099 (15:08:20.511 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369346900.511 1369346900.512 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 82.102.136.166, 72.11.161.253, 182.55.168.150, 186.204.105.80, 93.97.234.142, 64.69.46.217, 86.21.9.150, 208.83.20.164 Resource List: Observed Start: 05/23/2013 15:08:20.511 PDT Gen. Time: 05/23/2013 15:12:26.421 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 82.102.136.166 (15:08:43.037 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 54575->16881 (15:08:43.037 PDT) 72.11.161.253 (15:09:24.237 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->33462 (15:09:24.237 PDT) 182.55.168.150 (15:11:26.556 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->43119 (15:11:26.556 PDT) 186.204.105.80 (15:08:24.544 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->46831 (15:08:24.544 PDT) 93.97.234.142 (15:12:26.421 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->30486 (15:12:26.421 PDT) 64.69.46.217 (15:09:43.319 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 55044->43611 (15:09:43.319 PDT) 86.21.9.150 (15:10:24.061 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->18296 (15:10:24.061 PDT) 208.83.20.164 (15:11:50.631 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [C%0E%0A%94%9D%CF%F5Gy%F8%C4%EBR%F6JE%93%89%E60%B9%BA#{Y%D7%A1%A6] MAC_Src: 00:01:64:FF:CE:EA 55828->80 (15:11:50.631 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (15:08:20.511 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 54330->6099 (15:08:20.511 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369346900.511 1369346900.512 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 122.179.88.116, 208.83.20.164 (2), 91.218.38.132 (2), 61.91.88.77, 89.136.160.243, 2.97.134.246, 122.193.14.71, 175.139.0.154, 203.113.15.205, 199.59.243.109 (2) Resource List: Observed Start: 05/23/2013 17:05:41.067 PDT Gen. Time: 05/23/2013 17:09:20.616 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 122.179.88.116 (17:07:49.867 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->38488 (17:07:49.867 PDT) 208.83.20.164 (2) (17:08:50.723 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 51730->80 (17:08:50.723 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FFb]U~@%FF%BDY7%FF%ACW%FFO%A8] MAC_Src: 00:01:64:FF:CE:EA 51730->80 (17:08:50.723 PDT) 91.218.38.132 (2) (17:07:12.414 PDT) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 51016->2710 (17:07:12.414 PDT) ------------------------- event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 51016->2710 (17:07:12.414 PDT) 61.91.88.77 (17:06:34.199 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 50857->16882 (17:06:34.199 PDT) 89.136.160.243 (17:05:44.533 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->14519 (17:05:44.533 PDT) 2.97.134.246 (17:08:49.220 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->59067 (17:08:49.220 PDT) 122.193.14.71 (17:07:35.215 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 51205->43776 (17:07:35.215 PDT) 175.139.0.154 (17:06:47.648 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->64875 (17:06:47.648 PDT) 203.113.15.205 (17:08:41.454 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 51675->16882 (17:08:41.454 PDT) 199.59.243.109 (2) (17:05:41.067 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 50546->80 (17:05:41.067 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF9%FFW%97%12%FFV%1B%A0%A8%0C%16Q%02%0D%A2] MAC_Src: 00:01:64:FF:CE:EA 50546->80 (17:05:41.067 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (17:09:20.616 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (17:09:20.616 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369353941.067 1369353941.068 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 122.179.88.116, 208.83.20.164 (2), 91.218.38.132 (2), 61.91.88.77, 89.136.160.243, 2.97.134.246, 124.232.148.148, 122.193.14.71, 175.139.0.154, 203.113.15.205, 199.59.243.109 (2) Resource List: Observed Start: 05/23/2013 17:05:41.067 PDT Gen. Time: 05/23/2013 17:09:43.246 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 122.179.88.116 (17:07:49.867 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->38488 (17:07:49.867 PDT) 208.83.20.164 (2) (17:08:50.723 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 51730->80 (17:08:50.723 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FFb]U~@%FF%BDY7%FF%ACW%FFO%A8] MAC_Src: 00:01:64:FF:CE:EA 51730->80 (17:08:50.723 PDT) 91.218.38.132 (2) (17:07:12.414 PDT) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 51016->2710 (17:07:12.414 PDT) ------------------------- event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 51016->2710 (17:07:12.414 PDT) 61.91.88.77 (17:06:34.199 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 50857->16882 (17:06:34.199 PDT) 89.136.160.243 (17:05:44.533 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->14519 (17:05:44.533 PDT) 2.97.134.246 (17:08:49.220 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->59067 (17:08:49.220 PDT) 124.232.148.148 (17:09:43.246 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 52083->8284 (17:09:43.246 PDT) 122.193.14.71 (17:07:35.215 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 51205->43776 (17:07:35.215 PDT) 175.139.0.154 (17:06:47.648 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->64875 (17:06:47.648 PDT) 203.113.15.205 (17:08:41.454 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 51675->16882 (17:08:41.454 PDT) 199.59.243.109 (2) (17:05:41.067 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 50546->80 (17:05:41.067 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF9%FFW%97%12%FFV%1B%A0%A8%0C%16Q%02%0D%A2] MAC_Src: 00:01:64:FF:CE:EA 50546->80 (17:05:41.067 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (17:09:20.616 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (17:09:20.616 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369353941.067 1369353941.068 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 61.91.88.132, 188.50.159.160, 151.28.234.233, 195.82.146.122, 86.176.12.143, 208.83.20.164 (2) Resource List: Observed Start: 05/23/2013 19:08:21.085 PDT Gen. Time: 05/23/2013 19:10:30.560 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 61.91.88.132 (19:09:45.145 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 59917->16881 (19:09:45.145 PDT) 188.50.159.160 (19:09:05.748 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->27315 (19:09:05.748 PDT) 151.28.234.233 (19:10:05.321 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->33172 (19:10:05.321 PDT) 195.82.146.122 (19:10:01.365 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/ann?uk=jL3CyxuYXA/scrape&info_hash= %FF%92x%FF%1Cw;@%12%FF%F67w%19%9C] MAC_Src: 00:01:64:FF:CE:EA 59937->80 (19:10:01.365 PDT) 86.176.12.143 (19:08:45.789 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 59581->6890 (19:08:45.789 PDT) 208.83.20.164 (2) (19:08:21.085 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 59334->80 (19:08:21.085 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%81%B4[0%BAx%FF%8C%FF%FF%FF%FD%01%A0S%FF] MAC_Src: 00:01:64:FF:CE:EA 59334->80 (19:08:21.085 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (19:10:30.560 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 60189->6099 (19:10:30.560 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369361301.085 1369361301.086 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 195.82.146.122, 61.91.88.132, 208.83.20.164 (2), 188.50.159.160, 85.17.143.16, 86.176.12.143, 123.2.8.25, 151.28.234.233, 95.211.174.166 Resource List: Observed Start: 05/23/2013 19:08:21.085 PDT Gen. Time: 05/23/2013 19:12:07.120 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 195.82.146.122 (19:10:01.365 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/ann?uk=jL3CyxuYXA/scrape&info_hash= %FF%92x%FF%1Cw;@%12%FF%F67w%19%9C] MAC_Src: 00:01:64:FF:CE:EA 59937->80 (19:10:01.365 PDT) 61.91.88.132 (19:09:45.145 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 59917->16881 (19:09:45.145 PDT) 208.83.20.164 (2) (19:08:21.085 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 59334->80 (19:08:21.085 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%81%B4[0%BAx%FF%8C%FF%FF%FF%FD%01%A0S%FF] MAC_Src: 00:01:64:FF:CE:EA 59334->80 (19:08:21.085 PDT) 188.50.159.160 (19:09:05.748 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->27315 (19:09:05.748 PDT) 85.17.143.16 (19:10:47.663 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 60306->6969 (19:10:47.663 PDT) 86.176.12.143 (19:08:45.789 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 59581->6890 (19:08:45.789 PDT) 123.2.8.25 (19:11:06.033 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->42873 (19:11:06.033 PDT) 151.28.234.233 (19:10:05.321 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->33172 (19:10:05.321 PDT) 95.211.174.166 (19:12:07.120 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->60881 (19:12:07.120 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (19:10:30.560 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 60189->6099 (19:10:30.560 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369361301.085 1369361301.086 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/23/2013 21:10:50.266 PDT Gen. Time: 05/23/2013 21:10:50.266 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (21:10:50.266 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (21:10:50.266 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369368650.266 1369368650.267 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 80.47.193.66, 91.218.38.132 (2), 173.11.243.162, 188.133.20.154, 98.26.19.64 Resource List: Observed Start: 05/23/2013 21:10:50.266 PDT Gen. Time: 05/23/2013 21:14:17.126 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 80.47.193.66 (21:14:17.126 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->60228 (21:14:17.126 PDT) 91.218.38.132 (2) (21:11:00.382 PDT) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 50634->2710 (21:11:00.382 PDT) ------------------------- event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 50634->2710 (21:11:00.382 PDT) 173.11.243.162 (21:13:17.744 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51413 (21:13:17.744 PDT) 188.133.20.154 (21:11:15.736 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->36773 (21:11:15.736 PDT) 98.26.19.64 (21:12:15.770 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->48263 (21:12:15.770 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (21:10:50.266 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (21:10:50.266 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369368650.266 1369368650.267 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================