Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 95.244.241.138, 119.46.206.84, 89.99.92.58, 198.254.240.15, 5.71.166.198, 195.82.146.122, 208.83.20.164 (2) Resource List: Observed Start: 05/26/2013 03:36:31.067 PDT Gen. Time: 05/26/2013 03:40:20.999 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 95.244.241.138 (03:38:35.712 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->24874 (03:38:35.712 PDT) 119.46.206.84 (03:37:49.942 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 55783->16884 (03:37:49.942 PDT) 89.99.92.58 (03:36:34.364 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->41829 (03:36:34.364 PDT) 198.254.240.15 (03:39:38.916 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->23899 (03:39:38.916 PDT) 5.71.166.198 (03:37:34.201 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->62834 (03:37:34.201 PDT) 195.82.146.122 (03:38:51.613 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/ann?uk=jL3CyxuYXA/scrape&info_hash= %FF%92x%FF%1Cw;@%12%FF%F67w%19%9C] MAC_Src: 00:01:64:FF:CE:EA 56099->80 (03:38:51.613 PDT) 208.83.20.164 (2) (03:36:31.067 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 55340->80 (03:36:31.067 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%81%B4[0%BAx%FF%8C%FF%FF%FF%FD%01%A0S%FF] MAC_Src: 00:01:64:FF:CE:EA 55340->80 (03:36:31.067 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (03:40:20.999 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 56402->6099 (03:40:20.999 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369564591.067 1369564591.068 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 119.46.206.44, 95.244.241.138, 119.46.206.84, 89.99.92.58, 198.254.240.15, 5.71.166.198, 195.82.146.122, 208.83.20.164 (2) Resource List: Observed Start: 05/26/2013 03:36:31.067 PDT Gen. Time: 05/26/2013 03:40:33.234 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 119.46.206.44 (03:40:33.234 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 56567->16883 (03:40:33.234 PDT) 95.244.241.138 (03:38:35.712 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->24874 (03:38:35.712 PDT) 119.46.206.84 (03:37:49.942 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 55783->16884 (03:37:49.942 PDT) 89.99.92.58 (03:36:34.364 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->41829 (03:36:34.364 PDT) 198.254.240.15 (03:39:38.916 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->23899 (03:39:38.916 PDT) 5.71.166.198 (03:37:34.201 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->62834 (03:37:34.201 PDT) 195.82.146.122 (03:38:51.613 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/ann?uk=jL3CyxuYXA/scrape&info_hash= %FF%92x%FF%1Cw;@%12%FF%F67w%19%9C] MAC_Src: 00:01:64:FF:CE:EA 56099->80 (03:38:51.613 PDT) 208.83.20.164 (2) (03:36:31.067 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 55340->80 (03:36:31.067 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%81%B4[0%BAx%FF%8C%FF%FF%FF%FD%01%A0S%FF] MAC_Src: 00:01:64:FF:CE:EA 55340->80 (03:36:31.067 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (03:40:20.999 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 56402->6099 (03:40:20.999 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369564591.067 1369564591.068 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/26/2013 05:40:30.952 PDT Gen. Time: 05/26/2013 05:40:30.952 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (05:40:30.952 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (05:40:30.952 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369572030.952 1369572030.953 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 200.117.237.23, 178.239.54.160, 89.99.212.237, 121.219.36.63, 94.209.46.10, 2.223.214.199, 208.83.20.164 Resource List: Observed Start: 05/26/2013 05:40:30.952 PDT Gen. Time: 05/26/2013 05:44:37.248 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 200.117.237.23 (05:43:29.940 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 59258->16884 (05:43:29.940 PDT) 178.239.54.160 (05:42:51.330 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 59096->3310 (05:42:51.330 PDT) 89.99.212.237 (05:42:29.294 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->47717 (05:42:29.294 PDT) 121.219.36.63 (05:44:29.360 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->53448 (05:44:29.360 PDT) 94.209.46.10 (05:43:29.401 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->16335 (05:43:29.401 PDT) 2.223.214.199 (05:41:29.016 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51695 (05:41:29.016 PDT) 208.83.20.164 (05:41:21.067 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 58516->6969 (05:41:21.067 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (05:40:30.952 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (05:40:30.952 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369572030.952 1369572030.953 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 195.82.146.122, 208.83.20.164, 91.218.38.132 (2), 173.254.227.67, 119.46.206.99, 114.76.26.107, 78.108.159.17 (2), 95.22.86.53, 198.254.240.15, 219.84.215.235 Resource List: Observed Start: 05/26/2013 07:38:49.646 PDT Gen. Time: 05/26/2013 07:42:01.002 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 195.82.146.122 (07:40:50.662 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/ann?uk=jL3CyxuYXA/scrape&info_hash= %FF%92x%FF%1Cw;@%12%FF%F67w%19%9C] MAC_Src: 00:01:64:FF:CE:EA 52301->80 (07:40:50.662 PDT) 208.83.20.164 (07:41:50.982 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 52729->6969 (07:41:50.982 PDT) 91.218.38.132 (2) (07:39:02.207 PDT) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 51304->2710 (07:39:02.207 PDT) ------------------------- event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 51304->2710 (07:39:02.207 PDT) 173.254.227.67 (07:39:52.165 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 51754->43611 (07:39:52.165 PDT) 119.46.206.99 (07:41:04.932 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 52334->16882 (07:41:04.932 PDT) 114.76.26.107 (07:39:44.699 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->55083 (07:39:44.699 PDT) 78.108.159.17 (2) (07:39:45.663 PDT) event=1:2102181 (2) {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:01:64:FF:CE:EA 51720->6881 (07:39:45.663 PDT) 51770->6881 (07:39:55.166 PDT) 95.22.86.53 (07:40:44.468 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->64422 (07:40:44.468 PDT) 198.254.240.15 (07:41:44.469 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->23899 (07:41:44.469 PDT) 219.84.215.235 (07:38:49.646 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 51262->16882 (07:38:49.646 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (07:42:01.002 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 52743->6099 (07:42:01.002 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369579129.646 1369579129.647 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 195.82.146.122, 208.83.20.164, 91.218.38.132 (2), 173.254.227.67, 119.46.206.99, 114.76.26.107, 78.108.159.17 (2), 77.207.208.215, 95.22.86.53, 119.46.206.74, 198.254.240.15, 219.84.215.235 Resource List: Observed Start: 05/26/2013 07:38:49.646 PDT Gen. Time: 05/26/2013 07:42:48.359 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 195.82.146.122 (07:40:50.662 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/ann?uk=jL3CyxuYXA/scrape&info_hash= %FF%92x%FF%1Cw;@%12%FF%F67w%19%9C] MAC_Src: 00:01:64:FF:CE:EA 52301->80 (07:40:50.662 PDT) 208.83.20.164 (07:41:50.982 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 52729->6969 (07:41:50.982 PDT) 91.218.38.132 (2) (07:39:02.207 PDT) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 51304->2710 (07:39:02.207 PDT) ------------------------- event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 51304->2710 (07:39:02.207 PDT) 173.254.227.67 (07:39:52.165 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 51754->43611 (07:39:52.165 PDT) 119.46.206.99 (07:41:04.932 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 52334->16882 (07:41:04.932 PDT) 114.76.26.107 (07:39:44.699 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->55083 (07:39:44.699 PDT) 78.108.159.17 (2) (07:39:45.663 PDT) event=1:2102181 (2) {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:01:64:FF:CE:EA 51720->6881 (07:39:45.663 PDT) 51770->6881 (07:39:55.166 PDT) 77.207.208.215 (07:42:47.249 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->27367 (07:42:47.249 PDT) 95.22.86.53 (07:40:44.468 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->64422 (07:40:44.468 PDT) 119.46.206.74 (07:42:37.947 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 53025->16884 (07:42:37.947 PDT) 198.254.240.15 (07:41:44.469 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->23899 (07:41:44.469 PDT) 219.84.215.235 (07:38:49.646 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 51262->16882 (07:38:49.646 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (07:42:01.002 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 52743->6099 (07:42:01.002 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369579129.646 1369579129.647 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/26/2013 09:42:30.721 PDT Gen. Time: 05/26/2013 09:42:30.721 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (09:42:30.721 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (09:42:30.721 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369586550.721 1369586550.722 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 71.51.47.30, 119.46.206.106, 109.201.148.249, 218.33.227.134, 99.119.244.30, 208.83.20.164, 198.204.245.5 Resource List: Observed Start: 05/26/2013 09:42:30.721 PDT Gen. Time: 05/26/2013 09:45:24.375 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 71.51.47.30 (09:44:24.607 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->54067 (09:44:24.607 PDT) 119.46.206.106 (09:42:34.194 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 56353->16883 (09:42:34.194 PDT) 109.201.148.249 (09:44:01.172 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 56979->2710 (09:44:01.172 PDT) 218.33.227.134 (09:43:24.204 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->49152 (09:43:24.204 PDT) 99.119.244.30 (09:45:24.375 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->13562 (09:45:24.375 PDT) 208.83.20.164 (09:42:31.106 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 56301->6969 (09:42:31.106 PDT) 198.204.245.5 (09:43:47.212 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 56934->28396 (09:43:47.212 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (09:42:30.721 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (09:42:30.721 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369586550.721 1369586550.722 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 109.201.148.249, 85.210.5.35 Resource List: Observed Start: 05/26/2013 11:43:30.093 PDT Gen. Time: 05/26/2013 11:44:20.326 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 109.201.148.249 (11:44:11.166 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 63613->2710 (11:44:11.166 PDT) 85.210.5.35 (11:43:30.093 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->55741 (11:43:30.093 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (11:44:20.326 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 63635->6099 (11:44:20.326 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369593810.093 1369593810.094 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 91.218.38.132 (2), 61.91.88.70, 177.19.153.205, 189.110.46.50, 69.35.66.145, 109.201.148.249, 85.210.5.35, 31.151.72.98, 79.56.255.110, 177.134.196.34 Resource List: Observed Start: 05/26/2013 11:43:30.093 PDT Gen. Time: 05/26/2013 11:47:30.554 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 91.218.38.132 (2) (11:44:32.538 PDT) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 63898->2710 (11:44:32.538 PDT) ------------------------- event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 63898->2710 (11:44:32.538 PDT) 61.91.88.70 (11:45:32.260 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 64317->16884 (11:45:32.260 PDT) 177.19.153.205 (11:44:32.928 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 63901->16883 (11:44:32.928 PDT) 189.110.46.50 (11:44:30.123 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->63557 (11:44:30.123 PDT) 69.35.66.145 (11:46:37.280 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 64833->60254 (11:46:37.280 PDT) 109.201.148.249 (11:44:11.166 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 63613->2710 (11:44:11.166 PDT) 85.210.5.35 (11:43:30.093 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->55741 (11:43:30.093 PDT) 31.151.72.98 (11:47:30.554 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->50169 (11:47:30.554 PDT) 79.56.255.110 (11:45:30.460 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->55984 (11:45:30.460 PDT) 177.134.196.34 (11:46:30.059 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->17491 (11:46:30.059 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (11:44:20.326 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 63635->6099 (11:44:20.326 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369593810.093 1369593810.094 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/26/2013 13:44:40.845 PDT Gen. Time: 05/26/2013 13:44:40.845 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (13:44:40.845 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (13:44:40.845 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369601080.845 1369601080.846 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 197.27.20.237, 178.239.54.160, 86.128.248.44 Resource List: Observed Start: 05/26/2013 13:44:40.845 PDT Gen. Time: 05/26/2013 13:46:23.067 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 197.27.20.237 (13:46:23.067 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->18921 (13:46:23.067 PDT) 178.239.54.160 (13:45:21.179 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 52252->3310 (13:45:21.179 PDT) 86.128.248.44 (13:45:23.451 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->32860 (13:45:23.451 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (13:44:40.845 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (13:44:40.845 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369601080.845 1369601080.846 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 112.156.150.99 Resource List: Observed Start: 05/26/2013 15:46:30.379 PDT Gen. Time: 05/26/2013 15:46:40.392 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 112.156.150.99 (15:46:30.379 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->32792 (15:46:30.379 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (15:46:40.392 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 49788->6099 (15:46:40.392 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369608390.379 1369608390.380 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 176.24.253.50, 82.102.136.166, 85.17.143.16, 83.149.86.133, 171.7.130.6, 122.150.173.48, 78.97.32.44, 112.156.150.99 Resource List: Observed Start: 05/26/2013 15:46:30.379 PDT Gen. Time: 05/26/2013 15:50:30.588 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 176.24.253.50 (15:49:30.215 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->58693 (15:49:30.215 PDT) 82.102.136.166 (15:47:54.379 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 50153->16881 (15:47:54.379 PDT) 85.17.143.16 (15:49:40.603 PDT) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 50880->6969 (15:49:40.603 PDT) 83.149.86.133 (15:49:40.597 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 50881->6969 (15:49:40.597 PDT) 171.7.130.6 (15:49:12.900 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 50598->7547 (15:49:12.900 PDT) 122.150.173.48 (15:47:30.875 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->45449 (15:47:30.875 PDT) 78.97.32.44 (15:48:30.822 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->63139 (15:48:30.822 PDT) 112.156.150.99 (15:46:30.379 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->32792 (15:46:30.379 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (15:46:40.392 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 49788->6099 (15:46:40.392 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369608390.379 1369608390.380 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 189.59.8.105, 178.239.54.160, 61.91.88.99, 77.56.16.122, 99.0.36.64, 201.231.132.171, 208.83.20.164, 189.231.33.126 Resource List: Observed Start: 05/26/2013 17:44:28.783 PDT Gen. Time: 05/26/2013 17:47:40.435 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 189.59.8.105 (17:46:58.322 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 52185->16881 (17:46:58.322 PDT) 178.239.54.160 (17:46:41.195 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 52157->3310 (17:46:41.195 PDT) 61.91.88.99 (17:44:39.022 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 51606->16881 (17:44:39.022 PDT) 77.56.16.122 (17:44:28.783 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6881 (17:44:28.783 PDT) 99.0.36.64 (17:47:29.282 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->39092 (17:47:29.282 PDT) 201.231.132.171 (17:46:29.610 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->31526 (17:46:29.610 PDT) 208.83.20.164 (17:44:40.683 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 51620->6969 (17:44:40.683 PDT) 189.231.33.126 (17:45:29.300 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->38119 (17:45:29.300 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (17:47:40.435 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (17:47:40.435 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369615468.783 1369615468.784 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 99.0.36.64, 208.83.20.164, 201.231.132.171, 61.91.88.99, 201.103.139.239, 189.231.33.126, 178.239.54.160, 189.59.8.105, 77.56.16.122 Resource List: Observed Start: 05/26/2013 17:44:28.783 PDT Gen. Time: 05/26/2013 17:48:29.346 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 99.0.36.64 (17:47:29.282 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->39092 (17:47:29.282 PDT) 208.83.20.164 (17:44:40.683 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 51620->6969 (17:44:40.683 PDT) 201.231.132.171 (17:46:29.610 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->31526 (17:46:29.610 PDT) 61.91.88.99 (17:44:39.022 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 51606->16881 (17:44:39.022 PDT) 201.103.139.239 (17:48:29.346 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->28202 (17:48:29.346 PDT) 189.231.33.126 (17:45:29.300 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->38119 (17:45:29.300 PDT) 178.239.54.160 (17:46:41.195 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 52157->3310 (17:46:41.195 PDT) 189.59.8.105 (17:46:58.322 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 52185->16881 (17:46:58.322 PDT) 77.56.16.122 (17:44:28.783 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6881 (17:44:28.783 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (17:47:40.435 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (17:47:40.435 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369615468.783 1369615468.784 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 90.225.101.72, 180.182.148.172, 166.78.158.73 (3) Resource List: Observed Start: 05/26/2013 19:48:12.989 PDT Gen. Time: 05/26/2013 19:49:21.027 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 90.225.101.72 (19:49:09.401 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6881 (19:49:09.401 PDT) 180.182.148.172 (19:48:12.989 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 52218->51413 (19:48:12.989 PDT) 166.78.158.73 (3) (19:48:41.868 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 52391->80 (19:48:41.868 PDT) ------------------------- event=1:2011699 (2) {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF~%FFn-%05z3PC/%B8%BBV%FF%07%A5] MAC_Src: 00:01:64:FF:CE:EA 52391->80 (19:48:41.868 PDT) 52395->80 (19:48:42.969 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (19:49:21.027 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 52539->6099 (19:49:21.027 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369622892.989 1369622892.990 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 166.78.158.73 (3), 108.7.164.107, 90.225.101.72, 219.84.215.225, 37.153.12.154 (3), 85.17.143.16 (2), 120.150.32.13, 180.182.148.172, 187.104.104.55, 178.239.54.151 Resource List: Observed Start: 05/26/2013 19:48:12.989 PDT Gen. Time: 05/26/2013 19:52:14.484 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 166.78.158.73 (3) (19:48:41.868 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 52391->80 (19:48:41.868 PDT) ------------------------- event=1:2011699 (2) {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF~%FFn-%05z3PC/%B8%BBV%FF%07%A5] MAC_Src: 00:01:64:FF:CE:EA 52391->80 (19:48:41.868 PDT) 52395->80 (19:48:42.969 PDT) 108.7.164.107 (19:51:14.878 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->17344 (19:51:14.878 PDT) 90.225.101.72 (19:49:09.401 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6881 (19:49:09.401 PDT) 219.84.215.225 (19:49:23.949 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 52548->16882 (19:49:23.949 PDT) 37.153.12.154 (3) (19:51:06.041 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 52952->6881 (19:51:06.041 PDT) ------------------------- event=1:2102181 (2) {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:01:64:FF:CE:EA 52952->6881 (19:51:06.041 PDT) 52964->6881 (19:51:16.042 PDT) 85.17.143.16 (2) (19:50:41.104 PDT) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 52854->6969 (19:50:41.104 PDT) ------------------------- event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 52854->6969 (19:50:41.104 PDT) 120.150.32.13 (19:52:14.484 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->52606 (19:52:14.484 PDT) 180.182.148.172 (19:48:12.989 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 52218->51413 (19:48:12.989 PDT) 187.104.104.55 (19:50:13.519 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->14618 (19:50:13.519 PDT) 178.239.54.151 (19:52:01.525 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 53214->2710 (19:52:01.525 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (19:49:21.027 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 52539->6099 (19:49:21.027 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369622892.989 1369622892.990 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 166.78.158.73 (3) Resource List: Observed Start: 05/26/2013 21:49:21.744 PDT Gen. Time: 05/26/2013 21:49:51.099 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 166.78.158.73 (3) (21:49:21.744 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [|%19%B4sa{%DF%16^%87%E6%F3:|E%8B;%E0%D9#L%83%0F%C2@%FB%F8%A1%16%03%E7%C1%AB%C9%B7%96%99%A9%DD%9FH%AD7%95%97%E3%B7%CC0<%9E%81%9F%B5%DB%84%EB%F5T%D6%EF%A62%DC] MAC_Src: 00:01:64:FF:CE:EA 49587->80 (21:49:21.744 PDT) ------------------------- event=1:2011699 (2) {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF~%FFn-%05z3PC/%B8%BBV%FF%07%A5] MAC_Src: 00:01:64:FF:CE:EA 49587->80 (21:49:21.744 PDT) 49588->80 (21:49:22.055 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (21:49:51.099 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (21:49:51.099 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369630161.744 1369630161.745 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 166.78.158.73 (3), 112.156.150.99, 85.17.143.16, 120.150.32.13, 83.149.86.133, 115.70.98.165, 111.90.151.90, 178.239.54.151, 61.91.88.71 Resource List: Observed Start: 05/26/2013 21:49:21.744 PDT Gen. Time: 05/26/2013 21:52:42.850 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 166.78.158.73 (3) (21:49:21.744 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [|%19%B4sa{%DF%16^%87%E6%F3:|E%8B;%E0%D9#L%83%0F%C2@%FB%F8%A1%16%03%E7%C1%AB%C9%B7%96%99%A9%DD%9FH%AD7%95%97%E3%B7%CC0<%9E%81%9F%B5%DB%84%EB%F5T%D6%EF%A62%DC] MAC_Src: 00:01:64:FF:CE:EA 49587->80 (21:49:21.744 PDT) ------------------------- event=1:2011699 (2) {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF~%FFn-%05z3PC/%B8%BBV%FF%07%A5] MAC_Src: 00:01:64:FF:CE:EA 49587->80 (21:49:21.744 PDT) 49588->80 (21:49:22.055 PDT) 112.156.150.99 (21:52:10.391 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->32792 (21:52:10.391 PDT) 85.17.143.16 (21:51:11.339 PDT) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 50037->6969 (21:51:11.339 PDT) 120.150.32.13 (21:50:07.331 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->52606 (21:50:07.331 PDT) 83.149.86.133 (21:51:11.338 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 50038->6969 (21:51:11.338 PDT) 115.70.98.165 (21:51:10.203 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->45275 (21:51:10.203 PDT) 111.90.151.90 (21:50:07.690 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 49803->19201 (21:50:07.690 PDT) 178.239.54.151 (21:52:42.035 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 50531->2710 (21:52:42.035 PDT) 61.91.88.71 (21:52:08.222 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 50334->16881 (21:52:08.222 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (21:49:51.099 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (21:49:51.099 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369630161.744 1369630161.745 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================