Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/27/2013 03:52:20.321 PDT Gen. Time: 05/27/2013 03:52:20.321 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (03:52:20.321 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 56269->6099 (03:52:20.321 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369651940.321 1369651940.322 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 91.218.38.132 (2), 117.254.254.89, 177.19.153.204, 184.145.100.171, 85.17.143.16, 120.150.32.13, 83.149.86.133, 78.1.171.152, 178.239.54.151 Resource List: Observed Start: 05/27/2013 03:52:20.321 PDT Gen. Time: 05/27/2013 03:56:24.191 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 91.218.38.132 (2) (03:52:32.536 PDT) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 56370->2710 (03:52:32.536 PDT) ------------------------- event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 56370->2710 (03:52:32.536 PDT) 117.254.254.89 (03:55:47.673 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->18048 (03:55:47.673 PDT) 177.19.153.204 (03:55:37.356 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 57026->16881 (03:55:37.356 PDT) 184.145.100.171 (03:54:45.686 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->36795 (03:54:45.686 PDT) 85.17.143.16 (03:53:10.901 PDT) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 56444->6969 (03:53:10.901 PDT) 120.150.32.13 (03:52:44.462 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->52606 (03:52:44.462 PDT) 83.149.86.133 (03:53:10.895 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 56445->6969 (03:53:10.895 PDT) 78.1.171.152 (03:53:45.988 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->38792 (03:53:45.988 PDT) 178.239.54.151 (03:54:31.303 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 56770->2710 (03:54:31.303 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (03:52:20.321 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 56269->6099 (03:52:20.321 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369651940.321 1369651940.322 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 61.91.88.71, 121.7.162.88 Resource List: Observed Start: 05/27/2013 05:52:08.072 PDT Gen. Time: 05/27/2013 05:53:00.611 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 61.91.88.71 (05:52:08.072 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 55724->16881 (05:52:08.072 PDT) 121.7.162.88 (05:52:20.201 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->36174 (05:52:20.201 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (05:53:00.611 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (05:53:00.611 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369659128.072 1369659128.073 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 208.83.20.164 (2), 94.67.92.200, 121.7.162.88, 85.17.143.16, 61.91.88.74, 213.177.0.5, 200.117.108.227, 178.239.54.151, 61.91.88.71 Resource List: Observed Start: 05/27/2013 05:52:08.072 PDT Gen. Time: 05/27/2013 05:56:08.140 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 208.83.20.164 (2) (05:53:10.721 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 56018->80 (05:53:10.721 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FFb]U~@%FF%BDY7%FF%ACW%FFO%A8] MAC_Src: 00:01:64:FF:CE:EA 56018->80 (05:53:10.721 PDT) 94.67.92.200 (05:53:20.343 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->58992 (05:53:20.343 PDT) 121.7.162.88 (05:52:20.201 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->36174 (05:52:20.201 PDT) 85.17.143.16 (05:53:50.956 PDT) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 56269->6969 (05:53:50.956 PDT) 61.91.88.74 (05:56:08.140 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 56885->16884 (05:56:08.140 PDT) 213.177.0.5 (05:54:22.361 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->62084 (05:54:22.361 PDT) 200.117.108.227 (05:55:22.443 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->20433 (05:55:22.443 PDT) 178.239.54.151 (05:55:01.364 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 56553->2710 (05:55:01.364 PDT) 61.91.88.71 (05:52:08.072 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 55724->16881 (05:52:08.072 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (05:53:00.611 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (05:53:00.611 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369659128.072 1369659128.073 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 95.123.186.68, 177.32.99.161, 178.239.54.160, 161.184.225.168, 208.83.20.164 (2), 195.82.146.122 Resource List: Observed Start: 05/27/2013 07:51:11.122 PDT Gen. Time: 05/27/2013 07:54:31.016 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 95.123.186.68 (07:53:14.970 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51413 (07:53:14.970 PDT) 177.32.99.161 (07:52:14.461 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->10506 (07:52:14.461 PDT) 178.239.54.160 (07:51:22.510 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 61960->3310 (07:51:22.510 PDT) 161.184.225.168 (07:54:14.788 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->46384 (07:54:14.788 PDT) 208.83.20.164 (2) (07:53:30.791 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 62657->80 (07:53:30.791 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FFb]U~@%FF%BDY7%FF%ACW%FFO%A8] MAC_Src: 00:01:64:FF:CE:EA 62657->80 (07:53:30.791 PDT) 195.82.146.122 (07:51:11.122 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/ann?uk=jL3CyxuYXA/scrape&info_hash= %FF%92x%FF%1Cw;@%12%FF%F67w%19%9C] MAC_Src: 00:01:64:FF:CE:EA 61931->80 (07:51:11.122 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (07:54:31.016 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 63027->6099 (07:54:31.016 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369666271.122 1369666271.123 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 95.123.186.68, 177.32.99.161, 178.239.54.160, 85.17.143.16, 161.184.225.168, 83.149.86.133, 208.83.20.164 (2), 195.82.146.122 Resource List: Observed Start: 05/27/2013 07:51:11.122 PDT Gen. Time: 05/27/2013 07:55:01.853 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 95.123.186.68 (07:53:14.970 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51413 (07:53:14.970 PDT) 177.32.99.161 (07:52:14.461 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->10506 (07:52:14.461 PDT) 178.239.54.160 (07:51:22.510 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 61960->3310 (07:51:22.510 PDT) 85.17.143.16 (07:54:31.174 PDT) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 63028->6969 (07:54:31.174 PDT) 161.184.225.168 (07:54:14.788 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->46384 (07:54:14.788 PDT) 83.149.86.133 (07:54:31.174 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 63029->6969 (07:54:31.174 PDT) 208.83.20.164 (2) (07:53:30.791 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 62657->80 (07:53:30.791 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FFb]U~@%FF%BDY7%FF%ACW%FFO%A8] MAC_Src: 00:01:64:FF:CE:EA 62657->80 (07:53:30.791 PDT) 195.82.146.122 (07:51:11.122 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/ann?uk=jL3CyxuYXA/scrape&info_hash= %FF%92x%FF%1Cw;@%12%FF%F67w%19%9C] MAC_Src: 00:01:64:FF:CE:EA 61931->80 (07:51:11.122 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (07:54:31.016 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 63027->6099 (07:54:31.016 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369666271.122 1369666271.123 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 61.91.88.71, 74.59.143.54 (2), 188.50.159.160, 208.83.20.164 (4) Resource List: Observed Start: 05/27/2013 09:52:05.490 PDT Gen. Time: 05/27/2013 09:55:00.919 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 61.91.88.71 (09:52:08.314 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 55356->16881 (09:52:08.314 PDT) 74.59.143.54 (2) (09:52:05.490 PDT-09:54:05.658 PDT) event=1:1100013 (2) {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 2: 51413->45970 (09:52:05.490 PDT-09:54:05.658 PDT) 188.50.159.160 (09:53:05.368 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->27315 (09:53:05.368 PDT) 208.83.20.164 (4) (09:53:41.322 PDT) event=1:1100016 (2) {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 55957->80 (09:53:41.322 PDT) 56327->80 (09:54:41.613 PDT) ------------------------- event=1:2011699 (2) {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FFb]U~@%FF%BDY7%FF%ACW%FFO%A8] MAC_Src: 00:01:64:FF:CE:EA 55957->80 (09:53:41.322 PDT) 56327->80 (09:54:41.613 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (09:55:00.919 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (09:55:00.919 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369673525.490 1369673645.659 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 61.91.88.71, 115.87.163.227, 74.59.143.54 (2), 61.91.88.62, 85.17.143.16, 75.76.188.47, 188.50.159.160, 208.83.20.164 (4) Resource List: Observed Start: 05/27/2013 09:52:05.490 PDT Gen. Time: 05/27/2013 09:56:06.280 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 61.91.88.71 (09:52:08.314 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 55356->16881 (09:52:08.314 PDT) 115.87.163.227 (09:55:06.412 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->43244 (09:55:06.412 PDT) 74.59.143.54 (2) (09:52:05.490 PDT-09:54:05.658 PDT) event=1:1100013 (2) {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 2: 51413->45970 (09:52:05.490 PDT-09:54:05.658 PDT) 61.91.88.62 (09:55:32.634 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 56636->16881 (09:55:32.634 PDT) 85.17.143.16 (09:55:11.849 PDT) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 56394->6969 (09:55:11.849 PDT) 75.76.188.47 (09:56:06.280 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->50921 (09:56:06.280 PDT) 188.50.159.160 (09:53:05.368 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->27315 (09:53:05.368 PDT) 208.83.20.164 (4) (09:53:41.322 PDT) event=1:1100016 (2) {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 55957->80 (09:53:41.322 PDT) 56327->80 (09:54:41.613 PDT) ------------------------- event=1:2011699 (2) {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FFb]U~@%FF%BDY7%FF%ACW%FFO%A8] MAC_Src: 00:01:64:FF:CE:EA 55957->80 (09:53:41.322 PDT) 56327->80 (09:54:41.613 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (09:55:00.919 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (09:55:00.919 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369673525.490 1369673645.659 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 85.17.143.16, 188.173.208.180, 110.136.220.235, 166.78.158.73 Resource List: Observed Start: 05/27/2013 11:55:22.405 PDT Gen. Time: 05/27/2013 11:56:31.076 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 85.17.143.16 (11:55:41.172 PDT) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 56304->6969 (11:55:41.172 PDT) 188.173.208.180 (11:55:22.405 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->15319 (11:55:22.405 PDT) 110.136.220.235 (11:56:23.139 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->45682 (11:56:23.139 PDT) 166.78.158.73 (11:56:11.602 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 56388->6969 (11:56:11.602 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (11:56:31.076 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 56515->6099 (11:56:31.076 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369680922.405 1369680922.406 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 188.76.179.14, 119.46.206.39, 85.17.143.16, 188.173.208.180, 95.180.90.3, 187.163.1.166, 110.136.220.235, 166.78.158.73 Resource List: Observed Start: 05/27/2013 11:55:22.405 PDT Gen. Time: 05/27/2013 11:59:24.928 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 188.76.179.14 (11:58:24.333 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->42639 (11:58:24.333 PDT) 119.46.206.39 (11:57:59.740 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 57113->16881 (11:57:59.740 PDT) 85.17.143.16 (11:55:41.172 PDT) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 56304->6969 (11:55:41.172 PDT) 188.173.208.180 (11:55:22.405 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->15319 (11:55:22.405 PDT) 95.180.90.3 (11:59:24.928 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->55437 (11:59:24.928 PDT) 187.163.1.166 (11:57:24.035 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->62397 (11:57:24.035 PDT) 110.136.220.235 (11:56:23.139 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->45682 (11:56:23.139 PDT) 166.78.158.73 (11:56:11.602 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 56388->6969 (11:56:11.602 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (11:56:31.076 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 56515->6099 (11:56:31.076 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369680922.405 1369680922.406 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 166.78.158.73, 177.189.9.237 Resource List: Observed Start: 05/27/2013 13:56:59.608 PDT Gen. Time: 05/27/2013 13:57:10.323 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 166.78.158.73 (13:57:02.460 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 54293->6969 (13:57:02.460 PDT) 177.189.9.237 (13:56:59.608 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->62348 (13:56:59.608 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (13:57:10.323 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (13:57:10.323 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369688219.608 1369688219.609 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 190.231.87.121, 201.160.192.130, 74.59.143.54, 173.11.243.162, 166.78.158.73 (4), 92.43.227.18, 177.189.9.237 Resource List: Observed Start: 05/27/2013 13:56:59.608 PDT Gen. Time: 05/27/2013 14:01:06.148 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 190.231.87.121 (13:57:59.720 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->20433 (13:57:59.720 PDT) 201.160.192.130 (13:59:03.236 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->15326 (13:59:03.236 PDT) 74.59.143.54 (14:00:05.205 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->45970 (14:00:05.205 PDT) 173.11.243.162 (14:01:06.148 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51413 (14:01:06.148 PDT) 166.78.158.73 (4) (13:57:02.460 PDT) event=1:1100016 (2) {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 54293->6969 (13:57:02.460 PDT) 54637->80 (13:58:02.294 PDT) ------------------------- event=1:2011699 (2) {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF~%FFn-%05z3PC/%B8%BBV%FF%07%A5] MAC_Src: 00:01:64:FF:CE:EA 54636->80 (13:58:01.164 PDT) 54637->80 (13:58:02.294 PDT) 92.43.227.18 (13:59:42.363 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 55229->58196 (13:59:42.363 PDT) 177.189.9.237 (13:56:59.608 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->62348 (13:56:59.608 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (13:57:10.323 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (13:57:10.323 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369688219.608 1369688219.609 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 142.162.50.245, 91.218.38.132, 85.17.143.16, 166.78.158.73 (3), 93.97.234.142, 187.163.1.166 Resource List: Observed Start: 05/27/2013 15:56:25.287 PDT Gen. Time: 05/27/2013 15:58:51.448 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 142.162.50.245 (15:58:26.269 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->13570 (15:58:26.269 PDT) 91.218.38.132 (15:57:01.266 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 60338->2710 (15:57:01.266 PDT) 85.17.143.16 (15:56:40.878 PDT) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 60279->6969 (15:56:40.878 PDT) 166.78.158.73 (3) (15:58:41.216 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [/favicon.ico] MAC_Src: 00:01:64:FF:CE:EA 60997->80 (15:58:41.216 PDT) ------------------------- event=1:2011699 (2) {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF~%FFn-%05z3PC/%B8%BBV%FF%07%A5] MAC_Src: 00:01:64:FF:CE:EA 60997->80 (15:58:41.216 PDT) 60998->80 (15:58:42.396 PDT) 93.97.234.142 (15:57:26.258 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->31269 (15:57:26.258 PDT) 187.163.1.166 (15:56:25.287 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->62397 (15:56:25.287 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (15:58:51.448 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 61042->6099 (15:58:51.448 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369695385.287 1369695385.288 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 70.77.128.204, 166.78.158.73 (3), 91.218.38.132, 93.97.234.142, 85.17.143.16, 124.8.223.81, 187.163.1.166, 142.162.50.245, 190.130.13.251 Resource List: Observed Start: 05/27/2013 15:56:25.287 PDT Gen. Time: 05/27/2013 16:00:26.190 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 70.77.128.204 (16:00:26.190 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->59315 (16:00:26.190 PDT) 166.78.158.73 (3) (15:58:41.216 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [/favicon.ico] MAC_Src: 00:01:64:FF:CE:EA 60997->80 (15:58:41.216 PDT) ------------------------- event=1:2011699 (2) {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF~%FFn-%05z3PC/%B8%BBV%FF%07%A5] MAC_Src: 00:01:64:FF:CE:EA 60997->80 (15:58:41.216 PDT) 60998->80 (15:58:42.396 PDT) 91.218.38.132 (15:57:01.266 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 60338->2710 (15:57:01.266 PDT) 93.97.234.142 (15:57:26.258 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->31269 (15:57:26.258 PDT) 85.17.143.16 (15:56:40.878 PDT) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 60279->6969 (15:56:40.878 PDT) 124.8.223.81 (16:00:03.562 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 61402->16883 (16:00:03.562 PDT) 187.163.1.166 (15:56:25.287 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->62397 (15:56:25.287 PDT) 142.162.50.245 (15:58:26.269 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->13570 (15:58:26.269 PDT) 190.130.13.251 (15:59:26.393 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->34170 (15:59:26.393 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (15:58:51.448 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 61042->6099 (15:58:51.448 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369695385.287 1369695385.288 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/27/2013 17:59:50.734 PDT Gen. Time: 05/27/2013 17:59:50.734 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (17:59:50.734 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (17:59:50.734 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369702790.734 1369702790.735 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 79.119.87.105, 61.91.88.136, 117.254.254.89, 98.242.100.94, 203.113.15.54, 208.83.20.164 (2) Resource List: Observed Start: 05/27/2013 17:59:50.734 PDT Gen. Time: 05/27/2013 18:03:08.260 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 79.119.87.105 (18:02:23.034 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->42157 (18:02:23.034 PDT) 61.91.88.136 (18:02:32.143 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 60748->16884 (18:02:32.143 PDT) 117.254.254.89 (18:01:23.793 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->40329 (18:01:23.793 PDT) 98.242.100.94 (18:00:23.957 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->48603 (18:00:23.957 PDT) 203.113.15.54 (18:00:37.108 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 60283->16881 (18:00:37.108 PDT) 208.83.20.164 (2) (18:02:00.980 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 60568->80 (18:02:00.980 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FFb]U~@%FF%BDY7%FF%ACW%FFO%A8] MAC_Src: 00:01:64:FF:CE:EA 60568->80 (18:02:00.980 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (17:59:50.734 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (17:59:50.734 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369702790.734 1369702790.735 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 195.82.146.122, 166.78.158.73, 208.83.20.164 (2), 69.35.66.145, 24.71.230.123, 190.160.2.131, 85.17.143.16, 201.251.97.214, 174.20.173.20, 177.134.196.34 Resource List: Observed Start: 05/27/2013 19:57:31.707 PDT Gen. Time: 05/27/2013 20:01:01.309 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 195.82.146.122 (19:57:31.707 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/ann?uk=jL3CyxuYXA/scrape&info_hash= %FF%92x%FF%1Cw;@%12%FF%F67w%19%9C] MAC_Src: 00:01:64:FF:CE:EA 57725->80 (19:57:31.707 PDT) 166.78.158.73 (19:58:50.982 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 58025->6969 (19:58:50.982 PDT) 208.83.20.164 (2) (19:57:40.967 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [/docs/NIST Guide to Supervisory and Data Acquisition-SCADA and Industrial Control Systems Security (2007).pdf] MAC_Src: 00:01:64:FF:CE:EA 57762->80 (19:57:40.967 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%81%B4[0%BAx%FF%8C%FF%FF%FF%FD%01%A0S%FF] MAC_Src: 00:01:64:FF:CE:EA 57762->80 (19:57:40.967 PDT) 69.35.66.145 (19:58:56.265 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 58038->60254 (19:58:56.265 PDT) 24.71.230.123 (20:00:18.061 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->11596 (20:00:18.061 PDT) 190.160.2.131 (20:00:30.436 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 58493->16881 (20:00:30.436 PDT) 85.17.143.16 (19:57:51.143 PDT) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 57794->6969 (19:57:51.143 PDT) 201.251.97.214 (19:57:53.956 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 57800->16881 (19:57:53.956 PDT) 174.20.173.20 (19:58:18.291 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->33363 (19:58:18.291 PDT) 177.134.196.34 (19:59:18.202 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->17491 (19:59:18.202 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (20:01:01.309 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 58603->6099 (20:01:01.309 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369709851.707 1369709851.708 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 195.82.146.122, 166.78.158.73, 208.83.20.164 (2), 69.35.66.145, 201.214.174.212, 24.71.230.123, 190.160.2.131, 85.17.143.16, 201.251.97.214, 174.20.173.20, 177.134.196.34 Resource List: Observed Start: 05/27/2013 19:57:31.707 PDT Gen. Time: 05/27/2013 20:01:18.838 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 195.82.146.122 (19:57:31.707 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/ann?uk=jL3CyxuYXA/scrape&info_hash= %FF%92x%FF%1Cw;@%12%FF%F67w%19%9C] MAC_Src: 00:01:64:FF:CE:EA 57725->80 (19:57:31.707 PDT) 166.78.158.73 (19:58:50.982 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 58025->6969 (19:58:50.982 PDT) 208.83.20.164 (2) (19:57:40.967 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [/docs/NIST Guide to Supervisory and Data Acquisition-SCADA and Industrial Control Systems Security (2007).pdf] MAC_Src: 00:01:64:FF:CE:EA 57762->80 (19:57:40.967 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%81%B4[0%BAx%FF%8C%FF%FF%FF%FD%01%A0S%FF] MAC_Src: 00:01:64:FF:CE:EA 57762->80 (19:57:40.967 PDT) 69.35.66.145 (19:58:56.265 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 58038->60254 (19:58:56.265 PDT) 201.214.174.212 (20:01:18.838 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->44822 (20:01:18.838 PDT) 24.71.230.123 (20:00:18.061 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->11596 (20:00:18.061 PDT) 190.160.2.131 (20:00:30.436 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 58493->16881 (20:00:30.436 PDT) 85.17.143.16 (19:57:51.143 PDT) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 57794->6969 (19:57:51.143 PDT) 201.251.97.214 (19:57:53.956 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 57800->16881 (19:57:53.956 PDT) 174.20.173.20 (19:58:18.291 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->33363 (19:58:18.291 PDT) 177.134.196.34 (19:59:18.202 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->17491 (19:59:18.202 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (20:01:01.309 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 58603->6099 (20:01:01.309 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369709851.707 1369709851.708 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 126.91.113.44 Resource List: Observed Start: 05/27/2013 22:01:09.940 PDT Gen. Time: 05/27/2013 22:01:40.223 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 126.91.113.44 (22:01:09.940 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->60199 (22:01:09.940 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (22:01:40.223 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (22:01:40.223 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369717269.940 1369717269.941 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 2.230.52.152, 126.91.113.44, 216.221.72.112, 192.0.149.205, 85.17.143.16, 60.226.113.71, 208.83.20.164 (4) Resource List: Observed Start: 05/27/2013 22:01:09.940 PDT Gen. Time: 05/27/2013 22:05:11.169 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 2.230.52.152 (22:02:23.154 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 53860->51413 (22:02:23.154 PDT) 126.91.113.44 (22:01:09.940 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->60199 (22:01:09.940 PDT) 216.221.72.112 (22:04:10.242 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->28380 (22:04:10.242 PDT) 192.0.149.205 (22:02:09.103 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->42014 (22:02:09.103 PDT) 85.17.143.16 (22:03:41.175 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 54189->6969 (22:03:41.175 PDT) 60.226.113.71 (22:03:10.111 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->22579 (22:03:10.111 PDT) 208.83.20.164 (4) (22:03:00.608 PDT) event=1:1100016 (2) {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 54044->80 (22:03:00.608 PDT) 54238->80 (22:04:01.011 PDT) ------------------------- event=1:2011699 (2) {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FFb]U~@%FF%BDY7%FF%ACW%FFO%A8] MAC_Src: 00:01:64:FF:CE:EA 54044->80 (22:03:00.608 PDT) 54238->80 (22:04:01.011 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (22:01:40.223 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (22:01:40.223 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1369717269.940 1369717269.941 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================