Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 24.202.107.125, 50.19.95.119 (2), 77.250.12.152 (2), 190.98.93.207 Resource List: Observed Start: 06/10/2013 00:45:21.277 PDT Gen. Time: 06/10/2013 00:47:10.335 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 24.202.107.125 (00:46:05.005 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->45910 (00:46:05.005 PDT) 50.19.95.119 (2) (00:45:21.277 PDT) event=1:1100017 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 61519->80 (00:45:21.277 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/trac/scrape.php?info_hash=%FF%F9%BAb%1A%FF%A6%FF%FF%97%9B%0F%93%FF%FD] MAC_Src: 00:01:64:FF:CE:EA 61519->80 (00:45:21.277 PDT) 77.250.12.152 (2) (00:45:33.900 PDT) event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 61581->51413 (00:45:33.900 PDT) 61797->51413 (00:46:33.408 PDT) 190.98.93.207 (00:47:06.185 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51413 (00:47:06.185 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (00:47:10.335 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (00:47:10.335 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1370850321.277 1370850321.278 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 24.202.107.125, 50.19.95.119 (2), 91.218.38.132 (2), 77.250.12.152 (3), 41.212.121.253, 37.153.12.154 (2), 190.98.93.207 Resource List: Observed Start: 06/10/2013 00:45:21.277 PDT Gen. Time: 06/10/2013 00:49:10.291 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 24.202.107.125 (00:46:05.005 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->45910 (00:46:05.005 PDT) 50.19.95.119 (2) (00:45:21.277 PDT) event=1:1100017 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 61519->80 (00:45:21.277 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/trac/scrape.php?info_hash=%FF%F9%BAb%1A%FF%A6%FF%FF%97%9B%0F%93%FF%FD] MAC_Src: 00:01:64:FF:CE:EA 61519->80 (00:45:21.277 PDT) 91.218.38.132 (2) (00:47:31.637 PDT) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 62058->2710 (00:47:31.637 PDT) ------------------------- event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 62058->2710 (00:47:31.637 PDT) 77.250.12.152 (3) (00:45:33.900 PDT) event=1:1100012 (3) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 61581->51413 (00:45:33.900 PDT) 61797->51413 (00:46:33.408 PDT) 62387->51413 (00:48:43.210 PDT) 41.212.121.253 (00:48:09.980 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->33560 (00:48:09.980 PDT) 37.153.12.154 (2) (00:48:45.712 PDT) event=1:2102181 (2) {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:01:64:FF:CE:EA 62410->6881 (00:48:45.712 PDT) 62450->6881 (00:48:55.215 PDT) 190.98.93.207 (00:47:06.185 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51413 (00:47:06.185 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (00:47:10.335 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (00:47:10.335 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1370850321.277 1370850321.278 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 92.108.1.95, 50.19.95.119 (2), 180.182.148.172, 174.92.220.4, 77.250.12.152 (2), 109.60.86.58, 219.85.102.171 Resource List: Observed Start: 06/10/2013 02:45:31.213 PDT Gen. Time: 06/10/2013 02:49:00.684 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 92.108.1.95 (02:47:39.356 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->46575 (02:47:39.356 PDT) 50.19.95.119 (2) (02:45:51.570 PDT) event=1:1100017 {tcp} E7[info] P2P torrent scrape tracker request, [h%D8J%F9%B9%AEH%D0llection/36960834/1369897377076675/] MAC_Src: 00:01:64:FF:CE:EA 59820->80 (02:45:51.570 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/trac/scrape.php?info_hash=%FF%F9%BAb%1A%FF%A6%FF%FF%97%9B%0F%93%FF%FD] MAC_Src: 00:01:64:FF:CE:EA 59820->80 (02:45:51.570 PDT) 180.182.148.172 (02:47:58.066 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 60514->51413 (02:47:58.066 PDT) 174.92.220.4 (02:45:37.385 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->10101 (02:45:37.385 PDT) 77.250.12.152 (2) (02:45:31.213 PDT) event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 59710->51413 (02:45:31.213 PDT) 60033->51413 (02:46:34.743 PDT) 109.60.86.58 (02:48:40.854 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->18286 (02:48:40.854 PDT) 219.85.102.171 (02:46:38.289 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->50843 (02:46:38.289 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (02:49:00.684 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 60864->6099 (02:49:00.684 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1370857531.213 1370857531.214 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/10/2013 04:49:10.922 PDT Gen. Time: 06/10/2013 04:49:10.922 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (04:49:10.922 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (04:49:10.922 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1370864950.922 1370864950.923 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 77.250.12.152, 99.241.94.191, 81.62.182.61, 85.17.143.16, 83.149.86.133, 142.162.50.245, 130.208.129.77, 94.242.221.123, 178.239.54.151 Resource List: Observed Start: 06/10/2013 04:49:10.922 PDT Gen. Time: 06/10/2013 04:52:34.709 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 77.250.12.152 (04:49:35.059 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 51608->51413 (04:49:35.059 PDT) 99.241.94.191 (04:52:34.709 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 52715->6890 (04:52:34.709 PDT) 81.62.182.61 (04:50:51.641 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->58560 (04:50:51.641 PDT) 85.17.143.16 (04:50:56.579 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 52118->6969 (04:50:56.579 PDT) 83.149.86.133 (04:50:31.476 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 51885->6969 (04:50:31.476 PDT) 142.162.50.245 (04:52:00.122 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->13570 (04:52:00.122 PDT) 130.208.129.77 (04:49:51.953 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->57471 (04:49:51.953 PDT) 94.242.221.123 (04:51:11.819 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/free/scrape?info_hash=%9D%A2%81%13|%FF%B7%1Ar3%0E%B5%F0O%FF%FA%FF] MAC_Src: 00:01:64:FF:CE:EA 52171->80 (04:51:11.819 PDT) 178.239.54.151 (04:52:11.288 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 52526->2710 (04:52:11.288 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (04:49:10.922 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (04:49:10.922 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1370864950.922 1370864950.923 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 108.181.26.246, 178.239.54.160, 50.19.95.119 (2), 91.218.38.132 (2), 115.132.81.142, 77.250.12.152 (2), 125.201.112.1, 178.117.73.101 Resource List: Observed Start: 06/10/2013 06:46:37.123 PDT Gen. Time: 06/10/2013 06:50:20.479 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 108.181.26.246 (06:48:31.196 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->56980 (06:48:31.196 PDT) 178.239.54.160 (06:47:10.878 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 49985->3310 (06:47:10.878 PDT) 50.19.95.119 (2) (06:47:10.770 PDT) event=1:1100017 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 49986->80 (06:47:10.770 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/trac/scrape.php?info_hash=%FF%F9%BAb%1A%FF%A6%FF%FF%97%9B%0F%93%FF%FD] MAC_Src: 00:01:64:FF:CE:EA 49986->80 (06:47:10.770 PDT) 91.218.38.132 (2) (06:48:57.272 PDT) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 50872->2710 (06:48:57.272 PDT) ------------------------- event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 50872->2710 (06:48:57.272 PDT) 115.132.81.142 (06:47:31.001 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->64874 (06:47:31.001 PDT) 77.250.12.152 (2) (06:46:37.123 PDT) event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 49753->51413 (06:46:37.123 PDT) 50290->51413 (06:47:38.152 PDT) 125.201.112.1 (06:49:07.483 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 50879->13762 (06:49:07.483 PDT) 178.117.73.101 (06:49:31.368 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->36194 (06:49:31.368 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (06:50:20.479 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51255->6099 (06:50:20.479 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1370871997.123 1370871997.124 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 125.201.112.1, 77.250.12.152 (3), 91.218.38.132 (2), 50.19.95.119 (2), 188.87.160.50, 178.239.54.160, 115.132.81.142, 178.117.73.101, 108.181.26.246 Resource List: Observed Start: 06/10/2013 06:46:37.123 PDT Gen. Time: 06/10/2013 06:50:31.051 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 125.201.112.1 (06:49:07.483 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 50879->13762 (06:49:07.483 PDT) 77.250.12.152 (3) (06:46:37.123 PDT) event=1:1100012 (3) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 49753->51413 (06:46:37.123 PDT) 50290->51413 (06:47:38.152 PDT) 51342->51413 (06:50:30.689 PDT) 91.218.38.132 (2) (06:48:57.272 PDT) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 50872->2710 (06:48:57.272 PDT) ------------------------- event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 50872->2710 (06:48:57.272 PDT) 50.19.95.119 (2) (06:47:10.770 PDT) event=1:1100017 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 49986->80 (06:47:10.770 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/trac/scrape.php?info_hash=%FF%F9%BAb%1A%FF%A6%FF%FF%97%9B%0F%93%FF%FD] MAC_Src: 00:01:64:FF:CE:EA 49986->80 (06:47:10.770 PDT) 188.87.160.50 (06:50:31.051 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->30740 (06:50:31.051 PDT) 178.239.54.160 (06:47:10.878 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 49985->3310 (06:47:10.878 PDT) 115.132.81.142 (06:47:31.001 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->64874 (06:47:31.001 PDT) 178.117.73.101 (06:49:31.368 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->36194 (06:49:31.368 PDT) 108.181.26.246 (06:48:31.196 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->56980 (06:48:31.196 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (06:50:20.479 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51255->6099 (06:50:20.479 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1370871997.123 1370871997.124 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 77.248.76.147, 77.250.12.152, 186.36.234.133 Resource List: Observed Start: 06/10/2013 08:49:52.239 PDT Gen. Time: 06/10/2013 08:51:20.536 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 77.248.76.147 (08:50:55.761 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->49754 (08:50:55.761 PDT) 77.250.12.152 (08:50:46.179 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 56970->51413 (08:50:46.179 PDT) 186.36.234.133 (08:49:52.239 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->62927 (08:49:52.239 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (08:51:20.536 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (08:51:20.536 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1370879392.239 1370879392.240 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 188.76.179.14, 85.94.101.223, 77.248.76.147, 178.239.54.151, 94.242.221.123, 77.250.12.152 (3), 186.36.234.133, 83.149.86.133 Resource List: Observed Start: 06/10/2013 08:49:52.239 PDT Gen. Time: 06/10/2013 08:53:51.546 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 188.76.179.14 (08:52:56.536 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->42639 (08:52:56.536 PDT) 85.94.101.223 (08:51:56.183 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->52803 (08:51:56.183 PDT) 77.248.76.147 (08:50:55.761 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->49754 (08:50:55.761 PDT) 178.239.54.151 (08:53:31.544 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 58154->2710 (08:53:31.544 PDT) 94.242.221.123 (08:52:31.032 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/free/scrape?info_hash=%9D%A2%81%13|%FF%B7%1Ar3%0E%B5%F0O%FF%FA%FF] MAC_Src: 00:01:64:FF:CE:EA 57704->80 (08:52:31.032 PDT) 77.250.12.152 (3) (08:50:46.179 PDT) event=1:1100012 (3) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 56970->51413 (08:50:46.179 PDT) 57649->51413 (08:52:28.712 PDT) 58115->51413 (08:53:30.227 PDT) 186.36.234.133 (08:49:52.239 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->62927 (08:49:52.239 PDT) 83.149.86.133 (08:51:40.697 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 57327->6969 (08:51:40.697 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (08:51:20.536 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (08:51:20.536 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1370879392.239 1370879392.240 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 77.250.12.152 (2), 181.134.26.136 Resource List: Observed Start: 06/10/2013 10:50:36.399 PDT Gen. Time: 06/10/2013 10:52:31.247 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 77.250.12.152 (2) (10:50:36.399 PDT) event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 59219->51413 (10:50:36.399 PDT) 59700->51413 (10:51:39.412 PDT) 181.134.26.136 (10:51:31.670 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51413 (10:51:31.670 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (10:52:31.247 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 59976->6099 (10:52:31.247 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1370886636.399 1370886636.400 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 181.47.89.155, 94.242.221.123, 77.250.12.152 (3), 181.134.26.136, 86.49.102.117, 83.149.86.133 Resource List: Observed Start: 06/10/2013 10:50:36.399 PDT Gen. Time: 06/10/2013 10:53:31.664 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 181.47.89.155 (10:52:31.270 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->64476 (10:52:31.270 PDT) 94.242.221.123 (10:53:01.734 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/free/scrape?info_hash=%9D%A2%81%13|%FF%B7%1Ar3%0E%B5%F0O%FF%FA%FF] MAC_Src: 00:01:64:FF:CE:EA 60211->80 (10:53:01.734 PDT) 77.250.12.152 (3) (10:50:36.399 PDT) event=1:1100012 (3) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 59219->51413 (10:50:36.399 PDT) 59700->51413 (10:51:39.412 PDT) 60354->51413 (10:53:26.423 PDT) 181.134.26.136 (10:51:31.670 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51413 (10:51:31.670 PDT) 86.49.102.117 (10:53:31.664 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->49767 (10:53:31.664 PDT) 83.149.86.133 (10:52:31.405 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 59977->6969 (10:52:31.405 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (10:52:31.247 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 59976->6099 (10:52:31.247 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1370886636.399 1370886636.400 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 88.183.13.40, 78.134.75.99, 77.250.12.152, 83.149.86.133, 82.84.89.78 Resource List: Observed Start: 06/10/2013 12:50:32.172 PDT Gen. Time: 06/10/2013 12:53:20.784 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 88.183.13.40 (12:51:32.486 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->49259 (12:51:32.486 PDT) 78.134.75.99 (12:52:32.100 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->58949 (12:52:32.100 PDT) 77.250.12.152 (12:51:44.432 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 50871->51413 (12:51:44.432 PDT) 83.149.86.133 (12:53:01.159 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 51353->6969 (12:53:01.159 PDT) 82.84.89.78 (12:50:32.172 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->39329 (12:50:32.172 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (12:53:20.784 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (12:53:20.784 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1370893832.172 1370893832.173 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 24.202.107.125, 190.244.16.33, 72.11.161.253, 94.242.221.123, 77.250.12.152 (3), 70.77.199.174, 83.149.86.133 Resource List: Observed Start: 06/10/2013 14:51:25.988 PDT Gen. Time: 06/10/2013 14:54:50.884 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 24.202.107.125 (14:51:36.018 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->45910 (14:51:36.018 PDT) 190.244.16.33 (14:53:38.163 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->59605 (14:53:38.163 PDT) 72.11.161.253 (14:52:38.652 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->33462 (14:52:38.652 PDT) 94.242.221.123 (14:54:00.520 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/free/scrape?info_hash=%9D%A2%81%13|%FF%B7%1Ar3%0E%B5%F0O%FF%FA%FF] MAC_Src: 00:01:64:FF:CE:EA 54188->80 (14:54:00.520 PDT) 77.250.12.152 (3) (14:51:25.988 PDT) event=1:1100012 (3) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 53155->51413 (14:51:25.988 PDT) 53731->51413 (14:52:46.987 PDT) 54262->51413 (14:54:24.999 PDT) 70.77.199.174 (14:54:38.758 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->17938 (14:54:38.758 PDT) 83.149.86.133 (14:53:41.186 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 54049->6969 (14:53:41.186 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (14:54:50.884 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 54498->6099 (14:54:50.884 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1370901085.988 1370901085.989 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 77.250.12.152 Resource List: Observed Start: 06/10/2013 16:55:25.827 PDT Gen. Time: 06/10/2013 16:55:40.721 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 77.250.12.152 (16:55:25.827 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 62933->51413 (16:55:25.827 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (16:55:40.721 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (16:55:40.721 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1370908525.827 1370908525.828 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 92.108.1.95, 88.188.134.225, 83.152.88.43, 85.17.143.16 (2), 178.239.54.151, 77.250.12.152 (4), 208.83.20.164, 86.185.206.129 Resource List: Observed Start: 06/10/2013 16:55:25.827 PDT Gen. Time: 06/10/2013 16:59:20.465 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 92.108.1.95 (16:58:20.010 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->46575 (16:58:20.010 PDT) 88.188.134.225 (16:57:20.106 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51413 (16:57:20.106 PDT) 83.152.88.43 (16:59:20.465 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->12432 (16:59:20.465 PDT) 85.17.143.16 (2) (16:57:51.657 PDT) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 63784->6969 (16:57:51.657 PDT) ------------------------- event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 63784->6969 (16:57:51.657 PDT) 178.239.54.151 (16:56:01.037 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 63217->2710 (16:56:01.037 PDT) 77.250.12.152 (4) (16:55:25.827 PDT) event=1:1100012 (4) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 62933->51413 (16:55:25.827 PDT) 63325->51413 (16:56:28.338 PDT) 63688->51413 (16:57:33.837 PDT) 64086->51413 (16:58:43.847 PDT) 208.83.20.164 (16:56:21.251 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%7F%A1%0D%80%BB%FF%86UM8%92%07%BF%FD%9F%FF%FF] MAC_Src: 00:01:64:FF:CE:EA 63255->80 (16:56:21.251 PDT) 86.185.206.129 (16:56:20.633 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->54916 (16:56:20.633 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (16:55:40.721 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (16:55:40.721 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1370908525.827 1370908525.828 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 187.113.162.90, 171.7.99.120, 59.15.78.137, 178.239.54.151, 94.242.221.123, 83.149.86.133, 178.117.73.101 Resource List: Observed Start: 06/10/2013 18:54:51.631 PDT Gen. Time: 06/10/2013 18:57:31.366 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 187.113.162.90 (18:56:26.192 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->17491 (18:56:26.192 PDT) 171.7.99.120 (18:56:01.695 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 51915->7547 (18:56:01.695 PDT) 59.15.78.137 (18:57:30.376 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->12705 (18:57:30.376 PDT) 178.239.54.151 (18:56:41.173 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 52192->2710 (18:56:41.173 PDT) 94.242.221.123 (18:54:51.650 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/free/scrape?info_hash=%9D%A2%81%13|%FF%B7%1Ar3%0E%B5%F0O%FF%FA%FF] MAC_Src: 00:01:64:FF:CE:EA 51608->80 (18:54:51.650 PDT) 83.149.86.133 (18:54:51.631 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 51609->6969 (18:54:51.631 PDT) 178.117.73.101 (18:55:26.566 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->36194 (18:55:26.566 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (18:57:31.366 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 52328->6099 (18:57:31.366 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1370915691.631 1370915691.632 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 77.250.12.152, 59.15.78.137, 202.76.171.12, 83.149.86.133, 94.242.221.123, 171.7.99.120, 187.113.162.90, 178.239.54.151, 178.117.73.101 Resource List: Observed Start: 06/10/2013 18:54:51.631 PDT Gen. Time: 06/10/2013 18:58:31.410 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 77.250.12.152 (18:57:36.915 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 52419->51413 (18:57:36.915 PDT) 59.15.78.137 (18:57:30.376 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->12705 (18:57:30.376 PDT) 202.76.171.12 (18:58:31.410 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->41660 (18:58:31.410 PDT) 83.149.86.133 (18:54:51.631 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 51609->6969 (18:54:51.631 PDT) 94.242.221.123 (18:54:51.650 PDT) event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/free/scrape?info_hash=%9D%A2%81%13|%FF%B7%1Ar3%0E%B5%F0O%FF%FA%FF] MAC_Src: 00:01:64:FF:CE:EA 51608->80 (18:54:51.650 PDT) 171.7.99.120 (18:56:01.695 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 51915->7547 (18:56:01.695 PDT) 187.113.162.90 (18:56:26.192 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->17491 (18:56:26.192 PDT) 178.239.54.151 (18:56:41.173 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 52192->2710 (18:56:41.173 PDT) 178.117.73.101 (18:55:26.566 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->36194 (18:55:26.566 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (18:57:31.366 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 52328->6099 (18:57:31.366 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1370915691.631 1370915691.632 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 190.162.62.79, 178.239.54.151 Resource List: Observed Start: 06/10/2013 20:57:11.255 PDT Gen. Time: 06/10/2013 20:58:10.882 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 190.162.62.79 (20:57:25.618 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->38375 (20:57:25.618 PDT) 178.239.54.151 (20:57:11.255 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 55668->2710 (20:57:11.255 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (20:58:10.882 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (20:58:10.882 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1370923031.255 1370923031.256 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 77.250.12.152, 91.218.38.132 (2), 61.91.88.99, 2.29.153.118, 190.162.62.79, 85.17.143.16 (3), 96.52.54.214, 178.239.54.160, 190.199.162.94, 24.137.74.194, 178.239.54.151 Resource List: Observed Start: 06/10/2013 20:57:11.255 PDT Gen. Time: 06/10/2013 21:01:26.082 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 77.250.12.152 (20:58:24.818 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 55996->51413 (20:58:24.818 PDT) 91.218.38.132 (2) (21:00:06.173 PDT) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 56486->2710 (21:00:06.173 PDT) ------------------------- event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 56486->2710 (21:00:06.173 PDT) 61.91.88.99 (20:59:43.655 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 56457->16881 (20:59:43.655 PDT) 2.29.153.118 (21:01:26.082 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->28109 (21:01:26.082 PDT) 190.162.62.79 (20:57:25.618 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->38375 (20:57:25.618 PDT) 85.17.143.16 (3) (20:59:11.805 PDT) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 56206->6969 (20:59:11.805 PDT) ------------------------- event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 56759->6969 (21:00:51.671 PDT) ------------------------- event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 56206->6969 (20:59:11.805 PDT) 96.52.54.214 (20:58:26.994 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->26300 (20:58:26.994 PDT) 178.239.54.160 (21:00:31.552 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 56611->3310 (21:00:31.552 PDT) 190.199.162.94 (20:59:26.883 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->50414 (20:59:26.883 PDT) 24.137.74.194 (21:00:26.200 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->44822 (21:00:26.200 PDT) 178.239.54.151 (20:57:11.255 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 55668->2710 (20:57:11.255 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (20:58:10.882 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (20:58:10.882 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1370923031.255 1370923031.256 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================