Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 2.89.209.104, 77.250.12.152 Resource List: Observed Start: 06/19/2013 00:45:40.132 PDT Gen. Time: 06/19/2013 00:47:01.939 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 2.89.209.104 (00:46:27.037 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->57243 (00:46:27.037 PDT) 77.250.12.152 (00:45:40.132 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 51714->51413 (00:45:40.132 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (00:47:01.939 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 52062->6099 (00:47:01.939 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1371627940.132 1371627940.133 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 98.113.16.190, 2.89.209.104, 77.250.12.152 (2), 82.19.10.53, 199.59.243.109 (2), 109.152.113.15 Resource List: Observed Start: 06/19/2013 00:45:40.132 PDT Gen. Time: 06/19/2013 00:49:27.161 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 98.113.16.190 (00:48:27.603 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->60260 (00:48:27.603 PDT) 2.89.209.104 (00:46:27.037 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->57243 (00:46:27.037 PDT) 77.250.12.152 (2) (00:45:40.132 PDT) event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 51714->51413 (00:45:40.132 PDT) 52249->51413 (00:47:43.618 PDT) 82.19.10.53 (00:49:27.161 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->64050 (00:49:27.161 PDT) 199.59.243.109 (2) (00:48:30.077 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 52425->80 (00:48:30.077 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF9%FFW%97%12%FFV%1B%A0%A8%0C%16Q%02%0D%A2] MAC_Src: 00:01:64:FF:CE:EA 52425->80 (00:48:30.077 PDT) 109.152.113.15 (00:47:27.104 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->54916 (00:47:27.104 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (00:47:01.939 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 52062->6099 (00:47:01.939 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1371627940.132 1371627940.133 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 150.101.100.2, 71.229.210.230, 77.250.12.152 (2), 86.176.141.222 Resource List: Observed Start: 06/19/2013 02:44:27.867 PDT Gen. Time: 06/19/2013 02:47:30.716 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 150.101.100.2 (02:46:29.459 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->60053 (02:46:29.459 PDT) 71.229.210.230 (02:45:27.622 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->24092 (02:45:27.622 PDT) 77.250.12.152 (2) (02:44:30.261 PDT) event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 53745->51413 (02:44:30.261 PDT) 54336->51413 (02:46:32.295 PDT) 86.176.141.222 (02:44:27.867 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->47729 (02:44:27.867 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (02:47:30.716 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (02:47:30.716 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1371635067.867 1371635067.868 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 150.101.100.2, 71.229.210.230 (2), 142.134.214.253, 77.250.12.152 (2), 86.176.141.222, 114.101.149.178 Resource List: Observed Start: 06/19/2013 02:44:27.867 PDT Gen. Time: 06/19/2013 02:48:32.628 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 150.101.100.2 (02:46:29.459 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->60053 (02:46:29.459 PDT) 71.229.210.230 (2) (02:45:27.622 PDT-02:48:32.628 PDT) event=1:1100013 (2) {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 2: 51413->24092 (02:45:27.622 PDT-02:48:32.628 PDT) 142.134.214.253 (02:47:31.078 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->48431 (02:47:31.078 PDT) 77.250.12.152 (2) (02:44:30.261 PDT) event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 53745->51413 (02:44:30.261 PDT) 54336->51413 (02:46:32.295 PDT) 86.176.141.222 (02:44:27.867 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->47729 (02:44:27.867 PDT) 114.101.149.178 (02:47:34.309 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 54657->22589 (02:47:34.309 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (02:47:30.716 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (02:47:30.716 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1371635067.867 1371635312.629 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 92.108.1.95, 77.250.12.152 (2), 83.77.205.156, 176.32.193.173 Resource List: Observed Start: 06/19/2013 04:46:27.983 PDT Gen. Time: 06/19/2013 04:49:11.510 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 92.108.1.95 (04:47:27.915 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->46575 (04:47:27.915 PDT) 77.250.12.152 (2) (04:46:37.823 PDT) event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 58569->51413 (04:46:37.823 PDT) 59045->51413 (04:48:28.359 PDT) 83.77.205.156 (04:48:30.211 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6881 (04:48:30.211 PDT) 176.32.193.173 (04:46:27.983 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51413 (04:46:27.983 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (04:49:11.510 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 59220->6099 (04:49:11.510 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1371642387.983 1371642387.984 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 92.108.1.95, 91.218.38.132 (2), 177.32.193.130, 68.192.44.64, 77.250.12.152 (2), 83.77.205.156, 199.59.243.109, 176.32.193.173 Resource List: Observed Start: 06/19/2013 04:46:27.983 PDT Gen. Time: 06/19/2013 04:50:30.747 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 92.108.1.95 (04:47:27.915 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->46575 (04:47:27.915 PDT) 91.218.38.132 (2) (04:49:37.837 PDT) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 59426->2710 (04:49:37.837 PDT) ------------------------- event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 59426->2710 (04:49:37.837 PDT) 177.32.193.130 (04:50:30.747 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->62943 (04:50:30.747 PDT) 68.192.44.64 (04:49:30.686 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->54647 (04:49:30.686 PDT) 77.250.12.152 (2) (04:46:37.823 PDT) event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 58569->51413 (04:46:37.823 PDT) 59045->51413 (04:48:28.359 PDT) 83.77.205.156 (04:48:30.211 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6881 (04:48:30.211 PDT) 199.59.243.109 (04:49:21.584 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 59246->80 (04:49:21.584 PDT) 176.32.193.173 (04:46:27.983 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51413 (04:46:27.983 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (04:49:11.510 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 59220->6099 (04:49:11.510 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1371642387.983 1371642387.984 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 197.35.8.97, 77.250.12.152, 41.250.214.215 Resource List: Observed Start: 06/19/2013 06:47:38.693 PDT Gen. Time: 06/19/2013 06:49:20.847 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 197.35.8.97 (06:48:39.320 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->29733 (06:48:39.320 PDT) 77.250.12.152 (06:48:42.188 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 63839->51413 (06:48:42.188 PDT) 41.250.214.215 (06:47:38.693 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->64751 (06:47:38.693 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (06:49:20.847 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (06:49:20.847 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1371649658.693 1371649658.694 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 24.202.107.125, 112.198.200.207, 123.110.141.189, 197.35.8.97, 77.250.12.152, 41.250.214.215, 41.226.129.231, 199.59.243.109 Resource List: Observed Start: 06/19/2013 06:47:38.693 PDT Gen. Time: 06/19/2013 06:51:42.923 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 24.202.107.125 (06:50:39.870 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->45910 (06:50:39.870 PDT) 112.198.200.207 (06:51:42.923 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->22865 (06:51:42.923 PDT) 123.110.141.189 (06:50:54.041 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 64633->16881 (06:50:54.041 PDT) 197.35.8.97 (06:48:39.320 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->29733 (06:48:39.320 PDT) 77.250.12.152 (06:48:42.188 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 63839->51413 (06:48:42.188 PDT) 41.250.214.215 (06:47:38.693 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->64751 (06:47:38.693 PDT) 41.226.129.231 (06:49:39.024 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->15476 (06:49:39.024 PDT) 199.59.243.109 (06:49:41.082 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 64216->80 (06:49:41.082 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (06:49:20.847 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (06:49:20.847 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1371649658.693 1371649658.694 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 116.88.84.172, 119.46.206.84, 24.54.226.24, 199.59.243.109 Resource List: Observed Start: 06/19/2013 08:49:35.711 PDT Gen. Time: 06/19/2013 08:51:00.550 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 116.88.84.172 (08:50:35.954 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->32791 (08:50:35.954 PDT) 119.46.206.84 (08:49:49.299 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 64039->16884 (08:49:49.299 PDT) 24.54.226.24 (08:49:35.711 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->34742 (08:49:35.711 PDT) 199.59.243.109 (08:50:20.488 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 64237->80 (08:50:20.488 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (08:51:00.550 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 64491->6099 (08:51:00.550 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1371656975.711 1371656975.712 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 85.23.24.123, 77.250.12.152, 91.218.38.132 (2), 122.150.47.239, 46.40.112.25, 119.46.206.84, 116.88.84.172, 24.54.226.24, 98.113.16.190, 199.59.243.109, 178.239.54.151 Resource List: Observed Start: 06/19/2013 08:49:35.711 PDT Gen. Time: 06/19/2013 08:53:36.452 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 85.23.24.123 (08:53:36.452 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->49437 (08:53:36.452 PDT) 77.250.12.152 (08:51:29.002 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 64679->51413 (08:51:29.002 PDT) 91.218.38.132 (2) (08:52:39.545 PDT) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 65286->2710 (08:52:39.545 PDT) ------------------------- event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 65286->2710 (08:52:39.545 PDT) 122.150.47.239 (08:51:35.079 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->47851 (08:51:35.079 PDT) 46.40.112.25 (08:52:29.340 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 65111->38130 (08:52:29.340 PDT) 119.46.206.84 (08:49:49.299 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 64039->16884 (08:49:49.299 PDT) 116.88.84.172 (08:50:35.954 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->32791 (08:50:35.954 PDT) 24.54.226.24 (08:49:35.711 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->34742 (08:49:35.711 PDT) 98.113.16.190 (08:52:36.677 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->60260 (08:52:36.677 PDT) 199.59.243.109 (08:50:20.488 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 64237->80 (08:50:20.488 PDT) 178.239.54.151 (08:52:31.180 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 65151->2710 (08:52:31.180 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (08:51:00.550 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 64491->6099 (08:51:00.550 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1371656975.711 1371656975.712 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 119.46.206.28, 82.35.148.186, 123.110.141.189, 200.24.16.223, 166.78.158.73, 88.170.98.241, 199.59.243.109 (2), 122.107.57.45 Resource List: Observed Start: 06/19/2013 10:48:39.095 PDT Gen. Time: 06/19/2013 10:52:00.226 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 119.46.206.28 (10:51:50.147 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 52569->16884 (10:51:50.147 PDT) 82.35.148.186 (10:50:28.349 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->8080 (10:50:28.349 PDT) 123.110.141.189 (10:50:01.115 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 51644->16881 (10:50:01.115 PDT) 200.24.16.223 (10:51:28.244 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->16758 (10:51:28.244 PDT) 166.78.158.73 (10:49:20.807 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 51311->6969 (10:49:20.807 PDT) 88.170.98.241 (10:48:39.095 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 51091->6890 (10:48:39.095 PDT) 199.59.243.109 (2) (10:50:50.620 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 52111->80 (10:50:50.620 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF9%FFW%97%12%FFV%1B%A0%A8%0C%16Q%02%0D%A2] MAC_Src: 00:01:64:FF:CE:EA 52111->80 (10:50:50.620 PDT) 122.107.57.45 (10:49:27.007 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->44143 (10:49:27.007 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (10:52:00.226 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (10:52:00.226 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1371664119.095 1371664119.096 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 166.78.158.73, 46.120.83.95, 123.110.141.189, 200.24.16.223, 122.107.57.45, 119.46.206.28, 88.170.98.241, 199.59.243.109 (2), 82.35.148.186 Resource List: Observed Start: 06/19/2013 10:48:39.095 PDT Gen. Time: 06/19/2013 10:52:29.023 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 166.78.158.73 (10:49:20.807 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 51311->6969 (10:49:20.807 PDT) 46.120.83.95 (10:52:29.023 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->49364 (10:52:29.023 PDT) 123.110.141.189 (10:50:01.115 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 51644->16881 (10:50:01.115 PDT) 200.24.16.223 (10:51:28.244 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->16758 (10:51:28.244 PDT) 122.107.57.45 (10:49:27.007 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->44143 (10:49:27.007 PDT) 119.46.206.28 (10:51:50.147 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 52569->16884 (10:51:50.147 PDT) 88.170.98.241 (10:48:39.095 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 51091->6890 (10:48:39.095 PDT) 199.59.243.109 (2) (10:50:50.620 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 52111->80 (10:50:50.620 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF9%FFW%97%12%FFV%1B%A0%A8%0C%16Q%02%0D%A2] MAC_Src: 00:01:64:FF:CE:EA 52111->80 (10:50:50.620 PDT) 82.35.148.186 (10:50:28.349 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->8080 (10:50:28.349 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (10:52:00.226 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (10:52:00.226 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1371664119.095 1371664119.096 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 91.218.38.132 Resource List: Observed Start: 06/19/2013 12:53:15.770 PDT Gen. Time: 06/19/2013 12:53:30.966 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 91.218.38.132 (12:53:15.770 PDT) event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 58117->2710 (12:53:15.770 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (12:53:30.966 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 58213->6099 (12:53:30.966 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1371671595.770 1371671595.771 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 77.250.12.152 (2), 187.59.245.157, 91.218.38.132 (2), 83.149.86.133, 2.29.152.211, 190.160.2.22, 178.239.54.153, 66.186.67.122, 201.141.135.193 Resource List: Observed Start: 06/19/2013 12:53:15.770 PDT Gen. Time: 06/19/2013 12:57:31.206 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 77.250.12.152 (2) (12:53:37.228 PDT) event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 58299->51413 (12:53:37.228 PDT) 59740->51413 (12:56:34.769 PDT) 187.59.245.157 (12:53:51.813 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->17491 (12:53:51.813 PDT) 91.218.38.132 (2) (12:53:15.770 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 60127->2710 (12:57:31.206 PDT) ------------------------- event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 58117->2710 (12:53:15.770 PDT) 83.149.86.133 (12:55:11.490 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 58987->6969 (12:55:11.490 PDT) 2.29.152.211 (12:56:54.881 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->28109 (12:56:54.881 PDT) 190.160.2.22 (12:54:46.704 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 58798->16883 (12:54:46.704 PDT) 178.239.54.153 (12:56:31.183 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 59672->3310 (12:56:31.183 PDT) 66.186.67.122 (12:54:54.728 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->23306 (12:54:54.728 PDT) 201.141.135.193 (12:55:54.995 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->12295 (12:55:54.995 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (12:53:30.966 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 58213->6099 (12:53:30.966 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1371671595.770 1371671595.771 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 178.239.54.151, 89.103.147.109 Resource List: Observed Start: 06/19/2013 14:53:52.197 PDT Gen. Time: 06/19/2013 14:54:20.833 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 178.239.54.151 (14:54:11.779 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 58833->2710 (14:54:11.779 PDT) 89.103.147.109 (14:53:52.197 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->14387 (14:53:52.197 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (14:54:20.833 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (14:54:20.833 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1371678832.197 1371678832.198 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 77.250.12.152, 109.78.226.152, 178.239.54.151, 89.103.147.109, 83.101.72.75, 94.168.133.99, 83.149.86.133, 82.1.74.144 (2) Resource List: Observed Start: 06/19/2013 14:53:52.197 PDT Gen. Time: 06/19/2013 14:56:52.719 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 77.250.12.152 (14:56:39.695 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 60057->51413 (14:56:39.695 PDT) 109.78.226.152 (14:54:52.263 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->14622 (14:54:52.263 PDT) 178.239.54.151 (14:54:11.779 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 58833->2710 (14:54:11.779 PDT) 89.103.147.109 (14:53:52.197 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->14387 (14:53:52.197 PDT) 83.101.72.75 (14:56:52.719 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51413 (14:56:52.719 PDT) 94.168.133.99 (14:55:52.923 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->20833 (14:55:52.923 PDT) 83.149.86.133 (14:55:41.159 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 59591->6969 (14:55:41.159 PDT) 82.1.74.144 (2) (14:54:21.652 PDT) event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 58883->6890 (14:54:21.652 PDT) 59417->6890 (14:55:32.189 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (14:54:20.833 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (14:54:20.833 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1371678832.197 1371678832.198 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 2.230.52.152 (2), 112.198.200.207, 178.239.54.151, 77.250.12.152, 177.189.22.129, 83.77.205.156, 197.35.1.164 Resource List: Observed Start: 06/19/2013 16:52:33.938 PDT Gen. Time: 06/19/2013 16:55:41.180 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 2.230.52.152 (2) (16:53:40.041 PDT) event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 57862->51413 (16:53:40.041 PDT) 58301->51413 (16:55:11.041 PDT) 112.198.200.207 (16:53:33.082 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->22865 (16:53:33.082 PDT) 178.239.54.151 (16:55:01.002 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 58220->2710 (16:55:01.002 PDT) 77.250.12.152 (16:52:40.475 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 57538->51413 (16:52:40.475 PDT) 177.189.22.129 (16:52:33.938 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->62348 (16:52:33.938 PDT) 83.77.205.156 (16:55:33.903 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6881 (16:55:33.903 PDT) 197.35.1.164 (16:54:33.954 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->29733 (16:54:33.954 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (16:55:41.180 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 58536->6099 (16:55:41.180 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1371685953.938 1371685953.939 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 176.24.253.50, 189.170.128.213, 61.91.88.66, 178.239.54.151, 77.250.12.152 (2), 66.130.146.243 Resource List: Observed Start: 06/19/2013 18:53:59.418 PDT Gen. Time: 06/19/2013 18:56:41.016 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 176.24.253.50 (18:56:06.508 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->58693 (18:56:06.508 PDT) 189.170.128.213 (18:54:59.851 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51413 (18:54:59.851 PDT) 61.91.88.66 (18:54:26.652 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 60735->16882 (18:54:26.652 PDT) 178.239.54.151 (18:55:41.945 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 61116->2710 (18:55:41.945 PDT) 77.250.12.152 (2) (18:55:34.854 PDT) event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 61044->51413 (18:55:34.854 PDT) 61344->51413 (18:56:34.870 PDT) 66.130.146.243 (18:53:59.418 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->45803 (18:53:59.418 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (18:56:41.016 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (18:56:41.016 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1371693239.418 1371693239.419 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 77.250.12.152 (2), 91.218.38.132 (2), 82.39.181.94, 176.24.253.50, 83.149.86.133, 61.91.88.66, 178.239.54.153, 66.130.146.243, 189.170.128.213, 178.239.54.151 Resource List: Observed Start: 06/19/2013 18:53:59.418 PDT Gen. Time: 06/19/2013 18:58:02.028 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 77.250.12.152 (2) (18:55:34.854 PDT) event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 61044->51413 (18:55:34.854 PDT) 61344->51413 (18:56:34.870 PDT) 91.218.38.132 (2) (18:56:55.320 PDT) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 61432->2710 (18:56:55.320 PDT) ------------------------- event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 61432->2710 (18:56:55.320 PDT) 82.39.181.94 (18:57:06.375 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->55926 (18:57:06.375 PDT) 176.24.253.50 (18:56:06.508 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->58693 (18:56:06.508 PDT) 83.149.86.133 (18:57:01.677 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 61448->6969 (18:57:01.677 PDT) 61.91.88.66 (18:54:26.652 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 60735->16882 (18:54:26.652 PDT) 178.239.54.153 (18:58:02.028 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 61697->3310 (18:58:02.028 PDT) 66.130.146.243 (18:53:59.418 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->45803 (18:53:59.418 PDT) 189.170.128.213 (18:54:59.851 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51413 (18:54:59.851 PDT) 178.239.54.151 (18:55:41.945 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 61116->2710 (18:55:41.945 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (18:56:41.016 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (18:56:41.016 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1371693239.418 1371693239.419 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 176.24.253.50, 178.239.54.151, 82.1.74.144, 2.98.182.55 Resource List: Observed Start: 06/19/2013 20:56:21.461 PDT Gen. Time: 06/19/2013 20:58:21.001 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 176.24.253.50 (20:56:40.400 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->58693 (20:56:40.400 PDT) 178.239.54.151 (20:56:21.461 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 63222->2710 (20:56:21.461 PDT) 82.1.74.144 (20:56:30.052 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 63240->6890 (20:56:30.052 PDT) 2.98.182.55 (20:57:40.278 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->13720 (20:57:40.278 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (20:58:21.001 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 63794->6099 (20:58:21.001 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1371700581.461 1371700581.462 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 126.91.113.44, 178.239.54.153, 176.24.253.50, 189.170.128.213, 91.218.38.132, 178.239.54.151, 82.1.74.144, 2.98.182.55 Resource List: Observed Start: 06/19/2013 20:56:21.461 PDT Gen. Time: 06/19/2013 21:00:22.828 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 126.91.113.44 (20:59:47.331 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->60199 (20:59:47.331 PDT) 178.239.54.153 (20:58:41.190 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 63915->3310 (20:58:41.190 PDT) 176.24.253.50 (20:56:40.400 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->58693 (20:56:40.400 PDT) 189.170.128.213 (20:58:46.228 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51413 (20:58:46.228 PDT) 91.218.38.132 (20:59:51.565 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 64314->2710 (20:59:51.565 PDT) 178.239.54.151 (20:56:21.461 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 63222->2710 (20:56:21.461 PDT) 82.1.74.144 (20:56:30.052 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 63240->6890 (20:56:30.052 PDT) 2.98.182.55 (20:57:40.278 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->13720 (20:57:40.278 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (20:58:21.001 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 63794->6099 (20:58:21.001 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1371700581.461 1371700581.462 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 77.250.12.152, 177.32.193.130, 178.239.54.151 Resource List: Observed Start: 06/19/2013 22:57:21.799 PDT Gen. Time: 06/19/2013 22:58:50.997 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 77.250.12.152 (22:58:43.311 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 53723->51413 (22:58:43.311 PDT) 177.32.193.130 (22:58:23.542 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->62943 (22:58:23.542 PDT) 178.239.54.151 (22:57:21.799 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 53436->2710 (22:57:21.799 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (22:58:50.997 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (22:58:50.997 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1371707841.799 1371707841.800 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================