Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 90.222.144.201, 91.218.38.132, 207.216.217.228, 84.228.106.72 Resource List: Observed Start: 06/29/2013 00:58:18.113 PDT Gen. Time: 06/29/2013 01:00:40.612 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 90.222.144.201 (00:59:23.061 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->19152 (00:59:23.061 PDT) 91.218.38.132 (00:59:51.455 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 63309->2710 (00:59:51.455 PDT) 207.216.217.228 (00:58:18.113 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->47877 (00:58:18.113 PDT) 84.228.106.72 (01:00:24.628 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->14110 (01:00:24.628 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (01:00:40.612 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (01:00:40.612 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1372492698.113 1372492698.114 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 90.222.144.201, 78.133.94.87, 91.218.38.132, 197.35.45.12, 207.216.217.228, 121.14.98.151, 84.228.106.72 Resource List: Observed Start: 06/29/2013 00:58:18.113 PDT Gen. Time: 06/29/2013 01:02:26.259 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 90.222.144.201 (00:59:23.061 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->19152 (00:59:23.061 PDT) 78.133.94.87 (01:01:26.349 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->30508 (01:01:26.349 PDT) 91.218.38.132 (00:59:51.455 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 63309->2710 (00:59:51.455 PDT) 197.35.45.12 (01:02:26.259 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->29733 (01:02:26.259 PDT) 207.216.217.228 (00:58:18.113 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->47877 (00:58:18.113 PDT) 121.14.98.151 (01:01:50.606 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 63621->9090 (01:01:50.606 PDT) 84.228.106.72 (01:00:24.628 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->14110 (01:00:24.628 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (01:00:40.612 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (01:00:40.612 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1372492698.113 1372492698.114 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 94.169.50.48, 84.228.106.72 Resource List: Observed Start: 06/29/2013 03:01:18.370 PDT Gen. Time: 06/29/2013 03:02:01.139 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 94.169.50.48 (03:01:18.370 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 59310->10006 (03:01:18.370 PDT) 84.228.106.72 (03:01:47.896 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->14110 (03:01:47.896 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (03:02:01.139 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 59531->6099 (03:02:01.139 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1372500078.370 1372500078.371 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 90.210.127.96, 94.169.50.48 (2), 91.218.38.132 (2), 171.7.174.103, 190.42.196.245, 84.228.106.72 Resource List: Observed Start: 06/29/2013 03:01:18.370 PDT Gen. Time: 06/29/2013 03:04:53.642 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 90.210.127.96 (03:03:53.902 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->10806 (03:03:53.902 PDT) 94.169.50.48 (2) (03:01:18.370 PDT) event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 59310->10006 (03:01:18.370 PDT) 60232->10006 (03:04:45.423 PDT) 91.218.38.132 (2) (03:03:21.383 PDT) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 59805->2710 (03:03:21.383 PDT) ------------------------- event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 59805->2710 (03:03:21.383 PDT) 171.7.174.103 (03:02:55.397 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 59741->7547 (03:02:55.397 PDT) 190.42.196.245 (03:02:53.456 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->45682 (03:02:53.456 PDT) 84.228.106.72 (03:01:47.896 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->14110 (03:01:47.896 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (03:02:01.139 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 59531->6099 (03:02:01.139 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1372500078.370 1372500078.371 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 91.218.38.132, 85.17.143.16, 173.11.243.162, 79.18.49.136, 151.227.117.136, 158.194.137.88, 121.14.98.151 Resource List: Observed Start: 06/29/2013 04:58:58.118 PDT Gen. Time: 06/29/2013 05:02:10.607 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 91.218.38.132 (05:01:01.063 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 58160->2710 (05:01:01.063 PDT) 85.17.143.16 (04:59:41.223 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 57843->6969 (04:59:41.223 PDT) 173.11.243.162 (04:58:58.118 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51413 (04:58:58.118 PDT) 79.18.49.136 (05:02:01.323 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->24954 (05:02:01.323 PDT) 151.227.117.136 (04:59:59.356 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->64155 (04:59:59.356 PDT) 158.194.137.88 (05:00:59.520 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->48728 (05:00:59.520 PDT) 121.14.98.151 (04:59:51.287 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 57934->9090 (04:59:51.287 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (05:02:10.607 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (05:02:10.607 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1372507138.118 1372507138.119 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 2.226.218.19, 91.218.38.132, 85.17.143.16, 173.11.243.162, 79.18.49.136, 151.227.117.136, 158.194.137.88, 121.14.98.151 Resource List: Observed Start: 06/29/2013 04:58:58.118 PDT Gen. Time: 06/29/2013 05:03:02.253 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 2.226.218.19 (05:03:02.253 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->48241 (05:03:02.253 PDT) 91.218.38.132 (05:01:01.063 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 58160->2710 (05:01:01.063 PDT) 85.17.143.16 (04:59:41.223 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 57843->6969 (04:59:41.223 PDT) 173.11.243.162 (04:58:58.118 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51413 (04:58:58.118 PDT) 79.18.49.136 (05:02:01.323 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->24954 (05:02:01.323 PDT) 151.227.117.136 (04:59:59.356 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->64155 (04:59:59.356 PDT) 158.194.137.88 (05:00:59.520 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->48728 (05:00:59.520 PDT) 121.14.98.151 (04:59:51.287 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 57934->9090 (04:59:51.287 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (05:02:10.607 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (05:02:10.607 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1372507138.118 1372507138.119 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 109.189.251.63 (2), 91.218.38.132 (3), 37.153.12.154 (2), 121.14.98.151, 188.53.109.165 Resource List: Observed Start: 06/29/2013 07:01:21.063 PDT Gen. Time: 06/29/2013 07:03:51.571 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 109.189.251.63 (2) (07:01:43.615 PDT-07:03:45.644 PDT) event=1:1100013 (2) {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 2: 51413->17506 (07:01:43.615 PDT-07:03:45.644 PDT) 91.218.38.132 (3) (07:01:21.063 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 56559->2710 (07:01:41.459 PDT) ------------------------- event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 56390->2710 (07:01:21.063 PDT) ------------------------- event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 56390->2710 (07:01:21.063 PDT) 37.153.12.154 (2) (07:03:50.350 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 57124->6881 (07:03:50.350 PDT) ------------------------- event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:01:64:FF:CE:EA 57124->6881 (07:03:50.350 PDT) 121.14.98.151 (07:02:41.387 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 56763->9090 (07:02:41.387 PDT) 188.53.109.165 (07:02:44.650 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->48800 (07:02:44.650 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (07:03:51.571 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 57132->6099 (07:03:51.571 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1372514481.063 1372514625.645 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 109.189.251.63 (2), 203.219.85.161, 91.218.38.132 (3), 37.153.12.154 (3), 121.14.98.151, 188.53.109.165 Resource List: Observed Start: 06/29/2013 07:01:21.063 PDT Gen. Time: 06/29/2013 07:05:22.815 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 109.189.251.63 (2) (07:01:43.615 PDT-07:03:45.644 PDT) event=1:1100013 (2) {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 2: 51413->17506 (07:01:43.615 PDT-07:03:45.644 PDT) 203.219.85.161 (07:04:46.419 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->53250 (07:04:46.419 PDT) 91.218.38.132 (3) (07:01:21.063 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 56559->2710 (07:01:41.459 PDT) ------------------------- event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 56390->2710 (07:01:21.063 PDT) ------------------------- event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 56390->2710 (07:01:21.063 PDT) 37.153.12.154 (3) (07:03:50.350 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 57124->6881 (07:03:50.350 PDT) ------------------------- event=1:2102181 (2) {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:01:64:FF:CE:EA 57124->6881 (07:03:50.350 PDT) 57158->6881 (07:03:59.849 PDT) 121.14.98.151 (07:02:41.387 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 56763->9090 (07:02:41.387 PDT) 188.53.109.165 (07:02:44.650 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->48800 (07:02:44.650 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (07:03:51.571 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 57132->6099 (07:03:51.571 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1372514481.063 1372514625.645 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 84.111.88.8, 197.33.20.146, 91.218.38.132, 177.19.153.209, 95.211.162.90 Resource List: Observed Start: 06/29/2013 09:02:02.738 PDT Gen. Time: 06/29/2013 09:04:00.910 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 84.111.88.8 (09:02:38.565 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51444 (09:02:38.565 PDT) 197.33.20.146 (09:03:38.021 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->25529 (09:03:38.021 PDT) 91.218.38.132 (09:02:21.456 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 62109->2710 (09:02:21.456 PDT) 177.19.153.209 (09:02:02.738 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 62061->16881 (09:02:02.738 PDT) 95.211.162.90 (09:03:31.041 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 62552->2710 (09:03:31.041 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (09:04:00.910 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (09:04:00.910 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1372521722.738 1372521722.739 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 84.111.88.8, 197.33.20.146, 91.218.38.132, 2.89.215.46, 177.19.153.209, 95.211.162.90 Resource List: Observed Start: 06/29/2013 09:02:02.738 PDT Gen. Time: 06/29/2013 09:05:20.452 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 84.111.88.8 (09:02:38.565 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51444 (09:02:38.565 PDT) 197.33.20.146 (09:03:38.021 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->25529 (09:03:38.021 PDT) 91.218.38.132 (09:02:21.456 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 62109->2710 (09:02:21.456 PDT) 2.89.215.46 (09:04:38.923 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->57243 (09:04:38.923 PDT) 177.19.153.209 (09:02:02.738 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 62061->16881 (09:02:02.738 PDT) 95.211.162.90 (09:03:31.041 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 62552->2710 (09:03:31.041 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (09:04:00.910 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (09:04:00.910 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1372521722.738 1372521722.739 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 91.218.38.132 (2), 189.231.9.254 Resource List: Observed Start: 06/29/2013 11:04:38.615 PDT Gen. Time: 06/29/2013 11:05:30.937 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 91.218.38.132 (2) (11:05:25.493 PDT) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 57211->2710 (11:05:25.493 PDT) ------------------------- event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 57211->2710 (11:05:25.493 PDT) 189.231.9.254 (11:04:38.615 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->38119 (11:04:38.615 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (11:05:30.937 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 57252->6099 (11:05:30.937 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1372529078.615 1372529078.616 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 197.33.20.146, 149.241.68.130, 91.218.38.132 (2), 61.91.88.132, 189.231.9.254 (2), 213.106.206.126 Resource List: Observed Start: 06/29/2013 11:04:38.615 PDT Gen. Time: 06/29/2013 11:08:39.932 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 197.33.20.146 (11:05:38.513 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->25529 (11:05:38.513 PDT) 149.241.68.130 (11:07:38.663 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->21966 (11:07:38.663 PDT) 91.218.38.132 (2) (11:05:25.493 PDT) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 57211->2710 (11:05:25.493 PDT) ------------------------- event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 57211->2710 (11:05:25.493 PDT) 61.91.88.132 (11:06:00.135 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 57556->16884 (11:06:00.135 PDT) 189.231.9.254 (2) (11:04:38.615 PDT-11:06:38.646 PDT) event=1:1100013 (2) {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 2: 51413->38119 (11:04:38.615 PDT-11:06:38.646 PDT) 213.106.206.126 (11:08:39.932 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->40374 (11:08:39.932 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (11:05:30.937 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 57252->6099 (11:05:30.937 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1372529078.615 1372529198.647 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 91.218.38.132 (2), 203.113.15.52, 60.226.161.41, 85.17.143.16, 122.107.225.180, 95.211.162.90 Resource List: Observed Start: 06/29/2013 13:04:39.847 PDT Gen. Time: 06/29/2013 13:06:30.795 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 91.218.38.132 (2) (13:05:32.199 PDT) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 52689->2710 (13:05:32.199 PDT) ------------------------- event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 52689->2710 (13:05:32.199 PDT) 203.113.15.52 (13:04:39.847 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 52426->16882 (13:04:39.847 PDT) 60.226.161.41 (13:06:29.140 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->13418 (13:06:29.140 PDT) 85.17.143.16 (13:05:43.150 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 52818->6969 (13:05:43.150 PDT) 122.107.225.180 (13:05:29.054 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->22976 (13:05:29.054 PDT) 95.211.162.90 (13:04:41.839 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 52457->2710 (13:04:41.839 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (13:06:30.795 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (13:06:30.795 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1372536279.847 1372536279.848 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 186.22.120.8, 91.218.38.132 (2), 203.113.15.52, 60.226.161.41, 85.17.143.16, 173.241.102.70, 122.107.225.180, 95.211.162.90 Resource List: Observed Start: 06/29/2013 13:04:39.847 PDT Gen. Time: 06/29/2013 13:08:29.320 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 186.22.120.8 (13:07:29.327 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->23961 (13:07:29.327 PDT) 91.218.38.132 (2) (13:05:32.199 PDT) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 52689->2710 (13:05:32.199 PDT) ------------------------- event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 52689->2710 (13:05:32.199 PDT) 203.113.15.52 (13:04:39.847 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 52426->16882 (13:04:39.847 PDT) 60.226.161.41 (13:06:29.140 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->13418 (13:06:29.140 PDT) 85.17.143.16 (13:05:43.150 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 52818->6969 (13:05:43.150 PDT) 173.241.102.70 (13:08:29.320 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->22366 (13:08:29.320 PDT) 122.107.225.180 (13:05:29.054 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->22976 (13:05:29.054 PDT) 95.211.162.90 (13:04:41.839 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 52457->2710 (13:04:41.839 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (13:06:30.795 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (13:06:30.795 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1372536279.847 1372536279.848 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/29/2013 15:08:10.246 PDT Gen. Time: 06/29/2013 15:08:10.246 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (15:08:10.246 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 50220->6099 (15:08:10.246 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1372543690.246 1372543690.247 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 2.82.174.233, 176.44.26.169, 166.78.158.73, 88.179.55.248, 94.36.160.105 Resource List: Observed Start: 06/29/2013 15:08:10.246 PDT Gen. Time: 06/29/2013 15:12:29.048 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 2.82.174.233 (15:11:45.333 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->54875 (15:11:45.333 PDT) 176.44.26.169 (15:10:45.986 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->27315 (15:10:45.986 PDT) 166.78.158.73 (15:10:51.069 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 51234->6969 (15:10:51.069 PDT) 88.179.55.248 (15:09:45.079 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->29692 (15:09:45.079 PDT) 94.36.160.105 (15:08:44.401 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->39329 (15:08:44.401 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (15:08:10.246 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 50220->6099 (15:08:10.246 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1372543690.246 1372543690.247 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 151.27.98.57, 173.33.93.90 Resource List: Observed Start: 06/29/2013 17:08:29.385 PDT Gen. Time: 06/29/2013 17:08:40.179 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 151.27.98.57 (17:08:29.385 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->44822 (17:08:29.385 PDT) 173.33.93.90 (17:08:40.103 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 53831->16969 (17:08:40.103 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (17:08:40.179 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (17:08:40.179 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1372550909.385 1372550909.386 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 61.91.88.92, 91.218.38.132 (2), 166.78.158.73, 89.27.32.9, 151.27.98.57, 216.183.134.196 (2), 31.209.211.118, 173.33.93.90 (2) Resource List: Observed Start: 06/29/2013 17:08:29.385 PDT Gen. Time: 06/29/2013 17:12:09.474 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 61.91.88.92 (17:09:52.621 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 54188->16882 (17:09:52.621 PDT) 91.218.38.132 (2) (17:09:37.463 PDT) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 54118->2710 (17:09:37.463 PDT) ------------------------- event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 54118->2710 (17:09:37.463 PDT) 166.78.158.73 (17:11:30.439 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 54457->6969 (17:11:30.439 PDT) 89.27.32.9 (17:09:29.712 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->53644 (17:09:29.712 PDT) 151.27.98.57 (17:08:29.385 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->44822 (17:08:29.385 PDT) 216.183.134.196 (2) (17:11:09.897 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->22366 (17:11:09.897 PDT) ------------------------- event=1:2008581 {udp} E7[info] ET P2P BitTorrent DHT ping request, [] MAC_Src: 00:01:64:FF:CE:EA 51413->22366 (17:11:09.897 PDT) 31.209.211.118 (17:11:07.810 PDT) event=1:2008583 {udp} E7[info] ET P2P BitTorrent DHT nodes reply, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51110 (17:11:07.810 PDT) 173.33.93.90 (2) (17:08:40.103 PDT) event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 53831->16969 (17:08:40.103 PDT) 54611->16969 (17:11:57.155 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (17:08:40.179 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (17:08:40.179 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1372550909.385 1372550909.386 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 90.222.144.201, 60.226.161.41, 95.211.162.90, 5.29.4.185, 50.72.214.34 Resource List: Observed Start: 06/29/2013 19:07:01.044 PDT Gen. Time: 06/29/2013 19:10:21.235 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 90.222.144.201 (19:07:10.194 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->19152 (19:07:10.194 PDT) 60.226.161.41 (19:10:21.144 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->13418 (19:10:21.144 PDT) 95.211.162.90 (19:07:01.044 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 52460->2710 (19:07:01.044 PDT) 5.29.4.185 (19:09:20.401 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->29260 (19:09:20.401 PDT) 50.72.214.34 (19:08:18.122 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->58692 (19:08:18.122 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (19:10:21.235 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 53218->6099 (19:10:21.235 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1372558021.044 1372558021.045 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 90.222.144.201, 60.226.161.41, 89.27.32.9, 95.211.162.90, 5.29.4.185, 50.72.214.34 Resource List: Observed Start: 06/29/2013 19:07:01.044 PDT Gen. Time: 06/29/2013 19:11:21.201 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 90.222.144.201 (19:07:10.194 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->19152 (19:07:10.194 PDT) 60.226.161.41 (19:10:21.144 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->13418 (19:10:21.144 PDT) 89.27.32.9 (19:11:21.201 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->53644 (19:11:21.201 PDT) 95.211.162.90 (19:07:01.044 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 52460->2710 (19:07:01.044 PDT) 5.29.4.185 (19:09:20.401 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->29260 (19:09:20.401 PDT) 50.72.214.34 (19:08:18.122 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->58692 (19:08:18.122 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (19:10:21.235 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 53218->6099 (19:10:21.235 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1372558021.044 1372558021.045 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 76.123.50.174, 89.99.212.237, 180.182.148.172, 85.17.143.16, 89.93.150.106 Resource List: Observed Start: 06/29/2013 21:08:27.600 PDT Gen. Time: 06/29/2013 21:11:10.651 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 76.123.50.174 (21:10:29.687 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->37586 (21:10:29.687 PDT) 89.99.212.237 (21:09:29.279 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->47717 (21:09:29.279 PDT) 180.182.148.172 (21:08:43.177 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 55378->51413 (21:08:43.177 PDT) 85.17.143.16 (21:10:35.963 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 55934->6969 (21:10:35.963 PDT) 89.93.150.106 (21:08:27.600 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51413 (21:08:27.600 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (21:11:10.651 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (21:11:10.651 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1372565307.600 1372565307.601 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 76.123.50.174, 89.99.212.237, 180.182.148.172, 86.183.190.2, 85.17.143.16, 89.93.150.106 Resource List: Observed Start: 06/29/2013 21:08:27.600 PDT Gen. Time: 06/29/2013 21:11:29.862 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 76.123.50.174 (21:10:29.687 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->37586 (21:10:29.687 PDT) 89.99.212.237 (21:09:29.279 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->47717 (21:09:29.279 PDT) 180.182.148.172 (21:08:43.177 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 55378->51413 (21:08:43.177 PDT) 86.183.190.2 (21:11:29.862 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->24296 (21:11:29.862 PDT) 85.17.143.16 (21:10:35.963 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 55934->6969 (21:10:35.963 PDT) 89.93.150.106 (21:08:27.600 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51413 (21:08:27.600 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (21:11:10.651 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (21:11:10.651 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1372565307.600 1372565307.601 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================