Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 74.107.91.65, 178.239.54.160, 180.182.148.172, 108.227.132.147, 80.219.123.61, 199.59.243.109 (2) Resource List: Observed Start: 07/10/2013 17:28:51.261 PDT Gen. Time: 07/10/2013 17:31:00.207 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 74.107.91.65 (17:28:51.261 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->26713 (17:28:51.261 PDT) 178.239.54.160 (17:30:51.033 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 51976->3310 (17:30:51.033 PDT) 180.182.148.172 (17:30:12.764 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 51849->51413 (17:30:12.764 PDT) 108.227.132.147 (17:29:53.912 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->62348 (17:29:53.912 PDT) 80.219.123.61 (17:30:55.308 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->30473 (17:30:55.308 PDT) 199.59.243.109 (2) (17:29:51.799 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 51827->80 (17:29:51.799 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF9%FFW%97%12%FFV%1B%A0%A8%0C%16Q%02%0D%A2] MAC_Src: 00:01:64:FF:CE:EA 51827->80 (17:29:51.799 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (17:31:00.207 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51992->6099 (17:31:00.207 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1373502531.261 1373502531.262 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 113.171.224.20, 74.107.91.65, 178.239.54.160, 117.20.121.100, 180.182.148.172, 108.227.132.147, 80.219.123.61, 199.59.243.109 (2) Resource List: Observed Start: 07/10/2013 17:28:51.261 PDT Gen. Time: 07/10/2013 17:32:16.747 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 113.171.224.20 (17:31:13.793 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 52012->16881 (17:31:13.793 PDT) 74.107.91.65 (17:28:51.261 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->26713 (17:28:51.261 PDT) 178.239.54.160 (17:30:51.033 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 51976->3310 (17:30:51.033 PDT) 117.20.121.100 (17:32:16.747 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->21011 (17:32:16.747 PDT) 180.182.148.172 (17:30:12.764 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 51849->51413 (17:30:12.764 PDT) 108.227.132.147 (17:29:53.912 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->62348 (17:29:53.912 PDT) 80.219.123.61 (17:30:55.308 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->30473 (17:30:55.308 PDT) 199.59.243.109 (2) (17:29:51.799 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 51827->80 (17:29:51.799 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF9%FFW%97%12%FFV%1B%A0%A8%0C%16Q%02%0D%A2] MAC_Src: 00:01:64:FF:CE:EA 51827->80 (17:29:51.799 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (17:31:00.207 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51992->6099 (17:31:00.207 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1373502531.261 1373502531.262 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 123.91.43.185, 24.69.60.170, 199.59.243.109 (2) Resource List: Observed Start: 07/10/2013 21:30:48.449 PDT Gen. Time: 07/10/2013 21:32:51.032 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 123.91.43.185 (21:32:01.198 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->1142 (21:32:01.198 PDT) 24.69.60.170 (21:30:48.449 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->30991 (21:30:48.449 PDT) 199.59.243.109 (2) (21:32:20.706 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 61656->80 (21:32:20.706 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF9%FFW%97%12%FFV%1B%A0%A8%0C%16Q%02%0D%A2] MAC_Src: 00:01:64:FF:CE:EA 61656->80 (21:32:20.706 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (21:32:51.032 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 61793->6099 (21:32:51.032 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1373517048.449 1373517048.450 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 178.239.54.160, 69.136.191.153, 123.91.43.185, 84.228.62.231, 24.69.60.170, 199.59.243.109 (2) Resource List: Observed Start: 07/10/2013 21:30:48.449 PDT Gen. Time: 07/10/2013 21:34:01.236 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 178.239.54.160 (21:34:01.236 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 62008->3310 (21:34:01.236 PDT) 69.136.191.153 (21:33:27.169 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 61899->6890 (21:33:27.169 PDT) 123.91.43.185 (21:32:01.198 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->1142 (21:32:01.198 PDT) 84.228.62.231 (21:33:07.741 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->14110 (21:33:07.741 PDT) 24.69.60.170 (21:30:48.449 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->30991 (21:30:48.449 PDT) 199.59.243.109 (2) (21:32:20.706 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 61656->80 (21:32:20.706 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF9%FFW%97%12%FFV%1B%A0%A8%0C%16Q%02%0D%A2] MAC_Src: 00:01:64:FF:CE:EA 61656->80 (21:32:20.706 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (21:32:51.032 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 61793->6099 (21:32:51.032 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1373517048.449 1373517048.450 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================