Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 66.249.71.78
Peer Coord. List:
Resource List:
Observed Start: 10/04/2011 01:06:41.116 PDT
Gen. Time: 10/04/2011 01:06:58.920 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
      66.249.71.78 (01:06:41.116 PDT)
         event=1:2001220 {tcp} E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report, []
         MAC_Src: 00:01:64:FF:CE:EA
         80->35763 (01:06:41.116 PDT)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
      66.249.71.78 (01:06:58.920 PDT)
         event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, []
         MAC_Src: 00:01:64:FF:CE:EA
         80->50788 (01:06:58.920 PDT)
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT

tcpslice 1317715601.116 1317715601.117 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 66.249.71.78 (2)
Peer Coord. List:
Resource List:
Observed Start: 10/04/2011 02:27:01.872 PDT
Gen. Time: 10/04/2011 02:28:46.032 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
      66.249.71.78 (2) (02:27:01.872 PDT-02:27:01.873 PDT)
         event=1:2001220 (2) {tcp} E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report, []
         MAC_Src: 00:01:64:FF:CE:EA
         2: 80->55354 (02:27:01.872 PDT-02:27:01.873 PDT)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
      67.195.113.243 (02:28:46.032 PDT)
         event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, []
         MAC_Src: 00:01:64:FF:CE:EA
         80->44344 (02:28:46.032 PDT)
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT

tcpslice 1317720421.872 1317720421.874 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 180.76.5.21
Peer Coord. List:
Resource List:
Observed Start: 10/04/2011 03:03:16.399 PDT
Gen. Time: 10/04/2011 03:08:23.939 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
      180.76.5.21 (03:08:23.939 PDT)
         event=1:2001220 {tcp} E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report, []
         MAC_Src: 00:01:64:FF:CE:EA
         80->52144 (03:08:23.939 PDT)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
      66.249.71.78 (03:07:17.957 PDT)
         event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, []
         MAC_Src: 00:01:64:FF:CE:EA
         80->57596 (03:07:17.957 PDT)
      65.52.109.194 (03:03:16.399 PDT)
         event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, []
         MAC_Src: 00:01:64:FF:CE:EA
         80->43001 (03:03:16.399 PDT)
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT

tcpslice 1317722596.399 1317722596.400 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 66.249.71.78 (2)
Peer Coord. List:
Resource List:
Observed Start: 10/04/2011 05:10:21.502 PDT
Gen. Time: 10/04/2011 05:11:37.901 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
      66.249.71.78 (2) (05:10:21.502 PDT)
         event=1:2001220 (2) {tcp} E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report, []
         MAC_Src: 00:01:64:FF:CE:EA
         2: 80->46179 (05:10:21.502 PDT-05:10:21.502 PDT)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
      66.249.71.78 (05:11:37.901 PDT)
         event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, []
         MAC_Src: 00:01:64:FF:CE:EA
         80->54583 (05:11:37.901 PDT)
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT

tcpslice 1317730221.502 1317730221.503 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 66.249.71.78
Peer Coord. List:
Resource List:
Observed Start: 10/04/2011 07:53:42.221 PDT
Gen. Time: 10/04/2011 07:57:44.223 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
      66.249.71.78 (07:57:44.223 PDT)
         event=1:2001220 {tcp} E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report, []
         MAC_Src: 00:01:64:FF:CE:EA
         80->64496 (07:57:44.223 PDT)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
      67.195.113.243 (07:53:42.221 PDT)
         event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, []
         MAC_Src: 00:01:64:FF:CE:EA
         80->60281 (07:53:42.221 PDT)
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT

tcpslice 1317740022.221 1317740022.222 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 66.249.71.78 (2)
Peer Coord. List:
Resource List:
Observed Start: 10/04/2011 07:53:42.221 PDT
Gen. Time: 10/04/2011 08:02:05.110 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
      66.249.71.78 (2) (07:57:44.223 PDT)
         event=1:2001220 (2) {tcp} E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report, []
         MAC_Src: 00:01:64:FF:CE:EA
         2: 80->64496 (07:57:44.223 PDT-07:57:44.223 PDT)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
      67.195.113.243 (2) (07:53:42.221 PDT)
         event=1:552123 (2) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, []
         MAC_Src: 00:01:64:FF:CE:EA
         80->60281 (07:53:42.221 PDT)
         80->36936 (07:58:52.515 PDT)
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT

tcpslice 1317740022.221 1317740264.224 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 180.76.5.144
Peer Coord. List:
Resource List:
Observed Start: 10/04/2011 08:14:18.898 PDT
Gen. Time: 10/04/2011 08:14:29.417 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
      180.76.5.144 (08:14:29.417 PDT)
         event=1:2001220 {tcp} E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report, []
         MAC_Src: 00:01:64:FF:CE:EA
         80->6406 (08:14:29.417 PDT)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
      66.249.71.78 (08:14:18.898 PDT)
         event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, []
         MAC_Src: 00:01:64:FF:CE:EA
         80->46563 (08:14:18.898 PDT)
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT

tcpslice 1317741258.898 1317741258.899 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 66.249.71.78
Peer Coord. List:
Resource List:
Observed Start: 10/04/2011 08:37:01.070 PDT
Gen. Time: 10/04/2011 08:42:56.381 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
      66.249.71.78 (08:42:56.381 PDT)
         event=1:2001220 {tcp} E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report, []
         MAC_Src: 00:01:64:FF:CE:EA
         80->62777 (08:42:56.381 PDT)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
      66.249.71.78 (08:37:01.070 PDT)
         event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, []
         MAC_Src: 00:01:64:FF:CE:EA
         80->43569 (08:37:01.070 PDT)
      65.52.109.194 (2) (08:38:56.407 PDT)
         event=1:552123 (2) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, []
         MAC_Src: 00:01:64:FF:CE:EA
         80->48653 (08:38:56.407 PDT)
         80->13840 (08:40:57.924 PDT)
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT

tcpslice 1317742621.070 1317742621.071 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 66.249.71.78 (2)
Peer Coord. List:
Resource List:
Observed Start: 10/04/2011 12:26:59.230 PDT
Gen. Time: 10/04/2011 12:30:45.050 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
      66.249.71.78 (2) (12:26:59.230 PDT)
         event=1:2001220 (2) {tcp} E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report, []
         MAC_Src: 00:01:64:FF:CE:EA
         2: 80->62725 (12:26:59.230 PDT-12:26:59.230 PDT)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
      65.52.109.194 (12:30:45.050 PDT)
         event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, []
         MAC_Src: 00:01:64:FF:CE:EA
         80->59781 (12:30:45.050 PDT)
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT

tcpslice 1317756419.230 1317756419.231 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 66.249.71.78 (2)
Peer Coord. List:
Resource List:
Observed Start: 10/04/2011 12:26:59.230 PDT
Gen. Time: 10/04/2011 12:38:18.141 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
      66.249.71.78 (2) (12:26:59.230 PDT)
         event=1:2001220 (2) {tcp} E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report, []
         MAC_Src: 00:01:64:FF:CE:EA
         2: 80->62725 (12:26:59.230 PDT-12:26:59.230 PDT)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
      67.195.113.243 (2) (12:34:04.052 PDT)
         event=1:552123 (2) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, []
         MAC_Src: 00:01:64:FF:CE:EA
         80->45826 (12:34:04.052 PDT)
         80->54964 (12:35:30.255 PDT)
      65.52.109.194 (2) (12:30:45.050 PDT)
         event=1:552123 (2) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, []
         MAC_Src: 00:01:64:FF:CE:EA
         80->59781 (12:30:45.050 PDT)
         80->64495 (12:32:15.344 PDT)
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT

tcpslice 1317756419.230 1317756419.231 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 67.195.113.243
Peer Coord. List:
Resource List:
Observed Start: 10/04/2011 15:59:03.701 PDT
Gen. Time: 10/04/2011 15:59:03.728 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
      67.195.113.243 (15:59:03.728 PDT)
         event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, []
         MAC_Src: 00:01:64:FF:CE:EA
         80->39752 (15:59:03.728 PDT)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
      67.195.113.243 (15:59:03.701 PDT)
         event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, []
         MAC_Src: 00:01:64:FF:CE:EA
         80->39752 (15:59:03.701 PDT)
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT

tcpslice 1317769143.701 1317769143.702 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 67.195.113.243
Peer Coord. List:
Resource List:
Observed Start: 10/04/2011 15:59:03.701 PDT
Gen. Time: 10/04/2011 16:04:22.578 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
      67.195.113.243 (15:59:03.728 PDT)
         event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, []
         MAC_Src: 00:01:64:FF:CE:EA
         80->39752 (15:59:03.728 PDT)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
      67.195.113.243 (2) (15:59:03.701 PDT)
         event=1:552123 (2) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, []
         MAC_Src: 00:01:64:FF:CE:EA
         80->39752 (15:59:03.701 PDT)
         80->50337 (16:00:45.639 PDT)
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT

tcpslice 1317769143.701 1317769143.702 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 66.249.71.78
Peer Coord. List:
Resource List:
Observed Start: 10/04/2011 19:57:41.434 PDT
Gen. Time: 10/04/2011 20:00:53.137 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
      66.249.71.78 (19:57:41.434 PDT)
         event=1:2001220 {tcp} E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report, []
         MAC_Src: 00:01:64:FF:CE:EA
         80->60554 (19:57:41.434 PDT)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
      67.195.113.243 (20:00:53.137 PDT)
         event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, []
         MAC_Src: 00:01:64:FF:CE:EA
         80->50347 (20:00:53.137 PDT)
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT

tcpslice 1317783461.434 1317783461.435 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 67.195.113.243
Peer Coord. List:
Resource List:
Observed Start: 10/04/2011 21:19:04.187 PDT
Gen. Time: 10/04/2011 21:21:11.865 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
      67.195.113.243 (21:21:11.865 PDT)
         event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, []
         MAC_Src: 00:01:64:FF:CE:EA
         80->60708 (21:21:11.865 PDT)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
      66.249.71.78 (21:19:04.187 PDT)
         event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, []
         MAC_Src: 00:01:64:FF:CE:EA
         80->40482 (21:19:04.187 PDT)
      180.76.5.167 (21:19:23.909 PDT)
         event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, []
         MAC_Src: 00:01:64:FF:CE:EA
         80->41310 (21:19:23.909 PDT)
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT

tcpslice 1317788344.187 1317788344.188 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 67.195.113.243
Peer Coord. List:
Resource List:
Observed Start: 10/04/2011 21:19:04.187 PDT
Gen. Time: 10/04/2011 21:31:07.407 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
      67.195.113.243 (21:21:11.865 PDT)
         event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, []
         MAC_Src: 00:01:64:FF:CE:EA
         80->60708 (21:21:11.865 PDT)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
      66.249.71.78 (3) (21:19:04.187 PDT)
         event=1:552123 (3) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, []
         MAC_Src: 00:01:64:FF:CE:EA
         80->40482 (21:19:04.187 PDT)
         80->47788 (21:25:21.332 PDT)
         80->60786 (21:27:14.142 PDT)
      180.76.5.167 (21:19:23.909 PDT)
         event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, []
         MAC_Src: 00:01:64:FF:CE:EA
         80->41310 (21:19:23.909 PDT)
      65.52.109.194 (21:27:19.860 PDT)
         event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, []
         MAC_Src: 00:01:64:FF:CE:EA
         80->56592 (21:27:19.860 PDT)
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT

tcpslice 1317788344.187 1317788344.188 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 66.249.71.78 (2)
Peer Coord. List:
Resource List:
Observed Start: 10/04/2011 21:57:02.006 PDT
Gen. Time: 10/04/2011 21:57:55.343 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
      66.249.71.78 (2) (21:57:02.006 PDT-21:57:02.007 PDT)
         event=1:2001220 (2) {tcp} E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report, []
         MAC_Src: 00:01:64:FF:CE:EA
         2: 80->35365 (21:57:02.006 PDT-21:57:02.007 PDT)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
      67.195.113.243 (21:57:55.343 PDT)
         event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, []
         MAC_Src: 00:01:64:FF:CE:EA
         80->44005 (21:57:55.343 PDT)
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT

tcpslice 1317790622.006 1317790622.008 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 66.249.71.78 (3)
Peer Coord. List:
Resource List:
Observed Start: 10/04/2011 21:57:02.006 PDT
Gen. Time: 10/04/2011 22:04:23.470 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
      66.249.71.78 (3) (21:57:02.006 PDT-21:57:02.007 PDT)
         event=1:2001220 (3) {tcp} E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report, []
         MAC_Src: 00:01:64:FF:CE:EA
         2: 80->35365 (21:57:02.006 PDT-21:57:02.007 PDT)
         80->50241 (21:59:46.236 PDT)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
      66.249.71.78 (2) (21:59:46.209 PDT)
         event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, []
         MAC_Src: 00:01:64:FF:CE:EA
         80->50241 (21:59:48.186 PDT)
         -------------------------
         event=1:5648 {tcp} E5[rb] GPL SHELLCODE x86 NOOP, []
         MAC_Src: 00:01:64:FF:CE:EA
         80->50241 (21:59:46.209 PDT)
      67.195.113.243 (4) (21:57:55.343 PDT)
         event=1:552123 (4) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, []
         MAC_Src: 00:01:64:FF:CE:EA
         80->44005 (21:57:55.343 PDT)
         80->45178 (21:58:06.660 PDT)
         80->52769 (21:59:16.214 PDT)
         80->59853 (22:00:22.604 PDT)
      65.52.109.194 (2) (21:58:53.321 PDT)
         event=1:552123 (2) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, []
         MAC_Src: 00:01:64:FF:CE:EA
         80->46582 (21:58:53.321 PDT)
         80->46589 (21:58:53.328 PDT)
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT

tcpslice 1317790622.006 1317790622.008 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================