Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 67.195.113.243
Peer Coord. List:
Resource List:
Observed Start: 10/15/2011 00:34:17.152 PDT
Gen. Time: 10/15/2011 00:38:07.080 PDT
 INBOUND SCAN
 EXPLOIT
 EXPLOIT MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
   67.195.113.243 (00:34:17.152 PDT)
     event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
     80->51783 (00:34:17.152 PDT)
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
   67.195.113.243 (00:38:07.080 PDT)
     event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
     80->49724 (00:38:07.080 PDT)
 ATTACK PREP
 PEER COORDINATION
 DECLARE BOT
tcpslice 1318664057.152 1318664057.153 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 67.195.113.243
Peer Coord. List:
Resource List:
Observed Start: 10/15/2011 00:34:17.152 PDT
Gen. Time: 10/15/2011 00:45:29.707 PDT
 INBOUND SCAN
 EXPLOIT
 EXPLOIT MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
   67.195.113.243 (00:34:17.152 PDT)
     event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
     80->51783 (00:34:17.152 PDT)
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
   67.195.113.243 (2) (00:38:07.080 PDT)
     event=1:552123 (2) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
     80->49724 (00:38:07.080 PDT)
     80->38997 (00:41:36.210 PDT)
 ATTACK PREP
 PEER COORDINATION
 DECLARE BOT
tcpslice 1318664057.152 1318664057.153 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 66.249.68.77
Peer Coord. List:
Resource List:
Observed Start: 10/15/2011 00:52:34.140 PDT
Gen. Time: 10/15/2011 00:53:46.165 PDT
 INBOUND SCAN
 EXPLOIT
 EXPLOIT MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
   66.249.68.77 (00:52:34.140 PDT)
     event=1:2001220 {tcp} E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report, [] MAC_Src: 00:01:64:FF:CE:EA
     80->54187 (00:52:34.140 PDT)
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
   180.76.5.10 (00:53:46.165 PDT)
     event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
     80->15586 (00:53:46.165 PDT)
 ATTACK PREP
 PEER COORDINATION
 DECLARE BOT
tcpslice 1318665154.140 1318665154.141 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 66.249.68.77
Peer Coord. List:
Resource List:
Observed Start: 10/15/2011 00:52:34.140 PDT
Gen. Time: 10/15/2011 00:57:03.016 PDT
 INBOUND SCAN
 EXPLOIT
 EXPLOIT MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
   66.249.68.77 (00:52:34.140 PDT)
     event=1:2001220 {tcp} E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report, [] MAC_Src: 00:01:64:FF:CE:EA
     80->54187 (00:52:34.140 PDT)
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
   180.76.5.144 (00:55:16.846 PDT)
     event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
     80->39060 (00:55:16.846 PDT)
   180.76.5.23 (00:54:46.614 PDT)
     event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
     80->15271 (00:54:46.614 PDT)
   180.76.5.10 (00:53:46.165 PDT)
     event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
     80->15586 (00:53:46.165 PDT)
   180.76.5.27 (00:55:47.322 PDT)
     event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
     80->15318 (00:55:47.322 PDT)
 ATTACK PREP
 PEER COORDINATION
 DECLARE BOT
tcpslice 1318665154.140 1318665154.141 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 66.249.68.77
Peer Coord. List:
Resource List:
Observed Start: 10/15/2011 02:29:26.647 PDT
Gen. Time: 10/15/2011 02:32:41.531 PDT
 INBOUND SCAN
 EXPLOIT
 EXPLOIT MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
   66.249.68.77 (02:32:41.531 PDT)
     event=1:2001220 {tcp} E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report, [] MAC_Src: 00:01:64:FF:CE:EA
     80->39163 (02:32:41.531 PDT)
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
   67.195.113.243 (02:31:02.832 PDT)
     event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
     80->45893 (02:31:02.832 PDT)
   66.249.68.77 (02:29:26.647 PDT)
     event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
     80->65281 (02:29:26.647 PDT)
 ATTACK PREP
 PEER COORDINATION
 DECLARE BOT
tcpslice 1318670966.647 1318670966.648 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 180.76.5.148
Peer Coord. List:
Resource List:
Observed Start: 10/15/2011 03:56:32.460 PDT
Gen. Time: 10/15/2011 03:56:32.460 PDT
 INBOUND SCAN
 EXPLOIT
 EXPLOIT MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
   180.76.5.148 (03:56:32.460 PDT)
     event=1:2001220 {tcp} E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report, [] MAC_Src: 00:01:64:FF:CE:EA
     80->45004 (03:56:32.460 PDT)
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
   180.76.5.148 (03:56:32.460 PDT)
     event=1:5648 {tcp} E5[rb] GPL SHELLCODE x86 NOOP, [] MAC_Src: 00:01:64:FF:CE:EA
     80->45004 (03:56:32.460 PDT)
 ATTACK PREP
 PEER COORDINATION
 DECLARE BOT
tcpslice 1318676192.460 1318676192.461 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 66.249.68.77
Peer Coord. List:
Resource List:
Observed Start: 10/15/2011 04:47:49.968 PDT
Gen. Time: 10/15/2011 04:51:59.706 PDT
 INBOUND SCAN
 EXPLOIT
 EXPLOIT MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
   66.249.68.77 (04:51:59.706 PDT)
     event=1:2001220 {tcp} E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report, [] MAC_Src: 00:01:64:FF:CE:EA
     80->54487 (04:51:59.706 PDT)
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
   67.195.113.243 (2) (04:49:39.020 PDT)
     event=1:552123 (2) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
     80->35163 (04:49:39.020 PDT)
     80->46472 (04:51:19.486 PDT)
   66.249.68.77 (04:47:49.968 PDT)
     event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
     80->61433 (04:47:49.968 PDT)
 ATTACK PREP
 PEER COORDINATION
 DECLARE BOT
tcpslice 1318679269.968 1318679269.969 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 66.249.68.77
Peer Coord. List:
Resource List:
Observed Start: 10/15/2011 05:29:59.351 PDT
Gen. Time: 10/15/2011 05:31:31.345 PDT
 INBOUND SCAN
 EXPLOIT
 EXPLOIT MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
   66.249.68.77 (05:31:31.345 PDT)
     event=1:2001220 {tcp} E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report, [] MAC_Src: 00:01:64:FF:CE:EA
     80->61406 (05:31:31.345 PDT)
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
   180.76.5.171 (05:29:59.351 PDT)
     event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
     80->41855 (05:29:59.351 PDT)
 ATTACK PREP
 PEER COORDINATION
 DECLARE BOT
tcpslice 1318681799.351 1318681799.352 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 77.88.27.26 (2), 66.249.68.77
Peer Coord. List:
Resource List:
Observed Start: 10/15/2011 05:29:59.351 PDT
Gen. Time: 10/15/2011 05:43:54.141 PDT
 INBOUND SCAN
 EXPLOIT
 EXPLOIT MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
   77.88.27.26 (2) (05:38:36.369 PDT)
     event=1:2001220 (2) {tcp} E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report, [] MAC_Src: 00:01:64:FF:CE:EA
     2: 80->53137 (05:38:36.369 PDT-05:38:36.369 PDT)
   66.249.68.77 (05:31:31.345 PDT)
     event=1:2001220 {tcp} E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report, [] MAC_Src: 00:01:64:FF:CE:EA
     80->61406 (05:31:31.345 PDT)
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
   180.76.5.140 (05:39:13.708 PDT)
     event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
     80->48196 (05:39:13.708 PDT)
   67.195.113.243 (4) (05:32:43.807 PDT)
     event=1:552123 (4) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
     80->41163 (05:32:43.807 PDT)
     80->35852 (05:36:05.482 PDT)
     80->36988 (05:40:24.256 PDT)
     80->52286 (05:42:44.922 PDT)
   180.76.5.62 (05:35:37.981 PDT)
     event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
     80->6248 (05:35:37.981 PDT)
   180.76.5.171 (05:29:59.351 PDT)
     event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
     80->41855 (05:29:59.351 PDT)
 ATTACK PREP
 PEER COORDINATION
 DECLARE BOT
tcpslice 1318681799.351 1318682316.370 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 67.195.113.243
Peer Coord. List:
Resource List:
Observed Start: 10/15/2011 06:30:26.352 PDT
Gen. Time: 10/15/2011 06:30:36.825 PDT
 INBOUND SCAN
 EXPLOIT
 EXPLOIT MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
   67.195.113.243 (06:30:26.352 PDT)
     event=1:2001220 {tcp} E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report, [] MAC_Src: 00:01:64:FF:CE:EA
     80->34179 (06:30:26.352 PDT)
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
   67.195.113.243 (06:30:36.825 PDT)
     event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
     80->35545 (06:30:36.825 PDT)
 ATTACK PREP
 PEER COORDINATION
 DECLARE BOT
tcpslice 1318685426.352 1318685426.353 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 66.249.68.77 (2)
Peer Coord. List:
Resource List:
Observed Start: 10/15/2011 07:23:59.975 PDT
Gen. Time: 10/15/2011 07:27:27.966 PDT
 INBOUND SCAN
 EXPLOIT
 EXPLOIT MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
   66.249.68.77 (2) (07:23:59.975 PDT-07:23:59.990 PDT)
     event=1:2001220 (2) {tcp} E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report, [] MAC_Src: 00:01:64:FF:CE:EA
     2: 80->49502 (07:23:59.975 PDT-07:23:59.990 PDT)
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
   67.195.113.243 (07:27:27.966 PDT)
     event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
     80->45936 (07:27:27.966 PDT)
 ATTACK PREP
 PEER COORDINATION
 DECLARE BOT
tcpslice 1318688639.975 1318688639.991 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 180.76.5.178
Peer Coord. List:
Resource List:
Observed Start: 10/15/2011 10:00:49.974 PDT
Gen. Time: 10/15/2011 10:00:58.246 PDT
 INBOUND SCAN
 EXPLOIT
 EXPLOIT MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
   180.76.5.178 (10:00:58.246 PDT)
     event=1:2001220 {tcp} E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report, [] MAC_Src: 00:01:64:FF:CE:EA
     80->50026 (10:00:58.246 PDT)
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
   67.195.113.243 (10:00:49.974 PDT)
     event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
     80->43422 (10:00:49.974 PDT)
   180.76.5.178 (10:00:58.246 PDT)
     event=1:5648 {tcp} E5[rb] GPL SHELLCODE x86 NOOP, [] MAC_Src: 00:01:64:FF:CE:EA
     80->50026 (10:00:58.246 PDT)
 ATTACK PREP
 PEER COORDINATION
 DECLARE BOT
tcpslice 1318698049.974 1318698049.975 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 66.249.68.77
Peer Coord. List:
Resource List:
Observed Start: 10/15/2011 10:19:47.140 PDT
Gen. Time: 10/15/2011 10:22:49.100 PDT
 INBOUND SCAN
 EXPLOIT
 EXPLOIT MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
   66.249.68.77 (10:22:49.100 PDT)
     event=1:2001220 {tcp} E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report, [] MAC_Src: 00:01:64:FF:CE:EA
     80->46895 (10:22:49.100 PDT)
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
   67.195.113.243 (10:19:47.140 PDT)
     event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
     80->56925 (10:19:47.140 PDT)
 ATTACK PREP
 PEER COORDINATION
 DECLARE BOT
tcpslice 1318699187.140 1318699187.141 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 180.76.5.62, 66.249.68.77
Peer Coord. List:
Resource List:
Observed Start: 10/15/2011 10:19:47.140 PDT
Gen. Time: 10/15/2011 10:26:40.032 PDT
 INBOUND SCAN
 EXPLOIT
 EXPLOIT MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
   180.76.5.62 (10:24:32.899 PDT)
     event=1:2001220 {tcp} E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report, [] MAC_Src: 00:01:64:FF:CE:EA
     80->17600 (10:24:32.899 PDT)
   66.249.68.77 (10:22:49.100 PDT)
     event=1:2001220 {tcp} E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report, [] MAC_Src: 00:01:64:FF:CE:EA
     80->46895 (10:22:49.100 PDT)
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
   67.195.113.243 (10:19:47.140 PDT)
     event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
     80->56925 (10:19:47.140 PDT)
 ATTACK PREP
 PEER COORDINATION
 DECLARE BOT
tcpslice 1318699187.140 1318699187.141 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 66.249.68.77
Peer Coord. List:
Resource List:
Observed Start: 10/15/2011 11:19:52.494 PDT
Gen. Time: 10/15/2011 11:22:10.718 PDT
 INBOUND SCAN
 EXPLOIT
 EXPLOIT MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
   66.249.68.77 (11:22:10.718 PDT)
     event=1:2001220 {tcp} E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report, [] MAC_Src: 00:01:64:FF:CE:EA
     80->57400 (11:22:10.718 PDT)
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
   66.249.68.77 (2) (11:19:52.494 PDT)
     event=1:552123 (2) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
     80->49472 (11:19:52.494 PDT)
     80->45006 (11:21:20.739 PDT)
 ATTACK PREP
 PEER COORDINATION
 DECLARE BOT
tcpslice 1318702792.494 1318702792.495 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 180.76.5.99
Peer Coord. List:
Resource List:
Observed Start: 10/15/2011 11:29:41.649 PDT
Gen. Time: 10/15/2011 11:30:23.749 PDT
 INBOUND SCAN
 EXPLOIT
 EXPLOIT MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
   180.76.5.99 (11:29:41.649 PDT)
     event=1:2001220 {tcp} E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report, [] MAC_Src: 00:01:64:FF:CE:EA
     80->19523 (11:29:41.649 PDT)
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
   66.249.68.77 (11:30:23.749 PDT)
     event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
     80->65379 (11:30:23.749 PDT)
 ATTACK PREP
 PEER COORDINATION
 DECLARE BOT
tcpslice 1318703381.649 1318703381.650 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 180.76.5.99
Peer Coord. List:
Resource List:
Observed Start: 10/15/2011 11:29:41.649 PDT
Gen. Time: 10/15/2011 11:33:23.635 PDT
 INBOUND SCAN
 EXPLOIT
 EXPLOIT MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
   180.76.5.99 (11:29:41.649 PDT)
     event=1:2001220 {tcp} E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report, [] MAC_Src: 00:01:64:FF:CE:EA
     80->19523 (11:29:41.649 PDT)
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
   66.249.68.77 (3) (11:30:23.749 PDT)
     event=1:552123 (3) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
     80->65379 (11:30:23.749 PDT)
     80->61482 (11:31:11.124 PDT)
     80->50418 (11:32:39.604 PDT)
 ATTACK PREP
 PEER COORDINATION
 DECLARE BOT
tcpslice 1318703381.649 1318703381.650 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 66.249.68.77
Peer Coord. List:
Resource List:
Observed Start: 10/15/2011 11:35:26.188 PDT
Gen. Time: 10/15/2011 11:37:00.611 PDT
 INBOUND SCAN
 EXPLOIT
 EXPLOIT MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
   66.249.68.77 (11:35:26.188 PDT)
     event=1:2001220 {tcp} E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report, [] MAC_Src: 00:01:64:FF:CE:EA
     80->38806 (11:35:26.188 PDT)
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
   66.249.68.77 (11:37:00.611 PDT)
     event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
     80->35944 (11:37:00.611 PDT)
 ATTACK PREP
 PEER COORDINATION
 DECLARE BOT
tcpslice 1318703726.188 1318703726.189 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 66.249.68.77
Peer Coord. List:
Resource List:
Observed Start: 10/15/2011 11:35:26.188 PDT
Gen. Time: 10/15/2011 11:40:36.560 PDT
 INBOUND SCAN
 EXPLOIT
 EXPLOIT MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
   66.249.68.77 (11:35:26.188 PDT)
     event=1:2001220 {tcp} E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report, [] MAC_Src: 00:01:64:FF:CE:EA
     80->38806 (11:35:26.188 PDT)
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
   67.195.113.243 (11:37:31.950 PDT)
     event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
     80->45554 (11:37:31.950 PDT)
   66.249.68.77 (11:37:00.611 PDT)
     event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
     80->35944 (11:37:00.611 PDT)
 ATTACK PREP
 PEER COORDINATION
 DECLARE BOT
tcpslice 1318703726.188 1318703726.189 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 180.76.5.192 (2)
Peer Coord. List:
Resource List:
Observed Start: 10/15/2011 11:47:45.468 PDT
Gen. Time: 10/15/2011 11:48:21.742 PDT
 INBOUND SCAN
 EXPLOIT
 EXPLOIT MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
   180.76.5.192 (2) (11:47:45.468 PDT)
     event=1:2001220 (2) {tcp} E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report, [] MAC_Src: 00:01:64:FF:CE:EA
     2: 80->52459 (11:47:45.468 PDT-11:47:45.468 PDT)
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
   180.76.5.92 (11:48:21.742 PDT)
     event=1:5648 {tcp} E5[rb] GPL SHELLCODE x86 NOOP, [] MAC_Src: 00:01:64:FF:CE:EA
     80->20307 (11:48:21.742 PDT)
 ATTACK PREP
 PEER COORDINATION
 DECLARE BOT
tcpslice 1318704465.468 1318704465.469 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 180.76.5.67
Peer Coord. List:
Resource List:
Observed Start: 10/15/2011 14:02:08.520 PDT
Gen. Time: 10/15/2011 14:02:43.866 PDT
 INBOUND SCAN
 EXPLOIT
 EXPLOIT MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
   180.76.5.67 (14:02:08.520 PDT)
     event=1:2001220 {tcp} E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report, [] MAC_Src: 00:01:64:FF:CE:EA
     80->25643 (14:02:08.520 PDT)
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
   67.195.113.243 (14:02:43.866 PDT)
     event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
     80->33571 (14:02:43.866 PDT)
 ATTACK PREP
 PEER COORDINATION
 DECLARE BOT
tcpslice 1318712528.520 1318712528.521 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 180.76.5.12
Peer Coord. List:
Resource List:
Observed Start: 10/15/2011 15:49:08.154 PDT
Gen. Time: 10/15/2011 15:51:26.989 PDT
 INBOUND SCAN
 EXPLOIT
 EXPLOIT MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
   180.76.5.12 (15:51:26.989 PDT)
     event=1:2001220 {tcp} E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report, [] MAC_Src: 00:01:64:FF:CE:EA
     80->52973 (15:51:26.989 PDT)
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
   67.195.113.243 (2) (15:49:25.996 PDT)
     event=1:552123 (2) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
     80->46053 (15:49:25.996 PDT)
     80->52668 (15:50:18.210 PDT)
   208.115.111.67 (15:49:08.154 PDT)
     event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
     80->57571 (15:49:08.154 PDT)
 ATTACK PREP
 PEER COORDINATION
 DECLARE BOT
tcpslice 1318718948.154 1318718948.155 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 180.76.5.12
Peer Coord. List:
Resource List:
Observed Start: 10/15/2011 15:49:08.154 PDT
Gen. Time: 10/15/2011 15:53:57.857 PDT
 INBOUND SCAN
 EXPLOIT
 EXPLOIT MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
   180.76.5.12 (15:51:26.989 PDT)
     event=1:2001220 {tcp} E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report, [] MAC_Src: 00:01:64:FF:CE:EA
     80->52973 (15:51:26.989 PDT)
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
   67.195.113.243 (3) (15:49:25.996 PDT)
     event=1:552123 (3) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
     80->46053 (15:49:25.996 PDT)
     80->52668 (15:50:18.210 PDT)
     80->34870 (15:51:52.661 PDT)
   208.115.111.67 (15:49:08.154 PDT)
     event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
     80->57571 (15:49:08.154 PDT)
 ATTACK PREP
 PEER COORDINATION
 DECLARE BOT
tcpslice 1318718948.154 1318718948.155 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 66.249.68.77
Peer Coord. List:
Resource List:
Observed Start: 10/15/2011 16:04:35.466 PDT
Gen. Time: 10/15/2011 16:09:13.946 PDT
 INBOUND SCAN
 EXPLOIT
 EXPLOIT MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
   66.249.68.77 (16:09:13.946 PDT)
     event=1:2001220 {tcp} E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report, [] MAC_Src: 00:01:64:FF:CE:EA
     80->52117 (16:09:13.946 PDT)
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
   67.195.113.243 (2) (16:04:35.466 PDT)
     event=1:552123 (2) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
     80->36443 (16:04:35.466 PDT)
     80->33258 (16:08:19.769 PDT)
   66.249.68.77 (16:05:09.154 PDT)
     event=1:5648 {tcp} E5[rb] GPL SHELLCODE x86 NOOP, [] MAC_Src: 00:01:64:FF:CE:EA
     80->55285 (16:05:09.154 PDT)
 ATTACK PREP
 PEER COORDINATION
 DECLARE BOT
tcpslice 1318719875.466 1318719875.467 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 66.249.68.77
Peer Coord. List:
Resource List:
Observed Start: 10/15/2011 18:37:50.309 PDT
Gen. Time: 10/15/2011 18:41:53.490 PDT
 INBOUND SCAN
 EXPLOIT
 EXPLOIT MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
   66.249.68.77 (18:41:53.490 PDT)
     event=1:2001220 {tcp} E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report, [] MAC_Src: 00:01:64:FF:CE:EA
     80->35716 (18:41:53.490 PDT)
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
   180.76.5.140 (18:37:50.309 PDT)
     event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
     80->9278 (18:37:50.309 PDT)
   180.76.5.167 (18:39:07.586 PDT)
     event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
     80->2111 (18:39:07.586 PDT)
 ATTACK PREP
 PEER COORDINATION
 DECLARE BOT
tcpslice 1318729070.309 1318729070.310 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 66.249.68.77
Peer Coord. List:
Resource List:
Observed Start: 10/15/2011 18:37:50.309 PDT
Gen. Time: 10/15/2011 18:46:06.199 PDT
 INBOUND SCAN
 EXPLOIT
 EXPLOIT MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
   66.249.68.77 (18:41:53.490 PDT)
     event=1:2001220 {tcp} E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report, [] MAC_Src: 00:01:64:FF:CE:EA
     80->35716 (18:41:53.490 PDT)
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
   180.76.5.140 (18:37:50.309 PDT)
     event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
     80->9278 (18:37:50.309 PDT)
   180.76.5.164 (18:43:31.569 PDT)
     event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
     80->2403 (18:43:31.569 PDT)
   180.76.5.167 (18:39:07.586 PDT)
     event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
     80->2111 (18:39:07.586 PDT)
   180.76.5.196 (18:42:13.473 PDT)
     event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
     80->2716 (18:42:13.473 PDT)
 ATTACK PREP
 PEER COORDINATION
 DECLARE BOT
tcpslice 1318729070.309 1318729070.310 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 66.249.68.77
Peer Coord. List:
Resource List:
Observed Start: 10/15/2011 19:26:17.844 PDT
Gen. Time: 10/15/2011 19:28:11.684 PDT
 INBOUND SCAN
 EXPLOIT
 EXPLOIT MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
   66.249.68.77 (19:28:11.684 PDT)
     event=1:2001220 {tcp} E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report, [] MAC_Src: 00:01:64:FF:CE:EA
     80->48223 (19:28:11.684 PDT)
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
   180.76.5.92 (19:26:17.844 PDT)
     event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
     80->38913 (19:26:17.844 PDT)
 ATTACK PREP
 PEER COORDINATION
 DECLARE BOT
tcpslice 1318731977.844 1318731977.845 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 66.249.68.77 (3)
Peer Coord. List:
Resource List:
Observed Start: 10/15/2011 19:26:17.844 PDT
Gen. Time: 10/15/2011 19:30:53.644 PDT
 INBOUND SCAN
 EXPLOIT
 EXPLOIT MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
   66.249.68.77 (3) (19:28:11.684 PDT-19:28:11.685 PDT)
     event=1:2001220 (3) {tcp} E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report, [] MAC_Src: 00:01:64:FF:CE:EA
     3: 80->48223 (19:28:11.684 PDT-19:28:11.685 PDT)
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
   180.76.5.92 (19:26:17.844 PDT)
     event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
     80->38913 (19:26:17.844 PDT)
   180.76.5.87 (19:28:27.058 PDT)
     event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
     80->38853 (19:28:27.058 PDT)
 ATTACK PREP
 PEER COORDINATION
 DECLARE BOT
tcpslice 1318731977.844 1318732091.686 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 66.249.68.77
Peer Coord. List:
Resource List:
Observed Start: 10/15/2011 19:42:48.388 PDT
Gen. Time: 10/15/2011 19:47:31.092 PDT
 INBOUND SCAN
 EXPLOIT
 EXPLOIT MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
   66.249.68.77 (19:47:31.092 PDT)
     event=1:2001220 {tcp} E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report, [] MAC_Src: 00:01:64:FF:CE:EA
     80->35764 (19:47:31.092 PDT)
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
   208.115.111.67 (3) (19:45:20.612 PDT)
     event=1:552123 (3) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
     80->59107 (19:45:20.612 PDT)
     80->45233 (19:45:32.828 PDT)
     80->34518 (19:45:47.525 PDT)
   180.76.5.25 (19:42:48.388 PDT)
     event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
     80->62458 (19:42:48.388 PDT)
 ATTACK PREP
 PEER COORDINATION
 DECLARE BOT
tcpslice 1318732968.388 1318732968.389 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 66.249.68.77
Peer Coord. List:
Resource List:
Observed Start: 10/15/2011 19:42:48.388 PDT
Gen. Time: 10/15/2011 19:58:18.005 PDT
 INBOUND SCAN
 EXPLOIT
 EXPLOIT MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
   66.249.68.77 (19:47:31.092 PDT)
     event=1:2001220 {tcp} E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report, [] MAC_Src: 00:01:64:FF:CE:EA
     80->35764 (19:47:31.092 PDT)
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
   67.195.113.243 (2) (19:49:14.209 PDT)
     event=1:552123 (2) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
     80->49034 (19:49:14.209 PDT)
     80->50912 (19:49:32.049 PDT)
   208.115.111.67 (3) (19:45:20.612 PDT)
     event=1:552123 (3) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
     80->59107 (19:45:20.612 PDT)
     80->45233 (19:45:32.828 PDT)
     80->34518 (19:45:47.525 PDT)
   180.76.5.51 (19:56:22.370 PDT)
     event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
     80->38982 (19:56:22.370 PDT)
   180.76.5.113 (2) (19:50:12.806 PDT)
     event=1:552123 (2) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
     80->39621 (19:50:12.806 PDT)
     80->39807 (19:55:04.641 PDT)
   180.76.5.25 (19:42:48.388 PDT)
     event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
     80->62458 (19:42:48.388 PDT)
   180.76.5.182 (19:53:42.880 PDT)
     event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
     80->4414 (19:53:42.880 PDT)
 ATTACK PREP
 PEER COORDINATION
 DECLARE BOT
tcpslice 1318732968.388 1318732968.389 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 66.249.68.77
Peer Coord. List:
Resource List:
Observed Start: 10/15/2011 20:57:49.975 PDT
Gen. Time: 10/15/2011 20:58:48.584 PDT
 INBOUND SCAN
 EXPLOIT
 EXPLOIT MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
   66.249.68.77 (20:58:48.584 PDT)
     event=1:2001220 {tcp} E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report, [] MAC_Src: 00:01:64:FF:CE:EA
     80->42463 (20:58:48.584 PDT)
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
   67.195.113.243 (20:57:49.975 PDT)
     event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
     80->58042 (20:57:49.975 PDT)
 ATTACK PREP
 PEER COORDINATION
 DECLARE BOT
tcpslice 1318737469.975 1318737469.976 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 66.249.68.77
Peer Coord. List:
Resource List:
Observed Start: 10/15/2011 21:13:50.599 PDT
Gen. Time: 10/15/2011 21:14:05.865 PDT
 INBOUND SCAN
 EXPLOIT
 EXPLOIT MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
   66.249.68.77 (21:13:50.599 PDT)
     event=1:2001220 {tcp} E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report, [] MAC_Src: 00:01:64:FF:CE:EA
     80->57888 (21:13:50.599 PDT)
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
   67.195.113.243 (21:14:05.865 PDT)
     event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
     80->55681 (21:14:05.865 PDT)
 ATTACK PREP
 PEER COORDINATION
 DECLARE BOT
tcpslice 1318738430.599 1318738430.600 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 66.249.67.34
Peer Coord. List:
Resource List:
Observed Start: 10/15/2011 21:21:11.579 PDT
Gen.
Time: 10/15/2011 21:22:42.462 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC 66.249.67.34 (21:22:42.462 PDT) event=1:2001220 {tcp} E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report, [] MAC_Src: 00:01:64:FF:CE:EA 80->47852 (21:22:42.462 PDT) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 180.76.5.147 (21:21:11.579 PDT) event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA 80->14964 (21:21:11.579 PDT) 67.195.113.243 (21:21:35.126 PDT) event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA 80->50152 (21:21:35.126 PDT) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1318738871.579 1318738871.580 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85' ============================== SEPARATOR ================================ Score: 1.0 (>= 0.8) Infected Target: 192.168.1.85 Infector List: Egg Source List: C & C List: 66.249.68.77 Peer Coord. List: Resource List: Observed Start: 10/15/2011 21:36:00.006 PDT Gen. 
Time: 10/15/2011 21:36:42.499 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC 66.249.68.77 (21:36:42.499 PDT) event=1:2001220 {tcp} E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report, [] MAC_Src: 00:01:64:FF:CE:EA 80->59343 (21:36:42.499 PDT) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 180.76.5.185 (21:36:00.006 PDT) event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA 80->6646 (21:36:00.006 PDT) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1318739760.006 1318739760.007 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85' ============================== SEPARATOR ================================ Score: 1.0 (>= 0.8) Infected Target: 192.168.1.85 Infector List: Egg Source List: C & C List: 66.249.68.77 Peer Coord. List: Resource List: Observed Start: 10/15/2011 21:43:40.774 PDT Gen. Time: 10/15/2011 21:45:22.358 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC 66.249.68.77 (21:45:22.358 PDT) event=1:2001220 {tcp} E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report, [] MAC_Src: 00:01:64:FF:CE:EA 80->62889 (21:45:22.358 PDT) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 66.249.68.77 (2) (21:43:40.774 PDT) event=1:552123 (2) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA 80->62429 (21:43:40.774 PDT) 80->34751 (21:44:14.300 PDT) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1318740220.774 1318740220.775 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85' ============================== SEPARATOR ================================ Score: 1.0 (>= 0.8) Infected Target: 192.168.1.85 Infector List: Egg Source List: C & C List: 66.249.68.77 (2) Peer Coord. List: Resource List: Observed Start: 10/15/2011 21:43:40.774 PDT Gen. 
Time: 10/15/2011 21:48:41.995 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC 66.249.68.77 (2) (21:45:22.358 PDT-21:45:22.359 PDT) event=1:2001220 (2) {tcp} E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report, [] MAC_Src: 00:01:64:FF:CE:EA 2: 80->62889 (21:45:22.358 PDT-21:45:22.359 PDT) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 67.195.113.243 (21:46:22.184 PDT) event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA 80->48181 (21:46:22.184 PDT) 66.249.68.77 (2) (21:43:40.774 PDT) event=1:552123 (2) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA 80->62429 (21:43:40.774 PDT) 80->34751 (21:44:14.300 PDT) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1318740220.774 1318740322.360 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85' ============================== SEPARATOR ================================
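A triage pass over profiles like the ones above, added here as an example; it is not part of BotHunter and not part of this report. Two things stand out in every profile in this dump: the only dialog classes carrying evidence are E4 (C and C TRAFFIC) and E5 (OUTBOUND SCAN), with nothing under EXPLOIT or EGG DOWNLOAD, and every flow that fired runs from port 80 on 192.168.1.85 to an ephemeral port on the remote host, so signatures 2001220 and 552123 matched content that 192.168.1.85 served as a web server. The hosts listed as C&C (66.249.68.77, 66.249.67.34), 67.195.113.243 and the 180.76.5.x hosts sit in address ranges that at the time were used by Google's, Yahoo's and Baidu's web crawlers, which makes a DECLARE BOT resting only on these response matches something to confirm against the sliced pcap before acting on it. The code below reads the same fields (header labels, phase names, `event=` records, `a->b` port pairs) with whitespace-insensitive patterns, so it accepts the flattened form in which the report appears here as well as the multi-line original; it flags profiles whose evidence is entirely service-port responses in E4/E5 classes, and it builds a tcpslice window from Observed Start to Gen. Time rather than the millisecond-wide window printed for most profiles above. The function names and the triage rule are mine, not BotHunter's, and two assumptions are labelled in the code: PDT is treated as a fixed UTC-7 offset, and `a->b` is read as source port to destination port on a flow the target sent (MAC_Src being the target's MAC). The sample input is the 19:42:48 profile from this report, retyped in flattened form.

```python
"""Triage helper for BotHunter infection profiles (added example, not BotHunter's own code)."""
import re
from datetime import datetime, timedelta, timezone

PDT = timezone(timedelta(hours=-7))  # profile stamps say PDT; a fixed UTC-7 offset is assumed
# Longer phase names precede their prefixes so "EXPLOIT" never matches "EXPLOIT MALWARE DNS".
PHASES = ["INBOUND SCAN", "EXPLOIT MALWARE DNS", "EXPLOIT", "EGG DOWNLOAD",
          "C and C TRAFFIC (RBN)", "C and C TRAFFIC", "C and C DNS CHECK-IN",
          "OUTBOUND SKYPE CANDIDATE", "OUTBOUND SCAN (spp)", "OUTBOUND SCAN",
          "ATTACK PREP", "PEER COORDINATION", "DECLARE BOT"]
PHASE_RE = re.compile("|".join(re.escape(p) for p in PHASES))
LABELS = ["Score", "Infected Target", "Infector List", "Egg Source List", "C & C List",
          "Peer Coord. List", "Resource List", "Observed Start", "Gen. Time"]
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
T = r"\d\d:\d\d:\d\d\.\d{3}"
# Remote-host, IDS-event and flow records under a phase; \s+ throughout, so a profile
# flattened onto one line (as in the dump above) parses like the multi-line original.
TOKEN_RE = re.compile(
    rf"(?P<ip>\b\d{{1,3}}(?:\.\d{{1,3}}){{3}})(?:\s+\(\d+\))?\s+\((?P<first>{T})\s+PDT(?:-{T}\s+PDT)?\)"
    rf"|event=1:(?P<sid>\d+)(?:\s+\(\d+\))?\s+\{{(?P<proto>\w+)\}}\s+(?P<cls>E\d)\[\w+\]\s+"
    rf"(?P<msg>.*?),\s+\[\]\s+MAC_Src:\s+(?P<mac>(?:[0-9A-Fa-f]{{2}}:){{5}}[0-9A-Fa-f]{{2}})"
    rf"|(?:\d+:\s+)?(?P<sport>\d+)->(?P<dport>\d+)\s+\((?P<when>{T})\s+PDT(?:-{T}\s+PDT)?\)")

# Constructed sample: the 19:42:48 profile from the dump above, flattened the way the dump is.
SAMPLE = (
    "Score: 1.0 (>= 0.8) Infected Target: 192.168.1.85 Infector List: Egg Source List: "
    "C & C List: 66.249.68.77 Peer Coord. List: Resource List: Observed Start: 10/15/2011 "
    "19:42:48.388 PDT Gen. Time: 10/15/2011 19:47:31.092 PDT INBOUND SCAN EXPLOIT EXPLOIT "
    "MALWARE DNS EGG DOWNLOAD C and C TRAFFIC 66.249.68.77 (19:47:31.092 PDT) event=1:2001220 "
    "{tcp} E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report, [] MAC_Src: 00:01:64:FF:CE:EA "
    "80->35764 (19:47:31.092 PDT) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE "
    "CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 208.115.111.67 (3) (19:45:20.612 PDT) "
    "event=1:552123 (3) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, "
    "[] MAC_Src: 00:01:64:FF:CE:EA 80->59107 (19:45:20.612 PDT) 80->45233 (19:45:32.828 PDT) "
    "80->34518 (19:45:47.525 PDT) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice "
    "1318732968.388 1318732968.389 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd "
    "'host 192.168.1.85' ============================== SEPARATOR ================================")

def _field(chunk, name):
    """Value of a 'Name: value' header field, read up to the next label or the first phase."""
    stop = "|".join(re.escape(h) + ":" for h in LABELS) + "|" + PHASE_RE.pattern
    m = re.search(rf"{re.escape(name)}:\s*(.*?)\s*(?={stop})", chunk, re.S)
    return m.group(1) if m else ""

def _parse_phase(segment):
    """Hosts, each with its IDS events, each with its port-pair flows, under one phase."""
    hosts = []
    for m in TOKEN_RE.finditer(segment):
        if m.group("ip"):
            hosts.append({"ip": m.group("ip"), "first_seen": m.group("first"), "events": []})
        elif m.group("sid") and hosts:
            hosts[-1]["events"].append({"sid": int(m.group("sid")), "class": m.group("cls"),
                                        "msg": m.group("msg"), "flows": []})
        elif hosts and hosts[-1]["events"]:
            hosts[-1]["events"][-1]["flows"].append(
                (int(m.group("sport")), int(m.group("dport")), m.group("when")))
    return hosts

def parse_profiles(text):
    """Split a report on its SEPARATOR lines and parse every profile into a dict."""
    out = []
    for chunk in re.split(r"=+\s*SEPARATOR\s*=+", text):
        first = PHASE_RE.search(chunk)
        if "Infected Target:" not in chunk or not first:
            continue
        body = chunk[first.start():].split("tcpslice")[0]  # phase tree only, no slice command
        marks = list(PHASE_RE.finditer(body))
        phases = {cur.group(): _parse_phase(body[cur.end():nxt.start() if nxt else len(body)])
                  for cur, nxt in zip(marks, marks[1:] + [None])}
        out.append({"target": _field(chunk, "Infected Target"),
                    "cnc": IP_RE.findall(_field(chunk, "C & C List")),
                    "observed_start": _field(chunk, "Observed Start"),
                    "gen_time": _field(chunk, "Gen. Time"), "phases": phases})
    return out

def to_epoch(stamp):
    """'10/15/2011 19:42:48.388 PDT' -> POSIX seconds, the unit tcpslice takes."""
    naive = datetime.strptime(stamp.replace("PDT", "").strip(), "%m/%d/%Y %H:%M:%S.%f")
    return naive.replace(tzinfo=PDT).timestamp()

def slice_command(profile, pcap_in="inputFile.tcpd", pcap_out="outputFile.tcpd"):
    """tcpslice | tcpdump over the whole Observed Start .. Gen. Time window, not the
    millisecond-wide window BotHunter printed for most of the profiles above."""
    start, end = to_epoch(profile["observed_start"]), to_epoch(profile["gen_time"]) + 0.001
    return (f"tcpslice {start:.3f} {end:.3f} {pcap_in} | "
            f"tcpdump -r - -w {pcap_out} 'host {profile['target']}'")

def triage(profile):
    """Summarise the evidence chain and say whether the DECLARE BOT needs a pcap check."""
    evidence = {ph: hosts for ph, hosts in profile["phases"].items() if hosts}
    events = [e for hosts in evidence.values() for h in hosts for e in h["events"]]
    flows = [f for e in events for f in e["flows"]]
    # Assumption: "a->b" is src->dst port of a flow the target emitted (MAC_Src is its MAC),
    # so a service sport with an ephemeral dport means the target was answering as a server.
    only_responses = bool(flows) and all(s < 1024 <= d for s, d, _ in flows)
    # Only E4 (C&C) and E5 (outbound scan) with no exploit or egg evidence is a thin chain.
    weak_chain = {e["class"] for e in events} <= {"E4", "E5"}
    return {"target": profile["target"], "phases_with_evidence": sorted(evidence),
            "remote_hosts": sorted({h["ip"] for hosts in evidence.values() for h in hosts}),
            "signatures": sorted({e["sid"] for e in events}),
            "needs_pcap_review": only_responses and weak_chain,
            "pcap_slice": slice_command(profile)}

REPORT = [triage(p) for p in parse_profiles(SAMPLE)]  # triage of the constructed sample
```

Run as-is, `REPORT[0]["needs_pcap_review"]` is True for the sample and `REPORT[0]["pcap_slice"]` is a tcpslice pipeline spanning the whole profile; feed `parse_profiles` the raw report text, flattened or not, to triage every profile in one pass, and run the emitted command once `inputFile.tcpd` points at the real capture.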