Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 180.76.5.170
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 00:57:48.106 PST
Gen. Time: 11/29/2011 01:18:32.939 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
  180.76.5.170 (01:18:32.939 PST)
    event=1:2001220 {tcp} E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report, [] MAC_Src: 00:01:64:FF:CE:EA
    80->44954 (01:18:32.939 PST)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  180.76.5.161 (01:02:00.767 PST)
    event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->43454 (01:02:00.767 PST)
  180.76.5.183 (01:01:49.346 PST)
    event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->52073 (01:01:49.346 PST)
  180.76.5.52 (01:15:33.019 PST)
    event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->52293 (01:15:33.019 PST)
  180.76.5.190 (01:14:01.032 PST)
    event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->55721 (01:14:01.032 PST)
  66.249.68.7 (4) (00:58:53.703 PST)
    event=1:552123 (4) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->38905 (00:58:53.703 PST) 80->39695 (01:01:08.108 PST) 80->36946 (01:05:04.545 PST) 80->54998 (01:08:01.484 PST)
  180.76.5.182 (00:57:59.568 PST)
    event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->54551 (00:57:59.568 PST)
  180.76.5.197 (01:06:27.881 PST)
    event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->55651 (01:06:27.881 PST)
  180.76.5.166 (01:15:10.012 PST)
    event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->45766 (01:15:10.012 PST)
  180.76.5.66 (01:04:32.841 PST)
    event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->53250 (01:04:32.841 PST)
  180.76.5.194 (01:12:06.080 PST)
    event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->54595 (01:12:06.080 PST)
  180.76.5.140 (01:11:08.721 PST)
    event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->54375 (01:11:08.721 PST)
  180.76.5.48 (00:57:48.106 PST)
    event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->46745 (00:57:48.106 PST)
  180.76.5.178 (2) (01:00:40.509 PST)
    event=1:552123 (2) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->54513 (01:00:40.509 PST) 80->54890 (01:07:13.910 PST)
ATTACK PREP
PEER COORDINATION
DECLARE BOT
tcpslice 1322557068.106 1322557068.107 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'
============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 180.76.5.51
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 02:07:50.308 PST
Gen. Time: 11/29/2011 02:11:51.305 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
  180.76.5.51 (02:07:50.308 PST)
    event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
    80->55273 (02:07:50.308 PST)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  66.249.68.7 (02:11:51.305 PST)
    event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->53142 (02:11:51.305 PST)
ATTACK PREP
PEER COORDINATION
DECLARE BOT
tcpslice 1322561270.308 1322561270.309 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'
============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 180.76.5.63
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 04:23:53.952 PST
Gen. Time: 11/29/2011 04:26:53.972 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
  180.76.5.63 (04:23:53.952 PST)
    event=1:2001220 {tcp} E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report, [] MAC_Src: 00:01:64:FF:CE:EA
    80->3685 (04:23:53.952 PST)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  66.249.68.7 (04:26:53.972 PST)
    event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->44257 (04:26:53.972 PST)
ATTACK PREP
PEER COORDINATION
DECLARE BOT
tcpslice 1322569433.952 1322569433.953 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'
============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 180.76.5.63
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 04:23:53.952 PST
Gen. Time: 11/29/2011 04:32:06.494 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
  180.76.5.63 (04:23:53.952 PST)
    event=1:2001220 {tcp} E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report, [] MAC_Src: 00:01:64:FF:CE:EA
    80->3685 (04:23:53.952 PST)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  66.249.68.7 (2) (04:26:53.972 PST)
    event=1:552123 (2) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->44257 (04:26:53.972 PST) 80->50402 (04:28:04.039 PST)
ATTACK PREP
PEER COORDINATION
DECLARE BOT
tcpslice 1322569433.952 1322569433.953 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'
============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 180.76.5.56, 180.76.5.195
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 04:36:21.995 PST
Gen. Time: 11/29/2011 04:40:22.941 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
  180.76.5.56 (04:36:21.995 PST)
    event=1:2001220 {tcp} E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report, [] MAC_Src: 00:01:64:FF:CE:EA
    80->3104 (04:36:21.995 PST)
  180.76.5.195 (04:37:31.515 PST)
    event=1:2001220 {tcp} E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report, [] MAC_Src: 00:01:64:FF:CE:EA
    80->65066 (04:37:31.515 PST)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  66.249.68.7 (04:40:22.941 PST)
    event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->34051 (04:40:22.941 PST)
ATTACK PREP
PEER COORDINATION
DECLARE BOT
tcpslice 1322570181.995 1322570181.996 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'
============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 180.76.5.56, 180.76.5.195
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 04:36:21.995 PST
Gen. Time: 11/29/2011 04:52:52.949 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
  180.76.5.56 (04:36:21.995 PST)
    event=1:2001220 {tcp} E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report, [] MAC_Src: 00:01:64:FF:CE:EA
    80->3104 (04:36:21.995 PST)
  180.76.5.195 (04:37:31.515 PST)
    event=1:2001220 {tcp} E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report, [] MAC_Src: 00:01:64:FF:CE:EA
    80->65066 (04:37:31.515 PST)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  66.249.68.7 (4) (04:40:22.941 PST)
    event=1:552123 (4) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->34051 (04:40:22.941 PST) 80->51749 (04:43:26.969 PST) 80->61800 (04:47:02.066 PST) 80->63511 (04:48:27.045 PST)
ATTACK PREP
PEER COORDINATION
DECLARE BOT
tcpslice 1322570181.995 1322570181.996 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'
============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 180.76.5.143
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 05:41:25.938 PST
Gen. Time: 11/29/2011 05:42:12.674 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
  180.76.5.143 (05:42:12.674 PST)
    event=1:2001220 {tcp} E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report, [] MAC_Src: 00:01:64:FF:CE:EA
    80->6995 (05:42:12.674 PST)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  180.76.5.98 (05:41:25.938 PST)
    event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->7306 (05:41:25.938 PST)
ATTACK PREP
PEER COORDINATION
DECLARE BOT
tcpslice 1322574085.938 1322574085.939 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'
============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 180.76.5.143, 180.76.5.94
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 05:41:25.938 PST
Gen. Time: 11/29/2011 05:50:40.579 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
  180.76.5.143 (05:42:12.674 PST)
    event=1:2001220 {tcp} E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report, [] MAC_Src: 00:01:64:FF:CE:EA
    80->6995 (05:42:12.674 PST)
  180.76.5.94 (05:46:37.528 PST)
    event=1:2001220 {tcp} E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report, [] MAC_Src: 00:01:64:FF:CE:EA
    80->10790 (05:46:37.528 PST)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  66.249.68.7 (2) (05:44:59.481 PST)
    event=1:552123 (2) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->47440 (05:44:59.481 PST) 80->42597 (05:47:00.361 PST)
  180.76.5.98 (05:41:25.938 PST)
    event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->7306 (05:41:25.938 PST)
ATTACK PREP
PEER COORDINATION
DECLARE BOT
tcpslice 1322574085.938 1322574085.939 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'
============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 180.76.5.56
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 06:13:51.207 PST
Gen. Time: 11/29/2011 06:15:41.975 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
  180.76.5.56 (06:13:51.207 PST)
    event=1:2001220 {tcp} E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report, [] MAC_Src: 00:01:64:FF:CE:EA
    80->11786 (06:13:51.207 PST)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  66.249.68.7 (06:15:41.975 PST)
    event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->50080 (06:15:41.975 PST)
ATTACK PREP
PEER COORDINATION
DECLARE BOT
tcpslice 1322576031.207 1322576031.208 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'
============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 180.76.5.67
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 06:25:38.801 PST
Gen. Time: 11/29/2011 06:27:21.534 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
  180.76.5.67 (06:27:21.534 PST)
    event=1:2001220 {tcp} E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report, [] MAC_Src: 00:01:64:FF:CE:EA
    80->14456 (06:27:21.534 PST)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  66.249.68.7 (06:25:38.801 PST)
    event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->47225 (06:25:38.801 PST)
  155.95.80.253 (06:26:33.068 PST)
    event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->30749 (06:26:33.068 PST)
ATTACK PREP
PEER COORDINATION
DECLARE BOT
tcpslice 1322576738.801 1322576738.802 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'
============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 180.76.5.67 (2)
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 06:25:38.801 PST
Gen. Time: 11/29/2011 06:32:10.754 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
  180.76.5.67 (2) (06:27:21.534 PST-06:27:21.535 PST)
    event=1:2001220 (2) {tcp} E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report, [] MAC_Src: 00:01:64:FF:CE:EA
    2: 80->14456 (06:27:21.534 PST-06:27:21.535 PST)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  66.249.68.7 (2) (06:25:38.801 PST)
    event=1:552123 (2) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->47225 (06:25:38.801 PST) 80->33840 (06:28:01.034 PST)
  155.95.80.253 (06:26:33.068 PST)
    event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->30749 (06:26:33.068 PST)
ATTACK PREP
PEER COORDINATION
DECLARE BOT
tcpslice 1322576738.801 1322576841.536 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'
============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 180.76.5.185
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 07:00:55.954 PST
Gen. Time: 11/29/2011 07:02:48.020 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
  180.76.5.185 (07:02:48.020 PST)
    event=1:2001220 {tcp} E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report, [] MAC_Src: 00:01:64:FF:CE:EA
    80->8117 (07:02:48.020 PST)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  66.249.68.7 (07:00:55.954 PST)
    event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->58747 (07:00:55.954 PST)
ATTACK PREP
PEER COORDINATION
DECLARE BOT
tcpslice 1322578855.954 1322578855.955 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'
============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 180.76.5.185
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 07:00:55.954 PST
Gen. Time: 11/29/2011 07:07:38.273 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
  180.76.5.185 (07:02:48.020 PST)
    event=1:2001220 {tcp} E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report, [] MAC_Src: 00:01:64:FF:CE:EA
    80->8117 (07:02:48.020 PST)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  66.249.68.7 (3) (07:00:55.954 PST)
    event=1:552123 (3) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->58747 (07:00:55.954 PST) 80->49234 (07:03:27.476 PST) 80->54800 (07:03:38.160 PST)
ATTACK PREP
PEER COORDINATION
DECLARE BOT
tcpslice 1322578855.954 1322578855.955 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'
============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 212.113.37.105
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 07:59:08.788 PST
Gen. Time: 11/29/2011 08:00:06.844 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
  212.113.37.105 (08:00:06.844 PST)
    event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
    80->47616 (08:00:06.844 PST)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  66.249.68.7 (2) (07:59:08.788 PST)
    event=1:552123 (2) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->55787 (07:59:08.788 PST) 80->51309 (07:59:59.493 PST)
  212.113.37.105 (2) (08:00:05.628 PST)
    event=1:552123 (2) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->46810 (08:00:05.628 PST) 80->47616 (08:00:06.631 PST)
ATTACK PREP
PEER COORDINATION
DECLARE BOT
tcpslice 1322582348.788 1322582348.789 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'
============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 212.113.37.105
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 07:59:08.788 PST
Gen. Time: 11/29/2011 08:11:41.438 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
  212.113.37.105 (08:00:06.844 PST)
    event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
    80->47616 (08:00:06.844 PST)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  66.249.68.7 (5) (07:59:08.788 PST)
    event=1:552123 (5) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->55787 (07:59:08.788 PST) 80->51309 (07:59:59.493 PST) 80->48579 (08:02:31.360 PST) 80->65132 (08:05:03.173 PST) 80->38052 (08:05:53.893 PST)
  212.113.37.105 (12) (08:00:05.628 PST)
    event=1:552123 (12) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->46810 (08:00:05.628 PST) 80->47616 (08:00:06.631 PST) 80->48053 (08:00:07.541 PST) 80->48592 (08:00:08.987 PST) 80->49417 (08:00:15.013 PST) 80->55389 (08:01:41.691 PST) 80->46238 (08:02:57.846 PST) 80->50068 (08:03:04.355 PST) 80->36374 (08:04:12.180 PST) 80->40135 (08:04:18.935 PST) 80->38750 (08:05:42.552 PST) 80->46486 (08:06:03.673 PST)
ATTACK PREP
PEER COORDINATION
DECLARE BOT
tcpslice 1322582348.788 1322582348.789 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'
============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 180.76.6.37
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 09:50:57.271 PST
Gen. Time: 11/29/2011 09:53:28.686 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
  180.76.6.37 (09:53:28.686 PST)
    event=1:2001220 {tcp} E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report, [] MAC_Src: 00:01:64:FF:CE:EA
    80->17944 (09:53:28.686 PST)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  180.76.5.181 (09:50:57.271 PST)
    event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->20773 (09:50:57.271 PST)
ATTACK PREP
PEER COORDINATION
DECLARE BOT
tcpslice 1322589057.271 1322589057.272 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'
============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 180.76.6.37
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 09:50:57.271 PST
Gen. Time: 11/29/2011 10:00:33.606 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
  180.76.6.37 (09:53:28.686 PST)
    event=1:2001220 {tcp} E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report, [] MAC_Src: 00:01:64:FF:CE:EA
    80->17944 (09:53:28.686 PST)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  66.249.68.7 (09:56:22.615 PST)
    event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->61687 (09:56:22.615 PST)
  180.76.5.181 (09:50:57.271 PST)
    event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->20773 (09:50:57.271 PST)
ATTACK PREP
PEER COORDINATION
DECLARE BOT
tcpslice 1322589057.271 1322589057.272 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'
============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 180.76.5.192
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 15:26:15.958 PST
Gen. Time: 11/29/2011 15:32:44.052 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
  180.76.5.192 (15:32:44.052 PST)
    event=1:2001220 {tcp} E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report, [] MAC_Src: 00:01:64:FF:CE:EA
    80->37493 (15:32:44.052 PST)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  66.249.68.7 (3) (15:26:15.958 PST)
    event=1:552123 (3) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->55171 (15:26:15.958 PST) 80->35499 (15:28:18.625 PST) 80->39990 (15:30:19.826 PST)
  180.76.5.192 (15:32:44.052 PST)
    event=1:5648 {tcp} E5[rb] GPL SHELLCODE x86 NOOP, [] MAC_Src: 00:01:64:FF:CE:EA
    80->37493 (15:32:44.052 PST)
ATTACK PREP
PEER COORDINATION
DECLARE BOT
tcpslice 1322609175.958 1322609175.959 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 18:14:45.781 PST
Gen. Time: 11/29/2011 18:14:45.781 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  64.56.64.18 (18:14:45.781 PST)
    event=1:9910023 {tcp} E8[rb] BotHunter Malware propagation attack source, [] MAC_Src: 00:30:48:30:03:AF
    445->3665 (18:14:45.781 PST)
tcpslice 1322619285.781 1322619285.782 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'
============================== SEPARATOR ================================

Score: 1.6 (>= 0.8)
Infected Target: 192.168.1.85
Infector List: 64.56.64.18
Egg Source List: 64.56.64.18
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 18:14:45.781 PST
Gen. Time: 11/29/2011 18:18:52.614 PST
INBOUND SCAN
EXPLOIT
  64.56.64.18 (18:14:45.997 PST)
    event=1:22009200 {tcp} E2[rb] ET CURRENT_EVENTS Conficker.a Shellcode, [] MAC_Dst: 00:30:48:30:03:AE
    445<-3768 (18:14:45.997 PST)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  64.56.64.18 (3) (18:14:46.124 PST)
    event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00
    1028<-8119 (18:14:46.124 PST)
    -------------------------
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    1028<-8119 (18:14:46.124 PST)
    -------------------------
    event=1:3300007 {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00
    1028<-8119 (18:14:46.124 PST)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  64.56.64.18 (2) (18:14:45.781 PST)
    event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:30:48:30:03:AF
    1028->8119 (18:14:46.091 PST)
    -------------------------
    event=1:9910023 {tcp} E8[rb] BotHunter Malware propagation attack source, [] MAC_Src: 00:30:48:30:03:AF
    445->3665 (18:14:45.781 PST)
tcpslice 1322619285.781 1322619285.782 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'
============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 180.76.5.143
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 20:07:55.251 PST
Gen. Time: 11/29/2011 20:09:49.389 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
  180.76.5.143 (20:09:49.389 PST)
    event=1:2001220 {tcp} E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report, [] MAC_Src: 00:01:64:FF:CE:EA
    80->57106 (20:09:49.389 PST)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  66.249.68.7 (2) (20:07:55.251 PST)
    event=1:552123 (2) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->36906 (20:07:55.251 PST) 80->47903 (20:08:41.280 PST)
ATTACK PREP
PEER COORDINATION
DECLARE BOT
tcpslice 1322626075.251 1322626075.252 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'
============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 180.76.5.143 (2), 180.76.5.192
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 20:07:55.251 PST
Gen. Time: 11/29/2011 20:19:35.234 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
  180.76.5.143 (2) (20:09:49.389 PST)
    event=1:2001220 (2) {tcp} E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report, [] MAC_Src: 00:01:64:FF:CE:EA
    2: 80->57106 (20:09:49.389 PST-20:09:49.389 PST)
  180.76.5.192 (20:12:19.578 PST)
    event=1:2001220 {tcp} E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report, [] MAC_Src: 00:01:64:FF:CE:EA
    80->52484 (20:12:19.578 PST)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  66.249.68.7 (4) (20:07:55.251 PST)
    event=1:552123 (4) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->36906 (20:07:55.251 PST) 80->47903 (20:08:41.280 PST) 80->55208 (20:10:13.284 PST) 80->58950 (20:15:32.345 PST)
ATTACK PREP
PEER COORDINATION
DECLARE BOT
tcpslice 1322626075.251 1322626189.390 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'
============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 180.76.5.138
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 21:43:25.390 PST
Gen. Time: 11/29/2011 21:45:12.120 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
  180.76.5.138 (21:43:25.390 PST)
    event=1:2001220 {tcp} E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report, [] MAC_Src: 00:01:64:FF:CE:EA
    80->62984 (21:43:25.390 PST)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  65.52.108.67 (21:45:12.120 PST)
    event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->61820 (21:45:12.120 PST)
ATTACK PREP
PEER COORDINATION
DECLARE BOT
tcpslice 1322631805.390 1322631805.391 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'
============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 180.76.5.138
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 21:43:25.390 PST
Gen. Time: 11/29/2011 21:48:09.990 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
  180.76.5.138 (21:43:25.390 PST)
    event=1:2001220 {tcp} E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report, [] MAC_Src: 00:01:64:FF:CE:EA
    80->62984 (21:43:25.390 PST)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  65.52.108.67 (21:45:12.120 PST)
    event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->61820 (21:45:12.120 PST)
  157.55.17.195 (21:45:43.088 PST)
    event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->56248 (21:45:43.088 PST)
ATTACK PREP
PEER COORDINATION
DECLARE BOT
tcpslice 1322631805.390 1322631805.391 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'
============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 180.76.5.53
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 22:20:51.082 PST
Gen. Time: 11/29/2011 22:21:35.395 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
  180.76.5.53 (22:21:35.395 PST)
    event=1:2001220 {tcp} E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report, [] MAC_Src: 00:01:64:FF:CE:EA
    80->36638 (22:21:35.395 PST)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  66.249.68.7 (22:20:51.082 PST)
    event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->48243 (22:20:51.082 PST)
ATTACK PREP
PEER COORDINATION
DECLARE BOT
tcpslice 1322634051.082 1322634051.083 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'
============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 180.76.5.53 (2)
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 22:20:51.082 PST
Gen. Time: 11/29/2011 22:27:39.831 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
  180.76.5.53 (2) (22:21:35.395 PST)
    event=1:2001220 (2) {tcp} E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report, [] MAC_Src: 00:01:64:FF:CE:EA
    2: 80->36638 (22:21:35.395 PST-22:21:35.395 PST)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  66.249.68.7 (3) (22:20:51.082 PST)
    event=1:552123 (3) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->48243 (22:20:51.082 PST) 80->40371 (22:22:47.642 PST) 80->45408 (22:23:44.285 PST)
ATTACK PREP
PEER COORDINATION
DECLARE BOT
tcpslice 1322634051.082 1322634095.396 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'
============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 180.76.5.95
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 22:27:46.113 PST
Gen. Time: 11/29/2011 22:35:21.922 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
  180.76.5.95 (22:35:21.922 PST)
    event=1:2001220 {tcp} E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report, [] MAC_Src: 00:01:64:FF:CE:EA
    80->36139 (22:35:21.922 PST)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  66.249.68.7 (2) (22:31:33.937 PST)
    event=1:552123 (2) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->64543 (22:31:33.937 PST) 80->60086 (22:33:29.858 PST)
  65.52.108.68 (22:32:12.271 PST)
    event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->15982 (22:32:12.271 PST)
  157.55.17.194 (2) (22:27:46.113 PST)
    event=1:552123 (2) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->65310 (22:27:46.113 PST) 80->59003 (22:30:53.203 PST)
ATTACK PREP
PEER COORDINATION
DECLARE BOT
tcpslice 1322634466.113 1322634466.114 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'
============================== SEPARATOR ================================
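The profiles above are BotHunter's own text output. The parser below is an added example, not BotHunter code and not part of the original page; it turns that layout into structured records a responder can work with. It assumes the header field names and dialog section names exactly as they appear in the profiles, a fixed PST offset of UTC-8 (correct for 29 November, when daylight time is not in effect; the first profile's Observed Start of 00:57:48.106 PST converts to 1322557068.106, the value its own tcpslice command uses, and to_epoch reproduces that), and the reading of BotHunter's port notation as local port on the left and remote port on the right, which the egg-download lines (1028<-8119 for a file fetched into the target) fit. Two checks a practitioner would want from it: first, the tcpslice commands printed in these profiles span only Observed Start plus one millisecond (for example 1322557068.106 to 1322557068.107), except the three whose event times cover a range, so run as printed they would extract almost nothing, and tcpslice_cmd re-issues the same pipeline over Observed Start to Gen. Time; second, every E4 and E5 hit on this page has the target's own port 80 on the local side (80->ephemeral), so the alerts fired on the target's HTTP responses, and server_side_hits counts those pairs so that can be weighed before the remote peers are treated as C&C. SAMPLE is a constructed copy of the page's first profile trimmed to two OUTBOUND SCAN peers; all function names are this example's own.

```python
"""Parse BotHunter infection-profile text in the layout of the profiles on this
page and derive triage data from it.  Added example, not BotHunter's own code;
SAMPLE is a constructed copy of the page's first profile, trimmed to two peers."""
import re
from datetime import datetime, timedelta, timezone

PST = timezone(timedelta(hours=-8))  # profile stamps are PST; no DST on 29 Nov
SECTIONS = {
    "INBOUND SCAN", "EXPLOIT", "EXPLOIT MALWARE DNS", "EGG DOWNLOAD",
    "C and C TRAFFIC", "C and C TRAFFIC (RBN)", "C and C DNS CHECK-IN",
    "OUTBOUND SKYPE CANDIDATE", "OUTBOUND SCAN (spp)", "OUTBOUND SCAN",
    "ATTACK PREP", "PEER COORDINATION", "DECLARE BOT",
}
HEADER_RE = re.compile(r"^(Score|Infected Target|Infector List|Egg Source List|"
                       r"C & C List|Peer Coord\. List|Resource List|"
                       r"Observed Start|Gen\. Time):\s*(.*)$")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
PEER_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?: \((\d+)\))? \(")
EVENT_RE = re.compile(r"event=(\d+:\d+)(?: \((\d+)\))? \{(\w+)\} (E\d)\[rb\] (.*?), \[\] MAC_")
PORT_RE = re.compile(r"(\d+)(->|<-)(\d+) \((\d\d:\d\d:\d\d\.\d{3}) PST")

SAMPLE = """\
Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 180.76.5.170
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 00:57:48.106 PST
Gen. Time: 11/29/2011 01:18:32.939 PST
EGG DOWNLOAD
C and C TRAFFIC
180.76.5.170 (01:18:32.939 PST)
  event=1:2001220 {tcp} E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report, [] MAC_Src: 00:01:64:FF:CE:EA
  80->44954 (01:18:32.939 PST)
OUTBOUND SCAN
66.249.68.7 (4) (00:58:53.703 PST)
  event=1:552123 (4) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
  80->38905 (00:58:53.703 PST) 80->39695 (01:01:08.108 PST) 80->36946 (01:05:04.545 PST) 80->54998 (01:08:01.484 PST)
180.76.5.48 (00:57:48.106 PST)
  event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
  80->46745 (00:57:48.106 PST)
DECLARE BOT
tcpslice 1322557068.106 1322557068.107 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'
============================== SEPARATOR ================================
"""

def parse_profiles(text):
    """Split on SEPARATOR lines; each profile becomes header fields plus events tagged by section."""
    profiles = []
    for chunk in re.split(r"^=+ SEPARATOR =+$", text, flags=re.M):
        if "Infected Target:" not in chunk:
            continue
        prof, section, peer = {"header": {}, "events": []}, None, None
        for line in (ln.strip() for ln in chunk.splitlines()):
            m = HEADER_RE.match(line)
            if m:
                prof["header"][m.group(1)] = m.group(2).strip()
            elif line in SECTIONS:
                section, peer = line, None
            elif PEER_RE.match(line):
                peer = PEER_RE.match(line).group(1)
            elif EVENT_RE.search(line):
                sid, n, proto, stage, msg = EVENT_RE.search(line).groups()
                prof["events"].append({"section": section, "peer": peer, "sid": sid,
                                       "count": int(n or 1), "proto": proto, "stage": stage, "msg": msg, "ports": []})
            elif prof["events"] and PORT_RE.search(line):
                # (local_port, direction, remote_port, time); several pairs may share one line
                prof["events"][-1]["ports"] += [(int(a), d, int(b), t)
                                                for a, d, b, t in PORT_RE.findall(line)]
        profiles.append(prof)
    return profiles

def to_epoch(stamp):
    """'11/29/2011 00:57:48.106 PST' -> 1322557068.106, the value the profile's tcpslice uses."""
    dt = datetime.strptime(stamp.replace(" PST", ""), "%m/%d/%Y %H:%M:%S.%f")
    return round(dt.replace(tzinfo=PST).timestamp(), 3)

def cnc_hosts(prof):
    return IPV4_RE.findall(prof["header"].get("C & C List", ""))

def sids_by_section(prof):
    out = {}
    for ev in prof["events"]:
        out.setdefault(ev["section"], set()).add(ev["sid"])
    return {k: sorted(v) for k, v in out.items()}

def server_side_hits(prof, local_port=80):
    """Port pairs where the target spoke FROM local_port (it was the server in that flow).
    Assumes BotHunter's local->remote reading, which the page's egg-download line 1028<-8119 fits."""
    return sum(1 for ev in prof["events"]
               for lp, d, _rp, _t in ev["ports"] if d == "->" and lp == local_port)

def tcpslice_cmd(prof, pcap="inputFile.tcpd", out="outputFile.tcpd"):
    """Same pipeline the profile prints, but spanning Observed Start..Gen. Time instead of 1 ms."""
    h = prof["header"]
    start, end = to_epoch(h["Observed Start"]), to_epoch(h["Gen. Time"]) + 0.001
    return "tcpslice %.3f %.3f %s | tcpdump -r - -w %s 'host %s'" % (
        start, end, pcap, out, h["Infected Target"])
```

Run over the first profile, parse_profiles(SAMPLE) yields one record whose C&C list is 180.76.5.170, whose E4 hit sits in C and C TRAFFIC and whose E5 hits sit in OUTBOUND SCAN, with six 80->ephemeral pairs counted by server_side_hits; tcpslice_cmd then produces a window from 1322557068.106 to 1322558312.940 instead of the one-millisecond slice printed in the profile. Feed it the whole page (the SEPARATOR lines are the record delimiter) to get the same summary per profile.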