Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 180.76.5.169
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 01:21:56.061 PDT
Gen. Time: 07/17/2012 01:25:08.647 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
      180.76.5.169 (01:21:56.061 PDT)
         event=1:2001220 {tcp} E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report, [] MAC_Src: 00:01:64:FF:CE:EA
         80->63878 (01:21:56.061 PDT)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
      208.115.111.67 (01:25:08.647 PDT)
         event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
         80->36109 (01:25:08.647 PDT)
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
   Standard Port
   DECLARE BOT
   Non-standard Port
   DECLARE BOT
tcpslice 1342513316.061 1342513316.062 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'
============================== SEPARATOR ================================
Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 66.249.67.11
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 05:11:18.576 PDT
Gen. Time: 07/17/2012 05:13:14.035 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
      66.249.67.11 (05:13:14.035 PDT)
         event=1:2001220 {tcp} E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report, [] MAC_Src: 00:01:64:FF:CE:EA
         80->48295 (05:13:14.035 PDT)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
      66.249.68.48 (05:11:18.576 PDT)
         event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
         80->63977 (05:11:18.576 PDT)
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
   Standard Port
   DECLARE BOT
   Non-standard Port
   DECLARE BOT
tcpslice 1342527078.576 1342527078.577 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'
============================== SEPARATOR ================================
Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 66.249.67.11
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 14:35:06.071 PDT
Gen. Time: 07/17/2012 14:35:57.459 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
      66.249.67.11 (14:35:57.459 PDT)
         event=1:2001220 {tcp} E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report, [] MAC_Src: 00:01:64:FF:CE:EA
         80->60877 (14:35:57.459 PDT)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
      66.249.68.48 (14:35:06.071 PDT)
         event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
         80->62354 (14:35:06.071 PDT)
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
   Standard Port
   DECLARE BOT
   Non-standard Port
   DECLARE BOT
tcpslice 1342560906.071 1342560906.072 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'
============================== SEPARATOR ================================
Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 66.249.68.48
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 16:21:47.681 PDT
Gen. Time: 07/17/2012 16:22:54.802 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
      66.249.68.48 (16:22:54.802 PDT)
         event=1:2001220 {tcp} E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report, [] MAC_Src: 00:01:64:FF:CE:EA
         80->41208 (16:22:54.802 PDT)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
      66.249.68.48 (16:21:47.681 PDT)
         event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
         80->61228 (16:21:47.681 PDT)
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
   Standard Port
   DECLARE BOT
   Non-standard Port
   DECLARE BOT
tcpslice 1342567307.681 1342567307.682 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'
============================== SEPARATOR ================================
Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 66.249.68.48
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 16:21:47.681 PDT
Gen. Time: 07/17/2012 16:28:24.773 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
      66.249.68.48 (16:22:54.802 PDT)
         event=1:2001220 {tcp} E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report, [] MAC_Src: 00:01:64:FF:CE:EA
         80->41208 (16:22:54.802 PDT)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
      180.76.5.58 (16:23:43.807 PDT)
         event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
         80->57782 (16:23:43.807 PDT)
      66.249.68.48 (2) (16:21:47.681 PDT)
         event=1:552123 (2) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
         80->61228 (16:21:47.681 PDT) 80->40386 (16:25:24.519 PDT)
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
   Standard Port
   DECLARE BOT
   Non-standard Port
   DECLARE BOT
tcpslice 1342567307.681 1342567307.682 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'
============================== SEPARATOR ================================
Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 66.249.68.48
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 21:35:40.092 PDT
Gen. Time: 07/17/2012 21:38:49.868 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
      66.249.68.48 (21:38:49.868 PDT)
         event=1:2001220 {tcp} E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report, [] MAC_Src: 00:01:64:FF:CE:EA
         80->53107 (21:38:49.868 PDT)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
      66.249.68.48 (2) (21:35:40.092 PDT)
         event=1:552123 (2) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
         80->52905 (21:35:40.092 PDT) 80->53576 (21:37:29.282 PDT)
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
   Standard Port
   DECLARE BOT
   Non-standard Port
   DECLARE BOT
tcpslice 1342586140.092 1342586140.093 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'
============================== SEPARATOR ================================
Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 180.76.5.157
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 22:02:18.092 PDT
Gen. Time: 07/17/2012 22:10:53.971 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
      180.76.5.157 (22:10:53.971 PDT)
         event=1:2001220 {tcp} E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report, [] MAC_Src: 00:01:64:FF:CE:EA
         80->50673 (22:10:53.971 PDT)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
      66.249.68.48 (3) (22:02:18.092 PDT)
         event=1:552123 (3) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
         80->54429 (22:02:18.092 PDT) 80->64961 (22:04:44.361 PDT) 80->37787 (22:07:46.500 PDT)
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
   Standard Port
   DECLARE BOT
   Non-standard Port
   DECLARE BOT
tcpslice 1342587738.092 1342587738.093 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'
============================== SEPARATOR ================================
Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 180.76.5.157 (2)
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 22:02:18.092 PDT
Gen. Time: 07/17/2012 22:17:59.300 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
      180.76.5.157 (2) (22:10:53.971 PDT)
         event=1:2001220 (2) {tcp} E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report, [] MAC_Src: 00:01:64:FF:CE:EA
         2: 80->50673 (22:10:53.971 PDT-22:10:53.971 PDT)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
      180.76.5.52 (22:13:56.870 PDT)
         event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
         80->59709 (22:13:56.870 PDT)
      66.249.68.48 (5) (22:02:18.092 PDT)
         event=1:552123 (5) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
         80->54429 (22:02:18.092 PDT) 80->64961 (22:04:44.361 PDT) 80->37787 (22:07:46.500 PDT)
         80->38015 (22:13:07.524 PDT) 80->57975 (22:16:21.930 PDT)
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
   Standard Port
   DECLARE BOT
   Non-standard Port
   DECLARE BOT
tcpslice 1342587738.092 1342588253.972 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'
============================== SEPARATOR ================================