Category Archives: Click Fraud Malware

Early Dirtjumper botnet performing Click Fraud Adware instead of DDoS Traffic Sample

2011-10-03 21:42:49.094609 ARP, Reply 172.16.165.2 is-at 00:50:56:e0:b4:af, length 28 ………PV………)…….
2011-10-03 21:42:49.094710 IP 172.16.165.128.49770 > 172.16.165.2.53: 17008+ A? asdaddddaaaa[.]com. (34) E..>……. ………j.5.*..Bp………..asdaddddaaaa[.]com…..
2011-10-03 21:42:49.109841 IP 172.16.165.2.53 > 172.16.165.128.49770: 17008 1/0/0 A 195.3.145.87 (50) E..N.6……………5.j.:. Bp………..asdaddddaaaa[.]com………………..W
2011-10-03 21:42:49.114307 IP 172.16.165.128.1035 > 195.3.145.87.80: Flags [S], seq 2900643694, win 16384, options [mss 1460,nop,nop,sackOK], length 0 E..0..@…S……..W…P..On….p.@………….
2011-10-03 21:42:49.232779…


Early Click Fraud Malware Trojan using DSPARKING (Domain Sponsor) To Generate Revenue Traffic Sample

1970-01-01 -3:-59:-42.942193 IP 10.0.2.15.1044 > 208.73.211.152.80: Flags [P.], seq 1:107, ack 1, win 64240, length 106 E….[@…J. ….I…..P.kC…..P…….
GET /check_ver.php?version=1.09 HTTP/1.1
User-Agent: –
Host: rc.rizalof[.]com
Cache-Control: no-cache
1970-01-01 -3:-59:-42.942293 IP 208.73.211.152.80 > 10.0.2.15.1044: Flags [.], ack 107, win 65535, length 0 E..(….@….I.. ….P…….kD?P…….
1970-01-01 -3:-59:-41.148290 IP 208.73.211.152.80 > 10.0.2.15.1044: Flags [.], seq 1:1421, ack 107, win…


ZeroAccess Peer-to-Peer Rootkit Trojan – Loading Click Fraud Module Traffic Sample UDP/16464

2012-10-04 10:27:07.382847 IP 192.168.248.1.51587 > 192.168.248.255.5002: UDP, length 306 E..N….@.V/………….:..DRINETTM……….?………….@……………@miqn.2005-09.com.drobo.host:admins-Mac-Pro.local4ecbf077…………………………………………………………………………………………………………………………………………………………………………………
2012-10-04 10:27:12.421041 IP 192.168.248.1.51587 > 192.168.248.255.5002: UDP, length 306 E..N….@.x:………….:..DRINETTM……….?………….@……………@miqn.2005-09.com.drobo.host:admins-Mac-Pro.local4ecbf077…………………………………………………………………………………………………………………………………………………………………………………
2012-10-04 10:27:15.945104 IP 192.168.248.165.1110 > 8.8.8.8.53: 13107+ A? j.maxmind.com. (31) E..;.q….p……….V.5.’B.33………..j.maxmind.com…..
2012-10-04 10:27:15.956553 IP 8.8.8.8.53 > 192.168.248.165.1110: 13107 1/0/0 A 108.168.255.244 (47) E..K…….W………5.V.7′.33………..j.maxmind.com…………./…l…
2012-10-04 10:27:15.975499 IP 192.168.248.165.1111 > 108.168.255.244.80: Flags [S], seq 251996263, win 64240,…


Purplehaze Malware Botnet Doing Click Fraud Traffic Sample

2012-01-30 23:17:47.265333 IP 172.29.0.116.1025 > 75.75.75.75.53: 20155+ A? howtodoitman[.]com. (34) E..>.E…..B…tKKKK…5.*.vN…………howtodoitman[.]com…..
2012-01-30 23:17:47.284888 IP 75.75.75.75.53 > 172.29.0.116.1025: 20155 1/0/0 A 141.136.16.156 (50) E@.N..@.9..7KKKK…t.5…:.FN…………howtodoitman[.]com…………..X……
2012-01-30 23:17:47.285176 IP 172.29.0.116.1263 > 141.136.16.156.80: Flags [S], seq 1631912176, win 64240, options [mss 1460,nop,nop,sackOK], length 0 E..0.F@……..t…….PaE……p……………
2012-01-30 23:17:47.423618 IP 141.136.16.156.80 > 172.29.0.116.1263: Flags [S.], seq 1417974632, ack 1631912177, win 65535,…
