Early Click Fraud Malware Trojan using DSPARKING (Domain Sponsor) To Generate Revenue Traffic Sample

By | June 19, 2015

1970-01-01 -3:-59:-42.942193 IP 10.0.2.15.1044 > 208.73.211.152.80: Flags [P.], seq 1:107, ack 1, win 64240, length 106
E….[@…J.
….I…..P.kC…..P…….GET /check_ver.php?version=1.09 HTTP/1.1
User-Agent: –
Host: rc.rizalof[.]com
Cache-Control: no-cache
1970-01-01 -3:-59:-42.942293 IP 208.73.211.152.80 > 10.0.2.15.1044: Flags [.], ack 107, win 65535, length 0
E..(….@….I..
….P…….kD?P…….
1970-01-01 -3:-59:-41.148290 IP 208.73.211.152.80 > 10.0.2.15.1044: Flags [.], seq 1:1421, ack 107, win 65535, length 1420
E…….@..6.I..
….P…….kD?P…H…HTTP/1.0 200 (OK)
Cache-Control: private, no-cache, must-revalidate
Connection: Keep-Alive
Pragma: no-cache
Server: Oversee Turing v1.0.0
Content-Length: 1762
Content-Type: text/html
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Keep-Alive: timeout=3, max=99
P3P: policyref="http://www.dsparking[.]com/w3c/p3p.xml", CP="NOI DSP COR ADMa OUR NOR STA"
Set-Cookie: parkinglot=1; domain=.rizalof[.]com; path=/; expires=Sun, 21-Apr-2013 18:10:18 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN" "http://www.w3.org/TR/html4/frameset.dtd">
<!-- turing_cluster_prod -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />

<title>rizalof[.]com</title>
<meta name="keywords" content="rizalof[.]com" />
<meta name="description" content="rizalof[.]com" />
<meta name="robots" content="index, follow" />
<meta name="revisit-after" content="10" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<script type="text/javascript">
cookie_callback = function(val) {
var exdate=new Date();
exdate.setFullYear(exdate.getFullYear() + 1);
document.cookie = "Spusr=" + escape(val) +
"; expires=" + exdate.toUTCString();
document.cookie = "jsc=1";
}
</script> <script src="http://dsparking[.]com/?epl=gP88qxQvw4MxlnFHtsrzNIjEdUWQUDhFche_vJrOkTXus_C1wOqhDFeQbLnW2iVhlu0HtTjg0fYAMas8BxiLxKFoJgkGJqOLT4yCrV7tpeZlqpe0
1970-01-01 -3:-59:-41.148332 IP 208.73.211.152.80 > 10.0.2.15.1044: Flags [P.], seq 1421:2210, ack 107, win 65535, length 789
E..=….@….I..
….P…….kD?P…….CU3mShDDrDhlEHSdIoVRXsQflVz1BLqd5_m0x83RIENT_RSb6klP9ZCnGqTpqQeAJtM0jfJUQ5UAIHDc778AAMB9AQAAQIBbCgAAiMR1RVlTJllBMTZoWkKaAAAA8A">
</script>

</head>
<frameset rows="100%,*" frameborder="no" border="0" framespacing="0">
<frame src="http://rc.rizalof[.]com?epl=b0NclZaOUzopNOQ3IG5FXiBk0M4OCYVTJHfxl_PNRknMhFxQbBkhEjSvpLKRd4R7IsK4u5N9k4lrnnnwUTcToEKCHJg3T6QZbhprwd0WDrFdipimkR6aemo01E8RAABAQ6NQACAQ3KevAADAfwEAAECAWwYAAEIG7exZUyZZQTE2aFpCXwAAAPA" name="rizalof[.]com">
