Early Dirtjumper botnet performing click-fraud adware instead of DDoS: traffic sample

By | June 19, 2015

2011-10-03 21:42:49.094609 ARP, Reply 172.16.165.2 is-at 00:50:56:e0:b4:af, length 28
2011-10-03 21:42:49.094710 IP 172.16.165.128.49770 > 172.16.165.2.53: 17008+ A? asdaddddaaaa[.]com. (34)
2011-10-03 21:42:49.109841 IP 172.16.165.2.53 > 172.16.165.128.49770: 17008 1/0/0 A 195.3.145.87 (50)
2011-10-03 21:42:49.114307 IP 172.16.165.128.1035 > 195.3.145.87.80: Flags [S], seq 2900643694, win 16384, options [mss 1460,nop,nop,sackOK], length 0
2011-10-03 21:42:49.232779 IP 195.3.145.87.80 > 172.16.165.128.1035: Flags [S.], seq 3750550834, ack 2900643695, win 64240, options [mss 1460], length 0
2011-10-03 21:42:49.232916 IP 172.16.165.128.1035 > 195.3.145.87.80: Flags [.], ack 1, win 17520, length 0
2011-10-03 21:42:49.233181 IP 172.16.165.128.1035 > 195.3.145.87.80: Flags [P.], seq 1:245, ack 1, win 17520, length 244
POST /678/index.php HTTP/1.0
Host: asdaddddaaaa[.]com
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US)
Content-Type: application/x-www-form-urlencoded
Content-Length: 17

k=426924814555748
2011-10-03 21:42:49.233225 IP 195.3.145.87.80 > 172.16.165.128.1035: Flags [.], ack 245, win 64240, length 0
2011-10-03 21:42:49.354072 IP 195.3.145.87.80 > 172.16.165.128.1035: Flags [P.], seq 1:846, ack 245, win 64240, length 845
HTTP/1.1 200 OK
Server: nginx
Date: Tue, 04 Oct 2011 01:40:42 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.17
Vary: Accept-Encoding,User-Agent
Content-Length: 644

02|411|260http://www.tadawulfx[.]com/public/
http://www.tadawulfx[.]com/public/trading-accounts/standard-forex-account.html
http://www.tadawulfx[.]com/public/trading-accounts/premium-forex-account.html
http://www.tadawulfx[.]com/public/education/gold-and-silver-overview.html
http://www.tadawulfx[.]com/public/platforms/mt4-mobile.html
http://www.tadawulfx[.]com/
https://pepperstone[.]com/
https://pepperstone[.]com/company-profile/about-us.php
https://pepperstone[.]com/trading-accounts/accounts-types.php
https://pepperstone[.]com/forex-news/
http://ukashsepeti[.]com/ukash.asp
http://ukashsepeti[.]com/iletisim.html
http://ukashsepeti[.]com/kurumsal.html
2011-10-03 21:42:49.354422 IP 172.16.165.128.1035 > 195.3.145.87.80: Flags [F.], seq 245, ack 846, win 16675, length 0
2011-10-03 21:42:49.354485 IP 195.3.145.87.80 > 172.16.165.128.1035: Flags [.], ack 246, win 64239, length 0
2011-10-03 21:42:49.366629 IP 172.16.165.128.54851 > 172.16.165.2.53: 64012+ A? ukashsepeti[.]com. (33)
2011-10-03 21:42:49.372987 IP 172.16.165.128.60365 > 172.16.165.2.53: 34684+ A? pepperstone[.]com. (33)
2011-10-03 21:42:49.382578 IP 172.16.165.2.53 > 172.16.165.128.54851: 64012 1/0/0 A 87.251.2.2 (49)
2011-10-03 21:42:49.411963 IP 172.16.165.2.53 > 172.16.165.128.59650: 47838 1/0/0 A 199.16.81.167 (51)
2011-10-03 21:42:49.412643 IP 172.16.165.128.1039 > 199.16.81.167.80: Flags [S], seq 3282053038, win 16384, options [mss 1460,nop,nop,sackOK], length 0
2011-10-03 21:42:49.420273 IP 172.16.165.128.1040 > 199.16.81.167.80: Flags [S], seq 430702874, win 16384, options [mss 1460,nop,nop,sackOK], length 0
2011-10-03 21:42:49.435950 IP 172.16.165.128.1041 > 199.16.81.167.80: Flags [S], seq 2216717930, win 16384, options [mss 1460,nop,nop,sackOK], length 0
2011-10-03 21:42:49.452640 IP 172.16.165.128.1042 > 87.251.2.2.80: Flags [S], seq 1157140421, win 16384, options [mss 1460,nop,nop,sackOK], length 0
2011-10-03 21:42:49.468225 IP 172.16.165.128.1043 > 113.20.8.41.443: Flags [S], seq 1095803889, win 16384, options [mss 1460,nop,nop,sackOK], length 0
2011-10-03 21:42:49.470663 IP 195.3.145.87.80 > 172.16.165.128.1035: Flags [FP.], seq 846, ack 246, win 64239, length 0
2011-10-03 21:42:49.471029 IP 172.16.165.128.1035 > 195.3.145.87.80: Flags [.], ack 847, win 16675, length 0
2011-10-03 21:42:49.483304 IP 172.16.165.128.1044 > 87.251.2.2.80: Flags [S], seq 990382298, win 16384, options [mss 1460,nop,nop,sackOK], length 0
2011-10-03 21:42:49.499522 IP 172.16.165.128.1045 > 199.16.81.167.80: Flags [S], seq 2177499891, win 16384, options [mss 1460,nop,nop,sackOK], length 0
2011-10-03 21:42:49.504899 IP 199.16.81.167.80 > 172.16.165.128.1039: Flags [S.], seq 3751556528, ack 3282053039, win 64240, options [mss 1460], length 0
2011-10-03 21:42:49.505401 IP 172.16.165.128.1039 > 199.16.81.167.80: Flags [.], ack 1, win 17520, length 0
2011-10-03 21:42:49.505936 IP 172.16.165.128.1039 > 199.16.81.167.80: Flags [P.], seq 1:196, ack 1, win 17520, length 195
GET /public/trading-accounts/premium-forex-account.html HTTP/1.0
Host: www.tadawulfx[.]com
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/2.0 (compatible; MSIE 3.01; Windows 98)
2011-10-03 21:42:49.506212 IP 172.16.165.128.1039 > 199.16.81.167.80: Flags [F.], seq 196, ack 1, win 17520, length 0
2011-10-03 21:42:49.506251 IP 199.16.81.167.80 > 172.16.165.128.1039: Flags [.], ack 196, win 64240, length 0
2011-10-03 21:42:49.506335 IP 199.16.81.167.80 > 172.16.165.128.1039: Flags [.], ack 197, win 64239, length 0
2011-10-03 21:42:49.515199 IP 172.16.165.128.1046 > 87.251.2.2.80: Flags [S], seq 3948358325, win 16384, options [mss 1460,nop,nop,sackOK], length 0
2011-10-03 21:42:49.517633 IP 199.16.81.167.80 > 172.16.165.128.1040: Flags [S.], seq 3851165357, ack 430702875, win 64240, options [mss 1460], length 0
2011-10-03 21:42:49.518082 IP 172.16.165.128.1040 > 199.16.81.167.80: Flags [.], ack 1, win 17520, length 0
2011-10-03 21:42:49.518546 IP 172.16.165.128.1040 > 199.16.81.167.80: Flags [P.], seq 1:205, ack 1, win 17520, length 204
GET /public/trading-accounts/premium-forex-account.html HTTP/1.0
Host: www.tadawulfx[.]com
Keep-Alive: 300
Connection: keep-alive
User-Agent: Opera/9.00 (Wii; U; ; 1038-58; Wii Shop Channel/1.0; en)
2011-10-03 21:42:49.542686 IP 172.16.165.128.1036 > 87.251.2.2.80: Flags [P.], seq 1:188, ack 1, win 17520, length 187
GET /iletisim.html HTTP/1.0
Host: ukashsepeti[.]com
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.1 (compatible; MSIE 5.0; Symbian OS; Nokia 6600;452) Opera 6.20 [ru]
2011-10-03 21:42:49.542724 IP 87.251.2.2.80 > 172.16.165.128.1036: Flags [.], ack 188, win 64240, length 0
2011-10-03 21:42:49.542924 IP 172.16.165.128.1036 > 87.251.2.2.80: Flags [F.], seq 188, ack 1, win 17520, length 0
2011-10-03 21:42:49.542958 IP 87.251.2.2.80 > 172.16.165.128.1036: Flags [.], ack 189, win 64239, length 0
2011-10-03 21:42:49.544158 IP 172.16.165.128.1050 > 113.20.8.41.443: Flags [S], seq 965525719, win 16384, options [mss 1460,nop,nop,sackOK], length 0
2011-10-03 21:42:49.561624 IP 172.16.165.128.1051 > 113.20.8.41.443: Flags [S], seq 3514100108, win 16384, options [mss 1460,nop,nop,sackOK], length 0
2011-10-03 21:42:49.562914 IP 172.16.165.128.1052 > 199.16.81.167.80: Flags [S], seq 1706709337, win 16384, options [mss 1460,nop,nop,sackOK], length 0
2011-10-03 21:42:49.577122 IP 172.16.165.128.1053 > 113.20.8.41.443: Flags [S], seq 3473707901, win 16384, options [mss 1460,nop,nop,sackOK], length 0
2011-10-03 21:42:49.593383 IP 172.16.165.128.1054 > 199.16.81.167.80: Flags [S], seq 453730116, win 16384, options [mss 1460,nop,nop,sackOK], length 0
2011-10-03 21:42:49.597617 IP 199.16.81.167.80 > 172.16.165.128.1039: Flags [FP.], seq 1:154, ack 197, win 64239, length 153
HTTP/1.1 302 Found
Connection: close
Pragma: no-cache
cache-control: no-cache
Location: /RVikU/public/trading-accounts/premium-forex-account.html
2011-10-03 21:42:49.598175 IP 172.16.165.128.1039 > 199.16.81.167.80: Flags [R.], seq 197, ack 154, win 0, length 0
2011-10-03 21:42:49.608226 IP 172.16.165.128.1055 > 199.16.81.167.80: Flags [S], seq 565710976, win 16384, options [mss 1460,nop,nop,sackOK], length 0
2011-10-03 21:42:49.610726 IP 87.251.2.2.80 > 172.16.165.128.1042: Flags [S.], seq 3566852552, ack 1157140422, win 64240, options [mss 1460], length 0
2011-10-03 21:42:49.611142 IP 172.16.165.128.1042 > 87.251.2.2.80: Flags [.], ack 1, win 17520, length 0
2011-10-03 21:42:49.611633 IP 172.16.165.128.1042 > 87.251.2.2.80: Flags [P.], seq 1:139, ack 1, win 17520, length 138
GET /ukash.asp HTTP/1.0
Host: ukashsepeti[.]com
Keep-Alive: 300
Connection: keep-alive
User-Agent: Opera/9.0 (Windows NT 5.1; U; en)
2011-10-03 21:42:49.614916 IP 199.16.81.167.80 > 172.16.165.128.1040: Flags [FP.], seq 1:154, ack 206, win 64239, length 153
HTTP/1.1 302 Found
Connection: close
Pragma: no-cache
cache-control: no-cache
Location: /RVikU/public/trading-accounts/premium-forex-account.html
2011-10-03 21:42:49.615354 IP 172.16.165.128.1040 > 199.16.81.167.80: Flags [R.], seq 206, ack 154, win 0, length 0
2011-10-03 21:42:49.624691 IP 172.16.165.128.1056 > 113.20.8.41.443: Flags [S], seq 2501464318, win 16384, options [mss 1460,nop,nop,sackOK], length 0
2011-10-03 21:42:49.626053 IP 172.16.165.128.1057 > 113.20.8.41.443: Flags [S], seq 1320295395, win 16384, options [mss 1460,nop,nop,sackOK], length 0
2011-10-03 21:42:49.628380 IP 199.16.81.167.80 > 172.16.165.128.1049: Flags [S.], seq 2113646213, ack 4030347471, win 64240, options [mss 1460], length 0
2011-10-03 21:42:49.628780 IP 172.16.165.128.1049 > 199.16.81.167.80: Flags [.], ack 1, win 17520, length 0
2011-10-03 21:42:49.629254 IP 172.16.165.128.1049 > 199.16.81.167.80: Flags [P.], seq 1:252, ack 1, win 17520, length 251
GET /public/education/gold-and-silver-overview.html HTTP/1.0
Host: www.tadawulfx[.]com
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; ; Linux armv5tejl; U) Opera 8.02 [en_US] Maemo browser 0.4.31 N770/SU-18
2011-10-03 21:42:49.629373 IP 199.16.81.167.80 > 172.16.165.128.1049: Flags [.], ack 252, win 64240, length 0
2011-10-03 21:42:49.629758 IP 172.16.165.128.1049 > 199.16.81.167.80: Flags [F.], seq 252, ack 1, win 17520, length 0
2011-10-03 21:42:49.629857 IP 199.16.81.167.80 > 172.16.165.128.1049: Flags [.], ack 253, win 64239, length 0
2011-10-03 21:42:49.639448 IP 87.251.2.2.80 > 172.16.165.128.1044: Flags [S.], seq 927048915, ack 990382299, win 64240, options [mss 1460], length 0
2011-10-03 21:42:49.639873 IP 172.16.165.128.1044 > 87.251.2.2.80: Flags [.], ack 1, win 17520, length 0
2011-10-03 21:42:49.640441 IP 172.16.165.128.1044 > 87.251.2.2.80: Flags [P.], seq 1:197, ack 1, win 17520, length 196
GET /iletisim.html HTTP/1.0
Host: ukashsepeti[.]com
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1
2011-10-03 21:42:49.640532 IP 87.251.2.2.80 > 172.16.165.128.1044: Flags [.], ack 197, win 64240, length 0
2011-10-03 21:42:49.640814 IP 172.16.165.128.1044 > 87.251.2.2.80: Flags [F.], seq 197, ack 1, win 17520, length 0
2011-10-03 21:42:49.640900 IP 87.251.2.2.80 > 172.16.165.128.1044: Flags [.], ack 198, win 64239, length 0
2011-10-03 21:42:49.642669 IP 172.16.165.128.1058 > 113.20.8.41.443: Flags [S], seq 3786260161, win 16384, options [mss 1460,nop,nop,sackOK], length 0
2011-10-03 21:42:49.643753 IP 172.16.165.128.1059 > 199.16.81.167.80: Flags [S], seq 2282681895, win 16384, options [mss 1460,nop,nop,sackOK], length 0
2011-10-03 21:42:49.654042 IP 172.16.165.128.1060 > 199.16.81.167.80: Flags [S], seq 3563311842, win 16384, options [mss 1460,nop,nop,sackOK], length 0
2011-10-03 21:42:49.654980 IP 199.16.81.167.80 > 172.16.165.128.1052: Flags [S.], seq 3321640252, ack 1706709338, win 64240, options [mss 1460], length 0
2011-10-03 21:42:49.655401 IP 172.16.165.128.1052 > 199.16.81.167.80: Flags [.], ack 1, win 17520, length 0
2011-10-03 21:42:49.655845 IP 172.16.165.128.1052 > 199.16.81.167.80: Flags [P.], seq 1:202, ack 1, win 17520, length 201
GET /public/education/gold-and-silver-overview.html HTTP/1.0
Host: www.tadawulfx[.]com
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Nitro) Opera 8.50 [en]
2011-10-03 21:42:51.535132 IP 172.16.165.128.1278 > 199.16.81.167.80: Flags [P.], seq 1:192, ack 1, win 17520, length 191
GET /public/education/gold-and-silver-overview.html HTTP/1.0
Host: www.tadawulfx[.]com
Keep-Alive: 300
Connection: keep-alive
User-Agent: Opera/9.60 (Windows NT 5.1; U; en) Presto/2.1.1
2011-10-03 21:42:51.535312 IP 199.16.81.167.80 > 172.16.165.128.1278: Flags [.], ack 192, win 64240, length 0
2011-10-03 21:42:51.535700 IP 172.16.165.128.1278 > 199.16.81.167.80: Flags [F.], seq 192, ack 1, win 17520, length 0
2011-10-03 21:42:51.535853 IP 199.16.81.167.80 > 172.16.165.128.1278: Flags [.], ack 193, win 64239, length 0
2011-10-03 21:42:51.547085 IP 172.16.165.128.1289 > 199.16.81.167.80: Flags [S], seq 1676684084, win 16384, options [mss 1460,nop,nop,sackOK], length 0
2011-10-03 21:42:51.548094 IP 172.16.165.128.1290 > 199.16.81.167.80: Flags [S], seq 2100119357, win 16384, options [mss 1460,nop,nop,sackOK], length 0
2011-10-03 21:42:51.559747 IP 199.16.81.167.80 > 172.16.165.128.1282: Flags [S.], seq 2844008361, ack 1795410698, win 64240, options [mss 1460], length 0
2011-10-03 21:42:51.560105 IP 199.16.81.167.80 > 172.16.165.128.1270: Flags [FP.], seq 1:192, ack 199, win 64239, length 191
HTTP/1.1 200 OK
Connection: close
Pragma: no-cache
cache-control: no-cache
Content-Type: text/html
Content-Length: 65
