ZeroAccess Peer-to-Peer Rootkit Trojan – Loading Click Fraud Module Traffic Sample UDP/16464

By | June 19, 2015

2012-10-04 10:27:07.382847 IP 192.168.248.1.51587 > 192.168.248.255.5002: UDP, length 306
E..N….@.V/………….:..DRINETTM……….?………….@……………@miqn.2005-09.com.drobo.host:admins-Mac-Pro.local4ecbf077…………………………………………………………………………………………………………………………………………………………………………………
2012-10-04 10:27:12.421041 IP 192.168.248.1.51587 > 192.168.248.255.5002: UDP, length 306
E..N….@.x:………….:..DRINETTM……….?………….@……………@miqn.2005-09.com.drobo.host:admins-Mac-Pro.local4ecbf077…………………………………………………………………………………………………………………………………………………………………………………
2012-10-04 10:27:15.945104 IP 192.168.248.165.1110 > 8.8.8.8.53: 13107+ A? j.maxmind.com. (31)
E..;.q….p……….V.5.’B.33………..j.maxmind.com…..
2012-10-04 10:27:15.956553 IP 8.8.8.8.53 > 192.168.248.165.1110: 13107 1/0/0 A 108.168.255.244 (47)
E..K…….W………5.V.7′.33………..j.maxmind.com…………./…l…
2012-10-04 10:27:15.975499 IP 192.168.248.165.1111 > 108.168.255.244.80: Flags [S], seq 251996263, win 64240, options [mss 1460,nop,nop,sackOK], length 0
E..0.r@….j….l….W.P..(g….p…&0……….
2012-10-04 10:27:15.984761 IP 108.168.255.244.80 > 192.168.248.165.1111: Flags [S.], seq 3029000006, ack 251996264, win 64240, options [mss 1460], length 0
E..,……|.l……..P.W…F..(h`….T……..
2012-10-04 10:27:15.984833 IP 192.168.248.165.1111 > 108.168.255.244.80: Flags [.], ack 1, win 64240, length 0
E..(.s@….q….l….W.P..(h…GP…….
2012-10-04 10:27:15.984940 IP 192.168.248.165.1111 > 108.168.255.244.80: Flags [P.], seq 1:71, ack 1, win 64240, length 70
E..n.t@….*….l….W.P..(h…GP…….GET /app/geoip.js HTTP/1.0
Host: j.maxmind.com
Connection: close

2012-10-04 10:27:15.990195 IP 108.168.255.244.80 > 192.168.248.165.1111: Flags [.], ack 71, win 64240, length 0
E..(……|.l……..P.W…G..(.P………….
2012-10-04 10:27:15.990228 IP 108.168.255.244.80 > 192.168.248.165.1111: Flags [FP.], seq 1:722, ack 71, win 64240, length 721
E………z$l……..P.W…G..(.P…….HTTP/1.0 200 OK
Expires: Wed, 07 Aug 2013 19:04:11 GMT
Cache-Control: private, max-age=0
Content-Type: text/javascript; charset=ISO-8859-1
Access-Control-Allow-Origin: *
Content-Length: 523

function geoip_country_code() { return 'US'; }
function geoip_country_name() { return 'United States'; }
function geoip_city() { return 'Washington'; }
function geoip_region() { return 'DC'; }
function geoip_region_name() { return 'District of Columbia'; }
function geoip_latitude() { return '38.9376'; }
function geoip_longitude() { return '-77.0928'; }
function geoip_postal_code() { return '20016'; }
function geoip_area_code() { return '202'; }
function geoip_metro_code() { return '511'; }

2012-10-04 10:27:15.990281 IP 192.168.248.165.1111 > 108.168.255.244.80: Flags [.], ack 723, win 63519, length 0
E..(.u@….o….l….W.P..(…..P…….
2012-10-04 10:27:15.990533 IP 192.168.248.165.1111 > 108.168.255.244.80: Flags [F.], seq 71, ack 723, win 63519, length 0
E..(.v@….n….l….W.P..(…..P…….
2012-10-04 10:27:15.990725 IP 108.168.255.244.80 > 192.168.248.165.1111: Flags [.], ack 72, win 64239, length 0
E..(……|.l……..P.W……(.P………….
2012-10-04 10:27:16.014798 IP 192.168.248.165.1112 > 194.165.17.4.53: 18359 inv_q [b2&3=0xccf] [36508q] [40600a] [18538n] [27661au][|domain]
E..0.w…..N………X.5….G…….Hjl..pzb.o..
2012-10-04 10:27:16.019860 IP 192.168.248.165.1113 > 194.165.17.4.53: 18359 inv_q [b2&3=0xccf] [3740q] [40600a] [18538n] [27709au][|domain]
E..0.x…..M………Y.5…DG…….Hjl=.pzb?B0t

2012-10-04 10:27:24.264561 IP 74.67.204.239.16464 > 192.168.248.165.1129: UDP, length 568
E..T……. JC……@P.i.@..w.NQ(……….3….L…’R..3.8:.bjY.d….,.3….J…L..U..G:3.8-Hf…d…FH.3.. …..L.I/..8:3.hY…..d…*..3…>….Ln..k.8:3u 3.e……h…3%.GgM………8:…..H….\…’6Z…{..$.%……$..’..O.#..x@.L. ..^..gR1T7…;q…..#.Y.<.T....s.....2R.t.45uK…`……..#n.+x….#.d.|…….:..}{..n…8…p=.. .`..t#…….S..9……r..V.V../|Y…C.k.m……_sV/}……K..R
. L..~8……&…W.Y.Xp…Iw.6#.
2012-10-04 10:27:25.243465 IP 192.168.248.165.1129 > 83.21.236.76.16464: UDP, length 16
E..,……Ak….S..L.i@P….)j.C(…….B ..
2012-10-04 10:27:25.587578 IP 83.21.236.76.16464 > 192.168.248.165.1129: UDP, length 568
E..T.!……S..L….@P.i.@…..d(……….3yZ..L……c3.8:…..d…1>/3……..L…m..:3.8……d..j7>.3..i…..L.9qg.8:3.(……d.8g7..3……..LQ.cg.8:3y…d….’/g…3%.GgM………8:…..H….\…’6Z…{..$.%……$..’..O.#..x@.L. ..^..gR1T7…;q…..#.Y.<.T....s.....2R.t.45uK…`……..#n.+x….#.d.|…….:..}{..n…8…p=.. .`..t#…….S..9……r..V.V../|Y…C.k.m……_sV/}……K..R
. L..~8……&…W.Y.Xp…Iw.6#.
2012-10-04 10:27:26.241763 IP 192.168.248.165.1129 > 177.80.26.45.16464: UDP, length 16
E..,…….K…..P.-.i@P….)j.C(…….B ..
2012-10-04 10:27:26.843921 IP 177.80.26.45.16464 > 192.168.248.165.1129: UDP, length 568
E..T.”…….P.-….@P.i.@..B..t(……….3×5..L……c3.8:…..d..W7=/3……..L..Xg..:3.8……d.ig4>.3……..L..cd.8:3……..df/d7..3……..L..`g.8:3….d….>,g…3%.GgM………8:…..H….\…’6Z…{..$.%……$..’..O.#..x@.L. ..^..gR1T7…;q…..#.Y.<.T....s.....2R.t.45uK…`……..#n.+x….#.d.|…….:..}{..n…8…p=.. .`..t#…….S..9……r..V.V../|Y…C.k.m……_sV/}……K..R
. L..~8……&…W.Y.Xp…Iw.6#.
2012-10-04 10:27:27.241597 IP 192.168.248.165.1129 > 206.254.253.254.16464: UDP, length 16
E..,……………..i@P…r)j.C(…….B ..
2012-10-04 10:27:28.241259 IP 192.168.248.165.1129 > 135.254.253.254.16464: UDP, length 16
E..,……………..i@P..Sr)j.C(…….B ..
2012-10-04 10:27:29.242120 IP 192.168.248.165.1129 > 204.254.253.254.16464: UDP, length 16
E..,……………..i@P…r)j.C(…….B ..
2012-10-04 10:27:30.242137 IP 192.168.248.165.1129 > 158.254.253.254.16464: UDP, length 16
E..,……………..i@P.. 197.254.253.254.16464: UDP, length 16
E..,……………..i@P…r)j.C(…….B ..
2012-10-04 10:27:32.242222 IP 192.168.248.165.1129 > 166.254.253.254.16464: UDP, length 16
E..,……………..i@P..4r)j.C(…….B ..
2012-10-04 10:27:33.241771 IP 192.168.248.165.1129 > 190.254.253.254.16464: UDP, length 16
E..,……………..i@P…r)j.C(…….B ..
2012-10-04 10:27:34.241542 IP 192.168.248.165.1129 > 180.254.253.254.16464: UDP, length 16
E..,……………..i@P..&r)j.C(…….B ..
2012-10-04 10:27:35.242180 IP 192.168.248.165.1129 > 184.254.253.254.16464: UDP, length 16
E..,……………..i@P..”r)j.C(…….B ..
2012-10-04 10:27:36.242272 IP 192.168.248.165.1129 > 182.254.253.254.16464: UDP, length 16
E..,……………..i@P..$r)j.C(…….B ..
2012-10-04 10:27:37.242036 IP 192.168.248.165.1129 > 183.254.253.254.16464: UDP, length 16
E..,……………..i@P..#r)j.C(…….B ..
2012-10-04 10:27:38.241366 IP 192.168.248.165.1129 > 24.45.223.226.16464: UDP, length 16
E..,………….-…i@P…_)j.C(…….B ..
2012-10-04 10:27:38.262466 IP 24.45.223.226.16464 > 192.168.248.165.1129: UDP, length 568
E..T.$…….-……@P.i.@.OD{3/(……….3….L…G..c3.8:…..d..U7=/3……..L..#g..:3.8……d.fg4>.3……..L..cd.8:3……..d^/d7..3……..L..`g.8:3E…d….>,g…3%.GgM………8:…..H….\…’6Z…{..$.%……$..’..O.#..x@.L. ..^..gR1T7…;q…..#.Y.<.T....s.....2R.t.45uK…`……..#n.+x….#.d.|…….:..}{..n…8…p=.. .`..t#…….S..9……r..V.V../|Y…C.k.m……_sV/}……K..R
. L..~8……&…W.Y.Xp…Iw.6#.
2012-10-04 10:27:39.242187 IP 192.168.248.165.1129 > 78.142.55.13.16464: UDP, length 16
E..,……. ….N.7..i@P..S.)j.C(…….B ..
2012-10-04 10:27:39.362903 IP 78.142.55.13.16464 > 192.168.248.165.1129: UDP, length 568
E..T.%….a.N.7…..@P.i.@.H.k..(……….3`S..L……k3.8:=….d…..>3…._Q..L……:3.8……d….$.3…c!…L.E…8:3…E;…d……3.I9)….L..a..8:3*Y.md….`m….3%.GgM………8:…..H….\…’6Z…{..$.%……$..’..O.#..x@.L. ..^..gR1T7…;q…..#.Y.<.T....s.....2R.t.45uK…`……..#n.+x….#.d.|…….:..}{..n…8…p=.. .`..t#…….S..9……r..V.V../|Y…C.k.m……_sV/}……K..R
. L..~8……&…W.Y.Xp…Iw.6#.
2012-10-04 10:27:40.242156 IP 192.168.248.165.1129 > 222.254.253.254.16464: UDP, length 16
E..,……………..i@P…q)j.C(…….B ..
2012-10-04 10:27:41.242271 IP 192.168.248.165.1129 > 206.254.253.254.16464: UDP, length 16
E..,……………..i@P…r)j.C(…….B ..
2012-10-04 10:27:42.241928 IP 192.168.248.165.1129 > 204.254.253.254.16464: UDP, length 16
E..,……………..i@P…r)j.C(…….B ..
2012-10-04 10:27:43.242696 IP 192.168.248.165.1129 > 197.254.253.254.16464: UDP, length 16

2012-10-04 10:30:26.289153 IP 192.168.248.165.1129 > 99.109.19.38.16464: UDP, length 16
E..,.i…. w….cm.&.i@P..b.)j.C(…….B ..
2012-10-04 10:30:26.407901 IP 31.184.245.202.12757 > 192.168.248.165.1136: Flags [P.], seq 296:780, ack 123, win 64240, length 484
E……….T……..1..p.5.$.v<.P........srrxrrr.rrr........_........\...]M....O.B.KB.......JA...@.K.@A.F..G@C.........G.A..T OC@T.OET......O....Y.......Y...Y....Y....rzurr....H]]DF\EC\CF@\C@B]GG...A.@DK.F..D.EAB...K.CCDA...GH.KG.K.....HBrzurr....H]]DG\FK\@A\CFD]GG...A.@DK.F..D.EAB...K.CCDA...GH.KG.K.....HCr^srr....H]]DG\FK\@A\CFD]GG...A.@DK.F..D.EAB...K.CCDA...GH.KG.K.....H@r^srr....H]]DD\@@B\E\@FE]GG...A.@DK.F..D.EAB...K.CCDA...GH.KG.K.....HAr^srr....H]]DF\EC\CF@\C@B]GG...A.@DK.F..D.EAB...K.CCDA...GH.KG.K.....HFrrrrr
2012-10-04 10:30:26.508766 IP 31.184.245.202.12757 > 192.168.248.165.1136: Flags [P.], seq 296:780, ack 123, win 64240, length 484
E……….S……..1..p.5.$.v<.P........srrxrrr.rrr........_........\...]M....O.B.KB.......JA...@.K.@A.F..G@C.........G.A..T OC@T.OET......O....Y.......Y...Y....Y....rzurr....H]]DF\EC\CF@\C@B]GG...A.@DK.F..D.EAB...K.CCDA...GH.KG.K.....HBrzurr....H]]DG\FK\@A\CFD]GG...A.@DK.F..D.EAB...K.CCDA...GH.KG.K.....HCr^srr....H]]DG\FK\@A\CFD]GG...A.@DK.F..D.EAB...K.CCDA...GH.KG.K.....H@r^srr....H]]DD\@@B\E\@FE]GG...A.@DK.F..D.EAB...K.CCDA...GH.KG.K.....HAr^srr....H]]DF\EC\CF@\C@B]GG...A.@DK.F..D.EAB...K.CCDA...GH.KG.K.....HFrrrrr
2012-10-04 10:30:26.508797 IP 192.168.248.165.1136 > 31.184.245.202.12757: Flags [.], ack 780, win 63461, length 0
E..(.j@…*……….p1..v<..5..P..._o..
2012-10-04 10:30:27.058279 IP 31.184.245.202.12757 > 192.168.248.165.1136: Flags [.], seq 780:2240, ack 123, win 64240, length 1460
E……………….1..p.5…v<.P....... grrtrrr@rrr...............\...]M....O.
2012-10-04 10:30:34.381377 IP 192.168.248.165.1138 > 81.17.26.187.80: Flags [P.], seq 1:361, ack 1, win 64240, length 360
E…..@………Q….r.Pg.^f.&..P…r…GET /X11HXlhHWF1bR1hbWUZcXA8KCloKW19QCF0NDF8LXlpZCw0IUAtYWF9aCgsNXFMaUFwCUBwTCBMQU1k= HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/20.0.782.112 Safari/535.1
Accept-Encoding: gzip, deflate
Host: dgyqimolcqm[.]cm
Connection: Keep-Alive

2012-10-04 10:30:34.381534 IP 81.17.26.187.80 > 192.168.248.165.1138: Flags [.], ack 361, win 64240, length 0
E..(……|.Q……..P.r.&..g._.P….n……..
2012-10-04 10:30:34.488501 IP 81.17.26.187.80 > 192.168.248.165.1138: Flags [FP.], seq 1:133, ack 361, win 64240, length 132
E………|AQ……..P.r.&..g._.P…]…HTTP/1.1 303
Connection: Close
Content-Length: 0
Location: hxxp://64.71.142.120/55fcc3c269a4de6b730bda9b1163cbd5:s95k9uzazy:0

2012-10-04 10:30:40.464937 IP 192.168.248.165.1141 > 64.71.142.120.80: Flags [P.], seq 1:400, ack 1, win 64240, length 399
E…..@…o…..@G.x.u.P?.X…..P…p…GET /55fcc3c269a4de6b730bda9b1163cbd5:s95k9uzazy:0 HTTP/1.1
Accept: */*
Referer: http://egyptian-treasure[.]com/?afdt=z0v90dzttmcm83htf2w9m23b4jj521oqshirksa5i3bs&x=12&y=7&search=pain+patches+for+back+pain
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/20.0.782.112 Safari/535.1
Host: 64.71.142.120
Connection: Keep-Alive

2012-10-04 10:30:40.465142 IP 64.71.142.120.80 > 192.168.248.165.1141: Flags [.], ack 400, win 64240, length 0
E..(……..@G.x…..P.u….?.Z!P………….
2012-10-04 10:30:40.619256 IP 190.221.72.117.16464 > 192.168.248.165.1129: UDP, length 568
E..T……….Hu….@P.i.@u..W..(……….3..o.L……i3.8:2+xx.d……3…4.U^.L……:3.8J..R..d…U..3..
….L..0P=8:3.>.H….d..H…3.Mm…..L…..8:3m*>.d…u……3%.GgM………8:…..H….\…’6Z…{..$.%……$..’..O.#..x@.L. ..^..gR1T7…;q…..#.Y.<.T....s.....2R.t.45uK…`……..#n.+x….#.d.|…….:..}{..n…8…p=.. .`..t#…….S..9……r..V.V../|Y…C.k.m……_sV/}……K..R
. L..~8……&…W.Y.Xp…Iw.6#.
2012-10-04 10:30:40.710115 IP 64.71.142.120.80 > 192.168.248.165.1141: Flags [P.], seq 1:153, ack 400, win 64240, length 152
E……….,@G.x…..P.u….?.Z!P…P[..HTTP/1.1 200 OK
Server: nginx
Date: Wed, 07 Aug 2013 18:34:23 GMT
Content-Type: text/plain; charset=UTF-8
Content-Length: 2
Connection: close

2012-10-04 10:32:35.603483 IP 192.168.248.165.1153 > 23.13.165.37.80: Flags [P.], seq 1:400, ack 1, win 64240, length 399
E…..@…………%…P..R|.. 192.168.248.165.1153: Flags [.], ack 400, win 64240, length 0
E..(……+a…%…..P…. 23.13.165.37.80: Flags [P.], seq 1:402, ack 1, win 64240, length 401
E…..@…………%…P7.z….?P…#…GET /ly/video/js/jquery.min.js HTTP/1.1
Accept: */*
Referer: http://video.lycos.com/video/view/paula-deen-back-in-crisis-control-mode-after-aunt-jemima-claims-g5154031/?m=c&s=legrab&SRC=SK_LE_US_C_143x121655
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/20.0.782.112 Safari/535.1
Host: ly.lygo.com
Connection: Keep-Alive

2012-10-04 10:32:35.610310 IP 4.2.2.2.53 > 192.168.248.165.53: 44283 3/0/0 CNAME wildcard.lygo.com.edgekey.net., CNAME e6719.b.akamaiedge.net., A 23.60.133.37 (121)
E………………..5.5…7………….ly.lygo.com………………wildcard.lygo.com.edgekey.net..)…….~…e6719.b
akamaiedge.C.T………..<.%
2012-10-04 10:32:35.610323 IP 23.13.165.37.80 > 192.168.248.165.1153: Flags [P.], seq 1:709, ack 400, win 64240, length 708
E………(….%…..P….
