Cutwail PUSHDO Malware Traffic Sample Weirdest Botnet with PCAP DDoS Spam SEO

January 29, 2016

Download PUSHDO Sample PCAP here : pushdo.pcap

Pushdo is the loader and Cutwail the spam engine it installs; between them the botnet has been used for DDoS, mass spam, pulling down other malware and blackhat SEO. The trace below is tcpdump -A output from an infected host at 192.168.248.165 (each summary line is followed by the packet bytes, with non-printable ones printed as dots, which is why the TLS certificates and HTTP bodies are only partly readable). In under three seconds it shows most of that behaviour.

DNS first. The queries leave from source port 53, the same transaction ID goes to 8.8.8.8 and 4.2.2.2 at the same instant, and when 4.2.2.2 returns no answer for tinet.org the name is retried as tinet.org.localdomain. Two public resolvers being hit directly from an internal host, in parallel, is not what a normal Windows stub resolver does, and it is the easiest thing in this capture to alert on.

Then port 443 to accounting.ee and 4ever4you.de. Neither is C2. The first answers with a self-signed certificate for localhost.localdomain (root@localhost.localdomain, SomeOrganization, valid 2007-01-01 to 2008-01-01, so long expired), the second with the default Parallels Confixx certificate (Parallels GmbH, Herndon, Virginia, expired January 2011). The client sends its half of the handshake and closes the connection about a second later. Pushdo has a well-documented habit of opening throwaway SSL connections to unrelated legitimate servers as cover traffic, and that is what these look like.

Then Cutwail: one A lookup each for uakron.edu, suscom.net, eastlink.ca, mania.com, merck.com, sscomputing.com, tartarus.uwa.edu.au, posten.se, tinet.org and more, and a SYN to port 25 at whatever address comes back, eight of them inside 30 ms. That is spam being delivered direct-to-MX; only the SYNs made it into this excerpt.

Finally HTTP POSTs to port 80 on unrelated sites (uakron.edu, caionline.org, comporium.net, trib.com, iw.com, myway.com, buffalo.edu, wildmail.com): Content-Type: application/octet-stream, an MSIE 6.0 on Windows XP User-Agent, a body of anywhere from 1 to 245 bytes, and on half of them a query string of the form ?ptrxcz_ followed by 30 alphanumerics. The servers answer the way any server answers a stray POST (myway.com sends a 302 whose Location header echoes the token back). Like the SSL connections, this is noise meant to look like browsing, not command and control.

One caveat before using the file: the packet timestamps say 2012-10-04, but the Date: header in the myway.com response says Thu, 16 May 2013, so the clock on the capturing machine cannot be trusted. Do not correlate these timestamps with anything else without allowing for that.
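As an added example (mine, not part of the original post or of any Pushdo tooling), here is a small Python detector that reads tcpdump summary lines like the ones in the capture below and flags two of its behaviours: the same DNS transaction ID fired at more than one external resolver from an internal host, and many distinct port-25 SYN targets inside a short window. The sample lines are copied from this capture; the one-second window and the threshold of five targets are tuning choices I made for the example, not anything the malware documents.

```python
import ipaddress
import re
from collections import defaultdict, namedtuple
from datetime import datetime

# tcpdump summary lines copied from the capture on this page (payload dumps
# omitted). Against the real file you would feed in `tcpdump -nn -r pushdo.pcap`.
SAMPLE_LINES = """\
2012-10-04 09:27:06.414312 IP 192.168.248.165.53 > 8.8.8.8.53: 40552+ A? accounting.ee. (31)
2012-10-04 09:27:06.414403 IP 192.168.248.165.53 > 4.2.2.2.53: 40552+ A? accounting.ee. (31)
2012-10-04 09:27:06.420403 IP 8.8.8.8.53 > 192.168.248.165.53: 40552 1/0/0 A 62.65.252.16 (47)
2012-10-04 09:27:06.421564 IP 192.168.248.165.1113 > 62.65.252.16.443: Flags [S], seq 157294960, win 64240, options [mss 1460,nop,nop,sackOK], length 0
2012-10-04 09:27:08.257162 IP 192.168.248.165.53 > 8.8.8.8.53: 45663+ A? uakron.edu. (28)
2012-10-04 09:27:08.257239 IP 192.168.248.165.53 > 4.2.2.2.53: 45663+ A? uakron.edu. (28)
2012-10-04 09:27:08.261661 IP 192.168.248.165.1117 > 130.101.217.69.25: Flags [S], seq 2163410893, win 64240, options [mss 1460,nop,nop,sackOK], length 0
2012-10-04 09:27:08.262721 IP 192.168.248.165.1118 > 66.179.151.52.25: Flags [S], seq 176673248, win 64240, options [mss 1460,nop,nop,sackOK], length 0
2012-10-04 09:27:08.263842 IP 192.168.248.165.1119 > 71.7.199.81.25: Flags [S], seq 1878104144, win 64240, options [mss 1460,nop,nop,sackOK], length 0
2012-10-04 09:27:08.266655 IP 192.168.248.165.1120 > 155.91.16.2.25: Flags [S], seq 3831193166, win 64240, options [mss 1460,nop,nop,sackOK], length 0
2012-10-04 09:27:08.267335 IP 192.168.248.165.1121 > 69.64.153.150.25: Flags [S], seq 1517398027, win 64240, options [mss 1460,nop,nop,sackOK], length 0
2012-10-04 09:27:08.272803 IP 192.168.248.165.1123 > 108.162.204.111.25: Flags [S], seq 520463264, win 64240, options [mss 1460,nop,nop,sackOK], length 0
2012-10-04 09:27:08.281662 IP 192.168.248.165.1124 > 130.95.128.3.25: Flags [S], seq 3396468651, win 64240, options [mss 1460,nop,nop,sackOK], length 0
2012-10-04 09:27:08.286975 IP 192.168.248.165.1125 > 147.14.11.241.25: Flags [S], seq 1543522964, win 64240, options [mss 1460,nop,nop,sackOK], length 0
2012-10-04 09:27:08.293422 IP 192.168.248.165.1126 > 67.192.237.89.80: Flags [S], seq 1783651818, win 64240, options [mss 1460,nop,nop,sackOK], length 0
"""

Packet = namedtuple("Packet", "ts src sport dst dport rest")

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)
# A query looks like "40552+ A? accounting.ee. (31)"; a reply carries no "?".
QUERY_RE = re.compile(r"^(?P<txid>\d+)\+?\s+[A-Z]+\? (?P<qname>\S+)")


def parse_line(line):
    """Turn one tcpdump -nn summary line into a Packet; payload dump lines give None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f").timestamp()
    return Packet(ts, m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["rest"])


def parallel_dns_lookups(pkts, allowed_resolvers=frozenset()):
    """Internal hosts that send the same DNS transaction ID to more than one
    resolver outside allowed_resolvers. A stub resolver tries resolvers in
    turn; code with its own resolver asks them all at once."""
    seen = defaultdict(set)
    for p in pkts:
        if p.dport != 53 or p.dst in allowed_resolvers:
            continue
        if not ipaddress.ip_address(p.src).is_private:
            continue
        m = QUERY_RE.match(p.rest)
        if m:
            seen[(p.src, m["txid"], m["qname"])].add(p.dst)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


def smtp_fanout(pkts, window=1.0, threshold=5):
    """Largest number of distinct port-25 SYN destinations any source opened
    within `window` seconds; returns {src: count} for sources at or above
    `threshold`. "Flags [S]" excludes the "Flags [S.]" SYN-ACKs."""
    syns = defaultdict(list)
    for p in pkts:
        if p.dport == 25 and p.rest.startswith("Flags [S]"):
            syns[p.src].append((p.ts, p.dst))
    hits = {}
    for src, events in syns.items():
        events.sort()
        best = 0
        for i, (t0, _) in enumerate(events):
            targets = {dst for t, dst in events[i:] if t - t0 <= window}
            best = max(best, len(targets))
        if best >= threshold:
            hits[src] = best
    return hits


def analyse(text):
    pkts = [p for p in (parse_line(line) for line in text.splitlines()) if p]
    return {"parallel_dns": parallel_dns_lookups(pkts), "smtp_fanout": smtp_fanout(pkts)}


if __name__ == "__main__":
    for name, finding in analyse(SAMPLE_LINES).items():
        print(name, finding)
```

On the lines above the DNS check reports both lookups (accounting.ee and uakron.edu) as sent to 4.2.2.2 and 8.8.8.8 at once, and the SMTP check reports eight distinct mail servers contacted inside one second. Pass your own resolvers in allowed_resolvers so that legitimate traffic to them is ignored; a workstation that talks to anything else on port 53, let alone from source port 53, deserves a look regardless of the malware family.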

2012-10-04 09:27:06.414312 IP 192.168.248.165.53 > 8.8.8.8.53: 40552+ A? accounting.ee. (31)
E..;.r….p……….5.5.’…h……….
accounting.ee…..
2012-10-04 09:27:06.414403 IP 192.168.248.165.53 > 4.2.2.2.53: 40552+ A? accounting.ee. (31)
E..;.s….z……….5.5.’…h……….
accounting.ee…..
2012-10-04 09:27:06.420403 IP 8.8.8.8.53 > 192.168.248.165.53: 40552 1/0/0 A 62.65.252.16 (47)
E..K.)……………5.5.7ZA.h……….
accounting.ee……………..>A..
2012-10-04 09:27:06.421564 IP 192.168.248.165.1113 > 62.65.252.16.443: Flags [S], seq 157294960, win 64240, options [mss 1460,nop,nop,sackOK], length 0
E..0.u@………>A…Y.. `!p….p…c………..
2012-10-04 09:27:06.538732 IP 62.65.252.16.443 > 192.168.248.165.1113: Flags [S.], seq 4110040846, ack 157294961, win 64240, options [mss 1460], length 0
E..,.*……>A………Y..?. `!q`…D………
2012-10-04 09:27:06.538792 IP 192.168.248.165.1113 > 62.65.252.16.443: Flags [.], ack 1, win 64240, length 0
E..(.v@………>A…Y.. `!q..?.P…\T..
2012-10-04 09:27:06.545219 IP 192.168.248.165.1113 > 62.65.252.16.443: Flags [P.], seq 1:71, ack 1, win 64240, length 70
E..n.w@….s….>A…Y.. `!q..?.P………..A…=..Q.”……1 ..Y..Gf. .+….B…Bc……..
. .d.b………c..
2012-10-04 09:27:06.545414 IP 62.65.252.16.443 > 192.168.248.165.1113: Flags [.], ack 71, win 64240, length 0
E..(.+……>A………Y..?. `!.P…\………
2012-10-04 09:27:06.664639 IP 62.65.252.16.443 > 192.168.248.165.1113: Flags [P.], seq 1:1146, ack 71, win 64240, length 1145
E….,……>A………Y..?. `!.P…J…….J…F..Q.”.+.H[.L
X.R..ZN.”V._:c…XY3. .,n.<..K7….&e..H…
.N…….r………………0…0..w…….n.0.. *.H……..0..1.0 ..U….–1.0…U… SomeState1.0…U….SomeCity1.0…U.
..SomeOrganization1.0…U….SomeOrganizationalUnit1.0…U….localhost.localdomain1)0′. *.H…. …root@localhost.localdomain0…070101224135Z..080101224135Z0..1.0 ..U….–1.0…U… SomeState1.0…U….SomeCity1.0…U.
..SomeOrganization1.0…U….SomeOrganizationalUnit1.0…U….localhost.localdomain1)0′. *.H…. …root@localhost.localdomain0..0.. *.H…………0…….\p……9c..O.z..Xv…lzA.H..G./U.Xj……..h ..a.~x…..rm…~…mI…..CK …8….TP.k
.`.Hh.jg..cb9$j1.R…..k:.&…..+..F………..0…0…U……..)..+ $…..0…o..0….U.#…0……)..+ $…..0…o……..0..1.0 ..U….–1.0…U… SomeState1.0…U….SomeCity1.0…U.
..SomeOrganization1.0…U….SomeOrganizationalUnit1.0…U….localhost.localdomain1)0′. *.H…. …root@localhost.localdomain..n.0…U….0….0.. *.H………….zV.?NA…T…i…`:h.P. .`…….d………)N…….6″tf.>……;RU.VA….U.U.7A.&.4…’…………..<.Id…W7U..^P…../…vh………
2012-10-04 09:27:06.668128 IP 192.168.248.165.1113 > 62.65.252.16.443: Flags [P.], seq 71:253, ack 1146, win 63095, length 182
E….x@………>A…Y.. `!…C.P..w……………%&c…..z3x..=TT…..V..4{…YHN^.N#…..u…..S=Iw…1.T/..#V_..b………….L.#.3dW.qe.W.L-..|b.G

….EG.Z.*m………T…………… ..~.)………. ]..#7M…(.’….
2012-10-04 09:27:06.668316 IP 62.65.252.16.443 > 192.168.248.165.1113: Flags [.], ack 253, win 64240, length 0
E..(.-……>A………Y..C. `”mP…V………
2012-10-04 09:27:06.676616 IP 4.2.2.2.53 > 192.168.248.165.53: 40552 1/0/0 A 62.65.252.16 (47)
E..K…….!………5.5.7’L.h……….
accounting.ee……………..>A..

2012-10-04 09:27:07.666181 IP 192.168.248.165.1113 > 62.65.252.16.443: Flags [F.], seq 420, ack 1471, win 64240, length 0
E..(..@………>A…Y.. `#…D.P…T…
2012-10-04 09:27:07.667455 IP 62.65.252.16.443 > 192.168.248.165.1113: Flags [.], ack 421, win 64239, length 0
E..(.b……>A………Y..D. `#.P…T………
2012-10-04 09:27:07.677644 IP 192.168.248.165.53 > 8.8.8.8.53: 37131+ A? 4ever4you.de. (30)
E..:……p……….5.5.&.[………… 4ever4you.de…..
2012-10-04 09:27:07.677744 IP 192.168.248.165.53 > 4.2.2.2.53: 37131+ A? 4ever4you.de. (30)
E..:……z……….5.5.&.g………… 4ever4you.de…..
2012-10-04 09:27:07.683418 IP 8.8.8.8.53 > 192.168.248.165.53: 37131 1/0/0 A 195.225.104.182 (46)
E..J.c……………5.5.6B…………. 4ever4you.de…………..
….h.
2012-10-04 09:27:07.683807 IP 192.168.248.165.1115 > 195.225.104.182.443: Flags [S], seq 2648890378, win 64240, options [mss 1460,nop,nop,sackOK], length 0
E..0..@….M……h..[…..
….p…”E……….
2012-10-04 09:27:07.748607 IP 4.2.2.2.53 > 192.168.248.165.53: 37131 1/0/0 A 195.225.104.182 (46)
E..J.d……………5.5.6.Z………… 4ever4you.de……………….h.
2012-10-04 09:27:07.787913 IP 195.225.104.182.443 > 192.168.248.165.1115: Flags [S.], seq 369093434, ack 2648890379, win 64240, options [mss 1460], length 0
E..,.e……..h……..[…:….`…6………
2012-10-04 09:27:07.787961 IP 192.168.248.165.1115 > 195.225.104.182.443: Flags [.], ack 1, win 64240, length 0
E..(..@….T……h..[………;P…M…
2012-10-04 09:27:07.788337 IP 192.168.248.165.1115 > 195.225.104.182.443: Flags [P.], seq 1:71, ack 1, win 64240, length 70
E..n..@………..h..[………;P….U……A…=..Q.”.?…|x…I^?…O…..&M..S.V……..
. .d.b………c..
2012-10-04 09:27:07.788482 IP 195.225.104.182.443 > 192.168.248.165.1115: Flags [.], ack 71, win 64240, length 0
E..(.f……..h……..[…;…QP…Mx……..
2012-10-04 09:27:07.893308 IP 195.225.104.182.443 > 192.168.248.165.1115: Flags [P.], seq 1:1103, ack 71, win 64240, length 1102
E..v.g…..4..h……..[…;…QP………..J…F..Q.”.3…..)6.gj$..”……..Tn8,. .4..U..`).0…<ec………..~Y=Y………………0…0..L…… ..X……0.. *.H……..0..1.0 ..U….US1.0…U….Virginia1.0…U….Herndon1.0…U.
..Parallels, GmbH.1.0…U….Parallels Confixx1.0…U….Parallels Confixx1!0.. *.H…. …info@parallels.com0…100125112551Z..110125112551Z0..1.0 ..U….US1.0…U….Virginia1.0…U….Herndon1.0…U.
..Parallels, GmbH.1.0…U….Parallels Confixx1.0…U….Parallels Confixx1!0.. *.H…. …info@parallels.com0..0.. *.H…………0………………dh.$G… …?i.gk….L…..C….[…fC……..\..#G…..2_!..B..$/{P.r):
……MkZ2h4.C……Noe..).a+.{….+DC.Y5A……….0…0…U…….Kz….y0..b. ._L.F80….U.#…0…..Kz….y0..b. ._L.F8……0..1.0 ..U….US1.0…U….Virginia1.0…U….Herndon1.0…U.
..Parallels, GmbH.1.0…U….Parallels Confixx1.0…U….Parallels Confixx1!0.. *.H…. …info@parallels.com. ..X……0…U….0….0.. *.H…………O,d.._a..{,.\.0..7…….M..I…………,……..l……yiey03..M.bf……..B…3->AC7.^…….. a…5..qI.B..fm….Nr.B…].h……….

2012-10-04 09:27:08.239553 IP 192.168.248.165.1115 > 195.225.104.182.443: Flags [.], ack 5557, win 64240, length 0
E..(..@….N……h..[……….P…6h..
2012-10-04 09:27:08.239747 IP 192.168.248.165.1115 > 195.225.104.182.443: Flags [F.], seq 419, ack 5557, win 64240, length 0
E..(..@….M……h..[……….P…6g..
2012-10-04 09:27:08.243458 IP 195.225.104.182.443 > 192.168.248.165.1115: Flags [.], ack 420, win 64239, length 0
E..(.o…..z..h……..[……..P…6h……..
2012-10-04 09:27:08.257162 IP 192.168.248.165.53 > 8.8.8.8.53: 45663+ A? uakron.edu. (28)
E..8……p……….5.5.$_.._………..uakron.edu…..
2012-10-04 09:27:08.257239 IP 192.168.248.165.53 > 4.2.2.2.53: 45663+ A? uakron.edu. (28)
E..8……z……….5.5.$i.._………..uakron.edu…..
2012-10-04 09:27:08.257759 IP 192.168.248.165.53 > 8.8.8.8.53: 42724+ A? suscom.net. (28)
E..8……p……….5.5.$_7………….suscom.net…..
2012-10-04 09:27:08.257834 IP 192.168.248.165.53 > 4.2.2.2.53: 42724+ A? suscom.net. (28)
E..8……z……….5.5.$iC………….suscom.net…..
2012-10-04 09:27:08.259268 IP 192.168.248.165.53 > 8.8.8.8.53: 61328+ A? eastlink.ca. (29)
E..9……p……….5.5.%-3………….eastlink.ca…..
2012-10-04 09:27:08.259345 IP 192.168.248.165.53 > 4.2.2.2.53: 61328+ A? eastlink.ca. (29)
E..9……z……….5.5.%7?………….eastlink.ca…..
2012-10-04 09:27:08.260854 IP 4.2.2.2.53 > 192.168.248.165.53: 45663 1/0/0 A 130.101.217.69 (44)
E..H.p……………5.5.4…_………..uakron.edu…………..V…e.E
2012-10-04 09:27:08.261202 IP 192.168.248.165.53 > 8.8.8.8.53: 8262+ A? mania.com. (27)
E..7……p……….5.5.#.. F………..mania.com…..
2012-10-04 09:27:08.261277 IP 192.168.248.165.53 > 4.2.2.2.53: 8262+ A? mania.com. (27)
E..7……z……….5.5.#.. F………..mania.com…..
2012-10-04 09:27:08.261661 IP 192.168.248.165.1117 > 130.101.217.69.25: Flags [S], seq 2163410893, win 64240, options [mss 1460,nop,nop,sackOK], length 0
E..0..@….#…..e.E.]……….p……………
2012-10-04 09:27:08.261720 IP 4.2.2.2.53 > 192.168.248.165.53: 42724 1/0/0 A 66.179.151.52 (44)
E..H.q……………5.5.4N…………..suscom.net……………..B..4
2012-10-04 09:27:08.262138 IP 192.168.248.165.53 > 8.8.8.8.53: 60958+ A? merck.com. (27)
E..7……p……….5.5.#……………merck.com…..
2012-10-04 09:27:08.262236 IP 192.168.248.165.53 > 4.2.2.2.53: 60958+ A? merck.com. (27)
E..7……z……….5.5.#……………merck.com…..
2012-10-04 09:27:08.262544 IP 8.8.8.8.53 > 192.168.248.165.53: 45663 1/0/0 A 130.101.217.69 (44)
E..H.r……………5.5.4…_………..uakron.edu…………..U…e.E
2012-10-04 09:27:08.262559 IP 8.8.8.8.53 > 192.168.248.165.53: 42724 1/0/0 A 66.179.151.52 (44)
E..H.s……………5.5.4?…………..suscom.net……………..B..4
2012-10-04 09:27:08.262721 IP 192.168.248.165.1118 > 66.179.151.52.25: Flags [S], seq 176673248, win 64240, options [mss 1460,nop,nop,sackOK], length 0
E..0..@…f…..B..4.^..
…….p……………
2012-10-04 09:27:08.262834 IP 4.2.2.2.53 > 192.168.248.165.53: 61328 1/0/0 A 71.7.199.81 (45)
E..I.t……………5.5.5……………eastlink.ca……………..G..Q
2012-10-04 09:27:08.263342 IP 192.168.248.165.53 > 8.8.8.8.53: 15873+ A? sscomputing.com. (33)
E..=……p……….5.5.)@w>…………sscomputing.com…..
2012-10-04 09:27:08.263414 IP 192.168.248.165.53 > 4.2.2.2.53: 15873+ A? sscomputing.com. (33)
E..=……z……….5.5.)J.>…………sscomputing.com…..
2012-10-04 09:27:08.263493 IP 8.8.8.8.53 > 192.168.248.165.53: 61328 1/0/0 A 71.7.199.81 (45)
E..I.u……………5.5.5……………eastlink.ca………….._..G..Q
2012-10-04 09:27:08.263842 IP 192.168.248.165.1119 > 71.7.199.81.25: Flags [S], seq 1878104144, win 64240, options [mss 1460,nop,nop,sackOK], length 0
E..0..@…2l….G..Q._..o..P….p……………
2012-10-04 09:27:08.265880 IP 4.2.2.2.53 > 192.168.248.165.53: 60958 1/0/0 A 155.91.16.2 (43)
E..G.v……………5.5.3……………merck.com…………..7…[..
2012-10-04 09:27:08.266243 IP 192.168.248.165.53 > 8.8.8.8.53: 42758+ A? tartarus.uwa.edu.au. (37)
E..A……p……….5.5.-……………tartarus.uwa.edu.au…..
2012-10-04 09:27:08.266342 IP 192.168.248.165.53 > 4.2.2.2.53: 42758+ A? tartarus.uwa.edu.au. (37)
E..A……z……….5.5.-……………tartarus.uwa.edu.au…..
2012-10-04 09:27:08.266655 IP 192.168.248.165.1120 > 155.91.16.2.25: Flags [S], seq 3831193166, win 64240, options [mss 1460,nop,nop,sackOK], length 0
E..0..@….b…..[…`…[^N….p…._……….
2012-10-04 09:27:08.267003 IP 4.2.2.2.53 > 192.168.248.165.53: 8262 1/0/0 A 69.64.153.150 (43)
E..G.w……………5.5.3.S F………..mania.com……………..E@..
2012-10-04 09:27:08.267335 IP 192.168.248.165.1121 > 69.64.153.150.25: Flags [S], seq 1517398027, win 64240, options [mss 1460,nop,nop,sackOK], length 0
E..0..@…a…..E@…a..Zq……p……………
2012-10-04 09:27:08.267522 IP 192.168.248.165.53 > 8.8.8.8.53: 28830+ A? posten.se. (27)

2012-10-04 09:27:08.267620 IP 192.168.248.165.53 > 4.2.2.2.53: 28830+ A? posten.se. (27)
E..7……z……….5.5.#..p…………posten.se…..
2012-10-04 09:27:08.269912 IP 4.2.2.2.53 > 192.168.248.165.53: 15873 2/0/0 A 108.162.204.111, A 108.162.203.111 (65)
E..].x……………5.5.I’.>…………sscomputing.com…………..,..l..o………,..l..o
2012-10-04 09:27:08.269928 IP 4.2.2.2.53 > 192.168.248.165.53: 42758 1/0/0 A 130.95.128.3 (53)
E..Q.y……………5.5.=.K………….tartarus.uwa.edu.au…………. …._..
2012-10-04 09:27:08.269938 IP 8.8.8.8.53 > 192.168.248.165.53: 60958 1/0/0 A 155.91.16.2 (43)
E..G.z……………5.5.3……………merck.com………………[..
2012-10-04 09:27:08.269950 IP 8.8.8.8.53 > 192.168.248.165.53: 8262 1/0/0 A 69.64.153.150 (43)
E..G.{……………5.5.3.H F………..mania.com…………..i..E@..
2012-10-04 09:27:08.270215 IP 192.168.248.165.53 > 8.8.8.8.53: 22148+ A? tinet.org. (27)
E..7……p……….5.5.#.-V…………tinet.org…..
2012-10-04 09:27:08.270318 IP 8.8.8.8.53 > 192.168.248.165.53: 15873 2/0/0 A 108.162.203.111, A 108.162.204.111 (65)
E..].|……………5.5.I_.>…………sscomputing.com……………..l..o…………l..o
2012-10-04 09:27:08.270360 IP 192.168.248.165.53 > 4.2.2.2.53: 22148+ A? tinet.org. (27)
E..7……z……….5.5.#.9V…………tinet.org…..
2012-10-04 09:27:08.272803 IP 192.168.248.165.1123 > 108.162.204.111.25: Flags [S], seq 520463264, win 64240, options [mss 1460,nop,nop,sackOK], length 0
E..0..@………l..o.c……….p……………
2012-10-04 09:27:08.272890 IP 8.8.8.8.53 > 192.168.248.165.53: 42758 1/0/0 A 130.95.128.3 (53)
E..Q.}……………5.5.=.E………….tartarus.uwa.edu.au………………_..
2012-10-04 09:27:08.281662 IP 192.168.248.165.1124 > 130.95.128.3.25: Flags [S], seq 3396468651, win 64240, options [mss 1460,nop,nop,sackOK], length 0
E..0..@…>Q….._…d…q……p……………
2012-10-04 09:27:08.281756 IP 8.8.8.8.53 > 192.168.248.165.53: 28830 1/0/0 A 147.14.11.241 (43)
E..G.~……………5.5.3:.p…………posten.se…………..)……
2012-10-04 09:27:08.281771 IP 4.2.2.2.53 > 192.168.248.165.53: 22148 0/1/0 (79)
E..k……………..5.5.W..V…………tinet.org…………..V.(.milu.fut.es..root.’w…..Q…. .’……
2012-10-04 09:27:08.282229 IP 192.168.248.165.53 > 8.8.8.8.53: 63034+ A? tinet.org.localdomain. (39)
E..C……p……….5.5./…:………..tinet.org.localdomain…..
2012-10-04 09:27:08.282329 IP 192.168.248.165.53 > 4.2.2.2.53: 63034+ A? tinet.org.localdomain. (39)
E..C……z……….5.5./…:………..tinet.org.localdomain…..
2012-10-04 09:27:08.286975 IP 192.168.248.165.1125 > 147.14.11.241.25: Flags [S], seq 1543522964, win 64240, options [mss 1460,nop,nop,sackOK], length 0
E..0..@…………..e..\.J…..p……………
2012-10-04 09:27:08.287674 IP 192.168.248.165.53 > 8.8.8.8.53: 9494+ A? caionline.org. (31)
E..;……p……….5.5.’..%……….. caionline.org…..
2012-10-04 09:27:08.287733 IP 8.8.8.8.53 > 192.168.248.165.53: 22148 0/1/0 (79)
E..k……………..5.5.WI.V…………tinet.org…………….(.milu.fut.es..root.’w…..Q…. .’……
2012-10-04 09:27:08.287773 IP 192.168.248.165.53 > 4.2.2.2.53: 9494+ A? caionline.org. (31)
E..;……z……….5.5.’..%……….. caionline.org…..
2012-10-04 09:27:08.288266 IP 192.168.248.165.53 > 8.8.8.8.53: 14860+ A? mountainmax.net. (33)
E..=……p……….5.5.)u>:…………mountainmax.net…..
2012-10-04 09:27:08.288339 IP 192.168.248.165.53 > 4.2.2.2.53: 14860+ A? mountainmax.net. (33)
E..=……z……….5.5.).J:…………mountainmax.net…..
2012-10-04 09:27:08.288947 IP 192.168.248.165.53 > 8.8.8.8.53: 37271+ A? trib.com. (26)
E..6……p……….5.5.”……………trib.com…..
2012-10-04 09:27:08.289021 IP 192.168.248.165.53 > 4.2.2.2.53: 37271+ A? trib.com. (26)
E..6……z……….5.5.”……………trib.com…..
2012-10-04 09:27:08.292781 IP 4.2.2.2.53 > 192.168.248.165.53: 9494 1/0/0 A 67.192.237.89 (47)
E..K……………..5.5.7.K%……….. caionline.org…………..t..C..Y
2012-10-04 09:27:08.292796 IP 4.2.2.2.53 > 192.168.248.165.53: 14860 1/0/0 A 65.38.128.10 (49)
E..M……………..5.5.9u.:…………mountainmax.net…………..F..A&.

2012-10-04 09:27:08.292805 IP 8.8.8.8.53 > 192.168.248.165.53: 9494 1/0/0 A 67.192.237.89 (47)
E..K……………..5.5.7.4%……….. caionline.org…………..B..C..Y
2012-10-04 09:27:08.292814 IP 8.8.8.8.53 > 192.168.248.165.53: 14860 1/0/0 A 65.38.128.10 (49)
E..M……………..5.5.9..:…………mountainmax.net…………. …A&.

2012-10-04 09:27:08.292823 IP 4.2.2.2.53 > 192.168.248.165.53: 37271 2/0/0 A 192.104.182.209, A 192.104.182.109 (58)
E..V……………..5.5.B.?………….trib.com…………..e…h………..e…h.m
2012-10-04 09:27:08.293422 IP 192.168.248.165.1126 > 67.192.237.89.80: Flags [S], seq 1783651818, win 64240, options [mss 1460,nop,nop,sackOK], length 0
E..0..@………C..Y.f.PjP]…..p……………
2012-10-04 09:27:08.293482 IP 8.8.8.8.53 > 192.168.248.165.53: 37271 2/0/0 A 192.104.182.109, A 192.104.182.209 (58)
E..V……………..5.5.B……………trib.com………….
….h.m……..
….h..

2012-10-04 09:27:08.333309 IP 192.168.248.165.1127 > 130.101.217.69.80: Flags [P.], seq 1:485, ack 1, win 64240, length 484: HTTP: POST /?ptrxcz_VYadfikmqsuxz2469BEGILNPSUXZbe HTTP/1.1
E…..@……….e.E.g.P…..t,.P…p…POST /?ptrxcz_VYadfikmqsuxz2469BEGILNPSUXZbe HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 193
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: uakron.edu
Connection: Keep-Alive
Cache-Control: no-cache

g.P#…#…#…$..5$…$…$7S.$^.3%xQf%…%.O.%…&.Md&…&;L.&U..’o.H’…’…’…(..F(..
.2..(O..(.
…. …\+..p,.z..*.u*)t.*?>.-.p’+.<Z+.n.+.:.+…,.9X, ..,G7.,a.
-{.<-…-…-……:…m.>
2012-10-04 09:27:08.333447 IP 192.168.248.165.1126 > 67.192.237.89.80: Flags [P.], seq 1:441, ack 1, win 64240, length 440: HTTP: POST / HTTP/1.1
E…..@………C..Y.f.PjP]../U.P…S…POST / HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 184
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: caionline.org
Connection: Keep-Alive
Cache-Control: no-cache

.go..3…e….:.<…V…}…..Q..,…^…+..3]i.Z………M……….$..7Ve..”…T….0….y………..yg.%z\b..^….R.z.}……….o.v.s……..D[..v…C..)u&.P.r.w………=.. …<..
2012-10-04 09:27:08.333511 IP 130.101.217.69.80 > 192.168.248.165.1127: Flags [.], ack 485, win 64240, length 0
E..(…….G.e.E…..P.g.t,…..P….i……..
2012-10-04 09:27:08.333665 IP 192.168.248.165.1128 > 208.104.2.209.80: Flags [P.], seq 1:256, ack 1, win 64240, length 255: HTTP: POST / HTTP/1.1
E..’..@…lZ…..h…h.P7…2WmjP…=…POST / HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: comporium.net
Connection: Keep-Alive
Cache-Control: no-cache

 

2012-10-04 09:27:08.358594 IP 192.168.248.165.1130 > 192.104.182.209.80: Flags [P.], seq 1:462, ack 1, win 64240, length 461: HTTP: POST /?ptrxcz_0368BEHJMPSUXadfiloruxz258ADGI HTTP/1.1
E…..@……….h…j.P-..SOC.&P…….POST /?ptrxcz_0368BEHJMPSUXadfiloruxz258ADGI HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 172
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: trib.com
Connection: Keep-Alive
Cache-Control: no-cache

2012-10-04 09:27:08.400602 IP 192.168.248.165.1131 > 67.208.33.32.80: Flags [P.], seq 1:271, ack 1, win 64240, length 270: HTTP: POST / HTTP/1.1
E..6..@………C.! .k.P.Y.].:..P….q..POST / HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 22
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: iw.com
Connection: Keep-Alive
Cache-Control: no-cache

2012-10-04 09:27:08.403007 IP 192.168.248.165.1132 > 74.113.233.77.80: Flags [P.], seq 1:304, ack 1, win 64240, length 303: HTTP: POST /?ptrxcz_hkmpsuwy03579CEGILNPRUWYadfhjl HTTP/1.1
E..W..@………Jq.M.l.PzOL.$…P….e..POST /?ptrxcz_hkmpsuwy03579CEGILNPRUWYadfhjl HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 14
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: myway.com
Connection: Keep-Alive
Cache-Control: no-cache

……O..o.. .
2012-10-04 09:27:08.403121 IP 74.113.233.77.80 > 192.168.248.165.1132: Flags [.], ack 304, win 64240, length 0
E..(…….”Jq.M…..P.l$…zOM.P…4………
2012-10-04 09:27:08.406374 IP 74.113.233.77.80 > 192.168.248.165.1132: Flags [P.], seq 1:579, ack 304, win 64240, length 578: HTTP: HTTP/1.1 302 Found
E..j……..Jq.M…..P.l$…zOM.P…0…HTTP/1.1 302 Found
Date: Thu, 16 May 2013 18:17:46 GMT
Server: Apache/2.0.43 (Unix)
Location: http://www.myway.com/index1.html?ptrxcz_hkmpsuwy03579CEGILNPRUWYadfhjl
Content-Length: 322
Connection: close
Content-Type: text/html; charset=iso-8859-1

 

2012-10-04 09:27:08.526371 IP 192.168.248.165.1140 > 128.205.7.144.80: Flags [P.], seq 1:500, ack 1, win 64240, length 499: HTTP: POST / HTTP/1.1
E….3@…………..t.P.P….3vP…y…POST / HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 245
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: buffalo.edu
Connection: Keep-Alive
Cache-Control: no-cache

W..i..sj…j..?kA..ku.#l.K.l.I.m+H.m_..m..kn.v.n..7oI..o}..p.=.p.;.q&.eqZl.q..cr.h.r3./sQ.>….t./ytR[..@,..Bsuwk[.x.aB.3.&wY..w…{.!qx. .x6.UyjP.y.N:z…z ..{a..{.{.|..i|
..|>.M}rB.}.@2~…~.q.~i….m….a…..F.E.z4…2*…..0…dat……]r..
2012-10-04 09:27:08.526489 IP 128.205.7.144.80 > 192.168.248.165.1140: Flags [.], ack 500, win 64240, length 0
E..(……^[………P.t..3v.P..P………….
2012-10-04 09:27:08.534228 IP 217.70.184.38.80 > 192.168.248.165.1137: Flags [S.], seq 2515311338, ack 2620880304, win 64240, options [mss 1460], length 0
E..,……UF.F.&…..P.q…..7u.`…
………
2012-10-04 09:27:08.534292 IP 192.168.248.165.1137 > 217.70.184.38.80: Flags [.], ack 1, win 64240, length 0
E..(.4@……….F.&.q.P.7u…..P…”…
2012-10-04 09:27:08.534432 IP 192.168.248.165.1137 > 217.70.184.38.80: Flags [P.], seq 1:469, ack 1, win 64240, length 468: HTTP: POST /?ptrxcz_MORUWZcehkmqtvy1369BEHJMPRUXZc HTTP/1.1
E….5@……….F.&.q.P.7u…..P…T*..POST /?ptrxcz_MORUWZcehkmqtvy1369BEHJMPRUXZc HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 175
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: wildmail.com
Connection: Keep-Alive

 

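The ?ptrxcz_ tokens in the POSTs above are not random. Put the 62 characters 0-9, A-Z, a-z in that order on a ring, and every token is a walk around it: each character sits 2, 3 or 4 positions after the previous one, wrapping from z back to the digits, and every token is exactly 30 characters long. As an added example (my code, not from the original post), here is a checker that pulls the token out of a request line or the echoing Location: header and tests that structure. The 30-character length and the 2-to-4 step bounds are what the four tokens on this page show; whether the real generator ever steps outside them is an assumption, so widen the bounds if your own samples disagree. The last request line is a constructed negative, not from the capture.

```python
import re

# Ring the observed tokens walk around: digits, then upper case, then lower case.
ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
INDEX = {c: i for i, c in enumerate(ALPHABET)}

# Matches the token in a request line ("POST /?ptrxcz_... HTTP/1.1") and in a
# Location: header that echoes it back.
TOKEN_RE = re.compile(r"\?ptrxcz_([0-9A-Za-z]+)")


def extract_token(line):
    """Return the ptrxcz_ token found in an HTTP request line or header, else None."""
    m = TOKEN_RE.search(line)
    return m.group(1) if m else None


def walk_steps(token):
    """Distance (mod 62) from each character to the next in ALPHABET order."""
    return [(INDEX[b] - INDEX[a]) % len(ALPHABET) for a, b in zip(token, token[1:])]


def is_pushdo_like(token, length=30, min_step=2, max_step=4):
    """True when the token has the structure of the four samples on this page:
    exactly `length` alphanumerics, each 2 to 4 ring positions after the last.
    The bounds are observed from those samples only, not documented anywhere."""
    if len(token) != length or any(c not in INDEX for c in token):
        return False
    return all(min_step <= s <= max_step for s in walk_steps(token))


# Request lines copied from the capture above, one without a token, plus a
# constructed line whose token is random alphanumerics of the same length.
SAMPLE_REQUESTS = [
    "POST /?ptrxcz_VYadfikmqsuxz2469BEGILNPSUXZbe HTTP/1.1",
    "POST /?ptrxcz_0368BEHJMPSUXadfiloruxz258ADGI HTTP/1.1",
    "POST /?ptrxcz_hkmpsuwy03579CEGILNPRUWYadfhjl HTTP/1.1",
    "POST /?ptrxcz_MORUWZcehkmqtvy1369BEHJMPRUXZc HTTP/1.1",
    "POST / HTTP/1.1",
    "GET /?ptrxcz_aZ3kQ9mB1xL7pT2vR5yC8nF4hJ6dG0 HTTP/1.1",  # constructed negative
]


def classify(lines):
    """Map each line to (token, pushdo_like) so a pipeline can alert on tokens
    with the walk structure rather than on any '?ptrxcz_' substring."""
    out = []
    for line in lines:
        tok = extract_token(line)
        out.append((tok, bool(tok) and is_pushdo_like(tok)))
    return out


if __name__ == "__main__":
    for line, (tok, hit) in zip(SAMPLE_REQUESTS, classify(SAMPLE_REQUESTS)):
        print("HIT " if hit else "    ", tok, "<-", line)
```

A plain substring match on ?ptrxcz_ would fire on the same four lines, and that is fine as an IDS rule. The point of the walk check is what it tells you about the sample: the token is generated by a deterministic routine, which means a different token per request is expected and the value itself carries no session state worth chasing. The same check applied to the 302 from myway.com shows the server simply echoing the token, which is consistent with these POSTs being cover traffic rather than a channel.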