Prosti Screenblaze PUP/Adware with Trojan/Malware Information Stealing Traffic Sample

June 20, 2015
File properties
FileName: 5d226a8fd2e686ae85037f3c855dbd55c86d6161.exe
McAfee Artemis: Artemis!6a6c793041af
McAfee Detection: BackDoor-DUG
Length: 1,024,004 bytes
CRC: 2F0A0843
MD5: 6A6C793041AFD22301A96CA5DD5D1ED1
SHA1: 5D226A8FD2E686AE85037F3C855DBD55C86D6161

Other Common Detection Aliases

Vendor: Detection name
Avast: Win32:Adware-gen [Adw]
Avira: TR/Dldr.Delphi.Gen
BitDefender: Gen:Adware.Heur.E3728DD8A9
Eset: Win32/Adware.ScreenBlaze (application) (variant)
FortiNet: Suspicious
F-Prot: W32/ScreenBlaze.A.gen!Eldorado
Kaspersky: Backdoor.Win32.Prosti.bhr
Microsoft: backdoor:win32/prosti.f
Norman: W32/Prosti.AVX
Panda: Bck/Prosti.BQ
Sophos: Troj/Bckdr-QRY
V-Buster: Backdoor.Prosti.Gen (mutant)
Vet (Computer Associates): Win32/ScreenBlaze.A

Traffic Sample
1970-01-01 -3:-59:-46.992179 IP 10.0.2.15.1044 > 174.143.204.60.80: Flags [P.], seq 1:106, ack 1, win 64240, length 105
GET /curver.php HTTP/1.1
User-Agent: WinInetHTTP
Host: www.screenblaze[.]com
Cache-Control: no-cache
1970-01-01 -3:-59:-46.992235 IP 174.143.204.60.80 > 10.0.2.15.1044: Flags [.], ack 106, win 65535, length 0
1970-01-01 -3:-59:-45.117041 IP 174.143.204.60.80 > 10.0.2.15.1044: Flags [P.], seq 1:234, ack 106, win 65535, length 233
HTTP/1.1 200 OK
Date: Thu, 02 Aug 2012 03:43:10 GMT
Server: Apache/2.2.11 (Ubuntu) PHP/5.2.6-3ubuntu4 with Suhosin-Patch
X-Powered-By: PHP/5.2.6-3ubuntu4
Vary: Accept-Encoding
Content-Length: 6
Content-Type: text/html

2.1.20
1970-01-01 -3:-59:-45.231101 IP 10.0.2.15.1044 > 174.143.204.60.80: Flags [.], ack 234, win 64007, length 0
1970-01-01 -3:-59:-45.622015 IP 10.0.2.15.137 > 10.0.2.255.137: NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST

1970-01-01 -3:-59:-45.712830 IP 10.0.2.15.1044 > 174.143.204.60.80: Flags [P.], seq 106:234, ack 234, win 64007, length 128
GET /scr2.php?id=3&serial=0&ver=2.1.20 HTTP/1.1
User-Agent: WinInetHTTP
Host: www.screenblaze[.]com
Cache-Control: no-cache

1970-01-01 -3:-59:-45.712919 IP 174.143.204.60.80 > 10.0.2.15.1044: Flags [.], ack 234, win 65535, length 0
1970-01-01 -3:-59:-44.372657 IP 10.0.2.15.137 > 10.0.2.255.137: NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST

1970-01-01 -3:-59:-44.601252 IP 174.143.204.60.80 > 10.0.2.15.1044: Flags [.], seq 234:1654, ack 234, win 65535, length 1420
HTTP/1.1 200 OK
Date: Thu, 02 Aug 2012 03:43:11 GMT
Server: Apache/2.2.11 (Ubuntu) PHP/5.2.6-3ubuntu4 with Suhosin-Patch
X-Powered-By: PHP/5.2.6-3ubuntu4
Set-Cookie: rid=1; expires=Wed, 31-Oct-2012 03:43:11 GMT; path=/
Set-Cookie: tracker=deleted; expires=Wed, 03-Aug-2011 03:43:10 GMT; path=/
Vary: Accept-Encoding
Content-Length: 1175
Content-Type: text/html

<br />
<b>Warning</b>: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in <b>/home/screenblaze/public_html/scr2.php</b> on line <b>36</b><br />
hxxp://www.stores.ebay.co.uk/id=42779777&ssPageName=L2
hxxp://www.viralBomb[.]com/cgi-bin/run.cgi?r=1731
hxxp://pal7.hypermart.net/thesecretpage1.htm
hxxp://www.toolsforthesoul[.]com
hxxp://www.virtualworlddirect[.]com/15483
hxxp://www.market4profit.net/s.cgi?doorway-033
hxxp://www.loopyland.tk
hxxp://www.ez5000[.]com/cgi-bin/view.cgi/LL2416/index.html/dbmembers.cgi/main/LL2416
hxxp://ezinfocenter[.]com/8138371/FREE
hxxp://www.libertyplusplans[.]com/stindall
hxxp://www.bsprewards[.]com
hxxp://phoenixrecommends[.]com/ibc/info.php
hxxp://hxxp;//www.quickgold.biz/?id=898
hxxp://www.affbot1[.]com/link-618993-19504-1208-17250?plan=463
hxxps://www.quickinfo247[.]com/8232376/FREE
hxxp://www.cognigen.net/bizop/?kamicka
hxxp://www.qlbr[.]com/testpage/
hxxp://amazingdiscoveries.blogspot[.]com/
hxxp://atlantis.zeekrewards[.]com
hxxp://InternetMentorship[.]com
hxxp://big_deals_at.th
1970-01-01 -3:-59:-44.601288 IP 174.143.204.60.80 > 10.0.2.15.1044: Flags [P.], seq 1654:1781, ack 234, win 65535, length 127
ecustomeradvantage[.]com
hxxp://www.waybreaker[.]com
hxxp://www.ScreenBlaze[.]com/42432
hxxp://srhbook[.]com
hxxp://bit.ly/17NKjm

1970-01-01 -3:-59:-44.601521 IP 10.0.2.15.1044 > 174.143.204.60.80: Flags [.], ack 1781, win 64240, length 0
1970-01-01 -3:-59:-44.739195 IP 10.0.2.15.1025 > 213.133.98.98.53: 54834+ A? bit.ly. (24)
1970-01-01 -3:-59:-44.742015 IP 213.133.98.98.53 > 10.0.2.15.1025: 54834 2/4/0 A 69.58.188.40, A 69.58.188.39 (142)
1970-01-01 -3:-59:-44.743199 IP 10.0.2.15.1046 > 69.58.188.40.80: Flags [S], seq 2580199435, win 64240, options [mss 1460,nop,nop,sackOK], length 0
1970-01-01 -3:-59:-44.836971 IP 69.58.188.40.80 > 10.0.2.15.1046: Flags [S.], seq 320001, ack 2580199436, win 65535, options [mss 1460], length 0
1970-01-01 -3:-59:-44.837201 IP 10.0.2.15.1046 > 69.58.188.40.80: Flags [.], ack 1, win 64240, length 0
1970-01-01 -3:-59:-44.837516 IP 10.0.2.15.1046 > 69.58.188.40.80: Flags [P.], seq 1:201, ack 1, win 64240, length 200
GET /17NKjm HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: bit.ly
Connection: Keep-Alive
1970-01-01 -3:-59:-44.837553 IP 69.58.188.40.80 > 10.0.2.15.1046: Flags [.], ack 201, win 65535, length 0
1970-01-01 -3:-59:-44.933921 IP 69.58.188.40.80 > 10.0.2.15.1046: Flags [P.], seq 1:626, ack 201, win 65535, length 625
HTTP/1.1 302 Found
Server: nginx
Date: Thu, 02 Aug 2012 03:43:12 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Set-Cookie: _bit=5019f750-0012c-06d3b-3e1cf10a;domain=.bit.ly;expires=Tue Jan 29 03:43:12 2013;path=/; HttpOnly
Cache-control: private; max-age=90
Location: hxxp://bitly[.]com/a/warning?url=hxxp%3a%2f%2flsitaf%2ecom%2fwholesale%2fsteamtown%2f&hash=17NKjm
MIME-Version: 1.0
Content-Length: 191

<html>
<head>
<title>bit.ly</title>
</head>
<body>
<a href="hxxp://bitly[.]com/a/warning?url=hxxp%3a%2f%2flsitaf%2ecom%2fwholesale%2fsteamtown%2f&amp;hash=17NKjm">moved here</a>
</body>
</html>
1970-01-01 -3:-59:-44.946929 IP 10.0.2.15.1025 > 213.133.98.98.53: 49276+ A? bitly[.]com. (27)
1970-01-01 -3:-59:-44.949954 IP 213.133.98.98.53 > 10.0.2.15.1025: 49276 2/4/0 A 69.58.188.33, A 69.58.188.34 (145)
1970-01-01 -3:-59:-44.950828 IP 10.0.2.15.1047 > 69.58.188.33.80: Flags [S], seq 485999858, win 64240, options [mss 1460,nop,nop,sackOK], length 0
1970-01-01 -3:-59:-43.044290 IP 69.58.188.33.80 > 10.0.2.15.1047: Flags [S.], seq 384001, ack 485999859, win 65535, options [mss 1460], length 0
1970-01-01 -3:-59:-43.044530 IP 10.0.2.15.1047 > 69.58.188.33.80: Flags [.], ack 1, win 64240, length 0
1970-01-01 -3:-59:-43.044814 IP 10.0.2.15.1047 > 69.58.188.33.80: Flags [P.], seq 1:276, ack 1, win 64240, length 275
GET /a/warning?url=hxxp%3a%2f%2flsitaf%2ecom%2fwholesale%2fsteamtown%2f&hash=17NKjm HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: bitly[.]com
Connection: Keep-Alive
1970-01-01 -3:-59:-43.044867 IP 69.58.188.33.80 > 10.0.2.15.1047: Flags [.], ack 276, win 65535, length 0
1970-01-01 -3:-59:-43.053904 IP 10.0.2.15.1041 > 239.255.255.250.1900: UDP, length 133
M-SEARCH * HTTP/1.1
Host:239.255.255.250:1900
ST:urn:schemas-upnp-org:device:InternetGatewayDevice:1
Man:"ssdp:discover"
MX:3
1970-01-01 -3:-59:-43.054061 IP 10.0.2.2 > 10.0.2.15: ICMP time exceeded in-transit, length 149
1970-01-01 -3:-59:-43.124287 IP 10.0.2.15.137 > 10.0.2.255.137: NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST

1970-01-01 -3:-59:-43.124719 IP 10.0.2.15.137 > 10.0.2.255.137: NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST

1970-01-01 -3:-59:-43.134058 IP 10.0.2.15.1046 > 69.58.188.40.80: Flags [.], ack 626, win 63615, length 0
1970-01-01 -3:-59:-43.159414 IP 69.58.188.33.80 > 10.0.2.15.1047: Flags [.], seq 1:1421, ack 276, win 65535, length 1420
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 02 Aug 2012 03:43:12 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Content-Length: 7076
Etag: "ebeb62bb8be294404d4217e377494ad627a6fb78"
Pragma: no-cache
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
P3P: CP="CAO PSA OUR"
Set-Cookie: anon_u=cHN1X19mYTMzYWYxZi1kNWJlLTRmODQtODI3ZS0wYTA0YjIwYjdhYmY=|1343878992|11ebaa4f160134c8c910b180a9f31b18626f3af5; expires=Fri, 02 Aug 2013 03:43:12 GMT; httponly; Path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"hxxp://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:fb="hxxp://www.facebook[.]com/2008/fbml">
<head>
<title>Warning! | There might be a problem with the requested link</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
<link rel="icon" type="image/png" href="/s/v426/graphics/favicon.png" />
<style type="text/css">
* { padding:0; margin:0; }
body {
font-family:Arial, sans-serif;
font-size:12px;
color:#333;
background:#555;
}
h1,h2,h3,h4,h5,h6,input,select,option {
font-size:12px;
font-family:Arial, sans-serif;
}
ul li { list-style:none; }
.hr { clear:both; float:none; }
.hr hr {display:none;}
a { text-decoration:none; color:#6699ff; }
a:hover { text-decoration:underline; }
.spamContainer {
width:960px;
margin:50px auto 0;
border:1px solid #ccc;
background:white;
text-align:center;
padding-bottom:20px;
}
p {
1970-01-01 -3:-59:-43.159452 IP 69.58.188.33.80 > 10.0.2.15.1047: Flags [.], seq 1421:2841, ack 276, win 65535, length 1420
padding-bottom:10px;
}
.spamWarningHeader {
background:#ccc;
text-align:center;
padding:15px;
margin-top:20px;
font-size:24px;
}
.warningHeaderText {
color:#ff0101;
text-transform:uppercase;
}
.spamWarningMessage {
font-size:16px;
padding:10px 80px;
text-align:center;
}
.spamWarningMessage p {
line-height:1.5em;
}
.spamSuggestionsBox {
width:560px;
margin:0 auto;
background:#ffc;
border:1px solid #eee;
padding:10px 10px 20px;
}
.spamSuggestionsBox h3 {
font-weight:bold;
font-size:16px;
padding-bottom:6px;
}
.spamSuggestionsBox .spamSuggestionsInnerContainer ul {
list-style-position:inside;
}
.spamSuggestionsBox .spamSuggestionsInnerContainer ul li {
list-style-type:disc;
list-style-position:inside;
}
.spamSuggestionsInnerContainer {
text-align:left;
font-size:16px;
width:380px;
margin:0 auto;
}
.spamSuggestionsInnerContainer h3 {
padding:0 0 10px 30px;
}
.spamSuggestionsInnerContainer p {
padding-top:16px;
}
.spamSuggestionsInnerContainer p a {
text-align:center;
}
.spamLearnMoreBox {
border-top:1px solid #ccc;
padding-top:15px;
text-align:left;
padding-left:10px;
}
.spamLearnMoreBox ul li {
padding-bottom:3px;
}
.spamPartnersBox {
}
.spamWarningIconBox {
padding-top:15px;
}
.spamCallToActionBox {
font-size:18px;
font-weight:bold;
}
.spamPartnersBox {
padding-top:20px;
font-size:14px;
}
.spamURLBox {
font-size:16px;
padding-top:20px;
overflow:hidden;
}
.spamURLBox p a {
font-size:12px;
}
.spamWar
1970-01-01 -3:-59:-43.159627 IP 10.0.2.15.1047 > 69.58.188.33.80: Flags [.], ack 2841, win 64240, length 0
1970-01-01 -3:-59:-43.159707 IP 69.58.188.33.80 > 10.0.2.15.1047: Flags [P.], seq 2841:2897, ack 276, win 65535, length 56
ningMessageReasonsList {
text-align:left;
padding-bottom
1970-01-01 -3:-59:-43.253092 IP 69.58.188.33.80 > 10.0.2.15.1047: Flags [.], seq 2897:4317, ack 276, win 65535, length 1420
:10px;
padding-left:10px;
}
.spamWarningMessageReasonsList li {
list-style-type:disc;
list-style-position:inside;
padding-bottom:5px;
}
</style>
</head>
<body>
<div class="spamContainer">
<div class="spamWarningIconBox"><img src="/s/v426/graphics/bitly_warning_hand.png" border="0" width"77" height="78" alt="warning, this website may harm your computer icon" /></div>
<h2 class="spamWarningHeader"><b class="warningHeaderText">Stop</b> – there might be a problem with the requested link</h2>
<div class="spamWarningMessage">
<p>The link you requested has been identified by bitly as being potentially problematic. This could be because a bitly user has reported a problem, a black-list service reported a problem, because the link has been shortened more than once, or because we have detected potentially malicious content. This may be a problem because:</p>
<ul class="spamWarningMessageReasonsList">
<li>Some URL-shorteners re-use their links, so bitly can’t guarantee the validity of this link.</li>
<li>Some URL-shorteners allow their links to be edited, so bitly can’t tell where this link will lead you.</li>
<li>Spam and malware is very often propagated by exploiting these loopholes, neither of which bitly allows for. </li>
</ul>
<p>The link you requested may contain inappropriate content, or even spam or malicious code that could be downloaded to your computer without your consent, or may be a forgery or
1970-01-01 -3:-59:-43.253133 IP 69.58.188.33.80 > 10.0.2.15.1047: Flags [.], seq 4317:5737, ack 276, win 65535, length 1420
imitation of another website, designed to trick users into sharing personal or financial information.</p>
</div>
<div class="spamSuggestionsBox">
<h3>bitly suggests that you</h3>
<div class="spamSuggestionsInnerContainer">
<ul>
<li>Change the original link, and re-shorten with bitly</li>
<li>Close your browser window</li>
<li>Notify the sender of the URL</li>
</ul>
</div>
<div class="spamURLBox">
<p> Or, continue at your own risk to<br />
<a id="clickthrough" href="hxxp://lsitaf[.]com/wholesale/steamtown/">hxxp://lsitaf[.]com/wholesale/steamtown/</a>
</p>
</div>
<div class="spamLearnMoreBox">
<ul>
<li>You can learn more about harmful content at <a href="hxxp://www.StopBadware.org/" target="_new">www.StopBadware.org</a></li>
<li>You can find out more about phishing from <a href="hxxp://www.antiphishing.org/" target="_new">www.antiphishing.org</a></li>
<li>For more information or to report a false positive please contact <a href="mailto:support@bitly[.]com?body=More information on hxxp://bit.ly/17NKjm as spam">support@bitly[.]com</a></li>
</ul>
</div>
</div>
<!-- <div class="spamPartnersBox">
<p>bitly works with world-class partners to protect our users from spam and malware, including:</p>
</div> -->
<div class="spamPartnersBox">
<p>Read more about bitly's spam and antiphishing partners <a href="hxxp://blog.bit.ly/post/263859706/spam-and-malware-protection">here</a></p>
</div>
<div class="spamCallToActionB
1970-01-01 -3:-59:-43.253254 IP 10.0.2.15.1047 > 69.58.188.33.80: Flags [.], ack 4317, win 64240, length 0
1970-01-01 -3:-59:-43.253338 IP 69.58.188.33.80 > 10.0.2.15.1047: Flags [.], seq 5737:7157, ack 276, win 65535, length 1420
ox">
<p>Publish with <a href="hxxp://bit.ly">bitly</a> and protect your links</p>
</div>
</div>
<script type="text/javascript">
// utils
function addEvent( obj, type, fn ) {
return obj.attachEvent ? obj.attachEvent( 'on'+type, fn ) : obj.addEventListener( type, fn, false );
}
function removeEvent( obj, type, fn ) {
return obj.detachEvent ? obj.detachEvent( 'on'+type, fn ) : obj.removeEventListener( type, fn, false );
}
</script>
<script type="text/javascript">
try {
var gaJsHost = (("hxxps:" == document.location.protocol) ? "hxxps://ssl." : "hxxp://www.");
document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics[.]com/ga.js' type='text/javascript'%3E%3C/script%3E"));
}catch(e){};
</script>
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-25224921-3");
pageTracker._trackPageview();
}catch(e){};
(function() {
var category = "spam:warning_page",
state = 0;
function trackHover(e) {
try {
state = 1;
pageTracker._trackEvent(category, "Spam interstitial link hovered.");
removeEvent(document.getElementById("clickthrough"), "mouseover", trackHover);
} catch(ex) {}
}
function trackClick(e) {
try {
state = 2
pageTracker._trackEvent(category, "Spam interstitial link clicked.");
removeEvent(document.getElementById("clickthrough"), "click", trackClick);
} catch(ex) {}
}
function trackUnload(e) {
try {
pageTracker._trackEvent(category, "Spam interstitial page unload stat
1970-01-01 -3:-59:-43.253351 IP 69.58.188.33.80 > 10.0.2.15.1047: Flags [P.], seq 7157:7574, ack 276, win 65535, length 417
e: " + state);
removeEvent(window, "beforeunload", trackUnload);
} catch(ex) {}
}
try {
if(pageTracker) {
pageTracker._trackEvent(category, "Spam interstitial page load.");
addEvent(document.getElementById("clickthrough"), "mouseover", trackHover);
addEvent(document.getElementById("clickthrough"), "click", trackClick);
addEvent(window, "beforeunload", trackUnload);
}
} catch(ex) {}
})();
</script>
</body>
</html>

1970-01-01 -3:-59:-43.253422 IP 10.0.2.15.1047 > 69.58.188.33.80: Flags [.], ack 7157, win 64240, length 0
1970-01-01 -3:-59:-43.255478 IP 10.0.2.15.1047 > 69.58.188.33.80: Flags [P.], seq 276:742, ack 7574, win 63823, length 466
GET /s/v426/graphics/bitly_warning_hand.png HTTP/1.1
Accept: */*
Referer: hxxp://bitly[.]com/a/warning?url=hxxp%3a%2f%2flsitaf%2ecom%2fwholesale%2fsteamtown%2f&hash=17NKjm
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: bitly[.]com
Connection: Keep-Alive
Cookie: anon_u=cHN1X19mYTMzYWYxZi1kNWJlLTRmODQtODI3ZS0wYTA0YjIwYjdhYmY=|1343878992|11ebaa4f160134c8c910b180a9f31b18626f3af5
1970-01-01 -3:-59:-43.255611 IP 69.58.188.33.80 > 10.0.2.15.1047: Flags [.], ack 742, win 65535, length 0
1970-01-01 -3:-59:-43.408942 IP 69.58.188.33.80 > 10.0.2.15.1047: Flags [.], seq 7574:8994, ack 742, win 65535, length 1420
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 02 Aug 2012 03:43:12 GMT
Content-Type: image/png
Connection: keep-alive
Content-Length: 2496
Expires: Sun, 31 Jul 2022 03:43:12 GMT
Last-Modified: Tue, 10 Jul 2012 19:31:31 GMT
Etag: "b6b83f51c2ecbe118193eb84f7ca8fddac79fa1a"
Cache-Control: public, max-age=315360000
