Ramnit Sneaky DNS Exfiltrating Credential Stealing Malware – Using MSN as TTP and Hundreds of crafted domain names

June 19, 2015

2011-07-30 00:09:33.828441 IP 172.29.0.116.1026 > 68.87.73.246.53: 13898+ A? google[.]com. (28)
2011-07-30 00:09:33.857089 IP 68.87.73.246.53 > 172.29.0.116.1026: 13898 6/0/0 A 74.125.113.105, A 74.125.113.104, A 74.125.113.106, A 74.125.113.103, A 74.125.113.147, A 74.125.113.99 (124)
2011-07-30 00:09:33.857945 IP 172.29.0.116.1487 > 74.125.113.105.80: Flags [S], seq 4276131041, win 64240, options [mss 1460,nop,nop,sackOK], length 0
2011-07-30 00:09:33.890833 IP 74.125.113.105.80 > 172.29.0.116.1487: Flags [S.], seq 1630166197, ack 4276131042, win 5720, options [mss 1430,nop,nop,sackOK], length 0
2011-07-30 00:09:33.890904 IP 172.29.0.116.1487 > 74.125.113.105.80: Flags [.], ack 1, win 64240, length 0
2011-07-30 00:09:35.819679 IP 172.29.0.116.1026 > 68.87.73.246.53: 23951+ A? star-trakers[.]com. (34)
2011-07-30 00:09:35.899406 IP 68.87.73.246.53 > 172.29.0.116.1026: 23951 1/0/0 A 207.223.0.140 (50)
2011-07-30 00:09:35.899748 IP 172.29.0.116.1488 > 207.223.0.140.443: Flags [S], seq 867836568, win 64240, options [mss 1460,nop,nop,sackOK], length 0
2011-07-30 00:09:38.820452 IP 172.29.0.116.1488 > 207.223.0.140.443: Flags [S], seq 867836568, win 64240, options [mss 1460,nop,nop,sackOK], length 0
2011-07-30 00:09:44.728939 IP 172.29.0.116.1488 > 207.223.0.140.443: Flags [S], seq 867836568, win 64240, options [mss 1460,nop,nop,sackOK], length 0
2011-07-30 00:09:45.901035 IP 172.29.0.116.1026 > 68.87.73.246.53: 10515+ A? star-trakers[.]com. (34)
2011-07-30 00:09:45.934019 IP 68.87.73.246.53 > 172.29.0.116.1026: 10515 1/0/0 A 207.223.0.140 (50)
2011-07-30 00:09:45.934377 IP 172.29.0.116.1489 > 207.223.0.140.443: Flags [S], seq 1010670280, win 64240, options [mss 1460,nop,nop,sackOK], length 0
2011-07-30 00:09:48.934987 IP 172.29.0.116.1489 > 207.223.0.140.443: Flags [S], seq 1010670280, win 64240, options [mss 1460,nop,nop,sackOK], length 0
2011-07-30 00:09:54.943623 IP 172.29.0.116.1489 > 207.223.0.140.443: Flags [S], seq 1010670280, win 64240, options [mss 1460,nop,nop,sackOK], length 0
2011-07-30 00:09:55.936411 IP 172.29.0.116.1026 > 68.87.73.246.53: 23649+ A? ufxsqnjtryrny[.]com. (35)
2011-07-30 00:09:55.937814 IP 172.29.0.116.1491 > 68.87.73.246.53: 45333+ A? stleikxkbjwo[.]com. (34)
2011-07-30 00:09:55.938104 IP 172.29.0.116.1490 > 68.87.73.246.53: 54629+ A? lrqxvrqsihwtudox[.]com. (38)
2011-07-30 00:09:55.939051 IP 172.29.0.116.1492 > 68.87.73.246.53: 22222+ A? eeuprbpohspwje[.]com. (36)
2011-07-30 00:09:55.939339 IP 172.29.0.116.1493 > 68.87.73.246.53: 57609+ A? tlxfrilp[.]com. (30)
2011-07-30 00:09:55.940121 IP 172.29.0.116.1494 > 68.87.73.246.53: 8187+ A? itehtxcch[.]com. (31)
2011-07-30 00:09:55.940689 IP 172.29.0.116.1496 > 68.87.73.246.53: 46658+ A? ovgucbrrvxqufkwq[.]com. (38)
2011-07-30 00:09:55.940960 IP 172.29.0.116.1495 > 68.87.73.246.53: 12188+ A? snkbcptiqgqmlvw[.]com. (37)
2011-07-30 00:09:55.941454 IP 172.29.0.116.1497 > 68.87.73.246.53: 30414+ A? rykgnuncbedueeuevxg[.]com. (41)
2011-07-30 00:09:55.941788 IP 172.29.0.116.1498 > 68.87.73.246.53: 48158+ A? yssrqxyljwrioko[.]com. (37)
2011-07-30 00:09:55.952799 IP 68.87.73.246.53 > 172.29.0.116.1490: 54629 NXDomain 0/1/0 (111)
2011-07-30 00:09:55.952998 IP 172.29.0.116.1490 > 68.87.73.246.53: 18949+ A? lrqxvrqsihwtudox[.]com.hsd1.va[.]comcast.net. (58)
2011-07-30 00:09:55.958811 IP 68.87.73.246.53 > 172.29.0.116.1491: 45333 NXDomain 0/1/0 (107)
2011-07-30 00:09:55.959063 IP 172.29.0.116.1491 > 68.87.73.246.53: 42677+ A? stleikxkbjwo[.]com.hsd1.va[.]comcast.net. (54)
2011-07-30 00:09:55.980955 IP 68.87.73.246.53 > 172.29.0.116.1490: 18949 NXDomain 0/1/0 (138)
2011-07-30 00:09:55.984981 IP 68.87.73.246.53 > 172.29.0.116.1491: 42677 NXDomain 0/1/0 (134)
2011-07-30 00:09:56.021599 IP 68.87.73.246.53 > 172.29.0.116.1026: 23649 NXDomain 0/1/0 (108)
2011-07-30 00:09:56.021777 IP 172.29.0.116.1490 > 68.87.73.246.53: 32871+ A? ufxsqnjtryrny[.]com.hsd1.va[.]comcast.net. (55)
2011-07-30 00:09:56.042240 IP 172.29.0.116.1496 > 68.87.73.246.53: 3548+ A? ovgucbrrvxqufkwq[.]com.hsd1.va[.]comcast.net. (58)
2011-07-30 00:09:56.046375 IP 68.87.73.246.53 > 172.29.0.116.1490: 32871 NXDomain 0/1/0 (135)
2011-07-30 00:09:56.054693 IP 68.87.73.246.53 > 172.29.0.116.1497: 58106 NXDomain 0/1/0 (141)
2011-07-30 00:09:56.062427 IP 68.87.73.246.53 > 172.29.0.116.1498: 54018 NXDomain 0/1/0 (137)
2011-07-30 00:09:56.066425 IP 68.87.73.246.53 > 172.29.0.116.1493: 32634 NXDomain 0/1/0 (130)
2011-07-30 00:09:56.066801 IP 172.29.0.116.137 > 172.29.0.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
2011-07-30 00:09:56.067037 IP 68.87.73.246.53 > 172.29.0.116.1496: 3548 NXDomain 0/1/0 (138)
2011-07-30 00:09:56.168194 IP 68.87.73.246.53 > 172.29.0.116.1495: 12188 0/1/0 (105)
2011-07-30 00:09:56.168423 IP 172.29.0.116.1490 > 68.87.73.246.53: 4051+ A? snkbcptiqgqmlvw[.]com.hsd1.va[.]comcast.net. (57)
2011-07-30 00:09:56.183505 IP 68.87.73.246.53 > 172.29.0.116.1492: 22222 1/0/0 A 176.31.62.76 (52)
2011-07-30 00:09:56.183809 IP 172.29.0.116.1499 > 176.31.62.76.443: Flags [S], seq 3503633909, win 64240, options [mss 1460,nop,nop,sackOK], length 0
2011-07-30 00:09:56.188616 IP 68.87.73.246.53 > 172.29.0.116.1494: 8187 1/0/0 A 176.31.62.76 (47)
2011-07-30 00:09:56.188857 IP 172.29.0.116.1500 > 176.31.62.76.443: Flags [S], seq 2279586642, win 64240, options [mss 1460,nop,nop,sackOK], length 0
2011-07-30 00:09:56.191319 IP 68.87.73.246.53 > 172.29.0.116.1490: 4051 NXDomain 0/1/0 (137)
2011-07-30 00:09:56.285796 IP 176.31.62.76.443 > 172.29.0.116.1499: Flags [S.], seq 2172809880, ack 3503633910, win 5840, options [mss 1460,nop,nop,sackOK], length 0
2011-07-30 00:09:56.285829 IP 172.29.0.116.1499 > 176.31.62.76.443: Flags [.], ack 1, win 64240, length 0
2011-07-30 00:09:56.286214 IP 172.29.0.116.1499 > 176.31.62.76.443: Flags [P.], seq 1:7, ack 1, win 64240, length 6
2011-07-30 00:09:56.302542 IP 176.31.62.76.443 > 172.29.0.116.1500: Flags [S.], seq 2165460878, ack 2279586643, win 5840, options [mss 1460,nop,nop,sackOK], length 0
2011-07-30 00:09:56.302568 IP 172.29.0.116.1500 > 176.31.62.76.443: Flags [.], ack 1, win 64240, length 0
2011-07-30 00:09:56.302888 IP 172.29.0.116.1500 > 176.31.62.76.443: Flags [P.], seq 1:7, ack 1, win 64240, length 6
2011-07-30 00:09:56.457898 IP 176.31.62.76.443 > 172.29.0.116.1499: Flags [.], ack 7, win 5840, length 0
2011-07-30 00:09:56.457995 IP 172.29.0.116.1499 > 176.31.62.76.443: Flags [P.], seq 7:82, ack 1, win 64240, length 75
2011-07-30 00:09:56.458604 IP 176.31.62.76.443 > 172.29.0.116.1499: Flags [F.], seq 1, ack 7, win 5840, length 0
2011-07-30 00:09:56.458632 IP 172.29.0.116.1499 > 176.31.62.76.443: Flags [.], ack 2, win 64240, length 0
2011-07-30 00:09:56.458908 IP 172.29.0.116.1499 > 176.31.62.76.443: Flags [F.], seq 82, ack 2, win 64240, length 0
2011-07-30 00:09:56.473686 IP 176.31.62.76.443 > 172.29.0.116.1500: Flags [.], ack 7, win 5840, length 0
2011-07-30 00:09:56.473719 IP 172.29.0.116.1500 > 176.31.62.76.443: Flags [P.], seq 7:82, ack 1, win 64240, length 75
2011-07-30 00:09:56.473941 IP 176.31.62.76.443 > 172.29.0.116.1500: Flags [F.], seq 1, ack 7, win 5840, length 0
2011-07-30 00:09:56.476071 IP 172.29.0.116.1492 > 68.87.73.246.53: 24878+ A? bunxomdqokknkkllvkr[.]com. (41)
2011-07-30 00:09:56.486033 IP 172.29.0.116.1491 > 68.87.73.246.53: 64968+ A? xioyjfiguiuluff[.]com. (37)
2011-07-30 00:09:56.498204 IP 68.87.73.246.53 > 172.29.0.116.1492: 24878 NXDomain 0/1/0 (114)
2011-07-30 00:09:56.498373 IP 172.29.0.116.1492 > 68.87.73.246.53: 35434+ A? bunxomdqokknkkllvkr[.]com.hsd1.va[.]comcast.net. (61)
2011-07-30 00:09:56.543946 IP 68.87.73.246.53 > 172.29.0.116.1492: 35434 NXDomain 0/1/0 (141)
2011-07-30 00:09:56.546108 IP 172.29.0.116.1492 > 68.87.73.246.53: 26125+ A? elieidkolpc[.]com. (33)
2011-07-30 00:09:56.546572 IP 172.29.0.116.1026 > 68.87.73.246.53: 42911+ A? wbjatshumpre[.]com. (34)
2011-07-30 00:09:56.556174 IP 172.29.0.116.1497 > 68.87.73.246.53: 58918+ A? oluddrbaeb[.]com. (32)
2011-07-30 00:09:56.562079 IP 176.31.62.76.443 > 172.29.0.116.1499: Flags [.], ack 7, win 5840, options [nop,nop,sack 1 {82:83}], length 0
2011-07-30 00:09:56.562103 IP 172.29.0.116.1499 > 176.31.62.76.443: Flags [P.], seq 7:82, ack 2, win 64240, length 75
2011-07-30 00:09:56.562188 IP 176.31.62.76.443 > 172.29.0.116.1499: Flags [.], ack 83, win 5840, options [nop,nop,sack 1 {82:83}], length 0
2011-07-30 00:09:56.565084 IP 68.87.73.246.53 > 172.29.0.116.1491: 64968 NXDomain 0/1/0 (110)
2011-07-30 00:09:56.565252 IP 172.29.0.116.1491 > 68.87.73.246.53: 13105+ A? xioyjfiguiuluff[.]com.hsd1.va[.]comcast.net. (57)
2011-07-30 00:09:56.565455 IP 68.87.73.246.53 > 172.29.0.116.1492: 26125 NXDomain 0/1/0 (106)
2011-07-30 00:09:56.565619 IP 172.29.0.116.1492 > 68.87.73.246.53: 39642+ A? elieidkolpc[.]com.hsd1.va[.]comcast.net. (53)
2011-07-30 00:09:56.566126 IP 172.29.0.116.1498 > 68.87.73.246.53: 52532+ A? idseneqmupdijjklvtm[.]com. (41)
2011-07-30 00:09:56.575141 IP 68.87.73.246.53 > 172.29.0.116.1497: 58918 NXDomain 0/1/0 (105)
2011-07-30 00:09:56.575306 IP 172.29.0.116.1497 > 68.87.73.246.53: 22213+ A? oluddrbaeb[.]com.hsd1.va[.]comcast.net. (52)
2011-07-30 00:09:56.586310 IP 68.87.73.246.53 > 172.29.0.116.1492: 39642 NXDomain 0/1/0 (133)
2011-07-30 00:09:56.586481 IP 172.29.0.116.137 > 172.29.0.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
2011-07-30 00:09:56.587847 IP 176.31.62.76.443 > 172.29.0.116.1500: Flags [.], ack 7, win 5840, options [nop,nop,sack 1 {82:83}], length 0
2011-07-30 00:09:56.587915 IP 172.29.0.116.1500 > 176.31.62.76.443: Flags [P.], seq 7:82, ack 2, win 64240, length 75
2011-07-30 00:09:56.588116 IP 176.31.62.76.443 > 172.29.0.116.1500: Flags [.], ack 83, win 5840, options [nop,nop,sack 1 {82:83}], length 0
2011-07-30 00:09:56.589052 IP 68.87.73.246.53 > 172.29.0.116.1491: 13105 NXDomain 0/1/0 (137)
2011-07-30 00:09:56.596266 IP 68.87.73.246.53 > 172.29.0.116.1497: 22213 NXDomain 0/1/0 (132)
2011-07-30 00:09:56.596464 IP 172.29.0.116.137 > 172.29.0.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
2011-07-30 00:09:56.642963 IP 68.87.73.246.53 > 172.29.0.116.1026: 42911 1/0/0 A 207.223.0.140 (50)
2011-07-30 00:09:56.643224 IP 172.29.0.116.1501 > 207.223.0.140.443: Flags [S], seq 2111694420, win 64240, options [mss 1460,nop,nop,sackOK], length 0
2011-07-30 00:09:56.664858 IP 68.87.73.246.53 > 172.29.0.116.1498: 52532 NXDomain 0/1/0 (114)
2011-07-30 00:09:58.389409 IP 68.87.73.246.53 > 172.29.0.116.1491: 61379 1/0/0 A 207.223.0.140 (48)
2011-07-30 00:09:58.389695 IP 172.29.0.116.1503 > 207.223.0.140.443: Flags [S], seq 3457109475, win 64240, options [mss 1460,nop,nop,sackOK], length 0
2011-07-30 00:09:58.629262 IP 172.29.0.116.1492 > 68.87.73.246.53: 46225+ A? qpvvabbaqcn[.]com. (33)
2011-07-30 00:09:58.718666 IP 68.87.73.246.53 > 172.29.0.116.1492: 46225 NXDomain 0/1/0 (106)
2011-07-30 00:09:58.718880 IP 172.29.0.116.1492 > 68.87.73.246.53: 64555+ A? qpvvabbaqcn[.]com.hsd1.va[.]comcast.net. (53)
2011-07-30 00:09:58.744096 IP 68.87.73.246.53 > 172.29.0.116.1492: 64555 NXDomain 0/1/0 (133)
2011-07-30 00:09:58.744310 IP 172.29.0.116.137 > 172.29.0.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
2011-07-30 00:09:58.819843 IP 172.29.0.116.1492 > 68.87.73.246.53: 17513+ A? ttjerkrdrrowibsipjr[.]com. (41)
2011-07-30 00:09:58.829471 IP 172.29.0.116.1491 > 68.87.73.246.53: 40539+ A? nrcmbkxssydac[.]com. (35)
2011-07-30 00:09:58.900864 IP 68.87.73.246.53 > 172.29.0.116.1491: 40539 NXDomain 0/1/0 (108)
2011-07-30 00:09:58.901066 IP 172.29.0.116.1491 > 68.87.73.246.53: 12229+ A? nrcmbkxssydac[.]com.hsd1.va[.]comcast.net. (55)
2011-07-30 00:09:58.912507 IP 68.87.73.246.53 > 172.29.0.116.1492: 17513 1/0/0 A 207.223.0.140 (57)
2011-07-30 00:09:58.912809 IP 172.29.0.116.1504 > 207.223.0.140.443: Flags [S], seq 3598274810, win 64240, options [mss 1460,nop,nop,sackOK], length 0
2011-07-30 00:09:58.939240 IP 68.87.73.246.53 > 172.29.0.116.1491: 12229 NXDomain 0/1/0 (135)
2011-07-30 00:09:58.989453 IP 172.29.0.116.137 > 172.29.0.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
2011-07-30 00:09:59.119629 IP 172.29.0.116.137 > 172.29.0.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
2011-07-30 00:09:59.340282 IP 172.29.0.116.1492 > 68.87.73.246.53: 62819+ A? ghxctletck[.]com. (32)
2011-07-30 00:09:59.350164 IP 172.29.0.116.1491 > 68.87.73.246.53: 36140+ A? fybdqchsheqiul[.]com. (36)
2011-07-30 00:09:59.406199 IP 68.87.73.246.53 > 172.29.0.116.1491: 36140 1/0/0 A 207.223.0.140 (52)
2011-07-30 00:09:59.406503 IP 172.29.0.116.1505 > 207.223.0.140.443: Flags [S], seq 2982375298, win 64240, options [mss 1460,nop,nop,sackOK], length 0
2011-07-30 00:09:59.440395 IP 172.29.0.116.1491 > 68.87.73.246.53: 13155+ A? kojadineqlbbfvtwlff[.]com. (41)
2011-07-30 00:09:59.445174 IP 68.87.73.246.53 > 172.29.0.116.1492: 62819 NXDomain 0/1/0 (105)
2011-07-30 00:09:59.445355 IP 172.29.0.116.1492 > 68.87.73.246.53: 20746+ A? ghxctletck[.]com.hsd1.va[.]comcast.net. (52)
2011-07-30 00:09:59.490161 IP 172.29.0.116.137 > 172.29.0.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
2011-07-30 00:09:59.524209 IP 68.87.73.246.53 > 172.29.0.116.1491: 13155 1/0/0 A 207.223.0.140 (57)
2011-07-30 00:09:59.524526 IP 172.29.0.116.1506 > 207.223.0.140.443: Flags [S], seq 3072224390, win 64240, options [mss 1460,nop,nop,sackOK], length 0
2011-07-30 00:09:59.539897 IP 68.87.73.246.53 > 172.29.0.116.1492: 20746 NXDomain 0/1/0 (132)
2011-07-30 00:10:07.422730 IP 68.87.73.246.53 > 172.29.0.116.1491: 54902 NXDomain 0/1/0 (130)
2011-07-30 00:10:07.422918 IP 172.29.0.116.137 > 172.29.0.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
2011-07-30 00:10:07.426631 IP 68.87.73.246.53 > 172.29.0.116.1492: 36983 1/0/0 A 207.223.0.140 (55)
2011-07-30 00:10:07.426892 IP 172.29.0.116.1508 > 207.223.0.140.443: Flags [S], seq 1450960939, win 64240, options [mss 1460,nop,nop,sackOK], length 0
2011-07-30 00:10:07.488274 IP 68.87.73.246.53 > 172.29.0.116.1497: 35992 1/0/0 A 207.223.0.140 (48)
2011-07-30 00:10:07.489654 IP 172.29.0.116.1509 > 207.223.0.140.443: Flags [S], seq 3191752609, win 64240, options [mss 1460,nop,nop,sackOK], length 0
2011-07-30 00:10:07.622386 IP 172.29.0.116.1491 > 68.87.73.246.53: 58101+ A? fiblolpp[.]com. (30)
2011-07-30 00:10:07.640154 IP 68.87.73.246.53 > 172.29.0.116.1491: 58101 NXDomain 0/1/0 (103)
2011-07-30 00:10:07.640330 IP 172.29.0.116.1491 > 68.87.73.246.53: 34977+ A? fiblolpp[.]com.hsd1.va[.]comcast.net. (50)
2011-07-30 00:10:07.679709 IP 68.87.73.246.53 > 172.29.0.116.1491: 34977 NXDomain 0/1/0 (130)
2011-07-30 00:10:07.679916 IP 172.29.0.116.137 > 172.29.0.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
2011-07-30 00:10:07.862209 IP 172.29.0.116.1504 > 207.223.0.140.443: Flags [S], seq 3598274810, win 64240, options [mss 1460,nop,nop,sackOK], length 0
2011-07-30 00:10:07.952326 IP 172.29.0.116.137 > 172.29.0.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
2011-07-30 00:10:08.172649 IP 172.29.0.116.137 > 172.29.0.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
2011-07-30 00:10:08.362919 IP 172.29.0.116.1505 > 207.223.0.140.443: Flags [S], seq 2982375298, win 64240, options [mss 1460,nop,nop,sackOK], length 0
2011-07-30 00:10:08.423001 IP 172.29.0.116.137 > 172.29.0.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
2011-07-30 00:10:08.463060 IP 172.29.0.116.1506 > 207.223.0.140.443: Flags [S], seq 3072224390, win 64240, options [mss 1460,nop,nop,sackOK], length 0
2011-07-30 00:10:08.703410 IP 172.29.0.116.137 > 172.29.0.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
2011-07-30 00:10:08.894009 IP 172.29.0.116.1491 > 68.87.73.246.53: 3708+ A? nwoyejym[.]com. (30)
2011-07-30 00:10:08.923930 IP 172.29.0.116.137 > 172.29.0.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
2011-07-30 00:10:08.985323 IP 68.87.73.246.53 > 172.29.0.116.1491: 3708 NXDomain 0/1/0 (103)
2011-07-30 00:10:08.985535 IP 172.29.0.116.1491 > 68.87.73.246.53: 22001+ A? nwoyejym[.]com.hsd1.va[.]comcast.net. (50)
2011-07-30 00:10:09.012508 IP 68.87.73.246.53 > 172.29.0.116.1491: 22001 NXDomain 0/1/0 (130)
2011-07-30 00:10:09.012829 IP 172.29.0.116.137 > 172.29.0.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
2011-07-30 00:10:09.174086 IP 172.29.0.116.137 > 172.29.0.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
2011-07-30 00:10:09.414743 IP 172.29.0.116.1491 > 68.87.73.246.53: 36531+ A? cascotqhij[.]com. (32)
2011-07-30 00:10:46.858261 IP 172.29.0.116.137 > 172.29.0.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
2011-07-30 00:10:46.893858 IP 68.87.73.246.53 > 172.29.0.116.1491: 26233 NXDomain 0/1/0 (106)
2011-07-30 00:10:46.893998 IP 172.29.0.116.1491 > 68.87.73.246.53: 50006+ A? pfkilgedjhq[.]com.hsd1.va[.]comcast.net. (53)
2011-07-30 00:10:46.918660 IP 68.87.73.246.53 > 172.29.0.116.1491: 50006 NXDomain 0/1/0 (133)
2011-07-30 00:10:46.918865 IP 172.29.0.116.137 > 172.29.0.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
2011-07-30 00:10:47.249175 IP 172.29.0.116.1491 > 68.87.73.246.53: 27256+ A? djeuagtquwwhera[.]com. (37)
2011-07-30 00:10:47.281374 IP 68.87.73.246.53 > 172.29.0.116.1491: 27256 1/0/0 A 207.223.0.140 (53)
2011-07-30 00:10:47.281656 IP 172.29.0.116.1538 > 207.223.0.140.443: Flags [S], seq 4047941810, win 64240, options [mss 1460,nop,nop,sackOK], length 0
2011-07-30 00:10:47.499186 IP 172.29.0.116.137 > 172.29.0.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
2011-07-30 00:10:47.669442 IP 172.29.0.116.137 > 172.29.0.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
2011-07-30 00:10:48.110327 IP 172.29.0.116.1491 > 68.87.73.246.53: 50772+ A? rfngjynkypsphqfmkh[.]com. (40)
2011-07-30 00:10:48.232197 IP 68.87.73.246.53 > 172.29.0.116.1491: 50772 NXDomain 0/1/0 (113)
2011-07-30 00:10:48.232393 IP 172.29.0.116.1491 > 68.87.73.246.53: 9513+ A? rfngjynkypsphqfmkh[.]com.hsd1.va[.]comcast.net. (60)
2011-07-30 00:10:48.250259 IP 172.29.0.116.137 > 172.29.0.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
2011-07-30 00:10:48.257115 IP 68.87.73.246.53 > 172.29.0.116.1491: 9513 NXDomain 0/1/0 (140)
2011-07-30 00:10:48.351249 IP 172.29.0.116.1491 > 68.87.73.246.53: 1317+ A? ckgryagcibbcf[.]com. (35)
2011-07-30 00:10:48.420492 IP 68.87.73.246.53 > 172.29.0.116.1491: 1317 NXDomain 0/1/0 (108)
2011-07-30 00:10:48.420581 IP 172.29.0.116.137 > 172.29.0.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
2011-07-30 00:10:48.420901 IP 172.29.0.116.1491 > 68.87.73.246.53: 30457+ A? ckgryagcibbcf[.]com.hsd1.va[.]comcast.net. (55)
2011-07-30 00:10:48.447786 IP 68.87.73.246.53 > 172.29.0.116.1491: 30457 NXDomain 0/1/0 (135)
2011-07-30 00:10:48.520655 IP 172.29.0.116.1537 > 207.223.0.140.443: Flags [S], seq 1313647404, win 64240, options [mss 1460,nop,nop,sackOK], length 0
2011-07-30 00:10:48.751210 IP 172.29.0.116.1491 > 68.87.73.246.53: 32371+ A? jnpquwdupgauq[.]com. (35)
2011-07-30 00:10:48.790740 IP 68.87.73.246.53 > 172.29.0.116.1491: 32371 NXDomain 0/1/0 (108)
2011-07-30 00:10:48.790894 IP 172.29.0.116.1491 > 68.87.73.246.53: 10485+ A? jnpquwdupgauq[.]com.hsd1.va[.]comcast.net. (55)
2011-07-30 00:10:48.816144 IP 68.87.73.246.53 > 172.29.0.116.1491: 10485 NXDomain 0/1/0 (135)
2011-07-30 00:10:48.941483 IP 172.29.0.116.1491 > 68.87.73.246.53: 29468+ A? gsbwxfecgbmuysm[.]com. (37)
2011-07-30 00:10:48.963685 IP 68.87.73.246.53 > 172.29.0.116.1491: 29468 NXDomain 0/1/0 (110)
2011-07-30 00:10:48.963807 IP 172.29.0.116.1491 > 68.87.73.246.53: 53855+ A? gsbwxfecgbmuysm[.]com.hsd1.va[.]comcast.net. (57)
2011-07-30 00:10:48.987112 IP 68.87.73.246.53 > 172.29.0.116.1491: 53855 NXDomain 0/1/0 (137)

2011-07-30 00:13:49.776172 IP 172.29.0.116.1812 > 65.54.80.177.80: Flags [P.], seq 1:295, ack 1, win 64240, length 294
GET /br/sc/css/37/ec9da238a81ebb4538a1a066dfdaec.css HTTP/1.1
Accept: */*
Referer: http://www.msn[.]com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1)
Host: col.stc.s-msn[.]com
Connection: Keep-Alive
2011-07-30 00:13:49.797000 IP 65.54.80.177.80 > 172.29.0.116.1813: Flags [S.], seq 1806258020, ack 2867331759, win 65535, options [mss 1460,sackOK,eol], length 0
2011-07-30 00:13:49.801891 IP 172.29.0.116.1813 > 65.54.80.177.80: Flags [.], ack 1, win 64240, length 0
E..(5M@….
…tA6P….P….k.OeP….`..
2011-07-30 00:13:49.802053 IP 65.54.80.177.80 > 172.29.0.116.1812: Flags [.], seq 1:1461, ack 295, win 65535, length 1460
E ….@.7…A6P….t.P..!.kl.4.#P… j..HTTP/1.1 200 OK
Cache-Control: max-age=31536000
Content-Type: text/css
Content-Encoding: gzip
Accept-Ranges: bytes
ETag: "08e3060d1b9cc1:0",
Vary: Accept-Encoding
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Server: co1mppstca02
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
Content-Length: 1252
Age: 291870
Date: Sat, 07 Jan 2012 04:28:50 GMT
Last-Modified: Tue, 13 Dec 2011 19:57:00 GMT
Expires: Wed, 02 Jan 2013 19:24:20 GMT
Connection: keep-alive

………..WK..8…”……j7..U…..i$Q.j.’…i.0..%p……S……C.#……u.’..T……K_..~….[f………,.!….m..I..Z=J.X6\7^4.l..:.,…..lv^……8n.B..%.A……w…….G).i……a2P…..>s. .yt.j..\..6%.>.Y…<@6….I.a..|.EooJdcZO.=…)1../(i!..M..3[&.U.*.<a.ae)..`D.7..B.R..qZ…….E.. .t…
T.1+..=.h.-..c……`..?>E……….Q…f)a…U…j &]..r@d}..J3.7.?g.+..y..R..7Q.+.(..)..RSh.!.Cn…)`r.6J.Bn.C6.).`..0..Z;..d.#..n..9^.v“S.. e…E…….y..E8.~.dS….^/..jl.c..I.R…..$…….U…xA-vSB.Z…Uo\_b!Og…R7….~F
.!.n..].>…c.8#.r……..c..bx..|O..+…C…%%.H..96I.8.t.J.gy.o.Mu.%….”M..y.`….Q.+…….U.7….W2.CtZ..-.E..z..=.0..!…{…P.>..O?.C.bb.x)…^I/v.0..bP4.vS..i.M….P……..R…….L*h. .X…p.GH …Rec…4…SM’h.g…|G..M.(.Ih….H4.2*………{..I….Fx..Y..”….}W0~.Z………..G.e……….5..k….v..>….9V…..].u…I._.p.k.X!T..=I..f..t……-…$…….b.x..hJ.L.Y..eb….4.0
.~….rx{9.#.xNG..g.0.c..I.H..U.&N(..^……..%{l.B
2011-07-30 00:13:49.802076 IP 65.54.80.177.80 > 172.29.0.116.1812: Flags [P.], seq 1461:1735, ack 295, win 65535, length 274
E .:..@.7…A6P….t.P..!.q .4.#P…G….+kW.’..U….Q…;.k|…”‘..,….x;z”
i..t./……A_…-.I..u.g……..5.ZA….Ic…dU{;.|..{YZ…..8…U……..V.p;….9.=……Q..n…..vC….[x<._.P<……+…61…..l…
.$..p……+.m..+.V\.p…1..5.U:..=\……?.S…..y..a……]1..5.?…`(..{<V.E.XYi.=8.
………..
2011-07-30 00:13:49.802096 IP 172.29.0.116.1812 > 65.54.80.177.80: Flags [.], ack 1735, win 64240, length 0
E..(5N@…. …tA6P….P.4.#!.r2P…di..
2011-07-30 00:13:49.802362 IP 172.29.0.116.1813 > 65.54.80.177.80: Flags [P.], seq 1:295, ack 1, win 64240, length 294
E..N5O@……..tA6P….P….k.OeP…9K..GET /br/sc/css/de/02208d211b3366ebb915d602e70ebf.css HTTP/1.1
Accept: */*
Referer: http://www.msn[.]com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1)
Host: col.stc.s-msn[.]com
Connection: Keep-Alive
2011-07-30 00:13:49.803600 IP 172.29.0.116.1812 > 65.54.80.177.80: Flags [P.], seq 295:589, ack 1735, win 64240, length 294
E..N5Q@……..tA6P….P.4.#!.r2P…J…GET /br/sc/css/6d/df1d7d61446cec7602dc18f98fe3fd.css HTTP/1.1
Accept: */*
Referer: http://www.msn[.]com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1)
Host: col.stc.s-msn[.]com
Connection: Keep-Alive

2011-07-30 00:13:50.705175 IP 172.29.0.116.1825 > 65.54.81.218.80: Flags [P.], seq 1:376, ack 1, win 64240, length 375
E…5.@……..tA6Q..!.P@”.+…eP…….GET /i/B7/EB75D45B8948F72EE451223E95A96.gif HTTP/1.1
Accept: */*
Referer: http://www.msn[.]com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
If-Modified-Since: Wed, 10 Mar 2010 08:15:43 GMT
If-None-Match: "a2c8ece029c0ca1:0", ""
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1)
Host: col.stb.s-msn[.]com
Connection: Keep-Alive
2011-07-30 00:13:50.705502 IP 172.29.0.116.1826 > 65.54.81.218.80: Flags [P.], seq 1:287, ack 1, win 64240, length 286
E..F5.@….;…tA6Q..”.P….*;.oP…….GET /i/65/CDAB2F44A1591D2B308C20C6C15375.jpg HTTP/1.1
Accept: */*
Referer: http://www.msn[.]com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1)
Host: col.stb.s-msn[.]com
Connection: Keep-Alive

2011-07-30 00:13:51.003372 IP 172.29.0.116.1813 > 65.54.80.177.80: Flags [P.], seq 965:1257, ack 32728, win 62831, length 292
E..L6.@….%…tA6P….P…sk..<P..odQ..GET /br/sc/i/c1/cc36ca69630adc1a2052edc7351a47.gif HTTP/1.1
Accept: */*
Referer: http://www.msn[.]com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1)
Host: col.stc.s-msn[.]com
Connection: Keep-Alive
2011-07-30 00:13:51.003978 IP 172.29.0.116.1823 > 66.235.139.152.80: Flags [P.], seq 723:1554, ack 1199, win 63042, length 831
E..g6.@…Fl…tB……P…….EP..B.p..GET /b/ss/msnportalhome/1/H.7-pdv-2/1325910528670?AQB=1&pccr=true&vidn=2783E5018515A4C4-40000175000246B1&&v=Y&j=1.3&ns=msnportalhome&v1=1%2F2012&v2=1%2F6%2F2012&t=6%2F0%2F2012+23%3A28%3A48+5+300&server=Msn[.]com&cc=USD&c1=Portal&c=32&bh=453&bw=771&g=http%3A%2F%2Fwww.msn[.]com%2F&s=1280×960&k=Y&c29=http%3A%2F%2Fwww.msn[.]com%2F&c42=0&ct=LAN&r=&pageName=US+HPMSFT3W&c3=V14&c2=en-us&ch=MSFT&hp=N&c19=fb%3Af%2Ctw%3Af&c7=infopane_hops%3Ana%2Clocaltg%3Alocal%2Cstgsearch%3Apopsrchnew%2Csocialtg%3Afacebook&c23=&c22=False&c25=&c26=&AQE=1 HTTP/1.1
Accept: */*
Referer: http://www.msn[.]com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1)
Host: msnportal.112.2o7.net
Connection: Keep-Alive
Cookie: s_vi=[CS]v1|2783E5018515A4C4-40000175000246B1[CE]
2011-07-30 00:13:51.004588 IP 172.29.0.116.1825 > 65.54.81.218.80: Flags [.], ack 15823, win 61106, length 0
E..(6.@……..tA6Q..!.P@”….Q3P…] ..
2011-07-30 00:13:51.005162 IP 172.29.0.116.1825 > 65.54.81.218.80: Flags [.], ack 15823, win 64240, length 0
E..(6.@……..tA6Q..!.P@”….Q3P…P…
2011-07-30 00:13:51.007798 IP 65.55.33.49.80 > 172.29.0.116.1818: Flags [.], ack 325, win 64240, length 0
E .(.&@…,.A7!1…t.P….V….}P…>d……
2011-07-30 00:13:51.015454 IP 172.29.0.116.1828 > 65.55.239.146.80: Flags [P.], seq 1:497, ack 1, win 64240, length 496
E…6.@….p…tA7…$.P……;7P….G..GET /c.gif?udc=true&di=340&pi=7317&ps=95101&lng=en-us&tp=http%3A%2F%2Fwww.msn[.]com%2Fdefaultwpe3w.aspx&rid=65b8a99187064b33908c4da42917382e&rnd=1325910528670&rf=&scr=1280×960&RedC=c.msn[.]com&MXFR=07CA69B77E7B686F27546B577A7B680A HTTP/1.1
Accept: */*
Referer: http://www.msn[.]com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1)
Host: c.atdmt[.]com
Connection: Keep-Alive
Cookie: AA002=1290834635-1430752
2011-07-30 00:13:51.016390 IP 172.29.0.116.1825 > 65.54.81.218.80: Flags [P.], seq 661:946, ack 15823, win 64240, length 285
E..E6.@……..tA6Q..!.P@”….Q3P….Q..GET /i/A2/5646B129595E84DA9176F0644F8DD.jpg HTTP/1.1
Accept: */*
Referer: http://www.msn[.]com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1)
Host: col.stb.s-msn[.]com
Connection: Keep-Alive
