TBOT TOR Botnet The Onion Router Malware – Very Successful Campaign – Traffic Sample

By | June 19, 2015

2012-10-07 10:34:34.639954 IP 172.16.253.129.53 > 8.8.8.8.53: 56315+ A? checkip.dyndns.org. (36)
2012-10-07 10:34:34.640077 IP 172.16.253.129.53 > 4.2.2.2.53: 56315+ A? checkip.dyndns.org. (36)
2012-10-07 10:34:34.654005 IP 4.2.2.2.53 > 172.16.253.129.53: 56315 4/0/0 CNAME checkip.dyndns[.]com., A 216.146.38.70, A 216.146.39.70, A 91.198.22.70 (116)
2012-10-07 10:34:34.655124 IP 8.8.8.8.53 > 172.16.253.129.53: 56315 4/0/0 CNAME checkip.dyndns[.]com., A 216.146.38.70, A 216.146.39.70, A 91.198.22.70 (116)
2012-10-07 10:34:34.708429 IP 172.16.253.129.1132 > 216.146.38.70.80: Flags [S], seq 3917296735, win 64240, options [mss 1460,nop,nop,sackOK], length 0
2012-10-07 10:34:34.737238 IP 216.146.38.70.80 > 172.16.253.129.1132: Flags [S.], seq 331228416, ack 3917296736, win 64240, options [mss 1460], length 0
2012-10-07 10:34:34.737280 IP 172.16.253.129.1132 > 216.146.38.70.80: Flags [.], ack 1, win 64240, length 0
2012-10-07 10:34:34.737562 IP 172.16.253.129.1132 > 216.146.38.70.80: Flags [P.], seq 1:70, ack 1, win 64240, length 69
GET / HTTP/1.1
Host: checkip.dyndns.org
Cache-Control: no-cache
2012-10-07 10:34:34.737680 IP 216.146.38.70.80 > 172.16.253.129.1132: Flags [.], ack 70, win 64240, length 0
2012-10-07 10:34:34.751188 IP 216.146.38.70.80 > 172.16.253.129.1132: Flags [FP.], seq 1:261, ack 70, win 64240, length 260
HTTP/1.1 200 OK
Content-Type: text/html
Server: DynDNS-CheckIP/1.0
Connection: close
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 105

<html><head><title>Current IP Check</title></head><body>Current IP Address: 74.217.91.121</body></html>

2012-10-07 10:34:34.751266 IP 172.16.253.129.1132 > 216.146.38.70.80: Flags [.], ack 262, win 63980, length 0
2012-10-07 10:34:34.751620 IP 172.16.253.129.1132 > 216.146.38.70.80: Flags [F.], seq 70, ack 262, win 63980, length 0
2012-10-07 10:34:34.752289 IP 216.146.38.70.80 > 172.16.253.129.1132: Flags [.], ack 71, win 64239, length 0
2012-10-07 10:34:35.495760 IP 172.16.253.129.1136 > 128.31.0.39.9101: Flags [S], seq 2758289129, win 64240, options [mss 1460,nop,nop,sackOK], length 0
2012-10-07 10:34:35.521977 IP 128.31.0.39.9101 > 172.16.253.129.1136: Flags [S.], seq 3422471763, ack 2758289130, win 64240, options [mss 1460], length 0
2012-10-07 10:34:35.522009 IP 172.16.253.129.1136 > 128.31.0.39.9101: Flags [.], ack 1, win 64240, length 0
2012-10-07 10:34:35.531666 IP 172.16.253.129.1136 > 128.31.0.39.9101: Flags [P.], seq 1:203, ack 1, win 64240, length 202
    [payload: TLS ClientHello, SNI www.seu4oxkf6[.]com; non-printable bytes omitted]
2012-10-07 10:34:35.531899 IP 128.31.0.39.9101 > 172.16.253.129.1136: Flags [.], ack 203, win 64240, length 0
2012-10-07 10:34:35.558570 IP 128.31.0.39.9101 > 172.16.253.129.1136: Flags [P.], seq 1:926, ack 203, win 64240, length 925
    [payload: TLS server response with certificate, issuer CN www.tbajutyf[.]com, subject CN www.tl6ou6ap7fjroh2o.net, validity 121224024002Z to 131224024002Z; non-printable bytes omitted]
2012-10-07 10:34:35.564364 IP 172.16.253.129.1136 > 128.31.0.39.9101: Flags [P.], seq 203:401, ack 926, win 63315, length 198
    [payload: binary, omitted]
2012-10-07 10:34:35.564549 IP 128.31.0.39.9101 > 172.16.253.129.1136: Flags [.], ack 401, win 64240, length 0
2012-10-07 10:34:35.590756 IP 128.31.0.39.9101 > 172.16.253.129.1136: Flags [P.], seq 926:985, ack 401, win 64240, length 59
    [payload: binary, omitted]
2012-10-07 10:34:35.590984 IP 172.16.253.129.1136 > 128.31.0.39.9101: Flags [P.], seq 401:598, ack 985, win 63256, length 197
    [payload: binary, omitted]
2012-10-07 10:34:48.890493 IP 172.16.253.129.2494 > 86.59.21.38.443: Flags [P.], seq 1:198, ack 1, win 64240, length 197
    [payload: TLS ClientHello, SNI www.fjpv[.]com; non-printable bytes omitted]
2012-10-07 10:34:48.890769 IP 86.59.21.38.443 > 172.16.253.129.2494: Flags [.], ack 198, win 64240, length 0
2012-10-07 10:34:49.012094 IP 86.59.21.38.443 > 172.16.253.129.2494: Flags [P.], seq 1:923, ack 198, win 64240, length 922
    [payload: TLS server response with certificate, issuer CN www.ohqnkijzzo5vt[.]com, subject CN www.vklxa6kz.net, validity 121224024323Z to 131224024323Z; non-printable bytes omitted]
2012-10-07 10:34:49.022194 IP 172.16.253.129.2494 > 86.59.21.38.443: Flags [P.], seq 198:396, ack 923, win 63318, length 198
    [payload: binary, omitted]
2012-10-07 10:34:55.456287 IP 172.16.253.129.3121 > 77.247.181.164.443: Flags [P.], seq 1:206, ack 1, win 64240, length 205
    [payload: TLS ClientHello, SNI www.cmeh4agzyphi[.]com; non-printable bytes omitted]
2012-10-07 10:34:55.456417 IP 77.247.181.164.443 > 172.16.253.129.3121: Flags [.], ack 206, win 64240, length 0
2012-10-07 10:34:55.456652 IP 172.16.253.129.3122 > 87.106.249.118.443: Flags [P.], seq 1:218, ack 1, win 64240, length 217
    [payload: TLS ClientHello, SNI www.qnqxclmrk2cqskkb732czjma[.]com; non-printable bytes omitted]
2012-10-07 10:34:55.456875 IP 87.106.249.118.443 > 172.16.253.129.3122: Flags [.], ack 218, win 64240, length 0
2012-10-07 10:34:55.457016 IP 172.16.253.129.3123 > 37.130.227.134.443: Flags [P.], seq 1:214, ack 1, win 64240, length 213
    [payload: TLS ClientHello, SNI www.uabjbwhkanlomodm5xst[.]com; non-printable bytes omitted]
2012-10-07 10:34:55.457133 IP 37.130.227.134.443 > 172.16.253.129.3123: Flags [.], ack 214, win 64240, length 0
2012-10-07 10:34:55.457400 IP 172.16.253.129.3124 > 78.108.63.46.443: Flags [P.], seq 1:201, ack 1, win 64240, length 200
    [payload: TLS ClientHello, SNI www.b6lwb6v[.]com; non-printable bytes omitted]
2012-10-07 10:34:55.457524 IP 78.108.63.46.443 > 172.16.253.129.3124: Flags [.], ack 201, win 64240, length 0
2012-10-07 10:34:55.457756 IP 172.16.253.129.3106 > 31.172.30.1.443: Flags [P.], seq 1:206, ack 1, win 64240, length 205
    [payload: TLS ClientHello, SNI www.ebd7caljnsax[.]com; non-printable bytes omitted]
2012-10-07 10:34:55.457885 IP 31.172.30.1.443 > 172.16.253.129.3106: Flags [.], ack 206, win 64240, length 0
2012-10-07 10:34:55.458119 IP 172.16.253.129.3107 > 209.240.71.9.9001: Flags [P.], seq 1:200, ack 1, win 64240, length 199
    [payload: TLS ClientHello, SNI www.pdpqsu[.]com; non-printable bytes omitted]
2012-10-07 10:34:55.458262 IP 209.240.71.9.9001 > 172.16.253.129.3107: Flags [.], ack 200, win 64240, length 0
2012-10-07 10:34:55.458520 IP 172.16.253.129.3108 > 38.229.79.2.443: Flags [P.], seq 1:206, ack 1, win 64240, length 205
    [payload: TLS ClientHello, SNI www.vkojgy6imcvg[.]com; non-printable bytes omitted]
2012-10-07 10:34:55.458642 IP 38.229.79.2.443 > 172.16.253.129.3108: Flags [.], ack 206, win 64240, length 0
2012-10-07 10:34:55.458868 IP 172.16.253.129.3109 > 87.236.194.158.443: Flags [P.], seq 1:199, ack 1, win 64240, length 198
    [payload: TLS ClientHello, SNI www.bxstw[.]com; non-printable bytes omitted]
2012-10-07 10:34:55.458980 IP 87.236.194.158.443 > 172.16.253.129.3109: Flags [.], ack 199, win 64240, length 0
2012-10-07 10:34:55.459194 IP 172.16.253.129.3110 > 84.19.178.7.9001: Flags [P.], seq 1:207, ack 1, win 64240, length 206
    [payload: TLS ClientHello, SNI www.7dezfrpxuvmtr[.]com; non-printable bytes omitted]
2012-10-07 10:34:55.459321 IP 84.19.178.7.9001 > 172.16.253.129.3110: Flags [.], ack 207, win 64240, length 0
2012-10-07 10:34:55.459562 IP 172.16.253.129.3111 > 96.47.226.21.443: Flags [P.], seq 1:219, ack 1, win 64240, length 218
    [payload: TLS ClientHello, SNI www.xqwf7xs6nycmciil3t5e4fy5v[.]com; non-printable bytes omitted]
2012-10-07 10:34:55.459774 IP 96.47.226.21.443 > 172.16.253.129.3111: Flags [.], ack 219, win 64240, length 0
2012-10-07 10:34:55.459886 IP 172.16.253.129.3112 > 37.130.227.132.443: Flags [P.], seq 1:215, ack 1, win 64240, length 214
    [payload: TLS ClientHello, SNI www.xf3225vc7drvcgborjll3[.]com; non-printable bytes omitted]