Tbot Tor The Onion Router Botnet Malware – checkip.dyndns.org good indicator – Traffic Sample

June 19, 2015

2012-10-07 10:44:48.472379 IP 4.2.2.2.53 > 172.16.253.130.53: 57268 4/0/0 CNAME checkip.dyndns[.]com., A 216.146.38.70, A 216.146.39.70, A 91.198.22.70 (116)
[DNS response payload; question name: checkip.dyndns.org]
2012-10-07 10:44:48.472399 IP 8.8.8.8.53 > 172.16.253.130.53: 57268 4/0/0 CNAME checkip.dyndns[.]com., A 216.146.39.70, A 91.198.22.70, A 216.146.38.70 (116)
[DNS response payload; question name: checkip.dyndns.org]
2012-10-07 10:44:48.483982 IP 172.16.253.130.1079 > 216.146.38.70.80: Flags [S], seq 1372600659, win 64240, options [mss 1460,nop,nop,sackOK], length 0
2012-10-07 10:44:48.512370 IP 216.146.38.70.80 > 172.16.253.130.1079: Flags [S.], seq 4187463446, ack 1372600660, win 64240, options [mss 1460], length 0
2012-10-07 10:44:48.512400 IP 172.16.253.130.1079 > 216.146.38.70.80: Flags [.], ack 1, win 64240, length 0
2012-10-07 10:44:48.512565 IP 172.16.253.130.1079 > 216.146.38.70.80: Flags [P.], seq 1:70, ack 1, win 64240, length 69
GET / HTTP/1.1
Host: checkip.dyndns.org
Cache-Control: no-cache
2012-10-07 10:44:48.514223 IP 216.146.38.70.80 > 172.16.253.130.1079: Flags [.], ack 70, win 64240, length 0
2012-10-07 10:44:48.532365 IP 216.146.38.70.80 > 172.16.253.130.1079: Flags [FP.], seq 1:261, ack 70, win 64240, length 260
HTTP/1.1 200 OK
Content-Type: text/html
Server: DynDNS-CheckIP/1.0
Connection: close
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 105

<html><head><title>Current IP Check</title></head><body>Current IP Address: 74.217.91.121</body></html>

2012-10-07 10:44:48.532443 IP 172.16.253.130.1079 > 216.146.38.70.80: Flags [.], ack 262, win 63980, length 0
2012-10-07 10:44:48.532659 IP 172.16.253.130.1079 > 216.146.38.70.80: Flags [F.], seq 70, ack 262, win 63980, length 0
2012-10-07 10:44:48.533170 IP 216.146.38.70.80 > 172.16.253.130.1079: Flags [.], ack 71, win 64239, length 0
2012-10-07 10:44:49.399366 IP 172.16.253.130.1086 > 213.115.239.118.80: Flags [S], seq 2203376452, win 64240, options [mss 1460,nop,nop,sackOK], length 0
2012-10-07 10:44:49.524688 IP 213.115.239.118.80 > 172.16.253.130.1086: Flags [S.], seq 2047334304, ack 2203376453, win 64240, options [mss 1460], length 0
2012-10-07 10:44:49.524712 IP 172.16.253.130.1086 > 213.115.239.118.80: Flags [.], ack 1, win 64240, length 0
2012-10-07 10:44:49.526638 IP 172.16.253.130.1086 > 213.115.239.118.80: Flags [P.], seq 1:218, ack 1, win 64240, length 217
[TLS ClientHello; server_name: www.m42yk3wrvudrleldb53kmwfe[.]com]
2012-10-07 10:44:49.526876 IP 213.115.239.118.80 > 172.16.253.130.1086: Flags [.], ack 218, win 64240, length 0
2012-10-07 10:44:50.423721 IP 172.16.253.130.1389 > 208.83.223.34.80: Flags [S], seq 2379741658, win 64240, options [mss 1460,nop,nop,sackOK], length 0
2012-10-07 10:44:50.508562 IP 208.83.223.34.80 > 172.16.253.130.1389: Flags [S.], seq 3801535463, ack 2379741659, win 64240, options [mss 1460], length 0
2012-10-07 10:44:50.508586 IP 172.16.253.130.1389 > 208.83.223.34.80: Flags [.], ack 1, win 64240, length 0
2012-10-07 10:44:50.513706 IP 172.16.253.130.1389 > 208.83.223.34.80: Flags [P.], seq 1:211, ack 1, win 64240, length 210
[TLS ClientHello; server_name: www.pwq6ifne7sbloftmi[.]com]
2012-10-07 10:45:22.115430 IP 172.16.253.130.2094 > 204.11.50.131.9001: Flags [P.], seq 1:198, ack 1, win 64240, length 197
[TLS ClientHello; server_name: www.d6dh[.]com]
2012-10-07 10:45:22.115466 IP 165.254.32.197.9001 > 172.16.253.130.2092: Flags [.], ack 410, win 64240, length 0
2012-10-07 10:45:22.115676 IP 172.16.253.130.2084 > 91.121.245.171.443: Flags [P.], seq 1:204, ack 1, win 64240, length 203
[TLS ClientHello; server_name: www.6bwdgj3gw3[.]com]
2012-10-07 10:45:22.115711 IP 204.11.50.131.9001 > 172.16.253.130.2094: Flags [.], ack 198, win 64240, length 0
2012-10-07 10:45:22.115821 IP 91.121.245.171.443 > 172.16.253.130.2084: Flags [.], ack 204, win 64240, length 0
2012-10-07 10:45:22.116331 IP 172.16.253.130.2090 > 208.53.158.59.9001: Flags [P.], seq 208:406, ack 920, win 63321, length 198
[TLS data, no printable content]
2012-10-07 10:45:22.123883 IP 208.53.158.59.9001 > 172.16.253.130.2090: Flags [.], ack 406, win 64240, length 0
2012-10-07 10:45:22.123895 IP 213.163.64.43.9001 > 172.16.253.130.2073: Flags [P.], seq 1:926, ack 201, win 64240, length 925
[TLS server handshake with Certificate; issuer CN www.im4s4f6mwi5f56kj2sd.net, validity 121224024047Z to 131224024047Z, subject CN www.zmctydua4.net]
2012-10-07 10:45:22.127178 IP 172.16.253.130.2076 > 68.169.35.102.443: Flags [P.], seq 210:408, ack 942, win 63299, length 198
[TLS data, no printable content]
2012-10-07 10:45:22.132745 IP 172.16.253.130.2077 > 77.247.181.163.443: Flags [P.], seq 211:409, ack 934, win 63307, length 198
[TLS data, no printable content]
2012-10-07 10:45:22.132785 IP 68.169.35.102.443 > 172.16.253.130.2076: Flags [.], ack 408, win 64240, length 0
2012-10-07 10:45:22.132797 IP 91.121.121.151.9001 > 172.16.253.130.2074: Flags [P.], seq 1:939, ack 207, win 64240, length 938
[TLS server handshake with Certificate; issuer CN www.2cuov4lwv5ls5dxcpif[.]com, validity 121224023743Z to 131224023743Z, subject CN www.6vxohviabuenhgik2.net]
2012-10-07 10:45:22.132963 IP 77.247.181.163.443 > 172.16.253.130.2077: Flags [.], ack 409, win 64240, length 0
2012-10-07 10:45:22.133046 IP 172.16.253.130.2081 > 96.47.226.21.443: Flags [P.], seq 411:624, ack 992, win 63249, length 213
[TLS data, no printable content]
2012-10-07 10:45:22.133271 IP 172.16.253.130.2088 > 195.191.16.63.443: Flags [P.], seq 1:215, ack 1, win 64240, length 214
[TLS ClientHello; server_name: www.o4rtqjectd6cr7xj2plup[.]com]
2012-10-07 10:45:22.133307 IP 96.47.226.21.443 > 172.16.253.130.2081: Flags [.], ack 624, win 64240, length 0
2012-10-07 10:45:22.133495 IP 172.16.253.130.2085 > 83.86.102.16.443: Flags [P.], seq 1:206, ack 1, win 64240, length 205
[TLS ClientHello; server_name: www.nhoqywktzrxr[.]com]
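Added example (not from the original post): a detection pass over tcpdump summary lines in the format of this capture, correlating the checkip.dyndns.org request with the burst of Tor-style TLS sessions (www.<random>.com SNI on 80/443/9001) that follows it. The sample records are constructed from the hosts and names in this capture; the second internal host, the SUMMARY_RE layout, the base32 SNI pattern and the 60-second window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample mirroring this capture: tcpdump summary lines paired with the printable strings pulled from each payload (not the original bytes).
SAMPLE = [
    ("2012-10-07 10:44:48.512565 IP 172.16.253.130.1079 > 216.146.38.70.80: Flags [P.], length 69",
     "GET / HTTP/1.1 Host: checkip.dyndns.org"),
    ("2012-10-07 10:44:49.526638 IP 172.16.253.130.1086 > 213.115.239.118.80: Flags [P.], length 217",
     "www.m42yk3wrvudrleldb53kmwfe.com"),
    ("2012-10-07 10:44:50.513706 IP 172.16.253.130.1389 > 208.83.223.34.80: Flags [P.], length 210",
     "www.pwq6ifne7sbloftmi.com"),
    ("2012-10-07 10:45:22.115430 IP 172.16.253.130.2094 > 204.11.50.131.9001: Flags [P.], length 197",
     "www.d6dh.com"),
    ("2012-10-07 10:45:22.115676 IP 172.16.253.130.2084 > 91.121.245.171.443: Flags [P.], length 203",
     "www.6bwdgj3gw3.com"),
    # Second host (constructed) checks its IP but never fans out: must not alert.
    ("2012-10-07 10:50:00.000000 IP 172.16.253.131.1050 > 216.146.38.70.80: Flags [P.], length 69",
     "GET / HTTP/1.1 Host: checkip.dyndns.org"),
]

SUMMARY_RE = re.compile(r"^(?P<ts>\S+ \S+) IP (?P<src>[\d.]+)\.\d+ > (?P<dst>[\d.]+)\.(?P<dport>\d+):")
# Tor-style randomized SNI (www.<base32 label>.com). Weak alone, since any lowercase
# label matches; the signal is the fan-out right after the checkip request.
TOR_SNI_RE = re.compile(r"www\.[a-z2-7]{4,25}\.com")
CHECKIP_RE = re.compile(r"Host: checkip\.dyndns\.(org|com)")
TOR_PORTS = {80, 443, 9001}  # the OR ports contacted in this capture

def parse(line):
    # Return (timestamp, src_ip, dst_ip, dst_port) from a tcpdump summary line, or None.
    m = SUMMARY_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
    return ts, m["src"], m["dst"], int(m["dport"])

def detect(events, window_s=60, min_fanout=3):
    # {src: [(dst, dport, sni)]} for hosts that hit checkip.dyndns and then opened
    # >= min_fanout Tor-style sessions to distinct peers within window_s seconds.
    checkip_at, fanout = {}, {}
    for line, payload in events:
        rec = parse(line)
        if rec is None:
            continue
        ts, src, dst, dport = rec
        if CHECKIP_RE.search(payload):
            checkip_at.setdefault(src, ts)  # keep the first check-in time
            continue
        sni, t0 = TOR_SNI_RE.search(payload), checkip_at.get(src)
        if sni and dport in TOR_PORTS and t0 is not None and t0 <= ts <= t0 + timedelta(seconds=window_s):
            fanout.setdefault(src, {})[dst] = (dst, dport, sni.group(0))
    return {s: sorted(v.values()) for s, v in fanout.items() if len(v) >= min_fanout}
```

Running detect(SAMPLE) flags only 172.16.253.130, with its four distinct Tor-style peers; the host that only queried checkip.dyndns.org is not reported.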
