ZeroAccess/Sirefef P2P Trojan Rootkit Botnet Clickfraud Module for Dailyrx

By | June 19, 2015

2012-10-04 01:34:27.552176 IP 192.168.106.131.1161 > 8.8.8.8.53: 13107+ A? promos.fling.com. (34)
E..>M………j……..5.**.33………..promos.fling.com…..
2012-10-04 01:34:27.602073 IP 8.8.8.8.53 > 192.168.106.131.1161: 13107 1/4/0 A 208.91.207.10 (128)
E………xm……j..5……33………..promos.fling.com…………..,…[.
………,…ns1.dpnet………..,…ns2.B………,…ns4.B………,…ns3.B
2012-10-04 01:34:27.640903 IP 192.168.106.131.1162 > 208.91.207.10.80: Flags [S], seq 746089442, win 64240, options [mss 1460,nop,nop,sackOK], length 0
E..0M.@….J..j..[.
…P,xk…..p… h……….
2012-10-04 01:34:27.682541 IP 208.91.207.10.80 > 192.168.106.131.1162: Flags [S.], seq 836904329, ack 746089443, win 64240, options [mss 1460], length 0
E..,………[.
..j..P..1.%.,xk.`………….
2012-10-04 01:34:27.682609 IP 192.168.106.131.1162 > 208.91.207.10.80: Flags [.], ack 1, win 64240, length 0
E..(M.@….Q..j..[.
…P,xk.1.%.P…….
2012-10-04 01:34:27.682747 IP 192.168.106.131.1162 > 208.91.207.10.80: Flags [P.], seq 1:78, ack 1, win 64240, length 77
E..uM.@…….j..[.
…P,xk.1.%.P…….GET /geo/txt/city.php HTTP/1.0
Host: promos.fling.com
Connection: close

2012-10-04 01:34:27.682935 IP 208.91.207.10.80 > 192.168.106.131.1162: Flags [.], ack 78, win 64240, length 0
E..(………[.
..j..P..1.%.,xl0P….b……..
2012-10-04 01:34:27.732145 IP 208.91.207.10.80 > 192.168.106.131.1162: Flags [FP.], seq 1:678, ack 78, win 64240, length 677
E…………[.
..j..P..1.%.,xl0P…….HTTP/1.1 200 OK
Server: nginx
Date: Thu, 04 Oct 2012 11:31:38 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.10
Set-Cookie: city_name=Washington; expires=Fri, 05-Oct-2012 15:18:18 GMT
Set-Cookie: state_code=DC; expires=Fri, 05-Oct-2012 15:18:18 GMT
Set-Cookie: state=District+of+Columbia; expires=Fri, 05-Oct-2012 15:18:18 GMT
Set-Cookie: country_code=US; expires=Fri, 05-Oct-2012 15:18:18 GMT
Set-Cookie: country_name=United+States; expires=Fri, 05-Oct-2012 15:18:18 GMT
Set-Cookie: latitude=38.9376; expires=Fri, 05-Oct-2012 15:18:18 GMT
Set-Cookie: longitude=-77.0928; expires=Fri, 05-Oct-2012 15:18:18 GMT

document.write("Washington");

2012-10-04 01:34:32.851433 IP 192.168.106.131.1188 > 82.15.9.23.16464: Flags [S], seq 908911086, win 64240, options [mss 1460,nop,nop,sackOK], length 0
E..0N.@…&k..j.R. …@P6,……p……………
2012-10-04 01:34:32.852011 IP 192.168.106.131.1189 > 82.15.9.23.16464: Flags [S], seq 3014153347, win 64240, options [mss 1460,nop,nop,sackOK], length 0
E..0N.@…&j..j.R. …@P..T…..p……………
2012-10-04 01:34:32.852725 IP 192.168.106.131.1190 > 82.15.9.23.16464: Flags [S], seq 815525400, win 64240, options [mss 1460,nop,nop,sackOK], length 0
E..0N.@…&i..j.R. …@P0…….p….2……….
2012-10-04 01:34:33.011337 IP 82.15.9.23.16464 > 192.168.106.131.1189: Flags [S.], seq 1181180301, ack 3014153348, win 64240, options [mss 1460], length 0
E..,……-.R. …j.@P..Fga…T.`…!………
2012-10-04 01:34:33.011381 IP 192.168.106.131.1189 > 82.15.9.23.16464: Flags [.], ack 1, win 64240, length 0
E..(N.@…&p..j.R. …@P..T.Fga.P…9z..
2012-10-04 01:34:33.011552 IP 192.168.106.131.1189 > 82.15.9.23.16464: Flags [P.], seq 1:13, ack 1, win 64240, length 12
E..4N.@…&c..j.R. …@P..T.Fga.P…5……..p =.4..
2012-10-04 01:34:33.011819 IP 82.15.9.23.16464 > 192.168.106.131.1189: Flags [.], ack 13, win 64240, length 0
E..(……-.R. …j.@P..Fga…T.P…9n……..
2012-10-04 01:34:33.015662 IP 82.15.9.23.16464 > 192.168.106.131.1190: Flags [S.], seq 445448361, ack 815525401, win 64240, options [mss 1460], length 0
E..,……-.R. …j.@P……0…`………….
2012-10-04 01:34:33.015695 IP 192.168.106.131.1190 > 82.15.9.23.16464: Flags [.], ack 1, win 64240, length 0
E..(N.@…&n..j.R. …@P0…….P…….
2012-10-04 01:34:33.015881 IP 192.168.106.131.1190 > 82.15.9.23.16464: Flags [P.], seq 1:13, ack 1, win 64240, length 12
E..4N.@…&a..j.R. …@P0…….P….q………=.T..
2012-10-04 01:34:33.015966 IP 82.15.9.23.16464 > 192.168.106.131.1188: Flags [S.], seq 135603550, ack 908911087, win 64240, options [mss 1460], length 0
E..,……-.R. …j.@P….%^6,..`….P……..
2012-10-04 01:34:33.016001 IP 192.168.106.131.1188 > 82.15.9.23.16464: Flags [.], ack 1, win 64240, length 0
E..(N.@…&l..j.R. …@P6,….%_P…….
2012-10-04 01:34:33.016220 IP 82.15.9.23.16464 > 192.168.106.131.1190: Flags [.], ack 13, win 64240, length 0
E..(……-.R. …j.@P……0..%P………….
2012-10-04 01:34:33.016410 IP 192.168.106.131.1188 > 82.15.9.23.16464: Flags [P.], seq 1:13, ack 1, win 64240, length 12
E..4N.@…&_..j.R. …@P6,….%_P…=……./..=….
2012-10-04 01:34:33.016648 IP 82.15.9.23.16464 > 192.168.106.131.1188: Flags [.], ack 13, win 64240, length 0
E..(……-.R. …j.@P….%_6,..P………….
2012-10-04 01:34:33.155251 IP 82.15.9.23.16464 > 192.168.106.131.1189: Flags [P.], seq 1:1261, ack 13, win 64240, length 1260

2012-10-04 01:37:57.265434 IP 192.168.106.131.1204 > 50.56.71.127.80: Flags [P.], seq 1:1058, ack 1, win 64240, length 1057
E..IOK@…….j.28G….P..E!..g.P…….GET /?utm_source=114396_0_1358612989_1297530&utm_medium=00100 HTTP/1.1
Accept: */*
Referer: http://redirect.ad-feeds.com/results/?partnerid=114396&appid=0&subid=1358612989_1297530&ip=128.164.107.221&cid=259701&entry=gordon%20le%20bleu&ronMin=0.000100&mb=0.000100&qs=…
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: thor.dailyrx.com
Connection: Keep-Alive

2012-10-04 01:37:57.265679 IP 50.56.71.127.80 > 192.168.106.131.1204: Flags [.], ack 1058, win 64240, length 0
E..(…….:28G…j..P….g…IBP………….
2012-10-04 01:37:57.307877 IP 50.56.71.127.80 > 192.168.106.131.1204: Flags [FP.], seq 1:351, ack 1058, win 64240, length 350
E………..28G…j..P….g…IBP…….HTTP/1.1 302 Found
Date: Thu, 04 Oct 2012 11:36:56 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.10-2ubuntu6.7
Location: http://www.dailyrx.com/?utm_source=114396_0_1358612989_1297530&utm_medium=00100
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 20
Connection: close
Content-Type: text/html

………………..
2012-10-04 01:37:57.307916 IP 192.168.106.131.1204 > 50.56.71.127.80: Flags [.], ack 352, win 63890, length 0
E..(OM@…….j.28G….P..IB..h.P…….
2012-10-04 01:37:57.308267 IP 192.168.106.131.1204 > 50.56.71.127.80: Flags [F.], seq 1058, ack 352, win 63890, length 0
E..(ON@…….j.28G….P..IB..h.P…….
2012-10-04 01:37:57.308285 IP 50.56.71.127.80 > 192.168.106.131.1204: Flags [.], ack 1059, win 64239, length 0
E..(…….828G…j..P….h…ICP….+……..
2012-10-04 01:37:57.310313 IP 192.168.106.131.53 > 8.8.8.8.53: 49903+ A? www.dailyrx.com. (33)
E..=OP…..$..j……5.5.)……………www.dailyrx.com…..
2012-10-04 01:37:57.310320 IP 192.168.106.131.53 > 4.2.2.2.53: 49903+ A? www.dailyrx.com. (33)
E..=OQ…../..j……5.5.)……………www.dailyrx.com…..
2012-10-04 01:37:57.330355 IP 8.8.8.8.53 > 192.168.106.131.53: 49903 2/2/2 CNAME dailyrx.com., A 69.167.130.41 (158)
E………wA……j..5.5..c…………..www.dailyrx.com…………..,………….,..E..)………R…coco.ns
cloudflare………..R…ken.P.l…………;..l……….$… I……..;.
2012-10-04 01:37:57.349160 IP 192.168.106.131.1205 > 69.167.130.41.80: Flags [S], seq 964216821, win 64240, options [mss 1460,nop,nop,sackOK], length 0
E..0OS@….x..j.E..)…P9x……p……………
2012-10-04 01:37:57.390228 IP 69.167.130.41.80 > 192.168.106.131.1205: Flags [S.], seq 648285657, ack 964216822, win 64240, options [mss 1460], length 0
E..,……..E..)..j..P..&…9x..`…o8……..
2012-10-04 01:37:57.390253 IP 192.168.106.131.1205 > 69.167.130.41.80: Flags [.], ack 1, win 64240, length 0
E..(OU@….~..j.E..)…P9x..&…P…….
2012-10-04 01:37:57.390311 IP 192.168.106.131.1205 > 69.167.130.41.80: Flags [P.], seq 1:1057, ack 1, win 64240, length 1056
E..HOV@….]..j.E..)…P9x..&…P…….GET /?utm_source=114396_0_1358612989_1297530&utm_medium=00100 HTTP/1.1
Accept: */*
Referer: http://redirect.ad-feeds.com/results/?partnerid=114396&appid=0&subid=1358612989_1297530&ip=128.164.107.221&cid=259701&entry=gordon%20le%20bleu&ronMin=0.000100&mb=0.000100&qs=IhwIAhVYFXVYB0VNRUJaXlxFRRcxCFlIXFYZfQhFBBweEAYdJ0UcFGRYXUJVQ1Q8HgZPS1YXBgsLHBUWYVxYQF1WBjcPFxdEQFpZX1kREQc3G1BAQlUQcl5TVBoCSVlBXhEWEWNPAxJRVQ51XldASVYXGVJeDxERY1ldDFxLEHVeU0IFQURZQV4RERFjFV1eXFUQdV4fQldARFlfXl0RD2NZWkBcGRZ1QFNCSUBEFVxAERERY1kRQUJVEHVeU1QaGRBUXVsYFhFiTwEZCFgXfV9aRUlCUg0AA0BIT24eGgdCAUEsAhogAV4XBgJIUFUcYlpZSV9QEHFWVVQSB0kbAAAHQkokVEsCCQMdYxwNGURBUh0cHVVARjoNUEJZVRJzWlBBXxcRBhsPRkhFblteRFlSBjAcD08RBAAZSl1ABBM1TF8WGA1PN0AHExAcDRsXQEJOTHZbC1VfA1UxAzwBFgUGCgpLEkUQYl1eSVo6EBpfUEdBRkVbVlYYfhBhUFpFX1UFd1gWBhQvGQwLB1RMBGANXUBdVRA=
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: www.dailyrx.com
Connection: Keep-Alive

2012-10-04 01:37:57.579727 IP 192.168.106.131.1207 > 184.82.24.134.80: Flags [P.], seq 1:442, ack 1, win 64240, length 441
E…O.@…….j..R…..P….j.[:P…Z…GET /sites/default/files/css/cdn_css_mmKVodjOE_7U1uXBVj9q8PHnwr55Ppmx_pFilrhDJgw.css HTTP/1.1
Accept: */*
Referer: http://www.dailyrx.com/?utm_source=114396_0_1358612989_1297530&utm_medium=00100
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: cdn2.dailyrx.com
Connection: Keep-Alive

2012-10-04 01:37:57.579932 IP 192.168.106.131.1208 > 199.48.130.115.80: Flags [P.], seq 1:442, ack 1, win 64240, length 441
E…O.@…4…j..0.s…P….u…P…….GET /sites/default/files/css/cdn_css_InF8W9FIkIbk6pTZz13WuwYNIXwoTkfdgfQY2kpz2sc.css HTTP/1.1
Accept: */*
Referer: http://www.dailyrx.com/?utm_source=114396_0_1358612989_1297530&utm_medium=00100
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: cdn1.dailyrx.com
Connection: Keep-Alive

2012-10-04 01:37:57.580006 IP 184.82.24.134.80 > 192.168.106.131.1207: Flags [.], ack 442, win 64240, length 0
E..(………R….j..P..j.[:…kP………….
2012-10-04 01:37:57.580134 IP 199.48.130.115.80 > 192.168.106.131.1208: Flags [.], ack 442, win 64240, length 0
E..(……>2.0.s..j..P..u……iP………….
2012-10-04 01:37:57.580192 IP 192.168.106.131.1209 > 199.48.130.115.80: Flags [P.], seq 1:442, ack 1, win 64240, length 441
E…O.@…4…j..0.s…P'[.EE.y.P…_…GET /sites/default/files/css/cdn_css_X-dpLmO2m9QO42SfQPUA-QUoHiDf8K-iNlH8VPFA0yU.css HTTP/1.1
Accept: */*
Referer: http://www.dailyrx.com/?utm_source=114396_0_1358612989_1297530&utm_medium=00100
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: cdn1.dailyrx.com
Connection: Keep-Alive

2012-10-04 01:37:57.580387 IP 199.48.130.115.80 > 192.168.106.131.1209: Flags [.], ack 442, win 64240, length 0
E..(……>1.0.s..j..P..E.y.'[..P………….
2012-10-04 01:37:57.580449 IP 192.168.106.131.1210 > 184.82.24.134.80: Flags [P.], seq 1:435, ack 1, win 64240, length 434
E…O.@…….j..R…..P.m..v.\.P….8..GET /sites/default/files/js/js_r7T3gXhTHJk9b0ULloJsO8h0VWMOP8Z2fwAmHUSCzv0.js HTTP/1.1
Accept: */*
Referer: http://www.dailyrx.com/?utm_source=114396_0_1358612989_1297530&utm_medium=00100
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: cdn2.dailyrx.com
Connection: Keep-Alive
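
The capture above shows three behaviours in sequence: a geolocation lookup, a burst of SYNs from the infected host to TCP port 16464 on a peer, and then a click chain (a GET carrying a redirect.ad-feeds.com Referer, a 302 to the advertiser's site, and browser-like fetches of its CSS and JS). The following is an added detection example, not code from the original post, that parses tcpdump summary lines of this form and flags the two network-visible signals: repeated SYNs from one host to port 16464, and HTTP requests whose Referer names a host on a watch-list. The sample lines are constructed from the capture; the SYN threshold and the watch-list contents are assumptions chosen for the demonstration.

```python
"""Added example: flag a port-16464 SYN burst and watch-listed Referers in
tcpdump summary output. Not part of the original capture or the author's tooling."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample: summary lines taken from the capture, with the HTTP
# request lines that followed two of them (the -A payload, condensed).
SAMPLE = """\
2012-10-04 01:34:27.640903 IP 192.168.106.131.1162 > 208.91.207.10.80: Flags [S], seq 746089442, win 64240, length 0
2012-10-04 01:34:32.851433 IP 192.168.106.131.1188 > 82.15.9.23.16464: Flags [S], seq 908911086, win 64240, length 0
2012-10-04 01:34:32.852011 IP 192.168.106.131.1189 > 82.15.9.23.16464: Flags [S], seq 3014153347, win 64240, length 0
2012-10-04 01:34:32.852725 IP 192.168.106.131.1190 > 82.15.9.23.16464: Flags [S], seq 815525400, win 64240, length 0
2012-10-04 01:37:57.265434 IP 192.168.106.131.1204 > 50.56.71.127.80: Flags [P.], seq 1:1058, ack 1, win 64240, length 1057
GET /?utm_source=114396_0_1358612989_1297530&utm_medium=00100 HTTP/1.1
Referer: http://redirect.ad-feeds.com/results/?partnerid=114396&appid=0
Host: thor.dailyrx.com
2012-10-04 01:37:57.579727 IP 192.168.106.131.1207 > 184.82.24.134.80: Flags [P.], seq 1:442, ack 1, win 64240, length 441
GET /sites/default/files/css/cdn_css_mmKVodjOE.css HTTP/1.1
Referer: http://www.dailyrx.com/?utm_source=114396_0_1358612989_1297530&utm_medium=00100
Host: cdn2.dailyrx.com
"""

SUMMARY = re.compile(
    r"^(?P<ts>\S+ \S+) IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)
REQUEST = re.compile(r"^(?P<method>GET|POST|HEAD) (?P<path>\S+) HTTP/1\.[01]$")

P2P_PORT = 16464                                 # port the capture shows the host contacting
SYN_BURST = 3                                    # assumption: SYNs per host that count as a burst
REFERRER_WATCHLIST = {"redirect.ad-feeds.com"}   # assumption: referrer hosts worth flagging


def parse_capture(text):
    """Turn tcpdump summary lines (plus any HTTP request/header lines that
    follow them) into flow records; header lines attach to the last packet."""
    records = []
    for line in text.splitlines():
        m = SUMMARY.match(line)
        if m:
            rec = m.groupdict()
            rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
            rec["http"] = None
            records.append(rec)
            continue
        if not records:
            continue
        r = REQUEST.match(line)
        if r:
            records[-1]["http"] = {"method": r["method"], "path": r["path"], "headers": {}}
        elif ":" in line and records[-1]["http"] is not None:
            name, _, value = line.partition(":")
            records[-1]["http"]["headers"][name.strip().lower()] = value.strip()
    return records


def find_syn_bursts(records, port=P2P_PORT, threshold=SYN_BURST):
    """Count bare SYNs per source host to `port`; return hosts at or over threshold."""
    syns = Counter(r["src"] for r in records if r["dport"] == port and r["flags"] == "S")
    return {host: n for host, n in syns.items() if n >= threshold}


def find_watchlisted_referrers(records, watchlist=REFERRER_WATCHLIST):
    """Return (requested host, path, referrer host) for each HTTP request whose
    Referer header names a host on the watch-list."""
    hits = []
    for r in records:
        h = r["http"]
        if not h or "referer" not in h["headers"]:
            continue
        ref_host = urlsplit(h["headers"]["referer"]).hostname
        if ref_host in watchlist:
            hits.append((h["headers"].get("host"), h["path"], ref_host))
    return hits


if __name__ == "__main__":
    recs = parse_capture(SAMPLE)
    print("port-16464 SYN bursts:", find_syn_bursts(recs))
    for host, path, ref in find_watchlisted_referrers(recs):
        print(f"request via {ref} -> {host}{path}")
```

On a full capture, `find_syn_bursts` isolates the peer-discovery burst (three SYNs within a millisecond to one peer here) and `find_watchlisted_referrers` isolates the first hop of the click chain; the later CSS and JS fetches carry the landing page as Referer and are deliberately not flagged, since on their own they look like ordinary browsing.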
