I may have some data loss to Romania. How can I decode what I have managed to capture? Thanks in advance. Please teach me so I can apply this to future captures. And maybe help others.

POST /news/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.0.04506.30; InfoPath.1; .NET4.0C; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Content-Length: 292
Connection: Keep-Alive
Cache-Control: no-cache

... ..6..u...)[email protected]=$.#.M....5"..\s.....}@F....0a\!..oW..u...w.p..XCR...d.^..&wO.t_.^.m...
.3.w...a.....13.,Jh86*.AS#G.m.k..t.B../.]o.jOB..T....R...~a.K[9..Ps...|,&../....Q.R?H.k>.."..._[... ]Yu....E.I....M.`.}..*...

Their response acknowledges the data:

HTTP/1.1 200 OK
Server: nginx/0.6.32
Date: Wed, 06 Apr 2011 22:51:07 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.6-1+lenny9
Vary: Accept-Encoding
Content-Length: 196

9= ..7|..G[h.d..[[email protected]~.N.Jp....&..DS..2...x..u...

asked 06 Apr '11, 14:18


retagged 09 Apr '11, 07:35


What you got here is trouble.

The request goes out to the domain . At this time the domain does not exist (nslookup returns "non-existent domain").

The most remarkable website also hosts the Zeustracker, a website dedicated to tracking computers infected with the Zeus trojan horse.

As the domain does not exist, Zeustracker is currently not reporting it. However, the Google cache for Zeustracker still has the entry:

Zeustracker Screenshot from Google archive

So your trace file shows the encrypted command & control traffic for Zeus.

Alas, decrypting Zeus traffic is not for the faint of heart. Unfortunately, Zeus does not use a single master key. Finding the key for your infection requires a decent amount of reverse engineering. One possible approach is listed in a blog at

Depending on your version of Zeus this information could already be outdated.

Good hunting, you have a worthy target! :-)

answered 09 Apr '11, 07:19


edited 09 Apr '11, 07:34

Thanks for your time and assistance in reviewing this for me. I suspected as much. But it does help to strengthen my message that they should take this very seriously. I advised them to inform the user of the risks and possible loss of personal information that could have occurred.

(27 Apr '11, 13:48) Onebusytech

You might want to accept the answer then to get the question off the open questions list ;-)

(27 Apr '11, 14:42) Jasper ♦♦
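Added example for the "how can I decode this" question, not code from the question, the answer or any Zeus write-up: a small Python triage routine for a captured HTTP POST that parses the message, flags a missing Content-Type and a Content-Length that disagrees with the captured body, and uses the printable-byte ratio plus length-normalized Shannon entropy to decide whether the body is opaque ciphertext (the answer's conclusion for this capture) or readable text that could simply be decoded. The two sample messages, the body bytes and the thresholds (0.7 printable, 0.85 entropy) are constructed assumptions, not values from the capture.

```python
import math
# Constructed samples, not the real capture: headers modelled on the POST in the
# question, a pseudo-random stand-in for its encrypted body, and a benign form post.
BEACON_BODY = bytes((i * 37 + 11) % 251 for i in range(64))
SAMPLE_BEACON = (b"POST /news/ HTTP/1.1\r\nAccept: */*\r\n"
                 b"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n"
                 b"Content-Length: 64\r\nConnection: Keep-Alive\r\n"
                 b"Cache-Control: no-cache\r\n\r\n" + BEACON_BODY)
SAMPLE_FORM = (b"POST /login HTTP/1.1\r\nHost: example.test\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\n"
               b"Content-Length: 29\r\n\r\nuser=alice&remember=1&lang=en")

def parse_http_message(raw: bytes):
    """Split a raw HTTP/1.1 message into (start line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or tab/LF/CR (1.0 for an empty body)."""
    ok = sum(1 for b in data if 0x20 <= b < 0x7F or b in (9, 10, 13))
    return ok / len(data) if data else 1.0

def normalized_entropy(data: bytes) -> float:
    """Shannon entropy scaled to 0..1 against the maximum reachable at this length."""
    n = len(data)
    if n < 2:
        return 0.0
    h = -sum(data.count(b) / n * math.log2(data.count(b) / n) for b in set(data))
    return h / min(8.0, math.log2(n))

def triage_post(raw: bytes) -> dict:
    """Heuristic triage: is the POST body opaque (encrypted/compressed) or readable text?"""
    start, headers, body = parse_http_message(raw)
    findings = []
    if start.startswith("POST ") and "content-type" not in headers:
        findings.append("POST without Content-Type")
    declared = int(headers.get("content-length", "0"))
    if declared != len(body):
        findings.append(f"Content-Length {declared} != captured body {len(body)}")
    ratio, ent = printable_ratio(body), normalized_entropy(body)
    # A base64/hex-encoded body stays printable: decode it first, then re-run this check.
    opaque = ratio < 0.7 and ent > 0.85
    if opaque:
        findings.append("high-entropy binary body: encrypted/compressed, not an encoding")
    return {"verdict": "opaque" if opaque else "text", "printable_ratio": round(ratio, 2),
            "entropy": round(ent, 2), "findings": findings}
```

Run `triage_post()` over each POST body reassembled from a capture; a verdict of "opaque" means there is nothing to decode without the key, which for Zeus, as the answer notes, means reverse engineering the sample.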
question asked: 06 Apr '11, 14:18

question was seen: 4,104 times

last updated: 27 Apr '11, 14:52