Hacking & Security

Security Observations: Kind Uncle Facebook Bakes "Safety Cookies"

CSIRT.cz - 29 September, 2015 - 09:48

In the current installment of Security Observations (Postřehy z bezpečnosti), published on Root.cz, we look at how Facebook protects the world from cyberterrorists by spying on its users, at a cleverly executed attack on Apple's App Store, at new sophisticated Android malware, and at a wave of "dislike" scams.

Category: Hacking & Security

Pirate Bay co-founder Gottfrid Svartholm, aka Anakata, Released from Prison

The Hacker News - 29 September, 2015 - 09:33
Gottfrid Svartholm Warg, the co-founder of the notorious file-sharing website The Pirate Bay, has been released from a Sweden prison following three years behind bars for hacking and copyright offenses. Yes, Svartholm Warg, also known as Anakata, is a free man again. Svartholm was convicted on both Swedish copyright offences and Danish hacking conspiracy connected to The Pirate Bay.
Category: Hacking & Security

Why Word "macro malware" is back, and what you can do about it...

Sophos Naked Security - 28 September, 2015 - 23:10
Cybercrooks have been getting back into VBA malware, or "macro viruses," as they used to be called. We explain why, and give you 2 tips on what to do.

VeraCrypt Patched Against Two Critical TrueCrypt Flaws

Threatpost - 28 September, 2015 - 21:29
Two privilege escalation vulnerabilities in the last TrueCrypt build were discovered by James Forshaw of Google Project Zero, and patched in VeraCrypt.
Category: Hacking & Security

Storing secret crypto keys in the Amazon cloud? New attack can steal them

Ars Technica - 28 September, 2015 - 20:55

Update: An Amazon spokesman e-mailed Ars the following statement:

I’d point out that this research shows Amazon EC2 continues to strengthen its built-in, base level security measures, even when researchers perform complex attacks with extremely rare, unlikely pre-existing conditions and outdated 3rd party software. AWS customers using current software and following security best practices are not impacted by this situation. Further, a patched version of the open source software targeted by this research (Libgcrypt) is publicly available for Amazon EC2 customers via their operating systems’ standard software update mechanisms or direct download from the Libgcrypt project page at www.gnu.org/software/libgcrypt/. AWS encourages the reporting of any AWS security concerns to AWS Security via aws-security@amazon.com.

Piercing a key selling point of commercial cloud computing services, computer scientists have devised a hack that allows an attacker using Amazon's EC2 platform to steal the secret cryptographic keys of other users.

The proof-of-concept attack is significant because Amazon Web Services and many other cloud service providers already blocked a previous key-recovery attack on co-located virtual machines that was unveiled in 2009. The paper was one of the first to highlight the security risks that come when someone uses the same physical piece of hardware as an advanced attacker. Cloud providers and makers of cryptography and virtual-machine software patched many of the weaknesses that made the attack possible. As a result, many of the techniques that gave the 2009 attack a high degree of accuracy are no longer possible.

Category: Hacking & Security

Hotel Chain Hilton Worldwide Investigating Potential POS Breach

Threatpost - 28 September, 2015 - 19:42
Hilton Hotels and Resorts is reportedly looking into claims that some of its point-of-sale devices were compromised, some potentially as far back as November 2014.
Category: Hacking & Security

Revisiting Apple IPC: (1) Distributed Objects

Project Zero - 28 September, 2015 - 18:43
Posted by Ian Beer of Google Project Zero

Earlier this year I gave a talk at the inaugural Jailbreak Security Summit entitled Auditing and Exploiting Apple IPC [ slides | video ]. As part of my research for that talk I wanted to find at least one bug involving each of the available IPC mechanisms on OS X/iOS; many of which remain unexplored and poorly-documented from a security perspective.
In the end I was only able to speak about three distinct bugs (involving XPC, MIG and raw mach messages) as the other bugs I’d found were still unpatched when I gave the talk. Apple have since fixed these remaining issues and in this short series of blog posts I’ll discuss in more depth some of these more obscure IPC mechanisms and exploit some more bugs.
In this first post we'll look at a series of bugs in a suid root executable which uses Distributed Objects.
Distributed Objects
Distributed Objects are a very old Cocoa Objective-C RPC technology. The idea behind them is pretty awesome: it allows you to take Objective-C objects in your process and make them available to other processes. Any other process can look up these objects (via launchd) and instantiate a proxy object in their own address space which functions (almost*) exactly like the real object, with the slight exception that all interactions with the proxy object are transparently marshalled back and forth via IPC between the two processes:

*Mike Ash’s excellent blog has a very detailed post outlining why proxy objects are only almost exactly like the real objects they represent: https://mikeash.com/pyblog/friday-qa-2009-02-20-the-good-and-bad-of-distributed-objects.html
In Objective-C we can define and vend a distributed object like this:
#import <objc/Object.h>
#import <Foundation/Foundation.h>

@interface VendMe : NSObject
- (oneway void) foo: (int) value;
@end

@implementation VendMe
- (oneway void) foo: (int) value
{
  NSLog(@"%d", value);
}
@end

int main (int argc, const char * argv[]) {
  VendMe* toVend = [[VendMe alloc] init];
  NSConnection *conn = [NSConnection defaultConnection];
  [conn setRootObject:toVend];
  [conn registerName:@"com.foo.my_test_service"];
  [[NSRunLoop currentRunLoop] run];
  return 0;
}
Here we’ve defined the class VendMe with one method named foo. We create an NSConnection object, passing it our VendMe instance and then call registerName to make this object available to other processes. Behind the scenes this registers a mach port send-right under that name with launchd allowing other processes to look it up and send mach messages.
Here’s the corresponding client side code:
#import <Cocoa/Cocoa.h>

int main(int argc, char** argv) {
  id theProxy = [[NSConnection rootProxyForConnectionWithRegisteredName:@"com.foo.my_test_service"
                                                                    host:nil] retain];
  [theProxy foo:123];
  return 0;
}
The NSConnection method rootProxyForConnectionWithRegisteredName is quite self-explanatory; given the object name to look up via launchd (in this case “com.foo.my_test_service”) it returns a proxy object which we can use to interact with the real object published under that name by the remote process. In this case we then call the foo method on the proxy passing the integer literal 123. This method call will be proxied over to the server process where the foo method will actually execute and log the string “123” to the console.
Controlling objects in weird ways
Natalie Silvanovich's recent Project Zero blog post on redefining object internals in ActionScript demonstrated the kinds of weird things which can happen when objects behave in unexpected ways. Natalie's work has focused on the native code underlying the ECMAScript family of languages, which are very dynamic, allowing you to redefine surprisingly low-level object behaviour from scripts. Many of the bugs discussed in Natalie's blog post stem from native code not taking sufficient precautions when interacting with these user-controlled objects. Typically these bugs manifest as use-after-frees or time-of-check-time-of-use issues due to native code failing to account for callbacks into user-controlled script which modifies state somehow.
Distributed Objects allow us to do similar things with Objective-C :) Of course, this is almost certainly going to be in the context of a local privilege escalation or sandbox escape rather than remote code execution.
In the DO example earlier we called a method passing a simple integer literal as the argument. It’s easy to imagine how this immutable integer can be serialized and reappear in the target process (for example, we could just send the raw bytes representing the value.) But Objective-C is an object-oriented language and we can pass much more complicated objects as function parameters. For example: what happens if we try to pass an instance of a custom Objective-C class as a parameter to a method of a DO proxy object?

If DO doesn't know how to serialize a parameter (via NSCoding) then it will create a proxy for the client's object in the server process. Furthermore, if the protocol itself is weakly typed but the code is written expecting a certain type to always be passed, we can begin to circumvent the intended logic of functions. For example, if a method prototype declares a parameter :(id)UsuallyAString and then calls string selectors like stringByAppendingPathComponent, we could proxy those methods such that, in this example, the call wouldn't actually return the concatenation of the two strings but instead something completely different!
Whether or not this is interesting depends upon how DO are used in reality. Are there cases where oddly behaving proxy objects could lead to bugs? Does code actually take precautions to check whether it’s interacting with real native objects or attacker-controlled proxies?
Let’s take a look at some real-world code which uses DO.
Install.framework is an OS X private framework, used when installing packages. Interestingly it contains a setuid-root executable helper named runner:
-rwsr-sr-x  1 root  wheel   115K Apr 28 13:13 /System/Library/PrivateFrameworks/Install.framework/Resources/runner
This means that when we exec this file as a regular user it will actually run with an effective user id of 0.
After performing a handshake with the runner executable we can get a proxy object for an instance of the IFInstallRunner class (check out the actual exploits linked at the end to see the details of this handshake.)
Looking through the list of exposed IFInstallRunner methods one of them jumps out right away as being worth a closer look:
[IFInstallRunner makeReceiptDirAt:asRoot:]
This method does exactly what it says; given an arbitrary path it will create the subdirectories ‘Library/Receipts’ under there; and if you set the asRoot flag it will create these directories as root! We’ll take a closer look at the implementation of that but first it’s important to note that in the main method of the runner executable, right after it started, it executed:
  if (seteuid(getuid()) != 0) { fail(); }
  if (setegid(getgid()) != 0) { fail(); }
This is the standard way for a setuid process to temporarily drop privileges, meaning that when we reach the makeReceiptDirAt method the runner process is actually running with an effective-user-id of the user which exec’d it.
In the makeReceiptDirAt method, if we pass a non-zero value for the asRoot parameter then the code regains root privileges like this:
  if (asRoot) {
    seteuid(0);
    setegid(0);
  }
At the end of the function there's a call to restoreUIDs: which drops privs again.
Being able to create these directories as root is certainly interesting, but it's hard to see a clear path to actually exploiting that to do anything too useful. Let's look more closely at the implementation of makeReceiptDirAt. Here's what I think the source for this function might look like:
@implementation IFInstallRunner
- (BOOL) makeReceiptDirAt:(id)pathArg asRoot:(BOOL)asRoot
{
  NSFileManager* file_manager = [NSFileManager defaultManager];

  if (![file_manager fileExistsAtPath: [pathArg stringByAppendingPathComponent: @"Library/Receipts"]]) {
    uid_t real_uid = getuid();
    gid_t real_gid = getgid();

    if (asRoot) {
      seteuid(0);
      setegid(0);
    }

    id pathArgSlashLibrary = [pathArg stringByAppendingPathComponent: @"Library"];
    if (![file_manager fileExistsAtPath: pathArgSlashLibrary]) {
      // create the "Library" directory and chown it to the right user:
      if (asRoot) {
        if (mkdir([pathArgSlashLibrary fileSystemRepresentation], 0x3fd) != 0) {
          goto fail;
        }
        if (chown([pathArgSlashLibrary fileSystemRepresentation], 0, 0x50) != 0) {
          unlink([pathArgSlashLibrary fileSystemRepresentation]);
          goto fail;
        }
      } else {
        if (mkdir([pathArgSlashLibrary fileSystemRepresentation], 0x1ed) != 0) {
          goto fail;
        }
        if (chown([pathArgSlashLibrary fileSystemRepresentation], real_uid, real_gid) != 0) {
          unlink([pathArgSlashLibrary fileSystemRepresentation]);
          goto fail;
        }
      }
    }

    id pathArgSlashLibrarySlashReceipts = [pathArgSlashLibrary stringByAppendingPathComponent: @"Receipts"];
    if (![file_manager fileExistsAtPath: pathArgSlashLibrarySlashReceipts]) {
      // create the "Receipts" directory under that and chown it to the right user:
      if (asRoot) {
        if (mkdir([pathArgSlashLibrarySlashReceipts fileSystemRepresentation], 0x3fd) != 0) {
          goto fail;
        }
        if (chown([pathArgSlashLibrarySlashReceipts fileSystemRepresentation], 0, 0x50) != 0) {
          unlink([pathArgSlashLibrarySlashReceipts fileSystemRepresentation]);
          goto fail;
        }
      } else {
        if (mkdir([pathArgSlashLibrarySlashReceipts fileSystemRepresentation], 0x1c0) != 0) {
          goto fail;
        }
        if (chown([pathArgSlashLibrarySlashReceipts fileSystemRepresentation], real_uid, real_gid) != 0) {
          unlink([pathArgSlashLibrarySlashReceipts fileSystemRepresentation]);
          goto fail;
        }
      }
    }
  }
  [self restoreUIDs];
  return 1;

fail:
  [self restoreUIDs];
  return 0;
}
@end
Although this code is clearly written expecting pathArg to be an NSString (stringByAppendingPathComponent is an NSString method) there’s actually nothing enforcing that pathArg is a real NSString object and not a proxy. This means that we could in fact pass an instance of our own FakeString object to this method:
@interface FakeString : NSObject
- (id) stringByAppendingPathComponent: (NSString*) aString;
@end

@implementation FakeString
- (id) stringByAppendingPathComponent: (NSString*) aString
{
  NSLog(@"got a callback!");
  return @"anything we want!";
}
@end
If you pass an instance of that object to the IFInstallRunner proxy's createReceiptDir method you'll see the suid executable call back into your process when it calls stringByAppendingPathComponent on the pathArg argument, allowing us to completely control the semantics of this fake string. And we don't need to stop there! Rather than returning a string literal (@"anything we want!" in this example) we could instead keep on returning controlled custom objects from the callbacks, allowing us to completely circumvent almost all the intended logic of the function. If you trace through the transitive closure of all the objects we can gain control of as a result of controlling pathArg you'll find that we can reach calls to mkdir, unlink and chown with controlled arguments. This was CVE-2015-5784; check out the exploit attached to the bug report to see the full implementation. This bug was patched by verifying that the pathArg object isn't a proxy by calling [pathArg isProxy] at the beginning of the function (and no, unfortunately you can't just proxy the call to isProxy!)
This is certainly much more interesting than just being able to make subdirectories called “Library/Receipts” as root. But can we do more?
Implicit state machines
We can model the privilege level (the effective-user-id or EUID) of the runner process as a very simple state machine:

We’re only interested in whether the EUID is 0 (we’re root) or non-zero (we’re not root.) In the runner code this state machine is enforced by dropping and re-gaining privileges as we saw earlier. Fundamentally, each IFInstallRunner method assumes that at its entrypoint EUID != 0. It will then regain privileges if required, execute the body of the method and drop privileges before returning.
There is a fundamental problem here: EUID’s are process-wide whereas Distributed Objects are inherently parallel, meaning that we can concurrently be interacting with multiple proxy objects in a process. This means that the “at the entrypoint EUID != 0” invariant which each IFInstallRunner method relies on must be explicitly enforced by locks, as it will no longer implicitly hold when there are multiple proxy connections. However, looking at the code there are no locks enforcing this.
Again, whether or not that’s interesting depends upon two things:
  • Are there DO methods which might do useful things if the EUID != 0 invariant doesn’t hold?
  • Is it possible to win the race condition? (Are DO proxies each separate threads or just runloop sources? Can we actually exercise enough control to get a race condition and win it?)

Looking through the list of IFInstallRunner methods yields an easy answer to the first question: the runTaskSecurely method allows us to specify a path to an executable and then get the runner to exec it. Note that unlike makeReceiptDirAt this method doesn't have an "asRoot" parameter. Under normal circumstances it will be executed with the EUID of the regular user.
For the second question, looking at the list of threads in the runner process with lldb’s thread list command it seems like individual vended distributed objects don’t get their own threads of control, but with some experimentation it turns out that if we can get a proxy callback from the runner into our code the runner will wait until we reply before continuing. And whilst it’s waiting we can indeed successfully call methods on any other proxy objects we have and they will execute in the target!
Putting it all together
The final exploit looks something like this:

This bug was CVE-2015-5754; you can check out a working exploit (for OS X <= 10.10.3) in the original bug report. Along with the [pathArg isProxy] patch the fix for this issue involved adding NSLocks to make the implicit state machine explicit and enforceable.
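As an added example, not Apple's patched code and not part of Ian Beer's post, here is how a vended method can enforce the two properties the bugs above depend on: that pathArg is a real, local NSString rather than a DO proxy (CVE-2015-5784), and that the EUID state machine is explicit and held by a lock for the whole root window (CVE-2015-5754). HardenedRunner, validatedPath and _privLock are hypothetical names; the example assumes ARC, requires an absolute path, and replaces the original's mkdir/chown sequence with a single NSFileManager call for brevity.

```objective-c
#import <Foundation/Foundation.h>
#import <sys/types.h>
#import <unistd.h>
#import <stdlib.h>

// Hypothetical hardened replacement for the vulnerable IFInstallRunner method
// (added example, not Apple's code).
@interface HardenedRunner : NSObject
- (BOOL)makeReceiptDirAt:(id)pathArg asRoot:(BOOL)asRoot;
@end

// Returns a private NSString copy of `arg`, or nil if it must not be used.
// -isProxy is answered by NSProxy itself rather than forwarded, so every
// NSDistantObject says YES regardless of what the client's class does.
static NSString *validatedPath(id arg) {
    if (arg == nil || [arg isProxy]) {
        return nil;                 // a proxy: send it no further messages
    }
    if (![arg isKindOfClass:[NSString class]]) {
        return nil;                 // local object, but not a string
    }
    NSString *path = [NSString stringWithString:arg];   // detach from caller
    if (![path isAbsolutePath]) {
        return nil;                 // assumption of this example: absolute only
    }
    return path;
}

@implementation HardenedRunner {
    NSLock *_privLock;   // the explicit form of the EUID state machine
}

- (instancetype)init {
    if ((self = [super init])) {
        _privLock = [[NSLock alloc] init];
    }
    return self;
}

- (BOOL)makeReceiptDirAt:(id)pathArg asRoot:(BOOL)asRoot {
    // 1. Validate before doing anything privileged and before sending any
    //    other message to the argument; from here on `path` is fully ours.
    NSString *path = validatedPath(pathArg);
    if (path == nil) {
        return NO;
    }
    NSString *receipts = [[path stringByAppendingPathComponent:@"Library"]
                              stringByAppendingPathComponent:@"Receipts"];

    // 2. Hold the lock for the whole root window. Nothing below messages a
    //    client object, so no DO callback can re-enter while EUID == 0, and
    //    a second connection's method call must wait until we are unprivileged.
    [_privLock lock];
    BOOL ok = YES;
    if (asRoot) {
        ok = (seteuid(0) == 0) && (setegid(0) == 0);
    }
    if (ok) {
        // 0700: the directory belongs to whatever EUID is in effect right now.
        NSDictionary *attrs = @{ NSFilePosixPermissions : @(0700) };
        ok = [[NSFileManager defaultManager] createDirectoryAtPath:receipts
                                       withIntermediateDirectories:YES
                                                        attributes:attrs
                                                             error:NULL];
    }
    // 3. Return to the non-root state on every path before releasing the
    //    lock. Drop the gid first: once the euid is non-zero, setegid() fails.
    if (setegid(getgid()) != 0 || seteuid(getuid()) != 0) {
        abort();   // refusing to continue beats running the rest as root
    }
    [_privLock unlock];
    return ok;
}
@end
```

The order of the checks matters: isProxy has to be the first message sent to the argument, because isKindOfClass: is among the messages NSProxy forwards to the remote object, which can answer whatever it likes. The lock only restores the "EUID != 0 at entry" invariant because the privileged region contains no calls into caller-controlled objects; if a method must call back into the client, it should do so before taking the lock and before regaining privileges.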
Category: Hacking & Security

JavaScript DDoS Attack Peaks at 275,000 Requests-Per-Second

Threatpost - 28 September, 2015 - 18:24
CloudFlare reports a massive JavaScript-based DDoS attack against one of its customers, likely carried out by unsuspecting mobile browsers served a malicious ad.
Category: Hacking & Security

Firefox 42 beta launches with Tracking Protection in Private Browsing

Sophos Naked Security - 28 September, 2015 - 18:08
Hot on the heels of Firefox 41, Mozilla has released version 42 of its browser in beta, offering a slew of new features including Tracking Protection in Private Browsing.

Virus Bulletin Conference - what's changed in 25 years?

Sophos Naked Security - 28 September, 2015 - 17:10
The discipline of computer security is barely a few decades old, yet the threats we face have already changed beyond belief. Virus Bulletin's Martijn Grooten takes a look back, and forward.

Challenges Faced By CISOs: Balancing Security versus Manpower

InfoSec Institute Resources - 28 September, 2015 - 14:00

Cybersecurity is not about buying the latest security monitoring and automation tools to solve the day-to-day problems. Government and banking organizations have increased funding for managing security vulnerabilities and risks. Security tools that are available in the market may identify and solve only part of the problem. The problem can be solved only if we […]

The post Challenges Faced By CISOs: Balancing Security versus Manpower appeared first on InfoSec Resources.

Category: Hacking & Security

Andromeda Bot Analysis part 2

InfoSec Institute Resources - 28 September, 2015 - 14:00

Bot Analysis: Now, you get the original Andromeda build file. Load the unpacked sample at OllyDBG. As before, after the stack frame at the EP, you see that the malware is looking to load API’s address using the PEB_LDR_DATA structure, but this time instead of kernel32.dll; the malware try to find ntdll.dll base address, then, […]

The post Andromeda Bot Analysis part 2 appeared first on InfoSec Resources.

Category: Hacking & Security

Quantum Teleportation — Scientists Teleported Quantum Data over 60 Miles

The Hacker News - 28 September, 2015 - 13:26
We are just one step closer to creating a Harry Potter or 'Star Trek'-style Transporter. However, when we talk about teleportation, we don't typically mean teleporting any matter from one place to another as in the science-fiction movies. Rather, teleportation involves capturing the essential information about something, its "quantum state", to recreate it exactly someplace else.
Category: Hacking & Security

What your 99 cents gets you for buying an iOS adblocking app: adverts

Sophos Naked Security - 28 September, 2015 - 13:21
Crystal, the top adblocking utility on iOS, agreed to a deal to let whitelisted ads through - but at least it offers an opt-out.

New DDoS attack uses smartphone browsers to flood site with 4.5bn requests

LinuxSecurity.com - 28 September, 2015 - 13:12
LinuxSecurity.com: Researchers suspect a mobile advertising network has been used to point hundreds of thousands of smartphone browsers at a website with the aim of knocking it offline. According to distributed denial-of-service protection service CloudFlare, one customer's site recently came under fire from 4.5 billion page requests during a few hours, mostly from smartphone browsers on Chinese IP addresses.
Category: Hacking & Security

Facebook unfriending was the last straw in workplace bullying case

Sophos Naked Security - 28 September, 2015 - 12:45
Unfriending someone on Facebook can be "indicative of unreasonable behaviour", a court found.

Monday review - the hot 23 stories of the week

Sophos Naked Security - 28 September, 2015 - 11:31
Get yourself up to date with everything we've written in the last seven days - it's weekly roundup time.

'The Hacker News' Weekly Roundup — 14 Most Popular Stories

The Hacker News - 28 September, 2015 - 10:53
To make the last week's top cyber security threats and challenges available to you in one shot, we are once again here with our weekly round up. Last week, we came across lots of cyber security threats like the XCodeGhost malware in Apple's App Store and lockscreen bypass bug in iOS 9 and iOS 9.0.1 that made us sad, but… …we were also thrilled by latest developments such as
Category: Hacking & Security

Salted Hash: Live from DerbyCon 5.0 (Day 0)

LinuxSecurity.com - 28 September, 2015 - 10:48
LinuxSecurity.com: Salted Hash is in Louisville, Kentucky for DerbyCon 5.0. All weekend long, in-between talks and training, this blog will be updated with various items of note from the show or thoughts from those attending. Today's starter topic is insider threats.
Category: Hacking & Security

Gaza cybergang, where’s your IR team?

Kaspersky Securelist - 28 September, 2015 - 10:00

Summary information:

Gaza cybergang is a politically motivated Arabic cybercriminal group operating in the MENA (Middle East North Africa) region, targeting mainly Egypt, United Arab Emirates and Yemen. The group has been operating since 2012 and became particularly active in Q2 2015.

One interesting new fact about Gaza cybergang activities is that they are actively sending malware files to IT (Information Technology) and IR (Incident Response) staff; this is also obvious from the file names they are sending to victims, which reflect the IT functions or IR tools used in cyber attack investigations.

IT people are known for having more access and permissions inside their organizations than other employees, mainly because they need to manage and operate the infrastructure. This is why getting access to their devices could be worth a lot more than for a normal user.

IR people are also known for having access to sensitive data related to ongoing cyber investigations in their organizations, in addition to special access and permissions enabling them to hunt for malicious or suspicious activities on the network…

The main infection modules used by this group are pretty common RATs: XtremeRAT and PoisonIvy.

Some more interesting facts about Gaza cybergang:

  • Attackers take an interest in government entities, especially embassies, where security measures and IT operations might not be well established and reliable
  • Use of special file names, content and domain names (e.g. gov.uae.kim), has helped the group perform better social engineering to infect targets
  • Increasing interest in targeting IT and IR people, which is clear from most of the recent malware file names used

Other operation names:

  • DownExecute
  • MoleRATs

Kaspersky Lab products and services successfully detect and block attacks by Gaza team.

Political file names targeting Arabic countries

File name: بوادر خلاف جديد بين الامارات والسعودية.exe

Translation: Indications of disagreement between Saudi Arabia and UAE.exe

Filename: “Wikileaks documents on Sheikh ******* *** *****.exe”

File name: صور فاضحـــــة جدا لبعض العسكريين والقضاة والمستشاريين المصريين.exe

Translation: Scandalous pictures of Egyptian militants, judges and consultants

File name: Majed-Abaas.zip -> الرئيس الفلسطيني محمود عباس يشتم ماجد فرج.exe

Translation: President Mahmoud Abbas cursing Majed Faraj.exe

File name: “مكالمة مسربة بين القائد العام للقوات المسلحة المصرية صدقي صبحي.exe”

Translation: Leaked conversation with the Egyptian leader of military forces Sodqi Sobhi.exe

File name: tasreb.rar

IT and IR malware file names:

  • VCSExpress.exe
  • Hex.exe
  • Microsoft Log.exe
  • IMP.exe
  • Win.exe
  • Corss.exe
  • WinRAR.exe
  • AVR.exe
  • ccleaner.exe
  • codeblocks.exe
  • HelpPane.exe
  • Hex_Workshop_Hex_Editor-o.exe
  • Help.exe
  • Decoded.exe
  • vmplayer.exe
  • Decrypted.exe
  • procexp.exe
  • crashreporter.exe
  • RE.exe
  • WindowsUpdate.exe
  • PE.exe
  • AVP.exe
  • PE-Explorr.exe
  • Kaspersky.exe
  • hworks32.exe
  • Kaspersky Password Manager.exe

Other malware file names

File name: وصية وصور الوالد أتمنى الدعاء له بالرحمة والمغفرة.exe

Translation: My father's will and pictures, I ask you to pray for mercy and forgiveness for him.exe

File name: Military Police less military sexual offenses, drug offenses more.exe

IP addresses and domain names used in the attacks

Domains:

  • uae.kim
  • natco1.no-ip.net
  • gov.uae.kim
  • natco3.no-ip.net
  • up.uae.kim
  • natco5.no-ip.net
  • uptime.uae.kim
  • nazer.zapto.org
  • google.com.r3irv2ykn0qnd7vr7sqv7kg2qho3ab5tngl5avxi5iimz1jxw9pa9.uae.kim
  • noredirecto.redirectme.net
  • ajaxo.zapto.org
  • nrehcnthrtfmyi.strangled.net
  • backjadwer.bounceme.net
  • ns2.negociosdesucesso.info
  • backop.mooo.com
  • offeline.webhop.net
  • bandao.publicvm.com
  • orango.redirectme.net
  • bypasstesting.servehalflife.com
  • redirectlnk.redirectme.net
  • cbbnews.tk
  • removalmalware.servecounterstrike.com
  • cccam.serveblog.net
  • mailchat.zapto.org
  • chromeupdt.tk
  • mp4.servemp3.com
  • cnaci8gyolttkgmguzog.ignorelist.com
  • rgoyfuadvkebxhjm.ddns.net
  • cyber18.no-ip.net
  • rotter2.publicvm.com
  • deapka.sytes.net
  • rotter2.sytes.net
  • depka.sytes.net
  • safar.selfip.com
  • dnsfor.dnsfor.me
  • safara.sytes.net
  • download.likescandy.com
  • safari.linkpc.net
  • downloadlog.linkpc.net
  • spreng.vizvaz.com
  • downloadmyhost.zapto.org
  • store-legal.biz
  • downloadskype.cf
  • su.noip.us
  • duntat.zapto.org
  • tango.zapto.org
  • fastbingcom.sytes.net
  • test.cable-modem.org
  • fatihah.zapto.org
  • test.ns01.info
  • gaonsmom.redirectme.net
  • testcom.strangled.net
  • goodday.zapto.org
  • thenewupdate.chickenkiller.com
  • googlecombq6xx.ddns.net
  • thenewupdatee.redirectme.net
  • gq4bp1baxfiblzqk.mrbasic.com
  • tvnew.otzo.com
  • haartezenglish.redirectme.net
  • update.ciscofreak.com
  • haartezenglish.strangled.net
  • updatee.hopto.org
  • help2014.linkpc.net
  • updatee.serveblog.net
  • httpo.sytes.net
  • updato.ns01.info
  • internetdownloadr.publicvm.com
  • use.mooo.com
  • justded.justdied.com
  • wallanews.publicvm.com
  • kaliob.selfip.org
  • wallanews.sytes.net
  • kaswer12.strangled.net
  • Wcf6f0nqvjtUP4uN.mooo.com
  • kolabdown.sytes.net
  • webfile.myq-see.com
  • ksm5sksm5sksm5s.zzux.com
  • lastmoon.mooo.com
  • ynet.ignorelist.com
  • lilian.redirectme.net
  • ynet.sytes.net
  • live.isasecret.com

IP addresses

Malware hashes:

  • 302565aec2cd47bb6b62fa398144e0ad
  • f94385be79ed56ef77c961aa6d9eafbf
  • f6e8e1b239b66632fd77ac5edef7598d
  • a347d25ed2ee07cbfe4baaabc6ff768b
  • 8921bf7c4ff825cb89099ddaa22c8cfd
  • 674dec356cd9d8f24ef0f2ec73aaec88
  • 3bb319214d83dfb8dc1f3c944fb06e3b
  • e20b5b300424fb1ea3c07a31f1279bde
  • 826ab586b412d174b6abb78faa1f3737
  • 42fca7968f6de3904225445312e4e985
  • 5e255a512dd38ffc86a2a4f95c62c13f
  • 3dcb43a83a53a965b40de316c1593bca
  • 058368ede8f3b487768e1beb0070a4b8
  • e540076f48d7069bacb6d607f2d389d9
  • 62b1e795a10bcd4412483a176df6bc77
  • 699067ce203ab9893943905e5b76f106
  • 39758da17265a07f2370cd04057ea749
  • 11a00d29d583b66bedd8dfe728144850
  • f54c8a235c5cce30884f07b4a8351ebf
  • d5b63862b8328fb45c3dabdcdf070d0d
  • 9ea2f8acddcd5ac32cfb45d5708b1e1e
  • bc42a09888de8b311f2e9ab0fc966c8c
  • 948d32f3f12b8c7e47a6102ab968f705
  • c48cba5e50a58dcec3c57c5f7cc3332d
  • 868781bcb4a4dcb1ed493cd353c9e9ab
  • 658f47b30d545498e3895c5aa333ecb1
  • 3c73f34e9119de7789f2c2b9d0ed0440
  • 2b473f1f7c2b2b97f928c1fc497c0650
  • 9dccb01facfbbb69429ef0faf4bc1bda
  • 46cf06848e4d97fb3caa47c17cdd7a9e
  • 4e8cbe3f2cf11d35827194fd016dbd7b
  • 6eb17961e6b06f2472e4518589f66ab9
  • b4c8ff21441e99f8199b3a8d7e0a61b9
  • b0f49c2c29d3966125dd322a504799c6
  • 4d0cbb45b47eb95a9d00aba9b0f7daad
  • ca78b173218ad8be863c7e00fec61f2f
  • 18259503e5dfdf9f5c3fc98cdfac6b78
  • 23108c347282ff101a2104bcf54204a8
  • 0b074367862e1b0ae461900c8f8b81b6
  • 76f9443edc9b71b2f2494cff6d4a26a8
  • 89f2213a9a839af098e664aaa671111b

Phishing hashes


Additional references

