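Background
On June 1, 2017, Check Point published the article "FIREBALL – The Chinese Malware of 250 Million Computers Infected", describing rogue software it named Fireball and claiming that it had infected nearly 250 million machines worldwide. The report attributes the infections to Rafotech, a technology company registered in Beijing, China, which uses Fireball to change the default search engine of the user's Chrome browser, pointing the default search at the company's own search page and redirecting the user's queries to yahoo.com or google.com. This intermediate search page may be used to collect users' personal information; the report also considers that Fireball could be used to download further trojans.
The QiAnXin Threat Intelligence Center tracked the content published by Check Point and gathered and reviewed related information, confirming that the vendors involved do carry out rogue promotion through shareware. The shareware involved includes Deal WiFi, the SOSO DESK desktop software, the HolaInput input method software, the FVP Imageviewer software and the Mustang Browser software. The initial report is "Analysis of the Fireball Rogue Promotion Software".
After the initial report was published, further digging revealed rogue promotion techniques with a much wider impact: popular browser programs are altered and used for rogue promotion, installing unwanted software on the user's system and possibly even executing malicious code. We call this the "Browser Modifier" campaign; the details follow.
Technical details
The Check Point report mentions Mustang Browser, which is built on the Chrome browser and carries a valid digital signature. After installation, Mustang Browser registers itself as a system service so that it starts at boot. The installer does not ask to change the home page of the user's Chrome browser, and neither of its two bundled browser extensions, the Block ads extension and the VPN extension, shows malicious behaviour.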

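Mustang Browser's update code lives in MusUpdate.dll. MusServer.exe calls CreateUpdateManager, an exported function of MusUpdate.dll, which accesses http://mustang.rafoservice.com/update.php to download new versions of the browser. The "-c" argument installs the Chrome browser plug-in functionality, and "-update" runs the program's update function.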



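Our analysis shows that the software update code in Mustang Browser is ordinary upgrade code. Although this code could be used to download malicious code, no direct evidence of that has been found so far.
A query against the QiAnXin Threat Intelligence Center gives the following registrant information for the mustang-browser.com domain: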

The registration e-mail address is baoyu430@gmail.com, and the following domains were registered with this address:
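Searching for samples that access these domains, we found a large number of grey samples making abnormal requests to the firefox1.com domain. Analysis confirmed that those samples are rogue promotion programs, yet nearly all of them carry valid digital signatures. The signatures of some samples are shown in the figure below; the full list of known digital signatures is in the IOC section.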

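Based on the analysis above, we are largely confident that the rogue software spreads by repackaging and re-signing commonly used browsers, replacing the update component with its own or adding components it controls in order to gain its rogue promotion capability. The altered browsers found so far are mainly Firefox, Chrome and QQ Browser.
The main file names of the components that connect to the C&C servers in each altered browser are as follows:
| Browser | File name |
|---|---|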
| QQ Browser | qqbrowserframe.dll |
| Chrome | chrome.dll | 
| Firefox | firefoxum.exe | 
| Firefox | firefoxupdate.exe | 
| Firefox | firefox.exe | 

| Other programs downloaded by the components |
|---|
| cloud.dll | 
| firefoxupdate.exe | 
| xul.dll | 
| d_box.exe | 
| d_box.dll | 
| archerbox.dll | 
| firefox.exe | 
| ssfk.exe | 
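
The following is an example of a repackaged Firefox browser:
| Attribute | Value |
|---|---|
| File name | firefox.exe |
| MD5 | a00cba897a087f7b7d9814d1d79a993e |
| Digital signature | Mengmeng Wang |

The figure below compares the modified firefox (left) with the firefox.exe downloaded from the official site: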

In addition, there are several other modules that perform different functions:
| File name | MD5 | Digital signature | Notes |
|---|---|---|---|
| FirefoxUM.exe | 33f947f63a936498897b65362a9c04e4 | Yongli Zhang | Update module |
| FirefoxCommand.exe | 540449a36140ff21a7d1caaf01d8a46f | Yongli Zhang | Command execution |
| Firefox_crashreporter.exe | e44d9a66fb54e3b241fc0da4c14fd4a5 | Yongli Zhang | Injection |
| FirefoxCloud.exe | e0f8177a795c2132422d61cc9e531df4 | Yongli Zhang | Cloud control module |
| FirefoxInstatller.exe | aaf1f8b888a9ae3c9bc29bcca84fe614 | Yongli Zhang | Installer package (no longer valid) |
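
Because the repackaged browsers carry valid signatures, checking only that a file is signed does not catch them; the signer has to match the browser's real publisher. The following is an added example, not code from the original report, that audits a constructed file inventory. The inventory format and the expected publisher names are assumptions; the two reported signer names come from the tables above.

```python
import ntpath

# Assumed legitimate publishers for each browser binary (not from the report).
EXPECTED_PUBLISHER = {
    "firefox.exe": {"mozilla corporation"},
    "chrome.exe": {"google inc", "google llc"},
    "chrome.dll": {"google inc", "google llc"},
}
# Signer names the report lists for the repackaged Firefox and its modules.
REPORTED_SIGNERS = {"mengmeng wang", "yongli zhang"}

# Constructed inventory rows: (path, signature status, signer subject).
SAMPLE_INVENTORY = [
    (r"C:\Program Files\Mozilla Firefox\firefox.exe", "Valid", "Mozilla Corporation"),
    (r"C:\Program Files\Firefox\firefox.exe", "Valid", "Mengmeng Wang"),
    (r"C:\Program Files\Firefox\bin\FirefoxUM.exe", "Valid", "Yongli Zhang"),
    (r"C:\Program Files\abc\Application\chrome.dll", "Valid", "Example Publisher Ltd"),
    (r"D:\tools\firefox.exe", "NotSigned", ""),
]


def norm(subject):
    """Lower-case a signer subject and drop punctuation and extra spaces."""
    cleaned = subject.lower().replace(".", "").replace(",", "")
    return " ".join(cleaned.split())


def audit(inventory):
    """Return (path, reason) for every file whose signer does not fit."""
    findings = []
    for path, status, signer in inventory:
        name = ntpath.basename(path).lower()
        who = norm(signer)
        if who in REPORTED_SIGNERS:
            # A valid signature from a reported signer is still a hit.
            findings.append((path, "signer named in the report"))
        elif name in EXPECTED_PUBLISHER:
            if status != "Valid":
                findings.append((path, "browser binary without a valid signature"))
            elif who not in EXPECTED_PUBLISHER[name]:
                findings.append((path, "browser binary signed by unexpected publisher"))
    return findings


if __name__ == "__main__":
    for path, reason in audit(SAMPLE_INVENTORY):
        print(f"{reason}: {path}")
```
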
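Notably, the code of these samples resembles the Mustang Browser code discussed above in many places, for example the code in the FirefoxUM.exe sample that parses the HTTP response data and the code that sets debug information. In the figure below, the FirefoxUM.exe code is on the left and the code from Mustang Browser's MusUpdate.dll is on the right: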


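Once installed, the altered browser downloads other components in the background, and those components then silently download the promoted software. The code of the component that downloads the promoted software is shown below. When it requests the download address of the promoted software, the User-Agent value in the HTTP header is set to "SAM_Updater":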


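After the download completes, if the file's extension is ".msi", the promoted program is installed by invoking it through ShellExecuteExW.

If the downloaded file's extension is ".exe", the promoted program is installed by invoking it through CreateProcessW.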
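
The sequence described above (a request carrying the "SAM_Updater" User-Agent, followed by the download of an .msi or .exe file) can be hunted for in web proxy logs. The following is an added detection example, not code from the original report; the log format, the sample lines and the 10-minute correlation window are assumptions.

```python
import csv
import io
from datetime import datetime, timedelta
from urllib.parse import urlsplit

UA_MARKER = "SAM_Updater"           # User-Agent value given in the report
INSTALLER_EXT = (".msi", ".exe")    # extensions the component installs
WINDOW = timedelta(minutes=10)      # assumed correlation window

# Constructed sample proxy log: time, client IP, URL, User-Agent.
SAMPLE_LOG = """\
2017-06-05T10:00:01,10.0.0.21,http://updates.example.test/query?id=1,SAM_Updater
2017-06-05T10:00:09,10.0.0.21,http://cdn.example.test/pkg/setup_tool.MSI,Mozilla/5.0
2017-06-05T10:03:00,10.0.0.34,http://cdn.example.test/pkg/viewer.exe,Mozilla/5.0
2017-06-05T10:20:00,10.0.0.21,http://cdn.example.test/pkg/late.exe,Mozilla/5.0
"""


def find_promoted_installs(log_text):
    """Flag SAM_Updater requests and installer downloads that follow them.

    An installer download is reported only when the same client sent a
    SAM_Updater request no more than WINDOW earlier, whatever User-Agent
    the download itself carried.
    """
    last_beacon = {}   # client -> time of its latest SAM_Updater request
    findings = []
    for ts, client, url, agent in csv.reader(io.StringIO(log_text)):
        when = datetime.fromisoformat(ts)
        if agent.strip() == UA_MARKER:
            last_beacon[client] = when
            findings.append({"client": client, "kind": "beacon", "url": url})
            continue
        # Compare the URL path only, so query strings do not hide the extension.
        path = urlsplit(url).path.lower()
        seen = last_beacon.get(client)
        if seen and path.endswith(INSTALLER_EXT) and when - seen <= WINDOW:
            findings.append({"client": client, "kind": "installer", "url": url})
    return findings


if __name__ == "__main__":
    for hit in find_promoted_installs(SAMPLE_LOG):
        print(hit["client"], hit["kind"], hit["url"])
```
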

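Another example is the sample jixmrfr_server.exe (d87df33939c2e7964a8d0b15d16b99e5), which performs different functions depending on its command-line arguments. The part that sets the default browser is shown below: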

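Besides the known C&C domain firefox1.com, the QiAnXin Threat Intelligence Center identified several other C&C servers through multi-dimensional correlation analysis; for the full list, see the C&C server domain list in the IOC section.
Assessment of impact in China
Based on DNS resolution data from 360 Netlab, the first-seen times of the main C&C servers we observed are listed below. Activity related to this campaign can be traced back as early as February 2016:
| C&C domain | First seen |
|---|---|
| cloud.chromlum.info | 2016/4/18 |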
| cloud.firefox1.com | 2016/6/28 | 
| cs.chromlum.info | 2016/9/12 | 
| img.chromlum.info | 2016/4/21 | 
| xa.firefox1.com | 2016/6/28 | 
| xa.qihuweb.com | 2016/2/27 | 
| clouda.firefox1.com | 2016/6/30 | 
| test.thewebanswers.com | 2016/3/23 | 

The access volume curve for the past year is shown below:

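Judging from the traffic curve, this rogue promotion reached three peaks: in May 2016, October 2016 and April 2017. Based on sampled statistical analysis of the data, the QiAnXin Threat Intelligence Center's preliminary estimate is that the total number of infected users in China is on the order of 100,000.
Summary
This report tracked and analysed the activity of the Fireball malicious code described in Check Point's public report. The results so far show a grey-market operation with very wide reach that profits from rogue promotion. The group behind it has registered multiple companies, makes heavy use of legitimate digital signatures, and operates on the boundary between legal and illegal. Judging by the tangled web of malicious code tied to this rogue activity, what we have found may be only one part of a huge promotion alliance, and further digging will certainly turn up more.
The direct impact of the malicious code on users is possible leakage of sensitive information and the installation of useless junk software on their machines. Although it is technically possible to take control of systems that have the rogue software installed and carry out more malicious tasks, no solid evidence of this has been found yet.
IOC
| Digital signatures of the malicious code related to this campaign |
|---|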
| Beijing Baijianqi Touzi Guanli Youxiangongsi | 
| Beijing Caiyunshidai Technology Co. | 
| Beijing Xingyunwang Technology Co. | 
| Beijing Xingyunwang Technology Co., Ltd | 
| Chao Wei | 
| Dening Hu | 
| EVANGEL TECHNOLOGY (HK) LIMITED | 
| Fuyuan Zhou | 
| Hongkong zoekyu Technology Limited | 
| Jiang Liu | 
| Jinnan Wu | 
| Luhong Han | 
| Mengmeng Wang | 
| Nayun Online Network Technology (Shenzhen) Co. | 
| RAFO TECHNOLOGY INC | 
| RAFO TECHNOLOGY INC. | 
| Shan Feng | 
| Shanghai Yuntong Technology Co. | 
| Shanghai Yuntong Technology Co., Ltd. | 
| Shulan Hou | 
| Sice Xing | 
| Sivi Technology Limited | 
| Tianjing Cheng | 
| Wei Liu | 
| Wenchao Zhang | 
| Yanling Sun | 
| Yongli Li | 
| Yongli Zhang | 
| Yuanyuan Zhang | 
| Yupeng Zhang | 
| Zhiming Yuan | 
| Zhixiong Zhao | 
| 上海云瞳科技有限公司 | 

| PDB paths of some of the rogue promotion programs |
|---|
| c:\workspace\3461B02E-043F-4C21-9CBF-35459A4CB3FB\src\obj-i686- | 
| \browser\app\Firefox.pdb | 
| C:\workspace\1AF43C64-354F-44FD-92C8-1907803EACCC\out\Release | 
| C:\firefox\installer\out\Release\mem_load_dll.pdb | 
| D:\ggg\server_lyl\SvrUpdater1(TargetName).pdb | 

| Rogue software file names |
|---|
| %userprofile%\appdata\local\temp[random]\qqbrowserframe.dll | 
| \program files[%random%]\cloud.dll | 
| %userprofile%\appdata\local\chromium\application\chrome.exe | 
| \program files[%random%]\application\chrome.dll | 
| \program files\firefox\bin\firefoxum.exe | 
| \program files\firefox\bin\firefoxupdate.exe | 
| \program files\firefox\firefox.exe | 
| \program | 
| \program | 
| \windows\temp\d_box.dll | 
| update.dll-201705101704.dll.exe | 
| update.dll-201705151544.dll.exe | 
| d_box.exe | 
| archerbox.dll | 
| ~ms13fe.tmp.dat | 
| ~ms14a0.tmp.dat | 
| ~ms1558.tmp.dat | 
| ~ms19cf.tmp.dat | 
| ~ms1a45.tmp.dat | 
| \windows\temp~ms1a4d.tmp.dat | 
| \windows\temp~ms1c99.tmp.dat | 
| \windows\temp~ms1dbc.tmp.dat | 
| c:~ms3661.tmp.dat | 
| e:\firefox\firefox.exe | 
| \windows\fhelper.exe | 
| \program+files\ssfk.exe | 
| \program+files\sfk\ssfk.exe | 
| qqbrowserframe.dll | 
| cloud.dll | 
| chrome.dll | 
| firefoxum.exe | 
| firefoxupdate.exe | 
| xul.dll | 
| fujitsuxmhz2080bhxg2_k60fta22fpg6ta22fpg6x.exe | 
| st1000dm003-1ch162_s1dhdcxhxxxxs1dhdcxh.dat | 
| d_box.dll | 
| update.dll-201705101704.dll.exe | 
| update.dll-201705151544.dll.exe | 
| update.dll-201705051847.dll.exe | 
| update.dll-201705181724.dll.exe | 
| d_box.exe | 
| archerbox.dll | 
| ~ms13fe.tmp.dat | 
| ~ms14a0.tmp.dat | 
| ~ms1558.tmp.dat | 
| ~ms19cf.tmp.dat | 
| ~ms1a45.tmp.dat | 
| firefox.exe | 
| ssfk.exe | 

| HTTP traffic signature of the rogue promotion |
|---|
| User-Agent: SAM_Updater |

| Search home pages used by the rogue promotion |
|---|

| C&C addresses associated with the rogue promotion |
|---|

| File hashes of the rogue promotion programs |
|---|

References
FIREBALL – The Chinese Malware of 250 Million Computers Infected