NORMAN SHARK

The Chinese Malware Complexes: The Maudi Surveillance Operation

Snorre Fagerland, Principal Security Researcher

Introduction

Maudi is a series of small malware programs that share similar configuration and behaviour. The naming of this family is not well established, but some samples are detected by some vendors as Maudi or PoisonIvy. This is partly accurate, as Maudi trojans in almost all cases install the well-known PoisonIvy remote access trojan.

These malwares are not particularly new; they have been in circulation for a long time, probably going back to at least 2009. Still, they provide an interesting backdrop to other attacks.

Behaviour

The malware itself is not very complex. These are small installers that create two files: one library (typically called msacm32.drv, ntshrui.dll or wdmaud.drv) in the Windows folder, and a raw PoisonIvy shellcode blob called user.dat, user.db, temp.db or something along those lines. The installer then spawns explorer.exe, which automatically loads the malicious library through a mechanism called DLL hijacking, also known as DLL preloading (1). There are innocent libraries with the same names in the Windows System folder, but since the malicious libraries are placed in the Windows folder, they come earlier in the search order and Explorer loads them first.

The malicious library then reads and directly calls the PoisonIvy code in user.dat, which establishes an encrypted communication channel with the configured C&C server. Once communication is established, the attacker has unauthorized access to the computer.

Configuration

PoisonIvy code blobs are preconfigured in the PoisonIvy builder program to contain information about which Command & Control server to contact, which port to establish the connection on, and various other parameters.
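The search-order shadowing described under Behaviour above can be checked on a host by comparing module names in the Windows folder with those in the System folder. The following Python check is an added example, not code from the report; the function names and the directory tree built by `build_demo_tree` are constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Library names the report lists for the Maudi loader component.
REPORTED_NAMES = {"msacm32.drv", "ntshrui.dll", "wdmaud.drv"}
# Module extensions considered here (assumption: sufficient for this triage).
MODULE_EXTS = {".dll", ".drv"}


def sha256_of(path):
    """Hash a file in chunks so large modules do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def module_index(directory):
    """Map lower-cased module file name -> path for one directory, without recursion."""
    index = {}
    for entry in os.scandir(directory):
        if entry.is_file() and Path(entry.name).suffix.lower() in MODULE_EXTS:
            index[entry.name.lower()] = entry.path
    return index


def find_shadowed_modules(app_dir, system_dir):
    """Report modules in app_dir that share a file name with a module in system_dir.

    explorer.exe lives in the Windows folder, so a same-named module there is found
    before the System folder copy. Modules registered as KnownDLLs are always loaded
    from the System folder, so a hit is a lead to review, not proof of hijacking.
    """
    app = module_index(app_dir)
    system = module_index(system_dir)
    findings = []
    for name in sorted(app.keys() & system.keys()):
        findings.append({
            "name": name,
            "path": app[name],
            # A byte-identical copy is less interesting than a different file.
            "identical_to_system_copy": sha256_of(app[name]) == sha256_of(system[name]),
            "name_in_report": name in REPORTED_NAMES,
        })
    return findings


def build_demo_tree(root):
    """Create a constructed stand-in for the Windows folder and its System32 subfolder."""
    win = Path(root) / "Windows"
    sys32 = win / "System32"
    sys32.mkdir(parents=True)
    (win / "explorer.exe").write_bytes(b"constructed placeholder")
    (win / "NTSHRUI.DLL").write_bytes(b"constructed planted copy")  # differs from System32
    (win / "unrelated.dll").write_bytes(b"constructed, no System32 twin")
    (win / "samecopy.dll").write_bytes(b"constructed identical bytes")
    (sys32 / "ntshrui.dll").write_bytes(b"constructed system copy")
    (sys32 / "msacm32.drv").write_bytes(b"constructed system copy")
    (sys32 / "samecopy.dll").write_bytes(b"constructed identical bytes")
    return str(win), str(sys32)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in find_shadowed_modules(*build_demo_tree(tmp)):
            print(finding)
```

On a real host the two arguments would be the Windows folder and its System32 subfolder; findings that are not byte-identical to the System copy deserve a signature and origin check.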
[Figure: The PoisonIvy builder]

The Maudi PoisonIvy droppers contain their own small XOR-encoded configuration block, which overrides the default settings stored in the PoisonIvy blob. This block usually contains the name of the C&C server, the port, and what corresponds to the PoisonIvy profile ID.

Example Maudi configuration:

C&C: 171088046.gnway.org
Profile ID: xfish
Port: 0x0D84 = 3460

The ID xfish is used in many of these malwares and may be a default value, but there are many others in use.

PoisonIvy uses the Camellia 256-bit block cipher for its encrypted communication. The password for this communication is usually hardcoded in the malware itself; the default value used by the builder is “admin”.

The passwords used by Maudi droppers vary. Sometimes the default value is used; other times the password is set to longer strings. There seems to be an affinity for passwords of length 11 (0x0b). A few are shown below.

20110105110
12345678901
beijing2011
41232619820
20110228001
20110000000
11111111111

Some Maudi-PoisonIvy server passwords

Certificates

The interesting bit with these trojans is that practically all of them are digitally signed using self-made test certificates. These certificates vary somewhat, but most contain the recognizable string “WWW.CeleWare.NET” or “WWW.AeleWare.NET” in their Organizational Unit (OU) section. The CeleWare strings are default values left by the free code signing tool CeleSign.exe from Yonsm.NET. Though the tool itself seems innocent enough, many files signed by it are malicious.
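The OU strings above can serve as a triage marker if the search is limited to a file's Authenticode data, so that the strings occurring elsewhere in a file (for instance inside the signing tool itself) do not count. The following Python scan is an added example, not code from the report; it does not parse the certificate's ASN.1 structure, and `build_constructed_pe` produces a constructed header-only test input, not a real sample.

```python
import struct

# OU marker strings the report gives for the self-made test certificates.
MARKERS = ("WWW.CeleWare.NET", "WWW.AeleWare.NET")
SECURITY_DIR_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY in the PE data directory


def authenticode_blob(pe):
    """Return the raw attribute certificate table of a PE image, or b"" if absent or malformed."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        return b""
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return b""
    opt = e_lfanew + 4 + 20  # optional header follows the 20-byte COFF header
    if opt + 2 > len(pe):
        return b""
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic == 0x10B:      # PE32
        dirs = opt + 96
    elif magic == 0x20B:    # PE32+
        dirs = opt + 112
    else:
        return b""
    if dirs + 8 * (SECURITY_DIR_INDEX + 1) > len(pe):
        return b""
    (count,) = struct.unpack_from("<I", pe, dirs - 4)  # NumberOfRvaAndSizes
    if count <= SECURITY_DIR_INDEX:
        return b""
    # For the security directory the first field is a file offset, not an RVA.
    offset, size = struct.unpack_from("<II", pe, dirs + 8 * SECURITY_DIR_INDEX)
    if offset == 0 or size == 0 or offset + size > len(pe):
        return b""
    return pe[offset:offset + size]


def marker_encodings(marker):
    """Byte forms an X.509 name string can take: ASCII (Printable/UTF8String) and UTF-16BE (BMPString)."""
    return {"ascii": marker.encode("ascii"), "utf-16be": marker.encode("utf-16-be")}


def find_signer_markers(pe):
    """Return (marker, encoding) pairs found inside the certificate table, compared case-insensitively."""
    blob = authenticode_blob(pe).lower()
    hits = []
    for marker in MARKERS:
        for encoding, needle in marker_encodings(marker).items():
            if needle.lower() in blob:
                hits.append((marker, encoding))
    return hits


def build_constructed_pe(cert_payload):
    """Constructed PE32 headers plus one WIN_CERTIFICATE entry; test input only, not executable."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 92, 16)
    cert = struct.pack("<IHH", 8 + len(cert_payload), 0x0200, 0x0002) + cert_payload
    offset = 64 + 4 + 20 + 224
    struct.pack_into("<II", opt, 96 + 8 * SECURITY_DIR_INDEX, offset, len(cert))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + cert


if __name__ == "__main__":
    sample = build_constructed_pe(b"constructed subject, OU=WWW.CeleWare.NET")
    print(find_signer_markers(sample))
```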
There were a number of different such certificates, and it may be that the varying certificates denote different campaigns, projects or other contexts. For example, all samples we have seen signed “DataBase@Hotmail.com” are droppers that install Maudi components signed “MogolSoft@Hotmail.com” or “SoftSign@HotMail.com”.

Stolen certificates

Though by far most of these malwares use test certificates, not all follow this pattern. A few are not signed at all, and in two cases we have seen the use of a stolen certificate. The certificate in question belongs to YNK Japan Inc.

This is the configuration block from one of the YNK-signed Maudi samples. C&C is p.hannmaill.net, port is 3460 (0xD84), and tag is xfish.

These two trojans are configured to connect to p.hannmaill.net and s.hiinet.net, respectively. These domains appear to be registered by the same entity (sofoxman@gmail.com). Both the domains and the certificate have been connected to targeted attack campaigns before.

Infrastructure

By combining certificates and Command & Control infrastructure we can construct a partial image of this malware operation.

Note: A high-resolution version of this graphic is appended to this report.

In this diagram the samples are organized in clusters signed similarly. What quickly becomes obvious is that most of the samples are connected; either they use the same certificate, or their certificate cluster is connected with other clusters through common Command & Control servers. Some clusters (shown at the lower right and left side) seem unconnected beyond the fact that they use the same malware.

The Command & Control servers used are in many cases organized through well-known dynamic DNS providers such as 3322.org, zapto.org and so on, but there are also a few seemingly directly registered second-level domains.
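The clustering described above, where samples are grouped by signing certificate and clusters are joined through shared C&C servers, amounts to finding connected components. The following Python code is an added example, not the tooling used for the report; all sample IDs, signer names and hosts in `SAMPLES` are constructed placeholders, and the rule that loopback or private C&C values do not count as links is an assumption of this example.

```python
import ipaddress
from collections import defaultdict

# Constructed records: (sample id, certificate subject or None, configured C&C).
SAMPLES = [
    ("sample-01", "signer-a@example.test", "c2-one.example.test"),
    ("sample-02", "signer-a@example.test", "c2-two.example.test"),
    ("sample-03", "signer-b@example.test", "c2-two.example.test"),  # bridges signer a and b
    ("sample-04", "signer-b@example.test", "c2-three.example.test"),
    ("sample-05", "signer-c@example.test", "c2-four.example.test"),  # shares only the family
    ("sample-06", None, "127.0.0.1"),                                # unsigned, loopback C&C
    ("sample-07", "signer-d@example.test", "127.0.0.1"),
]


class DisjointSet:
    """Union-find with path halving."""

    def __init__(self):
        self.parent = {}

    def find(self, item):
        self.parent.setdefault(item, item)
        while self.parent[item] != item:
            self.parent[item] = self.parent[self.parent[item]]
            item = self.parent[item]
        return item

    def union(self, left, right):
        root_left, root_right = self.find(left), self.find(right)
        if root_left != root_right:
            self.parent[root_right] = root_left


def is_linkable_c2(host):
    """Loopback, private or unspecified addresses say nothing about shared infrastructure."""
    try:
        address = ipaddress.ip_address(host)
    except ValueError:
        return bool(host)  # not an IP literal: treat as a host name
    return not (address.is_loopback or address.is_private or address.is_unspecified)


def cluster_samples(records, filter_placeholders=True):
    """Group samples that are connected through a shared signer or a shared C&C host."""
    sets = DisjointSet()
    for sample, signer, c2 in records:
        node = ("sample", sample)
        sets.find(node)
        if signer:
            sets.union(node, ("signer", signer.lower()))
        if c2 and (not filter_placeholders or is_linkable_c2(c2)):
            sets.union(node, ("c2", c2.lower()))
    groups = defaultdict(set)
    for sample, _, _ in records:
        groups[sets.find(("sample", sample))].add(sample)
    return sorted((sorted(group) for group in groups.values()), key=lambda g: g[0])


def bridging_c2(records):
    """C&C hosts used under more than one signer: the links between certificate clusters."""
    signers = defaultdict(set)
    for _, signer, c2 in records:
        if signer and c2 and is_linkable_c2(c2):
            signers[c2.lower()].add(signer.lower())
    return {c2: sorted(names) for c2, names in signers.items() if len(names) > 1}


if __name__ == "__main__":
    for cluster in cluster_samples(SAMPLES):
        print(cluster)
    print(bridging_c2(SAMPLES))
```

Without the placeholder filter, the two loopback-configured samples merge into one cluster even though nothing ties them together.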
A full list of these is provided in the appendix.

Targeting

Local Chinese interests and human rights activists

We do not have extensive data on which targets have been exposed to Maudi malware, but we have some examples which give decent hints. Some Maudi droppers display images, like the ones below:

This picture was widely distributed in 2009, and allegedly showed results of violence during an Uighur riot. However, it was later reported to be taken from a car accident.

This picture from Xinhuanet is reportedly from the 2008 riots in Lhasa, Tibet.

These are classic examples of decoys used in targeted campaigns against activists working for the rights of ethnic minorities within the Chinese borders. Other decoy documents contain small messages in Chinese, and Chinese name listings. This gives the general impression that this family is used mostly against domestic Chinese targets and human rights activists.

Other research has confirmed this impression. In his 2010 article “Human Rights and Malware Attacks” (2), security researcher Nart Villeneuve documents the use of Maudi as the downloaded payload of spearphishing attacks. The initial payload in that case was a mail attachment, an exploited PDF file (readme.pdf, md5 72bdca7dd12ed04b21dfa60c5c2ab6c4) which downloaded and decoded an encoded blob (md5 ec16143a14c091100e7af30de03fce1f) from the site www.humanright-watch.org, not to be confused with the legitimate Human Rights Watch website hrw.org. The decoded file was a Maudi dropper, self-signed using the name “soft@hotmail.com”, and the dropped component belonged to the “JinDiQIAO@hotmail.com”-signed cluster.

Mongolia

There are hints at other targets as well. A group of Maudis use domain names and other strings that seem to indicate a focus on a specific region, namely Mongolia.
Mongolia is an interesting country. It is democratic with a multi-party system, and has a market-driven economy. It is squeezed between two very powerful nations: Russia to the north and China to the south. It is also a country rich in geological natural resources.

The initial hints about this targeting are vague. Some of the Maudi samples are signed using a self-signed certificate issued to “mogolsoft@hotmail.com”. Others use the Command & Control domain “mol-goverment.com”. This domain was registered by a known targeted attack actor, hlemonk@163.com, who has registered a string of other malware-connected domains, among others goodmongol.com.

However, when looking more closely, more solid ties to Mongolian targets can be found. The Maudi domain bodologetee.com (registered by the email entity mongolianews@yahoo.com) has been documented in use in other attacks on apparent Mongolian targets. For example, the malware dropper cc1a806d25982acdb35dd196ab8171bc, a WinRAR SFX executable installed through the use of the Word exploit CVE-2012-0158, contained a PlugX component configured to connect to ppt.bodologetee.com. This is documented in the Norman Shark blog post “The Chinese Malware Complexes: PlugX Used against Mongolian Targets” (3).

Connections to other attacks

Indirectly, we see that the Maudi infrastructure shares parameters with several well-known targeted attack campaigns.

o qwer.wekby.com - domain

Three samples connect to qwer.wekby.com, known from the RSA breach in 2011 (4). These samples are (md5, profile ID):

28b5241ca13603636dbf626792231161, qwerw
6a83dc3f53079e17ecc49cbc0dacc8f5, qwerw
cf45dbdb3718b4b728c2dd894032464b, qwerw

The malwares used in the RSA intrusion itself were also PoisonIvy, though they used a different dropper mechanism and were signed using a different digital certificate.
o jeno_1980@hotmail.com - domain registration

Two samples connect to ns2.adultstick.com. This domain was registered by jeno_1980@hotmail.com, an email address also used to register domains used both in the Mirage (5) and Sin Digoo (6) malware campaigns.

7d36ad6aafbf1f9496ccc6ac1a8bb57e, Irqdz
64718689ee3ff695c55ea1ec213434d1, Irqdz

o enbtcd@yahoo.com.co - domain registration

Some Maudi samples connect to windows-liveupdate.com or windowsliveupdatecache.com, domains registered by the entity enbtcd@yahoo.com.co. This address has also registered domains used in Briba (aka c0d0so0) malware, which has been used for many targeted attacks.

bd9a1fbd76c00015a59a3b5c93d4030e, zwdb
c64aab79e5107fc8ffd4699288c2e3be, gzzx
c9f33d544c5657d4ba55a92e06e38d06, Qbxt
49c7cae0fda8e5089e993a169c6c4197, krgqy
914fdaf7aa098ac00067a2b265fc91da, qq

o hlemonk@163.com - domain registration

This address was used to register the Maudi domains mol-government.com and newsyandex.com, used to host C&C for these samples:

c93f8a7a899142db1e92138b76407588
227636fb88e19eca33a02cbb46f279fb
6e88c39c270e259c4472f6eceb8a241f
865fec48937686c2d0708847f30b1264
c07e857d2602d2a813fd23d711871571
a25e5bcc52c386eb046149799ed81b2b
3563c21cf5c46e8e39f17e733c2b9b1e, h511b0
e78d39d1862338e4c711238223618e44, h511b0

This registrant has also registered a great many other dodgy domains. Mol-government.com and these other domains have been used as C&C by Sogu/Thoper trojans in attacks on apparent Korean and Mongolian targets, as well as by other malwares like PcClient.

o yt.bodologetee.com - domain

This domain has been used as Command & Control domain for a number of samples. It has also been documented in use by PlugX malware in campaigns apparently against Mongolian targets (3). The same registration information was used to register yahoomesseges.com, which has been used by EvilGrab (7) malware.
0cf15b88b18cdedfaae598e9498768e3, beijingnew
1e60824de00ce3c1f62fddc54a9c5c93, jiagu
c64dd5393a17226b208b049a4b766bd6, jiagu
646cfe960219f1948eac580e3bd836f8, text1
ef404a76bd11e1d675b7686775ed7f1c, nsc01

o YNK JAPAN Inc - digital certificate

As previously mentioned, two samples were digitally signed using a certificate belonging to YNK JAPAN Inc., a subsidiary of a Korean game producer. This certificate has been used in several hundred samples spanning various campaigns and incidents. One of these was the SK intrusion (8) in 2011, where one of the initial malwares, a Sogu/Thoper trojan, was signed with it.

771a376df6aba0ce31e0c8e43cdf0800, xfish
c3d14ee0bd01ebc9e5844578babe462f, xfish

Conclusion

The Maudi malware family seems to have been mostly used against Chinese/South-East Asian targets. However, it shares some indicators (C&C domains, registration information) with other, more high-profile attacks.

What these connections mean is unclear. It might be just sharing of information between groups; we know that there is quite a bit of sharing going on, particularly of malware and source code. Less is known about how much is shared in terms of infrastructure (e.g. domains).

It is our opinion, however, that the Maudi system hints at something else. There is, for example, a large number of samples that use the same self-signed certificates in addition to overlaps in other indicators. Self-signed certificates have little value in the underground as they can be freely made, so there is little reason for sharing these. Instead, the impression is that these malwares have been signed by the same malware creation system.

Another aspect is the architecture where default PoisonIvy shellcode blobs are overridden with configuration information from the dropper. This may also indicate homegrown build tools, possibly to alleviate language issues with the PoisonIvy builder itself.
It is possible that this indicates a large group of attackers, but it might also be part of a Digital Quartermaster function, as recently postulated by FireEye (9).

References

1. Windows Incident Response. It's those darned DLLs again... [Online] http://windowsir.blogspot.no/2010/08/its-those-darned-dlls-again.html.
2. Villeneuve, Nart. Human Rights and Malware Attacks. [Online] http://www.nartv.org/2010/07/29/human-rights-and-malware-attacks/.
3. Fagerland, Snorre. PlugX used against Mongolian targets. Norman Shark Blog. [Online] http://normanshark.com/blog/plugx-used-mongolian-targets/.
4. Branco, Rodrigo. Into the Darkness: Dissecting Targeted Attacks. [Online] https://community.qualys.com/blogs/securitylabs/2011/11/30/dissecting-targeted-attacks.
5. Cutler, Silas. The Mirage Campaign. [Online] http://www.secureworks.com/cyber-threat-intelligence/threats/the-mirage-campaign/.
6. Stewart, Joe. The Sin Digoo Affair. [Online] http://www.secureworks.com/cyber-threat-intelligence/threats/sindigoo/.
7. Trend Micro, Inc. 2Q Report on Targeted Attack Campaigns. [Online] http://about-threats.trendmicro.com/ent-primers/#2q-report-on-targeted-attack-campaigns.
8. Command Five Pty Ltd. Command and Control in the Fifth Domain. www.commandfive.com. [Online] http://www.commandfive.com/papers/C5_APT_C2InTheFifthDomain.pdf.
9. Moran, Ned and Bennett, James T. Supply Chain Analysis: From Quartermaster to Sunshop. [Online] http://www.fireeye.com/resources/pdfs/fireeye-malware-supply-chain.pdf.
l2009l20091.3322.org boyfriend101.kicks-ass.org dnsxyz.dyndns.biz 220.175.13.250 mysql.sql01.com dongdong603.3322.org bmw.webhop.net s.hiinet.net xk.buypn.com dongdong603.3322.org user2011.8800.org dongdong603.3322.org yunlong123.3322.org yhm20060330.3322.org wang2368131.gnway.net xk.buypn.com dongdong603.3322.org dongdong603.3322.org stop204.3322.org xc.winniqi.com dongdong603.3322.org dongdong603.3322.org dongdong603.3322.org p.hannmaill.net dongdong603.3322.org 727609693.gnway.net leftpaper.dyndns.biz shinubi.chickenkiller.com black204.dyndns-work.com misson.mysq1.net rabit.aumoni.com black204.dyndns-work.com boyfriend101.kicks-ass.org s.hiinet.net cat.aumoni.com s.hiinet.net user2011.8800.org dnsluck.3322.org hostname.dyndns-mail.com indiaarmy.djkcc.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com 12 xfish xfish xfish xfish xfish xfish 1201 x1224 xfish xfish 1201 bl xfish lfish jxt61 xfish yfish xfish xfish yfish ie0da 1014 xfish 3 xfish serve xfish xfish xfish yl 01 xfish serve xfish xfish 03 x1224 xfish xfish xfish xfish xfish xfish 
Lef726 pk 0504 xfish syi21 0623 xfish xfish xcm80 xfish fish https in248 dj 80 7777 7777 7777 7088 12874 7088 110 4000 7777 7777 110 80 7777 8080 80 7777 80 7750 5379 80 8080 80 7777 80 3460 80 7777 80 7777 3460 3460 7188 80 7777 7777 110 4000 7777 7777 7777 3460 7777 7777 80 443 80 80 21 80 5379 3460 80 3460 80 443 80 80 18 | T h e C h i n e s e M a l w a r e C o m p l e x e s : M a u d i N o r m a n S h a r k 9501dcad273c806a06818c8f648f4994 963ca2e9a82a9fd235de4895043144c0 baee14a8acf0ef71ef0cbfdda79f0fd6 cc87e0fe570488a38d76294e969eadc2 cfd49a32870abec83781249872ed6be4 d52af4bd0c9a66411a562f5c681550a6 d8b8420ac6da7dee391c2e3a4ae3afdc d94fbcc1fa7c9245afba7a3568db61d6 e10d08a1fb8760881de3ee875240df1e f3ed1321e8f2fd6f8c523136dbdb6dd9 f563c267eab33a3e49a73f825e2c0846 f5d0803e3e4ad1d288ca4aedf5d26fba 6b2e6cecc45d3cb7c8d005f1698dcea0 cf747c51da4d36a6055f48dc804ad9d6 e4b84120c95335f6524dbb2f6b17bb52 14076b1b50be21f6c2f85acfee2bc24a 4709cbdb3d990369fe35f1aed45be09e 543bdf2a8665c9f5ca1bb0b1000c5856 c6e01836ffd3b229dac4a98b595cb002 0d201e4b7679b99722abca1ed767f13a 0e95b864771484f833df294f4cbf4e06 3ce828f70dacc390164fcd921c5e8b98 48791d1cf2165c5d85680aa18b209190 4cfe7436fecb4a9e5a4621843fc25762 5c107b4ff5f314623929fffd94021cba 688d1ad103f00400b7f3b92329dd48b7 6b0609f80e5c37ded32d36380a0b2256 6bd265f6c8475fa0960c7d044a209ac7 6daed5c526ca48199055dd4ff9b7a224 897f25fc7069584fe8ffeb0fa1354c7f 9f2bfebde725c45ea28293e565042791 c4e655bd456286e33074848d678b75e2 d430ac30417084c462d8fafea82f4988 d569bbf270f079587c3232a9dff7e62a d943bcd358d0fe244565ad20e41213ff df383425f83184b8f4c1b33920d783bf e11591816b9da6e9ae8cf24a8a441f16 e37f67153e1c0de0254cd913ede07189 ea95945fbc95db7789188a04c715b25d ed71401d451bb2b870d1141bf1044055 f57cc074a44ad7d01bf8539aa2a7aa97 031bfe6310e55cf37b431895b4d6e7b1 06c6b86dd9e860a50babce8b30a9105c 0d912cc3eb75a84968f31d2dc3388309 122596ebc648be17f6c135a35aebff6c 2f784ecdea8f367c923ec3e5ca31e4e1 3357bbbf1919605cd1ecbbe8883a90b8 52c7f247f0ee37e50dc218c78fa0af6b 
71f9eb0d957ab9a98cf7386f42802fc5 77de512dca26e078e866b2782809366d 781987ff8f295bc70a35136aae9d44f0 7caaf2a6428f98f6b408ff687e681c34 7d95d5a34e4cf1d11b4066c08d966bab 7dcf1cbd989a3064631aea4cdfa057a7 90259884e04cb5cd9d511bec0b551f57 9beffe50ee0c4006724050b295928471 9ea6e2cb17154cc8e3e5a84bd81c6346 ad9349a84778094273f5efbc9779139a subscription.dyndns-home.com 127.0.0.1 dnsluck.3322.org kfcmakelc.zapto.org mylover.dyndns-free.com www.microsoft.com mysql.sql01.com worldnews.zapto.org manager.serveblog.net blog.cnmgd.org 127.0.0.1 dnsabcd.dyndns.biz qwer.crabdance.com qwer.crabdance.com l2009l20091.3322.org yhm20060330.3322.org fh.buypn.com fh.buypn.com yunlong123.3322.org hostname.dyndns-mail.com shinubi.chickenkiller.com mylover.dyndns-free.com single.dyndns.info blog.cnmgd.org blog.cnmgd.org mysql.sql01.com dnsabc.3322.org dnsluck.3322.org 127.0.0.1 worldnews.zapto.org dnsluck.3322.org hhcc365.zapto.org boyfriend101.kicks-ass.org subscription.dyndns-home.com bbs.avjkv.com subscription.dyndns-home.com dnsluck.3322.org single.dyndns.biz mysql.sql01.com indiaarmy.djkcc.com 127.0.0.1 p.hannmaill.net wang2368131.gnway.net dnsxyz.dyndns.biz mysql.sql01.com friend101.7766.org boyfriend101.kicks-ass.org 127.0.0.1 a5g17mail.3322.org misson.mysq1.net black204.dyndns-work.com a5g17mail.3322.org a5g17mail.3322.org wang2368131.gnway.net wang2368131.gnway.net 171088046.gnway.net 114.202.2.83 limingliang1988.gnway.net soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com 
soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com in1206 DD Https 789 fish update 1014 zfish in926 blog xfish zfish fanhe fanhe xfish 01 fanhe fanhe yl in248 pk xfish j0220 blog 05 45 bfish kfish DD zfish Https 0216 xfish in1206 0509 in216 https jxt1206 12 dj xfish xfish xfish yfish xfish nfish xfish xfish xfish xfish bl IN IOTY xfish xfish wind xfish xfish 80 3460 443 80 80 80 80 443 80 80 3460 80 80 80 7750 3460 80 80 3460 80 443 80 80 80 80 110 80 443 3460 443 443 443 5379 80 8080 80 443 80 80 80 3460 3460 7788 80 80 1723 5379 3460 6200 80 80 4014 6200 9900 7188 8899 7088 8899 19 | T h e C h i n e s e M a l w a r e C o m p l e x e s : M a u d i N o r m a n S h a r k d2c61fde3b73f7ee8203df78171587d1 2b849ee3af6557717282682e803cfef1 2c34afcd76256fd8bdbe1129bd01897a 360e5b617649a3b6c9a646aae1d2920a 6315c282ee83eeef8ea9508291f20a92 889dbaeb54629fd311083bc828b13b6a 9f8a187dbe2c8b06f542c4dc43fd1e80 a90f5d080952426d3f16838d20de9f1d ab23e48eb498a8f601e3c8ed52a7e712 cc77bf82a6546039c14a37b18901e626 e62560b1f03f3bebfd10726a4c0777bc f007fa65ffe2f12524aced70c29abf2a fe7ce50cbfbe8ca7bd601f49de648d84 0083267bc3d259028f6ccb4a2598e8c9 4c8690b04bb8c996e8ac384ed300f6e3 9d67585daed1a011634b3a53bf545f63 04fac410eefd0329d037dcaaf063a54c 0f84951213319e0ab09f94d5eedd932f 2940e44d8df1eeee9bd7f0a046cbd3bd cde25bb92a592a806042629d7e2b8b4c cfd8906425ffa8358e7300bbf468e40f 184b3cb15d5df6f9d8063e4ce197206d 82e64f6dadde344885c60b02f488e3b3 f9b5f626a2587081c5cb008ac9ba2395 20d29980a228aad1058583d5b7dc413b 0136ea74a5194649ae8c760604a59cd9 0146877e42a63a65ebac61648e2605fe 3d409c193b4ee5336acaf0fb2d79e1f8 
4018d44d810efcd3db260e94991ef3ee 640cc84d9f12ab2edd65eee6d6241a48 6a5d2ab03b34009f497d186cc7d0aa8f 7ebfbf3e1b8fe79b45f814174418f2f1 9af111f0f35db2c234b83f2ac5da6289 b74a964fd5c8dea5b7cbe8a686708e00 b8276b916938d6f5ac156817817c728a 9e309be6824bc99429fe037f41587beb cdc6f442f8b576b7c461ea25891f2905 0cf15b88b18cdedfaae598e9498768e3 2b640b94a8abe4767ba17e4036e827f2 49c7cae0fda8e5089e993a169c6c4197 7c27572d9ce8bd94ea044e7980a09a60 840e670aec18db73ae1c0db204eed229 914fdaf7aa098ac00067a2b265fc91da bd9a1fbd76c00015a59a3b5c93d4030e bdc80843e8c2da96880b752308307933 c64aab79e5107fc8ffd4699288c2e3be c9f33d544c5657d4ba55a92e06e38d06 037d6fbb28222321c6b0ace6305c41ef 1a473ae0967d141a6aadc6731663b37d 1e60824de00ce3c1f62fddc54a9c5c93 3817374b73d31d46d74489f36f04b8e6 3a29f097c281b82593220f2ed466f3d6 409580363a869a861c667c37fbf7212c 434b3f6a2176290ba2980bb568bae6db 46de60abab981fb29ed263a94002c8ff 474ae7cb12e77f43e3b07423e8d2e707 48499fdbeab3277c3c2cd71e363535c7 552b5252ff52be814e23b1506eeb50ee a5g17mail.3322.org blog.cnmgd.org misson.mysq1.net 127.0.0.1 171088046.gnway.org rich-yong.gnway.net misson.mysq1.net mylover.dyndns-free.com rich-yong.gnway.net mysql.sql01.com 171088046.gnway.net 371611121.gnway.net 118.194.238.43 infasd.crabdance.com q944642367.gicp.net boyfriend101.kicks-ass.org imacarpe.dyndns.tv hostname.webhop.net whitebird.dyndns.org xc.winniqi.com game.winniqi.com configure.selfip.org a5g17mail.3322.org dnsabc.webhop.net a5g17mail.3322.org wang2368131.gicp.net yahooforusa.vicp.net q944642367.gicp.net news.lufare.com zeropan007.3322.org surpriseing.homeftp.org services.servebbs.org wang2368131.gicp.net 127.0.0.1 117.40.239.20 oa.sanymh.com 220.175.13.250 yt.bodologetee.com okia.3322.org www.windowsliveupdatecache.com qqpass.kittyeah.com qqpass.kittyeah.com www.windowsliveupdatecache.com www.windows-liveupdate.com bbaolong.vicp.net www.windows-liveupdate.com www.windows-liveupdate.com a5g17mail.3322.org a5g17mail.3322.org yt.bodologetee.com a5g17mail.3322.org 
a5g17mail.3322.org a5g17mail.3322.org a5g17mail.3322.org a5g17mail.3322.org a5g17mail.3322.org 127.0.0.1 a5g17mail.3322.org soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com soft@hotmail.com SoftSign@HotMail.com SoftSign@HotMail.com SoftSign@HotMail.com SoftSign@HotMail.com SoftSign@HotMail.com SoftSign@HotMail.com SoftSign@HotMail.com SoftSign@HotMail.com SoftSign@HotMail.com SoftSign@HotMail.com SoftSign@HotMail.com CeleSign@hotmail.com CeleSign@hotmail.com CeleSign@hotmail.com CeleSign@hotmail.com CeleSign@hotmail.com CeleSign@hotmail.com CeleSign@hotmail.com CeleSign@hotmail.com CeleSign@hotmail.com CeleSign@hotmail.com CeleSign@hotmail.com 1215 04 xfish xfish xfish hl xfish kfish hl xfish wind aabbc xfish sssss hl xfish 0419 IN01 xfish c1130 s1115 in819 xfish BINGO xfish 8888 00001 kor xnl80 0630 628 IN 8888 xfish lwwn1 szc 4khxb-do612 beijingnew 2011a krgqy \xB6\xCE\xBA\xBA\xBD\xDC \xC1\xD6\xCA\xC0\xB3\xE7 qq zwdb 0417zhang gzzx Qbxt IN xfish jiagu 0427 IN bsbbs xfish 0427 IN xfish xfish 6200 80 80 3460 3460 3460 80 80 3460 80 8899 3460 3460 80 3460 5379 80 80 5496 4000 31 443 6200 80 6200 8888 443 6666 80 8080 443 443 8888 3460 8071 3460 8080 4500 3480 3460 35 35 3460 3460 3460 3460 3460 4014 6200 80 6200 4014 6200 6200 6200 4014 3460 6200 20 | T h e C h i n e s e M a l w a r e C o m p l e x e s : M a u d i N o r m a n S h a r k 5bcf43e49d6bfbc26ec1f1cd6968ed3e 5d2d6d9fe58355c01e31c0f12ab99bd3 
5db6e16c286363115454690bc5c3da77 6648c9ffc4f4e705545daaa3c09373fd 69238872045ab0148c581bb8d99a6a1c 6a71157ee541a78f580f5eebc53b86eb 6e7fc8bac73410b58d4d1b2ce0dcc44e 7fc18dedcc7728b3103d4108557e8fb4 8fff7ca54103d5de1734b940d165b871 b443f9a521d7ea56b387d36484df1900 b5ff5a76ab4cca4a8fc3d2c39b30c997 b756fb047aff38fb8a2f2778d4b2d392 c64dd5393a17226b208b049a4b766bd6 cf8861ae0c0525d345a72ac43a767548 d13e4ef3e3791927397baf292182c583 e1fe9adfc62dfe5aee7d7cf3d6e51c29 f52d6ba37ae65bd02ee5485309c87cdd f6edfa0c8d35f74374d62309a8436a46 faffe9b9182709f62de4da91cffe3a5f e2a063d5afb6cf892431246013cc3919 01c142c7bfb0d8655f02eaac5cbe0baf 09cadcb2af2d06dae3a120ff43aa97ac 1a0ab794b8b590964c9c2d024956ad01 3d4545c40e4f359ad38dde0dae375f18 52e8c0d7b2572054198b2d4dc401bc47 538da437660a6a3ff64e9eba44d27423 55f75ea088c723958bf880391747b7a3 5de88d845578b8782a570c1f808a164c 64cd92c40c4249dfc03aa9e211605f55 68ac613a97afdd9a0c58c05908e15e82 9335bbd44567f56d4f4027cf2d105156 a085e20215ffed7056ddeb49b0fa8c8c a7756ffb6fafc866e9c6ba7a51f162e5 a7a4fb56c8e7a74490e00146a14d641d be7ac4097e8740a280c2daabbc8aac2c cf3a539bd308964b357c6d7fdb8e77cd d745cd51b8497638a8bc7d65f6aea302 da981c3c8acfdd7a4b1982ceb53d2105 e2ccc17ad7428516b22d73d7f3d04c88 eb99559000fa4bffb09f0095b5771f64 f451140e7ad709b239bfe5b9a9e85ec7 f7427898041410dec0d6ac1a2250838c 14259ca243aa80e733bdd7d65e518c6d a27b30f1dedf64900eac64fdb22d51c9 2fd59b0af3858688487aa5d98f5927d1 31890debe88cd057c351a64e260682f8 3ec57887caa14d1c7b83a0f7a441b52a 41d985d0b3a9dfd79da0b39f9a1aa4bf 46ebbc42670e8e2a0a03654559d54983 60064d648bc533a38a708dbe5f759034 60111cd0e8372f84df471e71ef9909a7 64bc0eee75c62da0e997ca3f4e257cdb 827604d4811d2dfbf34e7de87a48a08e 8423599f6ffd07d5bc9cc02b3610b0f8 86142a2eddfadb5d3d879e8a377bec7d 8891b5aa1125c2b9b4e06158346b1f21 936721205de8e825b02099f036ad1b61 96f19f590ebc84ded2a7af4c052fccf2 a5g17mail.3322.org CeleSign@hotmail.com 127.0.0.1 CeleSign@hotmail.com a5g17mail.3322.org CeleSign@hotmail.com a5g17mail.3322.org CeleSign@hotmail.com 
a5g17mail.3322.org CeleSign@hotmail.com a5g17mail.3322.org CeleSign@hotmail.com a5g17mail.3322.org CeleSign@hotmail.com a5g17mail.3322.org CeleSign@hotmail.com a5g17mail.3322.org CeleSign@hotmail.com a5g17mail.3322.org CeleSign@hotmail.com a5g17mail.3322.org CeleSign@hotmail.com a5g17mail.3322.org CeleSign@hotmail.com yt.bodologetee.com CeleSign@hotmail.com a5g17mail.3322.org CeleSign@hotmail.com a5g17mail.3322.org CeleSign@hotmail.com a5g17mail.3322.org CeleSign@hotmail.com a5g17mail.3322.org CeleSign@hotmail.com a5g17mail.3322.org CeleSign@hotmail.com a5g17mail.3322.org CeleSign@hotmail.com zfyxu.gicp.net CeleSign@hotmail.com bbaolong.vicp.net DataBase@Hotmail.com olk4.3322.org DataBase@Hotmail.com olk4.3322.org DataBase@Hotmail.com www.windowsliveupdatecache.com DataBase@Hotmail.com DataBase@Hotmail.com dog.aumoni.com DataBase@Hotmail.com okia.3322.org tigertigertiger.3322.org DataBase@Hotmail.com DataBase@Hotmail.com www.windows-liveupdate.com DataBase@Hotmail.com www.windows-liveupdate.com DataBase@Hotmail.com liyanyanzy.3322.org DataBase@Hotmail.com tb801.co.cc tigertigertiger.3322.org DataBase@Hotmail.com DataBase@Hotmail.com www.windows-liveupdate.com DataBase@Hotmail.com qqpass.kittyeah.com DataBase@Hotmail.com liyanyanzy.tk qqpass.kittyeah.com DataBase@Hotmail.com DataBase@Hotmail.com sunnyrone.coyo.eu DataBase@Hotmail.com okia.3322.org DataBase@Hotmail.com tb-20110112.3322.org yangjinxiu.vicp.net DataBase@Hotmail.com DataBase@Hotmail.com liyanyanzy.3322.org DataBase@Hotmail.com veidu.uicp.net goodw@hotmail.com xyxf110.3322.org goodw@hotmail.com csfox.3322.org jiangshan2368131.3322.org laker@gmail.com laker@gmail.com 127.0.0.1 laker@gmail.com yunlong123.3322.org laker@gmail.com asiondragon2008.3322.org bafeite518.vicp.net laker@gmail.com laker@gmail.com www.zone.qpoe.com laker@gmail.com terry0707.vicp.cc laker@gmail.com bbaolong.vicp.net laker@gmail.com axna.5166.info jiangshan2368131.3322.org laker@gmail.com laker@gmail.com jiangshan2368131.3322.org 
laker@gmail.com axna.5166.info laker@gmail.com jiangshan2368131.3322.org jiangshan2368131.3322.org laker@gmail.com IN xfish bsbbs IOTY xfish IN IN IN bsbbs xfish IOTY xfish jiagu 0427 IOTY IN xfish bsbbs xfish 301 0417zhang xzang xfish qq d0306 2011a tiger gzzx Qbxt juesh hktbb tiger zwdb Lobsternz tkkkk \xB6\xCE\xBA\xBA\xBD\xDC 12345 fant1 tb 12345 shenf 12345 xfish BoerS xfish se xfish GM164 eeeee 71 xfish 1012 xfish xfish xfish xxx xfish xfish 4014 3460 6200 6200 6200 4014 4014 4014 6200 6200 6200 6200 80 6200 6200 4014 6200 6200 6200 1983 3460 3460 3460 3460 1258 3480 80 3460 3460 80 3460 80 3460 5960 80 35 80 3480 3460 80 80 80 3460 3460 3460 32 5555 3460 3460 80 3460 3460 3460 3460 3460 3460 3460 3460 21 | T h e C h i n e s e M a l w a r e C o m p l e x e s : M a u d i N o r m a n S h a r k 97cba74ed66a650403c16c6aca96d608 9e890216c8c880c5c4859a77894c8210 b13352f5a17d3eb3937ea9cbbdd142cf b5ba974dadb886bcdd826a3692915d3a bf973493fd8d7c097d26ecc1c1a75b96 c364c68e36f7d864dc78a1778eb0b262 d0f62109a38e0dbafcc1a3fefecfd09c df5be665924cfd5898c189c91a79322f f07b20c47dee2362ea66b57a96acc7ed c93f8a7a899142db1e92138b76407588 a25e5bcc52c386eb046149799ed81b2b 646cfe960219f1948eac580e3bd836f8 e3ef377d4ed4b8c0fca7b893f4074ce0 04ce6965a52bb87cc070077678f5e323 081e01fecdd47346a55e5a8a13b0720c 0bdacf6e88263c85a669b84692a337b1 b030c0d878997350a7dd1f0533090846 e95432553f5d6ddaadad8a634a9a3e7d ef1de280764dfa67abdfe3928932a6a2 da52a58fa6f45fd8ede22a0618cb7260 103b21042f60d6904a819d504a7b1be1 10cfadfb49b1ca15563b20e72ffde76f 772447c014c0ef465313fb8865d3c501 7d36ad6aafbf1f9496ccc6ac1a8bb57e 882b1e94652a6ee0377380d2b7c74de5 1ce83eb64757f30737aebfc177ff681b 429bc1afd27b39a26494c868a4013eaa 64718689ee3ff695c55ea1ec213434d1 8a3ca42ee9b67c4d030ee9d5193fd8b8 8ae26d583509b9eea207126b29121459 fda1664e10e36c833a1aceae3688fc73 04045fd7863c2512da99d69bbe7ceb43 09a291e91adc6a994499fb27e7fae65c 1a087cdeac6ee8169fa9f0359403091b 1f3065accfe697c56f45b641659f6418 3e7ba528aa87d0ec6a24c643e5527391 
4b386d215a650280b685837e3a11b126 51c318d9f127a1f2fc112e22105cb5fb 6abf57bc4621a8f5e3153cb3c10353a2 84ae8974750c2993aa409e048c940c69 9f33a565837211d126ef48a518b14971 a07f6cf0029adbf16e8b7c644c26ce81 aa056a0ac5d81d0fb7974702861ea827 b38b53f6a04c2f42433bef80df18998a b65f394d07a665dadab98b3fdcfec25f e866043cf627b6ef4d13a820e314a99c fe4df2b266a570fc041a1a1cdd5451f2 0ca360ef2797bee54b53e5a34d47f3e4 8f0b13f9111241132e1c0738f5b03227 6d869c47d1930ea7fc054f22d49402ff 044d8a1f538cc875c4222272984a6193 0eb634f8e1ce366b8b7216024590df2b 20aa76dcd2bb2925d8d5fda4a39f5947 2e81515f8323a4481e1bdcc4e5193d99 35c355c051d911d34bf9fae984973fb9 48a8e6dc1e9b11a0c2aecf6fcd1d8d03 4dd04d65e16f6147a8427f548fd1f9a3 55b2c4e0d2d036910a014167dab5c8f9 bafeite518.vicp.net axna.5166.info bafeite518.vicp.net bafeite518.vicp.net bafeite518.vicp.net axna.5166.info atneh.vicp.net terry0707.vicp.cc bafeite518.vicp.net www.mol-government.com www.newsyandex.com yt.bodologetee.com bafeite518.vicp.net jiangshan2368131.3322.org jiangshan2368131.3322.org long1235.3322.org long1235.3322.org long1235.3322.org long1235.3322.org bafeite518.vicp.net monalisa88188.3322.org 220.175.13.250 asion-2009.gicp.net ns2.adultstick.com asion-2009.gicp.net bafeite518.vicp.net iamflying.3322.org ns2.adultstick.com monalisa88188.3322.org asion-2009.gicp.net xxxxxxxxxx asiondragon2008.3322.org yunlong123.3322.org axna.5166.info bbaolong.vicp.net axna.5166.info xyxf110.3322.org xyxf110.3322.org bafeite518.vicp.net 59.50.99.83 www.zone.qpoe.com csfox.3322.oRg jiangshan2368131.3322.org 127.0.0.1 CsFoX.3322.OrG jiangshan2368131.3322.org terry0707.vicp.cc jiangshan2368131.3322.org long1235.3322.org bafeite518.vicp.net csfox.3322.org bafeite518.vicp.net csFOX.3322.orG csfox.3322.oRg jiangshan2368131.3322.org csFOX.3322.orG asion-2009.gicp.net asion-2009.gicp.net laker@gmail.com laker@gmail.com laker@gmail.com laker@gmail.com laker@gmail.com laker@gmail.com laker@gmail.com laker@gmail.com laker@gmail.com micro@CeleWare.NET 
microsoft@CeleWare.NET microsoft@hotmail.com xyblack@gmail.com xyblack@gmail.com xyblack@gmail.com xyblack@gmail.com xyblack@gmail.com xyblack@gmail.com xyblack@gmail.com xfish@hotmail.com xfish@hotmail.com xfish@hotmail.com xfish@hotmail.com xfish@hotmail.com xfish@hotmail.com xfish@hotmail.com xfish@hotmail.com xfish@hotmail.com xfish@hotmail.com xfish@hotmail.com xfish@hotmail.com xfish@hotmail.com xfish@hotmail.com xfish@hotmail.com xfish@hotmail.com xfish@hotmail.com xfish@hotmail.com xfish@hotmail.com xfish@hotmail.com xfish@hotmail.com xfish@hotmail.com xfish@hotmail.com xfish@hotmail.com xfish@hotmail.com xfish@hotmail.com xfish@hotmail.com xfish@hotmail.com xfish@hotmail.com xfish@hotmail.com xfish@hotmail.com xfish@hotmail.com xfish@hotmail.com xfish@hotmail.com xfish@hotmail.com xfish@hotmail.com xfish@hotmail.com xfish@hotmail.com xfish@hotmail.com eeeee xfish eeeee eeeee eeeee xfish xfish xfish eeeee text1 shiww xfish xfish xfish xfish xfish xfish fjian mengn xfish ND906 lrqdz ND906 minzh baiyi lrqdz mengn ND906 xxxxx GM164 xfish xfish 1012 xxx xfish new6 eeeee xfish 71 TWB xfish se foxtt xfish xfish xfish xfish shiww R3461 tuya T9158 TWB xfish T9158 GM1.6 GM1.6 3460 3460 3460 3460 3460 3460 3600 3460 3460 3460 80 6006 3460 3460 3460 6000 6000 6000 6000 3460 3480 8080 3460 3460 3460 3460 3460 3460 3480 3460 94 3460 5555 3460 3460 3460 3460 3460 3460 8080 80 3460 3460 32 3460 3460 3460 3460 6000 3460 3461 3460 3460 3460 3460 3460 3460 3460 22 | T h e C h i n e s e M a l w a r e C o m p l e x e s : M a u d i N o r m a n S h a r k 570a80412467a33ffddc94ad443b92fc 59c22dca8bfcae8a6c3f9f6c6834ad33 5bb9ce4a13c1aab97a3923d8b857fdfd 5d36836932d43389780b8100245b28d0 5fa7bbabb2463fcc56c13dae5826784a 615fe8b63bcb6575185dfc996ca18e04 7279b27dfd686f41d212c06d40bc09a0 89819111ce917666c5865b98041db9c4 ad317df6bcc6a9cd5ec08a5177d3300b b424b010732c6b21c3d811e26fdedeaf c9ee85547bca1825514e921c66fbc2fc dca6b6a12df13964bc4d56a7a2e5690c e8fc2905195b38945649b38018c395e0 
4dcc921959c7769fdfe0e6a65bff29a3 6a51c68b272fa6364cf812c6c488f399 d75140218ffbba6663704b6a4be1d752 03d576b3d29ea70714ca28a8704d2063 0bd321879f9e7949ea2bf8c82496d404 36af416dd751d2531f69877469b601d9 4108daddc9cbc28e812c4325ae9c22de b6ebe0a76cbf24bc4b0a8bf0b8f20205 c067c295fa72381c0bdeea4273b4bb4c d26f9684c391f69fc6326fa3d71c1018 ef4a862e2ba601053647a4b297d2b8b3 f057ccc37f20cb8425b7f8975047bba8 fbfecc5078c3336ae53db41a148e8c74 542f45c05e68e0884d25f3a2681b2235 86fa64581f38f423085339d0e0639a44 dedc3879f1af489cbcf2b85b3b25f13f fa1379f3e680dfe7b679cb38ac66b758 42c3cc80a11ad69afcaca051ce23392a 5ad33406e1c7f36034b99ab4d820e39f 623e3db25c43184ec044d646dd1df4a2 6d9234f17a16dabdc83c757fc7052849 d2235d2276f0dc410db5422c6e0f716c da203dcaee67c1b7d9094e77e0b61d21 f0baccf99bae6fbdde4463b87e0e8733 3f95b9dd7547044b23e31ee01745fd8f 0db89a0cc2cf2a88c40ea8e76c7c0834 0f4d03353b172639ed43410061f5eb8f 4d95a416bef7eeffee2837596755a476 52427aabdf5bf61e818ca343ed35b5fd b8d0556df19fee8485f5581ddc4fea8c e75150f613f593ffe8ade4ce3db6fc7e ef404a76bd11e1d675b7686775ed7f1c 3f795be50edfe011167a479e735078e2 49dcf66fe12703789cf5074a5c222211 74eabedd7a9bce6973f5ac5d2e1404c5 f554c212f314e15388e33a62ce88cd34 1042efb418f845f362f302b63d4d3c77 d9203e00ff7b2edb01f52b378e3386be 7d4d78d1dacfeaad46c6506522ad61c2 95881cd633b682cda181d22b5f5efc12 ba9d43b3f1e81e0cca615e19a0f20bdc f3f29866a50b82da0eee22b016af5bdc csfox.3322.org jiangshan2368131.3322.org jiangshan2368131.3322.org bafeite518.vicp.net xyxf110.3322.org CsFoX.3322.OrG bafeite518.vicp.net csfox.3322.org CsFoX.3322.OrG jiangshan2368131.3322.org CSfox.3322.Org bafeite518.vicp.net 59.50.99.83 paladin666.gicp.net paladin666.gicp.net paladin666.gicp.net xyxf110.3322.org sbwfn007.3322.org sbwfn007.3322.org freedom8964.ddns.info xyxf110.3322.org sbwfn007.3322.org heiantiankong.gicp.net xyxf110.3322.org csfox.3322.org sbwfn007.3322.org 127.0.0.1 zeropan007.3322.org zeropan007.3322.org 123.151.192.105 zfyxu.gicp.net hh-mr.gicp.net qq907433815.3322.org 
1855 1st Ave., Suite 201, San Diego, CA 92101, USA, 1.888.466.6267
Strandveien 37, Lysaker, Norway, +47.67.10.97.00
www.normanshark.com

[Figure: The Maudi Infrastructure. Legend: Code signing certificate, Command & Control domain, Malware sample.]