This is a continuation of the previous post about a computer with “infected” DNS settings.
The same machine also had a Proxy PAC file set.
On this particular computer, the following URL was set in the automatic proxy settings section:
http://stoppblock.net/wpad.dat?fb4c39d90b3dd1f76bda246b4a60839913671305
stoppblock.net, registered via a whois privacy service, was only registered on the 4th July 2016 and has only been hosting a website from around the 21st July. A similar domain “Stopblock.me” seems to have been registered much longer ago in September 2015 using a privacy service and a similar DNS setup to the new site and is hosted at the same datacenter.
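Now – if you download the above URL using something like Notepad or curl, you get a blank file that just tells software to go DIRECT.
If you use a known browser, you instead get the PAC script shown at the end of this blog article. The server appears to vary its response depending on the client, so fetching the URL with a non-browser tool will not show the real payload.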
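What is interesting here is that they seem to be taking SHA256 hashes of URLs and matching them. Clever idea. This instantly increases the difficulty in identifying which websites they are targeting with their proxy attack. Each entry in the script stores a length next to each hash, and the script hashes only that many characters from the start or end of the URL (or of the host and query) before comparing.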
It looks like they are usurping traffic to 192 domains.
If one of these domains is detected they then currently relay the traffic via the following proxy hosted at FDC Servers:
50.7.182.141:51598
It looks like the above server has thousands of open ports, probably all entirely open and ready to proxy.
If you manually set your proxy to it, you can tell which websites are on their intercept list in the PAC file. Any domain they don’t like is greeted with a “403 Forbidden”, while domains they do like are accepted. Some that I’ve found so far:
– Google.com
– chrome.google.com
– http://www.google-analytics.com
The above sites get proxied and SSL man-in-the-middled (MITM). I suspect the malware which set up this PAC also installs its own “Trusted” Root CA so that their generated proxy certificates work. If so, an unexpected certificate in the machine’s trusted root store would be the thing to look for.
On initial investigation, the root of google.com doesn’t get modified when requested via the malware proxy.
Here is the proxy PAC code as referenced above.. it was too long to put in the middle of the article:
/* CryptoJS v3.1.2 code.google.com/p/crypto-js (c) 2009-2013 by Jeff Mott. All rights reserved. code.google.com/p/crypto-js/wiki/License */ var CryptoJS = CryptoJS || function(h, s) { var f = {}, t = f.lib = {}, g = function() {}, j = t.Base = { extend: function(a) { g.prototype = this; var c = new g; a && c.mixIn(a); c.hasOwnProperty("init") || (c.init = function() { c.$super.init.apply(this, arguments) }); c.init.prototype = c; c.$super = this; return c }, create: function() { var a = this.extend(); a.init.apply(a, arguments); return a }, init: function() {}, mixIn: function(a) { for (var c in a) a.hasOwnProperty(c) && (this[c] = a[c]); a.hasOwnProperty("toString") && (this.toString = a.toString) }, clone: function() { return this.init.prototype.extend(this) } }, q = t.WordArray = j.extend({ init: function(a, c) { a = this.words = a || []; this.sigBytes = c != s ? c : 4 * a.length }, toString: function(a) { return (a || u).stringify(this) }, concat: function(a) { var c = this.words, d = a.words, b = this.sigBytes; a = a.sigBytes; this.clamp(); if (b % 4) for (var e = 0; e < a; e++) c[b + e >>> 2] |= (d[e >>> 2] >>> 24 - 8 * (e % 4) & 255) << 24 - 8 * ((b + e) % 4); else if (65535 < d.length) for (e = 0; e < a; e += 4) c[b + e >>> 2] = d[e >>> 2]; else c.push.apply(c, d); this.sigBytes += a; return this }, clamp: function() { var a = this.words, c = this.sigBytes; a[c >>> 2] &= 4294967295 << 32 - 8 * (c % 4); a.length = h.ceil(c / 4) }, clone: function() { var a = j.clone.call(this); a.words = this.words.slice(0); return a }, random: function(a) { for (var c = [], d = 0; d < a; d += 4) c.push(4294967296 * h.random() | 0); return new q.init(c, a) } }), v = f.enc = {}, u = v.Hex = { stringify: function(a) { var c = a.words; a = a.sigBytes; for (var d = [], b = 0; b < a; b++) { var e = c[b >>> 2] >>> 24 - 8 * (b % 4) & 255; d.push((e >>> 4).toString(16)); d.push((e & 15).toString(16)) } return d.join("") }, parse: function(a) { for (var c = a.length, d = [], b = 0; b 
< c; b += 2) d[b >>> 3] |= parseInt(a.substr(b, 2), 16) << 24 - 4 * (b % 8); return new q.init(d, c / 2) } }, k = v.Latin1 = { stringify: function(a) { var c = a.words; a = a.sigBytes; for (var d = [], b = 0; b < a; b++) d.push(String.fromCharCode(c[b >>> 2] >>> 24 - 8 * (b % 4) & 255)); return d.join("") }, parse: function(a) { for (var c = a.length, d = [], b = 0; b < c; b++) d[b >>> 2] |= (a.charCodeAt(b) & 255) << 24 - 8 * (b % 4); return new q.init(d, c) } }, l = v.Utf8 = { stringify: function(a) { try { return decodeURIComponent(escape(k.stringify(a))) } catch (c) { throw Error("Malformed UTF-8 data"); } }, parse: function(a) { return k.parse(unescape(encodeURIComponent(a))) } }, x = t.BufferedBlockAlgorithm = j.extend({ reset: function() { this._data = new q.init; this._nDataBytes = 0 }, _append: function(a) { "string" == typeof a && (a = l.parse(a)); this._data.concat(a); this._nDataBytes += a.sigBytes }, _process: function(a) { var c = this._data, d = c.words, b = c.sigBytes, e = this.blockSize, f = b / (4 * e), f = a ? 
h.ceil(f) : h.max((f | 0) - this._minBufferSize, 0); a = f * e; b = h.min(4 * a, b); if (a) { for (var m = 0; m < a; m += e) this._doProcessBlock(d, m); m = d.splice(0, a); c.sigBytes -= b } return new q.init(m, b) }, clone: function() { var a = j.clone.call(this); a._data = this._data.clone(); return a }, _minBufferSize: 0 }); t.Hasher = x.extend({ cfg: j.extend(), init: function(a) { this.cfg = this.cfg.extend(a); this.reset() }, reset: function() { x.reset.call(this); this._doReset() }, update: function(a) { this._append(a); this._process(); return this }, finalize: function(a) { a && this._append(a); return this._doFinalize() }, blockSize: 16, _createHelper: function(a) { return function(c, d) { return (new a.init(d)).finalize(c) } }, _createHmacHelper: function(a) { return function(c, d) { return (new w.HMAC.init(a, d)).finalize(c) } } }); var w = f.algo = {}; return f }(Math); (function(h) { for (var s = CryptoJS, f = s.lib, t = f.WordArray, g = f.Hasher, f = s.algo, j = [], q = [], v = function(a) { return 4294967296 * (a - (a | 0)) | 0 }, u = 2, k = 0; 64 > k;) { var l; a: { l = u; for (var x = h.sqrt(l), w = 2; w <= x; w++) if (!(l % w)) { l = !1; break a } l = !0 } l && (8 > k && (j[k] = v(h.pow(u, 0.5))), q[k] = v(h.pow(u, 1 / 3)), k++); u++ } var a = [], f = f.SHA256 = g.extend({ _doReset: function() { this._hash = new t.init(j.slice(0)) }, _doProcessBlock: function(c, d) { for (var b = this._hash.words, e = b[0], f = b[1], m = b[2], h = b[3], p = b[4], j = b[5], k = b[6], l = b[7], n = 0; 64 > n; n++) { if (16 > n) a[n] = c[d + n] | 0; else { var r = a[n - 15], g = a[n - 2]; a[n] = ((r << 25 | r >>> 7) ^ (r << 14 | r >>> 18) ^ r >>> 3) + a[n - 7] + ((g << 15 | g >>> 17) ^ (g << 13 | g >>> 19) ^ g >>> 10) + a[n - 16] } r = l + ((p << 26 | p >>> 6) ^ (p << 21 | p >>> 11) ^ (p << 7 | p >>> 25)) + (p & j ^ ~p & k) + q[n] + a[n]; g = ((e << 30 | e >>> 2) ^ (e << 19 | e >>> 13) ^ (e << 10 | e >>> 22)) + (e & f ^ e & m ^ f & m); l = k; k = j; j = p; p = h + r 
| 0; h = m; m = f; f = e; e = r + g | 0 } b[0] = b[0] + e | 0; b[1] = b[1] + f | 0; b[2] = b[2] + m | 0; b[3] = b[3] + h | 0; b[4] = b[4] + p | 0; b[5] = b[5] + j | 0; b[6] = b[6] + k | 0; b[7] = b[7] + l | 0 }, _doFinalize: function() { var a = this._data, d = a.words, b = 8 * this._nDataBytes, e = 8 * a.sigBytes; d[e >>> 5] |= 128 << 24 - e % 32; d[(e + 64 >>> 9 << 4) + 14] = h.floor(b / 4294967296); d[(e + 64 >>> 9 << 4) + 15] = b; a.sigBytes = 4 * d.length; this._process(); return this._hash }, clone: function() { var a = g.clone.call(this); a._hash = this._hash.clone(); return a } }); s.SHA256 = g._createHelper(f); s.HmacSHA256 = g._createHmacHelper(f) })(Math); var hashes = [{ "direct": false, "hash": { "url": [ [30, "3641293c700dbf07c69bc819ea7c168efa75c54a953a0c73af7d62edf2e44c0c"] ] }, "sc": 2 }, { "direct": false, "hash": { "url": [ [30, "005acdb782876c1d12cbabd154734baf814d95d0d0cc9a189e161f50850e6e11"] ] }, "sc": 1 }, { "direct": false, "hash": { "url": [ [37, "091ba1b78804e5415b317554c2d3edcc0fa9b0907109392187a24f22951de9a2"] ] }, "sc": 2 }, { "direct": false, "hash": { "url": [ [34, "85fa4e502c08ba456c3b3e78162a7edf3a3dd251b3f091abf1889ba33eab6f62"] ] }, "sc": 2 }, { "direct": false, "hash": { "url": [ [54, "2fb5d5f6b16a61a5a2463c2918b82a56c1f93e3f610ed11e2d2b4b692e6bd24c"] ] }, "sc": 2 }, { "direct": false, "hash": { "url": [ [31, "69c01b96756640faf07f816ebec4994d054a328c84f32d8f3ad2b4f817ff72aa"] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [27, "aab8f002cb79cc9542a001fec8544bc331f0b42292db3a49ee245a6a218eea2a"] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [16, "02a0becb3e90c1c50bb9932bffb7c4d130cd6b78558dedbec7c39b1624132894"], [3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [21, "027a1ea4c5fe27134a12fc6b166b58e98d91242e19f89405147b78e5d21c4f8d"], [3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"] ] }, "sc": 0 }, { "direct": false, 
"hash": { "url": [ [18, "04d62c424bfe5388333e11b6ccb47f6f78e43bf26b92d5c4a140681fb8cf6a44"], [0] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [38, "cbc1c5ba723aa977c56aecdab1a8c71c41c046046e05ca14d2fa28dd10092fb6"] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [24, "49dbf639e44e763f59cb09945e0a011e7420d44c179301ab3a09e708d903709e"], [3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"] ] }, "sc": 2 }, { "direct": false, "hash": { "url": [ [18, "7e8d27eec13ac38216d4edd72d1a29bff2f329c6ed6a8a8a94857834a4836b3f"], [3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [31, "6d3eaddd0cde25e6ec74b5bbbfcb33fdbef5f549b0c94befcbf419475b6979f4"], [3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [28, "4de73617a098f4609a06ec0c77317d64ac361e831390c275d4fb65f2c1cd0649"], [3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [33, "da55e41175f29ad2ef7a82451594d80a55f0976a416aa92204949430a2bcd2bb"] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [24, "6a51ab44baf159b7dfd06897c2ee9b109047d648527883b400939723fb51b34e"], [3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [16, "6cdc2695d51e4a71a47b738a2e5da370b69928365f901afa139b0d6e09a4a611"], [0] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [20, "da3d05b85e36da5c00d2684f8b6c11a151ef805269628a5e288f11367c85b770"], [3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"] ] }, "sc": 2 }, { "direct": true, "hash": { "url": [ [34, "2f65f195f63f3e53bacca32a2ce6807ff0b201845fc435ceea3717cef9784858"] ] }, "sc": 0 }, { "direct": true, "hash": { "url": [ [34, "068af4337f674b90b82cba9b9201749f819a3d0b13e7b807d12cc42cdcd52996"], [0] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [25, 
"16bba5056246699217e8e202a86955a264f1fa4afad31c9bbc2f7c1f7b1950cf"], [0] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [6, "2eaab02c6da2d10b1c74431c94246073901239f9cf5d468ce50e972fe10eedec"], [0] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [12, "6a6f36afaf2268aee5bb31ca04125b2bc763f08d7ba8711e4bdff70867910553"], [0] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [7, "0a6fe22ff241ea94df392b8156568f20391723837ab230318fb077b2375c7cde"], [0] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [39, "66a712273426ba40b7b7e106bbbdcaf4b72564e351b3f3f48ce7c20678e648c6"] ] }, "sc": 2 }, { "direct": false, "hash": { "url": [ [32, "a718d72aef8ad2227b48fcb0e41aad227e7df749b181778c1fde42940b43c99a"], [3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [33, "c59e07a5fbde05ed1a56fbcacbd729407e4d2ace0999f1fa7b6d67e1134f16c8"], [0] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [20, "7ee2c2d8d2139dde94960b7b10068490709d33396936b3025f4fb084024faacd"] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [22, "5cb102dd91d9f0335ceec0d054f9a3534948269494795cf5343db79af0bf1937"] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [24, "1e714788036e892cf617e1dd0f2329041329022855b9e740e98e97a6a6b11ef3"], [3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [15, "69f1b962dac671b921437d0f1295291c18c2757d2b35bb4dc0bd417a83544c0d"], [3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [27, "0730a01c9239a112d8f20d388d11f0adbb85ef5cad54ef274ac1f1dcddf592a0"], [3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [18, "ba84717110aa9f1e08279a074c84eac1616a5b1586a723a0f047c6e24873e8a4"] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [19, 
"7a8652ccd303235bf5daa855af51a26ea43ca141af05d29a69068d0a7ce1d308"], [0] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [17, "5cbc646b4c93ceb0ceacc82b4d919a0d55c9f4219a37181a857648876f4f8962"], [0] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [17, "2ab969e3bb4f21a9c0857a48d7d48959b7579b66d819f5bb5113e0a8daa73837"], [0] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [16, "f1fd0a0951825ee7a48ad64357f6b8842c7afa522f2607dbd24676f331be49de"], [0] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [21, "28418d5891c9e953da3d34b8196148ca2f5fe2ea8f9410d0158854fac8c259ea"], [0] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [16, "24706f423df420f1414ea4fa5b8075795c93ae8744c1274fb5c1a0b153d343f7"], [0] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [24, "3f5db3d1f1c2dcca55a962a138f4e89c39ec7d77698d71693029920826215d6f"], [3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [48, "d8de67906050cd51ad3d8dd6e03e9e1a7b95c338282d65c8ea294ded63d2e1ad"], [0] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [13, "e8fe445cea211abe733b631f0ed07a4acf73692be6fdcbe8601433686c778d3f"], [3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [17, "a9aff9dbfe5dac558e6cf7885b3cfd7cedb53791b20e5346c858a7ff59bee5ef"], [3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [19, "6392865db408402c48f8a16956719f1fea3a765e4a00608acc7fa6ba4e4cda14"], [3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"] ] }, "sc": 0 }, { "direct": true, "hash": { "url": [ [22, "5d8c1fbee8589adc33914e3d08be0567e2dc3188da065f889986e7efc4ea4062"], [0] ] }, "sc": 0 }, { "direct": true, "hash": { "url": [ [18, "9b307d54955bd62e21d6ffdf7078d226c9d3ed7a4a8338c3ac25ec1859deaf25"], [0] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [29, 
"46d18cdcbd926bcdaf11e4bb2173d996bbd0e556a3e123c202447e8e4b01eb9c"], [0] ] }, "sc": 0 }, { "direct": false, "hash": { "host": [ [0], [11, "c323094109b3dde96a8b67aa1ebd11c183a3929160a042677a2c6a60e4de1538"] ], "query": [ [1, "8a5edab282632443219e051e4ade2d1d5bbc671c781051bf1437897cbdfea0f1"], [3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [27, "07e55167364c91f40142adda36fb3282bd6446f819d5973aa8a7a7c3fa339655"], [3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [30, "8a1a87606ecd96cdeead029c379a6297d0546b1efcf63019d1145db57f8ab754"], [0] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [28, "d8f4ce3f051558a4439835f37030ab06002c32a864d531febf09fe3255e90236"] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [23, "93d939d480026892d9c8d3049d5d8954784dbc8258907e44653caabb8a9a9494"], [3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [32, "05854e7dfdb0d0f28e13323213aeff271e91109083a6a76a42b51d9ccd18e741"], [0] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [17, "b6481263a60e1563a9e2466d54a7ef33fd2ce1179ff224019bf7550c57967a9a"], [3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [21, "63fdd9a9d5ce7c44c7b21c0d6a1237f8f0c97260e55746dcd8f6ef5a4a50af91"], [3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [28, "f8aba15bc5e864b1e557f1ef93414583458d39200f9bda36168fe7383eb9ee58"], [0] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [28, "2fb79d03565dc4b4b295f195c51388515f44ce577e7779b2b1cb6197ff5f5b3c"], [0] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [17, "2e50b70712b5bbfc38324d5312943c67d53997803aa407e4e8e72b124767b0ad"], [3, 
"c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"] ] }, "sc": 0 }, { "direct": true, "hash": { "url": [ [19, "40d5f76b780574f1477b7c9e22ec16630c27f06b2b3cbdeb838f85db9ad35790"], [0] ] }, "sc": 0 }, { "direct": false, "hash": { "host": [ [0], [15, "70cce251eeaa07eafa39aa035f7d94475c6a336209873acc9fb4180f0d5d4fa5"] ], "query": [ [8, "d0beddcba48b2cdda553b03c812e27bcfa6d2aaa0d6aa7cb59715b0abd7fae13"], [0] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [11, "c509965f343c674675f345d1db0312149080f5d025d2fcf6e1fe13d504723427"], [3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [18, "a8dd9f1252e46a5771e131c437b79659ace18757bd3a8027a2f5b0dc0d5eabff"], [3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [22, "87faaa158280444d037fae86bc1171429c2ea40986a484b2769a0a90a37a5a2a"], [3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"] ] }, "sc": 2 }, { "direct": false, "hash": { "host": [ [3, "db9831b53a8574d33f3d7ce6820598c67224687dbe57cbbc10b6070e5aa57744"], [18, "ffc4f10fa9a96a12ed23fe43e7618e984aac46dee8474f3f8443b252fa08f3ae"] ], "query": [ [1, "8a5edab282632443219e051e4ade2d1d5bbc671c781051bf1437897cbdfea0f1"], [3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"] ] }, "sc": 2 }, { "direct": false, "hash": { "url": [ [20, "0c9efdccc14c3d6617b9941985a3a498e4577e0343e38bbda7c2fb364dc54b45"], [3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [12, "59ea2297c48ef6c923b4ca8a8f601d0e06baa1b11c7be1cc139945f05a081cca"], [3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [29, "1d5b888f0582e1221111e49b8c0c4ce405235f26be1c73d90ca4a56664069338"], [3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"] ] }, "sc": 0 }, 
{ "direct": false, "hash": { "url": [ [42, "d91d4822c7a1d78ffd55bbeba1f80c85b317f1628618138c06d09be65c2a1dda"] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [20, "bf9d95f31c6dd46a0d8e48c07f04c1a2f8567b34f82c7a500f8b25798c8b9161"] ] }, "sc": 2 }, { "direct": false, "hash": { "url": [ [22, "3a4bb360cf6dc2998f0156bae6af9e3b4316e69f67e5ab9472dfc0d6b7cf0517"], [3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [19, "84210dcb2a72a50dcec85d433904c20f93b7c0f406a7fc2dc0bf18eead6f37e1"], [3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [21, "308318146fb2df522dea622450a9a3d9db6f4071e9d6e8c5f9626591e80dc859"], [3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [23, "70c2ad9405d9a541e96ad8e0fe090388d6fbdced541e5a60d140e840ed0495df"], [3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [42, "800290b8febd876a5720c5eda59879dcab36cf763bc8a925fbcffca69a7ffb63"] ] }, "sc": 2 }, { "direct": false, "hash": { "url": [ [20, "7e2979b6da973a47db083d02d42d13ff4325ea25b7aa73bbe940cd147bcb215b"], [3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"] ] }, "sc": 0 }, { "direct": true, "hash": { "url": [ [39, "0ed60029e32cfbb08d3701acbeb82d5b6a83aa2f2466ba607ec49b5ed28e5eed"] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [34, "4582ac7ade5230bb99743495f238b70a897f7c5aee68f38e63782f9889396425"], [0] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [23, "39081ae925fe1e452cdd54ec74b0a5dcd51d1c2458ff1885e0f13c239c18bbe4"] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [13, "0666fd6cbd4af11cdf72aa9131a49d8e70456f73a86ab758648703bc1e6ebd59"], [0] ] }, "sc": 2 }, { "direct": false, "hash": { "url": [ [43, 
"ca722ff8edbbc0a13e840d505dd436dac6ec5cd2330073b6b6124258fb0d5f54"] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [45, "024587940dc269ca51329c7f19aadf5954bb2ba00754203b9d98d2281a5dd2c1"] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [39, "d5782e7c0f0ed1ba7463a853a81edc9bbac32044fad978f8556bcc57ebceac7e"] ] }, "sc": 0 }, { "direct": true, "hash": { "url": [ [29, "ac014017d245a73e9e6d45a6b41e757acf0424fcbb85684d752d927c5d20ef40"] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [31, "8ec75af564cf5f49e429d7816c7713fe00b2fc3dc24b1b1455aa75ac0c447b3a"], [3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [27, "eaeed874a4ae30c4bb37596b5cdc3639c9e08be83fedbbc85f353c7945c2ad8e"] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [33, "9635f3c8debbf10e593bc947e73c998dfa7f26cde0be5cf59f9f66a95cf67bba"], [3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [24, "9110da1f80be35f588efddea288804be52d347341fcd19ba3da1d4592dd2c40d"] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [23, "c9ceeada3d54916a7fe216fad0f9b017c9876098c16301ea3387b47152320ce8"], [3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [7, "74b3efd95853dcf4e793add5abddf5434b172646063535783522c9208928263d"], [19, "f5ef8ad912a8f643735a69cf45bf603e51f6af9cc60327ba1b2c808d2088d72f"] ] }, "sc": 0 }, { "direct": false, "hash": { "host": [ [0], [11, "97e980a2d03855deff40690b36264e95ef76bba58dcd29737ecdd43081dd2131"] ], "query": [ [20, "b3b035817c027ee98f94a59696cee2cddc94bd6e4ed7c95e040531349b3b992f"], [0] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [32, "fbc13b4a05282c9f194c1e9ca0dc7e4a6e51de838849fcdf5f35601d9e8ecf38"] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [42, "16e5903adff323829bd0635e950f5f4b85d4f1a8070c832c35909f9bf6af3bd9"], [0] ] }, "sc": 0 
}, { "direct": false, "hash": { "url": [ [37, "4fc7023f7dd0aab3b2d2892af568a8c3376760efc059c40530aa0032ae7442f7"], [0] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [13, "f892007e07fe563bc8822ca8af66c5389b9e8f31994adb1f5e42ffd7b9899d92"], [3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [12, "327fac694a6f957b74d2d4bc85a43651f5500fd8e055cf6f03bf83da4bfe5418"], [3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"] ] }, "sc": 0 }, { "direct": true, "hash": { "url": [ [19, "0beed07dc3da6aead4fce6f8cb232927d1b20eb4f7f06d1e66b856a5ba3187ef"], [0] ] }, "sc": 1 }, { "direct": false, "hash": { "url": [ [32, "856830e365ae3fc8ea6577d8b2d5c1e6155d37fc5a6473baa43029a2e2d2eeae"], [0] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [16, "027b77b373d4e927f295d33bf50bb238b007bfd91797fcd551e79a2497c5f7c8"], [3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [31, "6366053930ce7512c068a344739e50297fba40ebd91213db61ee9562701888ba"], [3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [38, "be7c7577e6f1fe9567cedee61118301b1eb4c6a1f476e479adce5a5f34e84a2f"], [3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [35, "6f9994a2e46bd6bed3e739d9d449988303040dd087d9218e5a4b8aa01b342138"] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [30, "87470ff28761412da08b3a72cd832411cb8fb8c5c0136f8b96d4949af6bb004d"], [3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [17, "bc77a5508813ed54429d9747ff6af75fc28d140c198c1ee7dfa13fa1ebac09e8"], [3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [11, 
"a6d0d26d88424e5d1e2a08e3507bfb299b308d1785eb2fdb162d97f18589cea8"], [3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"] ] }, "sc": 1 }, { "direct": false, "hash": { "url": [ [18, "c05c356d809c3f2d1cdd1b6ff9d16fc1024f5c3925bf61abf50e8e1d0f6b8069"], [3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [21, "50ade07afbe7ca8e094128839dd2191c0c48018d7ff754e3c8b88da614768f13"], [3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [20, "e3e88c17ba9ab684b2be9fa3c950ad9d526a0d2478ed661b37b79c581f158190"], [3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [21, "6cdfbcd0d976405a599053ca4b5ef7cd203f180a9c7eb923351cb4f591d3d599"], [3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [21, "5a50d849d24dae791f2476110627d51bbaf9360731286b25ec82fb1629aa160e"], [3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"] ] }, "sc": 0 }, { "direct": true, "hash": { "url": [ [28, "7a1861c931ce0c8bc0fbe4886af66dbca1afca61f8a08b8b34d0b1e7585dadaf"] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [22, "2abdb07ed909f1a257a367c0211061ecb3027a9943af06a93a28f12c92aa94ed"], [0] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [24, "643af5bb7cf4810537061f5ea81febbde5f4d60cebd7768b41b8c0351a9b6af2"], [0] ] }, "sc": 1 }, { "direct": false, "hash": { "url": [ [22, "0136db59a7df0d5528f4d29e6ab201bedc2cf04c2d7a9f10b3d58909f36421df"] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [16, "027b77b373d4e927f295d33bf50bb238b007bfd91797fcd551e79a2497c5f7c8"], [3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"] ] }, "sc": 1 }, { "direct": false, "hash": { "url": [ [27, "650e28997cd30194bb5537ade4a74b646b3abb06fee9cb9d4cf4af28288354e1"], [3, 
"c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [26, "0793f244ecd3c34901023abec5514fbbf5704e6eba76f95461d8d161f4700aa3"] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [25, "2c374ab4efaf85e151d9f5fcd845737356047bd9a37ceb55c77ccf4c3b89e480"] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [29, "d62fad593a5bdf2d4b0bd3cee4f9589b651b207908d1336d7a69d4b9aa6c53a3"] ] }, "sc": 1 }, { "direct": false, "hash": { "url": [ [20, "93b81a4fc17695411a51e7d230b9ce2d4ef13325f0983cb81c1db2d0ad8b8238"], [0] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [55, "4ced13140e0abf5507c97c64a492c5bf6b0200ccd476713e8fc3417598961f69"], [3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [28, "9a5727d91d00f39ddd5e8063c91928713dc0eb02dec2bb743e8e668e2ef5fccc"], [3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [13, "44d9c55341ba05c18ffc28b8551b18a4adb41d16eb920af0b073930d3621ac38"], [0] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [41, "b80aee1049701e1b72f36bd8f338e35801141ce06e12e56f30dc634210401163"], [0] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [26, "e7332164ede2a16873960d0e75ce5c840fe0c8260f66a0855823422b6d5ac116"], [0] ] }, "sc": 0 }, { "direct": false, "hash": { "url": [ [15, "691d96c4a9d1bfd8e706f06ecc170dc31c10e9d4309da9b9cf4b9b496a965d62"], [0] ] }, "sc": 2 }, { "direct": false, "hash": { "url": [ [38, "81fc6084792fb6000dabfe08765fe52d5e33905ae613e7660e0e136052cca206"], [0] ] }, "sc": 2 }, { "direct": false, "hash": { "url": [ [16, "c3387b7ffe31907c8886fa12ead40ec5d785f2d8853f7938c23155a1232f80c8"], [3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"] ] }, "sc": 1 }, { "direct": false, "hash": { "url": [ [17, "93677c56483c36ee9e8f17e311cdb9161513105fa0cd92ad3df0bf1f43f8aa82"], [0] ] }, "sc": 0 }, { 
"direct": false, "hash": { "url": [ [16, "c3387b7ffe31907c8886fa12ead40ec5d785f2d8853f7938c23155a1232f80c8"] ] }, "sc": 1 }, { "direct": false, "hash": { "url": [ [20, "1380de9cabcaab06d9fa57b0da79b456fa050194e95978b41974b8d33e5c670d"] ] }, "sc": 1 }];

// ---------------------------------------------------------------------------
// PAC routing logic. Annotated for analysis; the code itself is unchanged.
//
// Shape of one `hashes` entry, as read by the functions below:
//   direct : true  -> a match returns 'DIRECT' (an exception to the intercept)
//            false -> a match returns the `proxy` string
//   sc     : scheme selector -- 0 = http only, 1 = https only, 2 = both
//   hash   : either { url: pattern } or { host: pattern, query: pattern }
// A pattern is one or two [length, sha256-hex] pairs. A pair written as [0]
// has no hash and places no constraint on that side of the string.
// ---------------------------------------------------------------------------

/**
 * Tests `string` against one stored pattern.
 *
 * - One pair, and `string.length` equals the stored length: the whole string
 *   is hashed and compared (exact match).
 * - Otherwise the first pair is treated as a prefix check and the second pair
 *   as a suffix check; each hashes only the stored number of characters.
 *
 * NOTE(review): a one-pair pattern whose stored length differs from
 * `string.length` falls into the prefix/suffix branch. If the prefix hash
 * then matches, `hash[1]` is read although it does not exist, so replaying
 * URLs through this function in an emulator can throw.
 *
 * @param {Array} hash - pattern: one or two [length, sha256-hex] pairs
 * @param {string} string - candidate text (URL without scheme, host, or query)
 * @returns {boolean} true when the pattern matches
 */
function checkPattern(hash, string) {
  if ((hash.length == 1) && (string.length == hash[0][0])) {
    // `==` compares the digest object with a hex string; this relies on the
    // toString() of the CryptoJS WordArray defined earlier in this script,
    // which stringifies as hex by default.
    return (CryptoJS.SHA256(string) == hash[0][1])
  } else {
    // Prefix side: a stored length of 0 means "any prefix".
    var left = false;
    if (hash[0][0] > 0) {
      if (CryptoJS.SHA256(string.substring(0, hash[0][0])) == hash[0][1]) {
        left = true;
      }
    } else {
      left = true;
    }
    if (left) {
      // Suffix side: a stored length of 0 means "any suffix".
      var right = false;
      if (hash[1][0] > 0) {
        if (CryptoJS.SHA256(string.substring(string.length - hash[1][0])) == hash[1][1]) {
          right = true;
        }
      } else {
        right = true;
      }
      return (left && right)
    }
  }
  return false
}

/**
 * Applies one entry's `hash` object to the request.
 *
 * - `hash.url`: the URL with its leading http:// or https:// removed is
 *   matched as a single string.
 * - `hash.host` + `hash.query`: the host and the path/query part (rebuilt
 *   with a leading '/') are matched separately, and both must match.
 *
 * @param {Object} hash - the `hash` member of a `hashes` entry
 * @param {string} url - URL passed to FindProxyForURL
 * @param {string} host - host passed to FindProxyForURL
 * @returns {boolean} true when the entry matches this request
 */
function checkHash(hash, url, host) {
  if (hash.url) {
    return checkPattern(hash.url, url.replace(/^https?:\/\//, ''))
  } else if (hash.host && hash.query) {
    // Drops everything up to and including the first '/' after the "//".
    var query = '/' + url.replace(/.*?\/\/.*?\//, '')
    return checkPattern(hash.query, query) && checkPattern(hash.host, host)
  }
  return false
}

// Proxy directive returned for intercepted requests. In PAC syntax the
// trailing "; DIRECT" is a fallback: if the proxy cannot be reached the
// browser connects directly, so blocking this address at the perimeter stops
// the interception without the user noticing broken browsing.
var proxy = 'PROXY 50.7.182.141:51598; DIRECT';
// When true, https:// URLs are also evaluated against the list.
var have_https = true;

/**
 * PAC entry point, called by the browser for each request.
 *
 * Order of decisions, as written below:
 *  1. The exact URL 'https://stoppblock.net/' is sent to the proxy.
 *  2. Anything that is not http:// (or https:// while have_https is set)
 *     goes DIRECT.
 *  3. Plain host names, *.local, and hosts that resolve into the listed
 *     private/reserved ranges go DIRECT.
 *  4. The `hashes` list is scanned in order; the first entry whose scheme
 *     selector and pattern both match decides: DIRECT if `direct` is set,
 *     otherwise the proxy.
 *  5. No match: DIRECT.
 *
 * @param {string} url - full request URL
 * @param {string} host - host name taken from the URL
 * @returns {string} PAC directive: 'DIRECT' or the `proxy` string
 */
function FindProxyForURL(url, host) {
  if (url == 'https://stoppblock.net/') {
    return proxy;
  }
  var https = url.indexOf('https://') == 0;
  if ((url.indexOf('http://') !== 0) && (!https || !have_https)) {
    return 'DIRECT';
  }
  // Local and reserved destinations are never proxied. dnsResolve(host) is
  // called once per range test. Note the last mask: only 127.0.0.0/24 is
  // covered, not the whole 127.0.0.0/8 loopback block.
  if (isPlainHostName(host) ||
      shExpMatch(host, "*.local") ||
      isInNet(dnsResolve(host), "0.0.0.0", "255.0.0.0") ||
      isInNet(dnsResolve(host), "10.0.0.0", "255.0.0.0") ||
      isInNet(dnsResolve(host), "172.16.0.0", "255.240.0.0") ||
      isInNet(dnsResolve(host), "192.168.0.0", "255.255.0.0") ||
      isInNet(dnsResolve(host), "169.254.0.0", "255.255.0.0") ||
      isInNet(dnsResolve(host), "192.0.2.0", "255.255.255.0") ||
      isInNet(dnsResolve(host), "224.0.0.0", "240.0.0.0") ||
      isInNet(dnsResolve(host), "240.0.0.0", "240.0.0.0") ||
      isInNet(dnsResolve(host), "127.0.0.0", "255.255.255.0"))
    return "DIRECT";
  for (var i = 0; i < hashes.length; i++) {
    var hash = hashes[i];
    // Scheme gate: sc 2 = any scheme, sc 1 = https only, sc 0 = http only.
    if ((hash.sc == 2) || ((hash.sc == 1) && (https)) || ((hash.sc == 0) && (!https))) {
      if (checkHash(hash.hash, url, host)) {
        // First matching entry wins; `direct` entries act as exceptions.
        if (hash.direct) {
          return 'DIRECT'
        }
        return proxy
      }
    }
  }
  return 'DIRECT'
}