In a continuation to the previous post about a computer with “infected” DNS settings….
The same machine also had a Proxy PAC file set.
In the specific computers instance it had this URL set in the automatic proxy settings section:
http://stoppblock.net/wpad.dat?fb4c39d90b3dd1f76bda246b4a60839913671305
stoppblock.net, registered via a whois privacy service, was only registered on the 4th July 2016 and has only been hosting a website from around the 21st July. A similar domain “Stopblock.me” seems to have been registered much longer ago in September 2015 using a privacy service and a similar DNS setup to the new site and is hosted at the same datacenter.
Now – if you download the above URL using something like Notepad or CURL you get a blank file telling software to go DIRECT;
If you use a known browser you instead get the following PAC script found at the end of this blog article.
What is interesting here is they seem to be taking SHA256 hashes of URLs and matching them. Clever idea. This instantly increases the difficulty in identifying which websites they are targeting with their proxy attack.
It looks like they are usurping traffic to 192 domains.
If one of these domains is detected they then currently relay the traffic via the following proxy hosted at FDC Servers:
50.7.182.141:51598
It looks like the above server has thousands of open ports, probably all entirely open and ready to proxy.
If you manually set your proxy to it you can tell which websites are on their intercept list in the PAC file. Any domain they don’t like is greeted with a “403 Forbidden” while domains they do like.. (some that I’ve found so far):
– Google.com
– chrome.google.com
– http://www.google-analytics.com
The above sites get proxied and SSL Man in the middled (MITM). I feel like maybe the malware which setup this PAC comes along with it’s own “Trusted” Root CA so their generated proxy certificates work.
Upon initial investigation the root of google.com doesn’t get modified upon request via the malware proxy.
Here is the proxy PAC code as referenced above.. it was too long to put in the middle of the article:
/*
CryptoJS v3.1.2
code.google.com/p/crypto-js
(c) 2009-2013 by Jeff Mott. All rights reserved.
code.google.com/p/crypto-js/wiki/License
*/
var CryptoJS = CryptoJS || function(h, s) {
var f = {},
t = f.lib = {},
g = function() {},
j = t.Base = {
extend: function(a) {
g.prototype = this;
var c = new g;
a && c.mixIn(a);
c.hasOwnProperty("init") || (c.init = function() {
c.$super.init.apply(this, arguments)
});
c.init.prototype = c;
c.$super = this;
return c
},
create: function() {
var a = this.extend();
a.init.apply(a, arguments);
return a
},
init: function() {},
mixIn: function(a) {
for (var c in a) a.hasOwnProperty(c) && (this[c] = a[c]);
a.hasOwnProperty("toString") && (this.toString = a.toString)
},
clone: function() {
return this.init.prototype.extend(this)
}
},
q = t.WordArray = j.extend({
init: function(a, c) {
a = this.words = a || [];
this.sigBytes = c != s ? c : 4 * a.length
},
toString: function(a) {
return (a || u).stringify(this)
},
concat: function(a) {
var c = this.words,
d = a.words,
b = this.sigBytes;
a = a.sigBytes;
this.clamp();
if (b % 4)
for (var e = 0; e < a; e++) c[b + e >>> 2] |= (d[e >>> 2] >>> 24 - 8 * (e % 4) & 255) << 24 - 8 * ((b + e) % 4);
else if (65535 < d.length)
for (e = 0; e < a; e += 4) c[b + e >>> 2] = d[e >>> 2];
else c.push.apply(c, d);
this.sigBytes += a;
return this
},
clamp: function() {
var a = this.words,
c = this.sigBytes;
a[c >>> 2] &= 4294967295 <<
32 - 8 * (c % 4);
a.length = h.ceil(c / 4)
},
clone: function() {
var a = j.clone.call(this);
a.words = this.words.slice(0);
return a
},
random: function(a) {
for (var c = [], d = 0; d < a; d += 4) c.push(4294967296 * h.random() | 0);
return new q.init(c, a)
}
}),
v = f.enc = {},
u = v.Hex = {
stringify: function(a) {
var c = a.words;
a = a.sigBytes;
for (var d = [], b = 0; b < a; b++) {
var e = c[b >>> 2] >>> 24 - 8 * (b % 4) & 255;
d.push((e >>> 4).toString(16));
d.push((e & 15).toString(16))
}
return d.join("")
},
parse: function(a) {
for (var c = a.length, d = [], b = 0; b < c; b += 2) d[b >>> 3] |= parseInt(a.substr(b,
2), 16) << 24 - 4 * (b % 8);
return new q.init(d, c / 2)
}
},
k = v.Latin1 = {
stringify: function(a) {
var c = a.words;
a = a.sigBytes;
for (var d = [], b = 0; b < a; b++) d.push(String.fromCharCode(c[b >>> 2] >>> 24 - 8 * (b % 4) & 255));
return d.join("")
},
parse: function(a) {
for (var c = a.length, d = [], b = 0; b < c; b++) d[b >>> 2] |= (a.charCodeAt(b) & 255) << 24 - 8 * (b % 4);
return new q.init(d, c)
}
},
l = v.Utf8 = {
stringify: function(a) {
try {
return decodeURIComponent(escape(k.stringify(a)))
} catch (c) {
throw Error("Malformed UTF-8 data");
}
},
parse: function(a) {
return k.parse(unescape(encodeURIComponent(a)))
}
},
x = t.BufferedBlockAlgorithm = j.extend({
reset: function() {
this._data = new q.init;
this._nDataBytes = 0
},
_append: function(a) {
"string" == typeof a && (a = l.parse(a));
this._data.concat(a);
this._nDataBytes += a.sigBytes
},
_process: function(a) {
var c = this._data,
d = c.words,
b = c.sigBytes,
e = this.blockSize,
f = b / (4 * e),
f = a ? h.ceil(f) : h.max((f | 0) - this._minBufferSize, 0);
a = f * e;
b = h.min(4 * a, b);
if (a) {
for (var m = 0; m < a; m += e) this._doProcessBlock(d, m);
m = d.splice(0, a);
c.sigBytes -= b
}
return new q.init(m, b)
},
clone: function() {
var a = j.clone.call(this);
a._data = this._data.clone();
return a
},
_minBufferSize: 0
});
t.Hasher = x.extend({
cfg: j.extend(),
init: function(a) {
this.cfg = this.cfg.extend(a);
this.reset()
},
reset: function() {
x.reset.call(this);
this._doReset()
},
update: function(a) {
this._append(a);
this._process();
return this
},
finalize: function(a) {
a && this._append(a);
return this._doFinalize()
},
blockSize: 16,
_createHelper: function(a) {
return function(c, d) {
return (new a.init(d)).finalize(c)
}
},
_createHmacHelper: function(a) {
return function(c, d) {
return (new w.HMAC.init(a,
d)).finalize(c)
}
}
});
var w = f.algo = {};
return f
}(Math);
(function(h) {
for (var s = CryptoJS, f = s.lib, t = f.WordArray, g = f.Hasher, f = s.algo, j = [], q = [], v = function(a) {
return 4294967296 * (a - (a | 0)) | 0
}, u = 2, k = 0; 64 > k;) {
var l;
a: {
l = u;
for (var x = h.sqrt(l), w = 2; w <= x; w++)
if (!(l % w)) {
l = !1;
break a
}
l = !0
}
l && (8 > k && (j[k] = v(h.pow(u, 0.5))), q[k] = v(h.pow(u, 1 / 3)), k++);
u++
}
var a = [],
f = f.SHA256 = g.extend({
_doReset: function() {
this._hash = new t.init(j.slice(0))
},
_doProcessBlock: function(c, d) {
for (var b = this._hash.words, e = b[0], f = b[1], m = b[2], h = b[3], p = b[4], j = b[5], k = b[6], l = b[7], n = 0; 64 > n; n++) {
if (16 > n) a[n] =
c[d + n] | 0;
else {
var r = a[n - 15],
g = a[n - 2];
a[n] = ((r << 25 | r >>> 7) ^ (r << 14 | r >>> 18) ^ r >>> 3) + a[n - 7] + ((g << 15 | g >>> 17) ^ (g << 13 | g >>> 19) ^ g >>> 10) + a[n - 16]
}
r = l + ((p << 26 | p >>> 6) ^ (p << 21 | p >>> 11) ^ (p << 7 | p >>> 25)) + (p & j ^ ~p & k) + q[n] + a[n];
g = ((e << 30 | e >>> 2) ^ (e << 19 | e >>> 13) ^ (e << 10 | e >>> 22)) + (e & f ^ e & m ^ f & m);
l = k;
k = j;
j = p;
p = h + r | 0;
h = m;
m = f;
f = e;
e = r + g | 0
}
b[0] = b[0] + e | 0;
b[1] = b[1] + f | 0;
b[2] = b[2] + m | 0;
b[3] = b[3] + h | 0;
b[4] = b[4] + p | 0;
b[5] = b[5] + j | 0;
b[6] = b[6] + k | 0;
b[7] = b[7] + l | 0
},
_doFinalize: function() {
var a = this._data,
d = a.words,
b = 8 * this._nDataBytes,
e = 8 * a.sigBytes;
d[e >>> 5] |= 128 << 24 - e % 32;
d[(e + 64 >>> 9 << 4) + 14] = h.floor(b / 4294967296);
d[(e + 64 >>> 9 << 4) + 15] = b;
a.sigBytes = 4 * d.length;
this._process();
return this._hash
},
clone: function() {
var a = g.clone.call(this);
a._hash = this._hash.clone();
return a
}
});
s.SHA256 = g._createHelper(f);
s.HmacSHA256 = g._createHmacHelper(f)
})(Math);
var hashes = [{
"direct": false,
"hash": {
"url": [
[30, "3641293c700dbf07c69bc819ea7c168efa75c54a953a0c73af7d62edf2e44c0c"]
]
},
"sc": 2
}, {
"direct": false,
"hash": {
"url": [
[30, "005acdb782876c1d12cbabd154734baf814d95d0d0cc9a189e161f50850e6e11"]
]
},
"sc": 1
}, {
"direct": false,
"hash": {
"url": [
[37, "091ba1b78804e5415b317554c2d3edcc0fa9b0907109392187a24f22951de9a2"]
]
},
"sc": 2
}, {
"direct": false,
"hash": {
"url": [
[34, "85fa4e502c08ba456c3b3e78162a7edf3a3dd251b3f091abf1889ba33eab6f62"]
]
},
"sc": 2
}, {
"direct": false,
"hash": {
"url": [
[54, "2fb5d5f6b16a61a5a2463c2918b82a56c1f93e3f610ed11e2d2b4b692e6bd24c"]
]
},
"sc": 2
}, {
"direct": false,
"hash": {
"url": [
[31, "69c01b96756640faf07f816ebec4994d054a328c84f32d8f3ad2b4f817ff72aa"]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[27, "aab8f002cb79cc9542a001fec8544bc331f0b42292db3a49ee245a6a218eea2a"]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[16, "02a0becb3e90c1c50bb9932bffb7c4d130cd6b78558dedbec7c39b1624132894"],
[3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[21, "027a1ea4c5fe27134a12fc6b166b58e98d91242e19f89405147b78e5d21c4f8d"],
[3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[18, "04d62c424bfe5388333e11b6ccb47f6f78e43bf26b92d5c4a140681fb8cf6a44"],
[0]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[38, "cbc1c5ba723aa977c56aecdab1a8c71c41c046046e05ca14d2fa28dd10092fb6"]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[24, "49dbf639e44e763f59cb09945e0a011e7420d44c179301ab3a09e708d903709e"],
[3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"]
]
},
"sc": 2
}, {
"direct": false,
"hash": {
"url": [
[18, "7e8d27eec13ac38216d4edd72d1a29bff2f329c6ed6a8a8a94857834a4836b3f"],
[3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[31, "6d3eaddd0cde25e6ec74b5bbbfcb33fdbef5f549b0c94befcbf419475b6979f4"],
[3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[28, "4de73617a098f4609a06ec0c77317d64ac361e831390c275d4fb65f2c1cd0649"],
[3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[33, "da55e41175f29ad2ef7a82451594d80a55f0976a416aa92204949430a2bcd2bb"]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[24, "6a51ab44baf159b7dfd06897c2ee9b109047d648527883b400939723fb51b34e"],
[3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[16, "6cdc2695d51e4a71a47b738a2e5da370b69928365f901afa139b0d6e09a4a611"],
[0]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[20, "da3d05b85e36da5c00d2684f8b6c11a151ef805269628a5e288f11367c85b770"],
[3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"]
]
},
"sc": 2
}, {
"direct": true,
"hash": {
"url": [
[34, "2f65f195f63f3e53bacca32a2ce6807ff0b201845fc435ceea3717cef9784858"]
]
},
"sc": 0
}, {
"direct": true,
"hash": {
"url": [
[34, "068af4337f674b90b82cba9b9201749f819a3d0b13e7b807d12cc42cdcd52996"],
[0]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[25, "16bba5056246699217e8e202a86955a264f1fa4afad31c9bbc2f7c1f7b1950cf"],
[0]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[6, "2eaab02c6da2d10b1c74431c94246073901239f9cf5d468ce50e972fe10eedec"],
[0]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[12, "6a6f36afaf2268aee5bb31ca04125b2bc763f08d7ba8711e4bdff70867910553"],
[0]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[7, "0a6fe22ff241ea94df392b8156568f20391723837ab230318fb077b2375c7cde"],
[0]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[39, "66a712273426ba40b7b7e106bbbdcaf4b72564e351b3f3f48ce7c20678e648c6"]
]
},
"sc": 2
}, {
"direct": false,
"hash": {
"url": [
[32, "a718d72aef8ad2227b48fcb0e41aad227e7df749b181778c1fde42940b43c99a"],
[3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[33, "c59e07a5fbde05ed1a56fbcacbd729407e4d2ace0999f1fa7b6d67e1134f16c8"],
[0]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[20, "7ee2c2d8d2139dde94960b7b10068490709d33396936b3025f4fb084024faacd"]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[22, "5cb102dd91d9f0335ceec0d054f9a3534948269494795cf5343db79af0bf1937"]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[24, "1e714788036e892cf617e1dd0f2329041329022855b9e740e98e97a6a6b11ef3"],
[3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[15, "69f1b962dac671b921437d0f1295291c18c2757d2b35bb4dc0bd417a83544c0d"],
[3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[27, "0730a01c9239a112d8f20d388d11f0adbb85ef5cad54ef274ac1f1dcddf592a0"],
[3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[18, "ba84717110aa9f1e08279a074c84eac1616a5b1586a723a0f047c6e24873e8a4"]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[19, "7a8652ccd303235bf5daa855af51a26ea43ca141af05d29a69068d0a7ce1d308"],
[0]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[17, "5cbc646b4c93ceb0ceacc82b4d919a0d55c9f4219a37181a857648876f4f8962"],
[0]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[17, "2ab969e3bb4f21a9c0857a48d7d48959b7579b66d819f5bb5113e0a8daa73837"],
[0]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[16, "f1fd0a0951825ee7a48ad64357f6b8842c7afa522f2607dbd24676f331be49de"],
[0]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[21, "28418d5891c9e953da3d34b8196148ca2f5fe2ea8f9410d0158854fac8c259ea"],
[0]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[16, "24706f423df420f1414ea4fa5b8075795c93ae8744c1274fb5c1a0b153d343f7"],
[0]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[24, "3f5db3d1f1c2dcca55a962a138f4e89c39ec7d77698d71693029920826215d6f"],
[3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[48, "d8de67906050cd51ad3d8dd6e03e9e1a7b95c338282d65c8ea294ded63d2e1ad"],
[0]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[13, "e8fe445cea211abe733b631f0ed07a4acf73692be6fdcbe8601433686c778d3f"],
[3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[17, "a9aff9dbfe5dac558e6cf7885b3cfd7cedb53791b20e5346c858a7ff59bee5ef"],
[3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[19, "6392865db408402c48f8a16956719f1fea3a765e4a00608acc7fa6ba4e4cda14"],
[3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"]
]
},
"sc": 0
}, {
"direct": true,
"hash": {
"url": [
[22, "5d8c1fbee8589adc33914e3d08be0567e2dc3188da065f889986e7efc4ea4062"],
[0]
]
},
"sc": 0
}, {
"direct": true,
"hash": {
"url": [
[18, "9b307d54955bd62e21d6ffdf7078d226c9d3ed7a4a8338c3ac25ec1859deaf25"],
[0]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[29, "46d18cdcbd926bcdaf11e4bb2173d996bbd0e556a3e123c202447e8e4b01eb9c"],
[0]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"host": [
[0],
[11, "c323094109b3dde96a8b67aa1ebd11c183a3929160a042677a2c6a60e4de1538"]
],
"query": [
[1, "8a5edab282632443219e051e4ade2d1d5bbc671c781051bf1437897cbdfea0f1"],
[3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[27, "07e55167364c91f40142adda36fb3282bd6446f819d5973aa8a7a7c3fa339655"],
[3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[30, "8a1a87606ecd96cdeead029c379a6297d0546b1efcf63019d1145db57f8ab754"],
[0]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[28, "d8f4ce3f051558a4439835f37030ab06002c32a864d531febf09fe3255e90236"]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[23, "93d939d480026892d9c8d3049d5d8954784dbc8258907e44653caabb8a9a9494"],
[3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[32, "05854e7dfdb0d0f28e13323213aeff271e91109083a6a76a42b51d9ccd18e741"],
[0]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[17, "b6481263a60e1563a9e2466d54a7ef33fd2ce1179ff224019bf7550c57967a9a"],
[3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[21, "63fdd9a9d5ce7c44c7b21c0d6a1237f8f0c97260e55746dcd8f6ef5a4a50af91"],
[3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[28, "f8aba15bc5e864b1e557f1ef93414583458d39200f9bda36168fe7383eb9ee58"],
[0]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[28, "2fb79d03565dc4b4b295f195c51388515f44ce577e7779b2b1cb6197ff5f5b3c"],
[0]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[17, "2e50b70712b5bbfc38324d5312943c67d53997803aa407e4e8e72b124767b0ad"],
[3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"]
]
},
"sc": 0
}, {
"direct": true,
"hash": {
"url": [
[19, "40d5f76b780574f1477b7c9e22ec16630c27f06b2b3cbdeb838f85db9ad35790"],
[0]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"host": [
[0],
[15, "70cce251eeaa07eafa39aa035f7d94475c6a336209873acc9fb4180f0d5d4fa5"]
],
"query": [
[8, "d0beddcba48b2cdda553b03c812e27bcfa6d2aaa0d6aa7cb59715b0abd7fae13"],
[0]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[11, "c509965f343c674675f345d1db0312149080f5d025d2fcf6e1fe13d504723427"],
[3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[18, "a8dd9f1252e46a5771e131c437b79659ace18757bd3a8027a2f5b0dc0d5eabff"],
[3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[22, "87faaa158280444d037fae86bc1171429c2ea40986a484b2769a0a90a37a5a2a"],
[3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"]
]
},
"sc": 2
}, {
"direct": false,
"hash": {
"host": [
[3, "db9831b53a8574d33f3d7ce6820598c67224687dbe57cbbc10b6070e5aa57744"],
[18, "ffc4f10fa9a96a12ed23fe43e7618e984aac46dee8474f3f8443b252fa08f3ae"]
],
"query": [
[1, "8a5edab282632443219e051e4ade2d1d5bbc671c781051bf1437897cbdfea0f1"],
[3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"]
]
},
"sc": 2
}, {
"direct": false,
"hash": {
"url": [
[20, "0c9efdccc14c3d6617b9941985a3a498e4577e0343e38bbda7c2fb364dc54b45"],
[3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[12, "59ea2297c48ef6c923b4ca8a8f601d0e06baa1b11c7be1cc139945f05a081cca"],
[3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[29, "1d5b888f0582e1221111e49b8c0c4ce405235f26be1c73d90ca4a56664069338"],
[3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[42, "d91d4822c7a1d78ffd55bbeba1f80c85b317f1628618138c06d09be65c2a1dda"]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[20, "bf9d95f31c6dd46a0d8e48c07f04c1a2f8567b34f82c7a500f8b25798c8b9161"]
]
},
"sc": 2
}, {
"direct": false,
"hash": {
"url": [
[22, "3a4bb360cf6dc2998f0156bae6af9e3b4316e69f67e5ab9472dfc0d6b7cf0517"],
[3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[19, "84210dcb2a72a50dcec85d433904c20f93b7c0f406a7fc2dc0bf18eead6f37e1"],
[3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[21, "308318146fb2df522dea622450a9a3d9db6f4071e9d6e8c5f9626591e80dc859"],
[3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[23, "70c2ad9405d9a541e96ad8e0fe090388d6fbdced541e5a60d140e840ed0495df"],
[3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[42, "800290b8febd876a5720c5eda59879dcab36cf763bc8a925fbcffca69a7ffb63"]
]
},
"sc": 2
}, {
"direct": false,
"hash": {
"url": [
[20, "7e2979b6da973a47db083d02d42d13ff4325ea25b7aa73bbe940cd147bcb215b"],
[3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"]
]
},
"sc": 0
}, {
"direct": true,
"hash": {
"url": [
[39, "0ed60029e32cfbb08d3701acbeb82d5b6a83aa2f2466ba607ec49b5ed28e5eed"]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[34, "4582ac7ade5230bb99743495f238b70a897f7c5aee68f38e63782f9889396425"],
[0]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[23, "39081ae925fe1e452cdd54ec74b0a5dcd51d1c2458ff1885e0f13c239c18bbe4"]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[13, "0666fd6cbd4af11cdf72aa9131a49d8e70456f73a86ab758648703bc1e6ebd59"],
[0]
]
},
"sc": 2
}, {
"direct": false,
"hash": {
"url": [
[43, "ca722ff8edbbc0a13e840d505dd436dac6ec5cd2330073b6b6124258fb0d5f54"]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[45, "024587940dc269ca51329c7f19aadf5954bb2ba00754203b9d98d2281a5dd2c1"]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[39, "d5782e7c0f0ed1ba7463a853a81edc9bbac32044fad978f8556bcc57ebceac7e"]
]
},
"sc": 0
}, {
"direct": true,
"hash": {
"url": [
[29, "ac014017d245a73e9e6d45a6b41e757acf0424fcbb85684d752d927c5d20ef40"]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[31, "8ec75af564cf5f49e429d7816c7713fe00b2fc3dc24b1b1455aa75ac0c447b3a"],
[3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[27, "eaeed874a4ae30c4bb37596b5cdc3639c9e08be83fedbbc85f353c7945c2ad8e"]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[33, "9635f3c8debbf10e593bc947e73c998dfa7f26cde0be5cf59f9f66a95cf67bba"],
[3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[24, "9110da1f80be35f588efddea288804be52d347341fcd19ba3da1d4592dd2c40d"]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[23, "c9ceeada3d54916a7fe216fad0f9b017c9876098c16301ea3387b47152320ce8"],
[3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[7, "74b3efd95853dcf4e793add5abddf5434b172646063535783522c9208928263d"],
[19, "f5ef8ad912a8f643735a69cf45bf603e51f6af9cc60327ba1b2c808d2088d72f"]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"host": [
[0],
[11, "97e980a2d03855deff40690b36264e95ef76bba58dcd29737ecdd43081dd2131"]
],
"query": [
[20, "b3b035817c027ee98f94a59696cee2cddc94bd6e4ed7c95e040531349b3b992f"],
[0]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[32, "fbc13b4a05282c9f194c1e9ca0dc7e4a6e51de838849fcdf5f35601d9e8ecf38"]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[42, "16e5903adff323829bd0635e950f5f4b85d4f1a8070c832c35909f9bf6af3bd9"],
[0]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[37, "4fc7023f7dd0aab3b2d2892af568a8c3376760efc059c40530aa0032ae7442f7"],
[0]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[13, "f892007e07fe563bc8822ca8af66c5389b9e8f31994adb1f5e42ffd7b9899d92"],
[3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[12, "327fac694a6f957b74d2d4bc85a43651f5500fd8e055cf6f03bf83da4bfe5418"],
[3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"]
]
},
"sc": 0
}, {
"direct": true,
"hash": {
"url": [
[19, "0beed07dc3da6aead4fce6f8cb232927d1b20eb4f7f06d1e66b856a5ba3187ef"],
[0]
]
},
"sc": 1
}, {
"direct": false,
"hash": {
"url": [
[32, "856830e365ae3fc8ea6577d8b2d5c1e6155d37fc5a6473baa43029a2e2d2eeae"],
[0]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[16, "027b77b373d4e927f295d33bf50bb238b007bfd91797fcd551e79a2497c5f7c8"],
[3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[31, "6366053930ce7512c068a344739e50297fba40ebd91213db61ee9562701888ba"],
[3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[38, "be7c7577e6f1fe9567cedee61118301b1eb4c6a1f476e479adce5a5f34e84a2f"],
[3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[35, "6f9994a2e46bd6bed3e739d9d449988303040dd087d9218e5a4b8aa01b342138"]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[30, "87470ff28761412da08b3a72cd832411cb8fb8c5c0136f8b96d4949af6bb004d"],
[3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[17, "bc77a5508813ed54429d9747ff6af75fc28d140c198c1ee7dfa13fa1ebac09e8"],
[3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[11, "a6d0d26d88424e5d1e2a08e3507bfb299b308d1785eb2fdb162d97f18589cea8"],
[3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"]
]
},
"sc": 1
}, {
"direct": false,
"hash": {
"url": [
[18, "c05c356d809c3f2d1cdd1b6ff9d16fc1024f5c3925bf61abf50e8e1d0f6b8069"],
[3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[21, "50ade07afbe7ca8e094128839dd2191c0c48018d7ff754e3c8b88da614768f13"],
[3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[20, "e3e88c17ba9ab684b2be9fa3c950ad9d526a0d2478ed661b37b79c581f158190"],
[3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[21, "6cdfbcd0d976405a599053ca4b5ef7cd203f180a9c7eb923351cb4f591d3d599"],
[3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[21, "5a50d849d24dae791f2476110627d51bbaf9360731286b25ec82fb1629aa160e"],
[3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"]
]
},
"sc": 0
}, {
"direct": true,
"hash": {
"url": [
[28, "7a1861c931ce0c8bc0fbe4886af66dbca1afca61f8a08b8b34d0b1e7585dadaf"]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[22, "2abdb07ed909f1a257a367c0211061ecb3027a9943af06a93a28f12c92aa94ed"],
[0]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[24, "643af5bb7cf4810537061f5ea81febbde5f4d60cebd7768b41b8c0351a9b6af2"],
[0]
]
},
"sc": 1
}, {
"direct": false,
"hash": {
"url": [
[22, "0136db59a7df0d5528f4d29e6ab201bedc2cf04c2d7a9f10b3d58909f36421df"]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[16, "027b77b373d4e927f295d33bf50bb238b007bfd91797fcd551e79a2497c5f7c8"],
[3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"]
]
},
"sc": 1
}, {
"direct": false,
"hash": {
"url": [
[27, "650e28997cd30194bb5537ade4a74b646b3abb06fee9cb9d4cf4af28288354e1"],
[3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[26, "0793f244ecd3c34901023abec5514fbbf5704e6eba76f95461d8d161f4700aa3"]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[25, "2c374ab4efaf85e151d9f5fcd845737356047bd9a37ceb55c77ccf4c3b89e480"]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[29, "d62fad593a5bdf2d4b0bd3cee4f9589b651b207908d1336d7a69d4b9aa6c53a3"]
]
},
"sc": 1
}, {
"direct": false,
"hash": {
"url": [
[20, "93b81a4fc17695411a51e7d230b9ce2d4ef13325f0983cb81c1db2d0ad8b8238"],
[0]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[55, "4ced13140e0abf5507c97c64a492c5bf6b0200ccd476713e8fc3417598961f69"],
[3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[28, "9a5727d91d00f39ddd5e8063c91928713dc0eb02dec2bb743e8e668e2ef5fccc"],
[3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[13, "44d9c55341ba05c18ffc28b8551b18a4adb41d16eb920af0b073930d3621ac38"],
[0]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[41, "b80aee1049701e1b72f36bd8f338e35801141ce06e12e56f30dc634210401163"],
[0]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[26, "e7332164ede2a16873960d0e75ce5c840fe0c8260f66a0855823422b6d5ac116"],
[0]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[15, "691d96c4a9d1bfd8e706f06ecc170dc31c10e9d4309da9b9cf4b9b496a965d62"],
[0]
]
},
"sc": 2
}, {
"direct": false,
"hash": {
"url": [
[38, "81fc6084792fb6000dabfe08765fe52d5e33905ae613e7660e0e136052cca206"],
[0]
]
},
"sc": 2
}, {
"direct": false,
"hash": {
"url": [
[16, "c3387b7ffe31907c8886fa12ead40ec5d785f2d8853f7938c23155a1232f80c8"],
[3, "c084fba7baf6b259d2eaf35dc39bdcc0e37737560a022eb6ced4018424c2a3d8"]
]
},
"sc": 1
}, {
"direct": false,
"hash": {
"url": [
[17, "93677c56483c36ee9e8f17e311cdb9161513105fa0cd92ad3df0bf1f43f8aa82"],
[0]
]
},
"sc": 0
}, {
"direct": false,
"hash": {
"url": [
[16, "c3387b7ffe31907c8886fa12ead40ec5d785f2d8853f7938c23155a1232f80c8"]
]
},
"sc": 1
}, {
"direct": false,
"hash": {
"url": [
[20, "1380de9cabcaab06d9fa57b0da79b456fa050194e95978b41974b8d33e5c670d"]
]
},
"sc": 1
}];
function checkPattern(hash, string) {
if ((hash.length == 1) && (string.length == hash[0][0])) {
return (CryptoJS.SHA256(string) == hash[0][1])
} else {
var left = false;
if (hash[0][0] > 0) {
if (CryptoJS.SHA256(string.substring(0, hash[0][0])) == hash[0][1]) {
left = true;
}
} else {
left = true;
}
if (left) {
var right = false;
if (hash[1][0] > 0) {
if (CryptoJS.SHA256(string.substring(string.length - hash[1][0])) == hash[1][1]) {
right = true;
}
} else {
right = true;
}
return (left && right)
}
}
return false
}
function checkHash(hash, url, host) {
if (hash.url) {
return checkPattern(hash.url, url.replace(/^https?:\/\//, ''))
} else if (hash.host && hash.query) {
var query = '/' + url.replace(/.*?\/\/.*?\//, '')
return checkPattern(hash.query, query) && checkPattern(hash.host, host)
}
return false
}
var proxy = 'PROXY 50.7.182.141:51598; DIRECT';
var have_https = true;
function FindProxyForURL(url, host) {
if (url == 'https://stoppblock.net/') {
return proxy;
}
var https = url.indexOf('https://') == 0;
if ((url.indexOf('http://') !== 0) && (!https || !have_https)) {
return 'DIRECT';
}
if (isPlainHostName(host) ||
shExpMatch(host, "*.local") ||
isInNet(dnsResolve(host), "0.0.0.0", "255.0.0.0") ||
isInNet(dnsResolve(host), "10.0.0.0", "255.0.0.0") ||
isInNet(dnsResolve(host), "172.16.0.0", "255.240.0.0") ||
isInNet(dnsResolve(host), "192.168.0.0", "255.255.0.0") ||
isInNet(dnsResolve(host), "169.254.0.0", "255.255.0.0") ||
isInNet(dnsResolve(host), "192.0.2.0", "255.255.255.0") ||
isInNet(dnsResolve(host), "224.0.0.0", "240.0.0.0") ||
isInNet(dnsResolve(host), "240.0.0.0", "240.0.0.0") ||
isInNet(dnsResolve(host), "127.0.0.0", "255.255.255.0"))
return "DIRECT";
for (var i = 0; i < hashes.length; i++) {
var hash = hashes[i];
if ((hash.sc == 2) || ((hash.sc == 1) && (https)) || ((hash.sc == 0) && (!https))) {
if (checkHash(hash.hash, url, host)) {
if (hash.direct) {
return 'DIRECT'
}
return proxy
}
}
}
return 'DIRECT'
}
thecomputerperson 
Pingback: “104.197.191.4” and “107.178.246.193” Google-Analytics DNS Intercept / Malware. | thecomputerperson