Superfish uses an SDK from Komodia to do SSL MITM. That's probably known by now.
Superfish isn't the only product to use that SDK. There are others too.
Each product that uses the Komodia SDK to MITM has its OWN CA cert and private
key pair. Seems a lot of people think they all use the Superfish cert. That is
NOT the case.
First thing I checked was Komodia's own parental control software,
Keep My Family Secure (mentioned on Komodia's own website).
Of course it used it...

So I decided to Google for parental control software and checked
them. The first one I came across was Qustodio (page 1 of Google
search results). And naturally, it uses Komodia's SDK.

Then I came across some parental control software of Brazilian
origin, called Kurupira Webfilter. Naturally, it uses the Komodia SDK too!

As I said on Twitter, the password is always komodia...
I wonder what else uses Komodia's SDK...
Checked the CERT page and it's been updated with more products
that use Komodia's SDK. So here's the cert and privkey for
StaffCop. Interestingly, the CERT page says only 5.6 is affected,
but I checked the latest 5.8 and it also uses Komodia...

Another one from CERT's page, "Easy Hide IP Classic". Why would
a VPN MITM SSL connections? Definitely not for a good reason.

Next: Lavasoft Ad-Aware Web Companion. Lavasoft should know
better in my opinion, but given that this one is only the third
I've seen to use Komodia's "anti-av", and this one uses XXTEA
not Blowfish... (and it caused me some trouble unpacking, at least
now I know an easy way to unpack all of Komodia's anti-av stuff!)

This one wasn't on the CERT website when I found it. The PUP
PureLeads uses Komodia, with SSL MITM. Here's the cert and privkey.
Also, the PUP Sendori (which also contains Komodia's ring0 rootkit)
uses this same cert and privkey.

Next one: SecureTeen parental control software, which uses both
ring0 and ring3 rootkits for some reason.

Another one: ImpresX? DiscountCow? Not even sure of its true
name, but it's a PUP and it uses Komodia anti-av. Thanks to
@Whistler4Ever for the sample.

And here's another one. Not really sure what it's from, some
PUPs by Objectify Media, "WebProtect" or something, and this one
also includes the ring0 rootkit. Again thanks to @Whistler4Ever
for the sample.
Next one is CovenantEyes, a parental control software. It
uses the komodia ring-0 rootkit of course. Thanks to @Gh0stAg3ntX
for the sample.
Seems some VPNs use komodia's sdk, but not for SSL MITM.
Nevertheless, hide-my-ip's komodia proxy contains a CA cert and
plaintext private key, for E = sales@komodia.com CN = Barak
OU = SSL O = Komodia L = TLV S = NA C = IL - I guess it's some
kind of leftover. Here's the cert and private key, though.
- slipstream / raylee - @TheWack0lian
PS: I also checked the OSX version of Qustodio. It's somewhat
unrelated, but it uses its own CA cert/privkey pair. The privkey
wasn't crypted in the mach-o.
Easy Hide IP Classic is on CERT's page listed under the vendor "WebSecure Ltd".
The SSL MITM component of the komodia redirector is an optional extra that costs more. I believe I've seen that sales@komodia.com cert in some of the samples that do SSL MITM. I'm still not sure what it's used for; more reversing work is required for that.
Komodia anti-AV is easy enough to unpack. Inside the function that main() calls to unpack, there's a memcpy call below a call to the decrypter and a call to the decompressor: if you break there the memcpy source param points to the unpacked PE DLL in memory.
Added to gist: PureLeads PUP cert/key.
@Wack0, could you please clarify: are you certain that all these products that use the SDK use the same cert (per product, that is)? They don't generate a random one per machine?
@taoeffect They use the same cert per product. They don't generate a random one per machine.
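Because each product ships one fixed CA rather than a per-machine one (the point made in the reply above), a defender can audit an exported root store against a fingerprint list built once from the published certificates. The following is an added example, not part of the gist or of any comment; the certificate bytes, product labels and function names are constructed for illustration, and it hashes the decoded DER so that differences in PEM line wrapping do not hide a match.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def to_pem(der, width=64, newline="\n"):
    """Wrap DER bytes as a PEM certificate block (builds the sample input)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return newline.join(
        ["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----", ""])

def cert_fingerprints(pem_text):
    """SHA-256 over the decoded DER of every certificate in a PEM bundle."""
    out = []
    for body in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()))  # drop all whitespace
        out.append(hashlib.sha256(der).hexdigest())
    return out

def flag_store(store_pem, blocklist):
    """Return sorted product labels whose shared CA is present in the store."""
    return sorted(blocklist[fp] for fp in cert_fingerprints(store_pem)
                  if fp in blocklist)

# Constructed stand-ins for DER certificates. Real use would load the PEM
# published for each product and the root store exported from the machine.
PRODUCT_A_CA = b"constructed-der:product-A-shared-root"
PRODUCT_B_CA = b"constructed-der:product-B-shared-root"
UNRELATED_CA = b"constructed-der:legitimate-public-root"

BLOCKLIST = {
    hashlib.sha256(PRODUCT_A_CA).hexdigest(): "product-A",
    hashlib.sha256(PRODUCT_B_CA).hexdigest(): "product-B",
}

# Two machines carry the same product CA, exported with different wrapping.
MACHINE_1 = to_pem(UNRELATED_CA) + to_pem(PRODUCT_A_CA)
MACHINE_2 = to_pem(PRODUCT_A_CA, width=76, newline="\r\n") + to_pem(PRODUCT_B_CA)
CLEAN = to_pem(UNRELATED_CA)

if __name__ == "__main__":
    for name, store in (("machine-1", MACHINE_1), ("machine-2", MACHINE_2),
                        ("clean", CLEAN)):
        print(name, flag_store(store, BLOCKLIST))
```
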
Found another one:
https://twitter.com/cryptostorm_is/status/569038274909614080
Also, you write that:
"Seems some VPNs use komodia's sdk, but not for SSL MITM.
Nevertheless, hide-my-ip's komodia proxy contains a CA cert and
plaintext private key, for E = sales@komodia.com CN = Barak
OU = SSL O = Komodia L = TLV S = NA C = IL - I guess it's some
kind of leftover. Here's the cert and private key, though."
How confident are you that they are not using this malware "for SSL MiTM?"
Finally, you write that:
"Another one from CERT's page, "easy hide ip classic". Why would
a VPN MITM SSL connections? Definitely not for a good reason?"
I can't find any reference to this VPN on the CERT page - any pointers to help me out?
I've found two more "VPN services" that show a first-order match. We're currently unpacking to confirm certificate-based matches. As to why these "VPN services" would have session hijacking malware embedded in them... let's just say I know more than most folks from outside this "industry" would know, and that what I know makes me 90% confident I know what's going on with this corner of things. But we'll pcap to be sure...