It's not just Superfish that's the problem.
Superfish uses an SDK from Komodia to do SSL MITM. That's probably known by now.
Superfish isn't the only product to use that SDK; there are others too.
Each product that uses the Komodia SDK to MITM has its OWN CA cert and private
key pair. Seems a lot of people think they all use the Superfish cert. That is
NOT the case.
The first thing I checked was Komodia's own parental control software,
Keep My Family Secure (mentioned on Komodia's own website).
Of course it used it..
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN ENCRYPTED PRIVATE KEY-----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-----END ENCRYPTED PRIVATE KEY-----
-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQDFNKNbpDaQJYPebNA1tDVuUlDM4Hg5O/uxOeo5IddDmQ9ECo/T
IIdvyD0DMR7rk4u4PWqIvir4azBahXavk4e52BD2a8QOldZ8JLY8KSSWwWzjAjLC
5Gd5P2y8JJVBsMDpdvSKIpO6UtKs0Z07lm9W35kdwpwtHV4E7ejC1wpO7wIDAQAB
AoGAV2YFxBaaC/ZkZA5LlJGCYJtgrfwJrCv2V0w4jwt9cLsD9f7MUSCIhbTzvVdm
wbcJZCTr8yB8wM4YhvXBbPzwWFfGkIQRmKmhu9U01eALkTxfZaOjl2aBtbXC6XHc
o6lNrAW+a+9KFJY+sOOT7h4OEcfuwn3S+VrLmVXqfhCtosECQQD4uMiDYPIgSYqX
NMmZMTnhNXCpmpSy0jdokgKUfWsnb3bImq7vhSsRGwXwdSjlsLayBxAQexKvsWJj
A7Y0BCYPAkEAyvnwPXVAp+jlHeppYReM2/r3K97ioZSV3e9vi693yZGQ+IZjD0Ew
Eor7V0F1snq1CB2OavYyD3+GMUbCsgcpIQJBANpK23krKfaadO+WneU85g65p2LD
0AROKeE2XNtUZCpdUsRntmdz2kOOEx1ixn0pJn+DYV8FlXXr2m0KgeyPQ5MCQAH1
4g0l6cb1Z+kfD3+Bk7m4NdT1pSi8X6oyGti1jCmlP0o3OhO2pHk5YG4aUsGzj7YR
WwPLdvZRXAFz1oOTsCECQC5lYMFYxWudct6AjlaTRnfUuUg8xcNwGO5w3iOiI50e
N/BjkPidMO2n4ENpvfLnDw7sVKxWqZaHb2XpxyM4lVY=
-----END RSA PRIVATE KEY-----
So I decided to Google for parental control software and check
them. The first one I came across was Qustodio (page 1 of Google
search results), and naturally it uses Komodia's SDK.
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN ENCRYPTED PRIVATE KEY-----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-----END ENCRYPTED PRIVATE KEY-----
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
Then I came across some parental control software of Brazilian
origin, called Kurupira Webfilter. Naturally, it uses the Komodia SDK too!
-----BEGIN CERTIFICATE-----
MIIDjTCCAvagAwIBAgIJALtt/7AtN33EMA0GCSqGSIb3DQEBBQUAMIGMMRUwEwYD
VQQKEwxLdXJ1cGlyYS5ORVQxJDAiBgkqhkiG9w0BCQEWFWt1cnVwaXJhQGt1cnVw
aXJhLm5ldDEcMBoGA1UEBxMTUGVkcm8gTGVvcG9sZG8gLSBNRzELMAkGA1UECBMC
TUcxCzAJBgNVBAYTAkJSMRUwEwYDVQQDEwxLdXJ1cGlyYS5ORVQwHhcNMTEwOTA1
MTU0NDM1WhcNMTYwOTAzMTU0NDM1WjCBjDEVMBMGA1UEChMMS3VydXBpcmEuTkVU
MSQwIgYJKoZIhvcNAQkBFhVrdXJ1cGlyYUBrdXJ1cGlyYS5uZXQxHDAaBgNVBAcT
E1BlZHJvIExlb3BvbGRvIC0gTUcxCzAJBgNVBAgTAk1HMQswCQYDVQQGEwJCUjEV
MBMGA1UEAxMMS3VydXBpcmEuTkVUMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
gQDFODmSmiBhKTnfdGY66jv0Y2ANhocrYm9HPmcR5ARBtAeN/b9l5i2kRdFn4kQt
jOgVRbYa290zoxLuZOiI7r6nULEux0HRcusneefdPtHXrAIO24hV+57kuj9IUz/I
eWhNU1LStbt448YswRzhLkaHGjdCKaj032L7nqORI2L0ywIDAQABo4H0MIHxMAwG
A1UdEwQFMAMBAf8wHQYDVR0OBBYEFBI8It2RXk0k1eruND3XOAa3Ehv4MIHBBgNV
HSMEgbkwgbaAFBI8It2RXk0k1eruND3XOAa3Ehv4oYGSpIGPMIGMMRUwEwYDVQQK
EwxLdXJ1cGlyYS5ORVQxJDAiBgkqhkiG9w0BCQEWFWt1cnVwaXJhQGt1cnVwaXJh
Lm5ldDEcMBoGA1UEBxMTUGVkcm8gTGVvcG9sZG8gLSBNRzELMAkGA1UECBMCTUcx
CzAJBgNVBAYTAkJSMRUwEwYDVQQDEwxLdXJ1cGlyYS5ORVSCCQC7bf+wLTd9xDAN
BgkqhkiG9w0BAQUFAAOBgQCWJW5TwVWYmiZDCc7aiICZh+YB1y0G2bJEjEZWd2Bu
siArM43Y1XH6eQDy8o2NdDQV/M135R4n8qnHA+SOnuezVtU0vlKm1vyflTWdNUC4
CoGRdIlbR35Uc2xO8ta99y+2x/yeUazt5ybRAI640kp7G+zvKsxA5+cS5bFB4DNM
Zw==
-----END CERTIFICATE-----
-----BEGIN ENCRYPTED PRIVATE KEY-----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-----END ENCRYPTED PRIVATE KEY-----
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
As I said on Twitter, the password is always komodia...
I wonder what else uses Komodia's SDK..
Checked the CERT page and it's been updated with more products
that use Komodia's SDK. So here's the cert and privkey for
StaffCop. Interestingly, the CERT page says only 5.6 is affected,
but I checked the latest 5.8 and it also uses Komodia..
-----BEGIN CERTIFICATE-----
MIIDpTCCAw6gAwIBAgIJAIA+vDW44Q02MA0GCSqGSIb3DQEBBQUAMIGUMR4wHAYD
VQQKExVBdG9tUGFyayBTb2Z0d2FyZSBJbmMxIzAhBgkqhkiG9w0BCQEWFHBldGVy
X3hAYXRvbXBhcmsuY29tMRMwEQYDVQQHEwpBbGV4YW5kcmlhMQswCQYDVQQIEwJW
QTELMAkGA1UEBhMCVVMxHjAcBgNVBAMTFUF0b21QYXJrIFNvZnR3YXJlIEluYzAe
Fw0xMTExMjMwMDIxMjFaFw0xNjExMjEwMDIxMjFaMIGUMR4wHAYDVQQKExVBdG9t
UGFyayBTb2Z0d2FyZSBJbmMxIzAhBgkqhkiG9w0BCQEWFHBldGVyX3hAYXRvbXBh
cmsuY29tMRMwEQYDVQQHEwpBbGV4YW5kcmlhMQswCQYDVQQIEwJWQTELMAkGA1UE
BhMCVVMxHjAcBgNVBAMTFUF0b21QYXJrIFNvZnR3YXJlIEluYzCBnzANBgkqhkiG
9w0BAQEFAAOBjQAwgYkCgYEAvDOcOoa7uJ+Ifwx1TZC8hdBsYrsBGrhFsaALF6Kr
sv1xbCxZhp7OqnU0ygPtSqsHzVU9fVjAHlmglzeZ8G4X5VoVfMjqD/o7RYsjAUhS
AL+PYpSnKwzJZKyXBDZQ88DAKNUguUfOLF4wqZ/oLuvgyiVrVFtkq/fFoaeA8bmP
MssCAwEAAaOB/DCB+TAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBRslW1gfzL9PhrR
vMNmeYPYcE3FjDCByQYDVR0jBIHBMIG+gBRslW1gfzL9PhrRvMNmeYPYcE3FjKGB
mqSBlzCBlDEeMBwGA1UEChMVQXRvbVBhcmsgU29mdHdhcmUgSW5jMSMwIQYJKoZI
hvcNAQkBFhRwZXRlcl94QGF0b21wYXJrLmNvbTETMBEGA1UEBxMKQWxleGFuZHJp
YTELMAkGA1UECBMCVkExCzAJBgNVBAYTAlVTMR4wHAYDVQQDExVBdG9tUGFyayBT
b2Z0d2FyZSBJbmOCCQCAPrw1uOENNjANBgkqhkiG9w0BAQUFAAOBgQB2naAppBRR
tVnWog54Bgy58j7f9OTirpzpAURgRIA/XllV8woUJsHNYhwsib/738lhJ3cla0bH
vcVOWQQZkF/WrhUEFkjhIoZfeCbEhwIzIDy54EAkDB8Fng7zyIESAAl6F2SO4MAG
4CyNTW9UGq5lkTrrSkARYI38v2XW49pl7Q==
-----END CERTIFICATE-----
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIORD8avHP7ngCAggA
MBQGCCqGSIb3DQMHBAjYrv5+LIP6IASCAoCze5x4doMj3EFYwDafsohSDKrrz75+
zQbzbiE4w2wEOe/WBRw41aQvFs3C9HAvAFs9zH6g6ojzcvUzEve3vW3+D7pw5PBc
j43UOEsR65tiWHG+aoGe0RDRkBWMfNiJ7uDfoSAQnZ/OXrxAvT03rqmd4oELb8Lh
cDbrq22YlVxMOS++K/l4G5NdC1PlgtUjK24u35yI7U1KIQ544IivjEBryk619KXx
qraZm3bj9+cLRq/BDXq9yWFNQbKYRFQRBnaJ1EVSzVzQzH1b8D4e7/JcoQLUsJvk
o2JwtcwvhNQyBNzmzxqPYkIRoQZhjlMBqOtt38RZq8swl/tXIxNIBq4KM6EngUYd
N0w8+UWrjQ85wUHKyffEEWRQC/uoyEHRw4YueIknpRuHrzyP6MQ6hZhrHua636O1
yvpICaqhu5CwsARtz3xu89zbynK7L+hArF3SbAbAZvqFCQqeVdNLQy3JTcPVHFN0
6Mnghye40Sboz6Ps1Xl2e9Bp4p45Z1cCJkY3uKBkR+uNsI5zm2CboZSGOGPuP4Ab
8msQAT16wUJRqImG03IsJayzIYIwXkoE6TfvE+6vdTHUMQUsU0w/BYsCudWRpymQ
3hG8mwVRzulx9vvMieLYLdQXTnBq5r4UJAW3IPa22n1ejukDfnvH0XzYFyPS/lP/
BcGF+pBqsNu9A4rFzr2XkQ1z6wPzioV/HwugP9onEzuaZ6xC3QeFW/UnWGfJ+5Ka
CZsvjvuJh8oBHayHenKgiFWZP+he7ST63aWqSEA30J0rL/n3M1cBR+ECoCy49NcV
ARGbt4ADGoyvokm8iqFbY+7jxrqhuytALNiB3S5x/5+fOPPRxxD3Dzq0
-----END ENCRYPTED PRIVATE KEY-----
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
Another one from CERT's page, "easy hide ip classic". Why would
a VPN MITM SSL connections? Definitely not for a good reason.
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN ENCRYPTED PRIVATE KEY-----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-----END ENCRYPTED PRIVATE KEY-----
-----BEGIN RSA PRIVATE KEY-----
MIICXgIBAAKBgQCwmw0hNpbYNKYWrNXmotUcBx6cymwGqaVTbBjAVfOIvCoaYt/J
y+qfHAk11u9IMmPPx6dfxBEXwMQVYJyW+aHjGSOsfc5YvHGamhdpuKmxst/7VJJp
eY6kjfw7O8Y1RQCHFuFbVNeGR9Cn+iRBKucJX253i3BC7djogdF4MIDjJwIDAQAB
AoGASWx9PfTDLCpfbwf2ekfykA+Js6gY14BKgu9rLvPNJ2kLnCLFZdGIvxPZ5G9y
1jJU+vrH5HHQpW54V2buU3p/ygh+WWF7BoGVVEZWM5G19LTifO/yyJZmp5dkBlby
CDQ/my0HSQD9vKX8DA9Z9aIw+q7LBlRmNrmMlebkdFrCV6kCQQDpuE+D6cTztlnM
T9w1z2aAzQ/NDnbN/ZRZQ5Wn/N4ERQX7OGSou9E354rmvEJDpO9JkdOLnWkAaviD
SThv31KjAkEAwXDtMJIwISBLQ6HvGAx9ePrqh4I20HEb8y6BwJ5TogjJuFq1OG7S
0gZtXcMkUwdQtCkXROKUBuXWyBTvdM15rQJBAL0yEkw6pNCUwMR/sUduCRAi77OT
DeFacQiBiVhffmn+ZgUjdXiR8Z9LtElsBEg17+6iOZk/Z4yLC3lbgHAvW/kCQQCr
HvHEMN5Av6e1CbBPruTkO9tyyn8g/55BDtgbhDPpuCpyWlPLu0XmI2dmNXWRuXvs
FBmQh3t5aqMI1nRJ+Gb1AkEAnBUw8rjlFRK9ZS/rJLdKs2dvoT8z1MQ4CefTp/Om
ahrmca6RUFF/rfajE+IT5E+tIKJ7F4azTQpTY5rPwWEm/A==
-----END RSA PRIVATE KEY-----
Next: Lavasoft Ad-Aware Web Companion. Lavasoft should know
better in my opinion, but given that this one is only the third
I've seen to use Komodia's "anti-AV", and this one uses XXTEA,
not Blowfish... (and it caused me some trouble unpacking; at least
now I know an easy way to unpack all of Komodia's anti-AV stuff!)
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIsZoM/h+RxVICAggA
MBQGCCqGSIb3DQMHBAjA21LLZfOuhQSCAoDWi8ibEBP+mjkLAKeZPGxPmDjaiEuX
gDDWhNjEK6lyEyA6zlpcfHr7ffb+9DGopF4HZsD50Bt9GpAS0wEm94kAfv05/ULC
chD3HCJjW7KnScsnvcaAnLGysJH2fz1Vno7/9FI31OOZrxEMNDJ8TgQXYQBcWFAJ
TnSIB5UDnFE105k5mfJ2N0HrZqAZ6WhaoSRGSEJ0ry5dne/mdMzGN772r1xDZftb
LqdIk1GYlssCtfrWl6Zz/pSqDS9hCPpLNNdtz8B1McqSk80cKZfYvesX7ox/xopj
IKUKj7/bOfq3g2TN4qSE4q8ltNxA1jDmC5L7q2JME9A4voPi6msYrIzQf5yeEKSS
f3pd+Plx0V0VENdqufLIEa9LMOrICKbVHXsGBcRFUhoYmr/7VAN6BIFltVEtR57e
FtWFt1FHAygXiMe270dVcrJMGvMfTQ+dlKTdPfwWHy5l++p7B7cvJvh9XatPqGnt
cXYWKhS6gZ071VYa8xYjoGc2ywbH8MTAoLZqu2EBgyP//neqytMOGgWFMwmghkCZ
Q9wLoB74EF0i3muOv7eXKMfb9eMmsgzlB48+QmcYN2mHWx2EjU7X90QHZ9k9tX5I
rnk1F1NrmEJhbk2A6jRMs3XAsUh32vgvXIYlQ1RS5QQIJvqL+awMv1V7gK8+igRx
Y1uFNE7BC1B+gBkcy28FZIAkAttgt4wp9TD3Ojv8M/FRgc2eD8ZfFO0TKJB44BQz
2+vwh3BJxJX8xoR3g5/PzPqZXyFyRdtEe46H2Smq7t3I6vHGOEUICIbf6U2gJS7B
dHUOKOzwerL6drcPc3AvNUjZVcU6vi50dv/k4Ya4kOE0SOiEGnRoNkN0
-----END ENCRYPTED PRIVATE KEY-----
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
This one wasn't on the CERT website when I found it. The PUP
PureLeads uses Komodia, with SSL MITM. Here's the cert and privkey.
Also, the PUP Sendori (which also contains Komodia's ring0 rootkit)
uses this same cert and privkey.
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIXtNls0qhzx0CAggA
MBQGCCqGSIb3DQMHBAiW5hw82IAjCASCAoBN0ACZbk1Z78ewidEgytBXHeE/OcuU
6Gm2WxKFzMA3DnrEfxuT78vUbGNqlVCAV7GFcMtuFbhNSXmkgdA7To3c9Nla6/UQ
09TePKP/NKYTg/frafMb1WDFMuNDpqU3BmHuN4G137nPKR8rhakoXKbG1G2DmYwE
KO03HaO3msXhhnWzlmaSvQX0Vx6dJNmhlNL4T9uMFelkWwq+nQa6ssoKP5hPVvNZ
TEa47/1uCy+C6dx8X14WID5y5UA+r2NIQFollUrGn8rhFxQIZdiIQnIz0u1h3Mlj
hZc28mkO2H+5TeqcPvjKnmA5StU+TT0C8r6zFKbksG3gzfLk6hg1ikNh7nkmxx3k
lajLAtwZOzWg28Nt4SWhPDKGBe1OAbzds8LMsM9qSu+6OVTLBKLI/8EzUvHZTeme
MfHCxgJJfLS1C0mRFS62Yul6pkO51Rb74T0hge1Ti6moOnqweRMXQYjGgkHWyV8n
HJIXYZZYzbJoJzfAkr2gNOItbVomMPT4I12TNUIoTCIxLVqkDsB/XfPzfJYgyisi
fZ4xVVii1C/vptXvKQlXRjidaDCCwK3D7zXrCCbnGsJLvSTHFQPL2z6Q2U9tTitH
Xz7aV8oeFFPWgLm+IIND9uWAjnnM1RpMOXuifShl7UpsI1gZhsm0kmFDeF6A4f+o
Kf55s95Sm0WHKw9rWw2iEbhR3ys84jQIx7EgwLvzXO0PWuTKsCYjD/NBe15s2FKD
05B6eq2IPEhkk2Py/BDhM1yE4+cheossl72R39zS+pjtbFs3HkeYTlT4JM4YmcMJ
dEQSm+oAPwlCafAGmL1FhgQqIHCrEpgWkaqF5bV0INqNCNLEMviM36sC
-----END ENCRYPTED PRIVATE KEY-----
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
Next one: SecureTeen parental control software, which uses both
ring0 and ring3 rootkits for some reason.
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN ENCRYPTED PRIVATE KEY-----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-----END ENCRYPTED PRIVATE KEY-----
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQDYv7oZC1kNAKD+Qp+aADBvAQ9Cbq6yH30ulf+aCN2GCrQvyIII
bNhAtlUQPGo8YVtRZusZgkLwVXzS6UUN1xwKZq/SFeQPV3C96tyzkiLl7HVOXvH3
yRXV887OfAwrhx7cQaJKPm5ZE+NBJIzFbcnuSF4tQ9U5pbjrdE0gMyc7KwIDAQAB
AoGAVVnSX3BPhcY8n0L+9Dak2+FP7/oDwtKRidm5SB+7k7/9Sl+rjMPHuFvUTUtt
Dg/MVNaxN19LGrafK7J95cBSIrDJbS2xfSK5S5Ghn5c2qnBMY/Y0hrhpCp0NWlPA
QL2Ksh0FJaQ/VAX/U5R5g0hb31AG5LXscWdjj52mYC7mgoECQQDyqoAxPxfQSD8Y
N6tfJfNbWyOIiX7HRTqDDpu4YuYXtoHMQkwZvmRiDALtVAS/Wzv3ckhYLtf3DOW1
vFuu8tfBAkEA5Kio1Dh0vkxLAzM64Yi9mvvozjWibsk/GJ+q5FTMok/JE66rge8D
ZICtXnGQ0dWoRLK/uR3zkwaerPpQ295t6wJBAICT0OrHGHIW5b+KN7ZpoGFmkBRX
biJdzxwEEISJeotT+8Bj3HjDheLhpGdl3kIaMFLzbduzrmDLp6c8z4OKTsECQG+u
2Vdeg9b22KSlfxrteP6cD+e4VrAZ55GVWxjPOmwE4EeWxvpdzaBnIUbB3WRAIUH8
tJwsPu4PC62dTaU2jSUCQQDijJsmRmqVcfifoGCyzPTOg7+wehCFiCxAK1t9+h0J
2v5FaDvI8OwEfgjXShQNfrU7pbgZhIJd+fAdg2JDSIwZ
-----END RSA PRIVATE KEY-----
Another one: ImpresX? DiscountCow? Not even sure of its true
name, but it's a PUP and it uses Komodia anti-AV. Thanks to
@Whistler4Ever for the sample.
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN ENCRYPTED PRIVATE KEY-----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-----END ENCRYPTED PRIVATE KEY-----
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
And here's another one. Not really sure what it's from, some
PUPs by Objectify Media, "WebProtect" or something, and this one
also includes the ring0 rootkit. Again thanks to @Whistler4Ever
for the sample.
-----BEGIN CERTIFICATE-----
MIIDmTCCAwKgAwIBAgIJAJsRr9PFsJ57MA0GCSqGSIb3DQEBBQUAMIGQMR0wGwYD
VQQKExRPYmplY3RpZnkgTWVkaWEgSW5jIDEjMCEGCSqGSIb3DQEJARYUY29udGFj
dEBvYmplY3RpZnkuY2ExEjAQBgNVBAcTCVZhbmNvdXZlcjELMAkGA1UECBMCQkMx
CzAJBgNVBAYTAkNBMRwwGgYDVQQDExNPYmplY3RpZnkgTWVkaWEgSW5jMB4XDTE0
MDEwNzE1NTU1M1oXDTM0MDEwMjE1NTU1M1owgZAxHTAbBgNVBAoTFE9iamVjdGlm
eSBNZWRpYSBJbmMgMSMwIQYJKoZIhvcNAQkBFhRjb250YWN0QG9iamVjdGlmeS5j
YTESMBAGA1UEBxMJVmFuY291dmVyMQswCQYDVQQIEwJCQzELMAkGA1UEBhMCQ0Ex
HDAaBgNVBAMTE09iamVjdGlmeSBNZWRpYSBJbmMwgZ8wDQYJKoZIhvcNAQEBBQAD
gY0AMIGJAoGBAL9CxsBV2TKxhZI1a/12efY4DQb6d/K2g2zrGpwpUzV456nkvaTj
Nf63aamgfzIA3VM5FuACfVXmy/Slpfw9GTMCjgz5L37b4ATzMxLRyMoCkYNeZW4J
9NTE3ibUOu/KXzJiA3eiONCgnm90SBfQ5tfQK3NCRSnLDzKeCRb+aM+pAgMBAAGj
gfgwgfUwDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUzXU7741oj/G3CB2jmwWaGA7f
3wAwgcUGA1UdIwSBvTCBuoAUzXU7741oj/G3CB2jmwWaGA7f3wChgZakgZMwgZAx
HTAbBgNVBAoTFE9iamVjdGlmeSBNZWRpYSBJbmMgMSMwIQYJKoZIhvcNAQkBFhRj
b250YWN0QG9iamVjdGlmeS5jYTESMBAGA1UEBxMJVmFuY291dmVyMQswCQYDVQQI
EwJCQzELMAkGA1UEBhMCQ0ExHDAaBgNVBAMTE09iamVjdGlmeSBNZWRpYSBJbmOC
CQCbEa/TxbCeezANBgkqhkiG9w0BAQUFAAOBgQALXxRZX1GuMAi3aZDFVkd3yzEK
CwCc2voOo83FMv0bLag0kNR/KOSYyDkAsxKOCG/0y/BIO4AC9U3nWFXrmmyhYOg4
U1OQIiSNU39EhdSkkqwVHk0KGAmoqXYRPtN9cH+TkihRhzB6oR6kb0N3ADyGKpb7
OcNkx/Nw1CakrQxzOg==
-----END CERTIFICATE-----
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIZwA9HVc40XkCAggA
MBQGCCqGSIb3DQMHBAjpyi92mdKUlwSCAoA/RVHqM+K+yjXjwF9t74EA0/4utrgV
f1Hz5HqV25hynaufhuIRHGUmbPAvmKH7YMGYpjEeimNuqXy+M/EOIYzNaXsKr9QM
iKZMy/UEwSNgnFwbz5NRgvbldKex9qtM8ppHDkG9mszPBqg0gB2NQp25h071ZzM1
F2cxVO+qdTX8kHcaBXLJEasu/oBaktEP7XW6OIId+zO2WqN3WjxOd9OGC5RS2mYj
ImP1Jr8cmgL6+LiyEpKUOmlMQDf9qqrKtxGZCMrrHJdHe0lq3a+V93RaKUTtAQ8X
bVXx4VsANv68TS3FZqljLj8oEKuoLq8Ciz3VJ1uo4fmDM0/kq2jHVhSjdxdlFJkV
8yx5lpxp5F8p/7Eik9QGs8pXG4lGeksnbfrmm0QzF2u3qXbMe2dnQUPJviCTGHRH
YOZbCeRI+fcJ3lYJVVYFHmxBQtUGkxRgoCftmHLnlGKjOmBSRWsdI2aCdPhlRnMt
FKQjuNTaUH2gA5T/h36tFEphisJAe8zEuXGRmHHTJRYsDyA6ukVzubZIGk9AbCrX
DRGZND1ljsSrbKICjhqdFXcCqw38F5UODBqjw4sqS+Je1gbzplGgMQEYRaTu6taH
cyyo6rm2oNdCAYKxvDXtryTYTNwhSNxbYCjUGF6MdYup3euL9k7i4Np7QXPY4XpU
IJ20iTP2prBgbgnng7+oq4LTaLffIq6VEGy8p2enrBLQZpwlN/PjpLTZWgLKZ9L5
B8Z6RcOldVQ4tNrdh0Dzk8qgVxsWMubKKHqyb4QIlS0kez5JO2ds/S10ffojB03Y
F42UqssaxmfzJLBN1nWiZFNtj4PaPYtRRWt/rhKIbfdYuG/2bjxjNCvh
-----END ENCRYPTED PRIVATE KEY-----
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
Next one is CovenantEyes, a parental control software. It
uses the Komodia ring-0 rootkit, of course. Thanks to @Gh0stAg3ntX
for the sample.
-----BEGIN CERTIFICATE-----
MIIDkzCCAvygAwIBAgIJAMvP1KgitpY2MA0GCSqGSIb3DQEBBQUAMIGOMRcwFQYD
VQQKEw5Db3ZlbmFudCBFeWVzIDEwMC4GCSqGSIb3DQEJARYhc2NvdHQuaGFtbWVy
c2xleUBjb3ZlbmFudGV5ZXMuY29tMQ8wDQYDVQQHEwZPd29zc28xCzAJBgNVBAgT
Ak1JMQswCQYDVQQGEwJVUzEWMBQGA1UEAxMNQ292ZW5hbnQgRXllczAeFw0xMTEy
MTgxMTQxMTFaFw0xNjEyMTYxMTQxMTFaMIGOMRcwFQYDVQQKEw5Db3ZlbmFudCBF
eWVzIDEwMC4GCSqGSIb3DQEJARYhc2NvdHQuaGFtbWVyc2xleUBjb3ZlbmFudGV5
ZXMuY29tMQ8wDQYDVQQHEwZPd29zc28xCzAJBgNVBAgTAk1JMQswCQYDVQQGEwJV
UzEWMBQGA1UEAxMNQ292ZW5hbnQgRXllczCBnzANBgkqhkiG9w0BAQEFAAOBjQAw
gYkCgYEAx6aiwtawXYZYaWuCuwJ/dyVe/t7QH89oAZZDTCNhSCO44jPsvvAiEKcz
97FLcqAcObsq8wOUX3ANTEGcfHQOUbD7XpAxbBK2cOlM30FLMLEKD3H8+fia+uzF
T1saL9FtkKBla5JduuH/Z0I303UV3MmvYL3nMvVJ379Xqyu9Dw0CAwEAAaOB9jCB
8zAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBQwS+QB7AqNML9k+mvzr6gWhoOeujCB
wwYDVR0jBIG7MIG4gBQwS+QB7AqNML9k+mvzr6gWhoOeuqGBlKSBkTCBjjEXMBUG
A1UEChMOQ292ZW5hbnQgRXllcyAxMDAuBgkqhkiG9w0BCQEWIXNjb3R0LmhhbW1l
cnNsZXlAY292ZW5hbnRleWVzLmNvbTEPMA0GA1UEBxMGT3dvc3NvMQswCQYDVQQI
EwJNSTELMAkGA1UEBhMCVVMxFjAUBgNVBAMTDUNvdmVuYW50IEV5ZXOCCQDLz9So
IraWNjANBgkqhkiG9w0BAQUFAAOBgQApcHgEfwzJFMjujMV2ejbd29A144O4TlHI
V/MjnDiUrCTXAm4Ac4mh+/1BMJi89GZxTAxllRwmdnt7l+lvbd5pT2BnLNbi2dYD
S+Jjzh6y0MkQCTNJH3zg+bfwTqre+4nTcbM0Fi3BNGwL5IDNu9BF6eQE2/uwn7LE
4u5Xbb9qMw==
-----END CERTIFICATE-----
-----BEGIN ENCRYPTED PRIVATE KEY-----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-----END ENCRYPTED PRIVATE KEY-----
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
Seems some VPNs use komodia's sdk, but not for SSL MITM.
Nevertheless, hide-my-ip's komodia proxy contains a CA cert and
plaintext private key, for E = sales@komodia.com CN = Barak
OU = SSL O = Komodia L = TLV S = NA C = IL - I guess it's some
kind of leftover. Here's the cert and private key, though.
-----BEGIN CERTIFICATE-----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=
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
- slipstream / raylee - @TheWack0lian
PS: I also checked the OSX version of Qustodio. It's somewhat
unrelated, but it uses its own CA cert/privkey pair. The privkey
wasn't encrypted in the Mach-O.
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQDKx/DCWmKZzxCgw6LzFgXZHsYJtM3BvQN9XbiBfB9RqoKzTgAy
9nKbWuMPe3tsw0qmP8XB9SuFGv4jzx8AeNB/iPfhfHoc1gcwcKfmMjoJCev1ykRB
keDor51+Kff+NHOumt2LIaTbf9BwWEircO0DTReyS1neFvwF9K+Tg4CtVwIDAQAB
AoGAMXD8b7av8cZ9zGTG1zQYau7I5Fb0D/ew4SE3ukJ0NGo5gdRT0hkqqlxHnl/C
ISugiNZltju7x7FkI4D9kxTh6Lbo7XveD3CNldnzkQXr1kzHI2rMYAfpQB3xtVQ4
OqG46MtgoZLKMwsFKPU7IA8RpiQq91UkgBITY/h0MdPxqgECQQD7wWCwKb2FJ8GL
bZl6FTPp9t2RDxJ1vav0dqINtgDCY1s+h9fysyck7h87CgDZ+OlzI7RTZAR/KMlM
63+hKfJXAkEAzjMuMmxbLDNDxjRO6AhwkSerfWFrupjc+GMP/NTjou9tGhS8Rs2Y
heGYpFEV/dRHpHUIjodVYNmAGzoRaig9AQJBAOEnTUW/ztNrftknp/9bPxabxgSZ
qjTK8SKthrkkcQFowo3mB+fy+as5m4y9oY1P49kpsXhzFuJyo7W7WGXWkfkCQQCv
LjArSn9S1+LWew4mdzUbPPamuKOLjd79bzvf8wXKIVsxczhZdsYDyBukTfc/BKAx
CfTREgzpER+TAgxVggYBAkB1tQKlAdTAiQrTLzAmLLsQsP3kYIWfBxdudxo59vus
6Ckt8vspJdLcnVvNdRrZEzlJmrVzX/MB1otY3N1FCVW7
-----END RSA PRIVATE KEY-----
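The point of the gist is that every Komodia-based product ships its own self-signed root, so a defender who wants to know whether one of these roots is trusted on a machine has to identify each certificate individually: subject, CA flag, validity and fingerprint. The following is an added example, not code from the gist or from any of the products it names: a standard-library-only Python DER walker that decodes a PEM certificate far enough to report who it is issued to, whether issuer equals subject, whether basicConstraints marks it as a CA, its validity window, the RSA modulus size and the SHA-256 fingerprint of the DER. The Kurupira.NET certificate from above is embedded as the sample input; all function and constant names are my own, and the key-size logic assumes an RSA key.

```python
# Added example, not code from the gist or from any product it names: a
# standard-library-only DER walker that decodes one of the published root
# certificates far enough for a defender to identify and fingerprint it.
import base64
import datetime
import hashlib

# Sample input: the Kurupira.NET root certificate as published in the gist.
KURUPIRA_PEM = """-----BEGIN CERTIFICATE-----
MIIDjTCCAvagAwIBAgIJALtt/7AtN33EMA0GCSqGSIb3DQEBBQUAMIGMMRUwEwYD
VQQKEwxLdXJ1cGlyYS5ORVQxJDAiBgkqhkiG9w0BCQEWFWt1cnVwaXJhQGt1cnVw
aXJhLm5ldDEcMBoGA1UEBxMTUGVkcm8gTGVvcG9sZG8gLSBNRzELMAkGA1UECBMC
TUcxCzAJBgNVBAYTAkJSMRUwEwYDVQQDEwxLdXJ1cGlyYS5ORVQwHhcNMTEwOTA1
MTU0NDM1WhcNMTYwOTAzMTU0NDM1WjCBjDEVMBMGA1UEChMMS3VydXBpcmEuTkVU
MSQwIgYJKoZIhvcNAQkBFhVrdXJ1cGlyYUBrdXJ1cGlyYS5uZXQxHDAaBgNVBAcT
E1BlZHJvIExlb3BvbGRvIC0gTUcxCzAJBgNVBAgTAk1HMQswCQYDVQQGEwJCUjEV
MBMGA1UEAxMMS3VydXBpcmEuTkVUMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
gQDFODmSmiBhKTnfdGY66jv0Y2ANhocrYm9HPmcR5ARBtAeN/b9l5i2kRdFn4kQt
jOgVRbYa290zoxLuZOiI7r6nULEux0HRcusneefdPtHXrAIO24hV+57kuj9IUz/I
eWhNU1LStbt448YswRzhLkaHGjdCKaj032L7nqORI2L0ywIDAQABo4H0MIHxMAwG
A1UdEwQFMAMBAf8wHQYDVR0OBBYEFBI8It2RXk0k1eruND3XOAa3Ehv4MIHBBgNV
HSMEgbkwgbaAFBI8It2RXk0k1eruND3XOAa3Ehv4oYGSpIGPMIGMMRUwEwYDVQQK
EwxLdXJ1cGlyYS5ORVQxJDAiBgkqhkiG9w0BCQEWFWt1cnVwaXJhQGt1cnVwaXJh
Lm5ldDEcMBoGA1UEBxMTUGVkcm8gTGVvcG9sZG8gLSBNRzELMAkGA1UECBMCTUcx
CzAJBgNVBAYTAkJSMRUwEwYDVQQDEwxLdXJ1cGlyYS5ORVSCCQC7bf+wLTd9xDAN
BgkqhkiG9w0BAQUFAAOBgQCWJW5TwVWYmiZDCc7aiICZh+YB1y0G2bJEjEZWd2Bu
siArM43Y1XH6eQDy8o2NdDQV/M135R4n8qnHA+SOnuezVtU0vlKm1vyflTWdNUC4
CoGRdIlbR35Uc2xO8ta99y+2x/yeUazt5ybRAI640kp7G+zvKsxA5+cS5bFB4DNM
Zw==
-----END CERTIFICATE-----"""

OID_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST",
             "2.5.4.10": "O", "2.5.4.11": "OU", "1.2.840.113549.1.9.1": "emailAddress"}
OID_BASIC_CONSTRAINTS = "2.5.29.19"

def pem_to_der(pem):
    body = "".join(l.strip() for l in pem.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)

def der_read(buf, pos):
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Split a constructed DER value into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = der_read(value, pos)
        out.append((tag, v))
    return out

def decode_oid(b):
    parts, val = [str(b[0] // 40), str(b[0] % 40)], 0
    for byte in b[1:]:
        val = (val << 7) | (byte & 0x7F)
        if not byte & 0x80:
            parts.append(str(val))
            val = 0
    return ".".join(parts)

def parse_name(name):
    """X.501 Name: SEQUENCE of SET of {OID, value} -> dict like {"CN": ...}."""
    out = {}
    for _, rdn_set in der_children(name):
        for _, atv in der_children(rdn_set):
            (_, oid), (_, val) = der_children(atv)[:2]
            out[OID_NAMES.get(decode_oid(oid), decode_oid(oid))] = val.decode("latin-1")
    return out

def parse_time(tag, value):
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime / GeneralizedTime
    return datetime.datetime.strptime(value.decode("ascii"), fmt)

def parse_certificate(pem):
    """Return the identifying fields of an X.509 certificate as a plain dict."""
    der = pem_to_der(pem)
    _, cert, _ = der_read(der, 0)                      # Certificate ::= SEQUENCE
    fields = der_children(der_children(cert)[0][1])    # tbsCertificate contents
    if fields[0][0] == 0xA0:                           # optional [0] EXPLICIT version
        fields = fields[1:]
    # Now: serial, signatureAlg, issuer, validity, subject, spki, [extensions]
    issuer = parse_name(fields[2][1])
    (nb_tag, nb), (na_tag, na) = der_children(fields[3][1])
    subject = parse_name(fields[4][1])
    # SubjectPublicKeyInfo -> BIT STRING (first byte = unused bits) -> RSAPublicKey
    rsa_key = der_children(fields[5][1])[1][1][1:]     # assumes an RSA key
    modulus = der_children(der_children(rsa_key)[0][1])[0][1]
    is_ca = False
    for tag, ext_seq in fields[6:]:
        if tag != 0xA3:                                # [3] EXPLICIT extensions
            continue
        for _, ext in der_children(der_children(ext_seq)[0][1]):
            parts = dict(der_children(ext))            # 0x06 OID, optional 0x01 critical, 0x04 value
            if decode_oid(parts[0x06]) == OID_BASIC_CONSTRAINTS:
                bc = der_children(der_children(parts[0x04])[0][1])
                is_ca = any(t == 0x01 and v == b"\xff" for t, v in bc)
    return {"subject": subject, "issuer": issuer, "self_signed": subject == issuer,
            "is_ca": is_ca, "not_before": parse_time(nb_tag, nb),
            "not_after": parse_time(na_tag, na),
            "rsa_bits": int.from_bytes(modulus, "big").bit_length(),
            "sha256": hashlib.sha256(der).hexdigest()}

if __name__ == "__main__":
    info = parse_certificate(KURUPIRA_PEM)
    print(info["subject"].get("CN"), "CA" if info["is_ca"] else "leaf",
          info["not_before"].date(), info["not_after"].date(), info["sha256"])
```

Paste any other certificate from the gist in place of the sample and the same fields come out; the SHA-256 over the DER is the value to keep in a blocklist, since each product reuses one root on every install. On Windows the standard library's `ssl.enum_certificates("ROOT")` returns the DER of every installed root, so hashing each of those with the same `hashlib.sha256` and looking for a match tells you whether a Komodia-style root is trusted on that machine.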
pjstorm commented Feb 21, 2015

Found another one:
https://twitter.com/cryptostorm_is/status/569038274909614080

Also, you write that:
"Seems some VPNs use komodia's sdk, but not for SSL MITM.
Nevertheless, hide-my-ip's komodia proxy contains a CA cert and
plaintext private key, for E = sales@komodia.com CN = Barak
OU = SSL O = Komodia L = TLV S = NA C = IL - I guess it's some
kind of leftover. Here's the cert and private key, though."

How confident are you that they are not using this malware "for SSL MiTM?"

Finally, you write that:
"Another one from CERT's page, "easy hide ip classic". Why would
a VPN MITM SSL connections? Definitely not for a good reason?"

I can't find any reference to this VPN on the CERT page - any pointers to help me out?

I've found two more "VPN services" that show a first-order match. We're currently unpacking to confirm certificate-based matches. As to why these "VPN services," would have session hijacking malware embedded in them... let's just say I know more than most folks from outside this "industry" would know, and that what I know makes me 90% confident I know what's going on with this corner of things. But we'll pcap to be sure...

Owner
Wack0 commented Feb 21, 2015

Easy Hide IP Classic is on CERT's page listed under the vendor "WebSecure Ltd".

The SSL MITM component of the komodia redirector is an optional extra that costs more. I believe I've seen that sales@komodia.com cert in some of the samples that do SSL MITM. I'm still not sure what it's used for, more reversing work is required for that.

Komodia anti-AV is easy enough to unpack. Inside the function that main() calls to unpack, there's a memcpy call below a call to the decrypter and a call to the decompressor: if you break there the memcpy source param points to the unpacked PE DLL in memory.

Owner
Wack0 commented Feb 21, 2015

Added to gist: PureLeads PUP cert/key.

@Wack0, could you please clarify: are you certain that all these products that use the SDK use the same cert (per product, that is)? They don't generate a random one per machine?

Owner
Wack0 commented Feb 22, 2015

@taoeffect They use the same cert per product. They don't generate a random one per machine.
