It's not just superfish that's the problem.
Superfish uses an SDK from Komodia to do SSL MITM. That's probably known by now.
Superfish isn't the only product to use that SDK. There's others too.

Each product that uses the Komodia SDK to MITM has its OWN CA cert and private
key pair. Seems a lot of people think they all use the Superfish cert. That is
NOT the case.

First thing I checked was Komodia's own parental control software,
Keep My Family Secure (mentioned on Komodia's own website).
Of course it used it...
So I decided to google for parental control software and checked
them. The first one I came across was Qustodio (page 1 of Google
search results). And naturally, it uses Komodia's SDK.
Then I came across some parental control software of Brazilian
origin, called Kurupira Webfilter. Naturally, it uses Komodia's SDK too!
As I said on Twitter, the password is always komodia...
I wonder what else uses Komodia's SDK...

Checked the CERT page and it's been updated with more products
that use Komodia's SDK. So here's the cert and privkey for
StaffCop. Interestingly, the CERT page says only 5.6 is affected,
but I checked the latest 5.8 and it also uses Komodia...
Another one from CERT's page, "easy hide ip classic". Why would
a VPN MITM SSL connections? Definitely not for a good reason.
Next: Lavasoft Ad-Aware Web Companion. Lavasoft should know
better in my opinion, but given that this one is only the third
I've seen to use Komodia's "anti-av", and this one uses XXTEA
not Blowfish... (and it caused me some trouble unpacking, at least
now I know an easy way to unpack all of Komodia's anti-av stuff!)
This one wasn't on the CERT website when I found it. The PUP
PureLeads uses Komodia, with SSL MITM. Here's the cert and privkey.
Also, the PUP Sendori (which contains Komodia's ring0 rootkit also)
uses this same cert and privkey.
Next one: SecureTeen parental control software, which uses both
ring0 and ring3 rootkits for some reason.
Another one: ImpresX? DiscountCow? Not even sure of its true
name, but it's a PUP and it uses Komodia anti-av. Thanks to
@Whistler4Ever for the sample.
| And here's another one. Not really sure what it's from, some | |
| PUPs by Objectify Media, "WebProtect" or something, and this one | |
| also includes the ring0 rootkit. Again thanks to @Whistler4Ever | |
| for the sample. | |
| Next one is CovenantEyes, a parental control software. It | |
| uses the komodia ring-0 rootkit of course. Thanks to @Gh0stAg3ntX | |
| for the sample. | |
| Seems some VPNs use komodia's sdk, but not for SSL MITM. | |
| Nevertheless, hide-my-ip's komodia proxy contains a CA cert and | |
| plaintext private key, for E = [email protected] CN = Barak | |
| OU = SSL O = Komodia L = TLV S = NA C = IL - I guess it's some | |
| kind of leftover. Here's the cert and private key, though. | |
| - slipstream / raylee - @TheWack0lian | |
| PS: I also checked the OSX version of Qustodio. It's somewhat | |
| unrelated, but it uses its own CA cert/privkey pair. The privkey | |
| wasn't crypted in the mach-o. | |
Author
@taoeffect They use the same cert per product. They don't generate a random one per machine.