Motivation
Understanding the behavior of infected websites is very important. This provides security researchers with strategies to help deal a blow to the bad guys and at the same time, provide website owners and administrators an idea of the current state of website security.

Since the publication of our last article in this series, we have received good feedback from our colleagues in security. We will attempt to incorporate their comments and concerns in this part of the series.

Methodology
We discussed the aim of this experiment and methodology in the last part of this series. We won’t repeat them here, but we encourage you to take a look at our first article in this series if you haven’t already read it!

Analysis
Below we present some graphs which provide more information about the analysis.

• Websites have a high probability of getting hacked on a Wednesday!

Websites have a high probability of getting hacked on a Wednesday!

• Websites have a high probability of getting hacked between 7-8 PM PDT.

Websites have a high probability of getting hacked between 7-8 PM PDT.

• On Monday websites get hacked most between 11 AM to 12 Noon, PDT
• On Tuesday websites get hacked most between 9 AM to 10 AM, PDT
• On Wednesday websites get hacked most between 7 PM to 8 PM, PDT
• On Thursday websites get hacked most between 10 PM to 11 PM, PDT
• On Friday websites get hacked most between 11 AM to 12 Noon, PDT
• On Saturday websites get hacked most between 1 PM to 2 PM, PDT
• On Sunday websites get hacked most between 11 AM to 12 Noon, PDT

Note: Most hashes which stay on the blacklist (over the 113 day period) seem to get added to the blacklist on Wednesday.

Conclusions
We have presented more interesting statistics regarding the appearance of website hashes on the Google Safe Browsing List. These statistics provide information which website administrators and owners can use better arm themselves with against attackers. We will continue analyzing the dataset to provide more interesting information. If you have any questions please add a comment.

At stopthehacker.com, we work hard to help you combat malicious hackers. If you would like to work with us, please drop us an email. You can also visit our services page to find out how we can help you, in fact you can even sign up for free services!

Till next time…

Motivation
In this article we will be analyzing the Google malware hash lists that have been published over the past few months in order to answer these important questions:

• How many websites get blacklisted each day?
• How many websites manage to get off the blacklist?
• How soon do websites get off the blacklist?
• How many never get off the blacklist?

These are practical questions which are often posed by frustrated, sometimes confused and angry website owners, time and time again at help forums, and via our contact page.

Resources
Google has done a good job creating detailed help content describing the process of blacklisting, as well as a group where website owners can ask for help. Additionally there are excellent resources like BadwareBusters where users can find volunteers to help them. We also participate in these groups.

Yet, there is still a demand for getting clear cut answers to some basic questions like the ones detailed above. In this vein we want to provide scientifically sound and statistically significant analysis of freely available information to provide clear answers to these questions. A small FAQ is also available on our site to answer questions from website owners and admins.

Goals
This series of experiments is split into multiple parts. This article presents a first look (part 1) at openly available data. The goal of the experiment is to understand:

• How many websites get blacklisted each day?
• How many websites manage to get off the blacklist?
• How soon do websites get off the blacklist?
• How many never get off the blacklist?
• How many websites fall back onto the blacklist?
• How much time elapses before a website falls back into the blacklist?

Methodology
For the purposes of this experiment, Google malware hash lists were collected from March 3, 2010 to June 1, 2010 (113 days). Malware hash lists were collected every 30 minutes. Each malware hash list contains the information in the Google malware hash specification. All hash lists were parsed and unique hashes were extracted and time stamped, and correlated with the malware hash list version.

Subsequently an analysis was conducted to answer the questions posed above. At no point was an attempt identify a website name from the hashes. Also, note that a single website can have more than one unique hash. For example: “www.abcd.com”, “abcd.com”, and “www.abcd.com/infected/” can all generate different hashes.

Brief Highlights

• Total number of unique hashes tracked: 688,602.
• Average number of unique hashes per day (over 113 day period): 6093.
• 25.8% of hashes never got off the Google blacklist.
  Each one of these unique hashes was deemed infected for over 3 months (greater than 113 days).
• 43% of hashes were listed exactly once as infected and managed to get off the Google blacklist.
  The average time each of these hashes was blacklisted was 13 days (89 days max).
• 2% of hashes were blacklisted exactly twice.
  Each one of these hashes was blacklisted, was then removed from the blacklist and then fell back in (the sites were hacked again). These sites remained infected for an average of 19 days (89 days max), and remained clean for an average of 17 days before being hacked again.

Analysis
It is clear from these initial results that a very large number of websites, nearly one quarter of the 6000 hashes added per day never make it off the Google blacklist. There are a number of reasons for this. One being that most webmasters, who may be good at website design and layouts, may not have the technical skills which are required to clean websites infected by malware and code injection attacks. We have also met website owners who are extremely business savvy, but lack the technical expertise to recover from a blacklisting event. The income lost due to business interruption in these cases is considerable.

We see that 43% of websites which get blacklisted manage to make it off the blacklist, but these websites suffer for an average period of 13 days.

Some websites manage to get off the blacklist and then fall in again. The average time for these “repeat offenders” on the blacklist is larger than the previous case. The time for which these “repeat offenders” stay clean is not very high, an average of just 17 days.

Conclusion
These numbers clearly show the current sorry state of website security. It is unfortunate that thousands of websites are affected every day. At stopthehacker.com, we strive to help combat this trend.  These issues need to be addressed specifically by services that currently are not readily available to the masses. To address this vacuum in the service space, and disrupt the security market stopthehacker.com provides its advanced Health Monitoring and Vulnerability assessment services for website owners. Our services take away the anguish which business owners face when their websites are attacked. Please visit our services page to find out how we can help you. In fact, you can even sign up for free services.

Further detailed analysis will be presented in the second part of this series. We will show detailed analysis of the data and will provide more insight on the implications of these observations.

Stay tuned for Part 2!

Overview

The popularity, relevance and importance of a website, which determines where in the search rankings it should appear, can simplistically, thought to be represented by one magic number: the Google PageRank. This article is not about how to calculate, improve or tune your Google PageRank.

This article will discuss how a hacker can break into your site, without you knowing and reduce your Google PageRank, thereby making your website plummet from the top rankings in search engines, making your business lose money and visibility.

An Example

On May 7th, 2010, we reviewed a compromise of one of many sites we scan on a daily basis. This site was attacked by a hacker who had exploited a vulnerability in the web application used to host the website. Once the hacker had identified the specific vulnerability, which was WordPress based, he injected spam links into the source code of the pages on the site.

All the spam links are nicely placed after the main body of the legitimate HTML portion and even starts with a comment tag “<!– google –>”!

Malicious spam links injected into the website.

Conclusion

The affect of this spam link injection was that the PageRank of the legitimate site was potentially reduced since many links on the website now pointed to spam or malicious pages. This could result in lower positioning in search results as displayed on various search engines. This is yet another case where webmasters and administrators, who are already overloaded with many tasks, were either unaware or could not pay attention to the security breach.

At stopthehacker.com we are always available to help. If you have suffered from a breach of this kind and would like to share your experience, please contact us.

In recent years, the number of blacklist being published by web-centric organizations have grown by leaps and bounds. Large Internet based companies such as Google, Yahoo and Microsoft have been providing cues to their users about malicious websites in trying to make the Internet a safer place. Google provides much more in-depth information than the other two, Yahoo and Bing, and seems to have sophisticated virtual machine based analysis tools which can detect misbehaving malicious code. Yahoo employs McAfee’s Search scan service while Bing potentially uses Microsoft specific technologies.

Experiment Goal

The aim of this experiment is to compare the coverage for each of the blacklists published by Google, Yahoo and Bing and compare them to what users in the Internet believe. To do this we will compare the results of Google, Yahoo, Bing and Malware Patrol with Web of Trust (WOT). Furthermore, we have also tried to see how many of these malicious URLs are also involved in Phishing. We have done this by looking up each URL/domain via Phishtank’s API.

Blacklists provide an easy mechanism for users (via browsers) and developers (via APIs) to assimilate security information about websites, IPs and such in order to make an informed decision about whether to allow or deny access to an IP or website.

Methodology

We have collected 1095 confirmed malicious links from MalwareURL. Each of these links was tested to determine if they are listed on blacklists supplied by Google, Yahoo and Bing. Note that Yahoo and Bing unlike Google do not provide any direct APIs to probe their databases. Thereby each link, and its associated domain was pushed via an HTTP request to Yahoo and Bing to analyze if the results indicated that the domain/link was infected.

To determine if a website is present in the Google malware blacklist, the domain name along with the link and its variations, as defined here, are converted to MD5 hashes and checked using Google’s Safe Browsing API. For Malware Patrol, the aggressive version of their blacklist is downloaded and comparisons are made locally. For WOT, we employ their XML based API to gather information about the belief of users in the Internet. For Phishtank we have used their XML based API. The tests were conducted on Mar 22 2010.

Popular blacklists cover only a minuscule percentage of malicious sites.

Highlights

• Google marked 0.18% of the URLs as unsafe.
• Yahoo marked 1.0% of the URLs as unsafe.
• Bing marked 0.09% of the URLs as unsafe.
• Malware Patrol marked 0.63% of the URLs as unsafe.
• Phishtank marked 0% of the URLs as unsafe.
• WOT marked 99% of URLs as unsafe.

Note: 1095 unique, malicious URLs were tested with each service.

Observations

Interestingly, Web Of Trust (WOT) marked 99% of the URLs with “poor” or “very poor” or “unsatisfactory” reputation. We have to assume that when users will see such a rating they will not visit the website in question and hence treat this kind of rating as unsafe, for the purposes of this test. It remains to be determined if WOT uses a data feed from a malware URL which we have used to prime the test set. Nonetheless, it is surprising to see that a company which specializes in collating the trust and opinions of web surfers performs better orders of magnitude than large Internet companies and established blacklist providers.

One must keep in mind though that Google’s approach to maintaining an ever changing blacklist is slightly different from the other actors in the game. Google publishes an updated version of its list every 30 minutes or so and specifies which MD5 hashes need to be purged and which ones need to be inserted. Some blacklist services do not take this approach and hence may claim to store information on millions of sites, which were infected at one point in time. The probability of this happening in the Google blacklist is low, because they have opened up a review process via their webmaster central area to update their blacklist.

In contrast, Bing and Yahoo do not provide public APIs for developers and applications to use.

Also, we see that none of the URL/domains were actually listed on Phishtank. It seems that websites which aim to infect users with malware are quite different from the set of sites used for phishing. It does not seem that malware laced websites are also used to commit phishing.

Conclusion

Large Internet companies, some of whom have published effective blacklists, used by many developers and application all over the world, still have a long way to go in order to become truly effective. As we have seen, only minuscule numbers of malicious websites are identified by the blacklist services. WOT seems to be extremely effective at identifying unsafe websites. It remains to be determined whether the data-set used for this test has a large overlap with any of the sources WOT uses to classify websites.

Another interesting result is that it does not seem that websites which aim to infect users with malware are actively involved in phishing campaigns.

Overview

SEO poisoning is not new, but it is definitely a growing trend. It is becoming a vector of choice for hackers. The procedure to commit this crime is actually quite similar to the method of code-injection. First, find a vulnerability in the website or hosting infrastructure which will allow a hacker to upload malicious code or modify the behavior of the web application. Once this is achieved a hacker can insert URLs into a web page which will be indexed by search engines such as Google.

Below, we provide a screen shot to illustrate that hackers are reverse-engineering popular keywords from Google search trends to exploit unsuspecting users. In this particular example, the search query is extracted from Google Trends and results clearly show URLs which redirect users to fake anti-virus websites. Unfortunately, few of these URLs are even blacklisted by Google and hence users do not even have the luxury of making a decision to visit an unsafe website or not.

An example of SEO poisoning using a search query from Google Trends.

Experiment Goal

The aim of this experiment is to identify URLs which are using SEO poisoning.

Methodology

Search results were collected from Google Trends. Once the search queries were collected, searches were performed via Google and the first  10 results were collected for each search query.

Each search result was analyzed to find whether the URLs displayed in the search results contained the complete search query in the exact same order. Also, it was determined whether the structure of the URL matched patterns of SEO poisoning. Furthermore, the IP associated with the URL was looked up on Spamcop to verify if the IP had been used for sending spam or had participated in zombie networks. Finally, using a geo-location API from IPinfo DB, the country of origin for the URL was determined. The test was conducted on March 23, 2010. Google trend results for the period of January 1, 2010 to March 22, 2010 were used for searches.

Highlights

• 59.5% of search results returned by Google had URLs which contained the entire search string in the same exact order.
• 26.07% of search results returned by Google had URLs which matched SEO poisoning patterns.
• 14.1% of search results returned by Google had URLs which matched SEO poisoning patterns and contained the entire search string in the same exact order.
• Only one IP seemed to be involved in spam related activity.
• Some of the most popular locations for websites returned as search results are: US, Canada, Netherlands, Germany, UK, France, Czech Republic, Australia and Singapore.

Note: 10,559 search results were analyzed.

Percentage of sites from different countries affected by SEO poisoning.

Countries which seem to have the highest number of SEO poisoned links indexed by Google:

• 86.1% of URLs from Singapore based sites.
• 74% of URLs from Netherlands based sites.
• 30.5% of URLs from UK based sites.
• 25.1% of URLs from Germany based sites.
• 12.6% of URLs from Canada based sites.
• 12.42% of URLs from US based sites.

Fluctuation in the number of SEO poisoned results.

Note the fluctuations in the number of search results which are SEO poisoned.

Conclusion

It is clear that even the world’s most popular search engine company is not secure from SEO poisoning. It is not for the lack of trying though, but instead of the myriad number of ways hackers can break into a website and take advantage of it. We have seen that large numbers of search results match SEO poisoning patterns. Furthermore, it is clear that hackers are injecting malicious URLs into compromised websites to latch onto Google trends.

Unfortunately, the idea of page caching has not been implemented well. In fact, page caching has opened up new opportunities for malware. The primary problem being that, from a security perspective, when search engines cache copies of websites, they are storing any malware that is present on the site on their own infrastructure as well.

Hackers Exploit Search Engine Page Caches

Most large search engines use some kind of malware analysis to determine if a website is compromised or not. Google for example, has a well tuned system with high accuracy. In our meeting with the Google malware team, some months ago, we were glad to find that they were already aware of this problem. In the weeks following our interaction, cached copies of infected websites were no longer easily available via searches.

Not so long ago, we wrote an article about our efforts to alert Yahoo of the presence of malware in the cached versions of various web pages served up by their search engine. Our efforts were not successful, although the occurrence of malware in Yahoo cached pages seems to have gone down significantly. Perhaps our messages were not entirely ignored.

Recently, an article came up on ISC SANS discussing this very same issue.

Recently, we have found instances of Bing serving up malware in their cached pages. It seems that Bing’s malware detection methods are not able to reliably detect malware on cached web pages. This keeps Bing from securing cached pages which contain malware for its users. We have provided screen shots below as an example of the issue. In this particular case, the strain of malware found in Bing cached pages has been around since 2009.

Search Engines Ignore the Problem

Consider the case where a malicious individual deliberately infects a website with malware and Bing (or another search engine) indexes it. The malicious individual can then send out hyperlinks pointing to the cached web pages hosted by Bing. Any kind of “reputation-checking” for the cached link will confirm that the page is hosted by a reputable company, in this case, Bing (Microsoft). However, the malware will still be able to deliver its payload. Just in case you’re thinking, “my antivirus will protect me from the malware on the cached page,” you may like to read this article.

It is surprising to see that search engines like Bing, which claim to implement malware detection, cannot correctly determine if a cached copy of a web page hosts malware! In these cases, Bing ends up an excellent attack vector for malicious individual.

It remains to be seen if search engine companies will continue to serve up cached pages laced with malware at the same time as they are touting active scan and detection mechanisms. Let’s hope this article can get attention in the upper echelons of management at these large search giants and they start to pay attention to this problem.

Screen shots follow below:

Hackers employ two basic techniques:

• Creating large numbers of users on forums. These accounts are then used to post spam on the message boards.
• Exploiting Web Application vulnerabilities in the software used to run the forum.

Approximately two weeks ago, Lenny Zeltser, from ISC SANS, posted an informative article about online pharmacy ads popping up on message boards. In this vein we have conducted a limited experiment with about 14,000 websites which contain spam announcing online pharmacies.

The aim of the experiment:

• What percentage of websites which advertise online pharmacies are message boards and Internet forums?
• What Web Applications, e.g. CMS packages, are used on the message boards that are compromised?

We believe this will provide us with a rough estimate of how focused are hackers toward using message boards and forums on the Internet to advertise spam. From another perspective, it will provide us some idea of how vulnerable websites are if it hosts a message board or forum from being abused by hackers.

Testing methodology:

We have used Google to mine the websites which contain certain keyword patterns such as “buy zocor online”, or “buy brand kamagra online” etc. Once the links suggested by Google were mined, each of the websites was tested against Google’s Safe Browsing List to determine if they had hosted malware (according to Google). Next, an analysis was done to determine if the link(s) mined from Google pointed to a forum or message board. This was done by identifying the presence of multiple strings inside a link. For example, if a link has the keywords “topic”, “view”, “thread” or similar keywords, including characters associated with dynamic page generation, it is probably hosting a message board or forum.

The test was conducted between January 21st and January 23rd, 2010.

Popular software packages installed on compromised forums and message boards.

We present the most interesting results below:

• 47.9% of websites displaying “online pharmacy” spam are message boards and forums.
• None of the websites advertising “online pharmacy” spam were listed on Google Safe Browsing List.
• 20.28% of forums displaying “online pharmacy” spam were using Jquery.
• 15.73% of forums displaying “online pharmacy” spam were using phpBB.
• 11.54% of forums displaying “online pharmacy” spam were using WordPress.
• 10.84 % of forums displaying “online pharmacy” spam were using Mootools.

These results and other software packages, helper-scripts, tracking-code are depicted in the graph presented above.

This small experiment shows that a high percentage of websites displaying online spam campaigns are message boards or forums. This indicates that there are many unsecured software installations and older software packages still in use which are often exploited by malicious individuals to post spam. Further, it seems that most sites which were hacked are using jQuery. This supports our previous observations regarding jQuery scripts being used to push malware to unsuspecting visitors.

Below we present some sample links which lead to “online pharmacy” spam ads:

We strongly suggest that you do not visit the below sites.

hxxp://agingparents.com/blog/wp-comments.php?id_comments=1041
hxxp://agnitech.net/forums/viewtopic.php?f=2&t=426
hxxp://altlingo.com/community/members/zocor+online+24q.aspx
hxxp://aslansin.com/members/zocor-package-insert-26i/default.aspx
hxxp://beanbol.com/purchase-zocor-(simvastatin)-40-mg.html
hxxp://beanbol.com/zocor-(simvastatin)-20-mg.html
hxxp://blog.firestats.cc/
hxxp://blog.firestats.cc/49
hxxp://blogs.bet.com/music/soundOff/about/?cp=13
hxxp://blogs.greenpeace.ca/?proto=713
hxxp://blogs.greenpeace.ca/?proto=715
hxxp://blogs.inquirer.net/happynest/2009/10/09/just-sing/
hxxp://boards.tx-outdoors.com/viewtopic.php?f=2&t=467
hxxp://buy-cheap-zocor.hi5.com/
hxxp://cheapzocor.com/
hxxp://cheapzocor.com/about/
hxxp://coilhouse.net/?deppsa=710
hxxp://coilhouse.net/?deppsa=715
hxxp://community.burton.com/members/zocor+interaction+10a.aspx
hxxp://en.netlog.com/clan/BuyZocorOnline
hxxp://en.netlog.com/clan/zocor
hxxp://eostrava.cz/post-80523-cheap-zocor/
hxxp://f5fest.com/?p=50
hxxp://fans.askaninja.com/profiles/blogs/buy-zocor-no-prescription-buy
hxxp://feedblogger.net/members/cost-zocor-68l.aspx
hxxp://foros.canaljuegos.com/index.php?topic=1067891.0
hxxp://foro.toplatino.net/viewtopic.php?f=3&t=17031
hxxp://forsale.oodle.com/view/buy-zocor-online-and-treat-the-cholesterol-problems/1763399272-seattle-wa/
hxxp://forum.asian-autoparts.eu/viewtopic.php?p=4234&sid=82d1fc8ea8bf7189150dda0674d1d9b0
hxxp://forum.atiz.com/index.php?topic=362.msg665;topicseen
hxxp://forum.autonews.fr/index.php?showtopic=43369&view=getlastpost
hxxp://forum.jiwang.org/index.php?showtopic=44638
hxxp://forum.lugarcerto.com.br/viewtopic.php?f=13&t=1022
hxxp://forum.ronatvan.com/index.php?action=printpage;topic=3171.0
hxxp://forum.ronatvan.com/index.php?topic=3171.0
hxxp://forums.solmetra.com/viewtopic.php?f=2&t=67911
hxxp://forums.solmetra.com/viewtopic.php?f=3&t=48102
hxxp://forum.tag-board.com/showthread.php?p=70359
hxxp://forum.tarad.com/index.php?action=printpage;topic=23901.0
hxxp://forum.vachealait.com/viewtopic.php?f=3&t=123806
hxxp://forum.vachealait.com/viewtopic.php?f=5&t=124103
hxxp://forum.vladimirmedvedev.com/index.php?topic=190.0
hxxp://forum.vortue.com/showthread.php?p=114540
hxxp://gallopinghillcaterers.com/?page=buy-online-zocor&f=1262906101
hxxp://gameinformer.com/blogs/members/b/buy_zocor_warnings_blog/archive/2009/12/18/buy-zocor-warnings-pu4.aspx
hxxp://gameinformer.com/members/zocor_2D00_online/default.aspx
hxxp://gfestival.com/?pages=157
hxxp://gfestival.com/?pages=65
hxxp://grabhot.com/index.php?topic=2537.0
hxxp://groups.adobe.com/posts/534b2ec31b
hxxp://harvardcitizen.com/?zine=1144
hxxp://harvardcitizen.com/?zine=4200
hxxp://historias.masoportunidades.com.ar/?page_navg=3879
hxxp://ibls.com/cs/members/zocor+pricing+44n.aspx
hxxp://identi.ca/andres250
hxxp://identi.ca/zachery328
hxxp://innfromthenight.com/forum/viewtopic.php?f=28&t=57971&p=60406
hxxp://jackpenate.com/forum/viewtopic.php?pid=16485
hxxp://leegibbons.com/formbuilder/web/pharmacy/zocor/p=tricor-zocor.html
hxxp://letterheadforemail.com/Zocor.html
hxxp://mabonline.net/tablets-zocor-(simvastatin)-5-mg.html
hxxp://mabonline.net/zocor-(simvastatin)-for-sale.html
hxxp://matadornetwork.com/
hxxp://my.superbasket.gr/viewtopic.php?f=4&t=1562&p=2139
hxxp://naturalpet-com.safepages.com/showthread.php?t=1071
hxxp://networking.bizjournals.com/Jonny2
hxxp://noprescriptiononlinepharmacy.ca/zocor.html
hxxp://pastebin.ca/1743811
hxxp://pornknight.com/zocor-depression-t14855.html
hxxp://posterous.com/people/37qTcxHC297r
hxxp://punkrock.org/buyzocoronline1075&v=comments
hxxp://ranahan.dephan.go.id/forum/viewtopic.php?f=2&t=6803
hxxp://responsiblemarketing.com/blog/?generic=3880
hxxp://room.vicman.net/viewtopic.php?f=2&t=147874
hxxp://room.vicman.net/viewtopic.php?f=4&t=147047
hxxp://technorati.com/blogs/zocorlinks.blogspot.com
hxxp://thebristolfestival.org/README.php?tbf=746
hxxp://theevonyforum.com/online-zocor-purchase-buy-cheap-zocor-t433.html?sid=c64462e6e1214d18ea22e365c76aa13d
hxxp://thisis50.ning.com/forum/topics/buy-zocor-from-a-usa-pharmacy
hxxp://tk-twk.nets.hk/viewtopic.php?f=42&t=11427
hxxp://tohanschik.ru/viewtopic.php?t=1380&view=previous&sid=5ccac30f7095c3421d89b8a3c16a23a4
hxxp://twit88.com/home/node/10289
hxxp://virb.com/rushots/posts/text/6881665
hxxp://visualstudiogallery.msdn.microsoft.com/it-IT/4ec90b81-93e4-4435-b627-4410e6028af9?persist=True
hxxp://webradiocharts.eu/forum/viewtopic.php?f=4&t=376
hxxp://wiki.pylonshq.com/display/~heetley/BUY+Zocor+LOWEST+prices+NOW
hxxp://wiki.pylonshq.com/display/~heetley/BUY+Zocor+LOWEST+prices+NOW?showComments=true&showCommentArea=true
hxxp://www.247-pharmacy.com/buy/zocor.php
hxxp://www.abbeyproperties.co.uk/config.php?set_user=1&s=1264
hxxp://www.abbeyproperties.co.uk/config.php?set_user=1&s=1996
hxxp://www.aldaracreamonline.co.uk/buy-zocor.htm
hxxp://www.antidepressantscheaper.com/
hxxp://www.aperitto.com/support/forum/12-emr-suite/511-meridian-two-bit-pharmacy-appraiser-it
hxxp://www.articlesbase.com/health-articles/online-pharmacy-offers-the-most-competitive-prices-on-zocor-869351.html
hxxp://www.atalasoft.de/cs/members/zocor+400+mg+53b.aspx
hxxp://www.avatarpress.com/2010/01/22/post-80540-buy-zocor/
hxxp://www.blogged.com/topics/zocor/
hxxp://www.bowlofcereal.net/viewtopic.php?f=5&t=99
hxxp://www.brbooks.co.uk/zocor-(simvastatin)-10-mg-free-shipping.html
hxxp://www.canadianhealthcaremall.net/drug-zocor123.shtml
hxxp://www.canamericaglobal.com/products/Zocor/20/
hxxp://www.chemistdirect.co.uk/zocor-simvastatin-10-mg-tablets_4_12038.html
hxxp://www.chemistdirect.co.uk/zocor-simvastatin-40-mg-tablets_4_12040.html
hxxp://www.chop.edu/forum/user/profile/12110.page
hxxp://www.clockworkpharmacy.com/zocor-heart-pro-tablets-10mg.html
hxxp://www.copykatchat.com/
hxxp://www.cruisersforum.com/forums/members/inxgwo32-30799.html
hxxp://www.daanbantayan.gov.ph/dbforums/viewtopic.php?f=26&t=43370
hxxp://www.daanbantayan.gov.ph/dbforums/viewtopic.php?f=28&t=43373
hxxp://www.divingleisurelondon.co.uk/forum/online-zocor
hxxp://www.drugs-s.com/product-35-prd_12.html
hxxp://www.elakiri.com/forum/showthread.php?p=6341304
hxxp://www.europeanirish.com/index.php?med_id=buy-zocor-(simvastatin)-10-mg
hxxp://www.europeanirish.com/index.php?med_id=buy-zocor-(simvastatin)-40-mg
hxxp://www.fastcompany.com/tag/pharmacy
hxxp://www.feld.com/blog/archives/2007/02/buy-zocor-online.html
hxxp://www.feld.com/blog/archives/2007/02/online-buy-zocor-without-a-prescription.html
hxxp://www.fioricetpharmacy.info/product.php?prod=Zocor
hxxp://www.flexyx.com/Z/Zocor.html
hxxp://www.folkd.com/go/zocor+lipitor
hxxp://www.forkncork.com/?p=80540
hxxp://www.forkncork.com/?p=80544
hxxp://www.freecodesource.com/user/profile-354708.html
hxxp://www.freecodesource.com/user/profile-354802.html
hxxp://www.genbrand-rx.com/Zocor.html
hxxp://www.genericmedsfromcanada.com/
hxxp://www.genericmedsfromcanada.com/ZOCOR_80_mg_GENERIC_SIMVASTATIN_80_mg_28_Tabs_p/sim0753b.htm
hxxp://www.genericsmed.com/buy-cheap-generic-zocor-simvastatin-p-21.html
hxxp://www.genv.net/en-us/node/10875
hxxp://www.giustiziere.org/viewtopic.php?f=7&t=10277
hxxp://www.globaltrainingcenter.com/news.php?node=1412
hxxp://www.globaltrainingcenter.com/news.php?node=682
hxxp://www.goprocamera.com/admin/_js/tiny_mce/themes/advanced/files/buying-zocor-legally.html
hxxp://www.goprocamera.com/admin/_js/tiny_mce/themes/advanced/files/buy-zocor-without-a-prescription.html
hxxp://www.gradcats.org/index.php?option=com_content&view=section&layout=blog&id=1&Itemid=2&node=2156
hxxp://www.gradcats.org/index.php?option=com_content&view=section&layout=blog&id=1&Itemid=2&node=3753
hxxp://www.gripenet.pt/blog/?p=80521
hxxp://www.gripenet.pt/blog/?p=80528
hxxp://www.hcs.harvard.edu/~salient/site/?menus=715
hxxp://www.hip-hop.net/profile/buyzocorG9FG
hxxp://www.hip-hop.net/profile/Fredmd
hxxp://www.hkcd-team.net/viewtopic.php?f=7&t=284
hxxp://www.ibiblio.org/agray/brushd/cheapest-price-for-zocor-40-mg.html
hxxp://www.ibiblio.org/agray/brushd/does-effect-have-libido-womens-zocor.html
hxxp://www.inansurucukursu.com/inan/forum/index.php?topic=2153.0;wap2
hxxp://www.inyoursuburb.com.au/forum/viewtopic.php?f=25&t=12069
hxxp://www.ipetitions.com/petition/buy_ambien_online_480/
hxxp://www.kucasnova.net/index.php?topic=1911.0
hxxp://www.kucasnova.net/index.php?topic=2378.0
hxxp://www.last.fm/user/zocor7103
hxxp://www.lerpg.com/forum/index.php?topic=1716.0
hxxp://www.livestrong.com/zocor-side-effects/
hxxp://www.mahalo.com/answers/drugs/where-can-you-buy-lipitor-online-is-it-cheaper
hxxp://www.makingthings.com/wiki/document.zocor-online-order
hxxp://www.masterseek.com/q/Zocor/0/1/Zocor.htm
hxxp://www.mathleagueforum.com/viewtopic.php?f=2&t=41
hxxp://www.menieresforum.com/?q=node/132
hxxp://www.michwine.com/index.php?Itemid=148&option=com_jcalpro&Subitem=3562
hxxp://www.michwine.com/index.php?Itemid=148&option=com_jcalpro&Subitem=773
hxxp://www.mister-wong.com/topics/zocor/
hxxp://www.mombu.com/hdtv/hdtv/t-buy-lipitor-online-no-prescription-needed-3828654.html
hxxp://www.mypage.com/buyzocor862/extendedprofile
hxxp://www.nfu.org/forum/archive/index.php?t-20956.html
hxxp://www.numberstemplates.com/forums/showthread.php?t=977
hxxp://www.offshorerx.com/drug/buy_generic_zocor.htm
hxxp://www.online-drugstore-usa.com/cheap_cardiovascular_prices/buy_generic_zocor_pills
hxxp://www.onlinepillspro.com/buy/zocor.html
hxxp://www.oxygenoverkill.com/forum/viewtopic.php?f=2&t=15
hxxp://www.pharmacyescrow.com/s3737-s-ZOCOR.aspx
hxxp://www.pharmacyescrow.com/s41524-s-ZOCOR.aspx
hxxp://www.photography-now.net/help/index?no-rx=1475
hxxp://www.photography-now.net/katja_oluscha_grunther/index?no-rx=3348
hxxp://www.pillsforall.com/cholesterol-lowering/zocor-40mg-generic-x-60/prod_57.html
hxxp://www.pillwatch.com/product/zocor/
hxxp://www.postnewsline.com/2009/04/the-post-new-website.html
hxxp://www.praktikum.de/forum/online-zocor-purchase-prescription-zocor-t12436.html
hxxp://www.psicologico.cl/?favorite=4356
hxxp://www.pyzam.com/profile/3304209
hxxp://www.pyzam.com/profile/3304382
hxxp://www.rfidtalk.com/showthread.php?p=19119
hxxp://www.rottentomatoes.com/vine/showthread.php?p=16528906
hxxp://www.rottentomatoes.com/vine/showthread.php?t=709353
hxxp://www.scribd.com/doc/25364786/buy-cheap-Generic-Zocor-Simvastatin-20mg-online-without-prescription
hxxp://www.server2go-web.de/forumng/index.php?topic=111147.0
hxxp://www.spurs11.com/forum/showthread.php?t=69947
hxxp://www.teamhallpass.com/2010/01/post-80522-buy-zocor/
hxxp://www.teamhallpass.com/2010/01/post-80527-about-zocor/
hxxp://www.technieuws.org/?p=83598
hxxp://www.technieuws.org/?p=83620
hxxp://www.tempuspharmacy.org/zocor-drug-information.html
hxxp://www.theartofthepossible.net/?p=83620
hxxp://www.theunforsaken.com/viewtopic.php?f=3&t=7668&p=8971
hxxp://www.thisis50.com/xn/detail/784568:Topic:18648223?xg_source=activity
hxxp://www.travelersnation.com/forum/post774.html
hxxp://www.tumblr.com/tagged/saints+&amp%3B+sinners
hxxp://www.twit88.com/home/node/10117
hxxp://www.valuepharmaceuticals.com/medicine/index.php
hxxp://www.wehopres.org/?p=83620
hxxp://www.wikio.com/article/122956318
hxxp://www.wikio.com/sports/football/football_players/michael_koenen
hxxp://www.wizard101.pl/forum/buy-zocor-drugs-online-zocor-t296.html
hxxp://www.world-drugs.net/order_generic_zocor.php
hxxp://www.xlpharmacy.com/
hxxp://www.xlpharmacy.com/generic-zocor/
hxxp://www.zenpharmacy.com/Zocor/buy-prescription-Zocor-online.html
hxxp://zocoronline130.typepad.com/blog/2010/01/buy-zocor-estrogen.html
hxxp://36poker.ru/forum/index.php?topic=2188.0
hxxp://ad-bu.chavalar.com/forum/index.php?topic=124.0
hxxp://alexatutor.com/viewtopic.php?f=2&t=838&p=915
hxxp://articlet.com/article7179.html
hxxp://bb.obscurusfio.com/index.php?topic=279.msg406
hxxp://bb.peak2010.org/viewtopic.php?f=2&t=31619
hxxp://bbs.qqcipher.com/viewtopic.php?f=2&t=51
hxxp://benthanhgold.com/forum/viewtopic.php?f=8&t=1487
hxxp://biblioteca.uniminuto.edu/index.php/biblioteca-en-cifras/1297?task=view&page=975
hxxp://bigcuzinent.com/forum/index.php?topic=29.0
hxxp://blog.see3.net/?p=484
hxxp://blogs.inquirer.net/m-ph/2008/08/29/nikon-d90-official-1st-dslr-with-hd-video-recording/
hxxp://boards.tx-outdoors.com/viewtopic.php?f=2&t=343
hxxp://buycheapviagra.ca/kamagra.html
hxxp://buycialis20mg.com/buy-kamagra-soft-tabs.htm
hxxp://buy-kamagra-online.net/
hxxp://carolinadelnorte.jomc.unc.edu/?optin=com_pharma&rr=buy-kamagra-viagra-india.php
hxxp://carolinaweek.jomc.unc.edu/?option_pharma=viagra-uk-kamagra.php
hxxp://centovacast.com/viewtopic.php?f=9&t=182
hxxp://centovacast.com/viewtopic.php?f=9&t=218
hxxp://chemisaxli.gov.ge/forum/viewtopic.php?id=76060
hxxp://citkim.phpbboy.com/viewtopic.php?f=2&t=734&p=734
hxxp://community.bonnaroo.com/service/displayKickPlace.kickAction?u=13803616&as=12058
hxxp://community.essence.com/forum/topics/how-to-buy-online-kamagra
hxxp://cooperation-of-benzin.de/viewtopic.php?f=2&t=3726
hxxp://district9140ng.org/index.php?topic=11.0
hxxp://ekkanisayoluganda.org.uk/furum/index.php?topic=19289.0
hxxp://essenceonline.ning.com/forum/topics/buy-kamagra-drugsorder-chep
hxxp://fahrerservice.org/viewtopic.php?f=2&t=1830
hxxp://fanclub.darabubamara.eu/viewtopic.php?f=3&t=2701
hxxp://fanclub.darabubamara.eu/viewtopic.php?f=4&t=2687
hxxp://feelmaldives.com/forum/viewtopic.php?f=2&t=36
hxxp://foorum.kundaliniyoga.ee/viewtopic.php?f=2&t=5526
hxxp://fora.an-archos.com/viewtopic.php?t=134335&sid=f3287141aaa40ea1970e3e8d53279b27
hxxp://forocientifico.com/viewtopic.php?f=2&t=179
hxxp://foros.comfusion.es/index.php?topic=675.0
hxxp://forum.acme.nu/index.php?topic=12.0
hxxp://forum.ampirstyle.ru/viewtopic.php?f=6&t=53
hxxp://forumas.vtv.lt/index.php?topic=4192.0
hxxp://forum.atlaspronet.net/showthread.php?t=80150
hxxp://forum.autonews.fr/index.php?showtopic=42109&view=getlastpost
hxxp://forum.auto.ro/showthread.php?t=505005
hxxp://forum.cudaswiata.pl/viewtopic.php?f=6&t=488
hxxp://forum.cudaswiata.pl/viewtopic.php?f=7&t=485
hxxp://forum.dayment.com/viewtopic.php?f=14&t=19
hxxp://forum.delifisek.net/index.php?topic=6.0
hxxp://forum.djlanka.com/viewtopic.php?f=2&t=20547
hxxp://forum.egypt.com/enforum/programming-languages-f84/buy-cheap-generic-kamagra-online-kamagra-no-prescription-39580.html
hxxp://forum.faazmagazine.com/index.php?topic=153.0
hxxp://forum.familyguy.cz/viewtopic.php?f=6&t=1215
hxxp://forum.fsbw.de/viewtopic.php?f=1&t=543
hxxp://forum.geotorrents.com/index.php?showtopic=455183&view=getnewpost
hxxp://forum.gwteambuilder.de/index.php?topic=1516.0
hxxp://forum.im1music.net/index.php?topic=13695.0
hxxp://forum.jurutera.net/viewtopic.php?f=5&t=6
hxxp://forum.jzip.com/archive/index.php/t-194030.html
hxxp://forum.livetoride.cz/viewtopic.php?f=2&t=5
hxxp://forum.masseriadelpino.it/viewtopic.php?f=2&t=850
hxxp://forum.matura.pl/viewtopic.php?f=4&t=17054
hxxp://forum.matura.pl/viewtopic.php?f=7&t=17150
hxxp://forum.montages-electroniques.com/viewtopic.php?t=5824&sid=a19708674cddb891449e7c154a5fbaaa
hxxp://forum.muzsweet.com/viewtopic.php?f=4&t=3502&p=23454
hxxp://forum.opensourceassets.com/index.php?topic=10.0
hxxp://forum.parrucchieritalia.it/viewtopic.php?f=3&t=1374
hxxp://forum.plovdivairport.com/index.php?topic=8792.0
hxxp://forum.pngarnet.ac.pg/viewtopic.php?f=2&t=36593
hxxp://forum.pngarnet.ac.pg/viewtopic.php?f=2&t=36701
hxxp://forum.polymus.ru/index.php?topic=2345.0;wap2
hxxp://forum.rimsketoplice.net/viewtopic.php?f=5&t=721
hxxp://forums.beerke.nl/viewtopic.php?f=4&t=4319
hxxp://forums.deviationsonline.com/viewtopic.php?f=7&t=407
hxxp://forums.deviationsonline.com/viewtopic.php?f=7&t=421
hxxp://forum.sibautobroker.ru/viewtopic.php?f=5&t=4
hxxp://forums.salug.org/index.php?action=printpage;topic=286.0
hxxp://forums.stevengould.org/viewtopic.php?t=37126&sid=964c4c68b15e636529dbd54f2ab791a3
hxxp://forum.ti.itb.ac.id/index.php?topic=2844.0
hxxp://forum.toniderassi.com/viewtopic.php?f=5&t=25
hxxp://forum.transimagovideo.com/index.php?topic=34.0
hxxp://forum.ultravnc.fr/index.php?topic=2274.0
hxxp://forum.wayfinder.com/index.php?topic=40.0;wap2
hxxp://generics-sale.com/product/kamagra-soft-flavoured.html
hxxp://generic-viagra-kamagra.com/
hxxp://generic-viagra-kamagra.com/kamagra.php
hxxp://habbo-aktuell.net/forum/viewtopic.php?f=5&t=1640
hxxp://heldentaten-gilde.com/viewtopic.php?f=6&t=41
hxxp://innfromthenight.com/forum/viewtopic.php?f=14&t=52817
hxxp://jeepinohio.com/forum/viewtopic.php?f=8&t=3712
hxxp://khaz.de/viewtopic.php?f=2&t=1051
hxxp://knolstuff.com/forum/topics/buy-kamagra-online-1
hxxp://laissezfaire.ru/viewtopic.php?f=3&t=4282
hxxp://laser-inkjet-labels.com/viewtopic.php?f=2&t=228
hxxp://laser-inkjet-labels.com/viewtopic.php?f=2&t=57
hxxp://legalrxlist.com/
hxxp://letterheadforemail.com/Kamagra.html
hxxp://medicine.bizrate.co.uk/oid651048929.html
hxxp://medicine.bizrate.co.uk/oid651048949.html
hxxp://messageboard.wrolc.org/index.php?action=printpage;topic=2811.0
hxxp://messageboard.wrolc.org/index.php/topic,2811.msg2826.html
hxxp://my.superbasket.gr/viewtopic.php?f=4&t=1592
hxxp://online-pill-store.com/
hxxp://paintballtokod.hu/forum/viewtopic.php?f=2&t=6
hxxp://permai.gov.my/forum/viewtopic.php?f=3&t=22558
hxxp://picpost.rootsee.com/index.php?topic=150.0
hxxp://pokerqc.ca/viewtopic.php?f=4&t=667
hxxp://poradny.rodinaaja.cz/viewtopic.php?f=4&t=703
hxxp://pravoedelo-spb.ru/forum/viewtopic.php?f=2&t=5
hxxp://program.kralchat.net/kamagra.html
hxxp://realmomsguide.sheknows.com/?q=kamagra
hxxp://redrum-demos.net/forum/index.php?topic=672.0;wap2
hxxp://registrar.fiu.edu/typo3_cache/a/index.html
hxxp://rozbeans.com/forum/viewtopic.php?p=15276
hxxp://sietereinos.com/viewtopic.php?f=8&t=10
hxxp://sitagu.info/community/index.php?topic=49.0
hxxp://slowebdev.net/viewtopic.php?f=4&t=6
hxxp://snsdfan.com/forum/viewtopic.php?f=2&t=4
hxxp://socbaytravel.com/forum/viewtopic.php?f=4&t=603
hxxp://socbaytravel.com/forum/viewtopic.php?f=4&t=697
hxxp://sonsofanarchyboards.com/viewtopic.php?f=2&t=12
hxxp://sorsogon.gov.ph/discussion/viewtopic.php?f=2&t=47576
hxxp://southernorcleague.com/forums/index.php?topic=149.0
hxxp://spainleds.com/viewtopic.php?f=2&t=965
hxxp://tatilyorum.net/viewtopic.php?f=2&t=7
hxxp://techexchange.packeteer.com/viewtopic.php?f=4&p=18467
hxxp://theevonyforum.com/post1915.html
hxxp://thememoryhole.org/?s=kandu+v
hxxp://thewallsoflove.com/forums/viewtopic.php?f=4&t=8
hxxp://thisis50.ning.com/xn/detail/784568:Topic:18422720?xg_source=activity
hxxp://thisis50.ning.com/xn/detail/784568:Topic:18869853?xg_source=activity
hxxp://tra.tools4noobs.com/support-f2/where-buy-kamagra-online-the-lowest-drugs-online-offers-t88.html
hxxp://twit88.com/home/node/9933
hxxp://velociteen.com/forum/index.php?action=printpage;topic=1643.0
hxxp://virb.com/cialiss91m
hxxp://vitsearkiv.net/viewtopic.php?f=9&t=34
hxxp://waltham2.financialchat.com/blogs/online-generic-kamagra-without-prescription
hxxp://web.kc.ac.th/viewtopic.php?f=2&t=1454
hxxp://web.kc.ac.th/viewtopic.php?f=2&t=1578
hxxp://www.365pharmacy.co.uk/
hxxp://www.3tabs.com/viagra/kamagra.html
hxxp://www.acauch.com/foro/viewtopic.php?f=2&t=4
hxxp://www.alismed.com/
hxxp://www.arvuroma.it/forum/viewtopic.php?f=2&t=2131
hxxp://www.bacila.com/forum/viewtopic.php?f=3&t=3925
hxxp://www.backyardsteamtrains.com/viewtopic.php?f=2&t=659
hxxp://www.bellspharmacy.com/
hxxp://www.bellspharmacy.com/category/4/kamagra.html
hxxp://www.bestpharmacy4u.com/kamagra/
hxxp://www.blogcatalog.com/topic/buy+kamagra+oral+jelly+uk/
hxxp://www.blogcatalog.com/topic/kamagra+100mg/
hxxp://www.britishsteelcollection.org.uk/index.php?option=com_contact&view=contact&id=6:community&catid=45:sponsors&Itemid=59
hxxp://www.bvkportal.com/phpbb3/viewtopic.php?f=4&t=20
hxxp://www.carolinamartialartsforum.com/viewtopic.php?f=7&t=39
hxxp://www.caverta-silagra.com/
hxxp://www.cheapest-prescription-drugs.biz/
hxxp://www.classicrockmagazine.com/forum/viewtopic.php?f=4&t=733&p=8913
hxxp://www.classicrockmagazine.com/forum/viewtopic.php?f=9&p=8914
hxxp://www.clubprivedesire.com/forum/viewtopic.php?f=6&t=257
hxxp://www.coffeeshopnieuwvennep.nl/viewtopic.php?f=2&t=471
hxxp://www.columbusunderground.com/wonder-bread-bakery-in-italian-village-to-close
hxxp://www.daanbantayan.gov.ph/dbforums/viewtopic.php?f=9&t=1419
hxxp://www.devourofmugthol.com/forums/index.php?topic=109.0
hxxp://www.drontlen.com/forum/viewtopic.php?f=4&t=253&p=374
hxxp://www.drontlen.com/forum/viewtopic.php?f=4&t=259
hxxp://www.ekaport.ru/forum/showthread.php?t=14099
hxxp://www.ekaport.ru/forum/showthread.php?t=14127
hxxp://www.family-online-pharmacy.com/purchase_men___s_health_generic/
hxxp://www.family-online-pharmacy.com/purchase_men___s_health_generic/buy_cheap_brand_kamagra_oral_jelly_online.html
hxxp://www.folkd.com/go/kamagra+ajanta+pharma
hxxp://www.forodevinos.com/viewtopic.php?f=3&t=55
hxxp://www.forum4voip.com/viewtopic.php?f=1&t=38125
hxxp://www.forum.tripudiolatino.it/viewtopic.php?f=2&t=165
hxxp://www.freewebs.com/costaescorts/
hxxp://www.geistheiler24.de/forum/viewtopic.php?f=11&p=5217
hxxp://www.generatedata.com/forums/index.php?topic=2351.msg2495
hxxp://www.getdarker.com/forums/viewtopic.php?f=3&t=5797&start=0
hxxp://www.gourmet.com/forums/message.jspa?messageID=1481
hxxp://www.healthpharmarx.com/
hxxp://www.hollywood.com/Forums/Home.aspx?plckForumPage=ForumDiscussion&plckDiscussionId=Cat%3ACelebsForum%3A41Discussion%3Ac7c7096b-9895-497f-bb0d-a79fd53fc8f1
hxxp://www.homegrow.me/where-to-buy-mestinon-online-fast-worldwide-shipping-the-m-t504.html
hxxp://www.hunglay.com/webboard/index.php?action=printpage;topic=26.0
hxxp://www.hunglay.com/webboard/index.php?topic=26.0
hxxp://www.infotop.ro/forum/viewtopic.php?f=2&t=4
hxxp://www.inox.tarrea.cl/foro/index.php?showtopic=68&view=old
hxxp://www.ireallywantviagra.com/2009/11/cheap-kamagra-oral-jelly.html
hxxp://www.jamespot.com/a/188474-Buy-Kamagra-Online.html
hxxp://www.jobsstack.com/forum/index.php?action=printpage;topic=4405.0
hxxp://www.jomc.unc.edu/
hxxp://www.joomlatemplatesearcher.com/forum/index.php?action=printpage;topic=7362.0
hxxp://www.joomlatemplatesearcher.com/forum/index.php?topic=7362.msg%msg_id%
hxxp://www.kamagra.in/India-Kamagra.htm
hxxp://www.kamagra-online.co.uk/aurogratablets.asp
hxxp://www.kamagrastore.co.uk/
hxxp://www.kamagratop.com/
hxxp://www.led-tv-fernseher.de/forum/viewtopic.php?f=4&t=4
hxxp://www.makinem.net/forum/index.php?topic=952.0
hxxp://www.malerxpharmacy.com/product/sildenafil-kamagra.html
hxxp://www.minco.com/community/members/Dr+Levitra.aspx
hxxp://www.mister-wong.com/topics/buy+cheapest/
hxxp://www.mister-wong.com/topics/kamagra/
hxxp://www.mypage.com/viagralive/weblog
hxxp://www.nnenyy-cs.info/viewtopic.php?f=8&t=943
hxxp://www.oktmilya.ru/viewtopic.php?p=13782
hxxp://www.onlinemedicalstore.net/
hxxp://www.online-pharmacy-usa.com/men___s_health_drugs/buy_propecia_online
hxxp://www.oxygenoverkill.com/forum/viewtopic.php?f=2&t=4
hxxp://www.partyoffers.co.uk/forum/read.php?19,400,400
hxxp://www.pdsanlazzaro.it/forum/viewtopic.php?f=3&t=2878
hxxp://www.perlenhimmel.at/viewtopic.php?p=16661
hxxp://www.photoactions.co.uk/Discount-Kamagra.htm
hxxp://www.photoactions.co.uk/Jelly_Kamagra_Liquid.htm
hxxp://www.phtclub.be/viewtopic.php?f=8&t=253
hxxp://www.pills2go.com/
hxxp://www.pioneer-physicaltherapy.com/buy-generic-kamagra+soft-online.html
hxxp://www.portaldocuidador.com/forum/viewtopic.php?f=6&t=4212
hxxp://www.promiana-bg.com/forum/index.php?action=printpage;topic=3072.0
hxxp://www.promiana-bg.com/forum/index.php?topic=2777.0
hxxp://www.ps3planet.it/forum/viewtopic.php?f=4&t=10090
hxxp://www.pyzam.com/profile/3318196
hxxp://www.pyzam.com/profile/3318197
hxxp://www.realpharmacyrx.com/
hxxp://www.reasonfrontier.com/index.php?action=printpage;topic=2791.0
hxxp://www.redleafwands.com/ehsrp/index.php?action=printpage;topic=14534.0
hxxp://www.rfidtalk.com/showthread.php?p=18965
hxxp://www.rhettmiller.com/forum/viewtopic.php?f=3&t=1449
hxxp://www.rottentomatoes.com/vine/showthread.php?p=16465556
hxxp://www.rugbyveneto.org/phpbb//viewtopic.php?t=59630
hxxp://www.scribd.com/doc/23935277/Buy-Kamagra-Online-Without-Prescription-Best-Place-to-Buy-Kamagra
hxxp://www.scribd.com/doc/25069184/buy-Brand-Kamagra-oral-jelly-Sildenafil-citrate-100mg-online-without-prescription
hxxp://www.sharpmeds.com/
hxxp://www.simpy.com/user/mastsiagoel/tag/generic4all
hxxp://www.skaly.sk/viewtopic.php?f=6&t=3009
hxxp://www.skydsl.org/forum/viewtopic.php?p=12035&sid=594e5b80965d00e1ae83a04c1ee6eb5c
hxxp://www.skydsl.org/forum/viewtopic.php?t=5999&sid=2254d3872dbd467413cde299664fd2a8
hxxp://www.somalinet.com/forums/viewtopic.php?f=8&t=231252
hxxp://www.songstowearpantsto.com/forum/viewtopic.php?f=3&t=118055
hxxp://www.ssteve.nl/forum/viewtopic.php?f=2&t=105
hxxp://www.stalkerzone.de/forum/viewtopic.php?f=3&t=2568
hxxp://www.stalkerzone.de/forum/viewtopic.php?f=5&t=2642&p=22695
hxxp://www.surcentro.com/en/info/www.kamagrarx.com
hxxp://www.tebene.de/Members/Kamagra/buy-kamagra-online-paypal-payment
hxxp://www.thegeneric-viagra.net/
hxxp://www.thegreatpotdebate.com/forum/topic48.html?sid=ac9e1defb50abca2e1cff33a76d91bdb
hxxp://www.theviagrastore.com/kamagra-generic-store-1095.html
hxxp://www.thewealthacademy.co.uk/index.php?topic=1135.0
hxxp://www.tuneando.es/index.php?action=printpage;topic=1705.0
hxxp://www.tuneando.es/index.php?topic=1705.0
hxxp://www.vertifight.com/forum/viewtopic.php?f=3&p=63126
hxxp://www.vibeystars.nl/index.php?topic=35.0
hxxp://www.vinilkosmo-mp3.com/forum/index.php?topic=201.0
hxxp://www.wbahealth.com/product_brand_kamagra_soft_online.html
hxxp://www.wordcountbuddies.com/wcb_forum_test/viewtopic.php?f=4&p=286
hxxp://www.worstpreviews.com/forums/showthread.php?p=42881
hxxp://www.xlpharmacy.com/ed-jelly/
hxxp://www.xlpharmacy.com/Kamagra/
hxxp://www.xmaspharmacy.com/kamagra-oral-jelly-100mg-p-59.html
hxxp://www.xmaspharmacy.com/resource/index.html
hxxp://www.your-best-drugstore.com/
hxxp://www.zeroegg.cn/viewtopic.php?f=4&t=10674

UPDATE: On 3/9/2010, hxxp://runbetterpoker.com/viewtopic.php?f=4&t=887 was removed from the list at the owner’s request. Software used to run the forum whose vulnerability led to the recent abuse has been removed.

At StopTheHacker.com (Jaal LLC) we have conducted tests of 721 URLs, all of which have been reported as malicious by volunteers of various blacklists. We follow a similar format for presentation of results as in the last post.

Website Reputation services: agree to disagree.

Note: All 721 domains/URLs, were reported as malicious, and were collected from malware.com.br on January 14, 2010. The blue column (maximum 100) indicates the percentage of sites that the website-reputation service correctly identified as unsafe. The orange column (maximum 100) indicates the percentage of sites that the website-reputation services incorrectly identified as safe.

The aim of the test:

1. Identify the accuracy of the website reputation service
2. Identify the overlap in terms of safe/unsafe websites

We present the most interesting results in this article. First we detail the parameters of the testing procedure to provide an idea of how the test was set up.

First, 721 URLs were collected from malware.com.br (mbr) on January 14, 2010. These URLs are reported for listing by one or more of the following: individuals, organizations, agencies and software products or services.  For the purposes of this test we assume that all the URLs obtained from the “regular” list on mbr are malicious and hence deemed “unsafe” to visit.

We compare the reputation provided by each website-reputation service and observe how many websites are marked unsafe, safe, untested, maybe-unsafe/caution/potentially-unsafe, and unreachable.

Website-reputation services tested:

• McAfee SiteAdvisor
• Norton Safe Web
• Google Safe Browsing
• Microsoft Bing
• Comodo SiteInspector

Note, that when analyzing a domainname/URL, for checking with the Google safebrowsing API, we have calculated the MD5 hash of the website name to match with the malware hash list. The date that we conducted this test was: January 15, 2010. The list of domain names tested are presented below and a graph representing the statistics for the 721 sites tested is above.

We identify the most interesting results below:

1. McAfee SiteAdvisor marked 36.75% of domains as Unsafe, 27.18% as Safe, 32.32% as Untested and 3.74% as Potentially-Unsafe.
2. Norton Safe Web marked 41.75% of domains as Unsafe, 45.49% as Safe, 4.3% as Untested and 8.32% as Potentially-Unsafe.
3. Google Safe Browsing marked 5.96% of domains as Unsafe, 94.04% as Safe.
   Note: The presence of the hash of the domain name  being tested, on the google malware hash list, is interpreted as “unsafe” while the absence is interpreted as “safe.”
4. Microsoft Bing marked 0.69% of domains as Unsafe, 34.26% as Safe, and 65.05% as Untested
5. Comodo SiteInspector marked 0.19% of domains as Unsafe, 95.82% as Safe, and 4.08% as Unreachable.

This follow-up experiment also shows that the variance between website reputation services that are currently being offered by large Internet-services/security companies continues to be very large indeed.

After discussions with representatives of the companies mentioned in this article, and getting a better idea of their behind the scenes methodologies. It seems that these website reputation services will continue to “agree to disagree.” We welcome their comments.

A note on differences between website reputation services:

Some of the services scan pages and some scan parts of a site. Some scan for potential “signs” of an infection, while others scan for the “postmortem” effect of an infection, such as an exploit being launched. Furthermore, the time difference between one of the services testing a web page or site versus when another one tests the same web page can also complicate issues. At StopTheHacker.com we recognize the current limitations of website reputation services that being offered by the industry.

In conclusion, while website reputation services have come a long way, they still have an even longer path to tread in order to become something that users should trust implicitly.

In recent months, the trend of benign websites being affected by code injection clearly show that attacks to inject malware into unsuspecting websites is on the rise. It is important to understand the profile of the ASes which are actually providing transit to infected websites hosted within their systems. Since each AS provides bandwidth and resources supporting the downloading of malware to computers which belong to unsuspecting visitors of a compromised website. ASes, more specifically hosting companies and other network operators (rather than ASes) should play a pivotal role in addressing compromised websites.

At StopTheHacker.com, we have conducted extensive experiments to analyze and profile over 20,000 ASes to identify which ASes are the worst offenders in terms of hosting Blacklisted websites.  We have used Google safebrowsing data, also accessible via StopBadware.org, (which sources data from Google and Sunbelt)to identify and trend which ASes are responsible for the proliferation of badware on the Internet. We have correlated AS size with data available from CAIDA to determine whether larger ASes are more at fault or not.

We present some brief results below:

1. The average percentage of blacklisted websites in
   • Top 10 ASes (according to number of sites noted by Google) is 3.5%
   • ASes with Ranks 11-23 (according to number of sites noted by Google) is 3.75%
   • ASes with Ranks 24-40 (according to number of sites noted by Google) is 5.01%
2. The AS with the highest percentage of blacklisted sites, is AS 16557 (Colo Solutions, Inc.), with close to 60% of 10,000 sites blacklisted.
3. The Top 50 ASes, which host more than 10,000 sites each and have at least 6% of websites blacklisted, host 151,000 blacklisted sites, combined.

Interesting observations:

1. AS 16557 (Colo Solutions, Inc.), is well known for popping up on blacklists related to peer-to-peer networks [Is someone tracking P2P users]. It seems that this AS, which is not really concerned about P2P traffic emanating from within its systems, traffic which is potentially used to exchange copyrighted material, is also not interested in paying attention to malware infected websites hosted within its networks.
2. AS 15169 (Google Inc.), had 590734 sites analyzed and 6046 of them were found to contain malware.
3. AS 14173 (Photobucket), had zero sites infected out of 399424 sites analyzed.
4. The Largest AS (Level 3 Communications) according to connection degree, see CAIDA’s AS listing, was hosting 571 infected sites out of 136305 sites analyzed by Google.
5. AS 7018 (AT&T), was hosting 97 infected sites out of 7947 sites analyzed by Google.
6. AS 701 (Verizon), was hosting 117 infected sites out of 7248 sites analyzed by Google.
7. AS 1239 (Sprint), was hosting 117 infected sites out of 3958 sites analyzed by Google.

Making Sense of the Results

Below we present some graphs to highlight the percentage of blacklisted websites hosted by the top few ASes. Note that all AS rankings below are based on the number of websites analyzed by Google. An AS with rank 1 hosts more websites, analyzed by Google than an AS with rank 2.

Nearly 50 ASes host at least 600 blacklisted sites each

Top 10 ASes host lage percentages of blacklisted sites

ASes hosting more than 10,000 sites (each having more than 6% infected sites)

Below follows the list of ASes, which host more than 10,000 sites each. Of those, at least 6% (600) are blacklisted by Google. Perhaps more attention needs to be focused on fighting malware from within these ASes. There are quite a few prominent web-hosting companies in this list. Note that all ASes below are ranked based on the number of websites analyzed by Google. An AS which appears earlier in the list hosts more websites, analyzed by Google than an AS which appears later on in the list.

ASN             Name
21844           ThePlanet.com Internet Services, Inc.
4837            CNC
11798           Bluehost Inc. US
4812            CABLENETSWISS-HITTNAU Cablenetswiss	CH
26347           New Dream Network, LLC	US
29629           INETWORK-AS IEUROP AS	FR
32244           Liquid Web, Inc.	US
16265           LEASEWEB LEASEWEB AS	NL
3786            LGDACOM LG DACOM Corporation	KR
3595            Global Net Access, LLC	US
32392           Ecommerce Corporation	US
32613           iWeb Technologies Inc.	CA
4847            CNIX
33182           HostDime.com, Inc.	US
21788           Network Operations Center Inc.	US
38356           TIMENET BeiJing Sincerity-times Network Technology Project Ltd.	CN
15244           Lunar Pages	US
25074           INETBONE-AS INET-People Provider Services	DE
25532           MASTERHOST-AS .masterhost autonomous system	RU
30496           Colo4Dallas LP	US
12824           HOMEPL-AS home.pl autonomous system	PL
9929            CNCNET-CN China Netcom Corp.	CN
28753           NETDIRECT AS NETDIRECT Frankfurt, DE
11388           Peer 1 Dedicated Hosting	US
9121            TTNET TTnet Autonomous System	TR
13237           LAMBDANET-AS European Backbone of LambdaNet	EU
9931            CAT-AP The Communication Authoity of Thailand, CAT	TH
46475           Limestone Networks, Inc.	US
29671           SERVAGE Servage GmbH	DE
15685           Casablanca INT Autonomous system	CZ
39392           SUPERNETWORK-AS SuperNetwork s.r.o.	CZ
8342            RTCOMM-AS RTComm.RU Autonomous System	RU
34104           TELETEK-AS TELETEK TELEKOMINIKASYON HIZMETLERI A.S	TR
42910           SADECEHOSTING-COM Sadecehosting-Com	TR
8358            INTERWARE-AS InterWare Autonomus System	HU
25653           FortressITX	US
26277           A+ Hosting, Inc.	US
12363           DADA-AS DADA S.p.a.	IT
23352           Server Central Network	US
17964           DXTNET Beijing Dian-Xin-Tong Network Technologies Co., Ltd.	CN
24400           CMNET-V4SHANGHAI-AS-AP Shanghai Mobile Communications Co.,Ltd.	CN
30176           Priority Colo	CA
4750            CSLOXINFO-ISP-AS-AP CSLOXINFO Public Company Limited.	TH
32181           GigeNET	US
27823           Dattatec.com	AR
16557           Colo Solutions, Inc.	US
5617            TPNET Polish Telecom's commercial IP network	PL
39561           AGAVA Agava JSC AS number	RU
19318           NEW JERSEY INTERNATIONAL INTERNET EXCHANGE LLC	US
9848            GNGAS Enterprise Networks	KR

Website-reputation services vary wildly in their opinions.

Note that all 350 domains, were reported as malicious, and were collected from malware.com.br on December 18, 2009. The blue column (maximum 350) indicates the number of sites that the website-reputation service correctly identified reported bad sites. The orange column (maximum 350) indicates the number of sites that the website-reputation services incorrectly identified reported malicious sites as safe.

Website reputation services have been around for nearly 5-7 years now. Initially developing as a niche product line which could serve to provide an opinion of a site’s reputation to full fledged offerings which provide advisories about websites, whether they are distributing malware, and if they are, what kind, and using which Autonomous Systems.

At StopTheHacker.com (Jaal LLC) we have conducted tests with 350 domain names, all of which have been reported as malicious by volunteers of various blacklists.

The aim of the test is to:

1. Identify how accurate the website reputation services are
2. What is the overlap in terms of safe/unsafe websites

We have found some interesting results which we present in this article. First we detail the parameters of the testing procedure to provide an idea of how the test was set up.

350 URLs were collected from malware.com.br (mbr) on December 18, 2009. These URLs are reported to this website for listing by one or more of the following: individuals, organizations, agencies and software products or services.  We assume for the purposes of this test that all the URLs obtained from the “regular” list from mbr are malicious and hence deemed “unsafe” to visit.

We compare the reputation provided by each website-reputation service and observe how many websites are marked as unsafe, safe, untested, maybe-unsafe/caution/potentially-unsafe, unreachable.

• McAfee Siteadvisor
• Norton Safeweb
• Google SafeBrowsing
• Comodo Siteinspector

Note, that when analyzing a domain name, for checking with the Google safebrowsing API, we have had to calculate the MD5 hashes of the website names to match with the malware hash list. The date that we conducted this test was: December 21, 2009. The list of domain names tested are presented below and a graph representing the statistics for the first 350 sites tested is above.

We have identified some of the most interesting results below:

1. McAfee Siteadvisor marked 32.5% of Domains as Unsafe, 22% as Safe, 43% as Untested and 1.7% as Potentially-unsafe.
2. Norton Safeweb marked 50.86% of Domains as Unsafe, 43.71% as Safe, 2.29% as Untested and 3.14% as Potentially-unsafe.
3. Google SafeBrowsing marked 10.86% of Domains as Unsafe, 89.14% as Safe. Note: the presence of the hash of the domain name  being tested, on the google malware hash list, is interpreted as “unsafe” while the absence in interpreted as “safe”.
4. Comodo Siteinspector marked 0.29% of Domains as Unsafe, 98.86% as Safe and 0.86% as Unreachable. Note: after feedback from Comodo, a retest was conducted, accuracy changed from 0.29% -> 1.2%.

This limited test is a first step towards showing how much variance there is website reputation services that are currently being offered by large Internet-services/security companies. To highlight this point we present immediately below the relatively few domains (~6% of the total domains tested) that were marked as bad by all three major services, Norton, McAfee, and Google.

In brief:

• 6% of domains tested were marked as “unsafe” by all 3, McAfee, Norton and Google
• 10% of domains tested were marked as “unsafe” by Norton and Google
• 22% of domains tested were marked as “unsafe” by Norton and McAfee
• 5.7% of domains tested were marked as “unsafe” by Google and McAfee

Update: December 28, 2009

After receiving helpful feedback from representatives at Comodo, we were informed that Comodo’s service could provide more accurate answers if complete web page locations were checked instead of just the domain name. We followed the advice and saw a definite increase in Comodo’s accuracy. Comodo marked 1.2% of the website/pages as malicious. Prior to this re-test, the same service marked 0.2% of the websites as unsafe. The graph at the beginning of this article does not represent the results of this re-test.

Below we list the websites from which we extract the statistics above

Websites marked as “unsafe” by Norton, McAfee and Google

219.148.34.10
219.148.34.9
4gameranking.com
77.245.61.232
aiongamemeca.com
durantilumi1cao.com.br
golary.cn
hagnuor.cn
igivor.cn
igoudix.cn
igouhxe.cn
ihaegup.cn
ihaerxi.cn
ihagoin.cn
ihoekag.cn
ihouvi.cn
ihuere.cn
ihuqoyr.cn
ijaheuw.cn
ikyigy.cn
iloefe.cn

Websites marked as “unsafe” by Google and Norton

212.99.87.130
219.148.34.10
219.148.34.9
4gameranking.com
61.164.108.213
77.245.61.232
aimeblog.com
aiongamemeca.com
bhactuant.com
durantilumi1cao.com.br
findreaso1ble.org
for23.3322.org
golary.cn
gyfvuxe.cn
hagnuor.cn
ifueme.cn
igivor.cn
igoudix.cn
igouhxe.cn
iguyzmo.cn
ihaegup.cn
ihaerxi.cn
ihagoin.cn
ihoekag.cn
ihogedi.cn
ihouvi.cn
ihuere.cn
ihuqoyr.cn
ijaheuw.cn
ijakony.cn
ijazofy.cn
ijeife.cn
ijelodi.cn
ikyigy.cn
iloefe.cn

Websites marked as “unsafe” by McAfee and Google

219.148.34.10
219.148.34.9
4gameranking.com
77.245.61.232
aiongamemeca.com
durantilumi1cao.com.br
emes.com.br
golary.cn
hagnuor.cn
igivor.cn
igoudix.cn
igouhxe.cn
ihaegup.cn
ihaerxi.cn
ihagoin.cn
ihoekag.cn
ihouvi.cn
ihuere.cn
ihuqoyr.cn
ijaheuw.cn
ikyigy.cn
iloefe.cn

Websites marked as “unsafe” by McAfee and Norton

163.fuckunion.com
206.161.127.72
208.75.230.43
209.205.196.16
218.93.205.250
219.148.34.10
219.148.34.9
4gameranking.com
61.235.117.72
70.148.212.252
77.245.61.232
82.98.235.173
85.92.157.141
91.213.126.100
97feihu.com
adobeflashupdates.com
adwareprotectionsite.com
aiongamemeca.com
amforum.lua.pl
antivirus-live.com
artistinove.it
centralspa.ca
comerciocentral.net
densmail.com
diadoamigo0.myartsonline.com
dimorphothec.com
dl.get-torrent.com
dl.targetsaver.com
dudi11.off.co.il
durantilumi1cao.com.br
ebestsite.co.kr
elogios0.myartsonline.com
exeype.cn
fuck-celebrities-movie.com
gclass.it
generalantivirus.com
ghterwa.com
gokzed.cn
golary.cn
google.netcdn.com
gorazyn.cn
hagnuor.cn
hahdyti.cn
hgtr3.com
hiqtacy.cn
hjyuw2.com
icepot.cn
idoafy.cn
idoape.cn
igafep.cn
igakuot.cn
igeuvat.cn
igivor.cn
igoudix.cn
igouhxe.cn
igycoat.cn
ihaegup.cn
ihaerxi.cn
ihagoin.cn
ihoekag.cn
ihouvi.cn
ihuere.cn
ihuqoyr.cn
ijaheuw.cn
ijepiyq.cn
ijesiam.cn
ijobuaw.cn
ijuebka.cn
ikoiwe.cn
ikorate.cn
ikuaxge.cn
ikyadeh.cn
ikyigy.cn
ileufby.cn
ilixyeq.cn
ilodux.cn
iloefe.cn
iluefot.cn
i1gyve.cn

Interestingly, Comodo’s service marked only 1 website, 218.146.255.156 as malicious. This domain was also marked malicious by Norton, “Untested” by McAfee and was not found on the Google malware hash list. Below follows the complete list of domains that were tested.

Complete list of domains tested

001.bbexe.cn
113.105.175.138
114.207.112.169
119.147.114.163
12.10.157.6
12.24.238.229
12.25.151.68
121.12.127.230
121.205.91.142
121.205.91.145
123.244.30.118
123.244.30.66
123.bbexe.cn
147.163.1.77
148.208.196.2
163.fuckunion.com
174.36.233.59
192.220.110.228
193.104.27.139
193.169.234.27
200.111.155.122
200.242.43.250
200.63.5.78
200.67.103.187
200.69.124.17
202.105.183.104
202.114.181.5
204.12.43.43
204.232.131.12
206.161.127.72
208.75.230.43
209.131.200.246
209.172.35.144
209.205.196.16
209.43.123.143
210.166.220.240
210.206.8.254
210.51.166.217
211.39.130.196
211.78.87.42
212.31.234.155
212.63.132.215
212.88.178.22
212.97.63.156
212.99.87.130
216.24.165.4
216.240.148.175
217.116.46.139
218.146.255.156
218.16.120.253
218.188.0.5
218.6.15.135
218.63.200.196
218.86.118.98
218.93.202.115
218.93.205.250
219.146.128.242
219.146.128.245
219.148.34.10
219.148.34.9
220.90.213.158
220.95.232.28
221.1.204.243
221.143.43.200
222.66.209.98
222.76.243.53
24.1188d.cn
24.65.70.52
3.1188d.cn
3310.net.cn
38.99.91.47
3s.8i9i.com
46.1188d.cn
46.3388a.cn
4gameranking.com
5.1188d.cn
53.1188d.cn
58.147.27.69
58.215.79.176
6.1188d.cn
60.191.39.6
61.108.173.3
61.110.21.192
61.164.108.213
61.235.117.72
62.193.229.83
64.160.216.20
65.109.240.130
65.183.178.92
66.116.229.233
66.152.93.119
66.220.17.157
66.45.235.228
67.19.9.234
67.43.224.77
68.153.57.9
70.148.212.252
72.10.166.195
72.20.6.106
72.237.212.57
72.35.84.6
72.64.146.16
731273265.520815.com
76.162.68.70
76.73.42.43
77.245.61.232
77.92.158.122
78.159.127.254
78.46.151.179
80.153.182.80
81.223.40.244
81.252.31.148
82.114.87.46
82.98.235.173
83.103.59.84
83.206.113.161
83.240.174.136
83.245.62.87
84.20.251.223
85.17.136.139
85.25.81.140
85.92.157.141
91.207.7.116
91.213.126.100
93.174.95.140
95.211.98.136
97feihu.com
98.126.34.250
a.amg777.com
a1964.g.akamai.net
absi2008.netfirms.com
acripino7878.110mb.com
admin.bbexe.cn
adobeflashupdates.com
adwareprotectionsite.com
aha-autoimage.com
aimeblog.com
aiongamemeca.com
album.pagi1s.sapo.pt
alison.wz.cz
alkeichah.com
amforum.lua.pl
amoravela.com.sapo.pt
antivirus-live.com
antivirusadvanced.com
arathas.de
arcade.ya.com
arkbroadcasters.org
artdeli.co.kr
artistinove.it
atencaousuario.webcindario.com
atualizaca-juridica.sitesled.com
ausamedia.berepublic.com
avr-download.com
b.amg777.com
backstaroup.home.sapo.pt
bb.bbexe.cn
bbs.pxtang.cn
bcfpb.com
bchokies.com
bdesata.com
belezademulher.org
best-sale.us
bevaccine.com
bgcomstock.com
bhactuant.com
blog20fc2.com
blogaofotos8.com.sapo.pt
blogfotos2008.com.sapo.pt
blogpesoalpessoal.com.sapo.pt
bmz.horizon.net.pl
brasilterra.com.sapo.pt
c.amg777.com
caixa-cefinstall.sitesled.com
caixaeconomica-gov.sitesled.com
cancelamentt0.googlepages.com
carbys.no.sapo.pt
card2009.com.sapo.pt
cardamorhtml.no.sapo.pt
cardpaixao.esmartdesign.com
cartao8578.com.sapo.pt
cartaoamizade000.com.sapo.pt
cartaoespecial9.com.sapo.pt
cartaovirtual2006.no.sapo.pt
cartoesnovos.250x.com
cartoesuol.com.sapo.pt
cartoeswebapaxo1do.no.sapo.pt
casasbahia.com.sapo.pt
cau.ac.kr
centralspa.ca
chaiyapruekpethospital.com
chamadavideo-1.my3gb.com
chi1oilfactory.cn
chinesefreewebs.com
ciduninstall.com
cinema-film-4you.ru
club.telepolis.com
comerciocentral.net
comunidade777.110mb.com
config.koreamessenger.com
correiosweb.com.sapo.pt
cprzafra.juntaextremadura.net
d.amg777.com
d.kkkmfdy.com
d4.kkkmfdy.com
damnkt.logi1pp.com
db.ms.kr
denizlisurucukursu.com.tr
densmail.com
diadoamigo0.myartsonline.com
dimorphothec.com
di1r-cs.real-host.ru
dindindopv.bravehost.com
ditto.arpa.org
dl.get-torrent.com
dl.qvodir.cn
dl.targetsaver.com
dl.woyo8g.com
dl02.softdown-load.com.cn
dollardream.ru
donghae.ms.kr
dorota288.w8w.pl
down.1vysoft.org
down.woyo8g.com
down.yellowsoft.org
download.gameztar.com
download.iobit.com
download.leeboo.com
download.softpedia.com
downlopaginvisualiz.com.sapo.pt
dtvprosoft.hotbox.ru
dudi11.off.co.il
durantilumi1cao.com.br
dw.idchecker.co.kr
dx.woyo8g.com
e-airkoryo.com
e.amg777.com
ebestsite.co.kr
edirrelojoeiro.com.br
elogios0.myartsonline.com
emes.com.br
empresarial0001.pisem.su
energy-sol.com
exeype.cn
extex-events.ru
f-forge.com
fhblack.com
fideizm.ru
fileanchor.com
findreaso1ble.org
flashplaginsmirror.com
flashplayer.home.sapo.pt
fondbaybakova.ru
for23.3322.org
forrodotchaka.com.br
forum.factor8guild.com
fotoalbumbr.flog.br
fotoemsg.110mb.com
fotosbalada10x.fileave.com
fotoslinks439856.com.sapo.pt
franciszkankiswklary.ofm.pl
freefilehosting.net
freeweb.siol.net
fuck-celebrities-movie.com
galeon.com
gclass.it
generalantivirus.com
ghterwa.com
gizemguvenfa1tikleri.googlepages.com
glla.net
gokzed.cn
golary.cn
goldeninka.ii1a.net
google.netcdn.com
gorazyn.cn
govsaude.110mb.com
grwww.info
gtpq.info
gtz-legalproject.az
gyfsanimados2009.com.sapo.pt
gyfvuxe.cn
gymarqe.cn
hagnuor.cn
hahdyti.cn
haimadhav.googlepages.com
hakaymobilya.com
hgtr3.com
hiqtacy.cn
hjwx3.com
hjyuw2.com
hohu.spacequadrat.de
homecards11.no.sapo.pt
hosting.free2w.com
hotmailtorpedos2008.com.sapo.pt
humano.ya.com
icepot.cn
idfc2.info
idoafy.cn
idoape.cn
ies.bbexe.cn
ifueme.cn
ifypeod.cn
igafep.cn
igakuot.cn
igayzde.cn
igeuvat.cn
igivor.cn
igoudix.cn
igouhxe.cn
iguyzmo.cn
igycoat.cn
ihaegup.cn
ihaerxi.cn
ihagoin.cn
ihoekag.cn
ihogedi.cn
ihouvi.cn
ihuere.cn
ihuqoyr.cn
ijaheuw.cn
ijakony.cn
ijazofy.cn
ijeife.cn
ijelodi.cn
ijepiyq.cn
ijesiam.cn
ijobuaw.cn
ijuebka.cn
ijyadpi.cn
ijyoxri.cn
ikayvo.cn
ikeuqe.cn
ikeysi.cn
ikioda.cn
ikoiwe.cn
ikorate.cn
ikuaxge.cn
ikyadeh.cn
ikyigy.cn
ildapadilha.110mb.com
ileufby.cn
ilipyw.cn
ilixyeq.cn
ilodux.cn
iloefe.cn
iluefot.cn
img242.imageshack.us
img503.imageshack.us
img522.imageshack.us
i1gyve.cn