rogue_one 0.1.3 → 0.4.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 50bc52be2dec2e0e5c7daf51af82117041d99a1925dc6709ee45c9bfe14feac1
-  data.tar.gz: 0f08a6005109c20fe4e48b8fbff97375813d4eff7f75259648e8b74614ce1b99
+  metadata.gz: a66b70adea810f6e952e08294a0323dc2be06c23d7ccbc28739045829696aae5
+  data.tar.gz: 5d41ff1fa13254071aecef1cbf70168d818a963207922be4d44f134d9bb42f0d
 SHA512:
-  metadata.gz: 40cda8348091166aa7dd06518596f9f2da42673a28563a91515505f76a851ecda89addb9bf3463f7a4b3732bffcbff991913ee0108e304712fcc06351ea57c46
-  data.tar.gz: 9c0f43f946d9f5559e5711d557466fea2b41adc706dfa8897e693a01b5327e04e3b5470e123e56a69b266a8bdf396dc8eb680429017a139f23775d7ad184db6d
+  metadata.gz: c08f2049c42ac79a9a0256ae2f99761748660fa3bd1981f680196540e4525db9b4e8dbba54264d35cc2b7b5773b96441886a0a7acb4900e1626cd42c34089304
+  data.tar.gz: a4cffb3b9d5c92f90ac267201417c459b334d38aa82a0631a43c7db15552bed00d11cc9f37291904f48bfad08c33f4bc7d051bf3946acf4c35fcdc9a7e927567

data/.travis.yml

@@ -4,4 +4,5 @@ language: ruby
 cache: bundler
 rvm:
   - 2.6
-before_install: gem install bundler -v 2.0.1
+  - 2.7
+before_install: gem install bundler -v 2.1

data/README.md

@@ -1,9 +1,25 @@
-# Rogue one: a rogue DNS detector
+# Rogue one
 
 [![Gem Version](https://badge.fury.io/rb/rogue_one.svg)](https://badge.fury.io/rb/rogue_one)
-[![Build Status](https://travis-ci.org/ninoseki/rogue_one.svg?branch=master)](https://travis-ci.org/ninoseki/rogue_one)
+[![Build Status](https://travis-ci.com/ninoseki/rogue_one.svg?branch=master)](https://travis-ci.com/ninoseki/rogue_one)
+[![CodeFactor](https://www.codefactor.io/repository/github/ninoseki/rogue_one/badge)](https://www.codefactor.io/repository/github/ninoseki/rogue_one)
 [![Coverage Status](https://coveralls.io/repos/github/ninoseki/rogue_one/badge.svg?branch=master)](https://coveralls.io/github/ninoseki/rogue_one?branch=master)
 
+A PoC tool for analyzing a rogue DNS server.
+
+This tool could be used for checking maliciousness of a DNS server and extracting landing pages.
+
+## How it works
+
+![image](./images/eyecatch.png)
+
+IPv4 space is vast. But an attacker could secure a few numbers of IP addresses for landing pages.
+It means you can (probably) find malicious landing pages by using the following methods.
+
+- Resolving a bunch of domains by using a DNS server.
+- Finding frequent IPv4s from the resolutions. They might be landing pages.
+- If a DNS server has landing pages, it might be a rogue one.
+
 ## Installation
 
 ```bash
@@ -18,6 +34,21 @@ Commands:
   rogue_one help [COMMAND]       # Describe available commands or one specific command
   rogue_one report [DNS_SERVER]  # Show a report of a given DNS server
 
+$ rogue_one help report
+Usage:
+  rogue_one report [DNS_SERVER]
+
+Options:
+  [--default-list=DEFAULT_LIST]  # A default list of top 100 domains (Alexa or Fortune)
+                                 # Default: alexa
+  [--custom-list=CUSTOM_LIST]    # A path to a custom list of domains
+  [--threshold=N]                # Threshold value for determining malicious or not
+  [--verbose], [--no-verbose]
+
+Show a report of a given DNS server
+
+Show a report of a given DNS server
+
 $ rogue_one report 1.1.1.1
 {
   "verdict": "benign one",
@@ -35,12 +66,23 @@ $ rogue_one report 1.53.252.215
     "61.230.102.66"
   ]
 }
+
+$ rogue_one report 171.244.3.111 --custom-list tmp/roaming.yml
+{
+  "verdict": "rogue one",
+  "landing_pages": [
+    "154.223.53.53",
+    "58.82.243.9"
+  ]
+}
+# Note: a custom list should be an array of domains in YAML format.
 ```
 
-| Key           | Desc.                                            |
-|---------------|--------------------------------------------------|
-| verdict       | A detection result (`rogue one` or `benign one`) |
-| landing_pages | An array of IP of landing pages                  |
+| Key           | Desc.                                                                    |
+|---------------|--------------------------------------------------------------------------|
+| verdict       | A detection result (`rogue one` or `benign one`)                         |
+| landing_pages | An array of IP of landing pages                                          |
+| results       | DNS resolution results (only available if --verbose option is specified) |
 
 ## Notes
 

data/lib/rogue_one.rb

@@ -2,8 +2,11 @@
 
 require "rogue_one/version"
 
+require "rogue_one/domain_list"
+
 require "rogue_one/resolver"
 require "rogue_one/detector"
+require "rogue_one/ping"
 require "rogue_one/cli"
 
 module RogueOne

data/lib/rogue_one/cli.rb

@@ -6,9 +6,19 @@ require "json"
 module RogueOne
   class CLI < Thor
     desc "report [DNS_SERVER]", "Show a report of a given DNS server"
+    method_option :default_list, type: :string, default: "alexa", desc: "A default list of top 100 domains (Alexa or Fortune)"
+    method_option :custom_list, type: :string, desc: "A path to a custom list of domains"
+    method_option :threshold, type: :numeric, desc: "Threshold value for determining malicious or not"
+    method_option :verbose, type: :boolean
     def report(dns_server)
       with_error_handling do
-        detector = Detector.new(target: dns_server)
+        Ping.pong? dns_server
+
+        default_list = options["default_list"].downcase
+        custom_list = options["custom_list"]
+        threshold = options["threshold"]
+        verbose = options["verbose"]
+        detector = Detector.new(target: dns_server, default_list: default_list, custom_list: custom_list, threshold: threshold, verbose: verbose)
         puts JSON.pretty_generate(detector.report)
       end
     end
@@ -17,7 +27,8 @@ module RogueOne
       def with_error_handling
         yield
       rescue StandardError => e
-        puts "Warning: #{e}"
+        message = { error: e.to_s }
+        puts JSON.pretty_generate(message)
       end
     end
   end

data/lib/rogue_one/data/alexa_100.yml

@@ -0,0 +1,101 @@
+---
+- google.com
+- youtube.com
+- tmall.com
+- baidu.com
+- qq.com
+- sohu.com
+- facebook.com
+- login.tmall.com
+- wikipedia.org
+- taobao.com
+- yahoo.com
+- jd.com
+- 360.cn
+- amazon.com
+- sina.com.cn
+- weibo.com
+- pages.tmall.com
+- reddit.com
+- live.com
+- vk.com
+- okezone.com
+- netflix.com
+- blogspot.com
+- office.com
+- csdn.net
+- alipay.com
+- xinhuanet.com
+- stackoverflow.com
+- yahoo.co.jp
+- instagram.com
+- google.com.hk
+- aliexpress.com
+- microsoft.com
+- babytree.com
+- naver.com
+- twitter.com
+- bing.com
+- livejasmin.com
+- amazon.co.jp
+- tribunnews.com
+- ebay.com
+- salesforce.com
+- twitch.tv
+- google.co.in
+- force.com
+- microsoftonline.com
+- apple.com
+- tianya.cn
+- adobe.com
+- pornhub.com
+- msn.com
+- zhanqi.tv
+- dropbox.com
+- linkedin.com
+- yandex.ru
+- wordpress.com
+- myshopify.com
+- amazon.in
+- mail.ru
+- panda.tv
+- imdb.com
+- caijing.com.cn
+- china.com.cn
+- mama.cn
+- amazonaws.com
+- google.com.br
+- trello.com
+- bongacams.com
+- google.de
+- medium.com
+- google.co.jp
+- soso.com
+- booking.com
+- w3schools.com
+- amazon.co.uk
+- spotify.com
+- amazon.de
+- rednet.cn
+- bbc.com
+- detail.tmall.com
+- xvideos.com
+- espn.com
+- detik.com
+- github.com
+- cnn.com
+- instructure.com
+- ok.ru
+- indeed.com
+- yy.com
+- tumblr.com
+- huanqiu.com
+- stackexchange.com
+- nytimes.com
+- imgur.com
+- soundcloud.com
+- whatsapp.com
+- rakuten.co.jp
+- nih.gov
+- sogou.com
+- google.cn

data/lib/rogue_one/data/fortune_100.yml

@@ -0,0 +1,101 @@
+---
+- walmart.com
+- exxonmobil.com
+- berkshirehathaway.com
+- apple.com
+- unitedhealthgroup.com
+- mckesson.com
+- cvshealth.com
+- amazon.com
+- att.com
+- gm.com
+- ford.com
+- amerisourcebergen.com
+- chevron.com
+- cardinalhealth.com
+- costco.com
+- verizon.com
+- kroger.com
+- ge.com
+- walgreensbootsalliance.com
+- jpmorganchase.com
+- fanniemae.com
+- abc.xyz
+- homedepot.com
+- bankofamerica.com
+- express-scripts.com
+- wellsfargo.com
+- boeing.com
+- phillips66.com
+- antheminc.com
+- microsoft.com
+- valero.com
+- citigroup.com
+- comcastcorporation.com
+- ibm.com
+- delltechnologies.com
+- statefarm.com
+- jnj.com
+- freddiemac.com
+- target.com
+- lowes.com
+- marathonpetroleum.com
+- pg.com
+- metlife.com
+- ups.com
+- pepsico.com
+- intel.com
+- dow-dupont.com
+- adm.com
+- aetna.com
+- fedex.com
+- utc.com
+- prudential.com
+- albertsons.com
+- sysco.com
+- disney.com
+- humana.com
+- pfizer.com
+- hp.com
+- lockheedmartin.com
+- aig.com
+- centene.com
+- cisco.com
+- hcahealthcare.com
+- energytransfer.com
+- caterpillar.com
+- nationwide.com
+- morganstanley.com
+- libertymutual.com
+- newyorklife.com
+- gs.com
+- aa.com
+- bestbuy.com
+- cigna.com
+- charter.com
+- delta.com
+- facebook.com
+- honeywell.com
+- merck.com
+- allstate.com
+- tysonfoods.com
+- united.com
+- oracle.com
+- techdata.com
+- tiaa.org
+- tjx.com
+- americanexpress.com
+- coca-colacompany.com
+- publix.com
+- nike.com
+- andeavor.com
+- wfscorp.com
+- exeloncorp.com
+- massmutual.com
+- riteaid.com
+- conocophillips.com
+- chsinc.com
+- 3m.com
+- timewarner.com
+- generaldynamics.com
+- usaa.com

data/lib/rogue_one/detector.rb

@@ -1,23 +1,45 @@
 # frozen_string_literal: true
 
+require "async"
+require "async/barrier"
+require "async/dns"
+require "async/reactor"
+require "async/semaphore"
+require "resolv"
 require "yaml"
-require "parallel"
+require "etc"
 
 module RogueOne
   class Detector
     attr_reader :target
+    attr_reader :default_list
+    attr_reader :custom_list
+    attr_reader :verbose
+    attr_reader :max_concurrency
 
     GOOGLE_PUBLIC_DNS = "8.8.8.8"
 
-    def initialize(target:)
+    def initialize(target:, default_list: "alexa", custom_list: nil, threshold: nil, verbose: false)
       @target = target
+      @default_list = default_list
+      @custom_list = custom_list
+      @threshold = threshold
+      @verbose = verbose
+
+      @max_concurrency = Etc.nprocessors * 2
       @memo = {}
+      @verbose_memo = nil
     end
 
     def report
       inspect
 
-      { verdict: verdict, landing_pages: landing_pages }
+      {
+        verdict: verdict,
+        landing_pages: landing_pages,
+        results: results,
+        meta: meta
+      }.compact
     end
 
     private
@@ -30,35 +52,110 @@ module RogueOne
       !landing_pages.empty?
     end
 
+    def threshold
+      @threshold ||= (domains.length.to_f / 10.0).ceil
+    end
+
+    def meta
+      return nil unless verbose
+
+      { threshold: threshold }
+    end
+
     def landing_pages
       @memo.map do |ip, count|
-        count > 10 ? ip : nil
+        count > threshold ? ip : nil
       end.compact.sort
     end
 
+    def results
+      return nil unless verbose
+
+      {
+        resolutions: resolutions,
+        occurrences: occurrences
+      }
+    end
+
+    def resolutions
+      (@verbose_memo || {}).sort_by { |_, v| v }.to_h
+    end
+
+    def occurrences
+      @memo.sort_by{ |_, v| -v }.to_h
+    end
+
     def inspect
       return unless @memo.empty?
 
-      results = Parallel.map(top_100_domains) do |domain|
-        normal_result = normal_resolver.dig(domain, "A")
-        target_result = target_resolver.dig(domain, "A")
+      # read domains outside of the async blocks
+      domains
+
+      normal = bulk_resolve(normal_resolver, domains)
+      resolutions = bulk_resolve(target_resolver, domains)
+
+      results = resolutions.map do |domain, addresses|
+        normal_addresses = normal.dig(domain) || []
+        address = (addresses || []).first
+        [domain, address] if address && !normal_addresses.include?(address)
+      end.compact.to_h
 
-        target_result if target_result && normal_result != target_result
-      end.compact
+      @memo = results.values.group_by(&:itself).map { |k, v| [k, v.length] }.to_h
+      @verbose_memo = results if verbose
+    end
+
+    def domains
+      @domains ||= custom_list ? custom_domains : top_100_domains
+    end
 
-      @memo = results.group_by(&:itself).map { |k, v| [k, v.length] }.to_h
+    def custom_domains
+      read_domains custom_list
     end
 
     def top_100_domains
-      @top_100_domains ||= YAML.safe_load(File.read(File.expand_path("./data/top_100.yml", __dir__)))
+      case default_list
+      when "alexa"
+        read_domains File.expand_path("./data/alexa_100.yml", __dir__)
+      when "fortune"
+        read_domains File.expand_path("./data/fortune_100.yml", __dir__)
+      end
+    end
+
+    def read_domains(path)
+      list = DomainList.new(path)
+      return list.domains if list.valid?
+
+      raise ArgumentError, "Inputted an invalid list. #{path} is not eixst." unless list.exists?
+      raise ArgumentError, "Inputted an invalid list. Please input a list as an YAML file." unless list.valid_format?
+    end
+
+    def bulk_resolve(resolver, domains)
+      results = []
+      Async do
+        barrier = Async::Barrier.new
+        semaphore = Async::Semaphore.new(max_concurrency, parent: barrier)
+
+        domains.each do |domain|
+          semaphore.async do
+            addresses = []
+            begin
+              addresses = resolver.addresses_for(domain, Resolv::DNS::Resource::IN::A, { retries: 1 }).map(&:to_s)
+            rescue Async::DNS::ResolutionFailure
+              # do nothing
+            end
+            results << [domain, addresses]
+          end
+        end
+      end
+      results.to_h
     end
 
     def normal_resolver
-      @normal_resolver ||= Resolver.new(nameserver: GOOGLE_PUBLIC_DNS)
+      Async::DNS::Resolver.new([[:udp, GOOGLE_PUBLIC_DNS, 53], [:tcp, GOOGLE_PUBLIC_DNS, 53]])
     end
 
     def target_resolver
-      @target_resolver ||= Resolver.new(nameserver: target)
+      Async::DNS::Resolver.new([[:udp, target, 53], [:tcp, target, 53]])
     end
   end
 end

data/lib/rogue_one/domain_list.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+require "yaml"
+
+module RogueOne
+  class DomainList
+    attr_reader :path
+
+    def initialize(path)
+      @path = path.to_s
+    end
+
+    def valid?
+      exists? && valid_format?
+    end
+
+    def domains
+      @domains ||= exists? ? YAML.safe_load(File.read(path)) : nil
+    end
+
+    def exists?
+      File.exist?(path)
+    end
+
+    def valid_format?
+      domains.is_a? Array
+    end
+  end
+end

data/lib/rogue_one/ping.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+require "resolv"
+
+module RogueOne
+  class Ping
+    attr_reader :resolver
+    attr_reader :nameserver
+
+    def initialize(nameserver)
+      @nameserver = nameserver
+      @resolver = Resolv::DNS.new(nameserver: [nameserver])
+      @resolver.timeouts = 5
+    end
+
+    def get_a_record
+      resolver.getresource("example.com", Resolv::DNS::Resource::IN::A)
+    rescue Resolv::ResolvError => _e
+      nil
+    end
+
+    def pong?
+      result = get_a_record
+      raise Error, "DNS resolve error: there is no resopnse from #{nameserver}" unless result
+
+      true
+    end
+
+    def self.pong?(target)
+      new(target).pong?
+    end
+  end
+end

data/lib/rogue_one/resolver.rb

@@ -10,9 +10,15 @@ module RogueOne
       @nameserver = nameserver
     end
 
-    def dig(domain, type)
+    def get_resource(domain, type)
       _resolver.getresource(domain, resource_by_type(type)).address.to_s
-    rescue Resolv::ResolvError => e
+    rescue Resolv::ResolvError => _e
+      nil
+    end
+
+    def get_resources(domain, type)
+      _resolver.getresources(domain, resource_by_type(type)).map { |r| r.address.to_s }
+    rescue Resolv::ResolvError => _e
       nil
     end
 
@@ -20,6 +26,8 @@ module RogueOne
 
     def _resolver
       @_resolver ||= Resolv::DNS.new(nameserver: [nameserver])
+      @_resolver.timeouts = 5
+      @_resolver
     end
 
     def resource_by_type(type)

data/lib/rogue_one/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module RogueOne
-  VERSION = "0.1.3"
+  VERSION = "0.4.1"
 end

data/rogue_one.gemspec

@@ -10,8 +10,8 @@ Gem::Specification.new do |spec|
   spec.authors       = ["Manabu Niseki"]
   spec.email         = ["manabu.niseki@gmail.com"]
 
-  spec.summary       = "Rogue one: a rogue DNS detector"
-  spec.description   = 'Rogue one: a rogue DNS detector'
+  spec.summary       = "A rogue DNS detector"
+  spec.description   = "A rogue DNS detector"
   spec.homepage      = "https://github.com/ninoseki/rogue_one"
   spec.license       = "MIT"
 
@@ -24,11 +24,11 @@ Gem::Specification.new do |spec|
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.require_paths = ["lib"]
 
-  spec.add_development_dependency "bundler", "~> 2.0"
+  spec.add_development_dependency "bundler", "~> 2.1"
   spec.add_development_dependency "coveralls", "~> 0.8"
-  spec.add_development_dependency "rake", "~> 12.3"
-  spec.add_development_dependency "rspec", "~> 3.8"
+  spec.add_development_dependency "rake", "~> 13.0"
+  spec.add_development_dependency "rspec", "~> 3.9"
 
-  spec.add_dependency "parallel", "~> 1.17"
-  spec.add_dependency "thor", "~> 0.19"
+  spec.add_dependency "async-dns", "~> 1.2"
+  spec.add_dependency "thor", "~> 1.0"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rogue_one
 version: !ruby/object:Gem::Version
-  version: 0.1.3
+  version: 0.4.1
 platform: ruby
 authors:
 - Manabu Niseki
-autorequire: 
+autorequire:
 bindir: exe
 cert_chain: []
-date: 2019-05-03 00:00:00.000000000 Z
+date: 2020-07-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '2.1'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '2.1'
 - !ruby/object:Gem::Dependency
   name: coveralls
   requirement: !ruby/object:Gem::Requirement
@@ -44,57 +44,57 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '12.3'
+        version: '13.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '12.3'
+        version: '13.0'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.8'
+        version: '3.9'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.8'
+        version: '3.9'
 - !ruby/object:Gem::Dependency
-  name: parallel
+  name: async-dns
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.17'
+        version: '1.2'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.17'
+        version: '1.2'
 - !ruby/object:Gem::Dependency
   name: thor
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.19'
+        version: '1.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.19'
-description: 'Rogue one: a rogue DNS detector'
+        version: '1.0'
+description: A rogue DNS detector
 email:
 - manabu.niseki@gmail.com
 executables:
@@ -112,10 +112,14 @@ files:
 - bin/console
 - bin/setup
 - exe/rogue_one
+- images/eyecatch.png
 - lib/rogue_one.rb
 - lib/rogue_one/cli.rb
-- lib/rogue_one/data/top_100.yml
+- lib/rogue_one/data/alexa_100.yml
+- lib/rogue_one/data/fortune_100.yml
 - lib/rogue_one/detector.rb
+- lib/rogue_one/domain_list.rb
+- lib/rogue_one/ping.rb
 - lib/rogue_one/resolver.rb
 - lib/rogue_one/version.rb
 - rogue_one.gemspec
@@ -123,7 +127,7 @@ homepage: https://github.com/ninoseki/rogue_one
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -138,8 +142,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.2
-signing_key: 
+rubygems_version: 3.1.2
+signing_key:
 specification_version: 4
-summary: 'Rogue one: a rogue DNS detector'
+summary: A rogue DNS detector
 test_files: []

data/lib/rogue_one/data/top_100.yml

@@ -1,101 +0,0 @@
----
-- google.com
-- facebook.com
-- youtube.com
-- yahoo.com
-- baidu.com
-- wikipedia.org
-- qq.com
-- taobao.com
-- twitter.com
-- amazon.com
-- linkedin.com
-- live.com
-- google.co.in
-- sina.com.cn
-- hao123.com
-- blogspot.com
-- weibo.com
-- tmall.com
-- vk.com
-- wordpress.com
-- yahoo.co.jp
-- sohu.com
-- yandex.ru
-- ebay.com
-- google.de
-- bing.com
-- pinterest.com
-- google.co.uk
-- 163.com
-- 360.cn
-- google.fr
-- ask.com
-- instagram.com
-- google.co.jp
-- tumblr.com
-- msn.com
-- google.com.br
-- mail.ru
-- microsoft.com
-- xvideos.com
-- paypal.com
-- google.ru
-- soso.com
-- adcash.com
-- google.es
-- google.it
-- imdb.com
-- apple.com
-- imgur.com
-- neobux.com
-- craigslist.org
-- amazon.co.jp
-- t.co
-- xhamster.com
-- stackoverflow.com
-- reddit.com
-- google.com.mx
-- google.com.hk
-- cnn.com
-- google.ca
-- fc2.com
-- go.com
-- ifeng.com
-- bbc.co.uk
-- vube.com
-- people.com.cn
-- blogger.com
-- aliexpress.com
-- odnoklassniki.ru
-- wordpress.org
-- alibaba.com
-- gmw.cn
-- adobe.com
-- huffingtonpost.com
-- google.com.tr
-- xinhuanet.com
-- googleusercontent.com
-- youku.com
-- godaddy.com
-- pornhub.com
-- akamaihd.net
-- thepiratebay.se
-- kickass.to
-- google.com.au
-- amazon.de
-- clkmon.com
-- ebay.de
-- alipay.com
-- google.pl
-- espn.go.com
-- dailymotion.com
-- about.com
-- bp.blogspot.com
-- blogspot.in
-- netflix.com
-- vimeo.com
-- dailymail.co.uk
-- redtube.com
-- rakuten.co.jp
-- conduit.com