Carlos Díaz y Fco. Jesús Gómez - CMD: Look who's talking too [RootedCON 2012]
•
0 j'aime•1,039 vues
“DNS: Internet Dial-Tone”; Partiendo de esta premisa y con la vista puesta en el método de distribución de ‘malware’ presentado en 2011 (Cloud Malware Distribution), intentaremos mostrar de forma dinámica los resultados obtenidos después de algunos meses de trabajo focalizado en las comunicaciones, tanto en la parte de control como en la fuga de información, de las ‘botnets’. Por supuesto con el protocolo DNS con un papel protagonista. Jugaremos con tres parámetros fundamentales que tendremos que equilibrar: Nivel de exposición de la infraestructura del atacante. Recursos y complejidad. Ancho de banda en la comunicación. El objetivo final es concienciar de la importancia de poner el foco en este protocolo como se ha hecho en otros. Nuestros resultados, y los resultados obtenidos por proveedores de seguridad e investigadores en los últimos meses avalan la posición que defendemos.
Recommandé
Recommandé
Contenu connexe
En vedette
En vedette (20)
Similaire à Carlos Díaz y Fco. Jesús Gómez - CMD: Look who's talking too [RootedCON 2012]
Similaire à Carlos Díaz y Fco. Jesús Gómez - CMD: Look who's talking too [RootedCON 2012] (20)
Plus de RootedCON
Plus de RootedCON (20)
Dernier
Dernier (20)
Carlos Díaz y Fco. Jesús Gómez - CMD: Look who's talking too [RootedCON 2012]
- 1. CMD:%Look%who’s%talking%too% DNS:%a%botnet%dialect%
- 2. Francisco%J.%Gómez%Rodríguez%(fran@Gd.es):% • Computer%Engineering%(EUIMUPM)% • Security%Research%(Telefonica%R&D)% • dig$fran.rootedcon.themafia.info$TXT$ Carlos%Díaz%Hidalgo%(charlie@Gd.es):% • TelecommunicaGons%Engineer%(ETSITMMUPM),%GPEN,%GCIH,% OPST,%ITILF%and%CCNA.% • Technology%Specialist%in%Ethical%Hacking%(Telefonica%R&D)% • dig$charlie.rootedcon.themafia.info$TXT$
- 3. look$who’s$talking$too$ Nasal%Spray% This$presenta9on$contains:$ one%year%ago%…………………………………………....%%%%3%mg% cloud%malware%distribuGon%…………………..….%%%10%mg% dns%is%in%the%air%…………………………………………%%%10%mg% suspicion%………………………………………………….%%%%%8%mg% data%leak%………………………………………………….%%%10%mg% laboratory%……………………………………………….%%%%10%mg% 4.4$FL$OZ$(130mL)$ Tamper;Evident:%Do%not%accept%if%sealed%blister% unit%has%been%broken%or%opened% THIS%PACKAGE%FOR%HOUSEHOLDS% WITHOUT%YOUNG%CHILDREN%
- 5. One%year%ago%…% • We%talked%about%DNS%and%Malware.% • We%released%Cloud%Malware%DistribuGon% (CMD):% – An%alternaGve%method%for%malware%distribuGon% using%Cache%DNS%services.% – Using%client%default%DNS%se_ngs.% – Malware%source%virtually%untraceable.%
- 6. A%DNS%shot%
- 8. Cloud%Malware%DistribuGon% 1. Encoding:%Split%malware%payload%into%DNS%Records.% % 2. Publishing:%Publish%domain%and%each%record%in%a%public%Name%Server.% % 3. Loading:%Force%an%Open%Emi`er%DNS%Cache%Server%to%store%all%records.% % 4. Downloading:%Download%records%from%an%infected%host%(bot).% % 5. Decoding:%Rebuild%malware%payload%from%records.% 8rjqerkjqet.cmdns.domain.com1% ueirytbdosu.cmdns.domain.com1% ktqtr53xase.cmdns.domain.com1% kzmfzzmfzze.cmdns.domain.com1% 8rjqerkjqet.cmdns.domain.com1% 1,2% ueirytbdosu.cmdns.domain.com1% 3% 4% 5 ktqtr53xase.cmdns.domain.com1% kzmfzzmfzze.cmdns.domain.com1% Open%Emi`er% DNS%
- 9. Encoding%&%Publish% Cloud%Malware%DistribuGon%(I)% 8rjqerkjqet.cmdns.domain.com1% 8rjqerkjqet1 ueirytbdosu.cmdns.domain.com1% ueirytbdosu1 ktqtr53xase1 ktqtr53xase.cmdns.domain.com1% kzmfzzmfzze1% kzmfzzmfzze.cmdns.domain.com1% • From%malware%file%we%create% a%base32%coded%string.% • So%we%split%the%string%into% DNS%compliance%records.% DNS%AUTH% 8rjqerkjqetueirytbdosuktqtr53xasekzmfzzmfzze1% Freedns.afraid.org% 8rjqerkjqet.cmdns.domain.com1% kzmfzzmfzze.cmdns.domain.com1% ueirytbdosu.cmdns.domain.com1% ktqtr53xase.cmdns.domain.com1%
- 10. Cloud%Malware%DistribuGon(II)% 8rjqerkjqet.cmdns.domain.com1% • We%upload%each%DNS%record%from% a%malicious%DNS%to%Open%Emi`er.% ueirytbdosu.cmdns.domain.com1% • This%is%made%by%requesGng%each% ktqtr53xase.cmdns.domain.com1% record%to%Open%Emi`er%DNS.% • Then%Server%caches%each%record.% kzmfzzmfzze.cmdns.domain.com1% Split[1..n].cmdns.domain.com% A?% 8rjqerkjqet.cmdns.domain.com1% Open% ueirytbdosu.cmdns.domain.com1% Emi`er% ktqtr53xase.cmdns.domain.com1% cmdns.domain.com% DNS%AUTH% NS?% DNS% kzmfzzmfzze.cmdns.domain.com1% Freedns.afraid.org% Loading%
- 11. Cloud%Malware%DistribuGon%(III)% • Since%the%Open%Emi`er%Server%has%cached%all%records%we% convert%it%into%a%domain%authoritaGve%domain%server.% • From%now%on,%Open%Emi`er%will%resolve%all%domain%queries.% • Thus,%all%Internet%DNS%servers%can%resolve%malware%records%and% bots%can%get%them.% DNS%AUTH% % % % Freedns.afraid.org% 8rjqerkjqet.cmdns.domain.com1% Open% ueirytbdosu.cmdns.domain.com1% ktqtr53xase.cmdns.domain.com1% Emi`er% kzmfzzmfzze.cmdns.domain.com1% DNS% Downloading%
- 12. Cloud%Malware%DistribuGon%(IV)% kzmfzzmfzze.cmdns.domain.com1% ktqtr53xase.cmdns.domain.com1% ueirytbdosu.cmdns.domain.com1% 8rjqerkjqet.cmdns.domain.com1% 8rjqerkjqetueirytbdosuktqtr53xasekzmfzzmfzze1% • With%all%the%retrieved%records%bots% can%rebuild%the%original%file.%% • Bot%has%now%updated%the%malware% file.% Decoding%
- 13. % Own%survey%:%yesterday%and%today% Febrero$de$2011$ Marzo$de$2012$ España% EEUU% España% EEUU% Queried%hosts% 10.406% 10.406% 8217% 8217% Replying%hosts% 87,22%% 87,39%% 87,58%% 87,69%% Open%resolvers% 76,46%% 77,28%% 95,45%% 82,08%% Open%emi`ers% 57,76%% 57,33%% 53,78%% 53,51%% Accept%+norecurse% queries% 55,91%% 55,49%% 87,67%% 74,44%% TTL%≥%604800% 43,05%% 42,94%% 51,24%$ 49,32%$
- 14. A%quick%test…% DNSCrypt$ In% the% same% way% the% SSL% turns% HTTP% web% traffic% into% HTTPS% encrypted% Web% traffic,% DNSCrypt% turns% regular% DNS% traffic% into% encrypted% DNS% traffic% that% is% secure% from% eavesdropping% and% manMinMtheMmiddle%a`acks.%%
- 17. Are%you%talking%to%me?% • Let’s%see%some%about…% – DNS%as%covert%channel.% – DNS%uses%in%malware%communicaGons.%
- 18. l% DNS%as%Covert%Channe%% • OzymanDNS%(Kaminsky)% • Dnscapy% • (NSTX)%Iodine:%Use%several%RR%types,% NULL,TXT,CNAME)% • Dns2tcp%&%TCPMoverMDNS:%relay%TCP%connecGons.% • LoopcVPN%One%of%ChinaMTelecom%Hotspot% nightmare.%
- 19. Are%you%talking%to%me?% • Let’s%see%some%about…% – DNS%as%covert%channel.% – DNS%uses%in%malware%communicaGons.%
- 20. Stateless%malware%(I)% • TSPY_ZBOT.SMQH – Another Modified ZeuS Variant Seen in the Wild. – Reported in September 2011 by Trendmicro. – Data exchange is also now happening in UDP. – http://blog.trendmicro.com/another-modified-zeus-variant-seen-in-the-wild/
- 21. Stateless%malware(II)% • Older&version&using&TCP&to&exchange&configura7on&files.&However,& The&new&version&exchanges&all&data&in&UDP – http://www.symantec.com/connect/blogs/zeusbotspyeye-p2p-updated-fortifying-botnet
- 22. Stateless%malware(II)% • Older&version&using&TCP&to&exchange&configura7on&files.&However,& The&new&version&exchanges&all&data&in&UDP – http://www.symantec.com/connect/blogs/zeusbotspyeye-p2p-updated-fortifying-botnet TCP%
- 24. Feedorbot% • Using DNS protocol. – Feedorbot share encrypted commands from C&C. – Encapsuling data in TXT records and Base64 encoded. – http://www.cj2s.de/On-Botnets-that-use-DNS-for-Command-and-Control.pdf
- 25. HiloG% • Thanks%DNS%querys%HiloG%monitors%infected%host%status.% – h`p://blog.forGnet.com/hiloGMtheMbotmasterMofMdisguise% ! 142625.bc7a3d45.01.0AC1FD9D62074E6D9D2889088284DAB5.n.empty.1148.empty. 5_1._t_i.ffffffff.explorer_exe.173.rc2.a4h9uploading.com% • Although%It%uses%DNS%as%control%protocol,%bots%download% update%files%from%“file%hosGng”%servers%by%HTTP.% % !
- 26. Morto% • From IRC to DNS. – Morto, like Feedorbot, uses TXT records to comnunicate. – http://www.symantec.com/connect/blogs/morto-worm-sets-dns-record
- 30. Gathering%&%EvaluaGng%InformaGon%(III)% • Don´t%forget%the%classics:% – h`p://www.robtex.com/%
- 31. Learned%in%#Rooted2012% • h`p://labs.alienvault.com/labs/index.php/projects/openMsourceMipMreputaGonMportal/%%
- 32. SomeGmes%…%I%see%dead%people% • September,%2011% %%%%(Top%10%Malicious%Domains)%
- 33. Scratch%&%Win%
- 34. Ten%Li`le%Niggers% • h`p://www.webboar.com/ip/67.15.149.70/% – 25%Domain(s)%on%IP%Address%67.15.149.70% • azxdf.com% • civiGcle0.com% • morewallfalls7.com% • mjuyh.com% • ckubf.com% • okjyu.com% • hjuyv.com% • djhbw.com% • orn2hcb.com% • plokm.com% • himovingto8.com% • qlovg.com% • nbgtr.com% • hiuxd.com% • quiluGon2.com% • vcxde.com% • liunj.com% • uncdt.com% • asljd.com% • loijm.com% • xvfar.com% • bruGllor5.com% • mjrth.com% • zscdw.com% • zukamosion3.com%
- 39. TradiGonal%data%leak%using%DNS% [OUTPUT_DOMAIN]1 DataLeakRecord1.[OUTPUT_DOMAIN] DataLeakRecord11 DataLeakRecord2.[OUTPUT_DOMAIN] DataLeakRecord21 …! 1% 2% Cache%DNS% (public or private) DNS%Auth.% OUTPUT_DOMAIN% Bot
- 40. Using%a%DNS%reflector% DNS%Auth.% DataLeakRecord1.[OUTPUT_DOMAIN] (OUTPUT_DOMAIN)% 2% 1% (PUBLICATION_DOMAIN)! Cache%DNS% !Data1!R>!DataLeakRecord1 (public or private) 3% Force%Data%Leak%Upload% CMD$ 5% Bot Data1 [PUBLICATION_DOMAIN]1 Data11 4% Data21 …! Data1.[PUBLICATION_DOMAIN] Cache%DNS% DNS%Auth.% (Open%emi`er%+%cache)% PUBLICATION_DOMAIN% !Data1!R>!DataLeakRecord1
- 42. Using%FastMFlux%DNS%reflectors% DNS%Auth.% DataLeakRecord1.[OUTPUT_DOMAIN] (OUTPUT_DOMAIN)% 2% 1% Cache%DNS% (PUBLICATION_DOMAIN)! !Data1!R>!DataLeakRecord1 (public or private) 3% DataLeakRecord1.[OUTPUT_DOMAIN] Force%Data%Leak%Upload% CMD$ 5% Bot Data1 [PUBLICATION_DOMAIN]1 Data11 4% Data21 …! Data1.[PUBLICATION_DOMAIN] Cache%DNS% DNS%Auth.% (Open%emi`er%+%cache)%
- 43. Data%Leak%using%NXDOMAIN%responses% • NXDOMAIN%responses%are%cached:% – NegaGve%caching%is%useful.% – TTL%value:%The%SOA%'minimum'%parameter%is%used% as%the%negaGve%(NXDOMAIN)%caching%Gme% (defined%in%RFC%2308).% • Other%queries%may%reuse%some%parts%of%the% lookup%(quick%response).%
- 47. Data%leak%with%“dig”% RCODE$ TTL$ QUERY$TIME$
- 48. Leak%recovery%with%“dig”%(I)% TTL$<$86400$ QUERY$TIME$<$300$msec$
- 49. Leak%recovery%with%“dig”%(II)% TTL$=$86400$ QUERY$TIME$approx.$300$msec$ It$is$not$a$good$method$for$recovery!$
- 50. Leak%recovery%with%“dig”%(III)% TTL$<$86400$ QUERY$TIME$<$300$msec$
- 51. Leak%recovery%with%“dig”%(IV)% RCODE$≠$NXDOMAIN$ QUERY$TIME$<$300$msec$ It$is$the$preferred$method$for$recovery!$
- 52. Data%Leak%using%NXDOMAIN%responses% DNS% 2% 1% (Open%emi`er%+%cache)% DNS%Auth.% UT_DOM AIN] 1.[OUTPUT_DOMAIN] (OUTPUT_DOMAIN)% 1.[OUTP d1.[OUTPUT_DOMAIN] OMAIN] TPUT_D d1.[OU … AIN] dataleakrecord1 UT_DOM rd1.[OUTP ataLeakRecord1.[OUTPUT_DOMAIN] … DataLeakRecord1.[OUTPUT_DOMAIN] IN] T_DOMA d1.[OUTPU krecor atalea MAIN] PUT_DO rd1.[OUT akreco datale Bot
- 53. Data%Leak%using%NXDOMAIN%responses% DNS% 2% 1% (Open%emi`er%+%cache)% DNS%Auth.% UT_DOM AIN] 1.[OUTPUT_DOMAIN] (OUTPUT_DOMAIN)% 1.[OUTP d1.[OUTPUT_DOMAIN] OMAIN] TPUT_D d1.[OU … AIN] dataleakrecord1 UT_DOM rd1.[OUTP ataLeakRecord1.[OUTPUT_DOMAIN] … DataLeakRecord1.[OUTPUT_DOMAIN] IN] T_DOMA d1.[OUTPU krecor atalea MAIN] PUT_DO rd1.[OUT akreco a1.[OUTPUT_DOMAIN] datale 1.[OUTPUT_DOMAIN] z.[OUTPUT_DOMAIN] b.[OUTPUT_DOMAIN] a.[OUTPUT_DOMAIN] … … Bot QUERY:%+norecurse% % 3% RESPONSE:%RCODE?% dataleakrecord1 TTL%value?% Query%Gme?%
- 54. NXDOMAIN%(demo)%
- 55. Data%Leak%using%“nice”%domains% • There%are%authoritaGve%DNS%server%that:% – Simply%point%all%unknown%DNS%queries%to%a%single% IP%address.% – Minimum%TTL%value%on%the%order%of%1M7%days.% • Where%can%I%find%them?% inbox.com% imgur.com% – Alexa%“Tops%Sites”:% motherless.com% h`p://www.alexa.com/topsites%% wikia.com% wikispaces.com% pbworks.com% %%%%%%%%%%%%…%
- 58. Data%Leak%using%‘nice’%domains% DNS% 2% ‘nice’%DNS%Auth.% 1% (Open%emi`er%+%cache)% (OUTPUT_DOMAIN)% AIN] 1.[OUTPUT_DOMAIN] UT_DOM 1.[OUTP d1.[OUTPUT_DOMAIN] OMAIN] TPUT_D d1.[OU … AIN] dataleakrecord1 UT_DOM rd1.[OUTP ataLeakRecord1.[OUTPUT_DOMAIN] … DataLeakRecord1.[OUTPUT_DOMAIN] IN] T_DOMA d1.[OUTPU krecor atalea MAIN] PUT_DO rd1.[OUT akreco datale Bot
- 59. Data%Leak%using%‘nice’%domains% DNS% 2% ‘nice’%DNS%Auth.% 1% (Open%emi`er%+%cache)% (OUTPUT_DOMAIN)% AIN] 1.[OUTPUT_DOMAIN] UT_DOM 1.[OUTP d1.[OUTPUT_DOMAIN] OMAIN] TPUT_D d1.[OU … AIN] dataleakrecord1 UT_DOM rd1.[OUTP ataLeakRecord1.[OUTPUT_DOMAIN] … DataLeakRecord1.[OUTPUT_DOMAIN] IN] T_DOMA d1.[OUTPU krecor atalea MAIN] PUT_DO rd1.[OUT akreco a1.[OUTPUT_DOMAIN] datale 1.[OUTPUT_DOMAIN] z.[OUTPUT_DOMAIN] b.[OUTPUT_DOMAIN] a.[OUTPUT_DOMAIN] … … Bot QUERY:%+norecurse% % 3% ANSWER%SECTION?% dataleakrecord1 TTL%value?%
- 60. Conclusions%dataMleak% Use$client$ Upload$ Expose$ Download$ Score$ default$DNS$ queries$ cybercrime$ queries$ (0;10)$ seings$ needed$ infrastructure$ needed$ TradiGonal% YES% 2%queries/kB% YES$ M% 5% DNS%tunneling% Using%FastMFlux% YES% 2%queries/kB% YES$ 2%queries/kB% 4% DNS%reflectors% Using% NXDOMAIN% NO$ 2$queries/B$ NO% 20%queries/B% 2% response% Using%“nice”% NO$ 2$queries/B$ NO% 20%queries/B% 6% domains%
- 61. ToDo:%Improvement++% • Data%Leak%using%‘nice’%domains.%But$ remembering$that:$ – Must%use%client%default%DNS%se_ngs.% • Maybe%can%use%three%party%resources%…%(once% again)% – %…%Use%misconfigured%DNS%(proxy%DNS,%cache%DNS,% authoritaGve%server,%…).% – e.g.%must%ignore%“+norecurse”%flag,%“minimalM response”%configured,%etc.% • Result:%Untraceable%data%leaks%
- 62. Harder%than%finding%a%needle%in%a% haystack!%
- 64. Making%the%lab.% • We%need%a%“real”%threat…% • But%we%are%“ethical”…% • And%we%are%not%developers…% Searching…$
- 65. And%the%winner%is…% • Wri`en%in%C#%and%PHP% • GNU/GPL% • Geared%to%build%botnets% • HTTP%communicaGon%
- 66. How%Flu%works% • Flu%server%share%XML%commands%file.% • Infected%hosts%get%XML%file%through% HTTP%request.% HTTP$ Flu% Flu% Infected% SERVER% Host%
- 67. Flu%and%CMD% • We%use%CMD%to%distribute%XML%commands%file.% • Our%dream:%Flu%become%stateless%Trojan.% • Then%we’ll%have%statelessMTrojanMGPL%botnet.% 1%GET% 1%query% 11%pkts.% HTTP/TCP% Vs% DNS/UDP% 2%pkts.% 1%conn.% % 0%conn.% DNS$ Open% DNS$ Flu% Flu% Emi`er% Infected% DNS% DNS% Host%
- 68. Flu%and%CMD:%Server% • PHP%5.3.0%or%higher%required.% • Three%steps:% 1. &domain.db%file%create.%(external%lib:%Tar.php)% 2. Load%XML%file%into%DNS%server.%(NaGve%lib)% 3. Download%data%from%infected%host.%(NaGve%lib)%
- 69. Flu%and%CMD:%3th%Party% • ISC%Bind% • FreeDNS.afraid.org% • HE%free%DNS%service% • Misconfigured%DNS%server.% Open% Emi`er%
- 70. Flu%and%CMD:%3th%Party% • ISC%Bind% • FreeDNS.afraid.org% • HE%free%DNS%service% • Misconfigured%DNS%server.% Open% Emi`er%
- 71. Flu%and%CMD:%Client% • We%use%ARSoD.Tools.Net%library.% • Without%GUI%changes:% – We%use%domainload&to%data%leak.% – We%use%domaindownload&to%get%XML%file.%
- 72. Flu%and%CMD:%How%it%works%(I)% XML2DNS$ LOADXML$ DOWNLOADXML$ DNS$ Open% DNS$ Flu% Flu% Emi`er% Infected% DNS% DNS% Host%
- 73. Flu%and%CMD:%How%it%works%(II)% • How%flu%call%back?% – NXDOMAIN%can:%Track%new%bots.% – NXDOMAIN%can’t:%Send%huge%files.%% DNS$ Open% DNS$ Flu% Flu% Emi`er% Infected% C&C% Nxdomainquery% Nxdomainquery% Noerror% DNS% Noerror% Host% DNS%Server%
- 74. Flu%and%CMD:%How%it%works%(II)% 1. How%flu%call%back?% – NXDOMAIN%can:%Track%new%bots.% – NXDOMAIN%can’t:%Send%huge%files.%% 2. Then…%we%need%to%expose%DNS%server.% DNS$ Open% DNS$ Flu% Flu% Emi`er% Infected% C&C% Nxdomainquery% Nxdomainquery% 1% Noerror% DNS% Noerror% Host% DNS%Server% DNS$ DNS$ Flu% Flu% Cache% 2% Infected% DNS% DNS% Host%
- 76. Conclusions% • DNS%is%a%botnet%dialect…% – One%year%ago%DNS%was%a%possibility,%today%could%be%a%real% threat.% • Data%leak%using%DNS%need%an%improvement…% – ...but%we%are%working%progress.% • Malware%need%to%communicate%undetected,%and%IDS% want%to%detect%malware.% – Both%must%be%looking%for%the%same…%DNS.% • Don’t%forget%DNS%Protocol%
- 77. QuesGons?% Who$invented$the$rootedcon?$ Perez$the$mouse$ Rootedcon$is$your$parents$ Santa$ Three$Magic$Kings$
- 78. References% ! h`p://code.kryo.se/iodine/%% ! h`p://dns.measurementMfactory.com/%% ! h`p://darkwing.uoregon.edu/~joe/secprof10Mdns/secprof10Mdns.pdf%%% ! h`p://www.blackhat.com/presentaGons/bhMeuropeM05/BH_EU_05MKaminsky.pdf%% ! h`p://www.blackhat.com/presentaGons/bhMusaM04/bhMusM04Mkaminsky/bhMusM04Mkaminsky.ppt%% ! h`p://www.pcworld.com/arGcle/220024/feds_accidentally_seize_84000_innocent_domains_link_them_with_child_porn.html%%% ! h`p://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/zeus_king_of_bots.pdf%%% ! h`p://www.secdev.org/projects/scapy/%% ! h`ps://www.isc.org/soÉware/bind/documentaGon/arm95#man.dig%% ! h`p://dns.measurementMfactory.com/cgiMbin/openresolvercheck.pl%%% ! h`p://hakin9.org/magazine/1652MmobileMmalwareMtheMnewMcyberMthreat%% ! h`p://www.ieÑ.org/rfc/rfc{1033,1034,1035,1183,2181}.txt%% ! h`p://tools.ieÑ.org/id/draÉMcmdMpreventMmalwareMdnsMdistributeM00.txt%%% ! h`p://www.wombatMproject.eu/%% ! h`p://exposure.iseclab.org/index.html%% ! h`ps://dnsdb.isc.org/#Home%%% ! h`p://www.webboar.com%% ! h`ps://dns.he.net/%% ! h`p://www.fluMproject.com/%% ! h`p://arsoÉtoolsnet.codeplex.com/%%
- 79. Thanks%for%your%Gme!% @{Hlexpired,ffranz}& {charlie,fran}@7d.es%