Abstract: This post uses common social-engineering techniques to try to reconstruct who stands behind 太极助手 (TaiG), the Chinese-made App Store bundled with the iOS 7 jailbreak.
$ whois taig.com
Domain Name: TAIG.COM
Registry Domain ID: 5070333_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Update Date: 2013-11-05 18:27:16
Creation Date: 1999-04-06 23:00:00
Registrar Registration Expiration Date: 2015-04-06 23:00:00
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com
Registrar Abuse Contact Phone: +1.480-624-2505
Domain Status: clientTransferProhibited
Domain Status: clientUpdateProhibited
Domain Status: clientRenewProhibited
Domain Status: clientDeleteProhibited
Registry Registrant ID:
Registrant Name: zhou shengjin
Registrant Organization:
Registrant Street: Beijing changping district changping road
Registrant City: Beijing
Registrant State/Province: beijing
Registrant Postal Code: 100096
Registrant Country: China
Registrant Phone: +1.8811225068
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: nomas.chow@gmail.com
Registry Admin ID:
Admin Name: zhou shengjin
Admin Organization:
Admin Street: Beijing changping district changping road
Admin City: Beijing
Admin State/Province: beijing
Admin Postal Code: 100096
Admin Country: China
Admin Phone: +1.8811225068
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: nomas.chow@gmail.com
Registry Tech ID:
Tech Name: zhou shengjin
Tech Organization:
Tech Street: Beijing changping district changping road
Tech City: Beijing
Tech State/Province: beijing
Tech Postal Code: 100096
Tech Country: China
Tech Phone: +1.8811225068
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: nomas.chow@gmail.com
Name Server: NS3.DNSV4.COM
Name Server: NS4.DNSV4.COM
Clearly, taig.com is an old enough domain. The contact phone number in this record, +1.8811225068, should really be +86-18811225068; that is one of our leads. The address 『北京市昌平区昌平路』 (Changping Road, Changping District, Beijing) matches the phone number's registered location, Beijing. The email address is another usable lead.
$ host www.taig.com
www.taig.com has address 211.155.82.248
www.taig.com has address 203.191.148.133
www.taig.com has address 42.62.21.140
www.taig.com has address 42.62.21.141
www.taig.com has address 42.62.21.142
www.taig.com has address 42.62.21.143
www.taig.com has address 42.62.21.144
www.taig.com has address 211.155.82.233
Judging by the number of addresses, this does not look like a small company's infrastructure. Running whois on these IPs is disappointing, as they all point to various data centers, and bgp.he.net gives no further information.
$ curl -s www.taig.com|grep -Eo "http://[^\"']+"
http://bbdown.iphonespirit.com/site/image/logo.ico
http://js.pingguoyingyong.com/taiji-home/css/style.css
http://bbs.taig.com
http://www.taig.com/archives/category/news
http://static.youku.com/v1.0.0334/v/swf/player_yk.swf
http://static.youku.com/v1.0.0334/v/swf/player_yk.swf
http://www.adobe.com/go/getflash
http://bbdown.iphonespirit.com/ios/7/TaiG_JailBreak_iOS7_ForWin_v1.0.zip
http://bbdown.iphonespirit.com/ios/7/TaiG_JailBreak_iOS7_ForMac_v1.0.dmg
http://www.taig.com/archives/category/news
http://www.taig.com/archives/548
http://bbdown.iphonespirit.com/site/docpic/2348.jpg
http://www.taig.com/archives/548
http://www.taig.com/archives/548
http://www.taig.com/archives/253
http://www.taig.com/archives/251
http://www.taig.com/archives/249
http://www.taig.com/archives/247
http://www.taig.com/archives/241
http://www.taig.com/archives/239
http://www.taig.com/archives/237
http://www.taig.com/archives/233
http://js.pingguoyingyong.com/taiji-home/js/build.js
This time the results look quite interesting. Below are backup copies of the whois information for a few of these domains.
$ whois pingguoyingyong.com
Domain Name: PINGGUOYINGYONG.COM
Registry Domain ID: 1701302087_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Update Date: 2013-02-04 05:56:33
Creation Date: 2012-02-09 09:52:46
Registrar Registration Expiration Date: 2015-02-09 09:52:46
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com
Registrar Abuse Contact Phone: +1.480-624-2505
Domain Status: clientTransferProhibited
Domain Status: clientUpdateProhibited
Domain Status: clientRenewProhibited
Domain Status: clientDeleteProhibited
Registry Registrant ID:
Registrant Name: John Lennon
Registrant Organization: Apple Application INC.
Registrant Street: China
Registrant City: guangdong
Registrant State/Province: baiyun
Registrant Postal Code: 000000
Registrant Country: China
Registrant Phone: +86.138000138000
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: fidate@gmail.com
Registry Admin ID:
Admin Name: John Lennon
Admin Organization: Apple Application INC.
Admin Street: China
Admin City: guangdong
Admin State/Province: baiyun
Admin Postal Code: 000000
Admin Country: China
Admin Phone: +86.138000138000
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: fidate@gmail.com
Registry Tech ID:
Tech Name: John Lennon
Tech Organization: Apple Application INC.
Tech Street: China
Tech City: guangdong
Tech State/Province: baiyun
Tech Postal Code: 000000
Tech Country: China
Tech Phone: +86.138000138000
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: fidate@gmail.com
Name Server: F1G1NS1.DNSPOD.NET
Name Server: F1G1NS2.DNSPOD.NET
On inspection, the mailbox for this domain also owns another domain, idestop.com, and its owner was already located in a Beijing community called 『新龙城』 as early as 2006.
$ whois iphonespirit.com
Domain Name ..................... iphonespirit.com
Sponsoring Registrar ............ HICHINA ZHICHENG TECHNOLOGY LTD.
Name Server ..................... ns3.dnsv4.com ns4.dnsv4.com
Registrant ID ................... whois-protect
Registrant Name ................. WHOIS AGENT
Registrant Organization ......... DOMAIN WHOIS PROTECTION SERVICE
Registrant Address .............. 3/F.,HiChina Mansion,No.27 Gulouwai Avenue Dongcheng District,Beijing 100120,China
Registrant City ................. Beijing
Registrant Province/State ....... Beijing
Registrant Postal Code .......... 100120
Registrant Country Code ......... CN
Registrant Phone Number ......... +8610.64242266
Registrant Fax .................. +8610.84138796
Registrant Email ................ domainadm@hichina.com
Administrative ID ............... whois-protect
Administrative Name ............. WHOIS AGENT
Administrative Organization ..... DOMAIN WHOIS PROTECTION SERVICE
Administrative Address .......... 3/F.,HiChina Mansion,No.27 Gulouwai Avenue Dongcheng District,Beijing 100120,China
Administrative City ............. Beijing
Administrative Province/State ... Beijing
Administrative Postal Code ...... 100120
Administrative Country Code ..... CN
Administrative Phone Number ..... +8610.64242266
Administrative Fax .............. +8610.84138796
Administrative Email ............ domainadm@hichina.com
Billing ID ...................... whois-protect
Billing Name .................... WHOIS AGENT
Billing Organization ............ DOMAIN WHOIS PROTECTION SERVICE
Billing Address ................. 3/F.,HiChina Mansion,No.27 Gulouwai Avenue Dongcheng District,Beijing 100120,China
Billing City .................... Beijing
Billing Province/State .......... Beijing
Billing Postal Code ............. 100120
Billing Country Code ............ CN
Billing Phone Number ............ +8610.64242266
Billing Fax ..................... +8610.84138796
Billing Email ................... domainadm@hichina.com
Technical ID .................... whois-protect
Technical Name .................. WHOIS AGENT
Technical Organization .......... DOMAIN WHOIS PROTECTION SERVICE
Technical Address ............... 3/F.,HiChina Mansion,No.27 Gulouwai Avenue Dongcheng District,Beijing 100120,China
Technical City .................. Beijing
Technical Province/State ........ Beijing
Technical Postal Code ........... 100120
Technical Country Code .......... CN
Technical Phone Number .......... +8610.64242266
Technical Fax ................... +8610.84138796
Technical Email ................. domainadm@hichina.com
Domain Create Date .............. 2013-03-29 19:54:24
Expiration Date ................. 2014-03-29 19:54:24
Although this domain is behind whois protection, further DNS analysis is still possible.
$ host bbdown.iphonespirit.com
bbdown.iphonespirit.com is an alias for bbdown.iphonespirit.com.51ccdn.com.
bbdown.iphonespirit.com.51ccdn.com is an alias for c01.i08.sisyun.com.
c01.i08.sisyun.com is an alias for c01.i08.cncsd.hadns.net.
c01.i08.cncsd.hadns.net has address 61.156.242.76
c01.i08.cncsd.hadns.net has address 60.210.10.77
c01.i08.cncsd.hadns.net has address 61.156.157.183
A quick search shows that 『苹果核』 (Pingguohe) uses this very domain for its downloads, and since Pingguohe is built on 360's core, one cannot help making certain associations.
$ host js.pingguoyingyong.com
js.pingguoyingyong.com has address 117.121.11.32
Next, searching for this IP address turned up a surprising discovery:
$ host www.kuaiyong.com
www.kuaiyong.com has address 117.121.11.16
On inspection, the name resolves to .16 from overseas and to .32 from within China.
$ curl -s --head -H"Host: www.kuaiyong.com" 117.121.11.32
HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Sun, 22 Dec 2013 22:40:11 GMT
Content-Type: text/html
Content-Length: 9268
Last-Modified: Thu, 19 Dec 2013 05:47:21 GMT
Connection: keep-alive
Accept-Ranges: bytes
$ curl -s -H"Host: nosuchhost.com" 117.121.11.32 | grep '<title>'
<title>Test Page for the Nginx HTTP Server on EPEL</title>
$ curl -s -H"Host: www.kuaiyong.com" 117.121.11.32 | grep '<title>'
<title> 快用苹果助手 </title>
Surprising discovery no. 2
Conclusion
Since TaiG's download links are hosted on iphonespirit.com, we have reason to believe TaiG is in some way connected to 360, or to a company 360 has invested in. Since TaiG's JS resources are hosted on pingguoyingyong.com, we have reason to believe TaiG has some deep cooperation with 快用助手 (Kuaiyong Assistant), or rather that TaiG is simply another alias of Kuaiyong.
You will shed tears of regret for your ignorance and arrogance, and all of it I shall take as stumbling blocks on the road of my scientific career. —— 大锑赵明毅