Reports show botnets are managed using common services such as Baidu Tieba

Qihoo security researchers report that a botnet built on the Double Gun (双枪) malware is managed through common domestic online services. The botnet numbers more than 100,000 infected hosts. The researchers observed that the Double Gun malware uses Baidu Tieba images to distribute profiles and malware, uses Alibaba Cloud storage to host profiles, and uses Baidu statistics to manage the activity of infected hosts; Tencent Weiyun URLs were also found on several occasions in the malware samples.

For the first time, the gang has integrated the services of the three major BAT vendors into its own programs. Baidu has taken action to block the malicious code download links.

The following is the full report:

New activity from the Double Gun gang: managing a botnet of hundreds of thousands of hosts with cloud services

By Jinye, Jia Yu, Suqitian, Researcher of Core Security Department THL

Overview

Recently, our domain name anomaly monitoring system DNSMon captured unusual activity on the domain name pro.csocools.com. Based on data coverage estimates, the scale of infection is more than 100k. By linking the alarm domain name to a batch of samples and C2s and analyzing the samples, we found that the gang behind the Double Gun malware has started a new large-scale campaign. In recent years the Double Gun gang has repeatedly been exposed and disrupted by security vendors, yet each time it has made a high-profile comeback, which shows how large its distribution channels are. This time, too, the large number of infected hosts produced anomalies in internet monitoring data and triggered the netlab early warning system. In this report, we go through the C2s associated with these URLs, identify some patterns and make some guesses.

We observed that, in addition to using Baidu Tieba images to distribute profiles and malware, the malware uses Alibaba Cloud storage to host profiles. To improve flexibility and stability and to make blocking more difficult, the developers also use Baidu statistics, a common network service, to manage the activity of infected hosts. We also found Tencent Weiyun URLs many times in the samples; interestingly, we did not find any code that references these addresses. For the first time, the Double Gun gang has integrated the services of all three major BAT vendors into its own programs, and it is foreseeable that using public services to manage botnets may become a popular trend. It is important to clarify that these public services are technically neutral in themselves, that their misuse in this malicious code is a deliberate act by its authors, and that all major internet companies expressly prohibit such abuse in their user agreements and take steps to combat it.

Since May 14, we have been in contact with Baidu's security team and have taken joint action to measure the spread of the malicious code and take countermeasures against it. As of the publication of this article, the relevant malicious code download links have been blocked. The statement from Baidu's security team on the incident is at the end of the article.

IOC correlation analysis

Starting from the alarm domain name, we established IOC associations through DNS resolution records and sample traffic analysis, filtered out isolated and noise nodes, and found a set of key C2s related to this propagation activity. As the excerpt of the IOC association diagram shows, almost all of the domain names are related to two key IP addresses, 125.124.255.20 and 125.124.255.79. Around these two IP addresses, the Double Gun gang has, since the second half of 2019, brought a number of domain names into use to control and distribute malicious programs. In fact, the gang has had long-term, stable control of a large number of IP addresses in the 125.124.255.0/24 network segment, which shows that it has very rich network resources.

Tracing the samples shows that this large-scale infection mainly works by inducing users to install private server clients for online games that contain malicious code. The infection methods fall roughly into two types, which are analyzed in depth below.

Infection method 1: the launcher contains malicious code

Stage 1: download and load the malicious cs.dll file

Entry pages for various private servers

Clicking the download link jumps to the private server's home page

Download of the launcher “Dragon Rank.zip”

A private server client launcher carrying malicious code is downloaded and executed by the user. The malicious code contacts the configuration server, then, based on the configuration information, downloads the latest version of a malicious program called cs.dll from Baidu Tieba and loads it dynamically. The sensitive strings in cs.dll are encrypted with a modified DES that is highly similar to the Double Gun samples we captured previously. We start with the sample's main exe file and analyze the malicious behavior above step by step.

File structure

The PE Resources of “Dragon rank.exe” contain 7 files. widget.dll is a client component, and the cs.dll in the resources is an older version of the malicious program. The 4 .sys files are drivers for the private server client; although they are named Game Protect, we found code in them that hijacks traffic to insert ads.

Download configuration information

The launcher creates a thread that fetches the encrypted profile http://mtdlq.oss-cn-beijing.aliyuncs.com/cscsmt.txt

The page contains 8 lines of hexadecimal strings, which can be decrypted by XORing them cyclically with the key B2 09 BB 55 93 6D 44 47.

After decryption, the result is the addresses of 8 Baidu Tieba images.
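The decoding step described above, as an added example that is not code from the report: a Python helper that reverses the cyclic XOR over a profile of hex lines and flags lines that do not decode to a URL. The sample profile is constructed by encoding made-up URLs with the key quoted in the text, and the expected `.baidu.com` host suffix is an assumption of this example.

```python
from itertools import cycle
from urllib.parse import urlsplit

# Key quoted in the report for the encrypted profile.
XOR_KEY = bytes.fromhex("B2 09 BB 55 93 6D 44 47")
# Assumption of this example: decoded entries point at a Baidu host.
EXPECTED_HOST_SUFFIX = ".baidu.com"


def xor_cycle(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """XOR data with the key repeated cyclically; applying it twice restores data."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def decode_line(hex_line: str, key: bytes = XOR_KEY):
    """Return (url, note); url is None when the line does not decode cleanly."""
    compact = "".join(hex_line.split())          # tolerate spaces between bytes
    try:
        blob = bytes.fromhex(compact)
    except ValueError:
        return None, "not hexadecimal"
    try:
        text = xor_cycle(blob, key).decode("ascii").rstrip("\x00")
    except UnicodeDecodeError:
        return None, "non-ASCII output (wrong key or different format)"
    if not text.isprintable():
        return None, "control characters in output"
    try:
        parts = urlsplit(text)
    except ValueError:
        return None, "output is not a URL"
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None, "output is not a URL"
    if not parts.hostname.endswith(EXPECTED_HOST_SUFFIX):
        return text, "URL on unexpected host"
    return text, "ok"


def decode_profile(profile_text: str, key: bytes = XOR_KEY):
    """Decode every non-empty line; returns a list of (line_no, url, note)."""
    rows = []
    for line_no, line in enumerate(profile_text.splitlines(), start=1):
        if line.strip():
            rows.append((line_no, *decode_line(line, key)))
    return rows


# Constructed sample: made-up URLs encoded with the key, plus one damaged line.
CONSTRUCTED_URLS = [
    "http://tiebapic.baidu.com/tieba/pic/item/constructed-sample-1.jpg",
    "http://tiebapic.baidu.com/tieba/pic/item/constructed-sample-2.jpg",
]
SAMPLE_PROFILE = "\n".join(
    [xor_cycle(u.encode("ascii")).hex().upper() for u in CONSTRUCTED_URLS]
    + ["ZZ09BB55"]
)

if __name__ == "__main__":
    for line_no, url, note in decode_profile(SAMPLE_PROFILE):
        print(line_no, note, url)
```

A line that decodes to non-ASCII bytes usually means the key or the profile format has changed, which is itself worth recording when tracking the campaign.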

Download the image files, then cut and reassemble them into cs.dll

Accessing an image address directly shows a picture whose content looks randomly generated.

The malicious program downloads the image files; in each image, a tag separates the image data from the malicious code data.

Stitching all the malicious code pieces together yields the stage 2 malicious program, cs.dll.

The malicious program loads this cs.dll by memory mapping and then calls its export function abcd() to enter stage 2, so no file is written to disk.

Stage 2: report host information, release and load the malicious driver

cs.dll performs some simple anti-virtual-machine and anti-antivirus checks, uses Baidu's statistics service to report bot information, and releases the stage 3 VMP-packed driver (in x86 and x64 versions).

DES decryption algorithm

The DES decryption algorithm in the sample is the malware authors' own implementation; the encryption mode is CBC, with no padding. The conversion tables of the DES algorithm are the same as in the old version (see “The infrastructure update of the ‘Double Gun’ Trojan and the analysis of the corresponding mode of transmission”). The DES decryption in this campaign has 2 layers. In the first layer, the string dBvvIEmQW2s is Base64-decoded to obtain binary data, and that binary data is then decrypted with an empty key, which gives the string helloya\x00. This string is then used as the key to decrypt a large amount of other ciphertext with the self-developed DES algorithm. The complete decryption process is as follows:

Check the virtual machine environment (VMs and WM)

The code examines a registry key to determine whether it is running on a VMware host, and returns directly if so.

It checks whether the system service WayOSFw exists, and returns directly if the service exists.

Create a Bot ID

The system API is used to create the host's bot ID, which is written to the registry at SOFTWARE\PCID.

Managing bots with Baidu's statistics service

The malware developers use some standard fields of the Baidu statistics interface to report sensitive host information, relying on this common network behavior to manage the activity of infected hosts. Because Baidu's statistics service is used by a large number of websites, the traffic looks like ordinary, compliant browser behavior, so it is difficult to distinguish and harder for security vendors to combat.

The malicious program first uses a function called DataWork() to forge a browser request and download the hm.js script.

It saves the user cookie HMACCOUNT from the response to the registry.

Through the http://hm.baidu.com/hm.gif? interface, the malicious program reports the statistics script version extracted from this.b.v, the user cookie, the bot_id and other forged statistics fields. With the Baidu statistics back end, the malware developers can easily manage and evaluate infected users.

Decrypt, create and install the driver from the Dat resources

Check whether private server client drivers such as XxGamesFilter are installed.

Depending on the installation state and the operating system version, a different resource ID is chosen, and each resource corresponds to a different version of the driver (32-bit systems use the resources with ID 111 or 109, 64-bit systems use the resources with ID 110 or 112).

The resources are only lightly encrypted. To decrypt the 32-bit driver, for example, first reverse the order of the data, then XOR it byte by byte with the system version value 32, which gives a VMP-packed driver file.

Detect whether a TeSafe driver is present; if it is, the infection process is interrupted. Calculate the MD5 value of TeSafe plus the computer name and detect whether a driver named with that MD5 string is present; if it is, the system has already been infected and the infection process is interrupted.

// Concatenated string
+00   54 65 53 61 66 65 2B 57 49 4E 2D 52 48 39 34 50      TeSafe+WIN-RH94P
+10   42 46 43 37 34 41 00 00 00 00 00 00 00 00 00 00      BFC74A..........
// MD5 value of the concatenated string
+00   46 34 36 45 41 30 37 45 37 39 30 33 33 36 32 30      F46EA07E79033620
+10   43 45 31 33 44 33 35 44 45 31 39 41 41 43 34 32      CE13D35DE19AAC42
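As an added example (not code from the report), the marker check above can be turned around for host triage: compute the MD5-named driver a previously infected machine would carry and look for it in a driver inventory. The ASCII encoding of the string, the upper-case hex form, the optional `.sys` suffix and the inventory contents are assumptions or constructed values.

```python
import hashlib

MARKER_PREFIX = "TeSafe+"   # literal prefix visible in the report's dump
SKIP_DRIVER = "TeSafe"      # driver whose presence makes the malware abort


def marker_name(computer_name: str) -> str:
    """MD5 of 'TeSafe+' + computer name as 32 upper-case hex characters.

    Assumption: the name is hashed as ASCII bytes exactly as the OS reports it.
    """
    data = (MARKER_PREFIX + computer_name).encode("ascii")
    return hashlib.md5(data).hexdigest().upper()


def driver_stem(driver_name: str) -> str:
    """Normalize an inventory entry: strip path, '.sys' suffix and case."""
    base = driver_name.replace("/", "\\").rsplit("\\", 1)[-1].strip()
    if base.lower().endswith(".sys"):
        base = base[:-4]
    return base.upper()


def triage_host(computer_name: str, driver_names) -> dict:
    """Classify one host from its list of driver or driver-service names."""
    stems = {driver_stem(n) for n in driver_names}
    try:
        marker = marker_name(computer_name)
    except UnicodeEncodeError:
        return {"host": computer_name, "verdict": "unknown",
                "reason": "non-ASCII computer name, marker not computed"}
    if marker in stems:
        return {"host": computer_name, "verdict": "infected",
                "reason": "driver named " + marker + " is present"}
    if SKIP_DRIVER.upper() in stems:
        return {"host": computer_name, "verdict": "skipped-by-malware",
                "reason": "TeSafe driver present, infection routine aborts"}
    # Not proof of a clean host: other stages use random driver file names.
    return {"host": computer_name, "verdict": "no-marker",
            "reason": "neither marker driver nor TeSafe found"}


def triage_fleet(inventory: dict) -> list:
    """inventory maps computer name -> iterable of driver names."""
    return [triage_host(host, drivers) for host, drivers in sorted(inventory.items())]


# Constructed inventory (host names and driver lists are made up).
CONSTRUCTED_INVENTORY = {
    "LAB-PC-01": ["fltMgr.sys", "ndis.sys", marker_name("LAB-PC-01") + ".sys"],
    "LAB-PC-02": [r"C:\Windows\System32\drivers\TeSafe.sys", "ndis.sys"],
    "LAB-PC-03": ["fltMgr.sys", "ndis.sys"],
}

if __name__ == "__main__":
    for row in triage_fleet(CONSTRUCTED_INVENTORY):
        print(row["host"], row["verdict"], "-", row["reason"])
```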

If the system's EnableCertPaddingCheck registry key is turned off, the last 16 bytes of the file are replaced with random data. This makes the sample's hash value completely different on every infected host, which defeats hash-based detection.

The driver is released to the TEMP directory under a file name that is a random string of length 7, for example: “C:\Users\{User Name}\AppData\Local\Temp\iiitubl”

The driver file is registered as a startup service, and the program checks that the installation succeeded.

Stage 3: hijack system processes and download follow-up malware

After the driver runs, it copies itself to Windows/system32/driver/{7 random characters}.sys, disguises its device information as that of a common legitimate driver such as fltMgr.sys, and injects a DLL module into the system processes Lsass.exe and svchost.exe. Once the whole initialization process is complete, the driver and the DLL module work together through DeviceIoControl() communication, forming a driver-level downloader. All sensitive configuration information is stored inside the driver. The DLL calls the driver to obtain the configuration server information, then, according to the downloaded configuration, downloads other malicious code from Baidu Tieba and carries out the next stage of malicious activity.

After the driver runs, it injects the DLL module into the system process Lsass.exe using APC injection.

Execution flow of the DLL working with the driver

The DLL first attempts to create a mutex, s12F7BB4C-9886-4EC2-B831-FE762D4745DC, to prevent multiple instances from running on the system.

It then checks whether the host process is Lsass.exe or svchost.exe, to make sure it is not running in an analysis environment such as a sandbox.

It tries to create a handle to the device.

The DLL sends the device control code 0x222084 to the driver to obtain the configuration information for connecting to the server. Communication with the configuration server is doubly encrypted with HTTPS and DES, and the configuration information consists of three important parts:

The host information reporting service https://cs.wconf5.com:12709/report.ashx, which the DLL uses to report basic host information.

Bot ID, installation time and other basic information.

Whether 360 Antivirus is installed, and whether it is a virtual machine environment.

Whether it is a diskless workstation.

The reported host information is encrypted with DES, and the key is HQDCKEY1.

Access https://cs.wconf5.com:12710/123.html to download configuration information:

The configuration information is again encrypted with the modified DES, and the decryption key is HQDCKEY1. After decryption, the configuration information turns out to use a custom format: Baidu images are grouped in sets of two, and the valid data cut from them is stitched into a valid file:

The configuration entry https://share.weiyun.com/5dSpU6a, whose function is unknown:

All configuration information returned by the driver samples contains a Tencent Weiyun address; accessing it directly shows a meaningless string of a few letters and digits. We found that, within each set of data, there is a specific pattern linking the configuration server and the data stored in Weiyun. For example, accessing the Tencent Weiyun address above returns the string cs127, while the configuration server in the same set of data has the subdomain cs.xxxx.com and a port of 127xx. This looks like a strategy for generating configuration server addresses dynamically; presumably the feature is still under development, which is why the samples do not contain the corresponding code.

After completing the initialization process above, the driver moves on to its real functional operations based on the profile. Depending on the parsed profile, the DLL and the driver module can work together to carry out very complex functions, some of which are listed below.

Update the driver file

The program uses another set of algorithms to obtain the DES decryption key HelloKey, and finally uses the DES algorithm to decrypt the final data:

Hijack process IP addresses

Add a certificate to the system

Download a file to the TEMP directory and create a process

Tamper with the DNS configuration

PAC proxy hijacking

Infection method 2: DLL hijacking

Infection method 2 still uses a private server client as the carrier, but the technical details differ significantly.

Launcher download page:

The launcher after download:

In the private server clients of several similar games, the component photobase.dll is replaced with a malicious DLL file of the same name. The PE Resources of the malicious DLL file contain three key files:

The malicious photobase.dll performs two key actions:

First, it releases the malicious driver for the corresponding architecture, then registers a system service and starts it;

Then it loads the real photobase.dll file and forwards the export functions to the real photobase.dll.

The subsequent infection process is the same as in the first method. This is a standard DLL hijacking loading technique.

Stage 1: release and load the malicious driver

The malicious photobase.dll first generates a random file name for the malicious driver file it is about to release, consisting of 10 random characters with the file suffix .dat, and writes the corresponding driver file from its PE Resources to the %windir%\Temp\ directory.

It then registers a system service for the dropped malicious driver file and starts the service:

The subsequent activity of the malicious driver is the same as in the first infection method: downloading, decrypting, and eventually loading other malicious files.

Stage 2: load the real photobase.dll

The first 2 bytes of the real photobase.dll file stored in the PE Resources of the malicious photobase.dll are blanked out:

When the malicious photobase.dll extracts this file from the PE Resources, it fills the first 2 bytes with MZ (the start of the PE header):
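Both ways of hiding an embedded PE file described in this report, the reversed and XORed driver resource and the real photobase.dll stored without its first two bytes, can be recognized by validating the rest of the PE header. The following is an added example, not code from the report; the 88-byte header stub and the function names are constructed for illustration, and the check relies on the `PE\0\0` signature found at `e_lfanew`.

```python
import struct

MACHINES = {0x014C: "x86", 0x8664: "x64"}   # IMAGE_FILE_MACHINE_I386 / AMD64


def pe_machine(data: bytes):
    """Return the COFF machine name if a valid PE signature sits at e_lfanew.

    Deliberately ignores bytes 0-1 so a blanked 'MZ' does not hide the file.
    """
    if len(data) < 0x40:
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 6 > len(data):
        return None
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    return MACHINES.get(machine, hex(machine))


def decode_driver_resource(blob: bytes, xor_value: int = 32) -> bytes:
    """Reverse the byte order, then XOR every byte (32 is the value the
    report gives for the 32-bit driver; other values are the caller's guess)."""
    return bytes(b ^ xor_value for b in reversed(blob))


def restore_mz(blob: bytes) -> bytes:
    """Put the 'MZ' magic back, as the malicious DLL does before loading."""
    return b"MZ" + blob[2:]


def classify_blob(blob: bytes, xor_value: int = 32) -> str:
    """Label a resource or carved blob by how its PE content is stored."""
    if pe_machine(blob):
        return "pe" if blob[:2] == b"MZ" else "pe-missing-mz"
    decoded = decode_driver_resource(blob, xor_value)
    if decoded[:2] == b"MZ" and pe_machine(decoded):
        return "pe-reversed-xor"
    return "unknown"


def constructed_pe_stub(machine: int) -> bytes:
    """Constructed sample: DOS header + PE signature + COFF header only."""
    stub = bytearray(0x58)
    stub[0:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)          # e_lfanew
    stub[0x40:0x44] = b"PE\x00\x00"
    struct.pack_into("<H", stub, 0x44, machine)       # COFF Machine field
    return bytes(stub)


SAMPLE_PE = constructed_pe_stub(0x014C)
SAMPLE_BLANKED = b"\x00\x00" + SAMPLE_PE[2:]                 # first 2 bytes blanked
SAMPLE_ENCODED = bytes(b ^ 32 for b in reversed(SAMPLE_PE))  # resource-style encoding

if __name__ == "__main__":
    for name, blob in (("plain", SAMPLE_PE), ("blanked", SAMPLE_BLANKED),
                       ("encoded", SAMPLE_ENCODED), ("noise", bytes(range(200)))):
        print(name, classify_blob(blob))
```

Run over the resources extracted from a suspicious DLL, a `pe-missing-mz` or `pe-reversed-xor` result marks an embedded executable that a scanner keyed only on the `MZ` magic would miss.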

The malicious photobase.dll then loads the dynamic link library, resolves the imports for the newly loaded real photobase.dll, and finally forwards the export functions of the real photobase.dll through its own export functions. Some of the forwarded export functions are as follows:

Taking the export function Sqm::AddToStream() highlighted above as an example, the forwarding implementation in the malicious photobase.dll is as follows:

Statement from Baidu's security team

Based on massive threat intelligence, Baidu's security anti-black open platform works together to measure the size of the botnet. The platform also launches measures to try to alert users to botnet-controlled risks. In this joint operation, through black threat intelligence analysis, sharing, response and other initiatives, we have formed a further understanding of the Double Gun gang's modus operandi, logic and rules.

Appendix: custom conversion tables in the DES encryption/decryption algorithm

The following conversion tables differ from those in most public DES encryption/decryption implementations; the left-shift table and the S-box tables are the same as in common DES implementations.

# Permutation and translation tables for DES
__pc1 = [
    56, 48, 40, 32, 24, 16, 8,
    0, 57, 49, 41, 33, 25, 17,
    9, 1, 58, 50, 42, 34, 26,
    18, 10, 2, 59, 51, 43, 35,
    62, 54, 46, 38, 30, 22, 14,
    6, 61, 53, 45, 37, 29, 21,
    13, 5, 60, 52, 44, 36, 28,
    20, 12, 4, 27, 19, 11, 3
]

# permuted choice key (table 2)
__pc2 = [
    13, 16, 10, 23, 0, 4,
    2, 27, 14, 5, 20, 9,
    22, 18, 11, 3, 25, 7,
    15, 6, 26, 19, 12, 1,
    40, 51, 30, 36, 46, 54,
    29, 39, 50, 44, 32, 46,
    43, 48, 38, 55, 33, 52,
    45, 41, 49, 35, 28, 31
]

# initial permutation IP
__ip = [
    57, 49, 41, 33, 25, 17, 9, 1,
    59, 51, 43, 35, 27, 19, 11, 3,
    61, 53, 45, 37, 29, 21, 13, 5,
    63, 55, 47, 39, 31, 23, 15, 7,
    56, 48, 40, 32, 24, 16, 8, 0,
    58, 50, 42, 34, 26, 18, 10, 2,
    60, 52, 44, 36, 28, 20, 12, 4,
    62, 54, 46, 38, 30, 22, 14, 6
]

# Expansion table for turning 32 bit blocks into 48 bits
__expansion_table = [
    31, 0, 1, 2, 3, 4,
    3, 4, 5, 6, 7, 8,
    7, 8, 9, 10, 11, 12,
    11, 12, 13, 14, 15, 16,
    15, 16, 17, 18, 19, 20,
    19, 20, 21, 22, 23, 24,
    23, 24, 25, 26, 27, 28,
    27, 28, 29, 30, 31, 0
]

# 32-bit permutation function P used on the output of the S-boxes
__p = [
    15, 6, 19, 20, 28, 11,
    27, 16, 0, 14, 22, 25,
    4, 17, 30, 9, 1, 7,
    23, 13, 31, 26, 2, 8,
    18, 12, 29, 5, 21, 10,
    3, 24
]

# final permutation IP^-1
__fp = [
    39, 7, 47, 15, 55, 23, 63, 31,
    38, 6, 46, 14, 54, 22, 62, 30,
    37, 5, 45, 13, 53, 21, 61, 29,
    36, 4, 44, 12, 52, 20, 60, 28,
    35, 3, 43, 11, 51, 19, 59, 27,
    34, 2, 42, 10, 50, 18, 58, 26,
    33, 1, 41, 9, 49, 17, 57, 25,
    32, 0, 40, 8, 48, 16, 56, 24
]

Contact us

Interested readers can contact us on Twitter or via email at netlab 360.cn.
