Thursday, April 23, 2009

Powershell vs Conficker

Earlier in the week I found a few PCs that were infected with the Conficker malware. After looking at the infected PCs I noted that the infected file that was detected always had the following characteristics.

  1. Always a dll file in the Windows\system32 directory
  2. Always exactly the same size (155858 bytes)
  3. Always has ReadOnly, System, Archive and Hidden attributes set

Out of curiosity I wrote the following script to pull from AD a list of servers, ping them and then search through the System32 directory on servers that were up for dll files with those attributes set.

I found 3 servers that had dodgy AV signatures and infected dll files... Powershell wins!!

#Get the server list
$ServerList = @(Get-QADComputer -OSName "Windows Server*")
$Servers = $ServerList | ForEach-Object { $_.Name }
Write-Host "These Servers will be checked" -ForegroundColor Green
$Servers

#Ping the server, then look in its System32 share for dll files with the suspect attributes
function Find-Infection {
    param($Serv)
    $ping = Get-WmiObject -Query "SELECT * FROM Win32_PingStatus WHERE Address = '$Serv'"
    if ($ping.StatusCode -eq 0) {
        Write-Host "Checking $Serv Now" -ForegroundColor Yellow
        #Check for File (-Force is needed so hidden/system files are returned)
        Get-ChildItem -Path "\\$Serv\c$\windows\system32" -Filter *.dll -Force |
            Where-Object { $_.Attributes -eq "ReadOnly, Hidden, System, Archive" }
    }
    else { Write-Host "$Serv is not responding" -ForegroundColor Red }
}

foreach ($Serv in $Servers) {
    Find-Infection $Serv | Select-Object Length, Mode, FullName | Format-Table -AutoSize
}
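As an added example that is not part of the original post, here is a stricter version of the same check written for later PowerShell versions: it tests the attributes as flags rather than by exact string equality (so a file that also carries an extra flag is not missed), additionally requires the 155858-byte size noted above, and records a SHA256 hash of each hit for comparison with AV vendor data. Get-FileHash and Test-Connection -Quiet are assumed to be available (PowerShell 4 or later); the function name and parameters are my own.

```powershell
# Added example, not the original post's script. Assumes PowerShell 4+ (Get-FileHash)
# and admin rights on the remote C$ share.
function Get-SuspectSystem32Dll {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [long]$ExpectedSize = 155858   # file size observed in the post
    )
    # The four attributes described in the post, combined as flags. Using -band instead
    # of -eq keeps the test working if Windows adds another flag to a matching file.
    $wanted = [System.IO.FileAttributes]'ReadOnly, Hidden, System, Archive'

    foreach ($c in $ComputerName) {
        if (-not (Test-Connection -ComputerName $c -Count 1 -Quiet)) {
            Write-Warning "$c is not responding"
            continue
        }
        $share = "\\$c\c$\Windows\System32"
        # -Force returns hidden and system files; unreadable shares are skipped, not fatal
        Get-ChildItem -Path $share -Filter *.dll -Force -ErrorAction SilentlyContinue |
            Where-Object {
                (($_.Attributes -band $wanted) -eq $wanted) -and ($_.Length -eq $ExpectedSize)
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Computer   = $c
                    Path       = $_.FullName
                    Length     = $_.Length
                    Attributes = $_.Attributes
                    LastWrite  = $_.LastWriteTimeUtc
                    SHA256     = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                }
            }
    }
}

# Example run (server list pulled the same way as in the post), exported for triage:
# Get-SuspectSystem32Dll -ComputerName (Get-QADComputer -OSName 'Windows Server*').Name |
#     Export-Csv suspect-dlls.csv -NoTypeInformation
```

Because the output is objects rather than formatted text, the hits can be piped to Export-Csv or compared against a known-good hash list without re-parsing.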


Anonymous said...

You are awesome.

InfoSec4All said...

Love your blog. I'm hoping we'll get to see more of the Abusing Citrix series soon. I'm sure it's how I snagged a Twitter follower, a VP at Citrix. Keep the posts coming.

g3k said...

Awesome man, another tool to fight this thing!

Are you going to be at Defcon this year?

SynJunkie said...

@g3k. Maybe. I'll see how things at work go.



SynJunkie said...

@infosec4all. Already thinking about the next posts. I have to try and come up with something new though.


Tai Long said...

Thank you!
I like your blog.
Have fun.

SynJunkie said...

Thanks Tai.