Thursday, April 23, 2009

Powershell vs Conficker

Earlier in the week I found a few PCs that were infected with the Conficker malware. After looking at the infected PCs I noted that the infected file that was detected always had the following characteristics.

  1. Always a DLL file in the Windows\system32 directory
  2. Always exactly the same size (155858 bytes)
  3. Always has the ReadOnly, System, Archive and Hidden attributes set

Out of curiosity I wrote the following script to pull a list of servers from AD, ping them, and then search the System32 directory on each server that was up for DLL files with those attributes set.

I found 3 servers that had dodgy AV signatures and infected dll files... Powershell wins!!


#Get the server list (Get-QADComputer comes from the Quest AD cmdlets)
$ServerList = @(Get-QADComputer -OSName "Windows Server*")
$Servers = $ServerList | ForEach-Object { $_.Name }
Write-Host "These Servers will be checked" -ForegroundColor Green
$Servers

#Ping Server, then check for the file
function Find-Infection {
    param([string]$Serv)   # server name is passed in explicitly instead of being picked up from the caller's scope
    $ping = Get-WmiObject -Query "SELECT * FROM Win32_PingStatus WHERE Address = '$Serv'"
    if ($ping.StatusCode -eq 0) {
        Write-Host "Checking $Serv Now" -ForegroundColor Yellow

        #Check for File: -Force is required or hidden/system files are not listed at all
        Get-ChildItem -Path "\\$Serv\c$\windows\system32" -Filter *.dll -Force |
            Where-Object { $_.Attributes -eq "ReadOnly, Hidden, System, Archive" }
    }
    else {
        Write-Host "$Serv is not responding" -ForegroundColor Red
    }
}

foreach ($Serv in $Servers) {
    Find-Infection -Serv $Serv | Select-Object Length, Mode, FullName | Format-Table -AutoSize
}
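The same hunt, written out as an added example rather than the post's own script: it keeps the three characteristics from the list above (a .dll under System32, 155858 bytes, the ReadOnly/Hidden/System/Archive attribute set) but tests the attributes with a bitwise mask so a file carrying an extra flag such as NotContentIndexed is not missed by an exact string match, reports the size match as its own field rather than filtering on it, and records a SHA1 so a hit can be checked against what the AV vendor's signature covers. The server names are constructed placeholders; Test-Connection, Get-FileHash (PowerShell 4.0 or later) and a reachable c$ admin share are assumptions.

```powershell
# Added example, not the original post's script. Size and attribute set come
# from the post; server names below are constructed placeholders.
$ExpectedSize  = 155858
$ExpectedAttrs = [System.IO.FileAttributes]'ReadOnly, Hidden, System, Archive'

function Find-SuspectDll {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [string]$Share = 'c$\windows\system32'   # assumed: admin share is enabled and reachable
    )

    # Check reachability first so a dead host gives a clear warning instead of a slow UNC timeout
    if (-not (Test-Connection -ComputerName $ComputerName -Count 1 -Quiet)) {
        Write-Warning "$ComputerName is not responding"
        return
    }

    $path = "\\$ComputerName\$Share"
    try {
        # -Force is required so hidden/system files are listed; -ErrorAction Stop makes access errors catchable
        Get-ChildItem -Path $path -Filter *.dll -Force -ErrorAction Stop |
            Where-Object {
                # -band: match when all expected flags are set, even if additional flags are present
                ($_.Attributes -band $ExpectedAttrs) -eq $ExpectedAttrs
            } |
            ForEach-Object {
                [PSCustomObject]@{
                    Computer  = $ComputerName
                    FullName  = $_.FullName
                    Length    = $_.Length
                    SizeMatch = ($_.Length -eq $ExpectedSize)   # 155858 bytes, as observed in the post
                    LastWrite = $_.LastWriteTime
                    SHA1      = (Get-FileHash -Path $_.FullName -Algorithm SHA1).Hash
                }
            }
    }
    catch {
        # Typical causes: access denied, share disabled, firewall blocking SMB
        Write-Warning "Could not read $path : $($_.Exception.Message)"
    }
}

# Constructed server names; the post builds this list from AD with Get-QADComputer instead
$Servers = 'SERVER01', 'SERVER02'

$Servers |
    ForEach-Object { Find-SuspectDll -ComputerName $_ } |
    Tee-Object -Variable Hits |
    Format-Table -AutoSize

# Keep a record of the run for the incident notes
$Hits | Export-Csv -Path .\suspect-dlls.csv -NoTypeInformation
```

Reporting SizeMatch as a field instead of filtering on it is deliberate: a hidden, system, read-only DLL in System32 is worth a look even when its size differs from the sample seen here, and the CSV keeps the evidence for whichever servers turn out to have stale signatures.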

Sunday, April 19, 2009

Yet Another Security Podcast

I joined Twitter last night. I'd held off for quite a while but figured what the hell, everyone else is lovin it so it couldn't be too bad. Well within a few hours of joining I found a few people out there that I figured would have similar interests so I 'followed' them.

Now anyone who knows me is aware that I have a horrible commute and I'm always looking for new podcasts to make the trip to and from work as educational as possible. Well thanks to following Mubix I learnt of the Exotic Liability Podcast. They have about 6 shows out so far and interview some of the big names in the security/hacking arena such as Val Smith and Chris Gates.

Exotic Liability is a show that's along the same lines as Security Justice and Securabit, so if you like those shows then this is one for you. For the moment though, although Exotic Liability is showing promise, I think I'll be keeping Risky Business, Paul dot com and Radio Free Security as the top 3 on my playlist.

Friday, April 10, 2009

Where's Syn?

This is just a quick note to say (for anyone that's interested) that I'm taking a short break throughout April to work on some fresh new ideas for future posts. I'm also working on a new story and I hope to have it up soon.

In the meantime you should check out the Command Line Kung Fu blog, it really is very good.


Syn

Abusing Citrix

This is really just a placeholder for my past and hopefully upcoming posts on fun ways to play with Citrix or Remote Desktop restrictions.

Part 1

Part 2

Part 3

Part 4