Saturday, April 27, 2013

Checking ZeroAccess with Python and Scapy

http://malforsec.blogspot.no/2013/03/checking-zeroaccess-with-python-and.html

I see that there are still a lot of ZeroAccess infections from EKs (exploit kits) around.
One would think these bad guys would be somewhat satisfied with well over a million bots.
But not these guys; no, they have to be the biggest, and I guess they need to sustain their illegal income!

Check here (link in the original post) for more info on ZeroAccess and its network behaviour.

Well, enough ranting about the biggest botnet on the face of the earth.
Let's make our little Python script.
With the help of the excellent tool Scapy we will write a script that checks whether a remote host is infected with ZeroAccess: it sends the 16-byte UDP probe the bots answer on port 16464 and looks for the ZeroAccess marker bytes in the reply.

Note the requirements: root access (Scapy sends and sniffs through raw sockets and puts the interface in promiscuous mode), Scapy installed, and Python 2.7.3 of course.

Run it with the remote IP as argument and, if the host is infected, it will shout the country where penguins come from back at you: BURMA.


ZeroAccess check python script



# @malforsec python script to check ZeroAccess infected hosts
# requires scapy
# requires root privs (raw sockets)
# usage: python zeroaccess_check.py <dest_ip>
# Why BURMA -> because penguins come from Burma
import sys
from scapy.all import *


def main():
  if len(sys.argv) != 2:
    print "usage: python zeroaccess_check.py <dest_ip>"
    sys.exit(1)
  dest_ip = sys.argv[1]
  ## alter port if you want a different source port
  src_port = 16464
  dst_port = 16464
  ## 16 byte probe payload that a ZeroAccess bot answers
  payload = '\xb8\x14\x35\xfe\x28\x94\x8d\xab\xc9\xc0\xd1\x99\x85\x95\x6f\x3f'

  ## send one packet and wait up to 10 seconds for the first answer
  pkt = sr1(IP(dst=dest_ip)/UDP(dport=dst_port, sport=src_port)/payload, timeout=10)
  ## only look at answers that are not icmp (eg port unreachable) and carry data
  if pkt and pkt.proto != 1 and pkt.haslayer(Raw):
    ## bytes 4..7 of the reply payload are the ZeroAccess marker
    if pkt[Raw].load.encode("hex")[8:16] == "28948dbe":
      print "\nBURMA!! : The host is ZeroAccessed\n"
    else:
      print "Got a UDP answer from %s, but not the ZeroAccess marker" % dest_ip
  else:
    print "Could not get ZeroAccess answer from host: ", dest_ip

if __name__ == "__main__":
  main()


Download here: code.google.com

Please note that firewalls, routers and similar devices can block the traffic between you and the remote host, so a timeout does not prove the host is clean. Use it with intelligence :)

It should be OK to test internal networks, even though it is slow (one host at a time, up to 10 seconds each). Set the timeout wisely.
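The same check, as an added example that is not the original post's script, done with a plain UDP socket instead of Scapy. Because no raw socket is involved it needs no root. The 16-byte probe and the four marker bytes at offset 4 of the reply (the post's `encode("hex")[8:16] == "28948dbe"`) are taken from the script above; the function names, the connected-socket trick that turns an ICMP port-unreachable into ECONNREFUSED (Linux behaviour), the constructed sample replies and the Python 3 syntax are this example's own assumptions:

```python
# Added example, not the @malforsec script: ZeroAccess probe over a plain UDP
# socket (no scapy, no root). Probe bytes and reply marker are from the post.
import socket
import sys

PROBE = b'\xb8\x14\x35\xfe\x28\x94\x8d\xab\xc9\xc0\xd1\x99\x85\x95\x6f\x3f'
ZA_PORT = 16464
# The post checks hex chars [8:16] of the reply, i.e. payload bytes 4..7.
SIG_OFFSET = 4
SIG = b'\x28\x94\x8d\xbe'

# Constructed sample replies (not captured traffic) for offline checking.
SAMPLE_INFECTED = b'\x00\x00\x00\x00' + SIG + b'\x11' * 8
SAMPLE_OTHER = b'\x00' * 16


def classify_reply(data):
    """Classify a UDP payload received in answer to PROBE.

    Returns 'none' (no reply), 'short' (too small to hold the marker),
    'infected' (marker at offset 4) or 'other' (some other UDP service).
    Pure function, so it can be exercised without a network.
    """
    if data is None:
        return 'none'
    if len(data) < SIG_OFFSET + len(SIG):
        return 'short'
    if data[SIG_OFFSET:SIG_OFFSET + len(SIG)] == SIG:
        return 'infected'
    return 'other'


def probe_host(dest_ip, timeout=10.0, src_port=ZA_PORT, dst_port=ZA_PORT):
    """Send PROBE to dest_ip and return (verdict, raw_reply).

    'closed' means the kernel reported an ICMP port-unreachable for our
    connected socket (host is up, nothing listens on 16464); 'none' means
    we timed out, which is also what a filtering firewall looks like.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.bind(('', src_port))          # mirror the post: source port 16464
        s.connect((dest_ip, dst_port))  # connected, so ICMP errors surface
        s.send(PROBE)
        data = s.recv(4096)
    except ConnectionRefusedError:      # ICMP port unreachable (Linux)
        return 'closed', None
    except socket.timeout:
        return 'none', None
    finally:
        s.close()
    return classify_reply(data), data


if __name__ == '__main__':
    if len(sys.argv) != 2:
        sys.exit('usage: python3 za_probe.py <dest_ip>')
    verdict, _ = probe_host(sys.argv[1])
    if verdict == 'infected':
        print('BURMA!! : %s is ZeroAccessed' % sys.argv[1])
    else:
        print('No ZeroAccess answer from %s (%s)' % (sys.argv[1], verdict))
```

The 'closed' verdict is the useful extra over the Scapy version: an ICMP port-unreachable tells you the host is reachable and simply has no bot listening, whereas a timeout leaves open the firewall-in-the-middle case the post warns about, so only 'closed' should be read as a clean result.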


Test run



/tmp/zeroaccess$ sudo python zeroaccess_check.py xxx.yy.70.244
[sudo] password for malforsec: 
WARNING: No route found for IPv6 destination :: (no default route?)
Begin emission:
......Finished to send 1 packets.
.............*
Received 20 packets, got 1 answers, remaining 0 packets
  
BURMA!! : The host is ZeroAccessed


Yup, that worked.

If you find an infected host, don't panic. It's not like something exploded, just another regular day.
Watch this first (YouTube video in the original post):


Then disconnect the host and do a complete reinstall. I would not recommend trying to clean up the mess.

Happy ZeroAccess hunting
