I see that there is still a lot of ZeroAccess infections from EK's around.
One should think that these bad guys should be somewhat satisfied with well over a million bots.
But not these guys, no they have to be the biggest and I guess they need to sustain their illegal income!
Check here for more info on ZeroAccess and network behaviour
Well enough ranting about the biggest botnet on the face of the earth.
Lets make our litte Python script,
with the help of the excellent tool Scapy we will make a script that can check if a remote host is infected with ZeroAccess.
Note the requirements: root access(we need promisc on the interface), scapy installed and python 2.7.3 of course.
run it with the remote ip as argument and it will shout the country where penguins come from back at you, BURMA, if the host is infected.
ZeroAccesed python script
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 | # @malforsec python script to check ZeroAccess infected hosts # requires scapy # requires root privs # usage: python zeroaccess_check.py <dest_ip> # Why BURMA -> because penguins comes from Burma from scapy. all import * def main(): dest_ip = sys.argv[ 1 ] ## alter port if you want a differnet source port src_port = 16464 dst_port = 16464 payload = '\xb8\x14\x35\xfe\x28\x94\x8d\xab\xc9\xc0\xd1\x99\x85\x95\x6f\x3f' pkt = sr1(IP(dst = dest_ip) / UDP(dport = dst_port, sport = src_port) / payload, timeout = 10 ) ## if we get an anwer and it is not icmp(eg port unreachable) if pkt and pkt.proto ! = 1 : if pkt.load.encode( "hex" )[ 8 : 16 ] = = "28948dbe" : print "\nBURMA!! : The host is ZerorAaccessed\n" else : print "Could not get ZeroAcess answer from host: " , dest_ip if __name__ = = "__main__" : main() |
Donload here: code.google.com
Please note that firewalls, routers and alike devices can block the traffic between you and the remote host. So use with intelligence :)
Should be OK to test internal networks. Even thoug it is slow. Set timeout wisely.
Test run
1 2 3 4 5 6 7 8 9 | /tmp/zeroaccess$ sudo python zeroaccess_check.py xxx.yy.70.244 [sudo] password for malforsec: WARNING: No route found for IPv6 destination :: (no default route?) Begin emission: ......Finished to send 1 packets. .............* Received 20 packets, got 1 answers, remaining 0 packets BURMA!! : The host is ZerorAaccessed |
Yupp that worked
If you find an infected host. Don't panic. It's not like something exploded, just another regular day.
Whatch this first youtube
Then disconnect the host and do a complete reinstall. I would not recommend trying to clean the mess up.
Happy ZeroAccess hunting
沒有留言:
張貼留言