Thursday, April 26, 2012

BigFix Searching Enterprise for Malware

PURPOSE
Use BigFix to search the enterprise for malware.

  1. Run the BigFix Queries
  2. Run the Python Script to Deduplicate and Count BigFix results
  3. Investigate hits and add filters to Python Script
  4. Rinse and Repeat
  5. Run another Python Script to show computer names and infections

1. Run the BigFix Queries


HKEY_LOCAL_MACHINE Run Key 
if exists (keys "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" of registry) then ((name of it & ", " & it as string) of values whose (name of it != "") of (keys "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" of registry)) else "HKLM Run Key does not exist."

Output Example:
VMware Tools, "C:\Program Files\VMware\VMware Tools\VMwareTray.exe"
 
HKEY_CURRENT_USER Run Key
if exists ((logged on user whose (active of it))) then (if (exists keys
"Software\Microsoft\Windows\CurrentVersion\Run" of current user keys (logged on user whose (active of it)) of registry) then ((name of it & ", " & it as string) of values whose (name of it != "") of (keys "Software\Microsoft\Windows\CurrentVersion\Run" of current user keys (logged on user whose (active of it)) of registry)) else ("HKCU Run key does not exist.")) else ("No user is logged on to this box.")

Output Example:
ctfmon.exe, "C:\WINDOWS\system32\ctfmon.exe"
 
HKEY_LOCAL_MACHINE Active Setup
if exists (keys "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" of registry) then (((name of it, it) of values whose (name of it contains "StubPath") of (it;keys of it) of key "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" of registry) as string) else ("HKLM Installed Components Key does not exist")

Output:
StubPath, C:\WINDOWS\system32\malware.exe
 
HKEY_CURRENT_USER Active Setup
if exists ((logged on user whose (active of it))) then (if exists (keys "SOFTWARE\Microsoft\Active Setup\Installed Components" of current user keys (logged on user whose (active of it)) of registry) then (((names of it, (name of it, it) of values of it) of (it; keys of it) of keys "SOFTWARE\Microsoft\Active Setup\Installed Components" of current user keys (logged on user whose (active of it)) of registry) as string) else ("HKCU Installed Components key does not exist.")) else ("No user is logged on to this box.")

HKEY_LOCAL_MACHINE Winlogon userinit.exe
if exists (key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" of registry) then (((name of it, it) of values whose (name of it as lowercase contains "userinit") of key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" of registry) as string) else "Winlogon Key does not exist."

Output:
Userinit, ( C:\WINDOWS\system32\userinit.exe, C:\Temp\malware.exe )


2. Run the Python Script to Deduplicate and Count BigFix results


import re
from collections import Counter

f = open('name_of_data_file.txt', 'r')
data = f.read()
f.close()

def RemoveUnwantedData(fdata):
    fdata = fdata.replace("qttask.exe", "") #Apple's QuickTime tray icon
    fdata = fdata.replace("groovemonitor.exe", "") #Microsoft Groove
    fdata = fdata.replace("C:\\Program Files\\Adobe\\Acrobat 7.0\\Acrobat\\Acrotray.exe", "") #Adobe
    fdata = fdata.replace("C:\\Program Files\\Adobe\\Acrobat 8.0\\Acrobat\\Acrotray.exe", "") #Adobe
    fdata = fdata.replace("C:\\Program Files\\Adobe\\Acrobat 9.0\\Acrobat\\Acrotray.exe", "") #Adobe
    fdata = fdata.replace("", "") #Enter the next file you want to remove from your data here
    fdata = fdata.replace("", "") #This list can get super long but Python will get through it quick
    return fdata

def DeDuplicateAndCountHits(dupedList):
    return list(Counter(dupedList).items()) #Deduplicate the list and count how often each unique entry appeared

data = RemoveUnwantedData(data)
match = re.findall(r'C:\\.+?\.exe', data) #Find files starting with C:\ and ending with .exe
count = DeDuplicateAndCountHits(match)

f2 = open('Data_Results.csv', 'w')

for item in count:
    f2.write("%s, %d\n" % item) #One "<path>, <hit count>" row per unique file

f2.close()

#Output:
#<Location of Infection>, <Hit Count>
#C:\WINDOWS\system32\malware.exe, 5
#This means you have 5 computers with this infection
#To find the computer names run PCNameFilter.And.LocationOfInfection.py
 

3. Investigate hits and add filters to Python Script

Anything with a low hit count that lives in one of these folders should be investigated (for example by uploading the file to VirusTotal):
    C:\Documents and Settings\<username>\Application Data\malware.exe
    C:\Documents and Settings\<username>\Local Settings\Application Data\malware.exe
    C:\WINDOWS\malware.exe
    C:\WINDOWS\system32\malware.exe

False-positive rate:
The really high hit counts are usually legitimate software rather than malware.


4. Rinse and Repeat

The high hit counts will be files you recognize as legitimate.
Filter these out by adding them to the Python script:

def RemoveUnwantedData(fdata):
    fdata = fdata.replace("<File to be filtered>", "") #Removes the data from your results.
    return fdata



5. Run another Python Script to show computer names and infections

import re

f = open('name_of_data_file.txt', 'r')
data = f.readlines()
f.close()

def RemoveUnwantedData(fdata):
    fdata = fdata.replace("qttask.exe", "") #Apple's QuickTime tray icon
    fdata = fdata.replace("groovemonitor.exe", "") #Microsoft Groove
    fdata = fdata.replace("C:\\Program Files\\Adobe\\Acrobat 7.0\\Acrobat\\Acrotray.exe", "") #Adobe
    fdata = fdata.replace("C:\\Program Files\\Adobe\\Acrobat 8.0\\Acrobat\\Acrotray.exe", "") #Adobe
    fdata = fdata.replace("C:\\Program Files\\Adobe\\Acrobat 9.0\\Acrobat\\Acrotray.exe", "") #Adobe
    fdata = fdata.replace("", "") #Enter the next file you want to remove from your data here
    fdata = fdata.replace("", "") #This list can get super long but Python will get through it quick
    return fdata

f2 = open('PCName.Location.Results.csv', 'w') #Open a file to dump your results

for line in data:
    PCName = line.split("|") #The PCName with delimiter of "|".  Your data may be different so adjust as necessary
    PCName = PCName[0] #Since you split your data the data at PCName[0] will be your computer name
    line2 = RemoveUnwantedData(line)
    matchEXE = re.findall(r'C:\\.+?\.exe', line2) #Find all files with extension .exe
    for line3 in matchEXE:
        f2.write("%s, %s\n" % (PCName, line3)) #One "<computer name>, <path>" row per hit

f2.close()

#Output:
#<ComputerName>, <Location of infection>
#PCName, C:\WINDOWS\system32\malware.exe
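Steps 2 through 5 are one pipeline: export the BigFix results, strip known-good entries, count unique paths, then map a suspicious path back to computer names. The script below is an added example written for this post, not the author's own script. It assumes an export with one "<computer name>|<relevance result>" per line (the same "|" delimiter step 5 uses) and works on constructed sample lines. Instead of blanking file names out of the raw text with replace(), it extracts every .exe path first and then drops the paths that exactly match an allowlist; blanking_pitfall() shows why that ordering matters when several entries share one line.

```python
"""Added example (not the post's own script): parse a BigFix result export,
pull out .exe paths, drop allowlisted ones, count unique hits (step 2) and map
a suspicious path back to computer names (step 5). All sample data is
constructed; the "<computer>|<result>" layout is an assumption."""
import csv
import re
from collections import Counter, defaultdict

# Constructed sample export, one "<computer name>|<relevance result>" per line.
SAMPLE_EXPORT = r"""PC001|VMware Tools, "C:\Program Files\VMware\VMware Tools\VMwareTray.exe"
PC001|Userinit, ( C:\WINDOWS\system32\userinit.exe, C:\Temp\malware.exe )
PC002|QuickTime Task, "C:\Program Files\QuickTime\qttask.exe" -atboottime
PC002|StubPath, C:\WINDOWS\system32\malware.exe
PC003|Userinit, ( C:\WINDOWS\system32\userinit.exe )
PC003|StubPath, C:\WINDOWS\system32\malware.exe
PC004|ctfmon.exe, "C:\WINDOWS\system32\ctfmon.exe"
PC004|StubPath, C:\Documents and Settings\bob\Application Data\malware.exe
"""

# Known-good paths, compared exactly (case-insensitive) with each extracted path.
# Filtering extracted paths, instead of blanking substrings in the raw text, avoids
# merging two neighbouring entries into one bogus match (see blanking_pitfall()).
ALLOWLIST = {
    r"c:\program files\vmware\vmware tools\vmwaretray.exe",
    r"c:\program files\quicktime\qttask.exe",
    r"c:\windows\system32\userinit.exe",
    r"c:\windows\system32\ctfmon.exe",
}

# A drive-letter path ending in .exe; a quote, comma or newline ends the path.
EXE_RE = re.compile(r'[A-Za-z]:\\[^"\n,]*?\.exe', re.IGNORECASE)


def parse_export(text):
    """Yield (computer, result) pairs; lines without the '|' delimiter are skipped."""
    for line in text.splitlines():
        if "|" in line:
            computer, _, result = line.partition("|")
            yield computer.strip(), result


def extract_exe_paths(result):
    """Every .exe path in one relevance result, in order of appearance."""
    return [m.group(0) for m in EXE_RE.finditer(result)]


def suspicious_paths(text, allowlist=ALLOWLIST):
    """{computer: [paths not on the allowlist]} for every computer with a hit."""
    hits = defaultdict(list)
    for computer, result in parse_export(text):
        for path in extract_exe_paths(result):
            if path.lower() not in allowlist:
                hits[computer].append(path)
    return dict(hits)


def count_hits(text, allowlist=ALLOWLIST):
    """Step 2: (lower-cased path, number of computers reporting it), highest first.
    Each computer counts once per path, so the same entry in two keys on one
    machine does not inflate the count."""
    counter = Counter()
    for paths in suspicious_paths(text, allowlist).values():
        counter.update({p.lower() for p in paths})
    return counter.most_common()


def computers_for(text, fragment, allowlist=ALLOWLIST):
    """Step 5: sorted computer names whose suspicious paths contain `fragment`."""
    fragment = fragment.lower()
    return sorted(computer for computer, paths in suspicious_paths(text, allowlist).items()
                  if any(fragment in p.lower() for p in paths))


def blanking_pitfall():
    """Why replace()-then-regex can hide a hit: once the allowlisted file name is
    blanked, a lazy 'C:\\\\.+?\\.exe' runs on to the *next* .exe on the line and
    returns one stitched path instead of two separate ones."""
    line = r'"C:\Program Files\QuickTime\qttask.exe" -atboottime, StubPath, C:\WINDOWS\system32\malware.exe'
    blanked = line.replace("qttask.exe", "")
    return re.findall(r'C:\\.+?\.exe', blanked)


if __name__ == "__main__":
    with open("Data_Results.csv", "w", newline="") as out:  # step 2 output
        csv.writer(out).writerows(count_hits(SAMPLE_EXPORT))
    with open("PCName.Location.Results.csv", "w", newline="") as out:  # step 5 output
        writer = csv.writer(out)
        for computer, paths in sorted(suspicious_paths(SAMPLE_EXPORT).items()):
            for path in paths:
                writer.writerow([computer, path])
```

Run it directly to write Data_Results.csv and PCName.Location.Results.csv for the sample data; for a real export, read the file into a string and pass it to count_hits() and computers_for(). Adding a legitimate file in step 4 means appending its full lower-cased path to ALLOWLIST rather than a bare file name, which is what keeps a later entry on the same line from being swallowed.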

 
BONUS: Delete Malware Registry key using BigFix

Relevance:
if exists (keys "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{GUID}" of registry) then (((name of it, it) of values whose (name of it as lowercase contains "stubpath") of (it;keys of it) of key "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{GUID}" of registry) as string) else ("Key does not exist.")

Action:
// These two delete lines are included in case regdel.reg already exists.
// It's to avoid rare errors, but mostly not necessary.
delete __appendfile
delete regdel.reg

// Append the next two lines to a file called "__appendfile" with this information.
// There is an extra "{" in "{{" because "{" is an escape character in ActionScript.
appendfile Windows Registry Editor Version 5.00
appendfile [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{{GUID}]

// rename the "__appendfile" to "regdel.reg"
move __appendfile regdel.reg

// run "regedit /s" that is the command to import into the registry and feed it the file regdel.reg.
wait regedit /s regdel.reg


NOTES

it = A reference to the closest direct object or ‘whose’ clause.

BES 7.0 added proper handling of logged-in users. A new inspector, "logged on user", was introduced with several properties, for instance:
q: (name of it, active of it, remote of it) of logged on users
a: ben, True, True

The BES Client runs as the LOCAL SYSTEM account and so its HKEY_CURRENT_USER branch does not match the logged in user’s branch. However, it is still possible to get the logged in user’s HKEY_CURRENT_USER branch of HKEY_USERS by searching through the Logon keys for the name of the current user:

q: name of key whose ((it = name of current user as lowercase OR it starts with name of current user as lowercase & "@") of (it as string as lowercase) of value "Logon User Name" of key "Software\Microsoft\Windows\CurrentVersion\Explorer" of it) of key "HKEY_USERS" of registry

a: S-1-5-21-1214450339-2025729265-839522115-1013

DOCS
http://support.bigfix.com/fixlet/documents/Windows%20Inspectors%2080_101123.pdf 
http://forum.bigfix.com/viewtopic.php?id=7428 
http://support.bigfix.com/fixlet/documents/BES_Relevance_Language_Reference_60_2006-11-03.pdf
http://support.bigfix.com/fixlet/documents/WinActions-2007-09-08.pdf
 
