Last modified on 15 April 2009 at 06:35

Conficker-Virus-Blocking

From MikroTik Wiki


If you have any questions regarding this please post in the related forum thread: http://forum.mikrotik.com/viewtopic.php?f=9&t=30614

For any questions not relating to this script I am contactable via email: andrew ( at ) accessplus ( dot ) com ( dot ) au


Summary

This script was created as a method to help identify computers on a private (LAN) network that are infected with the Conficker virus.

Obviously there are many ways to prevent infection in a fully managed and maintained network, but the script here was created to help identify infected, non-managed computers in a transient-user environment.

I've done all the scripts in a format that can be pasted directly into the script window in Winbox, as I find the terminal formatting can cause problems when copying and pasting from the wiki. The scheduler entry can simply be cut and pasted into a terminal window.

Note that due to the 4096-character limit on a string variable, this system is only able to block Conficker variants A and B at this time.

Variant C generates a list of 50,000 domains each day, of which it only uses 500. However, even if we were able to identify those 500, at a conservative 14 characters per domain name this would well exceed the 4096-character limit I have to work with at this time.

I am, however, working on a second version which will give us a method to block variant C as well. I will have this out before April 1st (the day Conficker C is supposed to 'activate'); see http://bits.blogs.nytimes.com/2009/03/19/the-conficker-worm-april-fools-joke-or-unthinkable-disaster/ for more details.

Analysis of Conficker.C is available here - http://mtc.sri.com/Conficker/addendumC/index.html

Update (12/03/09): I've merged the changes I'd made and listed in the forum thread, which do the following: a) each address-list entry is given, as its comment, the domain name it was resolved from; b) subsequent lookups that resolve to an address already in the list are dropped as duplicates.

Notes on using my domain lists

I have broken up the domain lists (originally sourced from http://blogs.technet.com/msrc/archive/2009/02/12/conficker-domain-information.aspx) into daily lists, as the MikroTik cannot import files above 4096 characters.

If you want to download a copy of the complete list, I've hosted it at http://www.epicwinrar.com/conficker/domains.txt, or you can use the original Microsoft link above.

Otherwise you're welcome to download or mirror copies of my daily lists, all available under http://www.epicwinrar.com/conficker/

Lists the script uses

The lists the script below uses are ones I've cut from the original domains list and broken up into day-by-day sections; you're welcome to leave the script intact and download these lists with my consent. Please let me know if this has helped you out; it's good to know when my work is used elsewhere :-)

I'm still exporting the lists I've created one at a time, but they will eventually run up until 06/30/2009.

The Daily IP List

This script does the following:

- Checks today's date

- Downloads the matching domain-list file ($month-$day-$year.txt)

- Confirms the downloaded file contains data (size > 0)

- Removes any current address-list entries for 'daily-conficker'

- Resolves today's domains and adds the resulting addresses to address-list 'daily-conficker'

- Deletes the downloaded text file

Note that you could easily change the script to point to a copy of the lists hosted on a more local server.

script name: daily-conficker-list

# the date is returned as mmm/dd/yyyy, e.g. apr/15/2009
:local date [/system clock get date]
:local month [:pick $date 0 3]
:local day [:pick $date 4 6]
:local year [:pick $date 7 11]

# set month to its numerical value
:if ($month = "jan") do={ :set month "01" }
:if ($month = "feb") do={ :set month "02" }
:if ($month = "mar") do={ :set month "03" }
:if ($month = "apr") do={ :set month "04" }
:if ($month = "may") do={ :set month "05" }
:if ($month = "jun") do={ :set month "06" }
:if ($month = "jul") do={ :set month "07" }
:if ($month = "aug") do={ :set month "08" }
:if ($month = "sep") do={ :set month "09" }
:if ($month = "oct") do={ :set month "10" }
:if ($month = "nov") do={ :set month "11" }
:if ($month = "dec") do={ :set month "12" }

:local fileName "$month-$day-$year.txt"

# download the current day's domain list
/tool fetch address=www.epicwinrar.com host=www.epicwinrar.com mode=http src-path="conficker/$fileName"
:log info "Download Complete"
:delay 2

# check that today's file exists and is not empty before deleting yesterday's list
# (if the download failed, /file get errors out here and yesterday's list is kept)
:log info "Beginning Address List Modification"
:if ([/file get [/file find name=$fileName] size] > 0) do={

  /ip firewall address-list remove [/ip firewall address-list find list=daily-conficker]

  :local content [/file get [/file find name=$fileName] contents]
  :local contentLen [:len $content]

  :local lineEnd 0
  :local line ""
  :local lastEnd 0

  :do {
    :set lineEnd [:find $content "\n" $lastEnd]
    # the last line may have no trailing newline: treat end of file as end of line
    :if ([:typeof $lineEnd] = "nil") do={ :set lineEnd $contentLen }
    :set line [:pick $content $lastEnd $lineEnd]
    :set lastEnd ($lineEnd + 1)

    # strip a trailing CR in case the list was saved with Windows line endings
    :if ([:len $line] > 0) do={
      :if ([:pick $line ([:len $line] - 1) [:len $line]] = "\r") do={
        :set line [:pick $line 0 ([:len $line] - 1)]
      }
    }

    # resolve each non-empty line and add it to address list daily-conficker,
    # recording the domain name as the entry's comment
    :if ([:len $line] > 0) do={
      :local listip ""
      :local resolved false
      # :resolve raises an error when the lookup fails; catch it so one dead
      # domain does not abort the whole run
      :do {
        :set listip [:resolve $line]
        :set resolved true
      } on-error={ :log info "could not resolve $line" }
      :if ($resolved) do={
        :if ([:len [/ip firewall address-list find list=daily-conficker address=$listip]] = 0) do={
          /ip firewall address-list add list=daily-conficker address=$listip comment=$line
          :log info "$line -> $listip"
        } else={ :log info "duplicate IP $listip for $line" }
      }
    }
  } while ($lineEnd < $contentLen)
}
:log info "Address List Modification Complete"
# cleaning up
/file remove [/file find name=$fileName]

Scheduler Entry (can be pasted into terminal)

/system scheduler
add comment="" disabled=no interval=1d name=Conficker-daily on-event="/system script run daily-conficker-list" start-date=jan/01/1970 start-time=00:00:01

The Results

This gives you a list of the IPs that Conficker will try to contact each day. What you actually use this for is up to you, but in my case I've then created a simple rule that matches HTTP connections to those servers and records the source IP address for me (in the 'conficker-infected' address list, with a one-day timeout).

/ip firewall filter
add action=add-src-to-address-list address-list=conficker-infected address-list-timeout=1d chain=forward comment="label conficker-infected" disabled=no dst-address-list=\
   daily-conficker dst-port=80 protocol=tcp

You could probably go one step further and have the list of these hosts e-mailed to you and cleared each day, but I don't have the time to go into that much detail here. If you do want that, feel free to leave a note on the discussion page and I'll get around to it as soon as I can.
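One way to do the daily report described above, added here as an example and not part of the original page or the author's scripts: it walks the 'conficker-infected' address list that the filter rule fills, logs each source address, e-mails a summary and then clears the list. It assumes /tool e-mail is already configured on the router and that the recipient address is replaced with your own.

```routeros
# Added example (not from the original wiki page): report and clear the
# 'conficker-infected' address list built by the filter rule above.
# Assumes /tool e-mail (server, from address) is already configured and that
# the recipient below is replaced with your own address.
:local listName "conficker-infected"
:local ident [/system identity get name]
:local report ""
:local count 0

# collect every source address the filter rule has recorded
:foreach entry in=[/ip firewall address-list find list=$listName] do={
    :local src [/ip firewall address-list get $entry address]
    :set report ($report . $src . "\n")
    :set count ($count + 1)
    :log warning "suspected conficker-infected host: $src"
}

:if ($count > 0) do={
    /tool e-mail send to="admin@example.com" \
        subject="$ident: $count suspected Conficker-infected host(s)" \
        body="These LAN addresses opened TCP/80 connections to today's Conficker rendezvous addresses:\n$report"
    # clear the list so tomorrow's report only shows hosts still reaching out
    /ip firewall address-list remove [/ip firewall address-list find list=$listName]
} else={
    :log info "no conficker-infected hosts recorded today"
}
```

Schedule it once a day, a few minutes before the Conficker-daily entry runs, so the report covers a full day of the previous list.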