Conficker-Virus-Blocking

From MikroTik Wiki
Revision as of 04:25, 26 March 2009 by Omega-00 (talk | contribs) (initial creation)

Summary

This script was created as a way to help identify computers on a private (LAN) network that are infected with the Conficker virus. There are obviously many ways to prevent infection in a fully managed and maintained network, but the script here was written to help identify infected, unmanaged computers in a transient-user environment.

I've written all the scripts in a format that can be pasted directly into the script window in Winbox, as I find the terminal formatting can cause problems when copying and pasting from the wiki. The scheduler entry can just be cut and pasted into a terminal window.

Notes on using my domain lists

I have broken up the domain lists (originally sourced from http://blogs.technet.com/msrc/archive/2009/02/12/conficker-domain-information.aspx) into daily lists, as the MikroTik cannot import files above 4096 characters.

If you want to download a copy of the complete list, I've hosted it at http://www.epicwinrar.com/conficker/domains.txt, or you can use the original Microsoft link above.

Otherwise, you're welcome to download or mirror copies of my daily lists, all available under http://www.epicwinrar.com/conficker/

The Daily IP List

This script does the following:
- Checks today's date
- Downloads the matching domain-list file ($month-$day-$year.txt)
- Confirms the downloaded file contains data (size > 0)
- Removes any current address-list entries for 'daily-conficker'
- Resolves today's domains and adds them to the address list 'daily-conficker'
- Deletes the downloaded text file

Note that you could easily change the script to point to a copy of the lists hosted on a more local server.

script name: daily-conficker-list

# the clock date has the form mmm/dd/yyyy, e.g. mar/26/2009
:local date [/system clock get date]
:local month [:pick $date 0 3]
:local day [:pick $date 4 6]
:local year [:pick $date 7 11]

# set month to numerical value
:if ($month = "jan") do={ :set month "01" }
:if ($month = "feb") do={ :set month "02" }
:if ($month = "mar") do={ :set month "03" }
:if ($month = "apr") do={ :set month "04" }
:if ($month = "may") do={ :set month "05" }
:if ($month = "jun") do={ :set month "06" }
:if ($month = "jul") do={ :set month "07" }
:if ($month = "aug") do={ :set month "08" }
:if ($month = "sep") do={ :set month "09" }
:if ($month = "oct") do={ :set month "10" }
:if ($month = "nov") do={ :set month "11" }
:if ($month = "dec") do={ :set month "12" }

# download the current day's domain list
/tool fetch address=www.epicwinrar.com host=www.epicwinrar.com mode=http src-path="conficker/$month-$day-$year.txt"
:log info "Download Complete"
:delay 10

# check to ensure today's file exists and is non-empty before deleting yesterday's list
:log info "Beginning Address List Modification"
:if ( [/file get [/file find name="$month-$day-$year.txt"] size] > 0 ) do={

  /ip firewall address-list remove [/ip firewall address-list find list=daily-conficker]

  :local content [/file get [/file find name="$month-$day-$year.txt"] contents]
  :local contentLen [:len $content]

  :local lineEnd 0
  :local line ""
  :local lastEnd 0

  # walk the file one line at a time
  :do {
    :set lineEnd [:find $content "\n" $lastEnd]
    # last line without a trailing newline: run to the end of the file
    :if ([:typeof $lineEnd] = "nil") do={ :set lineEnd $contentLen }
    :set line [:pick $content $lastEnd $lineEnd]
    :set lastEnd ($lineEnd + 1)

    # resolve each non-empty line and add it to the address list daily-conficker
    :if ([:len $line] > 0) do={
      :local listip [:resolve "$line"]
      :if ($listip != "failure") do={
        /ip firewall address-list add list=daily-conficker address=$listip
        :log info "$listip"
      }
    }
  } while ($lineEnd < $contentLen)
}
:log info "Address List Modification Complete"
# cleaning up
/file remove "$month-$day-$year.txt"

Scheduler Entry (can be pasted into terminal)

/system scheduler
add comment="" disabled=no interval=1d name=Conficker-daily on-event="/system script run daily-conficker-list" start-date=jan/01/1970 start-time=00:00:01

The Results

This gives you a list of the IPs that Conficker will try to contact each day. What you actually do with it is up to you, but in my case I've created a simple rule that watches for HTTP connections to those servers and records the source IP address for me.

/ip firewall filter
add action=add-src-to-address-list address-list=conficker-infected address-list-timeout=1d chain=forward comment="label conficker-infected" disabled=no dst-address-list=daily-conficker dst-port=80 protocol=tcp
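An offline model of the two stages this page chains together (building the daily address list from the domain file, then tagging LAN hosts that connect to a listed IP on TCP/80 with a one-day timeout), as an added Python example that is not part of the original wiki page. The domain file, resolver results and log lines are constructed, and the log format only approximates RouterOS firewall logging.

```python
import re
from datetime import datetime, timedelta

# Constructed stand-in for one daily domain file ($month-$day-$year.txt):
# one name per line, here with CRLF, a blank line and no trailing newline,
# the edge cases the RouterOS line loop has to cope with.
SAMPLE_DOMAIN_FILE = "example-a.test\r\nexample-b.test\n\nexample-c.test"

# Constructed resolver results standing in for :resolve; example-c.test
# deliberately has no answer so it is skipped, as in the script.
FAKE_DNS = {"example-a.test": "192.0.2.10", "example-b.test": "192.0.2.11"}

# Constructed log lines that only approximate RouterOS firewall logging.
SAMPLE_LOGS = [
    "forward: in:bridge1 out:ether1, proto TCP (SYN), 10.0.0.5:1034->192.0.2.10:80, len 52",
    "forward: in:bridge1 out:ether1, proto TCP (SYN), 10.0.0.6:1035->198.51.100.1:80, len 52",
    "forward: in:bridge1 out:ether1, proto TCP (SYN), 10.0.0.7:1036->192.0.2.11:443, len 52",
]

LOG_RE = re.compile(r"proto TCP \(SYN\), ([\d.]+):\d+->([\d.]+):(\d+)")

def build_daily_list(text, resolver):
    """Stage 1: the 'daily-conficker' address list. Mirrors the script's loop:
    one domain per line, blank lines skipped, unresolvable names skipped."""
    ips = set()
    for line in text.splitlines():
        entry = line.strip()          # also drops a stray \r from CRLF files
        if not entry:
            continue
        ip = resolver.get(entry)      # None plays the role of the "failure" result
        if ip is not None:
            ips.add(ip)
    return ips

def flag_infected(log_lines, daily_ips, now, timeout=timedelta(days=1)):
    """Stage 2: the forward-chain rule. A TCP connection to a listed IP on
    port 80 adds the source host to 'conficker-infected'; each hit refreshes
    the 1-day address-list-timeout. Returns {src_ip: expiry}."""
    infected = {}
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        src, dst, dport = m.group(1), m.group(2), int(m.group(3))
        if dport == 80 and dst in daily_ips:
            infected[src] = now + timeout
    return infected
```

Only the host that talked to a listed address on port 80 is tagged; the connection to port 443 and the one to an unlisted server are ignored, just as the firewall rule above would ignore them.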

You could probably go one step further and have the list emailed to you and cleared each day, but I don't have the time to go into that much detail here. If you do want that, feel free to leave a note on the discussion page and I'll get around to it as soon as I can.