Script to identify conficker (virus infected) users

Hello all,

Just finished posting a wiki article on a script I’ve done up to help identify private network (LAN) users infected with variants of the Conficker virus.

Implementation of the script will give you a way to get the IP addresses of users on your network attempting to access sites that conficker ‘phones home’ to periodically.

If anyone has any questions, bugs or suggestions on the script feel free to voice them here.

Wiki article: http://wiki.mikrotik.com/wiki/Conficker-Virus-Blocking

oh bugger. Just found out that the :resolve command failing causes a script to halt in 3.X
Workaround for me was to use OpenDNS as the name servers, so that all requests would resolve, then just catch the users heading to non-OpenDNS IPs.

http://forum.mikrotik.com/t/script-file-and-resolve-return-values-file-solved/26182/1 - could you please try to fix this for us mikrotik? The bug has been around since Feb.

Thanks.

Thanks!

Hi there

I use this script on v3.17 and it’s not working for me. I just modified the script to check that the IPs resolve. I created the file conf.txt and put in all the domains listed on the site. I used OpenDNS as the nameserver.

:local content [/file get [/file find name="conf.txt"] contents] ;
:local contentLen [ :len $content ] ;

:local lineEnd 0;
:local line "";
:local lastEnd 0;

:do {
  :set lineEnd [:find $content "\n" $lastEnd ] ;
  #no newline after the last domain: treat end of file as the end of the line
  :if ([:typeof $lineEnd] = "nil") do={ :set lineEnd $contentLen }
  :set line [:pick $content $lastEnd $lineEnd] ;
  :set lastEnd ( $lineEnd + 1 ) ;

  #resolve each new line and add to the address list daily-conficker
  :if ( [:pick $line 0 1] != "\n" ) do={
    #$line already holds just this line
    :local entry $line
    :if ( [:len $entry ] > 0 ) do={
      :local listip [:resolve "$entry"]
      #on 3.x a failed :resolve halts the script before this test is reached
      :if ($listip != "failure" ) do={
        /ip firewall address-list add list=daily-conficker address=$listip
        :log info "$listip"
      }
    }
  }
} while ($lineEnd < $contentLen)
:log info "Address List Modification Complete"

Yes, as noted in my post above, I only found out after finishing the script that the MikroTik :resolve command is currently broken; any failed resolution simply forces the script to quit, hence using OpenDNS is the only way I see to get it to complete at this time. Too bad we’ve got no other solution for the 1st of April :(

However, if you’re still getting an error in the script even though all addresses are resolving, run it from the terminal instead and let me know what line it errors on and I’ll have a look.

Thanks.

I managed to get it working and it’s popping up hits on several of my access points.
I copied the address list and firewall rule to the access points to isolate the customer.
I checked some of the IP addresses against ARIN.
208.69.36.132 opendns
72.167.202.5 godaddy
72.14.205.102 google

Does that seem right?

Also, could one just block the IP addresses from the list daily-conficker?

Yes, you can block the addresses. I’ve done so on my sites and haven’t had any users call with issues accessing Google :-/ (Roughly 3000 users it’s running across at the moment.)

As for the ARIN listings, try the following addition. Change the line

/ip firewall address-list add list=daily-conficker address=$listip

to

/ip firewall address-list add list=daily-conficker address=$listip comment=$entry

This should give you a listing of the domain that each address was resolved from so you can see exactly which domain is which.
I’ve updated the script to include this.

Dude,
Can you post the resolved/exported IP list so I can directly add it to the address list?

I got an error when I pasted the script into the terminal window.

The whole reason the script goes through and resolves each of the IPs is because Conficker uses a new set of domains each day. If I were to resolve all of them now and just provide an IP list, this list could easily change within a few days’ time given that a) new domains that weren’t resolving previously may have now been purchased, and b) old domains that were pointing elsewhere before could have records updated to point to new sites.

When I say run it from terminal I mean goto terminal and type in

/system run script daily-conficker-list

then paste the output.

Pasting in terminal like that simply won’t work.

Thanks for your prompt response. Actually I have over 2500 users. Most of the users are infected with this virus.

here is terminal output

[admin@MikroTik] > /system run script daily-conficker-list
bad command name run (line 1 column 9)
[admin@MikroTik] >

arggh sorry, typo

/system script run daily-conficker-list

is what you want to do.

Something is wrong in the script; when I run it, it gives an error. See my last post.


The worm has been activated on my LAN users. Here is my squid access log:

1238397620.731 0 192.168.0.5 TCP_DENIED/400 1481 NONE NONE:// - NONE/- text/html
1238397620.747 1037 192.168.0.5 TCP_MISS/200 345 GET http://210.2.138.215/tradingterminal/ExchangeWatch/ExchangeViewServer.aspx?Index=KSE100&q=0.3377882676355183 - DIRECT/210.2.138.215 text/xml
1238397620.760 296 192.168.0.5 TCP_MISS/204 187 GET http://www.google.com/uds/stats?r0=hl|search - DIRECT/216.239.61.104 text/html
1238397620.762 1 192.168.0.5 TCP_DENIED/400 1481 NONE NONE:// - NONE/- text/html
1238397620.789 338 192.168.0.5 TCP_MISS/204 277 GET http://www.google.com.pk/csi?v=3&s=webhp&action=&tran=undefined&ei=83TQSdrkLdWSkAWSqsTiCQ&e=17259,18167&rt=prt.10,ol.251,xjs.301 - DIRECT/216.239.61.104 text/html
1238397620.791 1 192.168.0.5 TCP_DENIED/400 1481 NONE NONE:// - NONE/- text/html
1238397620.794 344 192.168.0.5 TCP_MISS/200 390 GET http://www.google-analytics.com/__utm.gif?utmwv=4.3&utmn=24952436&utmhn=yourforkids.com&utmcs=utf-8&utmsr=1024x768&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=6.0%20r79&utmdt=yourforkids.com%20%7C%20Kid%20Movie%20%7C%20Movie%20%7C%20DVD%20%7C%20DVD%20Rental&utmhid=969289685&utmr=-&utmp=/Kid-Movie.html?qs=06oENya4ZGJbLUV9ocEMFx9YsQ_VoINjuLGOIPc-UFrUdgZEEhG9ofUWWZn9k5VlFlHCVta0dCkrY-zaut9tmqPNvVG4deYpn7lqYOhyHmnL3WCl3UADRGqGRS_6aucF2UQWO5iZPnPLyaeoBZZybnWt2nkUzF19A_Z5Pkn7dGQZiJgArYXw6Ie8VWvIAI0J5nf-5w5iGIrqogU5TKOChTfP5tYnxKCRD7krzU,YT0xO0w9S2lkIE1vdmllO1I9NDtTPXQjMi0jQ28.&utmac=UA-2201473-2&utmcc=__utma%3D105188491.3428763974535293400.1238445107.1238445107.1238445107.1%3B%2B__utmz%3D105188491.1238445107.1.1.utmcsr%3D(direct)%7Cutmccn%3D(direct)%7Cutmcmd%3D(none)%3B - DIRECT/72.14.235.100 image/gif
1238397620.823 0 192.168.0.5 TCP_DENIED/400 1481 NONE NONE:// - NONE/- text/html
1238397620.852 10 192.168.0.5 TCP_DENIED/400 1481 NONE NONE:// - NONE/- text/html
1238397620.858 424 192.168.0.5 TCP_MISS/200 427 GET http://us.bc.yahoo.com/b?P=FFc7D2KIcFH5EQhfSc37wNdvdz.IxUnQdPAACLjS&T=13ucc1l2f%2fX%3d1238398192%2fE%3d1635382649%2fR%3dchat%2fK%3d5%2fV%3d1.1%2fW%3dJ%2fY%3dYAHOO%2fF%3d144449464%2fI%3d1%2fS%3d1%2fJ%3d0B718862&U=137i2spv5%2fN%3d9UU1UEwNBlo-%2fC%3d715481.13174281.13345001.42%2fD%3dN%2fB%3d5404760%2fV%3d1&Q=0&O=0.4071068968295436 - DIRECT/68.142.228.136 image/gif
1238397620.882 1 192.168.0.5 TCP_DENIED/400 1481 NONE NONE:// - NONE/- text/html
1238397620.912 0 192.168.0.5 TCP_DENIED/400 1481 NONE NONE:// - NONE/- text/html
1238397620.919 4454 192.168.0.5 TCP_MISS/200 92057 GET http://www.cartoonnetwork.com/data/_masters/Games.xml?c=530375 - DIRECT/64.236.29.72 application/xml
1238397620.929 494 192.168.0.5 TCP_MISS/200 1440 GET http://ads.cartoonnetwork.com/js.ng/site=toon&toon_pos=160x600_sync&toon_rollup=games&toon_section=container_page&tile=0573718938321 - DIRECT/64.236.29.63 application/x-javascript
1238397620.941 3438 192.168.0.5 TCP_REFRESH_HIT/304 149 GET http://download.im.alisoft.com/aliim/AliIM6_ATM/configs/dailyupdate_u.xml?ver=6.05.10&login_id=enaliintpk100859391 - DIRECT/121.0.30.96 -
1238397620.942 0 192.168.0.5 TCP_DENIED/400 1481 NONE NONE:// - NONE/- text/html
1238397620.950 453 192.168.0.5 TCP_HIT/200 869 GET http://static4.orkut.com/img/castro/i_phototag.gif - NONE/- image/gif
1238397620.950 1270 192.168.0.5 TCP_REFRESH_HIT/200 634 GET http://i.cdn.turner.com/toon/games/tools/img/container/gameborder_bottom.jpg - DIRECT/209.84.4.126 image/jpeg
1238397620.972 0 192.168.0.5 TCP_DENIED/400 1481 NONE NONE:// - NONE/- text/html
1238397620.973 459 192.168.0.5 TCP_MISS/304 208 GET http://outfits.zwinky.com/users/common/defaultfemale.xml - DIRECT/66.235.126.132 -
1238397620.989 538 192.168.0.5 TCP_MISS/200 5856 GET http://ad.yieldmanager.com/st?ad_type=iframe&ad_size=728x90&site=140421&section_code=13174281&cb=1238398195854420&zip=&ycg=m&yyob=1987&pub_redirect_unencoded=1&pub_redirect=http://us.ard.yahoo.com/SIG=15hs4724f/M=715481.13174281.13345001.42/D=chat/S=1635382649:N/Y=YAHOO/EXP=1238405395/L=31idTmKIcFHJS8flSbjU_o2xdz.IxUnQdPMADNfV/B=PaL7TEwNBlM-/J=1238398195854420/K=_d6nvW9JgLgOmrDZwUG1Xw/A=5404760/R=0/* - DIRECT/77.238.172.11 -
1238397621.002 0 192.168.0.5 TCP_DENIED/400 1481 NONE NONE:// - NONE/- text/html
1238397621.032 2 192.168.0.5 TCP_DENIED/400 1481 NONE NONE:// - NONE/- text/html
1238397621.051 617 192.168.0.5 TCP_MISS/302 734 GET http://login.live.com/login.srf?wa=wsignin1.0&rpsnv=10&ct=1238398194&rver=5.5.4177.0&wp=MBI&wreply=https:%2F%2Fbyfiles.storage.msn.com%2Fstorageservice%2Fpassport%2Fauth.aspx%3Fsru%3Dhttp:%252f%252fbyfiles.storage.msn.com%252fy1pZVJKbdUxPQn9-n6R4q1WLxhLRa58veY8IgF7XP2r6VFw4MNruUDsiGYieE3qzNpZu446Huo_j7qmleKVerzltg&lc=1033&id=41839 - DIRECT/65.54.186.107 text/html
1238397621.052 618 192.168.0.5 TCP_MISS/200 544 GET http://w88.go.com/b/ss/wdgespcricinfo,wdgespge/1/H.15.1/s68255402034013?[AQB]&ndh=1&t=30/2/2009%2012%3A29%3A55%201%20-300&ns=espn&cdp=2&pageName=cricinfo%3AHomepage%20PAK&g=http%3A//www.cricinfo.com/&cc=USD&ch=cricinfo%3Acricinfo%20homepage&server=www.cricinfo.com&events=event3%2Cevent38&products=ads%3Bfl_nvi_150x140%3B%3B%3Bevent38%3D1%2Cads%3Bnews_hpnp%3B%3B%3Bevent38%3D1%2Cads%3Brss_hpnp%3B%3B%3Bevent38%3D1%2Cads%3Bwidget_hpnp%3B%3B%3Bevent38%3D1%2Cads%3Btalk_hpnp%3B%3B%3Bevent38%3D1%2Cads%3Bfl_combo_hpnp%3B%3B%3Bevent38%3D1%2Cads%3Btw_hpnp%3B%3B%3Bevent38%3D1&c1=cricinfo&h1=cricinfo%3Acricinfo%3Acricinfo%20homepage%3AHomepage%20PAK&c4=homepages&c6=Repeat&v9=en&v11=homepages%3Acricinfo%3Acricinfo%20homepage&c12=cricinfo%3ACricinfo%20-%20New%20Zealand%20v%20India%20-%202nd%20Test%20-%20pak%20scorecard&v12=pk&v13=cricinfo%3AHomepage%20PAK&c16=pk&c17=en&c19=cricinfo%3AHomepage%20PAK&v19=cricket&c24=More%20than%207%20days&c25=cricket&s=1024x768&c=32&j=1.7&v=Y&k=Y&bw=1024&bh=605&p=Mozilla%20Default%20Plug-in%3BRealPlayer(tm)%20G2%20LiveConnect-Enabled%20Plug-In%20(32-bit)%20%3BRealPlayer%20Version%20Plugin%3BMicrosoft%20Office%202003%3BShockwave%20Flash%3BYahoo%20Application%20State%20Plugin%3BJava(TM)%20Platform%20SE%206%20U6%3BMicrosoft®%20DRM%3BWindows%20Media%20Player%20Plug-in%20Dynamic%20Link%20Library%3B&[AQE] - DIRECT/66.235.139.70 image/gif
1238397621.058 564 192.168.0.5 TCP_MISS/206 8531 GET http://msgr.dlservice.microsoft.com/download/5/2/E/52EB299A-E4DE-43E2-8D55-510D7FB03610/en/wlsetup-cvr.exe - DIRECT/87.248.218.175 application/octet-stream
1238397621.062 3 192.168.0.5 TCP_DENIED/400 1481 NONE NONE:// - NONE/- text/html
1238397621.082 2774 192.168.0.5 TCP_REFRESH_HIT/200 7997 GET http://img301.imageshack.us/img301/5350/76069cholergz7.jpg - DIRECT/38.99.76.172 image/jpeg
1238397621.092 6 192.168.0.5 TCP_DENIED/400 1481 NONE NONE:// - NONE/- text/html

Yeah, but the previous post I did was incorrect.
When you ran
/system run script XXXXX

it didn’t run the script at all, because my syntax was wrong.

you need to run

/system script run XXXXXX

it was my message to you that had an error, I’ve also tried the script on one of my 3.17 boxes and it works fine.

The script gets stuck. How do I debug it? Currently using OpenDNS nameservers. Terminal output:

[admin@MikroTik] > /system script run daily-conficker-list
status: connecting
-- [Q quit|D dump|C-z pause]
failure: connection failed

Hmm it would seem that your mikrotik is unable to download the files from my webserver.
Does the box you’re using have a default route (0.0.0.0/0) out to the internet?

The script as noted above does work fine on 3.17 which means there is an issue with your mikrotik being able to connect to my server somehow.

Hmm, strange! Anyway, I just tweaked this script: I download the files with my Linux box, then retrieve them to the local machine. The files are at http://192.168.0.1/conficker/www.epicwinrar.com/conficker/

After this it succeeds, but at 20% the script now gives this error:

/system script run daily-conficker-list
status: connecting

status: finished
failure

I checked in Files; only one file was downloaded, 03-30-2009.txt.


I changed the script as marked:

:local date [/system clock get date]
#RouterOS date looks like "mar/30/2009"
:local month [:pick $date 0 3]
:local day [:pick $date 4 6]
:local year [:pick $date 7 11]

#set month to numerical value (compare $month directly; [$month] would try to run its value as a command)
:if ($month = "jan") do={ :set month "01" }
:if ($month = "feb") do={ :set month "02" }
:if ($month = "mar") do={ :set month "03" }
:if ($month = "apr") do={ :set month "04" }
:if ($month = "may") do={ :set month "05" }
:if ($month = "jun") do={ :set month "06" }
:if ($month = "jul") do={ :set month "07" }
:if ($month = "aug") do={ :set month "08" }
:if ($month = "sep") do={ :set month "09" }
:if ($month = "oct") do={ :set month "10" }
:if ($month = "nov") do={ :set month "11" }
:if ($month = "dec") do={ :set month "12" }

#download current days domain list
/tool fetch address=192.168.0.1 host=192.168.0.1 mode=http src-path="conficker/www.epicwinrar.com/conficker/$month-$day-$year.txt"
:log info "Download Complete"
:delay 2

#check to ensure todays file exists before deleting yesterdays list
:log info "Begining Address List Modification"
:if ( [/file get [/file find name="$month-$day-$year.txt"] size] > 0 ) do={

  /ip firewall address-list remove [/ip firewall address-list find list=daily-conficker]

  :local content [/file get [/file find name="$month-$day-$year.txt"] contents] ;
  :local contentLen [ :len $content ] ;

  :local lineEnd 0;
  :local line "";
  :local lastEnd 0;

  :do {
    :set lineEnd [:find $content "\n" $lastEnd ] ;
    #no newline after the last domain: treat end of file as the end of the line
    :if ([:typeof $lineEnd] = "nil") do={ :set lineEnd $contentLen }
    :set line [:pick $content $lastEnd $lineEnd] ;
    :set lastEnd ( $lineEnd + 1 ) ;

    #resolve each new line and add to the address list daily-conficker
    :if ( [:pick $line 0 1] != "\n" ) do={
      #$line already holds just this line
      :local entry $line
      :if ( [:len $entry ] > 0 ) do={
        :local listip [:resolve "$entry"]
        #on 3.x a failed :resolve halts the script before this test is reached
        :if ($listip != "failure" ) do={
          /ip firewall address-list add list=daily-conficker address=$listip
          :log info "$listip"
        }
      }
    }
  } while ($lineEnd < $contentLen)
}
:log info "Address List Modification Complete"
#cleaning up
/file remove "$month-$day-$year.txt"

If it gets the failure message it means the :resolve has failed and stops the script from continuing (the bug mentioned in my second post)

If you’re using opendns servers (208.67.222.222 208.67.220.220) as your dns servers this should not happen as any invalid requests will instead be returned an opendns address (normally in the 208.67.X.X range)

Thanks Mate

Now it’s working, but I think something is wrong. The script adds duplicate IPs. Is that fine, or is something missing in the script?
Dude, can you do one more thing: can you make this script simpler? I also have a Linux box and made a script to fetch and export the list to a file with crontab; I’m just confused by MT scripting. Here is my simple script to fetch the file from the local machine (this local machine fetches the data from the site). conf.txt is located on my server:

#download current days domain list
/tool fetch address=192.168.0.1 host=192.168.0.1 mode=http src-path="conficker/www.epicwinrar.com/conficker/conf.txt"
:log info "Download Complete"
:delay 2

#check to ensure todays file exists before deleting yesterdays list
:log info "Begining Address List Modification"
:if ( [/file get [/file find name=conf.txt] size] > 0 ) do={

  /ip firewall address-list remove [/ip firewall address-list find list=daily-conficker]

  :local content [/file get [/file find name=conf.txt] contents] ;
  :local contentLen [ :len $content ] ;

  :local lineEnd 0;
  :local line "";
  :local lastEnd 0;

  :do {
    :set lineEnd [:find $content "\n" $lastEnd ] ;
    #no newline after the last domain: treat end of file as the end of the line
    :if ([:typeof $lineEnd] = "nil") do={ :set lineEnd $contentLen }
    :set line [:pick $content $lastEnd $lineEnd] ;
    :set lastEnd ( $lineEnd + 1 ) ;

    #resolve each new line and add to the address list daily-conficker
    :if ( [:pick $line 0 1] != "\n" ) do={
      #$line already holds just this line
      :local entry $line
      :if ( [:len $entry ] > 0 ) do={
        :local listip [:resolve "$entry"]
        #on 3.x a failed :resolve halts the script before this test is reached
        :if ($listip != "failure" ) do={
          /ip firewall address-list add list=daily-conficker address=$listip
          :log info "$listip"
        }
      }
    }
  } while ($lineEnd < $contentLen)
}
:log info "Address List Modification Complete"
#cleaning up
/file remove conf.txt

This works fine on 3.19 as long as the dns servers are set to opendns as stated above.

Is there any way to prevent duplicate IP addresses from being added to the address list, since many of the IPs are the same?
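Since the thread leaves two things open, the duplicate entries asked about just above and the OpenDNS workaround that only exists because a failed :resolve halts a RouterOS 3.x script, here is an added example of doing the resolve step on the Linux box that one poster already uses to fetch the list, then handing the router a finished address list. This is not the wiki script or anything posted in the thread. Assumed: the function names, the 208.67.0.0/16 filter (the thread only says OpenDNS answers are "normally in the 208.67.X.X range"), and the constructed sample domains and RFC 5737 addresses; the one-domain-per-line input format and the list name daily-conficker follow the thread.

```python
"""Build a de-duplicated daily-conficker address list off-router.

Added example for the forum thread, not the wiki script. Names and the
sinkhole range below are assumptions; only the input format and the
address-list name come from the thread.
"""
import ipaddress
import socket
from typing import Callable, Dict, List, Tuple

# Addresses OpenDNS hands back for names that do not exist. The thread only
# says "normally in the 208.67.X.X range", so that is what is filtered here;
# extend it with anything ARIN attributes to OpenDNS (the thread's own ARIN
# check turned up 208.69.36.132, for instance) before trusting the output.
SINKHOLE_NETS = [ipaddress.ip_network("208.67.0.0/16")]

Resolver = Callable[[str], List[str]]


def parse_domain_list(text: str) -> List[str]:
    """One domain per line. Tolerates CRLF, blank lines, stray whitespace and
    '#' comment lines, none of which the RouterOS loop in the thread handles."""
    domains = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        domains.append(line.lower().rstrip("."))
    return domains


def is_sinkhole(ip: str) -> bool:
    """True if the answer is an OpenDNS guide address rather than a real host."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SINKHOLE_NETS)


def build_address_list(domains: List[str], resolve: Resolver) -> List[Tuple[str, str]]:
    """Resolve every domain and return (ip, domain) pairs, one per unique address.
    A resolution failure skips that domain instead of aborting the run (the
    :resolve problem from the thread), sinkhole answers are dropped, and the
    first domain that produced an address is kept as its comment."""
    first_seen: Dict[str, str] = {}
    order: List[str] = []
    for domain in domains:
        try:
            answers = resolve(domain)
        except OSError:
            continue  # NXDOMAIN / SERVFAIL / timeout: skip and keep going
        for ip in answers:
            if ip in first_seen or is_sinkhole(ip):
                continue
            first_seen[ip] = domain
            order.append(ip)
    return [(ip, first_seen[ip]) for ip in order]


def to_routeros(entries: List[Tuple[str, str]], list_name: str = "daily-conficker") -> List[str]:
    """Render the list as RouterOS commands that can be pasted or imported."""
    return [
        f'/ip firewall address-list add list={list_name} address={ip} comment="{domain}"'
        for ip, domain in entries
    ]


def system_resolver(name: str) -> List[str]:
    """Live resolver for real use; socket.gaierror is a subclass of OSError."""
    return socket.gethostbyname_ex(name)[2]


def stub_resolver(table: Dict[str, List[str]]) -> Resolver:
    """Offline resolver over a fixed table, used for the constructed sample below."""
    def resolve(name: str) -> List[str]:
        if name not in table:
            raise OSError(f"cannot resolve {name}")
        return table[name]
    return resolve


# Constructed sample input: made-up names and documentation addresses,
# not a real Conficker domain list.
SAMPLE_LIST = (
    "# constructed sample\n"
    "aaaa.example\r\n"
    "bbbb.example\n"
    "\n"
    "nxdomain.example\n"
    "parked.example\n"
    "cccc.example\n"
)
SAMPLE_DNS = {
    "aaaa.example": ["203.0.113.10"],
    "bbbb.example": ["198.51.100.7", "203.0.113.10"],  # shares an address with aaaa
    "parked.example": ["208.67.219.132"],              # OpenDNS guide answer
    "cccc.example": ["198.51.100.7"],                  # duplicate of bbbb's first answer
}


def sample_run() -> List[str]:
    entries = build_address_list(parse_domain_list(SAMPLE_LIST), stub_resolver(SAMPLE_DNS))
    return to_routeros(entries)


if __name__ == "__main__":
    for cmd in sample_run():
        print(cmd)
```

On the sample this yields two entries, one for 203.0.113.10 and one for 198.51.100.7, with the parked name and the two repeats dropped; swap stub_resolver for system_resolver in a cron job to produce the real list. Because the sinkhole answers are filtered here, the router no longer needs to point at OpenDNS for the script to complete, and the address list only ever contains the addresses the domains actually resolved to.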