Overclock.net - Overclocking.net
10-16-09, #1, Licht:

[C#] Conficker elimination tool. Need a bit of help disabling a few things.

A network at a local business just got hit with Conficker. The little devil seems to have penetrated the whole system, and as soon as I clean one PC it gets attacked again. The business in question has over 80 PCs. I can't spend days going around cleaning every one and basically have their network in shambles as I do it to prevent reinfection. Nor can I reformat all of those PCs (obviously.) So I need a quick and efficient fix.

After doing research into Conficker's attack methods and established removal methods, I think I have a way to take care of this issue. But I will need a bit of help coding up a very simple application to assist in taking out the little bastard. The application needs to accomplish the following:

  1. Disable autorun. -This Windows feature is not needed, and spreads the virus.
  2. Disable system restore. -It has been reported this Windows component is used by Conficker.
  3. Disable network adapters. -I'm not going around and unplugging cables everywhere as instructions call for. That much physical work may panic the business, which is already worrying.
  4. Launch the first removal tool.
  5. Upon the exiting of that tool, check to see if Conficker is still present by means of checking connectivity to Microsoft, McAfee and other sites.
  6. If it detects Conficker is still present, launch the next tool.
  7. Repeat.
  8. If Conficker is eliminated, install the Windows patch to prevent reinfection.
  9. Block known Conficker update sites in the hosts file.
  10. Reboot.
  11. Re-enable System Restore, Network Adapters, and so on.
  12. Display a completion message.
Any steps to be added that you guys can think of are nice. Mainly I just want System Restore, auto-run, and the network adapters disabled. Other than that the rest can be done manually. But just those three things would speed up this process so much.

I think most of this stuff can be done in registry and simple commands that should be built into .Net.

Going to go to lunch and think over my battle plan. When I get back I'll start the VS project and see what I can do. I would greatly appreciate your help in all of this, thank you.

Last edited by Licht : 10-16-09 at 12:15 PM
10-16-09, #2, killnine:

Most of this seems like file system commands that may be pretty simple to implement. A lot of the other Windows stuff (disabling adapters and system restore and such) may not be feasible through C#, per se. Instead, maybe batching out commands would allow you to do this.

Rather than disabling adapters, why not back up, then overwrite the existing hosts file and point all IPs back to localhost so that you effectively stop traffic. IIRC, the hosts file is always the first reference for name resolution, so regardless of what their network DNS says, you will reroute to localhost.

10-16-09, #3, noldevin:

You will need to re-enable the network adapter in order to test connectivity to key websites before running the second tool. That may open the machine up to reinfection so perhaps you are better off just running both tools no matter what?

Also, if they are running Vista you will want to temporarily disable UAC to make your life much easier.
10-16-09, #4, Licht:

Quote:
Originally Posted by noldevin View Post
You will need to re-enable the network adapter in order to test connectivity to key websites before running the second tool. That may open the machine up to reinfection so perhaps you are better off just running both tools no matter what?

Also, if they are running Vista you will want to temporarily disable UAC to make your life much easier.
There are no Vista PCs. Their medical software doesn't work with it.

--

Just spoke with the technician who is going to be there in person. I'm revising my plan to make this as painless as possible. And easiest to do in person and remotely simultaneously (probably can't make my way over there.)

Current plan is to push the Windows XP update down via group policy and reboot the entire network. I'm worried about bandwidth and possibly crashing the network. There is a massive bottleneck when you get 80+ PCs on 100 Mbps. After that we'll use a script I found that allows group policy to disable auto-run. Code below.

Code:
; US-CERT Technical Cyber Security Alert TA09-020A -- Microsoft Windows Does Not Disable AutoRun Properly
; http://www.us-cert.gov/cas/techalerts/TA09-020A.html
;
;FIX:
;REGEDIT4
;   [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
;   @="@SYS:DoesNotExist"
;
;
CLASS MACHINE
    CATEGORY !!RegistryFixes
        POLICY !!AutoRunInfSYSDoesNotExist
            #if version >= 4
                SUPPORTED !!SUPPORTED_WindowsXPSP2
            #endif
            EXPLAIN !!AutoRunInfSYSDoesNotExist_Help
            KEYNAME "SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf"
            VALUENAME ""
                VALUEON "@SYS:DoesNotExist"
                VALUEOFF DELETE
        END POLICY
    END CATEGORY ; DisableRemovableStorage
[strings]
RegistryFixes="Registry Settings"
SUPPORTED_WindowsXPSP2="Microsoft Windows XP Professional SP2 or later"
AutoRunInfSYSDoesNotExist="Disable auto handling of Autorun.inf"
AutoRunInfSYSDoesNotExist_Help="As per US-CERT Technical Cyber Security Alert TA09-020A -- Microsoft Windows Does Not Disable AutoRun Properly\n\n\nhttp://www.us-cert.gov/cas/techalerts/TA09-020A.html"
http://www.arricc.net/group-policy-t...le-autorun.php

So I can install the patch to prevent reinfection by the Windows vulnerability Conficker uses. Then I can push down a modification to kill auto-run to prevent reinfection by that method. Once I'm done with that I kill Conficker using a number of patches I found for variant C (the one we see on the network.) Thank God we have a badass firewall installed on the router in this place. Only thing I can think of to keep Conficker from updating to versions D or E.

Trying my best to avoid writing my own program in this. Don't want to worry about glitches. But I sure as hell am writing an article about how we cleared this thing.

Last edited by Licht : 10-16-09 at 02:32 PM
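Added example, not code from the thread or from Licht's project: a small C# console helper that applies and verifies the same TA09-020A Autorun.inf registry mitigation the ADM template above pushes through Group Policy, and also sets the NoDriveTypeAutoRun policy value, which covers item 1 of the original checklist. The class and method names (AutorunMitigation, IsHardened, Apply) are my own; it assumes .NET Framework 2.0 or later and an elevated account.

```csharp
// Added example (not from the thread). Applies/verifies the TA09-020A Autorun.inf
// mitigation plus NoDriveTypeAutoRun. Run elevated; compile for the OS bitness so
// HKLM\SOFTWARE is not redirected to WOW6432Node. Names are my own.
using System;
using Microsoft.Win32;

static class AutorunMitigation
{
    // TA09-020A: mapping Autorun.inf to a section that does not exist makes
    // Windows ignore every Autorun.inf it is handed from removable media.
    const string IniMapKey =
        @"SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf";
    const string Marker = "@SYS:DoesNotExist";
    // Second layer: NoDriveTypeAutoRun = 0xFF turns AutoRun off for all drive types.
    const string ExplorerPolicyKey =
        @"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer";

    // True only when both settings are already in the hardened state.
    public static bool IsHardened()
    {
        using (RegistryKey k = Registry.LocalMachine.OpenSubKey(IniMapKey))
        using (RegistryKey p = Registry.LocalMachine.OpenSubKey(ExplorerPolicyKey))
        {
            string mapped = k == null ? null : k.GetValue("") as string;
            bool iniOk = string.Equals(mapped, Marker, StringComparison.OrdinalIgnoreCase);
            object raw = p == null ? null : p.GetValue("NoDriveTypeAutoRun");
            bool policyOk = raw is int && (int)raw == 0xFF;
            return iniOk && policyOk;
        }
    }

    // Writes both values; needs an administrative token.
    public static void Apply()
    {
        using (RegistryKey k = Registry.LocalMachine.CreateSubKey(IniMapKey))
            k.SetValue("", Marker, RegistryValueKind.String);
        using (RegistryKey p = Registry.LocalMachine.CreateSubKey(ExplorerPolicyKey))
            p.SetValue("NoDriveTypeAutoRun", 0xFF, RegistryValueKind.DWord);
    }

    // Usage: AutorunMitigation.exe [/apply]; exit code 0 = hardened, 1 = not,
    // so a startup script can log which hosts still lack the fix.
    static int Main(string[] args)
    {
        if (args.Length > 0 && args[0].Equals("/apply", StringComparison.OrdinalIgnoreCase))
            Apply();
        bool ok = IsHardened();
        Console.WriteLine(ok ? "AutoRun mitigation present" : "AutoRun mitigation MISSING");
        return ok ? 0 : 1;
    }
}
```

Running it without /apply from a GPO startup script gives a per-host audit of whether the template actually landed, which is the check you want before trusting that the reinfection path is closed.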
Copyright © 2009 Shogun Interactive Development. Most rights reserved.