Sunday, July 13, 2008

USB as a Threat Vector

Over the past weeks I have monitored several incidences per week of clients bringing in infected USB media and hard drives. It seems that the USB-aware malware is increasing and becoming a more common feature of Internet-delivered maladies. This allows the malware access to infect machines laterally within an organization, as well as directly from the Internet.

Wednesday, July 2, 2008

Script to identify domains and IP addresses by ASN and CC

I wrote this more than a year ago and it has been tested pretty well. Figured since Jim over at ISC has released a similar tool, it's time to publish mine.

Usage:
# cat > queries.txt
domain1
domain2
ip3
domain4
ip5
...
^C
# perl finger.pl queries.txt

###### finger.pl ######

#This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/3.0/us/ or send a letter to Creative Commons, 171 Second Street, Suite 300, San Francisco, California, 94105, USA.


if (-e "$ARGV[0]") {
open (IFILE, "$ARGV[0]");
while () {
chomp;
undef $ipaddr; undef @whois_results; undef @resolve_results; undef $domainname; undef $a; undef @results; undef @resultr;
if (/^\s*$/) {
next;
} elsif (/^\s*(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s*$/) {
$ipaddr = $_;
@whois_results = &whois($ipaddr);
foreach $a (@whois_results) {
print "$a\n";
}
} elsif (/.+?\...?$/) {
$domainname = $_;
@resolve_results = &resolve($domainname);
foreach $a (@resolve_results) {
print "$a\n";
}
} elsif (/.+?\....?$/) {
$domainname = $_;
@resolve_results = &resolve($domainname);
foreach $a (@resolve_results) {
print "$a\n";
}
} elsif (/.+?\.....?$/) {
$domainname = $_;
@resolve_results = &resolve($domainname);
foreach $a (@resolve_results) {
print "$a\n";
}

} else { print "BAD INPUT LINE: $_\n"; }
}
} elsif ($ARGV[0] =~ /^\s*(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s*$/) {
$ipaddr = $ARGV[0];
@whois_results = &resolve($ipaddr);
# @whois_results = &whois($ipaddr);
foreach $a (@whois_results) {
print "$a\n";
}
} elsif ($ARGV[0] =~ /.+?\...?$/) {
$domainname = $ARGV[0];
@resolve_results = &resolve($domainname);
foreach $a (@resolve_results) {
print "$a\n";
}
} elsif ($ARGV[0] =~ /.+?\....?$/) {
$domainname = $ARGV[0];
@resolve_results = &resolve($domainname);
foreach $a (@resolve_results) {
print "$a\n";
}
} elsif ($ARGV[0] =~ /.+?\.....?$/) {
$domainname = $ARGV[0];
@resolve_results = &resolve($domainname);
foreach $a (@resolve_results) {
print "$a\n";
}

} else { print "BAD INPUT: $ARGV[0]\n"; }


sub resolve {
undef $domain; undef @answersr; undef $answerr; undef @reresolve; undef @resultr; undef $infor;
my $domain = shift;
if ($domain =~ /^\s*(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s*$/) {
my @answersr = `dig +short -x $domain`;
@resultr;
foreach my $answerr (@answersr) {
my @whois_resultr = &whois($domain);
foreach my $whois_answerr (@whois_resultr) {
if ($answerr =~ /^\s*$/) {
$infor = join(' | ', "NO RDNS", $whois_answerr);
} else {
$infor = join(' | ', substr($answerr,0,$answerr-1), $whois_answerr);
}
@resultr = (@resultr,$infor);
}
}
return @resultr;
# } elsif ($domain =~ /.+?\.....?\.?$/) {
} else {
my @answersr = `dig +short $domain`;
chomp(@answersr);
@resultr;
foreach my $answerr (@answersr) {
if ($answerr =~ /^\s*(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s*$/) {
my @whois_resultr = &whois($answerr);
foreach my $whois_answerr (@whois_resultr) {
$infor = join(' | ', $domain, $whois_answerr);
@resultr = (@resultr,$infor);
}
# } elsif ($answerr =~ /.+?\.....?\.$/) {
} else {
my @reresolve = &resolve(substr($answerr,0,$answerr-1));
foreach $reresolve (@reresolve) {
@resultr = (@resultr,$reresolve);
}
# } else { print "COULD NOT RESOLVE: $domain\n"; }
}
}
return @resultr;
# } else {
# print "BAD DOMAIN: $domain\n";
# return("$domain \| UNKNOWN");
}
}


sub whois {
undef $octet1; undef $octet2; undef $octet3; undef $octet4;
undef @answers; undef @results;

my $ip = shift;
if ($ip =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/) {
my $octet1 = $1;
my $octet2 = $2;
my $octet3 = $3;
my $octet4 = $4;

# Perform the IP WHOIS lookup and parse the result
my @answers = `dig +short -t TXT $octet4\.$octet3\.$octet2\.$octet1\.origin\.asn\.cymru\.com`;
chomp(@answers);
foreach my $answer (@answers) {
undef @afields;
undef $ip_as; undef $ip_netblock; undef $ip_cc; undef $ip_as_source; undef $ip_as_date;
undef $as_num; undef $as_cc; undef $as_source; undef $as_date; undef $as_desc;
undef $info;

$answer =~ s/\t//g;
$answer =~ s/\"//g;
$answer =~ s/\s\|\s/\|/g;
my @afields = (split/\|/,$answer);
my $ip_as = $afields[0];
my $ip_netblock = $afields[1];
my $ip_cc = $afields[2];
my $ip_as_source = $afields[3];
my $ip_as_date = $afields[4];

# Perform the AS WHOIS lookup and parse the result
$answer = `dig +short -t TXT AS$ip_as\.asn\.cymru\.com`;
chomp($answer);
$answer =~ s/\t//g;
$answer =~ s/\"//g;
$answer =~ s/\s\|\s/\|/g;
my @afields = (split/\|/,$answer);
my $as_num = $afields[0];
my $as_cc = $afields[1];
my $as_source = $afields[2];
my $as_date = $afields[3];
my $as_desc = $afields[4];

my $info = join(' | ',sprintf("%15.15s",$ip),sprintf("%18.18s",$ip_netblock),sprintf("%2.2s",$ip_cc),sprintf("%5.5s",$ip_as),$as_desc);
@results = (@results,$info);
}

return(@results);
} else {
print "BAD IP ADDRESS: $ip\n";
return("$ip \| UNKNOWN");
}

}