Hello all,

Just finished posting a wiki article on a script I've done up to help identify private network (lan) users infected with variants of the conficker virus.

Implementation of the script will give you a way to get the IP addresses of users on your network attempting to access sites that conficker 'phones home' to periodically.

If anyone has any questions, bugs or suggestions on the script feel free to voice them here.

Wiki article: http://wiki.mikrotik.com/wiki/Conficker-Virus-Blocking

oh bugger. Just found out that the :resolve command failing causes a script to halt in 3.X
Workaround for me was to use OpenDNS as the name servers, so that all requests would resolve, then just catch the users heading to non opendns IP's.

http://forum.mikrotik.com/viewtopic.php?f=1&t=29419 - could you please try to fix this for us mikrotik? The bug has been around since Feb.

Thanks.

Thanks!

Hi there

i use this script in x3.17 its not working for me i just modified the script to check they resolve the ips . i created the file name conf.txt and put the all domain which listed on site. i used opendns for nameserver

:local content [/file get [/file find name="conf.txt"] contents] ;
:local contentLen [ :len $content ] ;

:local lineEnd 0;
:local line "";
:local lastEnd 0;

:do {
:set lineEnd [:find $content "\n" $lastEnd ] ;
:set line [:pick $content $lastEnd $lineEnd] ;
:set lastEnd ( $lineEnd + 1 ) ;

#resolve each new line and add to the address list daily-conficker
:if ( [:pick $line 0 1] != "\n" ) do={
:local entry [:pick $line 0 ($lineEnd ) ]
:if ( [:len $entry ] > 0 ) do={
:local listip [:resolve "$entry"]
:if ($listip != "failure" ) do={
/ip firewall address-list add list=daily-conficker address=$listip
:log info "$listip"
}
}
}
} while ($lineEnd < $contentLen)
}
:log info "Address List Modification Complete"

Yes, as noted in my post above, I only found out after finishing the scrip that the mikrotik :resolve command is currently broken, any failed resolution simple forces the script to quit, hence using opendns is the only way I see to get it to complete at this time.. too bad we've got no other solution for the 1st April

However, if you're still getting an error in the script even thou all addresses are resolving, run it from terminal instead and let me know what line it errors on and I'll have a look.

Thanks.

I managed to get it working and it's popping up hits on several of my access points.
I copied the address list and firewall rule to the access points to isolate the customer.
I checked some of the ip address against arin.
208.69.36.132 opendns
72.167.202.5 godaddy
72.14.205.102 google

Does that seem right??

Also, could one just block the ip addresses from the list daily-conficker?

Yes you can block the addresses, I've done so on my sites and haven't had any users call with issues accessing google :-/ (Roughly 3000 users its running across at the moment)

as for the ARIN listings, try the following addition. Change the line
to
This should give you a listing of the domain that each address was resolved from so you can see exactly which domain is which.
I've updated the script to include this.

Yes, as noted in my post above, I only found out after finishing the scrip that the mikrotik :resolve command is currently broken, any failed resolution simple forces the script to quit, hence using opendns is the only way I see to get it to complete at this time.. too bad we've got no other solution for the 1st April

However, if you're still getting an error in the script even thou all addresses are resolving, run it from terminal instead and let me know what line it errors on and I'll have a look.

Dude
Can you post the resolve export ips list so i can direcly add in addresses list

got error when i post the script on terminal window

the whole reason the script goes through and resolves each of the IP's is because conficker uses a new set of domains each day, if I were to resolve all of them now and just provide an IP list, this list could easily change within a few days time given that a) new domains that weren't resolving previously may have now been purchased. b) old domains that were pointing elsewhere before could have records updated to point to new sites.

When I say run it from terminal I mean goto terminal and type in

/system run script daily-conficker-list

then paste the output.

Pasting in terminal like that simply won't work.

Thanks for your prompt response. actully i have over 2500 user. most of the user are infacted with this virus.

here is terminal output

[admin@MikroTik] > /system run script daily-conficker-list
bad command name run (line 1 column 9)
[admin@MikroTik] >

arggh sorry, typo

/system script run daily-conficker-list

is what you want to do.

arggh sorry, typo

/system script run daily-conficker-list

is what you want to do.

something wrong in script when i run given error. see my last post


the worm has been activated on my lan users here is my squid access log.

1238397620.731 0 192.168.0.5 TCP_DENIED/400 1481 NONE NONE:// - NONE/- text/html
53 -1238397620.747 1037 192.168.0.5 TCP_MISS/200 345 GET http://210.2.138.215/tradingterminal/Ex ... 2676355183 - DIRECT/210.2.138.215 text/xml
1238397620.760 296 192.168.0.5 TCP_MISS/204 187 GET http://www.google.com/uds/stats?r0=hl%7Csearch - DIRECT/216.239.61.104 text/html
1238397620.762 1 192.168.0.5 TCP_DENIED/400 1481 NONE NONE:// - NONE/- text/html
1238397620.789 338 192.168.0.5 TCP_MISS/204 277 GET http://www.google.com.pk/csi?v=3&s=webh ... 51,xjs.301 - DIRECT/216.239.61.104 text/html
1238397620.791 1 192.168.0.5 TCP_DENIED/400 1481 NONE NONE:// - NONE/- text/html
1238397620.794 344 192.168.0.5 TCP_MISS/200 390 GET http://www.google-analytics.com/__utm.g ... D(none)%3B - DIRECT/72.14.235.100 image/gif
1238397620.823 0 192.168.0.5 TCP_DENIED/400 1481 NONE NONE:// - NONE/- text/html
1238397620.852 10 192.168.0.5 TCP_DENIED/400 1481 NONE NONE:// - NONE/- text/html
1238397620.858 424 192.168.0.5 TCP_MISS/200 427 GET http://us.bc.yahoo.com/b?P=FFc7D2KIcFH5 ... 8968295436 - DIRECT/68.142.228.136 image/gif
1238397620.882 1 192.168.0.5 TCP_DENIED/400 1481 NONE NONE:// - NONE/- text/html
1238397620.912 0 192.168.0.5 TCP_DENIED/400 1481 NONE NONE:// - NONE/- text/html
1238397620.919 4454 192.168.0.5 TCP_MISS/200 92057 GET http://www.cartoonnetwork.com/data/_mas ... l?c=530375 - DIRECT/64.236.29.72 application/xml
1238397620.929 494 192.168.0.5 TCP_MISS/200 1440 GET http://ads.cartoonnetwork.com/js.ng/sit ... 3718938321 - DIRECT/64.236.29.63 application/x-javascript
1238397620.941 3438 192.168.0.5 TCP_REFRESH_HIT/304 149 GET http://download.im.alisoft.com/aliim/Al ... k100859391 - DIRECT/121.0.30.96 -
1238397620.942 0 192.168.0.5 TCP_DENIED/400 1481 NONE NONE:// - NONE/- text/html
1238397620.950 453 192.168.0.5 TCP_HIT/200 869 GET http://static4.orkut.com/img/castro/i_phototag.gif - NONE/- image/gif
1238397620.950 1270 192.168.0.5 TCP_REFRESH_HIT/200 634 GET http://i.cdn.turner.com/toon/games/tool ... bottom.jpg - DIRECT/209.84.4.126 image/jpeg
1238397620.972 0 192.168.0.5 TCP_DENIED/400 1481 NONE NONE:// - NONE/- text/html
1238397620.973 459 192.168.0.5 TCP_MISS/304 208 GET http://outfits.zwinky.com/users/common/ ... female.xml - DIRECT/66.235.126.132 -
1238397620.989 538 192.168.0.5 TCP_MISS/200 5856 GET http://ad.yieldmanager.com/st?ad_type=i ... 04760/R=0/* - DIRECT/77.238.172.11 -
1238397621.002 0 192.168.0.5 TCP_DENIED/400 1481 NONE NONE:// - NONE/- text/html
1238397621.032 2 192.168.0.5 TCP_DENIED/400 1481 NONE NONE:// - NONE/- text/html
1238397621.051 617 192.168.0.5 TCP_MISS/302 734 GET http://login.live.com/login.srf?wa=wsig ... 3&id=41839 - DIRECT/65.54.186.107 text/html
1238397621.052 618 192.168.0.5 TCP_MISS/200 544 GET http://w88.go.com/b/ss/wdgespcricinfo,w ... &%5BAQE%5D - DIRECT/66.235.139.70 image/gif
1238397621.058 564 192.168.0.5 TCP_MISS/206 8531 GET http://msgr.dlservice.microsoft.com/dow ... up-cvr.exe - DIRECT/87.248.218.175 application/octet-stream
1238397621.062 3 192.168.0.5 TCP_DENIED/400 1481 NONE NONE:// - NONE/- text/html
1238397621.082 2774 192.168.0.5 TCP_REFRESH_HIT/200 7997 GET http://img301.imageshack.us/img301/5350 ... lergz7.jpg - DIRECT/38.99.76.172 image/jpeg
1238397621.092 6 192.168.0.5 TCP_DENIED/400 1481 NONE NONE:// - NONE/- text/html

yeah but the previous post I did was incorrect..
when you ran
/system run script XXXXX

it didn't run the script at all.. because my syntax was wrong.

you need to run

/system script run XXXXXX

it was my message to you that had an error, I've also tried the script on one of my 3.17 boxes and it works fine.

yeah but the previous post I did was incorrect..
when you ran
/system run script XXXXX

it didn't run the script at all.. because my syntax was wrong.

you need to run

/system script run XXXXXX

it was my message to you that had an error, I've also tried the script on one of my 3.17 boxes and it works fine.

The Script was stuck-up how to debug ? currently using opendns nameserver terminal output

[admin@MikroTik] > /system script run daily-conficker-list
status: connecting
-- [Q quit|D dump|C-z pause]
failure: connection failed

Hmm it would seem that your mikrotik is unable to download the files from my webserver.
Does the box you're using have a default route (0.0.0.0/0) out to the internet?

The script as noted above does work fine on 3.17 which means there is an issue with your mikrotik being able to connect to my server somehow.

mm strange ! anyway i just tweak with this script with my linux box downloaded files on linux box then retrive to local machine. files are http://192.168.0.1/conficker/www.epicwi ... conficker/

after this get sucess but 20% the script now given this error

/system script run daily-conficker-list
status: connecting

status: finished
failure

i checked in files the only 1 file download 03-30-2009.txt


i changed in script marked

:local date [/system clock get date]
:local month [:pick $date 0 3]
:local day [:pick $date 4 6]
:local year [:pick $date 7 11]

#set month to numerical value
:if ([$month] = "jan") do={ :set month "01" }
:if ([$month] = "feb") do={ :set month "02" }
:if ([$month] = "mar") do={ :set month "03" }
:if ([$month] = "apr") do={ :set month "04" }
:if ([$month] = "may") do={ :set month "05" }
:if ([$month] = "jun") do={ :set month "06" }
:if ([$month] = "jul") do={ :set month "07" }
:if ([$month] = "aug") do={ :set month "08" }
:if ([$month] = "sep") do={ :set month "09" }
:if ([$month] = "oct") do={ :set month "10" }
:if ([$month] = "nov") do={ :set month "11" }
:if ([$month] = "dec") do={ :set month "12" }

#download current days domain list
/tool fetch address=192.168.0.1 host=192.168.0.1 mode=http src-path="conficker/www.epicwinrar.com/conficker/$month-$day-$year.txt"
:log info "Download Complete"
:delay 2

#check to ensure todays file exists before deleting yesterdays list
:log info "Begining Address List Modification"
:if ( [/file get [/file find name="$month-$day-$year.txt"] size] > 0 ) do={

/ip firewall address-list remove [/ip firewall address-list find list=daily-conficker]

:local content [/file get [/file find name="$month-$day-$year.txt"] contents] ;
:local contentLen [ :len $content ] ;

:local lineEnd 0;
:local line "";
:local lastEnd 0;

:do {
:set lineEnd [:find $content "\n" $lastEnd ] ;
:set line [:pick $content $lastEnd $lineEnd] ;
:set lastEnd ( $lineEnd + 1 ) ;

#resolve each new line and add to the address list daily-conficker
:if ( [:pick $line 0 1] != "\n" ) do={
:local entry [:pick $line 0 ($lineEnd ) ]
:if ( [:len $entry ] > 0 ) do={
:local listip [:resolve "$entry"]
:if ($listip != "failure" ) do={
/ip firewall address-list add list=daily-conficker address=$listip
:log info "$listip"
}
}
}
} while ($lineEnd < $contentLen)
}
:log info "Address List Modification Complete"
#cleaning up
/file remove "$month-$day-$year.txt"

If it gets the failure message it means the :resolve has failed and stops the script from continuing (the bug mentioned in my second post)

If you're using opendns servers (208.67.222.222 208.67.220.220) as your dns servers this should not happen as any invalid requests will instead be returned an opendns address (normally in the 208.67.X.X range)

Thanks Mate

Now its working but i think something wrong. The script add duplicate ips . its fine or something missing in script .
Dude can you do one more thing can you make simple this script. i have also linux box and make script to fatch and export list to the file with crontab just confuse with MT scripting here is my simple script to fatch file from local machine this local machine fatch data from site. conf.txt is located on my server

#download current days domain list
/tool fetch address=192.168.0.1 host=192.168.0.1 mode=http src-path="conficker/www.epicwinrar.com/conficker/conf.txt"
:log info "Download Complete"
:delay 2

#check to ensure todays file exists before deleting yesterdays list
:log info "Begining Address List Modification"
:if ( [/file get [/file find name=conf.txt] size] > 0 ) do={

/ip firewall address-list remove [/ip firewall address-list find list=daily-conficker]

:local content [/file get [/file find name=conf.txt] contents] ;
:local contentLen [ :len $content ] ;

:local lineEnd 0;
:local line "";
:local lastEnd 0;

:do {
:set lineEnd [:find $content "\n" $lastEnd ] ;
:set line [:pick $content $lastEnd $lineEnd] ;
:set lastEnd ( $lineEnd + 1 ) ;

#resolve each new line and add to the address list daily-conficker
:if ( [:pick $line 0 1] != "\n" ) do={
:local entry [:pick $line 0 ($lineEnd ) ]
:if ( [:len $entry ] > 0 ) do={
:local listip [:resolve "$entry"]
:if ($listip != "failure" ) do={
/ip firewall address-list add list=daily-conficker address=$listip
:log info "$listip"
}
}
}
} while ($lineEnd < $contentLen)
}
:log info "Address List Modification Complete"
#cleaning up
/file remove conf.txt

This works fine on 3.19 as long as the dns servers are set to opendns as stated above.

Is there any way to prevent duplicate ip addresses from being added to the address list since many of the ips are the same.

Hi There

did you found any removal tool for this worm ?

oh bugger. Just found out that the :resolve command failing causes a script to halt in 3.X

Hey Man , is that means it won't work on 3.x !!?
and what about 2.x
something else , should i make a firewall filter rule to block any connection to these sites ?
i have a deep bad feeling about this mess , MS is crashing down
harry up man , tomorrow is the date

sorry , one more thing , this happened after i used this script from wiki

is this this right ?

If it gets the failure message it means the :resolve has failed and stops the script from continuing (the bug mentioned in my second post)

If you're using opendns servers (208.67.222.222 208.67.220.220) as your dns servers this should not happen as any invalid requests will instead be returned an opendns address (normally in the 208.67.X.X range)

Thanks Dude its working now the issue was in my Firewall

oh bugger. Just found out that the :resolve command failing causes a script to halt in 3.X

Hey Man , is that means it won't work on 3.x !!?
and what about 2.x
something else , should i make a firewall filter rule to block any connection to these sites ?
i have a deep bad feeling about this mess , MS is crashing down
harry up man , tomorrow is the date

sorry , one more thing , this happened after i used this script from wiki

is this this right ?

mm i think you are using web-proxy service the virus create reverse connection and loop with you local MT proxy . in my case i have external linux box same loop connection are seen in cachelog

Nmap has released a new (beta) release that enables Conficker infections
just by scanning the network.

For more information (including commands for Conficker scanning) see:
http://insecure.org/

An original tool (before it was added into nmap) is also available:
http://iv.cs.uni-bonn.de/uploads/media/scs.zip

And further info can be found at these sites:
http://www.honeynet.org/
(https://www.honeynet.org/node/389)
http://iv.cs.uni-bonn.de/wg/cs/applicat ... conficker/

Just received these from a security consultant friend. Combined with the script here this should help us pickup any infected users but requires a computer on the inside (we use an older server with ESXi which allows remote access) which i believe is a good investment for any sites over 500 users.

You don't have permission to access /nmap-dist/nmap-4.85BETA5-setup.exe on this server.

Just curious.... the download server from insecure.org has got this error.

Hello
As omega-00 told, I have a problem with resolve names, it give an error and the script stop working! How can I solve this problem? I look in the other post and there is not solution!
Look this is the problem! So when MKT read its, stop working with the script. And the problem is that this is the first in the list!!
Thank
Rafael Lore

Use opendns servers.
clear dns cache.

/ip dns
set allow-remote-requests=no cache-max-ttl=1w cache-size=2048KiB max-udp-packet-size=512 primary-dns=\
208.67.220.220 secondary-dns=208.67.222.222
/ip dns cache flush

Thanks very much AUG, problems solved
Rafael Lore

Hi omega-00


I found in logs many domain are not listed in dailyconficker list . after googing i found this url may be this will be help-out you

http://iv.cs.uni-bonn.de/wg/cs/applicat ... conficker/

I've noticed that if a customer is using opendns as their dns server, they get a lot of hits.
I believe these are false hits.
Anybody else run into this?

aug: any hits to opendns aren't nessicarily conficker hits seeing as open dns doesn't host a specific conficker warning page, jsut a standard "this site is unsafe/blocked blah blah blah" page that users hit. so you have to remove opendns hits from your list (would be great if :resolve just worked like it's supposed to thou wouldn't it :-/ )

pokeman: when you say you've found domains that aren't in the list, do you mean my list is missing some? or my list has ones that website doesnt?

If you're saying the first, I know this.. conficker c generates 50,000 domains a day .. mikrotik only gives me a 4096 char string I can work with to block a and b (as listed on my script page) - http://wiki.mikrotik.com/wiki/Conficker-Virus-Blocking

but thanks for the links, any more info is helpful.

Try remote script execution for example via ssh. And generate mikrotik script code from template ;)
Executing that script every day from remote machine

Ive been running the script, but for some reason it just don't get out the "while" statement... I trying to figure it out. I just don't see the final log message saying that modifications are completed. Thanks for the script anyway!

Ozelo as discussed above the mikrotik :resolve command is broken :-/ and causes the script to crash if it can't resolve an address *sigh*
so the fix is to use just opendns servers for the time being.

The following script will stop the addition of duplicate IP's.
You should be able to see from the comments what it replaces, but if not I've updated the wiki entry to reflect the new script.

The following script will stop the addition of duplicate IP's.

Code: Select all

#resolve each new line and add to the address list daily-conficker. updated to list domain as comment
        :if ( [:pick $line 0 1] != "\n" ) do={
          :local entry [:pick $line 0 ($lineEnd ) ]
          :if ( [:len $entry ] > 0 ) do={
              :local listip [:resolve "$entry"]
              :if ($listip != "failure" ) do={
                :if ((/ip firewall address-list find list=daily-conficker address=$listip) = "") do={
                  /ip firewall address-list add list=daily-conficker address=$listip comment=$entry
                  :log info "$listip"
              } else={:log info "duplicate IP $entry"}
           }
       } 
    }
 } while ($lineEnd < $contentLen)
}
:log info "Address List Modification Complete"
#cleaning up
/file remove "$month-$day-$year.txt"

You should be able to see from the comments what it replaces, but if not I've updated the wiki entry to reflect the new script.

At this part script stops. Last output in log is "duplicate IP fnsqijun.org"

Use opendns servers.
clear dns cache.

/ip dns
set allow-remote-requests=no cache-max-ttl=1w cache-size=2048KiB max-udp-packet-size=512 primary-dns=\
208.67.220.220 secondary-dns=208.67.222.222
/ip dns cache flush

Not work for me!, is I put set allow-remote-requests=yes work, but if it works but makes the blocks that have previously configured, the only way NAT works is redirected from the udp port 53 to the OpenDNS DNS server but that's how I mark the cache IP - DNS - Cache

but your list stoped updating



why isnt it up o date today or a month back?

can you fix that as it was working well for me

I don't have the time to maintain the lists and as the newer generations of conficker (generation 'c' onwards) have a list of 50,000 new domains a day it becomes near impossible to handle that normally and would require me to completely recode what I've done on the script to handle multiple files with domains in them.

As it stands I might look at this again when v4.X re-adds the LUA functions.

Regards,
Andrew Cox
Omega-00

were can i find the lists then to try my own thing?

http://blogs.technet.com/msrc/archive/2 ... ation.aspx

Down the bottom of the page.

thanks for the link

Hi there
I stumbled upon your script on the wiki, and need it. The problem is the website epicwinrar seems to not be working anymore ? Has it been moved somewhere else ?