Sunday, August 10, 2014

I’m sure there is a better way to accomplish this…

In my GSD blog post Anti-Malware Response "Go Kit" I outlined a variety of tool-sets and standalone tools that I carry on my USB flash drive for dealing with malware responses on friends/family systems.

Keeping the IR tool-sets (Confessor, MIR-ROR, rapier, TR3 Tool Kit v2, and triage-ir) updated is a lower priority for a number of reasons.

  1. It’s a lot of work,
  2. the developers often require (due to licensing) the end user (me and you) to download the supporting binaries directly from the developers’ sites, and
  3. you always run the risk that a later utility update may break the way the scripts run on the package.

None of those are deal-breakers, but together they mean I update those tool-sets (aside from the main IR package) less frequently, maybe once a quarter to biannually.

The ones that I do update frequently are the ones that are used to do sweeps for malware and/or viruses.

Most of these are signature based, and if they have been updated, there is a high likelihood a scan with an older tool may miss something critical!

So to keep them updated, I have a bookmark folder with URL links to all the tools. I then go down the list, click, download, copy to USB, rinse and repeat.

So yesterday I wondered if I could automate the process a bit. Kind of like a poor-man’s version of NirLauncher or KLS SOFT’s WSCC - Windows System Control Center.

I’m sure there is a better way to do this, but this was my “it works for me” result.  I’m not posting the actual files (at least in fullness for now) but will show you the basics so you can build your own if you want.

First, I considered (and may still go to) a process/script that uses Wget for Windows - GnuWin32.

But I wanted to start with what I knew (or thought I did) for now.

To get the ball rolling, I made a “landing zone” folder on my Windows system at C:\TEMP\AMW_Packages

This is where I wanted to download the updated files into. I wanted to keep it separate in case I decided I didn’t want to end up overwriting any of my previous files. So once all the packages are downloaded here, I will manually copy them over onto my USB drive folder where they reside full-time.

I then created a Windows BAT file called “a-AMW_Package downloader.bat”

It does a few things.

It deletes all the files/folders in the “C:\TEMP\AMW_Packages” location to get a clean start.

It then runs down a list of the utilities I need to get/update, and downloads them into the “C:\TEMP\AMW_Packages” folder using PowerShell. (I know! Cool!)

Then, there are some packages that have some fancy dynamic page tricks/EULA’s that make getting those binary files a bit of a hassle. Some of those I was able to work around with the PowerShell commands below. However others were not so cooperative. And that was OK.

So at the end of the BAT file, it calls a custom EXE called “a-BAT-IECall.exe”. That file was a different PowerShell script block I came up with to open up all those “problem” site URLs in a single Internet Explorer window session, each in a different tab; more on it in a bit.

The resulting automatically opened IE window allows me to review/download those “manually” as needed. (I guess I could put it at the front so I could be manually downloading those as the script continues to run in the background. But this made sense to me.) I also dropped some FYI URL pages in there as well to remind me of some tricks I keep forgetting or to see if any new tools are available that I may want to add to my tool-kit.

Here is an abbreviated version of the BAT file “a-AMW_Package downloader.bat” contents. You should be able to get the gist of what I am doing and add more lines for other resources you may want/need.

:: Anti-Malware Response "Go-Kit" Downloader

:: Clean Up Download folder first

set folder="C:\Temp\AMW_Packages"
:: Stop here if the landing folder is missing; otherwise the loop below would wipe whatever folder we happen to be in.
cd /d %folder% || exit /b 1
for /F "delims=" %%i in ('dir /b') do (rmdir "%%i" /s/q || del "%%i" /s/q)

:: Now Let's Get the Files!
:: Each tool shows both download methods; either line on its own is enough.

:: Process Explorer
powershell -Command "(New-Object Net.WebClient).DownloadFile('http://download.sysinternals.com/files/ProcessExplorer.zip', 'ProcessExplorer.zip')"
powershell -Command "Invoke-WebRequest http://download.sysinternals.com/files/ProcessExplorer.zip -OutFile C:\temp\AMW_Packages\ProcessExplorer.zip"

:: AutoRuns
powershell -Command "(New-Object Net.WebClient).DownloadFile('http://download.sysinternals.com/files/Autoruns.zip', 'Autoruns.zip')"
powershell -Command "Invoke-WebRequest http://download.sysinternals.com/files/Autoruns.zip -OutFile C:\temp\AMW_Packages\Autoruns.zip"

:: Microsoft Safety Scanner & Malicious Software Removal Tool  (+ download others manually in a bit)
powershell -Command "(New-Object Net.WebClient).DownloadFile('http://go.microsoft.com/fwlink/?LinkId=212732', 'msert.exe')"
powershell -Command "Invoke-WebRequest http://go.microsoft.com/fwlink/?LinkId=212732 -OutFile C:\temp\AMW_Packages\msert.exe"

:: And so on, and so forth for all the other tools as needed

:: Trend Micro Anti-Threat Toolkit  (download manually in a bit)
:: VIPRE Rescue (download manually in a bit)
:: AdwCleaner (download manually in a bit)
:: ComboFix (download manually in a bit)
:: Rootkit Buster - x86 - Trend Micro  (download manually in a bit)
:: System Explorer (download manually in a bit)

:: Misc Tools and Utilities (Now we fire up IE via a PowerShell script) so we can launch IE and the link URLs in tabs for manual download if we need them.

a-BAT-IECall.exe

Exit

Just add more of those download lines for all the tools you need as long as the URL download links are functional with this method.

So next, about that “a-BAT-IECall.exe”

This took a bit of creative work to generate.  There are other ways to launch IE in a standard BAT file, but it ended up opening each URL in a separate IE window that cluttered up my system, despite my best attempts. So this way worked perfectly, and because: PowerShell!

The PowerShell script that is the heart of the engine looks like this:

# Open one IE window; the first Navigate2 call fills the initial tab
$ie = New-Object -ComObject InternetExplorer.Application
$ie.Navigate2("http://systemexplorer.net/download.php")
# 0x1000 (navOpenInNewTab) puts each further URL in a new tab of the same window
$ie.Navigate2("http://www.vipreantivirus.com/live/",0x1000)
$ie.Navigate2("https://toolslib.net/downloads/viewdownload/1-adwcleaner/",0x1000)
$ie.Navigate2("http://www.bleepingcomputer.com/download/combofix/",0x1000)
$ie.Navigate2("http://www.bleepingcomputer.com/forums/t/403413/cannot-execute-exe-reg-regedit/",0x1000)
$ie.Navigate2("http://free.antivirus.com/us/rootkit-buster/index.html",0x1000)
$ie.Navigate2("http://www.microsoft.com/security/scanner/en-us/default.aspx",0x1000)
$ie.Navigate2("http://www.microsoft.com/en-us/download/malicious-software-removal-tool-details.aspx",0x1000)
$ie.Navigate2("http://windows.microsoft.com/en-us/windows/what-is-windows-defender-offline",0x1000)
$ie.Navigate2("http://esupport.trendmicro.com/solution/en-us/1059509.aspx",0x1000)
$ie.Navigate2("http://support.kaspersky.com/viruses/utility",0x1000)
$ie.Navigate2("http://firesage.com/mbrwizard.php?x=4x",0x1000)
$ie.Navigate2("http://freeofvirus.blogspot.com/2009/05/remove-fake-antivirus-10.html",0x1000)
$ie.Navigate2("http://www.bleepingcomputer.com/download/rkill/",0x1000)
$ie.Navigate2("http://www.bleepingcomputer.com/download/unhide/",0x1000)
$ie.Navigate2("http://www.bleepingcomputer.com/download/windows/security-utilities/",0x1000)
$ie.Navigate2("http://support.microsoft.com/kb/299357",0x1000)
$ie.Visible = $true
# Show the window, then end this script's own process; IE keeps running on its own
stop-process $PID
#

Add/remove/change URLs accordingly.

To create the EXE version for this PowerShell script to include the call to in your main BAT file:

  1. Edit the PowerShell script block above to add/change/remove any URLs
  2. Save it somewhere for quick future re-editing.
  3. Launch the PowerGUI Script Editor.
  4. Create a new workspace tab.
  5. Copy those lines into it.
  6. From the menu bar select “Tools” then “Compile Script…”
  7. Select where you want to save it (should be the same place as the “a-AMW_Package downloader.bat” BAT file) and what name you want to give it; for me I used “a-BAT-IECall.exe”
  8. I left the Target framework set at “Microsoft .NET Framework 4.0” for my system.
  9. I guess you could give it a cool custom icon if you wanted. I didn’t for now.
  10. Select “OK” and let it build!
  11. Close stuff out when done.
  12. Find/test! (see result below)


Now, when I want to update my IR package tools, I just fire off the main BAT file and away it rips, leaving me to manually download just a few packages myself -- if desired -- from IE.

Misc Notes and references.

I wasn’t aware until composing this post that the PowerGUI project appears to have been taken over by Dell: Welcome to the New Home of PowerGUI. OK.

I’m sure there are WAY BETTER ways to deal with this with Wget, PowerShell, BAT files, but this works and I learned a lot in the process. I’m open to recommendations/suggestions.

The PowerShell commands in the BAT file are pretty flexible.

powershell -Command "(New-Object Net.WebClient).DownloadFile('URL-path-for-binary.file', 'binary.file')"
powershell -Command "Invoke-WebRequest URL-path-for-binary-file -OutFile C:\temp\AMW_Packages\binary.file"

This one is straight forward with the pattern:

:: AutoRuns
powershell -Command "(New-Object Net.WebClient).DownloadFile('http://download.sysinternals.com/files/Autoruns.zip', 'Autoruns.zip')"
powershell -Command "Invoke-WebRequest http://download.sysinternals.com/files/Autoruns.zip -OutFile C:\temp\AMW_Packages\Autoruns.zip"

I was able to make changes to some of the “binary.file” names to change the name as it got saved, and in some cases the URL path didn’t actually contain a binary.file name in the path but it still handled it OK. Once you have the format down you can experiment a bit. See below for one example:

:: Microsoft Safety Scanner & Malicious Software Removal Tool  (+ download others manually in a bit)
powershell -Command "(New-Object Net.WebClient).DownloadFile('http://go.microsoft.com/fwlink/?LinkId=212732', 'msert.exe')"
powershell -Command "Invoke-WebRequest http://go.microsoft.com/fwlink/?LinkId=212732 -OutFile C:\temp\AMW_Packages\msert.exe"

Here are the URLs of many of the sites/tips I reviewed to get me to this stage, and a few that I wanted to do but couldn’t quite get to work like I wished.

Again, any tips, tricks or alternative suggestions would be appreciated!

Cheers!

--Claus V.

P.S. Microsoft has a number of tools for scanning/removing malware from a system.

Microsoft Malicious Software Removal Tool - This is on most all Windows systems as the MRT.EXE file. Type “MRT.exe” in the RUN bar and you will be off to the races (assuming Windows Updates are current, otherwise download the file manually above or effectiveness will be diminished.)

Then there is the heavy-duty version Microsoft Safety Scanner which gets updated every 10 days.

And, in my original post I mentioned the Microsoft Standalone System Sweeper from Microsoft that was available only via the Microsoft Connect site unless you went through a third-party download source. See this Utility Spotlight: Repair Your PC Infection from TechNet Magazine to get more info on it.

Working on the URL/Download location for this one led me to discover the Windows Defender Offline tool that may have replaced (?) the Microsoft Standalone System Sweeper.  This one is for most “modern” versions of Windows but if you are running Windows 8.1 you will need to jump to this Windows Defender Offline Beta build page.

--cv

1 comment:

Anonymous said...

Don't forget MDOP either... DART has system sweeper. WDO is the fastest because it is prepped with updates. But DART can have needed drivers bundled.