public static List <string> GetFileInfo(IEnumerable <string> lFileHash, Bit9ReturnValues lBit9ReturnValues)
{
var lBit9Info = new List <string>();
var oBit9Return = new object[69];
var sAcekDecode = Object_Fido_Configs.GetAsString("fido.detectors.bit9.acek", null);
sAcekDecode = Aes_Crypto.DecryptStringAES(sAcekDecode, "1");
var sUserID = Aes_Crypto.DecryptStringAES(Object_Fido_Configs.GetAsString("fido.detectors.bit9.userid", null), sAcekDecode);
var sPwd = Aes_Crypto.DecryptStringAES(Object_Fido_Configs.GetAsString("fido.detectors.bit9.pwd", null), sAcekDecode);
var sBit9Server = Object_Fido_Configs.GetAsString("fido.detectors.bit9.server", null);
var sDb = Object_Fido_Configs.GetAsString("fido.detectors.bit9.db", null);
try
{
//todo: take connection string and encrypt to put in XML config
var vConnection = new SqlConnection("user id=" + sUserID + ";password="******";Server=" + sBit9Server + ",1433;Integrated Security=sspi;Database=" + sDb + ";connection timeout=60");
if (lFileHash != null)
{
//todo: SQL injection. Store query in database and fill variables when retrieving
foreach (var CMD in lFileHash.Select(sFileHash => "SELECT * FROM [das].[dbo].[Fido_FileInstanceInfo] WHERE MD5 = '" + sFileHash + "'").Select(sQuery => new SqlCommand(sQuery, vConnection)))
{
CMD.CommandType = CommandType.Text;
ReadBit9Info(vConnection, CMD, oBit9Return, lBit9Info);
}
}
else if (lBit9ReturnValues != null)
{
//todo: SQL injection. Store query in database and fill values when retrieving
var sQuery = "SELECT * FROM [das].[dbo].[Fido_FileInstanceInfo] WHERE FILE_NAME = '" + lBit9ReturnValues.FileName.ToLower() + "' AND Path_Name = '" + lBit9ReturnValues.FilePath.ToLower() + "' AND Computer_Name = '" + lBit9ReturnValues.HostName + "'";
var CMD = new SqlCommand(sQuery, vConnection)
{
CommandType = CommandType.Text
};
ReadBit9Info(vConnection, CMD, oBit9Return, lBit9Info);
}
//if no count then no hash information exists
if (lBit9Info.Count != 0)
{
}
}
catch (Exception e)
{
Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught retrieving file information from Bit9:" + e);
}
return(lBit9Info);
}
//if getevents is positive, get machine name and IP
private static IEnumerable <string> GetHost(string sMD5)
{
var sAcekDecode = Object_Fido_Configs.GetAsString("fido.detectors.bit9.acek", null);
sAcekDecode = Aes_Crypto.DecryptStringAES(sAcekDecode, "1");
var sUserID = Aes_Crypto.DecryptStringAES(Object_Fido_Configs.GetAsString("fido.detectors.bit9.userid", null), sAcekDecode);
var sPwd = Aes_Crypto.DecryptStringAES(Object_Fido_Configs.GetAsString("fido.detectors.bit9.pwd", null), sAcekDecode);
var sBit9Server = Object_Fido_Configs.GetAsString("fido.detectors.bit9.server", null);
var sDB = Object_Fido_Configs.GetAsString("fido.detectors.bit9.db", null);
var oBit9Return = new object[4];
var lHostInfo = new List <string>();
try
{
//todo: encrypt and retrived these values from DB.
var vConnection = new SqlConnection("user id=" + sUserID + ";password="******";Server=" + sBit9Server + ",1433;Integrated Security=sspi;Database=" + sDB + ";connection timeout=10");
//todo: SQL injection. Store query in database and modify variables when retrieving
var sQuery = "SELECT [Computer_Name],[IP_Address], [Executed], [Deleted] FROM [das].[dbo].[Fido_FileInstanceInfo] Where MD5 = '" + sMD5 + "'";
using (var cmd = new SqlCommand(sQuery, vConnection)
{
CommandType = CommandType.Text
})
{
vConnection.Open();
using (var objReader = cmd.ExecuteReader())
{
if (objReader.HasRows)
{
while (objReader.Read())
{
var quant = objReader.GetSqlValues(oBit9Return);
if (oBit9Return.GetValue(0) != null)
{
lHostInfo.Add(oBit9Return.GetValue(0) + "," + oBit9Return.GetValue(1) + "," + oBit9Return.GetValue(2) + "," + oBit9Return.GetValue(3));
}
}
}
}
}
}
catch (Exception e)
{
Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught retrieving host information from Bit9:" + e);
}
return(lHostInfo);
}
//This is the detector call for bit9. Its purpose is to get
//the most recent hashes (last 60 secs (or so)) and parse them
//over to our security feeds. If the security feeds find
//relevant information get hostname/ip and call TheDirector.
public static void GetEvents()
{
var lFidoReturnValues = new FidoReturnValues();
try
{
Console.WriteLine(@"Running Bit9 detector.");
var sAcekDecode = Object_Fido_Configs.GetAsString("fido.detectors.bit9.acek", null);
sAcekDecode = Aes_Crypto.DecryptStringAES(sAcekDecode, "1");
var sUserID = Aes_Crypto.DecryptStringAES(Object_Fido_Configs.GetAsString("fido.detectors.bit9.userid", null), sAcekDecode);
var sPwd = Aes_Crypto.DecryptStringAES(Object_Fido_Configs.GetAsString("fido.detectors.bit9.pwd", null), sAcekDecode);
var sBit9Server = Object_Fido_Configs.GetAsString("fido.detectors.bit9.server", null);
var sDb = Object_Fido_Configs.GetAsString("fido.detectors.bit9.db", null);
var sBit9DetectorQuery = Object_Fido_Configs.GetAsString("fido.detectors.bit9.query", null);
var sTempConn = Object_Fido_Configs.GetAsString("fido.detectors.bit9.connectionstring", null);
var replacements = new Dictionary <string, string>
{
{ "sUserID", sUserID },
{ "sPwd", sPwd },
{ "sBit9Server", sBit9Server },
{ "sDB", sDb }
};
//sTempConn = replacements.Aggregate(sTempConn, (current, srep) => current.Replace(srep.Key, srep.Value));
//todo: SQL injection. really? this was the best you could think of? remove this and do it properly.
var vConnection = new SqlConnection("user id=" + sUserID + ";password="******";Server=" + sBit9Server + ",1433;Integrated Security=sspi;Database=" + sDb + ";connection timeout=60");
var sqlCmd = new SqlCommand(sBit9DetectorQuery, vConnection)
{
CommandType = CommandType.Text
};
var lBit9Hash = new List <string>();
vConnection.Open();
using (var objReader = sqlCmd.ExecuteReader())
{
if (objReader.HasRows)
{
Console.WriteLine(@"New hashes found...");
while (objReader.Read())
{
var oBit9Return = new object[objReader.FieldCount];
var quant = objReader.GetSqlValues(oBit9Return);
if (oBit9Return.GetValue(4) != null)
{
lBit9Hash.Add(oBit9Return.GetValue(4).ToString());
}
}
}
}
if (lBit9Hash.Count == 0)
{
return;
}
Console.WriteLine(@"Processing " + lBit9Hash.Count().ToString(CultureInfo.InvariantCulture) + @" hashes.");
var aryBit9Hash = lBit9Hash.ToArray();
lFidoReturnValues.Hash = lBit9Hash;
//todo: write additional code to include other threat feeds.
var vtReturn = Feeds_VirusTotal.ParseHash(aryBit9Hash);
if (!vtReturn.Any())
{
return;
}
//todo: if return is 'not seen before' right helper function to upload file to threat feed.
foreach (var vtEntry in vtReturn)
{
if (vtEntry.Positives <= 0)
{
continue;
}
var sHostInfo = GetHost(vtEntry.Resource);
foreach (var sHostInfoList in sHostInfo)
{
var sSingleHostInfo = sHostInfoList.Split(',');
var sHostName = sSingleHostInfo[0].Split('\\');
//todo: need to write second tree for when file hasn't
//executed, but does still exist on the system,
//sSingleHostInfo[1].ToLower() == "yes"
if (sSingleHostInfo[2].ToLower() != "yes")
{
continue;
}
if (lFidoReturnValues.Bit9 == null)
{
lFidoReturnValues.Bit9 = new Bit9ReturnValues();
}
if (lFidoReturnValues.Bit9.VTReport == null)
{
lFidoReturnValues.Bit9.VTReport = new List <FileReport>();
}
lFidoReturnValues.IsHostKnown = true;
lFidoReturnValues.Hostname = sHostName[1];
lFidoReturnValues.SrcIP = sSingleHostInfo[1];
lFidoReturnValues.Bit9.HostName = sSingleHostInfo[0];
lFidoReturnValues.Bit9.VTReport.Add(vtEntry);
lFidoReturnValues.Bit9.FileExecuted = sSingleHostInfo[2];
lFidoReturnValues.Bit9.FileDeleted = sSingleHostInfo[3];
lFidoReturnValues.CurrentDetector = "bit9";
lFidoReturnValues.MalwareType = "Malicious file";
lFidoReturnValues.IsTargetOS = true;
lFidoReturnValues.DstIP = string.Empty;
var lMD5 = new List <string> {
vtEntry.MD5
};
lMD5 = GetFileInfo(lMD5, lFidoReturnValues.Bit9);
lFidoReturnValues.Bit9.FileName = lMD5[5] + @"\" + lMD5[6];
lFidoReturnValues.Bit9.FileThreat = lMD5[51];
lFidoReturnValues.Bit9.FileTrust = lMD5[50];
//lFidoReturnValues.Hash = new List<FileReport> {vtEntry.MD5};
Console.WriteLine(@"Malicious hashes found... continue to process.");
TheDirector.Direct(lFidoReturnValues);
}
}
vConnection.Close();
Console.WriteLine(@"Exiting Bit9 detector.");
}
catch (Exception e)
{
// Get stack trace for the exception with source file information
var st = new StackTrace(e, true);
// Get the top stack frame
var frame = st.GetFrame(0);
// Get the line number from the stack frame
var line = frame.GetFileLineNumber();
Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught retrieving alerts from Bit9 on line " + line + ":" + e);
}
}
//ReadEmail is the handler for email based detectors. It is designed
//to retrieve email from a configured email service and parse the alerts
public static void ReadEmail(string sVendor, string sFolderName, string sFolderNameTest, string sDetectorEmail, bool isParamTest)
{
switch (sVendor)
{
//Outlook based email plugin which requires the Outlook client to be installed.
case "outlook":
#region Microsoft Outlook Plugin
//try
//{
// //Setup connection information to mailstore
// //If logon information is null then mailstore must be open already
// //var oApp = new Microsoft.Office.Interop.Outlook.Application();
// //var sFolder = new Microsoft.Office.Interop.Outlook.Folder(sFolderName);
// //var oNameSpace = oApp.GetNamespace("MAPI");
// //oNameSpace.Logon(null, null, true, true);
// //var oInboxFolder = oNameSpace.GetDefaultFolder(Microsoft.Office.Interop.Outlook.OlDefaultFolders.olFolderInbox);
// //Outlook.Folder oFolder = oInboxFolder.Folder[sFolderName];
// //logging
// //Logging_Fido.Main.RunLogging("Running FIDO on file " + sFolderName);
// ////attach to folder and for each item in the folder then loop. During loop assign subject, body and detect malware type
// //foreach (var item in sFolder.Items)
// //{
// // var oMailItem = item as Microsoft.Office.Interop.Outlook._MailItem;
// // if (oMailItem != null)
// // {
// // var sMessageBody = oMailItem.Body;
// // }
// // if (oMailItem != null)
// // {
// // var sSubject = oMailItem.Subject;
// // }
// //List<string> sERet = scan_email(sSubject, sMessageBody, sFolderName);
// // if (sERet.First() == "Test Email")
// // {
// // oMailItem.Delete();
// // }
// // else
// // {
// // fido.Form1.Run_FIDO(sMessageBody, sERet, "fubar", false, false, true, sVendor);//MalwareType
// // oMailItem.Delete();
// // }
// }
#endregion
//}
//catch (Exception e)
//{
// Fido_Modules.Fido.Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Outlook emailreceive area:" + e);
//}
break;
case "exchange":
#region Microsoft Exchange Plugin
//still need to build out direct Exchange access
#endregion
break;
//IMAP based email plugin which has been verified to work with Gmail
case "imap":
#region IMAP Plugin
try
{
//get encrypted password and decrypt
//then login
var sfidoemail = Object_Fido_Configs.GetAsString("fido.email.fidoemail", null);
var sfidopwd = Object_Fido_Configs.GetAsString("fido.email.fidopwd", null);
var sfidoacek = Object_Fido_Configs.GetAsString("fido.email.fidoacek", null);
var sImapServer = Object_Fido_Configs.GetAsString("fido.email.imapserver", null);
var iImapPort = Object_Fido_Configs.GetAsInt("fido.email.imapport", 0);
sfidoacek = Aes_Crypto.DecryptStringAES(sfidoacek, "1");
sfidopwd = Aes_Crypto.DecryptStringAES(sfidopwd, sfidoacek);
IImapClient gLogin = new ImapClient(sImapServer, iImapPort, sfidoemail, sfidopwd, AuthMethod.Login, true);
var sSeperator = new[] { "," };
gLogin.DefaultMailbox = isParamTest ? sFolderNameTest : sFolderName;
var listUids = new List <uint>();
//seperate out list of email addresses handed to emailreceive
//then run query based on each email from the specified folder
//and finally convert to array
string[] aryInboxSearch = sDetectorEmail.Split(sSeperator, StringSplitOptions.RemoveEmptyEntries);
foreach (var search in aryInboxSearch)
{
listUids.AddRange(gLogin.Search(SearchCondition.From(search)).ToList());
}
var uids = listUids.ToArray();
uids = uids.Take(50).ToArray();
var msg = gLogin.GetMessages(uids);
var mailMessages = msg as MailMessage[] ?? msg.ToArray();
for (var i = 0; i < mailMessages.Count(); i++)
{
var sMessageBody = mailMessages[i].Body;
var sSubject = mailMessages[i].Subject;
var sERet = ScanEmail(sSubject, sMessageBody, sFolderName, isParamTest);
if (sERet == "Test Email")
{
Console.WriteLine(@"Test email found, putting in processed folder.");
gLogin.MoveMessage(uids[i], "Processed");
}
else
{
Console.WriteLine(@"Finished processing email alert, puttig in processed folder.");
gLogin.MoveMessage(uids[i], "Processed");
}
}
#endregion
}
catch (Exception e)
{
Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in IMAP emailreceive area:" + e);
}
Console.WriteLine(@"Finished processing email alerts.");
break;
}
}
