public static List <string> GetFileInfo(IEnumerable <string> lFileHash, Bit9ReturnValues lBit9ReturnValues) { var lBit9Info = new List <string>(); var oBit9Return = new object[69]; var sAcekDecode = Object_Fido_Configs.GetAsString("fido.detectors.bit9.acek", null); sAcekDecode = Aes_Crypto.DecryptStringAES(sAcekDecode, "1"); var sUserID = Aes_Crypto.DecryptStringAES(Object_Fido_Configs.GetAsString("fido.detectors.bit9.userid", null), sAcekDecode); var sPwd = Aes_Crypto.DecryptStringAES(Object_Fido_Configs.GetAsString("fido.detectors.bit9.pwd", null), sAcekDecode); var sBit9Server = Object_Fido_Configs.GetAsString("fido.detectors.bit9.server", null); var sDb = Object_Fido_Configs.GetAsString("fido.detectors.bit9.db", null); try { //todo: take connection string and encrypt to put in XML config var vConnection = new SqlConnection("user id=" + sUserID + ";password="******";Server=" + sBit9Server + ",1433;Integrated Security=sspi;Database=" + sDb + ";connection timeout=60"); if (lFileHash != null) { //todo: SQL injection. Store query in database and fill variables when retrieving foreach (var CMD in lFileHash.Select(sFileHash => "SELECT * FROM [das].[dbo].[Fido_FileInstanceInfo] WHERE MD5 = '" + sFileHash + "'").Select(sQuery => new SqlCommand(sQuery, vConnection))) { CMD.CommandType = CommandType.Text; ReadBit9Info(vConnection, CMD, oBit9Return, lBit9Info); } } else if (lBit9ReturnValues != null) { //todo: SQL injection. Store query in database and fill values when retrieving var sQuery = "SELECT * FROM [das].[dbo].[Fido_FileInstanceInfo] WHERE FILE_NAME = '" + lBit9ReturnValues.FileName.ToLower() + "' AND Path_Name = '" + lBit9ReturnValues.FilePath.ToLower() + "' AND Computer_Name = '" + lBit9ReturnValues.HostName + "'"; var CMD = new SqlCommand(sQuery, vConnection) { CommandType = CommandType.Text }; ReadBit9Info(vConnection, CMD, oBit9Return, lBit9Info); } //if no count then no hash information exists if (lBit9Info.Count != 0) { } } catch (Exception e) { Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught retrieving file information from Bit9:" + e); } return(lBit9Info); }
//if getevents is positive, get machine name and IP private static IEnumerable <string> GetHost(string sMD5) { var sAcekDecode = Object_Fido_Configs.GetAsString("fido.detectors.bit9.acek", null); sAcekDecode = Aes_Crypto.DecryptStringAES(sAcekDecode, "1"); var sUserID = Aes_Crypto.DecryptStringAES(Object_Fido_Configs.GetAsString("fido.detectors.bit9.userid", null), sAcekDecode); var sPwd = Aes_Crypto.DecryptStringAES(Object_Fido_Configs.GetAsString("fido.detectors.bit9.pwd", null), sAcekDecode); var sBit9Server = Object_Fido_Configs.GetAsString("fido.detectors.bit9.server", null); var sDB = Object_Fido_Configs.GetAsString("fido.detectors.bit9.db", null); var oBit9Return = new object[4]; var lHostInfo = new List <string>(); try { //todo: encrypt and retrived these values from DB. var vConnection = new SqlConnection("user id=" + sUserID + ";password="******";Server=" + sBit9Server + ",1433;Integrated Security=sspi;Database=" + sDB + ";connection timeout=10"); //todo: SQL injection. Store query in database and modify variables when retrieving var sQuery = "SELECT [Computer_Name],[IP_Address], [Executed], [Deleted] FROM [das].[dbo].[Fido_FileInstanceInfo] Where MD5 = '" + sMD5 + "'"; using (var cmd = new SqlCommand(sQuery, vConnection) { CommandType = CommandType.Text }) { vConnection.Open(); using (var objReader = cmd.ExecuteReader()) { if (objReader.HasRows) { while (objReader.Read()) { var quant = objReader.GetSqlValues(oBit9Return); if (oBit9Return.GetValue(0) != null) { lHostInfo.Add(oBit9Return.GetValue(0) + "," + oBit9Return.GetValue(1) + "," + oBit9Return.GetValue(2) + "," + oBit9Return.GetValue(3)); } } } } } } catch (Exception e) { Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught retrieving host information from Bit9:" + e); } return(lHostInfo); }
//This is the detector call for bit9. Its purpose is to get //the most recent hashes (last 60 secs (or so)) and parse them //over to our security feeds. If the security feeds find //relevant information get hostname/ip and call TheDirector. public static void GetEvents() { var lFidoReturnValues = new FidoReturnValues(); try { Console.WriteLine(@"Running Bit9 detector."); var sAcekDecode = Object_Fido_Configs.GetAsString("fido.detectors.bit9.acek", null); sAcekDecode = Aes_Crypto.DecryptStringAES(sAcekDecode, "1"); var sUserID = Aes_Crypto.DecryptStringAES(Object_Fido_Configs.GetAsString("fido.detectors.bit9.userid", null), sAcekDecode); var sPwd = Aes_Crypto.DecryptStringAES(Object_Fido_Configs.GetAsString("fido.detectors.bit9.pwd", null), sAcekDecode); var sBit9Server = Object_Fido_Configs.GetAsString("fido.detectors.bit9.server", null); var sDb = Object_Fido_Configs.GetAsString("fido.detectors.bit9.db", null); var sBit9DetectorQuery = Object_Fido_Configs.GetAsString("fido.detectors.bit9.query", null); var sTempConn = Object_Fido_Configs.GetAsString("fido.detectors.bit9.connectionstring", null); var replacements = new Dictionary <string, string> { { "sUserID", sUserID }, { "sPwd", sPwd }, { "sBit9Server", sBit9Server }, { "sDB", sDb } }; //sTempConn = replacements.Aggregate(sTempConn, (current, srep) => current.Replace(srep.Key, srep.Value)); //todo: SQL injection. really? this was the best you could think of? remove this and do it properly. var vConnection = new SqlConnection("user id=" + sUserID + ";password="******";Server=" + sBit9Server + ",1433;Integrated Security=sspi;Database=" + sDb + ";connection timeout=60"); var sqlCmd = new SqlCommand(sBit9DetectorQuery, vConnection) { CommandType = CommandType.Text }; var lBit9Hash = new List <string>(); vConnection.Open(); using (var objReader = sqlCmd.ExecuteReader()) { if (objReader.HasRows) { Console.WriteLine(@"New hashes found..."); while (objReader.Read()) { var oBit9Return = new object[objReader.FieldCount]; var quant = objReader.GetSqlValues(oBit9Return); if (oBit9Return.GetValue(4) != null) { lBit9Hash.Add(oBit9Return.GetValue(4).ToString()); } } } } if (lBit9Hash.Count == 0) { return; } Console.WriteLine(@"Processing " + lBit9Hash.Count().ToString(CultureInfo.InvariantCulture) + @" hashes."); var aryBit9Hash = lBit9Hash.ToArray(); lFidoReturnValues.Hash = lBit9Hash; //todo: write additional code to include other threat feeds. var vtReturn = Feeds_VirusTotal.ParseHash(aryBit9Hash); if (!vtReturn.Any()) { return; } //todo: if return is 'not seen before' right helper function to upload file to threat feed. foreach (var vtEntry in vtReturn) { if (vtEntry.Positives <= 0) { continue; } var sHostInfo = GetHost(vtEntry.Resource); foreach (var sHostInfoList in sHostInfo) { var sSingleHostInfo = sHostInfoList.Split(','); var sHostName = sSingleHostInfo[0].Split('\\'); //todo: need to write second tree for when file hasn't //executed, but does still exist on the system, //sSingleHostInfo[1].ToLower() == "yes" if (sSingleHostInfo[2].ToLower() != "yes") { continue; } if (lFidoReturnValues.Bit9 == null) { lFidoReturnValues.Bit9 = new Bit9ReturnValues(); } if (lFidoReturnValues.Bit9.VTReport == null) { lFidoReturnValues.Bit9.VTReport = new List <FileReport>(); } lFidoReturnValues.IsHostKnown = true; lFidoReturnValues.Hostname = sHostName[1]; lFidoReturnValues.SrcIP = sSingleHostInfo[1]; lFidoReturnValues.Bit9.HostName = sSingleHostInfo[0]; lFidoReturnValues.Bit9.VTReport.Add(vtEntry); lFidoReturnValues.Bit9.FileExecuted = sSingleHostInfo[2]; lFidoReturnValues.Bit9.FileDeleted = sSingleHostInfo[3]; lFidoReturnValues.CurrentDetector = "bit9"; lFidoReturnValues.MalwareType = "Malicious file"; lFidoReturnValues.IsTargetOS = true; lFidoReturnValues.DstIP = string.Empty; var lMD5 = new List <string> { vtEntry.MD5 }; lMD5 = GetFileInfo(lMD5, lFidoReturnValues.Bit9); lFidoReturnValues.Bit9.FileName = lMD5[5] + @"\" + lMD5[6]; lFidoReturnValues.Bit9.FileThreat = lMD5[51]; lFidoReturnValues.Bit9.FileTrust = lMD5[50]; //lFidoReturnValues.Hash = new List<FileReport> {vtEntry.MD5}; Console.WriteLine(@"Malicious hashes found... continue to process."); TheDirector.Direct(lFidoReturnValues); } } vConnection.Close(); Console.WriteLine(@"Exiting Bit9 detector."); } catch (Exception e) { // Get stack trace for the exception with source file information var st = new StackTrace(e, true); // Get the top stack frame var frame = st.GetFrame(0); // Get the line number from the stack frame var line = frame.GetFileLineNumber(); Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught retrieving alerts from Bit9 on line " + line + ":" + e); } }
//ReadEmail is the handler for email based detectors. It is designed //to retrieve email from a configured email service and parse the alerts public static void ReadEmail(string sVendor, string sFolderName, string sFolderNameTest, string sDetectorEmail, bool isParamTest) { switch (sVendor) { //Outlook based email plugin which requires the Outlook client to be installed. case "outlook": #region Microsoft Outlook Plugin //try //{ // //Setup connection information to mailstore // //If logon information is null then mailstore must be open already // //var oApp = new Microsoft.Office.Interop.Outlook.Application(); // //var sFolder = new Microsoft.Office.Interop.Outlook.Folder(sFolderName); // //var oNameSpace = oApp.GetNamespace("MAPI"); // //oNameSpace.Logon(null, null, true, true); // //var oInboxFolder = oNameSpace.GetDefaultFolder(Microsoft.Office.Interop.Outlook.OlDefaultFolders.olFolderInbox); // //Outlook.Folder oFolder = oInboxFolder.Folder[sFolderName]; // //logging // //Logging_Fido.Main.RunLogging("Running FIDO on file " + sFolderName); // ////attach to folder and for each item in the folder then loop. During loop assign subject, body and detect malware type // //foreach (var item in sFolder.Items) // //{ // // var oMailItem = item as Microsoft.Office.Interop.Outlook._MailItem; // // if (oMailItem != null) // // { // // var sMessageBody = oMailItem.Body; // // } // // if (oMailItem != null) // // { // // var sSubject = oMailItem.Subject; // // } // //List<string> sERet = scan_email(sSubject, sMessageBody, sFolderName); // // if (sERet.First() == "Test Email") // // { // // oMailItem.Delete(); // // } // // else // // { // // fido.Form1.Run_FIDO(sMessageBody, sERet, "fubar", false, false, true, sVendor);//MalwareType // // oMailItem.Delete(); // // } // } #endregion //} //catch (Exception e) //{ // Fido_Modules.Fido.Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Outlook emailreceive area:" + e); //} break; case "exchange": #region Microsoft Exchange Plugin //still need to build out direct Exchange access #endregion break; //IMAP based email plugin which has been verified to work with Gmail case "imap": #region IMAP Plugin try { //get encrypted password and decrypt //then login var sfidoemail = Object_Fido_Configs.GetAsString("fido.email.fidoemail", null); var sfidopwd = Object_Fido_Configs.GetAsString("fido.email.fidopwd", null); var sfidoacek = Object_Fido_Configs.GetAsString("fido.email.fidoacek", null); var sImapServer = Object_Fido_Configs.GetAsString("fido.email.imapserver", null); var iImapPort = Object_Fido_Configs.GetAsInt("fido.email.imapport", 0); sfidoacek = Aes_Crypto.DecryptStringAES(sfidoacek, "1"); sfidopwd = Aes_Crypto.DecryptStringAES(sfidopwd, sfidoacek); IImapClient gLogin = new ImapClient(sImapServer, iImapPort, sfidoemail, sfidopwd, AuthMethod.Login, true); var sSeperator = new[] { "," }; gLogin.DefaultMailbox = isParamTest ? sFolderNameTest : sFolderName; var listUids = new List <uint>(); //seperate out list of email addresses handed to emailreceive //then run query based on each email from the specified folder //and finally convert to array string[] aryInboxSearch = sDetectorEmail.Split(sSeperator, StringSplitOptions.RemoveEmptyEntries); foreach (var search in aryInboxSearch) { listUids.AddRange(gLogin.Search(SearchCondition.From(search)).ToList()); } var uids = listUids.ToArray(); uids = uids.Take(50).ToArray(); var msg = gLogin.GetMessages(uids); var mailMessages = msg as MailMessage[] ?? msg.ToArray(); for (var i = 0; i < mailMessages.Count(); i++) { var sMessageBody = mailMessages[i].Body; var sSubject = mailMessages[i].Subject; var sERet = ScanEmail(sSubject, sMessageBody, sFolderName, isParamTest); if (sERet == "Test Email") { Console.WriteLine(@"Test email found, putting in processed folder."); gLogin.MoveMessage(uids[i], "Processed"); } else { Console.WriteLine(@"Finished processing email alert, puttig in processed folder."); gLogin.MoveMessage(uids[i], "Processed"); } } #endregion } catch (Exception e) { Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in IMAP emailreceive area:" + e); } Console.WriteLine(@"Finished processing email alerts."); break; } }