PowerShell – Regin Malware Detection


The IT press has been full of stories about Symantec’s discovery of the Regin malware threat. Symantec have released a security response about the threat (http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/regin-analysis.pdf) which includes MD5 file hashes, registry locations and known file locations associated with the malware. I needed a means of detecting its presence on our network, so after seeing a post on Twitter from @jsnover I thought I would expand on the MD5 file check to include the known file locations and registry items, and compile the results into a text file stored on a central file share for review.

Note that for best results you should run the PS script under the local system account. You will also need these three files (rename them from .doc to .txt):
Files
MD5Signatures
Registry
The files should be placed in the location specified as $ReginSourceFiles.

Note that the script and source files are provided without support and should be used at your own risk. Details of the registry entries, MD5 hashes and file locations are taken from Symantec’s Regin analysis report.

<#
	.NOTES
	===========================================================================
	 Created by:   	Maurice Daly
	 Filename:    ReginDetect.ps1
	===========================================================================
	.DESCRIPTION
		PowerShell script to scan for known registry entries, file names and MD5 hashes
		associated with the Regin malware threat. Results are uploaded to a
		central file share.
#>

$ErrorActionPreference = "SilentlyContinue"
$ReginSourceFiles = "\\YOURSERVER\YOURSHARE\ReginSourceFiles"
$ReginResults = "\\YOURSERVER\YOURSHARE\ReginResults"
$ReginTemp = 'C:\Temp\ReginScan'

# Create the local working folder first, then copy the three indicator lists into it
If (!(Test-Path -Path $ReginTemp))
{
	New-Item -ItemType Directory -Path $ReginTemp | Out-Null
}
Get-ChildItem -Path $ReginSourceFiles -Filter *.txt | Copy-Item -Destination $ReginTemp

# Indicator lists taken from the Symantec report, one entry per line (whitespace trimmed, blank lines ignored)
$MD5Values = Get-Content "$ReginTemp\MD5Signatures.txt" | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne "" }
$RegValues = Get-Content "$ReginTemp\Registry.txt" | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne "" }
$FileValues = Get-Content "$ReginTemp\Files.txt" | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne "" }
Clear-Host

# Checking for Registry entries
Write-Host -ForegroundColor 'White' "Regin Scanning Tool"
Write-Host -ForegroundColor 'Cyan' "Checking Registry for Regin entries"
$RegistryDetection = foreach ($RegEntry in $RegValues)
{
	Write-Progress -Id 1 -Activity "Scanning Registry Hive" -Status "Checking for $RegEntry"
	# Registry paths in the list use PowerShell provider form, e.g. HKLM:\SOFTWARE\...
	if (Test-Path -Path $RegEntry)
	{
		Write-Output "Regin registry entry found - $RegEntry"
	}
}
Start-Sleep -Seconds 2

# Checking for known files
Write-Host -ForegroundColor 'White' "Commencing known file name scan."

$KnownFileDetection = foreach ($KnownFile in $FileValues)
{
	Write-Progress -Id 1 -Activity "Scanning Known Files" -Status "Scanning $KnownFile"
	if (Test-Path -Path $KnownFile)
	{
		Write-Output "Known Regin file found at $KnownFile"
	}
}
Start-Sleep -Seconds 2

# Check entire drive for MD5 hash values
Clear-Host
Write-Host -ForegroundColor 'White' "Commencing MD5 file hash scan, this might take several hours."
# Regular files only (directories cannot be hashed), hidden files included, empty files skipped
$FilesToScan = @(Get-ChildItem -Path C:\ -Recurse -File -Force | Where-Object { $_.Length -gt 0 })
$Scanned = 0
$FileDetection = foreach ($File in $FilesToScan)
{
	$Scanned++
	Write-Progress -Id 1 -Activity "Scanning Files & Folders" -Status "Scanning $($File.FullName)" -PercentComplete ([int](100 * $Scanned / $FilesToScan.Count))
	# Get-FileHash returns an object; compare its Hash property against the list (-in is case-insensitive)
	$Hash = (Get-FileHash -LiteralPath $File.FullName -Algorithm MD5).Hash
	if ($Hash -and ($Hash -in $MD5Values))
	{
		Write-Output "Regin MD5 file hash found - $($File.FullName) ($Hash)"
	}
}

Clear-Host
Write-Host -ForegroundColor 'Green' "Scanning Complete"
Write-Host ""
If ($RegistryDetection -or $KnownFileDetection -or $FileDetection)
{
	Clear-Host
	Write-Host -BackgroundColor 'White' -ForegroundColor 'Red' "Regin elements have been found on workstation $env:COMPUTERNAME"
	# Collect the findings so the same list is shown on screen and written to the share
	$Result = @()
	If ($RegistryDetection)
	{
		Write-Host ""
		Write-Host -ForegroundColor 'White' -BackgroundColor 'Red' "Registry entries detected at the following locations:"
		$RegistryDetection
		$Result += $RegistryDetection
	}
	If ($KnownFileDetection)
	{
		Write-Host ""
		Write-Host -ForegroundColor 'White' -BackgroundColor 'Red' "Known files detected at the following locations:"
		$KnownFileDetection
		$Result += $KnownFileDetection
	}
	If ($FileDetection)
	{
		Write-Host ""
		Write-Host -ForegroundColor 'White' -BackgroundColor 'Red' "MD5 hash matches detected at the following locations:"
		$FileDetection
		$Result += $FileDetection
		Write-Host ""
	}
	$Result | Out-File -FilePath ("$ReginResults\" + $env:COMPUTERNAME + ".txt") -Force
	Write-Host ""
	Write-Host "Results uploaded to $ReginResults"
}
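An added example (my own code, not part of the original post or script) showing the MD5 sweep done with a hash set and structured output: indicator hashes are validated and stored in a HashSet for constant-time lookups, only regular non-empty files are hashed, unreadable files are skipped individually rather than silenced globally, and each match is returned as an object that can be exported as CSV to the results share. Find-HashMatch, its parameter names and the paths in the usage lines are assumptions.

```powershell
function Find-HashMatch {
	[CmdletBinding()]
	param(
		# Root folder to sweep (the post scans the whole of C:\)
		[Parameter(Mandatory = $true)] [string] $Path,
		# Indicator hashes, one per line, as listed in the Symantec report
		[Parameter(Mandatory = $true)] [string[]] $Md5List,
		# Upper size bound: very large files are skipped to keep the sweep tractable
		[long] $MaxBytes = 200MB
	)
	# HashSet gives O(1) lookups; values are stored upper-case so matching is case-insensitive
	$set = New-Object 'System.Collections.Generic.HashSet[string]'
	foreach ($h in $Md5List) {
		$h = $h.Trim()
		# Keep only well-formed 32-character hex strings; blank lines and comments are ignored
		if ($h -match '^[0-9A-Fa-f]{32}$') { [void]$set.Add($h.ToUpperInvariant()) }
	}
	# Regular, non-empty files only; hidden/system files included; unreadable files are skipped
	Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
		Where-Object { $_.Length -gt 0 -and $_.Length -le $MaxBytes } |
		ForEach-Object {
			$file = $_
			try {
				$hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm MD5 -ErrorAction Stop).Hash
			} catch {
				Write-Verbose "Could not hash $($file.FullName): $_"
				return   # skip to the next file
			}
			if ($set.Contains($hash.ToUpperInvariant())) {
				# One structured record per match, ready for Export-Csv or a SIEM
				[pscustomobject]@{
					Computer = $env:COMPUTERNAME
					Md5      = $hash
					Location = $file.FullName
					Seen     = (Get-Date).ToString('s')
				}
			}
		}
}

# Constructed usage (placeholder paths): sweep C:\ and write one CSV per host to the share
$hits = @(Find-HashMatch -Path 'C:\' -Md5List (Get-Content 'C:\Temp\ReginScan\MD5Signatures.txt'))
if ($hits.Count -gt 0) {
	$hits | Export-Csv -Path "\\YOURSERVER\YOURSHARE\ReginResults\$env:COMPUTERNAME.csv" -NoTypeInformation
} else {
	Write-Host "No known Regin hashes found on $env:COMPUTERNAME"
}
```

Exact-hash matching only catches the specific samples listed in the report; a modified binary has a different MD5, so a clean sweep means no known samples were found, not that the host is free of the threat.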
