Monday, 15 August 2016

Cryptolocker & Ransomware Viruses - Information, Recovery & Prevention

One of the biggest banes of today's IT professionals is a relatively new breed of virus called "Cryptolocker". It is a type of ransomware that essentially takes your files hostage by encrypting them (once they are encrypted, you are unable to view or access them). The virus creator then demands payment for the "key" to decrypt these files.

These viruses are incredibly nasty, and it seems that most antivirus applications cannot stop them, or simply cannot keep up with the increasing number of variants of the virus. Given the money that antivirus companies charge for their applications, I'm not sure why they still seem unable to combat them, and find it frustrating that they don't.

So how do you get infected with a cryptolocker/ransomware virus? In most cases users are tricked into running an application that contains the malicious code that encrypts your files. The application is normally sent as an attachment, or as a link/URL pointing to the application, cleverly disguised as something else.

Some of the emails I've seen claim to be from Australia Post, advising of a missed parcel delivery; from AGL, sending you a link to your latest "Electricity Bill"; or from the Australian Federal Police, with a link to a supposed speeding fine. Of course the best defence to these sorts of things is vigilance and common sense, and simply not opening these emails. Scrutinise everything is my best tip. There are normally a few things you can check/test if you're unsure about the legitimacy of an email you've received;

1. Emails sent from large companies like Australia Post, or AGL, will have a "From" address that contains their business name (eg. notifications@australiapost.com.au, or billing@agl.com.au). These cryptolocker emails will not have these full email addresses (see example below).



2. As I mentioned, common sense also plays a big part. Were/are you expecting a parcel/delivery from Australia Post? In Australia, speeding fines aren't issued via email, and they certainly aren't issued by the Australian Federal Police. And is AGL even your electricity provider? If you're not sure, you can always call these companies directly to check. A single phone call could save you a lot of time, money and heartache.

3. The emails will often have spelling or grammar mistakes, which is a sure sign they are not legitimate.

If you do get infected with one of these encryption viruses, in my experience it is unlikely (though not impossible) that you'll be able to get your files back, unless you are able to restore from a backup. Chances are that by the time you realise you've been infected, all the files on your computer will be encrypted and no longer accessible.

You can quickly tell because the extension of the encrypted files will change to .encrypted or .enc. A popup message will usually appear as well, advising you that your files have been encrypted, and will provide a link/instructions on how to decrypt your files (via payment to the virus creator). The virus will scan all the files/folders on your computer, as well as any network/shared drives you have access to, and encrypt every file it can find.

Decrypting your files
The following link contains some information/applications you can use to check if your encrypted files are recoverable. As previously stated, there are a large number of "variants" of the cryptolocker virus, some of which are able to be "cracked" using a special utility. You will need a copy of an encrypted file, and the unencrypted version of the same file, in order for the process to complete. You can upload a sample and locate recovery tools (if available) from the below website:

https://id-ransomware.malwarehunterteam.com/identify.php

You can also follow this next link, which has a full, detailed guide on removing cryptolocker, or other ransomware/malware, from your computer if you do get infected. (Note that removing the virus/infection will not decrypt or recover your files.)

https://malwaretips.com/blogs/malware-removal-guide-for-windows/

Backup Strategies
In my next blog post I will be outlining a free and easy way to implement a backup solution on your home laptop/PC. With the low cost of removable storage (eg. USB hard drives), and the increasing amount of personal photos/files stored on computers, a regular computer backup is a must do for all computer users!

Thursday, 27 March 2014

Check/Monitor Website URL with Windows Powershell

Windows Powershell has a built in web request module that you can use to test/check the availability of website URL(s).

The full script to do this is below;

[string] $url = "http://www.google.com"
[net.httpWebRequest] $req = [net.webRequest]::create($url)
$req.method = "HEAD"
[net.httpWebResponse] $res = $req.getresponse()

The first line is self-explanatory - simply put in the full URL for the website you wish to check. In this example we will be checking http://www.google.com

[string] $url = "http://www.google.com"

The second line is where we create the actual web request instance in Powershell - under the $req variable

[net.httpWebRequest] $req = [net.webRequest]::create($url)

On the third line, we change the request method to be "HEAD" which means that only header information for the requested URL is retrieved. This speeds up the web request process as it does not pull all the data from the web URL - only the header information. If you leave this line out, the default method is "GET".

$req.method = "HEAD"

On the last line we actually submit the web request, and store the response in the $res variable

[net.httpWebResponse] $res = $req.getresponse()

For a successful web request, the response should look something like this:

IsMutuallyAuthenticated : False
Cookies                 : {}
Headers                 : {Cache-Control, Content-Type, Date, Expires...}
ContentLength           : -1
ContentEncoding         : 
ContentType             : text/html; charset=ISO-8859-1
CharacterSet            : ISO-8859-1
Server                  : gws
LastModified            : 28/03/2014 10:24:19 AM
StatusCode              : OK
StatusDescription       : OK
ProtocolVersion         : 1.1
ResponseUri             : http://www.google.com.au/?gfe_rd=cr&ei=I7M0U5P_BenC8gfRvIHADg
Method                  : HEAD
IsFromCache             : False

Based on this, you could check the StatusCode or StatusDescription properties of $res to make sure the value matches "OK".

Alternatively, if you enter an invalid URL for a website that doesn't exist, you will get an error, and the value of $res will be $null. The error you get will be something along the lines of;

Exception calling "GetResponse" with "0" argument(s): "The remote server returned an error: (502) Bad Gateway."
At line:4 char:46
+ [net.httpWebResponse] $res = $req.getresponse <<<< ()
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : DotNetMethodException
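Building on the four lines above, here is an added example (my own code, not part of the original post) that checks several URLs in one go and tells apart a server that answered with an HTTP error (such as the 502 shown) from a host that could not be reached at all. The URLs are placeholders, and the function needs PowerShell 3 or later for [ordered].

```powershell
# Check a list of URLs with a HEAD request and report what happened.
# 'Up'          - the server answered 2xx/3xx
# 'HttpError'   - the server answered, but with 4xx/5xx (response object present)
# 'Unreachable' - DNS, connection or timeout failure (no response object at all)
function Test-Url {
    param(
        [Parameter(Mandatory = $true)][string[]] $Url,
        [int] $TimeoutMs = 10000
    )
    foreach ($u in $Url) {
        $result = [ordered]@{ Url = $u; StatusCode = $null; Status = ''; Error = '' }
        $res = $null
        try {
            [net.HttpWebRequest] $req = [net.WebRequest]::Create($u)
            $req.Method = 'HEAD'
            $req.Timeout = $TimeoutMs            # do not hang forever on a dead host
            $req.AllowAutoRedirect = $false      # report the redirect itself, not its target
            $res = $req.GetResponse()
            $result.StatusCode = [int]$res.StatusCode
            $result.Status = 'Up'
        } catch [System.Net.WebException] {
            # PowerShell may hand us the wrapper exception; unwrap to the WebException
            $ex = $_.Exception
            if ($ex -isnot [System.Net.WebException] -and $ex.InnerException) { $ex = $ex.InnerException }
            if ($ex.Response -ne $null) {
                $result.StatusCode = [int]$ex.Response.StatusCode
                $result.Status = 'HttpError'
                $ex.Response.Close()
            } else {
                $result.Status = 'Unreachable'
            }
            $result.Error = $ex.Message
        } finally {
            if ($res -ne $null) { $res.Close() }  # release the connection every time
        }
        New-Object PSObject -Property $result
    }
}

# Usage (placeholder URLs): anything whose Status is not 'Up' is worth alerting on
Test-Url -Url 'http://www.google.com', 'http://does-not-exist.invalid' |
    Format-Table -AutoSize
```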

Tuesday, 25 March 2014

Get Folder Size (including subfolders) in Windows Powershell

The method for obtaining the size of all items within a folder using Windows Powershell is unfortunately not as straight forward as it probably should be. The method outlined below is very useful for querying multiple folders to determine the size of all items inside, including all subfolders and files.

$dir = "C:\temp"
$totaldirsize = (get-childitem $dir -recurse -force | measure-object -property length -sum)

The first variable sets the directory that we wish to query - in this example it is C:\temp.

Next, we use a get-childitem to query the directory. The -recurse and -force switches mean that all sub directories and files are also included. We then pipe the results to measure-object and calculate the length of each child item (which is actually the size in bytes) and use the -sum switch to add them all up.

If you run the above command, and then look at the $totaldirsize variable, you will see something like below;

PS C:\> $totaldirsize

Count    : 38
Average  : 
Sum      : 51652089
Maximum  : 
Minimum  : 
Property : length

So from this we can see there are 38 items in total in the C:\temp directory, and the sum of all files is 51652089 bytes. To make this more useful, we can easily convert this value to KB, MB or GB

$mbsize = $totaldirsize.sum / 1MB

If we now look at $mbsize, we'll usually have a number with a large number of decimal places. In this example, the result I got was 49.2592706680298. So as a final step, I'd like to round this number to 2 decimal places

$mbsize2 = "{0:N2}" -f $mbsize

Now if we look at the value of $mbsize2, the result is 49.26.

You can change the 2 in {0:N2} to any other digit to round the number to that many places after the decimal point.
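Putting the steps above together, here is an added example (my own code, not from the original post) that sizes up several folders in one call, keeps going past folders the current account is not allowed to read, and reports the result in MB. The folder paths are placeholders.

```powershell
# Report file count and size (MB, 2 decimal places) for each folder given.
# Folders that cannot be read (access denied, missing path) are counted in
# SkippedErrors instead of aborting the whole run.
function Get-FolderSize {
    param([Parameter(Mandatory = $true)][string[]] $Path)
    foreach ($dir in $Path) {
        $errs = @()
        # Directories have no Length, so keep only files before measuring
        $files = Get-ChildItem -Path $dir -Recurse -Force `
                     -ErrorAction SilentlyContinue -ErrorVariable errs |
                 Where-Object { -not $_.PSIsContainer }
        $m = $files | Measure-Object -Property Length -Sum
        New-Object PSObject -Property @{
            Path          = $dir
            FileCount     = [int]$m.Count
            SizeMB        = [math]::Round(([double]$m.Sum / 1MB), 2)
            SkippedErrors = $errs.Count
        }
    }
}

# Usage (placeholder paths)
Get-FolderSize -Path 'C:\temp', 'C:\Windows\Temp' |
    Select-Object Path, FileCount, SizeMB, SkippedErrors |
    Format-Table -AutoSize
```

A non-zero SkippedErrors means the SizeMB figure is a lower bound, not the true total.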

Getting Windows Service Properties in Windows Powershell

We can use the get-wmiobject cmdlet in order to retrieve properties of Windows services on local or remote servers.

The query below is an example of how to get the properties of the Print Spooler service on a local machine (ie. the same machine that the script is being executed on).

To get the "Service Name" of a Windows service, go to services.msc, select a service, open its properties (right click > Properties) and look at the "Service Name" at the top.

$serviceprops = get-wmiobject -class win32_service -filter "name='Spooler'"

If we then run $serviceprops we get the following information;

ExitCode  : 0
Name      : Spooler
ProcessId : 1628
StartMode : Auto
State     : Running
Status    : OK

This information could therefore be used to check the respective Windows process ID, start mode, state and status of a service.

The query below is an example of how to get the properties of the Print Spooler service on a remote machine (server1):

$serviceprops = get-wmiobject -computername "server1" -class win32_service -filter "name='Spooler'"

As you can see, the command is mostly the same; we have simply added the argument -computername "server1" to make the get-wmiobject query run on the remote server.

We can then take this one step further and perform an action (aka method) on a service, such as starting or stopping it. To view the available methods for the service, run a get-member on the $serviceprops variable;

$serviceprops | get-member

You will then see a list of available methods (and properties) for the variable.

Two of the most common methods for a service would be to start or stop the service. We simply append the respective methods onto the end of the $serviceprops variable (after it has run the get-wmiobject query above to get the service properties).

To start a service;
$serviceprops.startservice()

To stop a service;
$serviceprops.stopservice()
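Combining the query and the start method above, here is an added example (my own code, not from the original post) that checks one service across several servers and, only when asked, starts it where it is stopped but set to start automatically. The server names are placeholders.

```powershell
# Check a service on several computers. With -Start, services that are
# stopped but have StartMode 'Auto' are started and the result is recorded.
function Repair-AutoService {
    param(
        [Parameter(Mandatory = $true)][string] $Name,
        [string[]] $ComputerName = @('.'),
        [switch]   $Start
    )
    # Escape single quotes so the name cannot break out of the WQL filter
    $wqlName = $Name -replace "'", "\'"
    foreach ($c in $ComputerName) {
        $svc = Get-WmiObject -ComputerName $c -Class Win32_Service `
                   -Filter "Name='$wqlName'" -ErrorAction SilentlyContinue
        if ($svc -eq $null) {
            Write-Warning "$c : service '$Name' not found or host unreachable"
            continue
        }
        $action = 'None'
        if ($svc.State -ne 'Running' -and $svc.StartMode -eq 'Auto') {
            if ($Start) {
                # StartService() returns an object whose ReturnValue is 0 on success
                $rc = $svc.StartService().ReturnValue
                $action = if ($rc -eq 0) { 'Started' } else { "StartFailed($rc)" }
            } else {
                $action = 'NeedsStart'   # report only; rerun with -Start to fix
            }
        }
        New-Object PSObject -Property @{
            Computer  = $c
            Name      = $svc.Name
            State     = $svc.State
            StartMode = $svc.StartMode
            ProcessId = $svc.ProcessId
            Action    = $action
        }
    }
}

# Usage (placeholder server names): review first, then rerun with -Start
Repair-AutoService -Name 'Spooler' -ComputerName 'server1', 'server2' |
    Select-Object Computer, Name, State, StartMode, ProcessId, Action |
    Format-Table -AutoSize
```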

Thursday, 2 May 2013

Adding Multiple Users to 'Accept Messages Only From' - Exchange 2007

Exchange 2007 has a feature that allows restrictions to be placed on a distribution group (I call them "distribution lists", or "DL's") that control who is allowed/permitted to send messages to them.

The Exchange Management Console enables you to search and add individual users to this list, but I found the process can be very slow and tedious, especially if you want to add a large number of users to this list, or want to add users to multiple DL's.

For this reason, I created the below script. Others who may have tried this using a simple "Set-DistributionGroup" command would have found that every time they tried to add a user it replaced any users who were already in the list. This script queries the already existing users and appends/adds the new user onto the already existing list. You will need to provide a list of users either within the script, or by importing a simple .txt file with a list of users you wish to add. For this example, I will use a .txt file.

The .txt file contains a simple list of users with a single name on each line;

firstname.lastname@domain.com
test.user1@domain.com
example.user2@domain.com

And here is the script:

#Name of Distribution Group/List to add user(s) to
$TargetDL = "DL_Test"

#Domain Controller Name - must be used to ensure each user is appended and not replaced.
$DC = "domaincontrollername"

#Import List of Users to add from .txt file
$UserListFile = "C:\UserList.txt"
$UserList = Get-Content $UserListFile

#Cycle through list of users and add them to 'Accept Messages Only From' list for DL
ForEach ($User in $UserList)
{
    Set-DistributionGroup "$TargetDL" -AcceptMessagesOnlyFrom ((Get-DistributionGroup -DomainController "$DC" -identity "$TargetDL").AcceptMessagesOnlyFrom + "$User") -DomainController "$DC"
    Write-Host "$User granted permission to send to $TargetDL"
}


Replace the $TargetDL, $DC, and $UserListFile variables with the relevant information for your Exchange environment.
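As an added example (my own code, not the script from the post), here is the same append done more carefully: each address in the file is resolved with Get-Recipient before it is added, blank lines, duplicates and senders already on the list are skipped, and the group is written once instead of once per user. It assumes the entries in AcceptMessagesOnlyFrom expose a DistinguishedName property, as Get-Recipient results do; $TargetDL, $DC and $UserListFile are placeholders.

```powershell
# Append senders to a distribution group's 'Accept Messages Only From' list,
# validating each address and writing the group a single time.
$TargetDL     = "DL_Test"                 # placeholder
$DC           = "domaincontrollername"    # placeholder
$UserListFile = "C:\UserList.txt"         # placeholder

# Clean the input: trim, drop blank lines, remove duplicates
$wanted = Get-Content $UserListFile |
          ForEach-Object { $_.Trim() } |
          Where-Object { $_ -ne '' } |
          Sort-Object -Unique

# Fetch the current list once, from the same DC we will write to
$group    = Get-DistributionGroup -Identity $TargetDL -DomainController $DC
$existing = @($group.AcceptMessagesOnlyFrom)
$toAdd    = @()

foreach ($addr in $wanted) {
    # Unknown addresses are reported and skipped, not silently added
    $r = Get-Recipient -Identity $addr -DomainController $DC -ErrorAction SilentlyContinue
    if ($r -eq $null) { Write-Warning "Skipping '$addr': not a recipient"; continue }

    $already = $existing | Where-Object { $_.DistinguishedName -eq $r.DistinguishedName }
    if ($already) { Write-Host "$addr is already permitted on $TargetDL"; continue }

    $toAdd += $r.DistinguishedName
}

if ($toAdd.Count -gt 0) {
    # One write: existing entries plus the validated new ones
    Set-DistributionGroup -Identity $TargetDL -DomainController $DC `
        -AcceptMessagesOnlyFrom ($existing + $toAdd)
    Write-Host "$($toAdd.Count) sender(s) granted permission to send to $TargetDL"
} else {
    Write-Host "Nothing to add to $TargetDL"
}
```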

Thursday, 7 February 2013

Querying Exchange Mailboxes with Powershell Pt 2

In my previous blog post, I outlined some methods to query Exchange mailboxes using the get-mailbox cmdlet. Whilst the information obtained using this cmdlet is very useful, it does not contain all the information that is available for an Exchange mailbox.

There is another cmdlet available called Get-MailboxStatistics. It is used/applied in the same way as the Get-Mailbox cmdlet, but contains different fields or properties, and therefore, different information relating to the mailbox.

If you run the command Get-MailboxStatistics -identity "MailboxName" | fl it will display the mailbox statistics for that particular mailbox.

This information includes;

  • Associated item count (ie. number of items within the mailbox)
  • Deleted item count
  • Last logon/logoff time
  • Total size of items
  • Total size of deleted items

So, for a practical example of how you could use this information: let's say you want to query all your mailboxes to identify those that have more than 20,000 items within them. You could run the following command;

Get-Mailboxstatistics | Where {$_.ItemCount -gt "20000"} | Select DisplayName

You could replace $_.ItemCount with any of the other properties that are contained within the Get-MailboxStatistics cmdlet.

If you want the query to return more than just the DisplayName field for objects that match your query, you can add them after DisplayName and separate them with a comma (,), or if you want to return all properties then remove | Select DisplayName altogether.

You can also add | Export-CSV -path "C:\Export.csv" -notype to the end to export your query results to a .csv file.

Monday, 4 February 2013

Querying Exchange Mailboxes with Powershell

Exchange and Powershell go hand in hand - as it is essentially what Exchange is built on top of, and is what the Exchange Management Console (EMC) uses to execute commands you choose through the GUI. (Ever noticed you get the Powershell command line equivalent for commands you execute in EMC?)

One of the most common things an administrator will need to do is query all the mailboxes within the system for certain criteria, which I will explain and breakdown in this blog entry.

The command Get-Mailbox is one of the most useful and powerful commands you can use (for information gathering). It can be used to retrieve all the properties for all the mailboxes in your system, or can be tweaked to only return some of the properties for some of the mailboxes within your system.

If you execute the command Get-Mailbox on its own, you will probably be flooded with 1000 responses, followed by the following warning message;


WARNING: By default only the first 1000 items are returned. To change the number of items returned, specify the parameter "-ResultSize". To return all items specify "-ResultSize Unlimited" (Note: Returning all items may take a very long time and consume a large amount of memory depending on the actual number of items). It is not recommended to store the results in a variable; instead pipe the results to another task or script to perform batch changes

As per the message, the command on its own will only return the first 1000 results. You can change this by adding -ResultSize Unlimited to it, so it would look like this;

Get-Mailbox -ResultSize Unlimited

If you run this command it will run through and display the first few properties for every mailbox within your system. While this can be useful, the command can be further tweaked to run faster and provide more accurate/informative results.

To get all the properties for a single user's mailbox, you can use the following command

Get-Mailbox -Identity "Morrissey, Peter"

You can replace what is between the " " with any identifier for the mailbox - such as Primary SMTP Address, Display Name or Alias.

When you run this command it will only display the first few properties as it is presenting the information in a table format. If you change the command to display in list format (by adding | fl), you get MUCH more information:

Get-Mailbox -Identity "Morrissey, Peter" | fl

Now you can view ALL the properties for an individual user's mailbox. These properties apply to every mailbox within the system, so you can once again modify the Get-Mailbox command to search on any of the properties you see in this list.

For example, if I wanted to query all the mailboxes within my system, and only return those whose 'Name' property contain the text "Peter", I would run the following command

Get-Mailbox -ResultSize Unlimited | Where {$_.Name -like "*Peter*"}

You still need to include -ResultSize Unlimited because, although you aren't expecting more than 1000 results to be returned, you do want the Get-Mailbox command to query more than the first 1000 mailboxes, which it will not do if this is omitted.

You can replace the $_.Name with any of the other properties for a mailbox - it just needs to have the $_. before it.

The -like operator can also be changed to use -eq (equal to) -ne (not equal to) -gt (greater than) -lt (less than) -le (less than or equal to) -ge (greater than or equal to)

Next you can fine tune the properties that you wish to display for each object whose name contains "Peter". Say you want to only display the DisplayName, Alias, Database and PrimarySMTPAddress properties for each of the results. You could use the following line

Get-Mailbox -ResultSize Unlimited | Where {$_.Name -like "*Peter*"} | Select DisplayName, Alias, Database, PrimarySMTPAddress

The benefit of doing this is that by retrieving fewer properties for each object, it speeds up the time it takes for the query to run. It also makes looking through the results much faster as you aren't reading over information you don't need. Once again, you can replace the properties I used with any of the properties available for each mailbox, as we discovered earlier.

Finally, you can export the results of your query to a CSV file

Get-Mailbox -ResultSize Unlimited | Where {$_.Name -like "*Peter*"} | Select DisplayName, Alias, Database, PrimarySMTPAddress | Export-CSV -path "C:\Export.csv" -notype

Once you have the information in a CSV file you can attach it to an email and send it to yourself (or someone else) as per my previous blog post
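As an added example covering both this post and Part 2 (my own code, not the author's), here is one report that joins Get-Mailbox and Get-MailboxStatistics, filters on the item count as a number rather than a string, and exports the result to CSV. It assumes TotalItemSize.Value offers a ToMB() method, as it does on Exchange 2007's size type; the threshold and output path are placeholders.

```powershell
# Report mailboxes whose ItemCount exceeds a threshold, with size and last
# logon, and write the result to CSV. Mailboxes that have never been logged
# on to have no statistics yet and are skipped rather than reported as 0.
function Get-LargeMailboxReport {
    param(
        [int]    $MaxItems = 20000,            # placeholder threshold
        [string] $OutFile  = "C:\Export.csv"   # placeholder path
    )
    Get-Mailbox -ResultSize Unlimited | ForEach-Object {
        $mbx   = $_
        $stats = Get-MailboxStatistics -Identity $mbx.Identity `
                     -ErrorAction SilentlyContinue -WarningAction SilentlyContinue
        if ($stats -eq $null) { return }       # no statistics: skip this mailbox

        $sizeMB = 0
        if ($stats.TotalItemSize.Value -ne $null) {
            $sizeMB = $stats.TotalItemSize.Value.ToMB()
        }
        New-Object PSObject -Property @{
            DisplayName        = $mbx.DisplayName
            PrimarySmtpAddress = $mbx.PrimarySmtpAddress.ToString()
            Database           = $mbx.Database.ToString()
            ItemCount          = [int]$stats.ItemCount      # compare as a number
            TotalItemSizeMB    = $sizeMB
            LastLogonTime      = $stats.LastLogonTime
        }
    } |
    Where-Object { $_.ItemCount -gt $MaxItems } |
    Sort-Object ItemCount -Descending |
    Select-Object DisplayName, PrimarySmtpAddress, Database, ItemCount, TotalItemSizeMB, LastLogonTime |
    Export-Csv -Path $OutFile -NoTypeInformation
}

# Usage: mailboxes with more than 20,000 items, largest first
Get-LargeMailboxReport -MaxItems 20000 -OutFile "C:\Export.csv"
```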