k3nundrum/wormBB
1
0
Fork 0
forked from ek0mssavi0r/wormBB
Code Pull Requests Activity
main
wormBB/worm_bb_detector.go
ek0ms savi0r ed5e2ab5f0 Upload files to "/"
2026-05-31 00:35:14 +00:00

1293 lines
39 KiB
Go
Raw Permalink Blame History

// worm_bb_detector.go - Worm-BB Detection and Removal Tool
// RED TEAM / BLUE TEAM UTILITY - Authorized Use Only
package main
import (
"bufio"
"bytes"
"crypto/sha256"
"encoding/hex"
"encoding/json"
"fmt"
"io"
"io/ioutil"
"net"
"net/http"
"os"
"os/exec"
"path/filepath"
"regexp"
"runtime"
"strings"
"syscall"
"time"
"golang.org/x/sys/windows"
"golang.org/x/sys/windows/registry"
)
// ========== CONSTANTS ==========
const (
VERSION = "1.0"
MUTEX_NAME = "Global\\SystemUpdateMutex"
MULTICAST_ADDR = "239.255.42.42:4242"
LOCK_FILE = "/tmp/.system-update.lock"
WORM_PATHS_WINDOWS = "C:\\Windows\\Temp\\system-update.exe,%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\SystemUpdate.exe,%TEMP%\\worm*.exe"
WORM_PATHS_LINUX = "/tmp/system-update,/tmp/.system-update,/etc/systemd/system/system-update.service,/tmp/.system-update.lock"
WORM_REGISTRY_KEYS = "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\SystemUpdate,HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\SystemUpdate"
WORM_SCHEDULED_TASKS = "SystemUpdateTask,SystemUpdateTask_startup"
WORM_CRON_JOBS = "@reboot /tmp/system-update,*/30 * * * * /tmp/system-update"
WORM_SYSTEMD_SERVICE = "system-update.service"
WORM_WMI_FILTER = "SystemUpdateFilter"
WORM_WMI_CONSUMER = "SystemUpdateConsumer"
WORM_USB_AUTORUN = "autorun.inf"
WORM_USB_EXE = "SystemUpdate.exe"
WORM_SSH_KEY_PATTERN = "worm-bb-key"
WORM_UDEV_RULE = "99-usb-autorun.rules"
)
// ========== DATA STRUCTURES ==========
type DetectionResult struct {
Timestamp time.Time `json:"timestamp"`
Hostname string `json:"hostname"`
OS string `json:"os"`
IPAddress string `json:"ip_address"`
WormDetected bool `json:"worm_detected"`
Severity string `json:"severity"` // CRITICAL, HIGH, MEDIUM, LOW
Findings []Finding `json:"findings"`
Remediations []Remediation `json:"remediations"`
ScanDuration time.Duration `json:"scan_duration"`
}
type Finding struct {
Category string `json:"category"` // PROCESS, FILE, REGISTRY, SCHEDULED_TASK, CRON, SERVICE, NETWORK, USB, WMI, SSH
Location string `json:"location"`
Details string `json:"details"`
Confidence string `json:"confidence"` // HIGH, MEDIUM, LOW
RemediationID string `json:"remediation_id"`
}
type Remediation struct {
ID string `json:"id"`
Action string `json:"action"` // KILL_PROCESS, DELETE_FILE, DELETE_REGISTRY, DELETE_TASK, DELETE_CRON, STOP_SERVICE, BLOCK_NETWORK, CLEAN_USB
Target string `json:"target"`
Command string `json:"command"`
RequiresReboot bool `json:"requires_reboot"`
Status string `json:"status"` // PENDING, COMPLETED, FAILED
}
type WormSignature struct {
Name string `json:"name"`
Pattern string `json:"pattern"`
Type string `json:"type"` // FILENAME, HASH, REGEX, PE_IMPORT, STRING
Severity string `json:"severity"`
Hashes []string `json:"hashes,omitempty"`
}
// ========== WORM SIGNATURES ==========
var wormSignatures = []WormSignature{
{
Name: "Worm-BB Process Name",
Pattern: `(?i)(system-update|SystemUpdate|worm_bb|worm-bb)`,
Type: "REGEX",
Severity: "HIGH",
},
{
Name: "Worm-BB Mutex",
Pattern: "Global\\\\SystemUpdateMutex",
Type: "STRING",
Severity: "HIGH",
},
{
Name: "Worm-BB Multicast Communication",
Pattern: "239.255.42.42",
Type: "STRING",
Severity: "HIGH",
},
{
Name: "Worm-BB File Name - Linux",
Pattern: "/tmp/system-update",
Type: "STRING",
Severity: "HIGH",
},
{
Name: "Worm-BB Service Name",
Pattern: "system-update.service",
Type: "STRING",
Severity: "MEDIUM",
},
{
Name: "Worm-BB Registry Key",
Pattern: "SystemUpdate",
Type: "STRING",
Severity: "MEDIUM",
},
}
// ========== DETECTION ENGINE ==========
type DetectionEngine struct {
results *DetectionResult
findings []Finding
remediations []Remediation
mu sync.Mutex
wormHashes map[string]bool
networkScan bool
}
func NewDetectionEngine(networkScan bool) *DetectionEngine {
return &DetectionEngine{
results: &DetectionResult{
Timestamp: time.Now(),
Hostname: getHostname(),
OS: runtime.GOOS,
IPAddress: getLocalIP(),
WormDetected: false,
Severity: "LOW",
Findings: []Finding{},
Remediations: []Remediation{},
},
findings: []Finding{},
remediations: []Remediation{},
wormHashes: make(map[string]bool),
networkScan: networkScan,
}
}
func (de *DetectionEngine) RunFullScan() {
startTime := time.Now()
defer func() {
de.results.ScanDuration = time.Since(startTime)
de.results.Findings = de.findings
de.results.Remediations = de.remediations
}()
fmt.Println("[Worm-BB Detector] Starting comprehensive scan")
fmt.Println("================================================")
// Process scanning
fmt.Println("[*] Scanning for worm processes...")
de.scanProcesses()
// File system scanning
fmt.Println("[*] Scanning for worm files...")
de.scanFiles()
// Registry scanning (Windows only)
if runtime.GOOS == "windows" {
fmt.Println("[*] Scanning registry...")
de.scanRegistry()
fmt.Println("[*] Scanning scheduled tasks...")
de.scanScheduledTasks()
fmt.Println("[*] Scanning WMI subscriptions...")
de.scanWMI()
}
// Linux-specific scans
if runtime.GOOS == "linux" {
fmt.Println("[*] Scanning cron jobs...")
de.scanCronJobs()
fmt.Println("[*] Scanning systemd services...")
de.scanSystemdServices()
fmt.Println("[*] Scanning udev rules...")
de.scanUdevRules()
}
// Common scans
fmt.Println("[*] Scanning SSH authorized_keys...")
de.scanSSHKeys()
fmt.Println("[*] Scanning USB drives...")
de.scanUSBDrives()
if de.networkScan {
fmt.Println("[*] Scanning network for worm peers...")
de.scanNetwork()
}
fmt.Println("[*] Scanning memory for signatures...")
de.scanMemory()
fmt.Println("[*] Calculating file hashes...")
de.calculateHashes()
// Determine overall severity
de.calculateSeverity()
fmt.Println("================================================")
fmt.Printf("[+] Scan completed in %v\n", de.results.ScanDuration)
if de.results.WormDetected {
fmt.Printf("[!] WORM DETECTED! Severity: %s\n", de.results.Severity)
fmt.Printf("[!] Found %d indicators\n", len(de.findings))
} else {
fmt.Println("[+] No worm detected")
}
}
func (de *DetectionEngine) scanProcesses() {
var processes []map[string]interface{}
if runtime.GOOS == "windows" {
processes = de.getWindowsProcesses()
} else {
processes = de.getLinuxProcesses()
}
for _, proc := range processes {
procName := proc["name"].(string)
procPID := proc["pid"].(int)
// Check against signatures
for _, sig := range wormSignatures {
if sig.Type == "REGEX" {
matched, _ := regexp.MatchString(sig.Pattern, procName)
if matched {
de.addFinding(Finding{
Category: "PROCESS",
Location: fmt.Sprintf("PID: %d", procPID),
Details: fmt.Sprintf("Suspicious process: %s (matched signature: %s)", procName, sig.Name),
Confidence: "HIGH",
RemediationID: "remediate_process",
})
de.addRemediation(Remediation{
ID: generateID(),
Action: "KILL_PROCESS",
Target: fmt.Sprintf("%d", procPID),
Command: de.getKillCommand(procPID),
RequiresReboot: false,
Status: "PENDING",
})
de.results.WormDetected = true
}
}
}
// Check command line for suspicious strings
if cmdline, ok := proc["cmdline"].(string); ok {
if strings.Contains(cmdline, "system-update") ||
strings.Contains(cmdline, "SystemUpdate") ||
strings.Contains(cmdline, "worm_bb") {
de.addFinding(Finding{
Category: "PROCESS",
Location: fmt.Sprintf("PID: %d", procPID),
Details: fmt.Sprintf("Suspicious command line: %s", cmdline),
Confidence: "HIGH",
RemediationID: "remediate_process",
})
de.results.WormDetected = true
}
}
}
}
func (de *DetectionEngine) getWindowsProcesses() []map[string]interface{} {
var processes []map[string]interface{}
cmd := exec.Command("tasklist", "/FO", "CSV", "/NH")
output, err := cmd.Output()
if err != nil {
return processes
}
lines := strings.Split(string(output), "\n")
for _, line := range lines {
if line == "" {
continue
}
parts := strings.Split(strings.Trim(line, "\""), "\",\"")
if len(parts) >= 2 {
proc := map[string]interface{}{
"name": parts[0],
"pid": atoi(parts[1]),
}
// Get command line
cmdline := exec.Command("wmic", "process", "where", fmt.Sprintf("processid=%d", proc["pid"]), "get", "commandline")
cmdlineOut, _ := cmdline.Output()
proc["cmdline"] = string(cmdlineOut)
processes = append(processes, proc)
}
}
return processes
}
func (de *DetectionEngine) getLinuxProcesses() []map[string]interface{} {
var processes []map[string]interface{}
files, err := ioutil.ReadDir("/proc")
if err != nil {
return processes
}
for _, file := range files {
if file.IsDir() && isNumeric(file.Name()) {
pid := atoi(file.Name())
if pid == 0 {
continue
}
// Read process name
cmdlinePath := fmt.Sprintf("/proc/%d/cmdline", pid)
cmdlineData, err := ioutil.ReadFile(cmdlinePath)
if err != nil {
continue
}
cmdline := strings.Replace(string(cmdlineData), "\x00", " ", -1)
procName := filepath.Base(cmdline)
if procName == "" {
procName = "unknown"
}
processes = append(processes, map[string]interface{}{
"name": procName,
"pid": pid,
"cmdline": cmdline,
})
}
}
return processes
}
func (de *DetectionEngine) scanFiles() {
var paths []string
if runtime.GOOS == "windows" {
paths = strings.Split(WORM_PATHS_WINDOWS, ",")
// Expand environment variables
for i, path := range paths {
paths[i] = os.ExpandEnv(path)
}
} else {
paths = strings.Split(WORM_PATHS_LINUX, ",")
}
for _, path := range paths {
if _, err := os.Stat(path); err == nil {
de.addFinding(Finding{
Category: "FILE",
Location: path,
Details: fmt.Sprintf("Suspicious file found: %s", path),
Confidence: "HIGH",
RemediationID: "remediate_file",
})
de.addRemediation(Remediation{
ID: generateID(),
Action: "DELETE_FILE",
Target: path,
Command: de.getDeleteCommand(path),
RequiresReboot: false,
Status: "PENDING",
})
de.results.WormDetected = true
// Calculate hash for future detection
de.hashFile(path)
}
}
// Recursive scan of common directories
scanDirs := []string{}
if runtime.GOOS == "windows" {
scanDirs = []string{os.Getenv("TEMP"), os.Getenv("APPDATA"), "C:\\Windows\\Temp"}
} else {
scanDirs = []string{"/tmp", "/var/tmp", "/dev/shm"}
}
for _, dir := range scanDirs {
de.recursiveFileScan(dir)
}
}
func (de *DetectionEngine) recursiveFileScan(dir string) {
files, err := ioutil.ReadDir(dir)
if err != nil {
return
}
for _, file := range files {
if file.IsDir() {
// Avoid recursion depth issues
if strings.HasPrefix(file.Name(), ".") {
continue
}
de.recursiveFileScan(filepath.Join(dir, file.Name()))
} else {
// Check filename against patterns
for _, sig := range wormSignatures {
if sig.Type == "REGEX" {
matched, _ := regexp.MatchString(sig.Pattern, file.Name())
if matched {
fullPath := filepath.Join(dir, file.Name())
de.addFinding(Finding{
Category: "FILE",
Location: fullPath,
Details: fmt.Sprintf("Suspicious filename: %s", file.Name()),
Confidence: "MEDIUM",
RemediationID: "remediate_file",
})
de.hashFile(fullPath)
}
}
}
}
}
}
func (de *DetectionEngine) hashFile(path string) {
data, err := ioutil.ReadFile(path)
if err != nil {
return
}
hash := sha256.Sum256(data)
hashStr := hex.EncodeToString(hash[:])
// Check against known worm hashes (would be populated from threat intel)
de.wormHashes[hashStr] = true
}
func (de *DetectionEngine) scanRegistry() {
if runtime.GOOS != "windows" {
return
}
keys := strings.Split(WORM_REGISTRY_KEYS, ",")
for _, keyPath := range keys {
// Parse registry path
parts := strings.Split(keyPath, "\\")
if len(parts) < 2 {
continue
}
hive := parts[0]
key := strings.Join(parts[1:], "\\")
var regKey registry.Key
var err error
switch hive {
case "HKCU":
regKey, err = registry.OpenKey(registry.CURRENT_USER, key, registry.READ)
case "HKLM":
regKey, err = registry.OpenKey(registry.LOCAL_MACHINE, key, registry.READ)
default:
continue
}
if err == nil {
value, _, err := regKey.GetStringValue(filepath.Base(key))
if err == nil && value != "" {
de.addFinding(Finding{
Category: "REGISTRY",
Location: keyPath,
Details: fmt.Sprintf("Suspicious registry value: %s = %s", keyPath, value),
Confidence: "HIGH",
RemediationID: "remediate_registry",
})
de.addRemediation(Remediation{
ID: generateID(),
Action: "DELETE_REGISTRY",
Target: keyPath,
Command: fmt.Sprintf("reg delete \"%s\" /v %s /f", keyPath, filepath.Base(key)),
RequiresReboot: false,
Status: "PENDING",
})
de.results.WormDetected = true
}
regKey.Close()
}
}
}
func (de *DetectionEngine) scanScheduledTasks() {
if runtime.GOOS != "windows" {
return
}
tasks := strings.Split(WORM_SCHEDULED_TASKS, ",")
for _, task := range tasks {
cmd := exec.Command("schtasks", "/query", "/tn", task, "/fo", "csv", "/nh")
err := cmd.Run()
if err == nil {
de.addFinding(Finding{
Category: "SCHEDULED_TASK",
Location: task,
Details: fmt.Sprintf("Suspicious scheduled task: %s", task),
Confidence: "HIGH",
RemediationID: "remediate_task",
})
de.addRemediation(Remediation{
ID: generateID(),
Action: "DELETE_TASK",
Target: task,
Command: fmt.Sprintf("schtasks /delete /tn %s /f", task),
RequiresReboot: false,
Status: "PENDING",
})
de.results.WormDetected = true
}
}
}
func (de *DetectionEngine) scanWMI() {
if runtime.GOOS != "windows" {
return
}
// Check for WMI event filter
cmd := exec.Command("powershell", "-Command",
"Get-WmiObject -Namespace root\\subscription -Class __EventFilter | Where-Object {$_.Name -eq 'SystemUpdateFilter'} | Select-Object -Property Name")
output, err := cmd.Output()
if err == nil && strings.Contains(string(output), "SystemUpdateFilter") {
de.addFinding(Finding{
Category: "WMI",
Location: "root\\subscription",
Details: "Suspicious WMI event filter detected",
Confidence: "HIGH",
RemediationID: "remediate_wmi",
})
de.addRemediation(Remediation{
ID: generateID(),
Action: "DELETE_WMI",
Target: "SystemUpdateFilter",
Command: "Get-WmiObject -Namespace root\\subscription -Class __EventFilter | Where-Object {$_.Name -eq 'SystemUpdateFilter'} | Remove-WmiObject",
RequiresReboot: false,
Status: "PENDING",
})
de.results.WormDetected = true
}
}
func (de *DetectionEngine) scanCronJobs() {
if runtime.GOOS == "windows" {
return
}
cmd := exec.Command("crontab", "-l")
output, err := cmd.Output()
if err != nil {
return
}
cronContent := string(output)
cronJobs := strings.Split(WORM_CRON_JOBS, ",")
for _, job := range cronJobs {
if strings.Contains(cronContent, job) {
de.addFinding(Finding{
Category: "CRON",
Location: "/var/spool/cron/crontabs",
Details: fmt.Sprintf("Suspicious cron job: %s", job),
Confidence: "HIGH",
RemediationID: "remediate_cron",
})
de.addRemediation(Remediation{
ID: generateID(),
Action: "DELETE_CRON",
Target: job,
Command: "crontab -l | grep -v 'system-update' | crontab -",
RequiresReboot: false,
Status: "PENDING",
})
de.results.WormDetected = true
}
}
}
func (de *DetectionEngine) scanSystemdServices() {
if runtime.GOOS == "windows" {
return
}
servicePath := fmt.Sprintf("/etc/systemd/system/%s", WORM_SYSTEMD_SERVICE)
if _, err := os.Stat(servicePath); err == nil {
de.addFinding(Finding{
Category: "SERVICE",
Location: servicePath,
Details: "Suspicious systemd service detected",
Confidence: "HIGH",
RemediationID: "remediate_service",
})
de.addRemediation(Remediation{
ID: generateID(),
Action: "STOP_SERVICE",
Target: WORM_SYSTEMD_SERVICE,
Command: fmt.Sprintf("systemctl stop %s && systemctl disable %s && rm %s", WORM_SYSTEMD_SERVICE, WORM_SYSTEMD_SERVICE, servicePath),
RequiresReboot: false,
Status: "PENDING",
})
de.results.WormDetected = true
}
}
func (de *DetectionEngine) scanUdevRules() {
if runtime.GOOS == "windows" {
return
}
udevPath := fmt.Sprintf("/etc/udev/rules.d/%s", WORM_UDEV_RULE)
if _, err := os.Stat(udevPath); err == nil {
de.addFinding(Finding{
Category: "UDEV",
Location: udevPath,
Details: "Suspicious udev rule for USB auto-execution detected",
Confidence: "HIGH",
RemediationID: "remediate_udev",
})
de.addRemediation(Remediation{
ID: generateID(),
Action: "DELETE_FILE",
Target: udevPath,
Command: fmt.Sprintf("rm %s", udevPath),
RequiresReboot: false,
Status: "PENDING",
})
de.results.WormDetected = true
}
}
func (de *DetectionEngine) scanSSHKeys() {
homeDir, _ := os.UserHomeDir()
sshPath := filepath.Join(homeDir, ".ssh", "authorized_keys")
data, err := ioutil.ReadFile(sshPath)
if err != nil {
return
}
if strings.Contains(string(data), WORM_SSH_KEY_PATTERN) {
de.addFinding(Finding{
Category: "SSH",
Location: sshPath,
Details: "Suspicious SSH key detected (worm-bb-key)",
Confidence: "HIGH",
RemediationID: "remediate_ssh",
})
de.addRemediation(Remediation{
ID: generateID(),
Action: "DELETE_SSH_KEY",
Target: sshPath,
Command: fmt.Sprintf("sed -i '/%s/d' %s", WORM_SSH_KEY_PATTERN, sshPath),
RequiresReboot: false,
Status: "PENDING",
})
de.results.WormDetected = true
}
}
func (de *DetectionEngine) scanUSBDrives() {
if runtime.GOOS == "windows" {
for _, drive := range "ABCDEFGHIJKLMNOPQRSTUVWXYZ" {
path := string(drive) + ":\\"
if _, err := os.Stat(path); err == nil {
de.checkUSBPath(path)
}
}
} else {
mountPoints := []string{"/media/", "/mnt/", "/run/media/"}
for _, mp := range mountPoints {
files, err := ioutil.ReadDir(mp)
if err == nil {
for _, f := range files {
if f.IsDir() {
de.checkUSBPath(filepath.Join(mp, f.Name()))
}
}
}
}
}
}
func (de *DetectionEngine) checkUSBPath(path string) {
// Check for autorun.inf
autorunPath := filepath.Join(path, WORM_USB_AUTORUN)
if _, err := os.Stat(autorunPath); err == nil {
de.addFinding(Finding{
Category: "USB",
Location: autorunPath,
Details: "Suspicious autorun.inf on USB drive",
Confidence: "HIGH",
RemediationID: "remediate_usb",
})
de.addRemediation(Remediation{
ID: generateID(),
Action: "CLEAN_USB",
Target: path,
Command: de.getUSBDeleteCommand(autorunPath),
RequiresReboot: false,
Status: "PENDING",
})
de.results.WormDetected = true
}
// Check for worm executable
exePath := filepath.Join(path, WORM_USB_EXE)
if _, err := os.Stat(exePath); err == nil {
de.addFinding(Finding{
Category: "USB",
Location: exePath,
Details: "Suspicious executable on USB drive",
Confidence: "HIGH",
RemediationID: "remediate_usb",
})
de.addRemediation(Remediation{
ID: generateID(),
Action: "CLEAN_USB",
Target: path,
Command: de.getUSBDeleteCommand(exePath),
RequiresReboot: false,
Status: "PENDING",
})
}
}
func (de *DetectionEngine) scanNetwork() {
// Check for multicast listener on worm port
addr, err := net.ResolveUDPAddr("udp", MULTICAST_ADDR)
if err != nil {
return
}
conn, err := net.ListenMulticastUDP("udp", nil, addr)
if err == nil {
defer conn.Close()
conn.SetReadDeadline(time.Now().Add(2 * time.Second))
buffer := make([]byte, 1024)
n, _, err := conn.ReadFromUDP(buffer)
if err == nil && n > 0 {
de.addFinding(Finding{
Category: "NETWORK",
Location: MULTICAST_ADDR,
Details: fmt.Sprintf("Worm multicast traffic detected: %s", string(buffer[:n])),
Confidence: "HIGH",
RemediationID: "remediate_network",
})
de.results.WormDetected = true
}
}
// Check for listening ports
ports := []int{4242, 4243, 4444, 8443}
for _, port := range ports {
conn, err := net.DialTimeout("tcp", fmt.Sprintf("127.0.0.1:%d", port), 1*time.Second)
if err == nil {
de.addFinding(Finding{
Category: "NETWORK",
Location: fmt.Sprintf("127.0.0.1:%d", port),
Details: fmt.Sprintf("Worm listening port detected: %d", port),
Confidence: "HIGH",
RemediationID: "remediate_network",
})
conn.Close()
de.results.WormDetected = true
}
}
}
func (de *DetectionEngine) scanMemory() {
// This would use more advanced memory scanning techniques
// Simplified version - check for loaded modules/dlls
if runtime.GOOS == "windows" {
cmd := exec.Command("tasklist", "/M")
output, err := cmd.Output()
if err == nil {
for _, sig := range wormSignatures {
if strings.Contains(string(output), sig.Pattern) {
de.addFinding(Finding{
Category: "MEMORY",
Location: "Process memory",
Details: fmt.Sprintf("Worm signature found in memory: %s", sig.Name),
Confidence: "MEDIUM",
RemediationID: "remediate_process",
})
de.results.WormDetected = true
}
}
}
}
}
func (de *DetectionEngine) calculateHashes() {
// In production, would submit hashes to VirusTotal or threat intel
for hash := range de.wormHashes {
fmt.Printf("[*] Found suspicious hash: %s\n", hash)
}
}
func (de *DetectionEngine) calculateSeverity() {
highCount := 0
for _, finding := range de.findings {
if finding.Confidence == "HIGH" {
highCount++
}
}
if highCount >= 5 {
de.results.Severity = "CRITICAL"
} else if highCount >= 3 {
de.results.Severity = "HIGH"
} else if highCount >= 1 {
de.results.Severity = "MEDIUM"
} else {
de.results.Severity = "LOW"
}
}
func (de *DetectionEngine) addFinding(finding Finding) {
de.mu.Lock()
defer de.mu.Unlock()
de.findings = append(de.findings, finding)
}
func (de *DetectionEngine) addRemediation(rem Remediation) {
de.mu.Lock()
defer de.mu.Unlock()
de.remediations = append(de.remediations, rem)
}
// ========== REMEDIATION ENGINE ==========
type RemediationEngine struct {
remediations []Remediation
results map[string]bool
mu sync.Mutex
autoApprove bool
}
func NewRemediationEngine(autoApprove bool) *RemediationEngine {
return &RemediationEngine{
remediations: []Remediation{},
results: make(map[string]bool),
autoApprove: autoApprove,
}
}
func (re *RemediationEngine) LoadRemediations(remediations []Remediation) {
re.remediations = remediations
}
func (re *RemediationEngine) ExecuteRemediations() {
fmt.Println("\n[Remediation] Starting cleanup process")
fmt.Println("================================================")
for _, rem := range re.remediations {
if rem.Status != "PENDING" {
continue
}
if !re.autoApprove {
fmt.Printf("\n[?] Remediation: %s\n", rem.Action)
fmt.Printf(" Target: %s\n", rem.Target)
fmt.Printf(" Command: %s\n", rem.Command)
fmt.Print(" Execute? (y/N): ")
var response string
fmt.Scanln(&response)
if strings.ToLower(response) != "y" {
fmt.Println(" Skipped")
continue
}
}
fmt.Printf("[*] Executing: %s on %s\n", rem.Action, rem.Target)
err := re.executeRemediation(rem)
re.mu.Lock()
if err == nil {
rem.Status = "COMPLETED"
re.results[rem.ID] = true
fmt.Printf("[+] Success: %s completed\n", rem.Action)
} else {
rem.Status = "FAILED"
re.results[rem.ID] = false
fmt.Printf("[-] Failed: %s - %v\n", rem.Action, err)
}
re.mu.Unlock()
}
fmt.Println("================================================")
re.printSummary()
}
func (re *RemediationEngine) executeRemediation(rem Remediation) error {
switch rem.Action {
case "KILL_PROCESS":
return re.killProcess(rem.Target)
case "DELETE_FILE":
return re.deleteFile(rem.Target)
case "DELETE_REGISTRY":
return re.deleteRegistry(rem.Target)
case "DELETE_TASK":
return re.deleteTask(rem.Target)
case "DELETE_CRON":
return re.deleteCron(rem.Command)
case "STOP_SERVICE":
return re.stopService(rem.Command)
case "CLEAN_USB":
return re.cleanUSB(rem.Target)
case "DELETE_WMI":
return re.deleteWMI(rem.Command)
case "DELETE_SSH_KEY":
return re.deleteSSHKey(rem.Command)
default:
return re.executeCommand(rem.Command)
}
}
func (re *RemediationEngine) killProcess(pidStr string) error {
pid := atoi(pidStr)
if pid <= 0 {
return fmt.Errorf("invalid PID: %s", pidStr)
}
process, err := os.FindProcess(pid)
if err != nil {
return err
}
if runtime.GOOS == "windows" {
return process.Kill()
}
return process.Signal(syscall.SIGTERM)
}
func (re *RemediationEngine) deleteFile(path string) error {
return os.RemoveAll(path)
}
func (re *RemediationEngine) deleteRegistry(keyPath string) error {
if runtime.GOOS != "windows" {
return fmt.Errorf("registry operations not supported on this OS")
}
return re.executeCommand(fmt.Sprintf("reg delete \"%s\" /f", keyPath))
}
func (re *RemediationEngine) deleteTask(taskName string) error {
return re.executeCommand(fmt.Sprintf("schtasks /delete /tn \"%s\" /f", taskName))
}
func (re *RemediationEngine) deleteCron(command string) error {
return re.executeCommand(command)
}
func (re *RemediationEngine) stopService(command string) error {
return re.executeCommand(command)
}
func (re *RemediationEngine) cleanUSB(path string) error {
// Delete worm files from USB
filesToDelete := []string{
filepath.Join(path, WORM_USB_AUTORUN),
filepath.Join(path, WORM_USB_EXE),
filepath.Join(path, "System Update.lnk"),
}
for _, file := range filesToDelete {
os.Remove(file)
}
return nil
}
func (re *RemediationEngine) deleteWMI(command string) error {
return re.executeCommand(fmt.Sprintf("powershell -Command \"%s\"", command))
}
func (re *RemediationEngine) deleteSSHKey(command string) error {
return re.executeCommand(command)
}
func (re *RemediationEngine) executeCommand(command string) error {
var cmd *exec.Cmd
if runtime.GOOS == "windows" {
cmd = exec.Command("cmd", "/C", command)
} else {
cmd = exec.Command("bash", "-c", command)
}
output, err := cmd.CombinedOutput()
if err != nil {
return fmt.Errorf("command failed: %s - %v", string(output), err)
}
return nil
}
func (re *RemediationEngine) printSummary() {
completed := 0
failed := 0
for _, success := range re.results {
if success {
completed++
} else {
failed++
}
}
fmt.Printf("\n[Remediation Summary]\n")
fmt.Printf(" Total remediations: %d\n", len(re.remediations))
fmt.Printf(" Completed: %d\n", completed)
fmt.Printf(" Failed: %d\n", failed)
if failed > 0 {
fmt.Println("\n[!] Some remediations failed. Manual cleanup may be required.")
fmt.Println(" Review findings above and perform manual removal.")
} else {
fmt.Println("\n[+] All remediations completed successfully!")
fmt.Println(" Reboot recommended to ensure complete cleanup.")
}
}
// ========== REPORTING ENGINE ==========
type ReportEngine struct {
result *DetectionResult
}
func NewReportEngine(result *DetectionResult) *ReportEngine {
return &ReportEngine{result: result}
}
func (re *ReportEngine) PrintReport() {
fmt.Println("\n" + strings.Repeat("=", 80))
fmt.Println("WORM-BB DETECTION REPORT")
fmt.Println(strings.Repeat("=", 80))
fmt.Printf("Timestamp: %s\n", re.result.Timestamp.Format("2006-01-02 15:04:05"))
fmt.Printf("Hostname: %s\n", re.result.Hostname)
fmt.Printf("OS: %s\n", re.result.OS)
fmt.Printf("IP Address: %s\n", re.result.IPAddress)
fmt.Printf("Worm Detected: %v\n", re.result.WormDetected)
fmt.Printf("Severity: %s\n", re.result.Severity)
fmt.Printf("Scan Duration: %v\n", re.result.ScanDuration)
fmt.Printf("Findings: %d\n", len(re.result.Findings))
fmt.Printf("Remediations: %d\n", len(re.result.Remediations))
if len(re.result.Findings) > 0 {
fmt.Println("\n" + strings.Repeat("-", 80))
fmt.Println("DETAILED FINDINGS")
fmt.Println(strings.Repeat("-", 80))
for i, finding := range re.result.Findings {
fmt.Printf("\n[%d] Category: %s\n", i+1, finding.Category)
fmt.Printf(" Location: %s\n", finding.Location)
fmt.Printf(" Details: %s\n", finding.Details)
fmt.Printf(" Confidence: %s\n", finding.Confidence)
}
}
fmt.Println(strings.Repeat("=", 80))
}
func (re *ReportEngine) SaveJSON(filename string) error {
data, err := json.MarshalIndent(re.result, "", " ")
if err != nil {
return err
}
return ioutil.WriteFile(filename, data, 0644)
}
// ========== UTILITY FUNCTIONS ==========
func getHostname() string {
hostname, err := os.Hostname()
if err != nil {
return "unknown"
}
return hostname
}
func getLocalIP() string {
addrs, err := net.InterfaceAddrs()
if err != nil {
return "127.0.0.1"
}
for _, addr := range addrs {
if ipnet, ok := addr.(*net.IPNet); ok && !ipnet.IP.IsLoopback() {
if ipnet.IP.To4() != nil {
return ipnet.IP.String()
}
}
}
return "127.0.0.1"
}
func getKillCommand(pid int) string {
if runtime.GOOS == "windows" {
return fmt.Sprintf("taskkill /F /PID %d", pid)
}
return fmt.Sprintf("kill -9 %d", pid)
}
func getDeleteCommand(path string) string {
if runtime.GOOS == "windows" {
return fmt.Sprintf("del /F /Q \"%s\"", path)
}
return fmt.Sprintf("rm -f \"%s\"", path)
}
func getUSBDeleteCommand(path string) string {
if runtime.GOOS == "windows" {
return fmt.Sprintf("del /F /Q /A:H \"%s\"", path)
}
return fmt.Sprintf("rm -f \"%s\"", path)
}
func generateID() string {
data := fmt.Sprintf("%d", time.Now().UnixNano())
hash := sha256.Sum256([]byte(data))
return hex.EncodeToString(hash[:8])
}
func atoi(s string) int {
var result int
fmt.Sscanf(s, "%d", &result)
return result
}
func isNumeric(s string) bool {
for _, c := range s {
if c < '0' || c > '9' {
return false
}
}
return true
}
// ========== MAIN ==========
func main() {
fmt.Println(strings.Repeat("=", 80))
fmt.Println("WORM-BB DETECTION AND REMOVAL TOOL")
fmt.Printf("Version: %s\n", VERSION)
fmt.Println("Authorized Use Only - Blue Team / Incident Response")
fmt.Println(strings.Repeat("=", 80))
// Parse command line arguments
autoRemediate := false
networkScan := false
outputFile := ""
for i, arg := range os.Args {
switch arg {
case "--auto", "-a":
autoRemediate = true
case "--network", "-n":
networkScan = true
case "--output", "-o":
if i+1 < len(os.Args) {
outputFile = os.Args[i+1]
}
case "--help", "-h":
printHelp()
return
}
}
// Run detection
detector := NewDetectionEngine(networkScan)
detector.RunFullScan()
// Generate report
reporter := NewReportEngine(detector.results)
reporter.PrintReport()
if outputFile != "" {
if err := reporter.SaveJSON(outputFile); err != nil {
fmt.Printf("[-] Failed to save report: %v\n", err)
} else {
fmt.Printf("[+] Report saved to %s\n", outputFile)
}
}
// Run remediation if worm detected
if detector.results.WormDetected && len(detector.remediations) > 0 {
fmt.Println("\n" + strings.Repeat("=", 80))
fmt.Println("REMEDIATION PHASE")
fmt.Println(strings.Repeat("=", 80))
remediator := NewRemediationEngine(autoRemediate)
remediator.LoadRemediations(detector.remediations)
remediator.ExecuteRemediations()
}
fmt.Println("\n[+] Scan complete")
if detector.results.WormDetected {
fmt.Println("\n[!] Worm detected and remediated. Reboot recommended.")
os.Exit(1)
}
fmt.Println("\n[+] No worm detected. System appears clean.")
os.Exit(0)
}
func printHelp() {
fmt.Println(`
Usage: worm_bb_detector [options]
Options:
-a, --auto Automatic remediation (no user prompts)
-n, --network Enable network scanning (multicast, port checks)
-o, --output Save JSON report to file
-h, --help Show this help message
Examples:
# Basic scan with user prompts
worm_bb_detector
# Full automatic scan with network detection
worm_bb_detector --auto --network
# Scan and save report
worm_bb_detector --output report.json
Exit Codes:
0 - No worm detected
1 - Worm detected and remediated
Note: Run with elevated privileges (Administrator/root) for full detection capability
`)
}
View Git Blame Copy Permalink