Firmware replying trojan that uses genuine windows remoting to take over (2024)

Another 4104 Powershell script:

Creating Scriptblock text (2 of 4):


$sb = New-Object System.Text.StringBuilder $textToEscape.Length;
for($i=0; $i -lt $textToEscape.Length; $i++)
{
$curChar = $textToEscape[$i];
if($curChar -eq '\n')
{
$null = $sb.Append("\par");
}
elseif(($curChar -lt 0x20) -or ($curChar -eq '{') -or ($curChar -eq '}') -or ($curChar -eq '\\'))
{
$null = $sb.Append("\'");
$null = $sb.Append(([int]$curChar).ToString("X2", [System.Globalization.CultureInfo]::InvariantCulture));
}
elseif($curChar -lt 0x80)
{
$null = $sb.Append($curChar);
}
else
{
$null = $sb.Append("\u");
$null = $sb.Append(([int]$curChar).ToString([System.Globalization.CultureInfo]::InvariantCulture));
$null = $sb.Append('?');
}

}

return $sb.ToString();

}

function IsValidURL($URL)
{
&{
$uri = [System.URI]($URL);
$scheme = $uri.scheme;
if(($scheme -eq "http" ) -or ($scheme -eq "https") -or ($scheme -eq "ftp"))
{
return $uri.ToString();
}
else
{
return $null;
}
}
trap [Exception]
{
return $null;
}
}

function GetDefaultBrowser()
{
[string]$assocString = $null
$dll = "NetworkDiagnosticSnapIn.dll"

try
{
RegSnapin $dll

$assocString = [Microsoft.Windows.Diagnosis.Network.AssociationInfo]::GetAssociation("http","open");
trap [Exception]
{
$assocString = $null;
}
}
finally
{
UnregSnapin $dll
}

return $assocString;
}

function GetWebNDFIncidentData($URL, $DefaultConnectivity)
{
#build entry point parameters
$haXML = "<HelperAttributes><HelperAttribute><Name>URL</Name><Type>AT_STRING</Type><Value><![CDATA[" + $URL + "]]></Value></HelperAttribute>"
if($DefaultConnectivity)
{
#sqm explorer as the client rather than sdiaghost.exe
$haXML += "<HelperAttribute><Name>NDFSQMCallerApplication</Name><Type>AT_STRING</Type><Value>Windows\Explorer.EXE</Value></HelperAttribute>"
$defaultBrowser = GetDefaultBrowser;
if($defaultBrowser)
{
$haXML += "<HelperAttribute><Name>AppID</Name><Type>AT_STRING</Type><Value>"+ $defaultBrowser + "</Value></HelperAttribute>"
}
}
$haXML += "</HelperAttributes>"
return @{"HelperClassName" = "WinInetHelperClass"; "HelperAttributes" =$haXML}
}

function GetValidURL($CandidateURL)
{
$toReturn = $null
$url = IsValidURL $CandidateURL
if($url -eq $null)
{
if($CandidateURL.IndexOf("://") -eq -1)
{
$updatedURL = "http://" + $CandidateURL
$url = IsValidURL $updatedURL
if($url)
{
$toReturn = $url
}
}
}
else
{
$toReturn = $url
}

return $toReturn
}

function GetErrorRTF($Description, $Error)
{
$escapedDesc = EscapeForRTF $Description;
$escapedError = EscapeForRTF $Error;
$rtf = LoadResourceString($ERROR_MSG_RTF_RESOURCE);
return $rtf.Replace("%DESC%", $escapedDesc).Replace("%ERROR%", $escapedError);
}

function WebEntry()
{
$IT_WebChoice = Get-DiagInput -ID "IT_WebChoice"
if($IT_WebChoice -eq $null)
{
#Failed retriving Web Choice
return $null
}

$IT_URL = $DefaultDiagURL
if(!($IT_WebChoice -eq "Internet"))
{
$IT_URL = Get-DiagInput -ID "IT_URL"
if($IT_URL -eq $null) {
#Failed retriving URL
return $null
}

#verify that it is a valid URL
$validURL = GetValidURL $IT_URL[0]
while($validURL -eq $null)
{
#build the RTF text
$replacedError = [System.String]::Format([System.Globalization.CultureInfo]::InvariantCulture, $localizationString.interaction_InvalidURL_FormatError, $IT_URL[0]);
$RTFText = GetErrorRTF ($localizationString.interaction_InvalidURL_Desc) ($replacedError);

#reprompt for input
$IT_URL = Get-DiagInput -ID "IT_Invalid_URL" -p @{"URL" = $IT_URL; "RTFText" = $RTFText}
if($IT_URL -eq $null) {
#Failed retriving URL
return $null
}

$validURL = GetValidURL $IT_URL[0]
}
}

return GetWebNDFIncidentData $validURL $false
}

function IsUNCFormat($UNC)
{
&{
$uri = [System.URI]($UNC);
$scheme = $uri.scheme;
if(($scheme -eq "file" ))
{
if($uri.IsUnc)
{
return $uri.LocalPath;
}
}
return $null;
}
trap [Exception]
{
return $null;
}
}

#function assumes passed in UNC is in \\host\share form (share can be missing)
function ContainsInvalidUNCChars($UNC)
{
&{
#will return an exception if the string has invalid characters
$ignoreResult = [System.IO.Path]::IsPathRooted($UNC)

#check the path for invalid characters
#remove the starting slashes
$tmp = $UNC.Substring(2)
$nextSlash = $tmp.IndexOf("\")
if(($nextSlash -lt 0) -or ($nextSlash -eq ($nextSlash.Length - 1)))
{
#string only contains hostname
#hostname is already validated in IsUNCFormat function
return $false
}
#remove host and backslash after host
$UNCPath = $tmp.Substring($nextSlash+1)

#under certain circ*mstances some of these make it through the above check
#so we do a direct sanity check here
if(!($UNCPath.IndexOfAny(@('/',':','*','?','"','<','>','|')) -eq -1))
{
return $true;
}

return $false;
}
trap [Exception]
{
return $true;
}
}

function GetValidUNC($CandidateUNC)
{
$toReturn = $null

#is it valid
$unc = IsUNCFormat $CandidateUNC
if($unc)
{
$invalidChars = ContainsInvalidUNCChars $unc
if($invalidChars)
{
$toReturn = -1;
}
else
{
$toReturn = $unc
}
}

return $toReturn;
}


function GetUNCNDFIncidentData($UNC)
{
#build entry point parameters
$haXML = "<HelperAttributes><HelperAttribute><Name>UNCPath</Name><Type>AT_STRING</Type><Value><![CDATA[" + $UNC + "]]></Value></HelperAttribute></HelperAttributes>"
return @{"HelperClassName" = "SMBHelperClass"; "HelperAttributes" =$haXML}
}

function FileSharingEntry()
{
$IT_UNC = Get-DiagInput -ID "IT_UNC"
if($IT_UNC -eq $null) {
#Failed retriving UNC path
return $null
}

#assign input to non-array variable to facilitate usage and transform
$validUNC = GetValidUNC $IT_UNC[0]
while((!$validUNC) -or ($validUNC -eq -1))
{
#build the RTF text
#use original entry for re-prompt even though "file://" UNC may have been transformed
$replacedError = "";
if(!$validUNC)
{
$replacedError = [System.String]::Format([System.Globalization.CultureInfo]::InvariantCulture, $localizationString.interaction_InvalidUNC_FormatError, $IT_UNC[0]);
}
else
{
$replacedError = [System.String]::Format([System.Globalization.CultureInfo]::InvariantCulture, $localizationString.interaction_InvalidUNC_CharError, $IT_UNC[0]);
}
$RTFText = GetErrorRTF ($localizationString.interaction_InvalidUNC_Desc) ($replacedError);

#reprompt for input
$IT_UNC = Get-DiagInput -ID "IT_Invalid_UNC" -p @{"UNC" = $IT_UNC; "RTFText" = $RTFText}
if($IT_UNC -eq $null) {
#Failed retriving UNC path
return $null
}

$validUNC = GetValidUNC $IT_UNC[0]
}

return GetUNCNDFIncidentData $validUNC
}

function NetworkAdapterEntry()
{
#enumerate interfaces to build options list
$interfaces = get-wmiobject -class Win32_NetworkAdapter
#hash table with options
$optionList = @()
foreach($curInterface in $interfaces)
{
if($curInterface.GUID -ne $null)
{
$curHash = @{"Name"=$curInterface.NetConnectionID}
$curHash += @{"Description"=$curInterface.NetConnectionID}
$curHash += @{"Value"=$curInterface.GUID}

$optionList += @($curHash)
}
}

if($optionList.Count -gt 1)
{
#add zero guid entry to check all interfaces
$optionList += @(@{"Name"=$localizationString.interaction_AllAdapters; "Description"=$localizationString.interaction_AllAdapters; "Value"="{00000000-0000-0000-0000-000000000000}"; "ExtensionPoint"="<Default />"})

#get interface selection from user
$IT_NetworkAdapter = Get-DiagInput -ID "IT_NetworkAdapter" -c $optionList

if($IT_NetworkAdapter -eq $null) {
throw "Failed retriving Network Connetion ID from user"
}
}
elseif($optionList.Count -eq 1)
{
$IT_NetworkAdapter = $optionList[0]["Value"]
}
else
{
#No NICs, do zero GUID diag
$IT_NetworkAdapter = "{00000000-0000-0000-0000-000000000000}"
}

#build entry point parameters
$haXML = "<HelperAttributes><HelperAttribute><Name>guid</Name><Type>AT_GUID</Type><Value>" + $IT_NetworkAdapter + "</Value></HelperAttribute></HelperAttributes>"
return @{"HelperClassName" = "NetConnection"; "HelperAttributes" =$haXML}
}

function WinsockEntry()
{
$IT_RemoteAddress = Get-DiagInput -ID "IT_RemoteAddress"
if($IT_RemoteAddress -eq $null -or $IT_RemoteAddress[0].Length -eq 0) {
#Failed retriving Remote Address
return $null
}

$IT_Protocol = Get-DiagInput -ID "IT_Protocol"
if($IT_Protocol -eq $null -or $IT_Protocol[0].Length -eq 0) {
#Failed retriving Remote Port
return $null
}

$IT_ApplicationID = Get-DiagInput -ID "IT_ApplicationID"
if($IT_ApplicationID -eq $null -or $IT_ApplicationID[0].Length -eq 0) {
#Failed retriving Application ID
return $null
}

#build entry point parameters
$haXML = "<HelperAttributes><HelperAttribute><Name>remoteaddr</Name><Type>AT_SOCKADDR</Type><Value>" + $IT_RemoteAddress + "</Value></HelperAttribute>";
$haXML += "<HelperAttribute><Name>protocol</Name><Type>AT_UINT32</Type><Value>" + $IT_Protocol + "</Value></HelperAttribute>";
$haXML += "<HelperAttribute><Name>localaddr</Name><Type>AT_SOCKADDR</Type><Value>0.0.0.0</Value></HelperAttribute>";
$haXML += "<HelperAttribute><Name>appid</Name><Type>AT_STRING</Type><Value>" + $IT_ApplicationID + "</Value></HelperAttribute>";
$haXML += "</HelperAttributes>";
return @{"HelperClassName" = "Winsock"; "HelperAttributes" =$haXML}
}

function GroupingEntry()
{
$IT_GroupName = Get-DiagInput -ID "IT_GroupName"
if($IT_GroupName -eq $null -or $IT_GroupName[0].Length -eq 0) {
#Failed retriving Remote Address
return $null
}

#build entry point parameters
$haXML = "<HelperAttributes><HelperAttribute><Name>groupname</Name><Type>AT_STRING</Type><Value>" + $IT_GroupName + "</Value></HelperAttribute></HelperAttributes>"
return @{"HelperClassName" = "GroupingHelperClass"; "HelperAttributes" =$haXML}
}

function GetValidExePath($File)
{
&{
$uri = [System.URI]($File);
$scheme = $uri.scheme;
if(($scheme -eq "file" ))
{
#make sure it send in .exe
if($File.ToLower().IndexOf(".exe") -eq ($File.Length - 4))
{
return $File;
}
}
return $null;
}
trap [Exception]
{
return $null;
}
}

function InboundEntry()
{
$staticOptionRes = @($INBOUND_FILESHARE_RESOURCE, $INBOUND_REMOTEDESKTOP_RESOURCE, $INBOUND_DISCOVERY_RESOURCE)
$staticOptions = @($INBOUND_FILESHARE_PARAM, $INBOUND_REMOTEDESKTOP_PARAM, $INBOUND_DISCOVERY_PARAM)
# If defined for the corresponding option, the item will be filtered out if the current sku matches anything in the list
# Sku values as defined in the OperatingSystemSKU property of Win32_OperatingSystem
$SKUFilters = @($null, @(2,3,5,11), $null)

#get the SKU, to filter out inappropriate static options
$SKUObject = get-wmiobject -class Win32_OperatingSystem -property "OperatingSystemSKU"
$SKU = $SKUObject.OperatingSystemSKU

$optionList = @()
$curOptionIndex = 0
for($curStaticOption = 0; $curStaticOption -lt $staticOptions.Length; $curStaticOption++)
{
$SKUFilter = $SKUFilters[$curStaticOption]
if($SKUFilter)
{
if($SKUFilter -contains $SKU)
{
#should filter out this option from the list because it is not present in the SKU
continue;
}
}

$curApp = LoadResourceString($staticOptionRes[$curStaticOption])
$curHash = @{}
$curHash.Add("Name",$curApp)
$curHash.Add("Value",$curOptionIndex)
$curHash.Add("Description",$curApp)
$curHash.Add("HelperAttributeName","serviceid")
$curHash.Add("HelperAttributeValue",$staticOptions[$curStaticOption])
$optionList += $curHash
$curOptionIndex++
}

#add dynamic options (do not fail if call fails)
$script:ExpectingException = $true

$dll = "NetworkDiagnosticSnapIn.dll"

try
{
RegSnapin $dll

$droppedApps = [Microsoft.Windows.Diagnosis.Network.FirewallApi.ManagedMethods]::GetDiagnosticAppInfo()
$script:ExpectingException = $false
if($droppedApps)
{
foreach($droppedApp in $droppedApps)
{
#omit svchosts since we cannot display a friendly name for them
if($droppedApp.Path.IndexOf("svchost") -eq -1)
{
$appEntryDisplayStr = [System.String]::Format([System.Globalization.Cul

ScriptBlock ID: 9dde433b-59f7-43ff-9724-da85bd9a7705
Path: C:\Users\Chaz\AppData\Local\Temp\SDIAG_fc401818-2c95-4b72-9b00-d91a618105c1\UtilityFunctions.ps1

Firmware replying trojan that uses genuine windows remoting to take over (2024)

FAQs

How do I get rid of a fake Trojan virus on Windows 10? ›

Removing Trojans Pretending To Be Programs
  1. Open your PC's settings.
  2. Click Apps.
  3. Go to Apps & Features.
  4. Click the name of the Trojan program.
  5. Select Uninstall.

What to do if Windows detects a Trojan? ›

How do you remove Trojans?
  1. Step 1: Disconnect internet. Before you start removing the Trojan, make sure that you disconnect from the internet. ...
  2. Step 2: Launch antivirus program. ...
  3. Step 3: Remove Trojan in Safe Mode. ...
  4. Step 4: Perform system recovery. ...
  5. Final option: Reinstall Windows 11.
Oct 27, 2023

How do I get rid of Trojan Virus permanently? ›

Installing and using a trusted antivirus solution is also one of the top ways to get rid of trojans. An effective antivirus program searches for valid trust and app behavior, as well as trojan signatures in files in order to detect, isolate and then promptly remove them.

Will resetting a PC remove Trojan? ›

Resetting a PC will remove all programs, settings, and files, including any malware or viruses that may be present. However, it's important to note that resetting your PC should only be done as a last resort, and there are other methods to remove less drastic viruses that won't delete all your data.

How to remove Trojan agent virus? ›

The best way to clean up a Trojan infection is to use Malwarebytes' free trojan scanner, and then consider Malwarebytes Premium for proactive protection against future Trojan infections. Malwarebytes Premium will initiate a scan for Trojans and then remove Trojans so they can't cause further damage.

Can Trojan virus be fake? ›

Fake trojans appear in the form of a pop-up window, usually in a browser, and claim that your computer has been infected and you need to take urgent action to get rid of it. This article will deal with what you should do if you find yourself in that situation.

How do I get rid of Trojan killer? ›

Most of the computer programs have uninstall.exe or uninst000.exe in their installation folders.
  1. Go to the installation folder of Trojan Killer. Most of the times it is located in C:\Programs files or C:\Program files(x86)
  2. Double click the file to start the uninstallation process.

How to be sure a Trojan is gone? ›

Use security software: Install reputable antivirus or anti-malware management programs that specialize in monitoring for hidden threats. Full system scans often detect anomalies indicative of Trojan infiltration. Inspect program lists: Look through the list of installed programs on your device.

Top Articles
Latest Posts
Article information

Author: Golda Nolan II

Last Updated:

Views: 5766

Rating: 4.8 / 5 (78 voted)

Reviews: 85% of readers found this page helpful

Author information

Name: Golda Nolan II

Birthday: 1998-05-14

Address: Suite 369 9754 Roberts Pines, West Benitaburgh, NM 69180-7958

Phone: +522993866487

Job: Sales Executive

Hobby: Worldbuilding, Shopping, Quilting, Cooking, Homebrewing, Leather crafting, Pet

Introduction: My name is Golda Nolan II, I am a thoughtful, clever, cute, jolly, brave, powerful, splendid person who loves writing and wants to share my knowledge and understanding with you.