Sunday, January 26, 2014

Did I Visit a Malicious Site?

The Perl script below downloads the Malware Domain List hosts file and compares the domains listed in it to the domains present in the Chrome History database (an SQLite DB). It prints any domains in the History DB that appear on the Malware Domain List. Note: the script assumes that a copy of the History DB is in the same directory as the script.


use DBI;
use List::MoreUtils qw(uniq);
use List::Compare;
use LWP::Simple;
use URI;
use strict;
use warnings;

my @MalDomains;
my @VisitedDomains;

#obtains a list of malicious domains from the malware domain list hosts file
#(the URL of the hosts file goes between the quotes)
my $MalHosts = get '';
die "could not download the hosts file\n" unless defined $MalHosts;
open( my $hosts, '<', \$MalHosts ) or die "cannot read hosts data: $!";
while (<$hosts>) {
   my $host=$_;
   #remove loopback from each entry
   if($host=~s/^127\.0\.0\.1\s+//){
      #remove newline
      $host =~ s/\r?\n$//;
      push(@MalDomains, $host);
   }
}
close $hosts;

#opens the History database and pulls out all visited domains
my $dbh = DBI->connect("dbi:SQLite:dbname=History","","", { RaiseError => 1 });
my $sth=$dbh->selectall_arrayref( "SELECT url FROM urls" );
foreach my $data (@$sth) {
   (my $url)=@$data;
   #obtain domain from visited URL
   my $url2 = URI->new("$url");
   #skip URLs that have no host part (data:, about:, ...)
   next unless $url2->can('host') && defined $url2->host;
   my $domain = $url2->host;
   push(@VisitedDomains, $domain);
}
$dbh->disconnect;

#remove duplicate domains to speed processing
my @UVDomains = uniq(@VisitedDomains);

#finds the intersection of each array
my $lc = List::Compare->new(\@MalDomains, \@UVDomains);
my @intersection = $lc->get_intersection;

print "You browsed the following malicious domains: \n";
foreach (@intersection) {
   print $_ . "\n";
}
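
Once a listed domain turns up in the history, the next questions are usually when it was visited and how often. The following is an added example, not the script from this post: it goes beyond the comparison above by also reading the visit_count and last_visit_time columns of the urls table. The in-memory database, the .example domains and the helper names parse_hosts and chrome_time are constructed for illustration.

```perl
use strict;
use warnings;
use DBI;
use URI;
use POSIX qw(strftime);

# Constructed sample data in hosts-file format (not real list entries).
my $hosts_text = "# constructed sample\r\n127.0.0.1  bad.example\r\n127.0.0.1  evil.example\r\n";

# Turn hosts-file lines into a lookup hash of lower-cased domains.
sub parse_hosts {
    my ($text) = @_;
    my %bad;
    for my $line (split /\r?\n/, $text) {
        $bad{lc $1} = 1 if $line =~ /^127\.0\.0\.1\s+(\S+)/;
    }
    return \%bad;
}

# Chrome stores times as microseconds since 1601-01-01 UTC;
# 11644473600 seconds separate that epoch from the Unix epoch.
sub chrome_time {
    my ($t) = @_;
    return 'never' unless $t;
    return strftime('%Y-%m-%d %H:%M:%S UTC', gmtime(int($t / 1_000_000) - 11_644_473_600));
}

# Stand-in for a copy of the History file: only the columns used here.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '', { RaiseError => 1 });
$dbh->do('CREATE TABLE urls (url TEXT, visit_count INTEGER, last_visit_time INTEGER)');
my $ins = $dbh->prepare('INSERT INTO urls VALUES (?, ?, ?)');
$ins->execute(@$_) for (
    ['http://bad.example/landing', 3, 13035168000000000],
    ['https://www.example.org/',   9, 13035170000000000],
    ['data:text/plain,hello',      1, 13035171000000000],
);

my $bad  = parse_hosts($hosts_text);
my $rows = $dbh->selectall_arrayref('SELECT url, visit_count, last_visit_time FROM urls');
for my $row (@$rows) {
    my ($url, $count, $last) = @$row;
    my $uri = URI->new($url);
    next unless $uri->can('host') && defined $uri->host;   # skip data:, about:, etc.
    next unless $bad->{ lc $uri->host };                   # exact host match only
    printf "%s  visits=%d  last=%s  %s\n", $uri->host, $count, chrome_time($last), $url;
}
$dbh->disconnect;
```

To run it against a real copy of the History file, replace the in-memory connection with dbi:SQLite:dbname=History and drop the CREATE TABLE and INSERT statements.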

Friday, January 24, 2014

Calling PowerShell from Within Perl

Recently, I’ve been doing a bit of scripting for use inside a Windows environment and, as such, became somewhat interested in some of the functionality that is offered up by PowerShell. As a result, I began experimenting with calling PowerShell commands from within a Perl script. Below is a simple example that, when run with appropriate privileges, can take a list of PC names and clear the security log on each PC.

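use strict;
use warnings;

open(my $hosts, "<", "hosts.txt")
   or die "cannot open < hosts.txt: $!";
while (<$hosts>) {
   #remove newline
   s/\r?\n$//;
   my $host=$_;
   #the name is interpolated into a shell command, so skip blank lines
   #and anything that is not a plain host name
   next unless $host =~ /^[A-Za-z0-9][A-Za-z0-9.-]*$/;
   system("powershell -Command \"& {Clear-EventLog -Logname Security -ComputerName $host;}\"");
}

close $hosts;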