
I'm not sure if this should be in the server section, but here it goes.

This is the second time I've had this issue occur. It appears that someone is getting a piece of malware that is infecting the public share on the server. I've been able to restore the data from backup, so we are OK on that front, but obviously that is not a solution to the problem if this keeps happening.

I just wanted to get opinions on how to tackle this. I talked with Trend Micro as they are the antivirus we are using and they said the way these work is that they release the payload and then it auto-deletes itself from the infected machine. So if we try to do a malware scan, we won't find any traces of it.

My thoughts are first, to remove Admin rights from all the machines. I guess my second thought would be to see if any of the users have any local files that are encrypted as well.

Any thoughts would be appreciated.

This is an all-Windows environment, Windows 7 Pro workstations with SBS 2011 as the only server.

https://www.neowin.net/forum/topic/1234873-malware-issue-on-file-shares/

Are Volume Shadow Copies turned on? Great way to roll back files in case this happens, especially when a Cryptowall or Cryptolocker virus hits a user. We also use Trend for antivirus (OfficeScan 10.6). I would DEFINITELY remove admin privileges. People are stupid and will click on anything. I'd also implement group policy to block app data installs, which is a popular place for malware to run in (See this thread at the bottom). Also install the Microsoft EMET 5.1 program on the client machines http://support.microsoft.com/kb/2458544.

  On 29/10/2014 at 16:31, techbeck said:

Removing admin rights will not work. Malware, like cryptolocker, does not require admin rights to install on a client PC.

First, to narrow down the issue, I would look at who all has access to write to that file share.

Unfortunately, it is the "Public" folder, so anyone with Domain rights will have access to it.

  On 29/10/2014 at 16:48, ProgRocker said:

But who can write to it? And what do you mean it's the Public folder? You mean like the default user profile "Public"?

It is a folder that all domain users have access to. All domain users have full control. We've had these permissions for the past 10 years or so and never had this issue. I suppose we could limit permissions to all the sub-folders to limit access and perhaps narrow it down.

  On 29/10/2014 at 16:57, D!ABOL!C said:

It is a folder that all domain users have access to. All domain users have full control. We've had these permissions for the past 10 years or so and never had this issue. I suppose we could limit permissions to all the sub-folders to limit access and perhaps narrow it down.

Think locking down shares needs to be done eventually. Big security issue and hard to troubleshoot things like this. Plus, it causes more problems when people move/delete files they shouldn't.

What malware is it?

  On 29/10/2014 at 16:57, D!ABOL!C said:

It is a folder that all domain users have access to. All domain users have full control. We've had these permissions for the past 10 years or so and never had this issue. I suppose we could limit permissions to all the sub-folders to limit access and perhaps narrow it down.

Yep, Read and Execute is probably sufficient for most.

  On 29/10/2014 at 17:01, techbeck said:

Think locking down shares needs to be done eventually. Big security issue and hard to troubleshoot things like this. Plus, it causes more problems when people move/delete files they shouldn't.

What malware is it?

It's one of the Crypto Locker variants. It won't let you open any document (in this case Office Docs and PDF files) and it gives you a link to go to to decrypt the files etc.

At least the good news is that our backups work!

  On 29/10/2014 at 17:06, D!ABOL!C said:

It's one of the Crypto Locker variants. It won't let you open any document (in this case Office Docs and PDF files) and it gives you a link to go to to decrypt the files etc.

At least the good news is that our backups work!

Ahh, PITA. It writes to the APPDATA folder on the clients. We recently implemented a policy change that prevents users from writing to that specific location. We had a few instances with that malware where we couldn't tell what site/where it was coming from. But cryptolocker doesn't remove itself from the client. At least I have never seen it uninstall itself.

How many domain PCs are you talking, are they all running Trend Micro? Why is this getting past your anti-virus? Most up-to-date AVs should be detecting and blocking this type of file before it becomes a problem.

Hopefully this doesn't come across as a dig, it's certainly not meant to be. But two questions I would be asking.

  On 29/10/2014 at 17:14, AStaley said:

How many domain PCs are you talking, are they all running Trend Micro? Why is this getting past your anti-virus? Most up-to-date AVs should be detecting and blocking this type of file before it becomes a problem.

Hopefully this doesn't come across as a dig, it's certainly not meant to be. But two questions I would be asking.

About 30 workstations total, all running Worry Free Business Advanced.

And to be honest, why it is getting past the WFB is making me mad as well. It is up to date. I guess the only thing I can do is call Trend and make sure all the settings I have are correct.

  On 29/10/2014 at 17:14, AStaley said:

How many domain PCs are you talking, are they all running Trend Micro? Why is this getting past your anti-virus? Most up-to-date AVs should be detecting and blocking this type of file before it becomes a problem.

Hopefully this doesn't come across as a dig, it's certainly not meant to be. But two questions I would be asking.

Because A/V usually doesn't catch stuff, it gets rid of it after the fact. A lot of malware will disguise itself under a legit process to run the payload. There is no anti-virus that traps 100% of the stuff, it just doesn't work like that.

  On 29/10/2014 at 17:43, ProgRocker said:

Because A/V usually doesn't catch stuff, it gets rid of it after the fact. A lot of malware will disguise itself under a legit process to run the payload. There is no anti-virus that traps 100% of the stuff, it just doesn't work like that.

I agree, but this software also has malware detection and it definitely didn't detect anything.

It won't. There is no way to protect yourself 100%, well not a way that you would be happy with or your users. Local LAN access only, no internet, no outside files, no USB or any other way to copy files on. That would be the only way that you can be 100%.

Every software is designed differently, where one would catch another will miss. There isn't one software that is 100%. You can be mad at the AV vendor all you want, it isn't their fault. People program these things to be undetectable.

I always refer to antivirus like a doctor. He isn't going to prevent you from getting a cold or the flu or breaking your arm. He's the "after-the-fact" remedy.

I suggest reading the bleepingcomputer article I posted above. Implement the software restriction policies to prevent different extensions from running in the %appdata% and other known hotspot locations. Tell users to back up their stuff; if they don't have a backup of it, it's not important. With the cryptolocker stuff, once you get hit your only hope is backup, VSS, or pay the ransom.
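The software restriction path rules described above, as an added PowerShell example for a single Windows 7 client (not code from the thread or from any vendor). It assumes the registry layout SRP reads under CodeIdentifiers and that in a domain the same rules would normally be delivered through a GPO; the blocked patterns are illustrative and need tuning for any legitimate software that installs into the user profile.

```powershell
# Added example: create SRP "Disallowed" path rules on the local machine that stop
# executables launching from the %AppData% / %LocalAppData% trees, the drop
# locations discussed in the thread. Run from an elevated PowerShell prompt.
# Assumption: the CodeIdentifiers registry layout below is the one SRP reads.

$base       = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$disallowed = Join-Path $base '0\Paths'   # security level 0 = Disallowed

# Switch SRP on: default level Unrestricted, enforce for all files and all users.
New-Item -Path $base -Force | Out-Null
Set-ItemProperty -Path $base -Name 'DefaultLevel'       -Value 0x40000 -Type DWord
Set-ItemProperty -Path $base -Name 'TransparentEnabled' -Value 1       -Type DWord
Set-ItemProperty -Path $base -Name 'PolicyScope'        -Value 0       -Type DWord

# Illustrative block list (assumed, adjust to your environment). The "\*\*.exe"
# forms cover the randomly named subfolders droppers create under the profile.
$rules = @(
    '%AppData%\*.exe',
    '%AppData%\*\*.exe',
    '%LocalAppData%\*.exe',
    '%LocalAppData%\*\*.exe'
)

foreach ($pattern in $rules) {
    # Each rule lives in its own GUID-named subkey, as the policy editor creates them.
    $key = Join-Path $disallowed ('{' + [guid]::NewGuid().ToString() + '}')
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name 'ItemData'     -Value $pattern -Type ExpandString
    Set-ItemProperty -Path $key -Name 'SaferFlags'   -Value 0        -Type DWord
    Set-ItemProperty -Path $key -Name 'Description'  -Value 'Block executables in profile drop locations' -Type String
    Set-ItemProperty -Path $key -Name 'LastModified' -Value ([DateTime]::UtcNow.ToFileTime()) -Type QWord
}

Write-Host "Created $($rules.Count) Disallowed path rules; log the user off and on to be sure they apply."
```

Test on one machine first: an SRP block shows up as event 866 in the Application log, which is also the quickest way to spot legitimate software the rules are catching.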

  On 29/10/2014 at 18:01, sc302 said:

It won't. There is no way to protect yourself 100%, well not a way that you would be happy with or your users. Local LAN access only, no internet, no outside files, no USB or any other way to copy files on. That would be the only way that you can be 100%.

Every software is designed differently, where one would catch another will miss. There isn't one software that is 100%. You can be mad at the AV vendor all you want, it isn't their fault. People program these things to be undetectable.

I agree that no AV is going to catch 100% of malware; it only takes a small modification to the payload to make the latest definitions obsolete. But Cryptolocker and its variants aren't a new threat, they've been around a while, and a good anti-malware setup should be running real time checks on file access etc.

It could be this time the guy has just been unfortunate and been hit by new variants not recognised by Trend Micro, but I would in his position still want to know how it got past my setup and what I could do to mitigate the threat from happening again (which is what he seems to be doing). At the very least it could indicate a hole in his setup that is exposing the rest of his network, such as someone plugging in an unauthorised laptop that doesn't have adequate protection.

I guess at this point, I'm going to upgrade to the newest version of Worry Free Business.

I'm also going to have them check and see if any user has any locally encrypted files. What sucks is they have some users on laptops that pop in and out of the office, so it's possible someone comes in with an infected notebook, it does the damage and they leave.

Well, it doesn't matter if this specific bug doesn't require admin rights. There are many that do; there should be no reason for a user to have local admin rights. Is it their machine to maintain and administer or yours?

Also, why does your auditing not tell you which machine last touched the files? This way you would know which machine encrypted them. Turn on auditing and you can find the machine/user that is doing it.

Once you know the user/machine that is doing it, you can get more details on the actual method of infection from the user: what they did, etc. Is their machine infested? As others have said, there is no 100% magic software that can protect against all bugs. You have read the articles: antivirus is dead ;)

 

http://www.pcworld.com/article/2150743/antivirus-is-dead-says-maker-of-norton-antivirus.html
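The auditing approach BudMan suggests, as an added PowerShell example for the SBS 2011 file server (not code from the thread): it turns on write/delete auditing for the share, then joins object-access events (4663) to network logon events (4624) so each write is attributed to both the account and the client address it came from. The share path D:\Public is a placeholder; the script assumes it runs elevated on the server with PowerShell 2.0 or later.

```powershell
# Added example: enable file-write auditing on the public share and report which
# user and source IP have been writing to it. D:\Public is a placeholder path.

$share = 'D:\Public'

# 1. Enable the Object Access > File System audit subcategory (successes only).
#    If a GPO sets the legacy "Audit object access" policy it can override this;
#    in that case set the subcategory in the GPO instead.
auditpol /set /subcategory:"File System" /success:enable /failure:disable

# 2. SACL: audit successful write/append/delete by Everyone, inherited down the tree.
#    Reads are deliberately not audited, so the log stays small and every hit matters.
$acl    = Get-Acl -Path $share -Audit
$rights = [System.Security.AccessControl.FileSystemRights]'Write, Delete'
$rule   = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
    'Everyone', $rights, 'ContainerInherit, ObjectInherit', 'None', 'Success')
$acl.AddAuditRule($rule)
Set-Acl -Path $share -AclObject $acl

# Helper: flatten an event's EventData block into a hashtable keyed by field name.
function ConvertTo-EventData($Event) {
    $d = @{}
    foreach ($n in ([xml]$Event.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    return $d
}

# 3. Summarise writers: each 4663 under the share is a write or delete (that is all
#    the SACL audits); SubjectLogonId links it to the 4624 that carries the client IP.
function Get-ShareWriters {
    param([string]$Path = $share, [datetime]$Since = (Get-Date).AddHours(-24))
    $sessions = @{}
    Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4624; StartTime=$Since } -ErrorAction SilentlyContinue |
        ForEach-Object { $d = ConvertTo-EventData $_
            if ($d.TargetLogonId) { $sessions[$d.TargetLogonId] = $d.IpAddress } }
    Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4663; StartTime=$Since } -ErrorAction SilentlyContinue |
        ForEach-Object { $d = ConvertTo-EventData $_
            if ($d.ObjectName -like "$Path*") {
                New-Object PSObject -Property @{
                    User   = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                    Source = $sessions[$d.SubjectLogonId]   # client IP, if its logon is in range
                    Time   = $_.TimeCreated
                }
            } } |
        Group-Object User, Source | Sort-Object Count -Descending |
        Select-Object Count, Name, @{ n='Last'; e={ ($_.Group | Sort-Object Time)[-1].Time } }
}

Get-ShareWriters | Format-Table -AutoSize
```

A ransomware-infected client shows up as one account/IP pair with hundreds of writes in a few minutes, which is the signal to isolate that workstation before restoring the share from backup.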

Hello,

A common infection vector is email messages which contain a file attachment (or a URL to a downloadable file). The attachment (or URL) is an archive file that contains the ransomware, either in the form of a dropper or the actual executable. Another vector is malvertising (malicious banner advertisements which use some sort of exploit kit to perform a drive-by download) hosted on an otherwise legitimate website [the advertising is usually purchased with stolen credit cards, etc.].

You may wish to consider blocking messages which contain attachments that have executables in them (for example, .ZIP, .7Z or .RAR files with .COM|.EXE|.PIF|.SCR|{...} files in them) at the mail gateway.

Regards,

Aryeh Goretsky

While I agree that email with URLs or attachments is a common attack vector, I just don't see how/why it is still viable. In this day and age, with all the virus info that has been on major news outlets, etc., how can anyone continue to click on ###### that they were not expecting??

Just freaking amazing the lack of what you would think is common sense..

  On 31/10/2014 at 13:02, BudMan said:

While I agree that email with URLs or attachments is a common attack vector, I just don't see how/why it is still viable. In this day and age, with all the virus info that has been on major news outlets, etc., how can anyone continue to click on ###### that they were not expecting??

Just freaking amazing the lack of what you would think is common sense..

I would agree, why would anyone click on what is often clearly a random link. But then I look at my work emails and think "that's why"...

  On 31/10/2014 at 13:02, BudMan said:

While I agree that email with URLs or attachments is a common attack vector, I just don't see how/why it is still viable. In this day and age, with all the virus info that has been on major news outlets, etc., how can anyone continue to click on ###### that they were not expecting??

Just freaking amazing the lack of what you would think is common sense..

You would be surprised what they would click on. I know they usually send lots of Office type documents and I know some of these malware things like to tack on the .exe at the end. If they don't see that, boom, it's over.

I do have the email protection to prevent that stuff, so I am hoping that is not the issue.
