Malware Issue on File Shares



D!ABOL!C

I'm not sure if this should be in the server section, but here it goes.

This is the second time I've had this issue occur. It appears that someone is getting a piece of malware that is infecting the public share on the server. I've been able to restore the data from backup, so we are OK on that front, but obviously that is not a solution to the problem if this keeps happening.

I just wanted to get opinions on how to tackle this. I talked with Trend Micro as they are the antivirus we are using and they said the way these work is that they release the payload and then it auto-deletes itself from the infected machine. So if we try to do a malware scan, we won't find any traces of it.

My thoughts are, first, to remove admin rights from all the machines. I guess my second thought would be to see if any of the users have any local files that are encrypted as well.

Any thoughts would be appreciated.

This is an all-Windows environment: Windows 7 Pro workstations with SBS 2011 as the only server.

ProgRocker

Is Volume Shadow Copies turned on? Great way to roll back files in case this happens, especially when a Cryptowall or Cryptolocker virus hits a user. We also use Trend for antivirus (OfficeScan 10.6). I would DEFINITELY remove admin privileges. People are stupid and will click on anything. I'd also implement group policy to block app data installs, which is a popular place for malware to run in (see this thread at the bottom). Also install the Microsoft EMET 5.1 program on the client machines: http://support.microsoft.com/kb/2458544.

techbeck

Removing admin rights will not work. Malware, like cryptolocker, does not require admin rights to install on a client PC.

First, to narrow down the issue, I would look at who has access to write to that file share.

D!ABOL!C

Removing admin rights will not work. Malware, like cryptolocker, does not require admin rights to install on a client PC.

First, to narrow down the issue, I would look at who has access to write to that file share.

Unfortunately, it is the "Public" folder, so anyone with domain rights will have access to it.

ProgRocker

But who can write to it? And what do you mean it's the Public folder? You mean like the default user profile "Public"?

D!ABOL!C

But who can write to it? And what do you mean it's the Public folder? You mean like the default user profile "Public"?

 

It is a folder that all domain users have access to. All domain users have full control. We've had these permissions for the past 10 years or so and never had this issue. I suppose we could limit permissions to all the sub-folders to limit access and perhaps narrow it down.

techbeck

It is a folder that all domain users have access to. All domain users have full control. We've had these permissions for the past 10 years or so and never had this issue. I suppose we could limit permissions to all the sub-folders to limit access and perhaps narrow it down.

 

Think locking down shares needs to be done eventually. Big security issue and hard to troubleshoot things like this. Plus, causes more problems when people move/delete files they shouldn't.

 

What malware is it?

ProgRocker

It is a folder that all domain users have access to. All domain users have full control. We've had these permissions for the past 10 years or so and never had this issue. I suppose we could limit permissions to all the sub-folders to limit access and perhaps narrow it down.

 

Yep, Read and Execute is probably sufficient for most. 

D!ABOL!C

Think locking down shares needs to be done eventually. Big security issue and hard to troubleshoot things like this. Plus, causes more problems when people move/delete files they shouldn't.

 

What malware is it?

 

It's one of the Crypto Locker variants. It won't let you open any document (in this case Office docs and PDF files) and it gives you a link to visit to decrypt the files etc.

 

At least the good news is that our backups work!

techbeck

It's one of the Crypto Locker variants. It won't let you open any document (in this case Office docs and PDF files) and it gives you a link to visit to decrypt the files etc.

 

At least the good news is that our backups work!

 

Ahh, PITA. It writes to the APPDATA folder on the clients. We recently implemented a policy change that prevents users from writing to that specific location. We had a few instances with that malware where we couldn't tell what site/where it was coming from. But cryptolocker doesn't remove itself from the client. At least I have never seen it uninstall itself.

AStalUK

How many domain PCs are you talking, and are they all running Trend Micro? Why is this getting past your anti-virus? Most up-to-date AVs should be detecting and blocking this type of file before it becomes a problem.

 

Hopefully this doesn't come across as a dig, it's certainly not meant to be.  But two questions I would be asking.

D!ABOL!C

How many domain PCs are you talking, and are they all running Trend Micro? Why is this getting past your anti-virus? Most up-to-date AVs should be detecting and blocking this type of file before it becomes a problem.

 

Hopefully this doesn't come across as a dig, it's certainly not meant to be.  But two questions I would be asking.

 

About 30 workstations total, all running Worry Free Business advanced.

 

And to be honest, why it is getting past the WFB is making me mad as well. It is up to date. I guess the only thing I can do is call Trend and make sure all the settings I have are correct.

ProgRocker

How many domain PCs are you talking, and are they all running Trend Micro? Why is this getting past your anti-virus? Most up-to-date AVs should be detecting and blocking this type of file before it becomes a problem.

 

Hopefully this doesn't come across as a dig, it's certainly not meant to be.  But two questions I would be asking.

Because A/V usually doesn't catch stuff, it gets rid of it after the fact. A lot of malware will disguise itself under a legit process to run the payload. There is no anti-virus that traps 100% of the stuff, it just doesn't work like that. 

D!ABOL!C

Because A/V usually doesn't catch stuff, it gets rid of it after the fact. A lot of malware will disguise itself under a legit process to run the payload. There is no anti-virus that traps 100% of the stuff, it just doesn't work like that. 

 

I agree, but this software also has malware detection and it definitely didn't detect anything.

sc302

It won't. There is no way to protect yourself 100%, well, not a way that you or your users would be happy with. Local LAN access only, no internet, no outside files, no USB or any other way to copy files on. That would be the only way that you can be 100%.

Every software is designed differently, where one would catch another will miss. There isn't one software that is 100%. You can be mad at the av vendor all you want, it isn't their fault. People program these things to be undetectable.

ProgRocker

I always refer to antivirus like a doctor. He isn't going to prevent you from getting a cold or the flu or breaking your arm. He's the "after-the-fact" remedy. 

 

I suggest reading the bleepingcomputer article I posted above. Implement the software restriction policies to prevent different extensions from running in the %appdata% and other known hotspot locations. Tell users to back up their stuff; if they don't have a backup of it, it's not important. With the cryptolocker stuff, once you get hit your only hope is backup, VSS, or paying the ransom.
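The two controls recommended in this thread (shadow copies for rollback, and Software Restriction Policy path rules that stop executables running from %AppData% and similar hotspots) can be checked and applied from PowerShell. The script below is an added example, not code from the thread, from Trend Micro or from Microsoft. It assumes Windows PowerShell 3.0 or later running as an administrator; the registry layout is the one SRP uses for local policy (the same rules are normally deployed to domain clients through a GPO instead), and the %Temp% archive-extraction paths are the ones commonly listed in CryptoLocker prevention guides, included here as an assumption to be adjusted to local policy.

```powershell
# Added example (not from the thread). Assumes Windows PowerShell 3.0+ as administrator.
# Local SRP policy lives under HKLM\...\Safer\CodeIdentifiers; security level key "0" is
# "Disallowed", and each path rule is a GUID subkey holding ItemData (the path) and SaferFlags.
#Requires -RunAsAdministrator

$SaferRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Path rules to place at the Disallowed level (assumed list, adjust to local policy).
$HotspotPaths = @(
    '%AppData%\*.exe',
    '%AppData%\*\*.exe',
    '%LocalAppData%\*.exe',
    '%LocalAppData%\*\*.exe',
    '%Temp%\*.zip\*.exe',      # executables run straight out of an archive opened in Explorer
    '%Temp%\Rar*\*.exe',       # WinRAR temporary extraction folders
    '%Temp%\7z*\*.exe'         # 7-Zip temporary extraction folders
)

function Get-ShadowCopyStatus {
    # One row per lettered volume: how many shadow copies exist and when the newest was taken.
    $shadows = @(Get-WmiObject -Class Win32_ShadowCopy -ErrorAction SilentlyContinue)
    foreach ($vol in Get-WmiObject -Class Win32_Volume | Where-Object { $_.DriveLetter }) {
        $mine = @($shadows | Where-Object { $_.VolumeName -eq $vol.DeviceID })
        $newest = $null
        if ($mine.Count -gt 0) {
            # InstallDate is a DMTF string (yyyymmddHHMMSS...), so a string sort is chronological.
            $latest = @($mine | Sort-Object InstallDate -Descending)[0].InstallDate
            $newest = [System.Management.ManagementDateTimeConverter]::ToDateTime($latest)
        }
        [pscustomobject]@{ Drive = $vol.DriveLetter; ShadowCopies = $mine.Count; Newest = $newest }
    }
}

function Get-SrpDisallowedPaths {
    # Lists path rules currently at the Disallowed level; an empty result means none are set locally.
    $key = Join-Path $SaferRoot '0\Paths'
    if (-not (Test-Path $key)) { return @() }
    foreach ($rule in Get-ChildItem $key) {
        $p = Get-ItemProperty $rule.PSPath
        [pscustomobject]@{ Rule = $rule.PSChildName; Path = $p.ItemData; Description = $p.Description }
    }
}

function Add-SrpDisallowedPath {
    # Adds one Disallowed path rule (ItemData = path, SaferFlags = 0) unless it already exists.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [string]$Description = 'Block executables in user-writable location'
    )
    if (Get-SrpDisallowedPaths | Where-Object { $_.Path -eq $Path }) {
        Write-Verbose "Rule already present: $Path"
        return
    }
    $ruleKey = Join-Path $SaferRoot ('0\Paths\{' + [guid]::NewGuid().ToString().ToUpper() + '}')
    if ($PSCmdlet.ShouldProcess($Path, 'Add SRP Disallowed path rule')) {
        New-Item -Path $ruleKey -Force | Out-Null
        New-ItemProperty -Path $ruleKey -Name ItemData     -Value $Path        -PropertyType ExpandString | Out-Null
        New-ItemProperty -Path $ruleKey -Name SaferFlags   -Value 0            -PropertyType DWord        | Out-Null
        New-ItemProperty -Path $ruleKey -Name Description  -Value $Description -PropertyType String       | Out-Null
        New-ItemProperty -Path $ruleKey -Name LastModified -Value ([datetime]::UtcNow.ToFileTimeUtc()) -PropertyType QWord | Out-Null
    }
}

# Usage: review first; drop -WhatIf to apply.
Get-ShadowCopyStatus   | Format-Table -AutoSize
Get-SrpDisallowedPaths | Format-Table -AutoSize
$HotspotPaths | ForEach-Object { Add-SrpDisallowedPath -Path $_ -WhatIf }
```

Two caveats when using this: SRP only enforces path rules once the policy itself exists (the DefaultLevel and ExecutableTypes values under the CodeIdentifiers key, which secpol.msc or the GPO editor creates), and clients pick the rules up at the next policy refresh or logon, so test on one workstation before rolling out. A shadow copy count of zero on the data volume means the rollback ProgRocker describes is not available and the backup is the only recovery path.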

AStalUK

It won't. There is no way to protect yourself 100%, well, not a way that you or your users would be happy with. Local LAN access only, no internet, no outside files, no USB or any other way to copy files on. That would be the only way that you can be 100%.

Every software is designed differently, where one would catch another will miss. There isn't one software that is 100%. You can be mad at the av vendor all you want, it isn't their fault. People program these things to be undetectable.

I agree that no AV is going to catch 100% of malware; it only takes a small modification to the payload to make the latest definitions obsolete. But Cryptolocker and its variants aren't a new threat, they've been around a while, and a good anti-malware setup should be running real-time checks on file access etc.

It could be this time the guy has just been unfortunate and been hit by new variants not recognised by Trend Micro, but I would in his position still want to know how it got past my setup and what I could do to mitigate the threat from happening again (which is what he seems to be doing). At the very least it could indicate a hole in his setup that is exposing the rest of his network, such as someone plugging in an unauthorised laptop that doesn't have adequate protection.

D!ABOL!C

I guess at this point, I'm going to upgrade to the newest version of Worry Free Business.

 

I'm also going to have them check and see if any user has any locally encrypted files. What sucks, is they have some users on laptops, that pop in and out of the office, so it's possible someone comes in with an infected notebook, it does the damage and they leave.

+BudMan

Well doesn't matter if this specific bug doesn't require admin rights..  There are many that do - there should be no reason for a user to have local admin rights.  Is it their machine to maintain and administer or yours? 

 

Also why does your auditing not tell you which machine last touched the files - this way you would know which machine encrypted them.   Turn on auditing and you can find the machine/user that is doing it.

 

Once you know the user/machine that is doing it.. You can get more details on the actual method of infection from the user - what they did, etc. is their machine infested..  As others have said there is no 100% magic software that can protect against all bugs..  You have read the articles - antivirus is dead  ;)

 

http://www.pcworld.com/article/2150743/antivirus-is-dead-says-maker-of-norton-antivirus.html
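BudMan's point about auditing is the one that actually answers the original question (which machine is encrypting the share). The script below is an added example, not code from the thread. It assumes the share is on the SBS 2011 server (a Server 2008 R2 base) with Windows PowerShell 3.0 or later, run as an administrator; the folder path 'D:\Shares\Public' and share name 'Public' are placeholders. It relies on the "Detailed File Share" audit subcategory, whose event 5145 records the account, the client IP address and the access mask for each share access, which is what ties an encryption to a workstation (4663 from "File System" auditing needs a SACL and carries no client address).

```powershell
# Added example (not from the thread). Assumes Server 2008 R2 / PowerShell 3.0+, run as admin.
# Placeholders: 'D:\Shares\Public' (folder), 'Public' (share name).
#Requires -RunAsAdministrator

function Enable-ShareWriteAuditing {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string]$FolderPath)
    if (-not $PSCmdlet.ShouldProcess($FolderPath, 'Enable write auditing')) { return }
    # Advanced audit policy subcategories: 5145 needs no SACL, 4663 needs the SACL set below.
    auditpol /set /subcategory:"Detailed File Share" /success:enable | Out-Null
    auditpol /set /subcategory:"File System" /success:enable | Out-Null
    # SACL: log successful modifications by anyone, inherited to all files and subfolders.
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
        'Everyone',
        [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles',
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]::Success
    )
    $acl = Get-Acl -Path $FolderPath -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -Path $FolderPath -AclObject $acl
}

function Get-ShareWriters {
    # Ranks (account, client IP) pairs by the number of modifying accesses to the share since $Since.
    param(
        [string]$ShareName = 'Public',
        [datetime]$Since = (Get-Date).AddHours(-24)
    )
    # Access mask bits that mean the caller changed something: WriteData 0x2, AppendData 0x4, DELETE 0x10000.
    $modifyBits = 0x2 -bor 0x4 -bor 0x10000
    $filter = @{ LogName = 'Security'; Id = 5145; StartTime = $Since }
    $rows = foreach ($ev in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        $data = @{}
        foreach ($d in ([xml]$ev.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # ShareName is logged as \\*\Public; AccessMask as a hex string such as 0x2.
        if ($data.ShareName -notlike "*\$ShareName") { continue }
        if (-not (([int]$data.AccessMask) -band $modifyBits)) { continue }
        [pscustomobject]@{
            Time    = $ev.TimeCreated
            Account = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            Client  = $data.IpAddress
            Target  = $data.RelativeTargetName
        }
    }
    $rows | Group-Object Account, Client | Sort-Object Count -Descending |
        Select-Object Count, Name,
            @{ Name = 'LastSeen'; Expression = { ($_.Group | Sort-Object Time -Descending | Select-Object -First 1).Time } },
            @{ Name = 'Sample';   Expression = { ($_.Group | Select-Object -First 1).Target } }
}

# Usage: enable once (remove -WhatIf), then after the next incident list the heaviest writers.
Enable-ShareWriteAuditing -FolderPath 'D:\Shares\Public' -WhatIf
Get-ShareWriters -ShareName 'Public' -Since (Get-Date).AddHours(-6) | Format-Table -AutoSize
```

A ransomware run shows up as one account from one client address producing thousands of write and delete events in a short window, far above any normal user. The Security log fills quickly once share auditing is on, so raise its maximum size or forward it, otherwise the evidence may have rolled over by the time the damage is noticed. The client address also answers AStalUK's concern about an unmanaged laptop: an address outside the normal workstation range points straight at it.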

goretsky

Hello,

 

Common infection vectors are email messages which contain a file attachment (or a URL to a downloadable file). The attachment (or URL) is an archive file that contains the ransomware, either in the form of a dropper or the actual executable. Another vector is malvertising (malicious banner advertisements which use some sort of exploit kit to perform a drive-by download) hosted on an otherwise legitimate website [the advertising is usually purchased with stolen credit cards, etc.].

 

You may wish to consider blocking messages which contain attachments that have executables in them (for example, a .ZIP, .7Z or .RAR file with .COM|.EXE|.PIF|.SCR|{...} files in them) at the mail gateway.

 

Regards,

 

Aryeh Goretsky

+BudMan

While I agree that email with URLs or attachments is a common attack vector - I just don't see how/why it is still viable..  In this day and age, with all the virus info that has been on major news outlets, etc..  How can anyone continue to click on ###### that they were not expecting??

 

Just freaking amazing the lack of what you would think is common sense..

sc302

Some people still want the free iPad or computer or vacation or that money from the Nigerian prince... maybe this time will be different...

AStalUK

While I agree that email with URLs or attachments is a common attack vector - I just don't see how/why it is still viable..  In this day and age, with all the virus info that has been on major news outlets, etc..  How can anyone continue to click on ###### that they were not expecting??

 

Just freaking amazing the lack of what you would think is common sense..

 

I would agree, why would anyone click on what is often clearly a random link.  But then I look at my work emails and think "that's why"...

+BudMan

I lost you AStaley?  What is in your work emails that would promote clicking random ######?

D!ABOL!C

While I agree that email with URLs or attachments is a common attack vector - I just don't see how/why it is still viable..  In this day and age, with all the virus info that has been on major news outlets, etc..  How can anyone continue to click on ###### that they were not expecting??

 

Just freaking amazing the lack of what you would think is common sense..

 

You would be surprised what they would click on. I know they usually send lots of Office type documents and I know some of these malware things like to tack on the exe at the end. If they don't see that, boom, it's over.

I do have the email protection to prevent that stuff, so I am hoping that is not the issue.
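Goretsky's gateway rule (reject archives that contain executables) and D!ABOL!C's observation that the payload often hides behind a document name with an executable extension tacked on are the same check seen from two sides. The script below is an added example, not code from the thread or from any mail gateway product. It assumes Windows PowerShell with .NET 4.5 or later (for System.IO.Compression) and handles .ZIP only; .7Z and .RAR need an external extractor and are only flagged here. The four extensions named in the thread are kept, and the additional script and batch types are an assumption commonly found in gateway filters. The sample archives are constructed inside the script so it runs stand-alone.

```powershell
# Added example (not from the thread). Assumes Windows PowerShell, .NET 4.5+.
Add-Type -AssemblyName System.IO.Compression.FileSystem

# .com/.exe/.pif/.scr come from the thread; the rest are an assumed extension to the list.
$ExecutableExtensions = @('.com', '.exe', '.pif', '.scr',
                          '.bat', '.cmd', '.js', '.jse', '.vbs', '.vbe', '.wsf', '.hta')
$ArchivesNeedingTool  = @('.7z', '.rar')

function Test-ZipAttachment {
    # Returns Block = $true when the archive holds an executable type, a double-extension
    # file (report.pdf.exe) or a nested archive this script cannot open.
    param([Parameter(Mandatory = $true)][string]$ZipPath)
    $findings = @()
    $zip = [System.IO.Compression.ZipFile]::OpenRead($ZipPath)
    try {
        foreach ($entry in $zip.Entries) {
            if ($entry.Name -eq '') { continue }          # directory entry, nothing to check
            $ext = [System.IO.Path]::GetExtension($entry.Name).ToLowerInvariant()
            if ($ExecutableExtensions -contains $ext) {
                $findings += "executable entry: $($entry.FullName)"
                # "Invoice.pdf.exe": strip the real extension and see whether a fake one remains.
                $inner = [System.IO.Path]::GetFileNameWithoutExtension($entry.Name)
                if ([System.IO.Path]::HasExtension($inner)) {
                    $shown = [System.IO.Path]::GetExtension($inner)
                    $findings += "double extension (shown as $shown): $($entry.FullName)"
                }
            }
            elseif ($ext -eq '.zip' -or $ArchivesNeedingTool -contains $ext) {
                $findings += "nested archive, inspect with an extractor: $($entry.FullName)"
            }
        }
    }
    finally { $zip.Dispose() }
    [pscustomobject]@{ Zip = $ZipPath; Block = ($findings.Count -gt 0); Findings = $findings }
}

# --- constructed samples: a harmless document zip and one carrying a disguised executable ---
$work = Join-Path $env:TEMP ('zipcheck-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $work | Out-Null
$samples = @{ 'clean.zip' = 'report.pdf'; 'suspect.zip' = 'Invoice_2014.pdf.exe' }
foreach ($sample in $samples.GetEnumerator()) {
    $dir = Join-Path $work ([System.IO.Path]::GetFileNameWithoutExtension($sample.Key))
    New-Item -ItemType Directory -Path $dir | Out-Null
    Set-Content -Path (Join-Path $dir $sample.Value) -Value 'placeholder text, not a real program'
    [System.IO.Compression.ZipFile]::CreateFromDirectory($dir, (Join-Path $work $sample.Key))
}

# clean.zip -> Block False; suspect.zip -> Block True with two findings.
Get-ChildItem $work -Filter *.zip | ForEach-Object { Test-ZipAttachment -ZipPath $_.FullName } | Format-List
Remove-Item $work -Recurse -Force
```

The check is deliberately by name only, which is what a gateway rule like the one goretsky describes does; it does not open or execute anything. Its known gap is a password-protected archive, whose entry names are still readable here but whose content cannot be scanned, so a gateway policy usually has to decide separately whether such archives are allowed through at all.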
