Files corrupted by unidentified virus. Server protected with NOD32.

It appears that my server (Windows Server 2003 R2) with Eset NOD32 4.x Antivirus installed was compromised last night. Starting at 7:53pm, most .PDF and .XLS(X) files were modified and are now corrupted and cannot be opened. Corrupted files opened in Notepad yield a file full of square blocks...

I have backups, so that isn't a problem. However, I would like to know what happened and how I got attacked. Any tips on how to track down the source?

One of my workstations quarantined a couple files yesterday and today. It quarantined "Spy.Zbot.AAU" trojan, "Filecoder.BQ" trojan, and "Kryptik.BLTM" trojan. The first one was quarantined 5 hrs. before server files were modified and the next two were 9 hrs. after they were modified.

I realize NOD32 is an older version. I have Endpoint Antivirus on all my workstations.

  • Administrators

Do those files have a special extension added, such as OMG, GOD, etc? It's likely that the files got encrypted with GpCode or a recent advanced Filecoder variant and the chance of recovering them is low. Anyway, send me 2-3 encrypted files attached to a personal message for analysis. 

For more information about Filecoder ransomware and the way they get into computers, please read these blogs:

hxxp://www.welivesecurity.com/2013/09/23/filecoder-holding-your-data-to-ransom

hxxp://www.welivesecurity.com/2013/09/16/remote-desktop-rdp-hacking-101-i-can-see-your-desktop-from-here

Thank you for the quick reply, Marcos. I don't see that file extensions have been added/changed. I am sending you some of the corrupted files via personal message right now.

I know the chance for recovery is slim. I just want to find the problem and make sure I don't corrupt the backups when I try to restore...

Hi,

I am suffering the same problem. A user seems to have got the virus via email last night/early this morning, and not only is EVERY file on their laptop corrupt (Office files, photos, PDFs) but, as that user had access to network shares, all files within the folders they had access to are also corrupt.

Same here: I had backups from last night, but the hassle is the restoration.

My concerns are:

- how did the virus get onto the Exchange server, and then into the user's mailbox, when the server is running ESET Mail Security and was up to date?

- why did the user's laptop allow the user to open the email attachment when it was on Endpoint AV 5 and up to date?

From reviewing logs on ALL internal computers and also on the server, it seems the virus that came in was the Spy.Zbot.AAU trojan.

Edited by OceanLC
  • 2 weeks later...

Hi OceanLC,

We have also experienced this infection getting past ESET. I believe this was accomplished by hiding inside a zip file as an attachment on an email, but it also would have been opened by a member of staff. Luckily, for any of our customers with ESET Mail Security for Exchange we have enabled rules to remove any files that are .exe, .zip, .rar, etc., which has prevented the infection on a lot of customers. However, standard antivirus protection from ESET doesn't stop the infection at all, so we are beginning to look into the lockdown BleepingComputer has suggested as a preventative measure, using software security via Group Policy.

Block CryptoLocker executable:
Path: %AppData%\*.exe
Security Level: Disallowed
Description: Don't allow executables to run from %AppData%.

Block Zbot executable:
Path: %AppData%\*\*.exe
Security Level: Disallowed
Description: Don't allow executables to run from immediate subfolders of %AppData%.

Block executables run from archive attachments opened with WinRAR:
Path: %Temp%\Rar*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with WinRAR.

Block executables run from archive attachments opened with 7zip:
Path: %Temp%\7z*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with 7zip.

Block executables run from archive attachments opened with WinZip:
Path: %Temp%\wz*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with WinZip.

Block executables run from archive attachments opened using Windows built-in Zip support:
Path: %Temp%\*.zip\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened using Windows built-in Zip support.

hxxp://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information

Edited by mattspchelp
My experience with this was all very odd... File extensions were not changed and I never saw the actual ransom request as typically associated with Filecoder/Cryptolocker, et al. It seems as if the trojan/virus/infection never fully completed and somehow got stopped before being fully executed.

I ran a couple of A/V scans from multiple tools, cleaned everything I could find, and restored from backups rather than pay the ransom. Have had no further issues...

There is no doubt it came from a user clicking a .zip attachment in a FedEx, UPS or DHL spoof. As "mattspchelp" stated above, it may be a good idea to implement some kind of security via group policy (or other methods) instead of relying on antivirus to stop this.

  • 2 weeks later...
  • Administrators

I have the same problem on one of our servers. Completely corrupted a whole company data folder, not impressed with ESET anymore.

One of the recent Filecoder variants I came across, and for which ESET added detection (the variant was proactively blocked by web protection at the user's computer), was not detected by any of the AV vendors on VirusTotal.com. I'm saying this because the statement "not impressed with ESET anymore" might cause somebody to think that another AV would protect him or her better, which is apparently not the case. Of course, there's a chance that some AVs might have detected it by behavior blocker upon execution, etc.

Speaking about servers, we observed targeted attacks via RDP when the attacker first disabled antivirus protection, then ran ransomware to encrypt the data on disks. For more information, read this article: hxxp://www.welivesecurity.com/2013/09/16/remote-desktop-rdp-hacking-101-i-can-see-your-desktop-from-here/

  • 3 months later...

If you have shadow copies enabled on the server you will be able to restore all the files without this corruption. I would, however, ensure your server is clean and run a full network scan via remote admin, as well as enabling audit logging on file reads and writes; this may then show you where these infections came from, potentially an employee using Facebook or opening infected zip files from fake HMRC, TNT or DHL accounts.

We have recently overcome this same infection for a new client.

Regards

Matt
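The audit-logging approach Matt recommends above, worked through as an added example (not code from this thread or from ESET): it takes file-access audit events, keeps only writes to document files, and flags any account that rewrote many distinct files within a short window, which is the pattern described at the top of the thread (most PDFs and spreadsheets modified from 7:53pm onwards). The log lines, account names and share path are constructed for the example and use a simplified one-line layout rather than the real event XML.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in a simplified one-line-per-event layout; field names mirror
# Security event 4663 (SubjectUserName, ObjectName, AccessMask: 0x1 read, 0x2 write).
SAMPLE_EVENTS = r"""
2013-11-05T19:52:58 4663 SubjectUserName=jdoe ObjectName=\\SRV\Data\Q3-budget.xlsx AccessMask=0x2
2013-11-05T19:53:01 4663 SubjectUserName=jdoe ObjectName=\\SRV\Data\contract.pdf AccessMask=0x2
2013-11-05T19:53:03 4663 SubjectUserName=jdoe ObjectName=\\SRV\Data\site-plan.pdf AccessMask=0x2
2013-11-05T19:53:04 4663 SubjectUserName=jdoe ObjectName=\\SRV\Data\invoices.xls AccessMask=0x2
2013-11-05T19:53:06 4663 SubjectUserName=jdoe ObjectName=\\SRV\Data\team.jpg AccessMask=0x2
2013-11-05T19:53:09 4663 SubjectUserName=jdoe ObjectName=\\SRV\Data\minutes.docx AccessMask=0x2
2013-11-05T19:53:10 4663 SubjectUserName=backup ObjectName=\\SRV\Data\contract.pdf AccessMask=0x1
2013-11-05T19:53:12 4663 SubjectUserName=asmith ObjectName=\\SRV\Data\notes.docx AccessMask=0x2
2013-11-05T21:10:00 4663 SubjectUserName=asmith ObjectName=\\SRV\Data\report.pdf AccessMask=0x2
"""
EVENT_RE = re.compile(r"^(\S+) 4663 SubjectUserName=(\S+) ObjectName=(\S+) AccessMask=(0x[0-9a-fA-F]+)$")
WRITE_BITS = 0x2 | 0x4  # WriteData | AppendData
DOC_EXTS = (".pdf", ".xls", ".xlsx", ".doc", ".docx", ".jpg")

def parse_write_events(text):
    """Yield (timestamp, user, path) for every write access to a document file."""
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line)
        if m is None:
            continue
        ts, user, path, mask = m.groups()
        if int(mask, 16) & WRITE_BITS and path.lower().endswith(DOC_EXTS):
            yield datetime.fromisoformat(ts), user, path

def find_write_bursts(text, threshold=5, window_seconds=60):
    """Return {user: (distinct_files, first_ts, last_ts)} for each account that rewrote
    at least `threshold` distinct documents inside one sliding window of `window_seconds`.
    That account's workstation is the machine to isolate before restoring from backup."""
    by_user = defaultdict(list)
    for ts, user, path in parse_write_events(text):
        by_user[user].append((ts, path))
    window, bursts = timedelta(seconds=window_seconds), {}
    for user, events in by_user.items():
        events.sort()
        start = 0
        for end, (end_ts, _) in enumerate(events):
            while end_ts - events[start][0] > window:  # slide the window start forward
                start += 1
            files = {p for _, p in events[start:end + 1]}
            if len(files) >= threshold and len(files) > bursts.get(user, (0,))[0]:
                bursts[user] = (len(files), events[start][0], end_ts)
    return bursts
```

With the sample data only jdoe is flagged (six documents rewritten in eleven seconds); the backup account's reads and asmith's two writes spread over an hour fall under the threshold.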
