Capt.Nemo Posted October 4, 2013
It appears that my server (Windows Server 2003 R2) with ESET NOD32 4.x Antivirus installed was compromised last night. Starting at 7:53pm, most .PDF and .XLS(X) files were modified and are now corrupted and cannot be opened. Corrupted files opened in Notepad yield a file full of square blocks... I have backups, so that isn't a problem. However, I would like to know what happened and how I got attacked. Any tips on how to track down the source? One of my workstations quarantined a couple of files yesterday and today. It quarantined the "Spy.Zbot.AAU" trojan, "Filecoder.BQ" trojan, and "Kryptik.BLTM" trojan. The first one was quarantined 5 hrs. before the server files were modified and the next two were 9 hrs. after they were modified. I realize NOD32 is an older version. I have Endpoint Antivirus on all my workstations.
Marcos (Administrator) Posted October 4, 2013
Do those files have a special extension added, such as OMG, GOD, etc.? It's likely that the files got encrypted with GpCode or a recent advanced Filecoder variant, and the chance of recovering them is low. Anyway, send me 2-3 encrypted files attached to a personal message for analysis. For more information about Filecoder ransomware and the way they get into computers, please read these blogs:
hxxp://www.welivesecurity.com/2013/09/23/filecoder-holding-your-data-to-ransom
hxxp://www.welivesecurity.com/2013/09/16/remote-desktop-rdp-hacking-101-i-can-see-your-desktop-from-here
Capt.Nemo (Author) Posted October 4, 2013
Thank you for the quick reply, Marcos. I don't see that file extensions have been added/changed. I am sending you some of the corrupted files via personal message right now. I know the chance for recovery is slim. I just want to find the problem and make sure I don't corrupt backups when I try to restore...
OceanLC Posted October 8, 2013 (edited)
Hi, I am suffering the same problem. A user seemed to have got the virus via email last night/early this morning, and not only is EVERY file on their laptop corrupt (Office files, photos, PDFs) but, as that user had access to network shares, all files within the folders they had access to are also corrupt. Same here: I had backups from last night, but the hassle is the restoration. My concerns are:
- how did the virus get onto the Exchange server, then to the user mailbox, when the server is running ESET Mail Security and was up to date?
- why did the user laptop allow the user to open the email attachment when they were on Endpoint AV 5 and up to date?
From reviewing logs on ALL internal computers and also on the server, it seems the virus that came in was the Spy.Zbot.AAU trojan.
Edited October 8, 2013 by OceanLC
mattspchelp Posted October 20, 2013 (edited)
Hi OceanLC, we have also experienced this infection getting past ESET. I believe this was accomplished by hiding inside a zip file as an attachment on an email, but it also would have been opened by a member of staff. Luckily, for any of our customers with ESET Mail Security for Exchange we have enabled rules to remove any files that are .exe, .zip, .rar etc., which has prevented the infection on a lot of customers. However, standard antivirus protection from ESET doesn't stop the infection at all, so we are beginning to look into the lockdown BleepingComputer have suggested as a preventative measure by using software security via group policy.

Block CryptoLocker executable
Path: %AppData%\*.exe
Security Level: Disallowed
Description: Don't allow executables to run from %AppData%.

Block Zbot executable
Path: %AppData%\*\*.exe
Security Level: Disallowed
Description: Don't allow executables to run from immediate subfolders of %AppData%.

Block executables run from archive attachments opened with WinRAR
Path: %Temp%\Rar*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with WinRAR.

Block executables run from archive attachments opened with 7zip
Path: %Temp%\7z*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with 7zip.

Block executables run from archive attachments opened with WinZip
Path: %Temp%\wz*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with WinZip.

Block executables run from archive attachments opened using Windows built-in Zip support
Path: %Temp%\*.zip\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened using Windows built-in Zip support.
hxxp://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information
Edited October 20, 2013 by mattspchelp
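To see what the six path rules quoted in the post above actually cover, here is an added Python example; it is not from the post, from ESET or from BleepingComputer. It matches a handful of sample executable paths against the rules and reports which rule (if any) would block each one. It assumes SRP-style wildcard matching in which `*` stays within a single path component and never crosses a backslash, which is consistent with the post's own distinction between %AppData% and its immediate subfolders; the profile directories, process names and sample paths are constructed.

```python
"""Coverage check for the Software Restriction Policy path rules listed above.

Added example (assumption: '*' matches within one path component only, as the
rule descriptions in the post imply). Expand %AppData%/%Temp% with constructed
profile paths, then match sample paths segment by segment.
"""
import fnmatch
import ntpath
import re

# Constructed environment values; on a real host these come from the user's profile.
ENV = {
    "%AppData%": r"C:\Users\alice\AppData\Roaming",
    "%Temp%": r"C:\Users\alice\AppData\Local\Temp",
}

# The path rules exactly as listed in the post, all at security level Disallowed.
RULES = [
    (r"%AppData%\*.exe", "Don't allow executables to run from %AppData%"),
    (r"%AppData%\*\*.exe", "Don't allow executables to run from immediate subfolders of %AppData%"),
    (r"%Temp%\Rar*\*.exe", "Archive attachments opened with WinRAR"),
    (r"%Temp%\7z*\*.exe", "Archive attachments opened with 7zip"),
    (r"%Temp%\wz*\*.exe", "Archive attachments opened with WinZip"),
    (r"%Temp%\*.zip\*.exe", "Archive attachments opened using Windows built-in Zip support"),
]


def expand(rule: str) -> str:
    """Replace %Var% tokens case-insensitively; the lambda keeps backslashes literal."""
    for var, value in ENV.items():
        rule = re.sub(re.escape(var), lambda _m, v=value: v, rule, flags=re.IGNORECASE)
    return rule


def _segments(path: str) -> list:
    return [s for s in ntpath.normpath(path).split("\\") if s]


def path_matches(rule: str, path: str) -> bool:
    """Segment-wise, case-insensitive wildcard match: '*' never spans a backslash,
    so a rule with N components only matches paths with exactly N components."""
    rule_parts = _segments(expand(rule))
    path_parts = _segments(path)
    if len(rule_parts) != len(path_parts):
        return False
    return all(fnmatch.fnmatchcase(p.lower(), r.lower())
               for r, p in zip(rule_parts, path_parts))


def blocking_rule(path: str):
    """Description of the first rule that blocks `path`, or None if nothing matches."""
    for rule, desc in RULES:
        if path_matches(rule, path):
            return desc
    return None


# Constructed sample paths: four drop locations the rules target, then two gaps
# (a deeper subfolder of %AppData%, and a file extension these rules do not name).
SAMPLES = [
    r"C:\Users\alice\AppData\Roaming\dropped.exe",
    r"C:\Users\alice\AppData\Roaming\Xyzq\dropped.exe",
    r"C:\Users\alice\AppData\Local\Temp\Rar$EXa0.123\attachment.exe",
    r"C:\Users\alice\AppData\Local\Temp\attachment.zip\attachment.exe",
    r"C:\Users\alice\AppData\Roaming\A\B\deeper.exe",
    r"C:\Users\alice\AppData\Roaming\attachment.scr",
]


def coverage_report(paths=SAMPLES) -> dict:
    """Map each sample path to the rule that blocks it (None = would still run)."""
    return {p: blocking_rule(p) for p in paths}


if __name__ == "__main__":
    for path, desc in coverage_report().items():
        status = "BLOCKED" if desc else "allowed"
        print(f"{status}: {path}  ({desc or 'no matching rule'})")
```

The two "allowed" lines in the output are the point: the rules as written stop nothing that lands two folders deep under %AppData%, and they only name `.exe`, so a policy built from this list alone should be paired with a default-deny level or additional rules rather than relied on as a complete block.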
Capt.Nemo (Author) Posted October 22, 2013
My experience with this was all very odd... File extensions were not changed and I never saw the actual ransom request typically associated with Filecoder/Cryptolocker, et al. It seems as if the trojan/virus/infection never fully completed and somehow got stopped before being fully executed. I ran a couple of A/V scans from multiple tools, cleaned everything I could find, and restored from backups rather than pay the ransom. Have had no further issues... There is no doubt it came from a user clicking a .zip attachment in a FedEx, UPS or DHL spoof. As "mattspchelp" stated above, it may be a good idea to implement some kind of security via group policy (or other methods) instead of relying on antivirus to stop this.
mwlsystems2 Posted November 1, 2013
I have the same problem on one of our servers. Completely corrupted a whole company data folder; not impressed with ESET anymore.
Marcos (Administrator) Posted November 2, 2013
> I have the same problem on one of our servers. Completely corrupted a whole company data folder; not impressed with ESET anymore.

One of the recent Filecoder variants I came across, and for which ESET added detection (the variant was proactively blocked by web protection at the user's computer), was not detected by any of the AV vendors on VirusTotal.com. I'm saying this because the statement "not impressed with ESET anymore" might cause somebody to think that another AV would protect him or her better, which is apparently not the case. Of course, there's a chance that some AVs might have detected it by behavior blocker upon execution, etc. Speaking about servers, we observed targeted attacks via RDP when the attacker first disabled antivirus protection, then ran ransomware to encrypt the data on disks. For more information, read this article:
hxxp://www.welivesecurity.com/2013/09/16/remote-desktop-rdp-hacking-101-i-can-see-your-desktop-from-here/
mattspchelp Posted February 18, 2014
If you have shadow copies enabled on the server you will be able to restore all the files without this corruption. I would, however, ensure your server is clear and run a full network scan via Remote Administrator, as well as enabling audit logging on file reads and writes; this may then show you where these infections came from, potentially an employee using Facebook or opening infected zip files from fake HMRC, TNT or DHL accounts. We have recently overcome this same infection for a new client.
Regards, Matt
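The audit-logging suggestion in the post above is the server-side way to answer the thread's recurring question ("which user and which program did this?"). Here is an added Python example, not the poster's tooling and not an ESET feature, that shows what you would look for once object-access auditing is on: Security log event 4663 records the account, process and access type for every audited file touch, and an encryption run shows up as one account writing to many distinct files in a short window. The records below are constructed and reduced to the fields the logic needs; the domain, account names, share paths and process path are placeholders.

```python
"""Flag a mass-modification burst in Windows file-access audit (event 4663) records.

Added example. Assumes auditing of object access is already enabled on the
share and that the events have been exported to (timestamp, account, process,
object, access mask) rows; the rows here are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Access-mask bits as they appear in 4663's Accesses field (documented Windows values).
READ_DATA = 0x1
WRITE_DATA = 0x2
DELETE = 0x10000

# Constructed 4663-style records. 'bob' writes six distinct files in eleven seconds
# from a program in his roaming profile; 'alice' does ordinary editing hours apart.
EVENTS = [
    ("2013-10-03 14:10:00", "CORP\\alice", "C:\\Program Files\\Office\\WINWORD.EXE", "\\\\SRV\\Data\\HR\\policy.pdf", WRITE_DATA),
    ("2013-10-03 14:50:00", "CORP\\alice", "C:\\Program Files\\Office\\WINWORD.EXE", "\\\\SRV\\Data\\HR\\letter.docx", WRITE_DATA),
    ("2013-10-03 19:52:50", "CORP\\alice", "C:\\Program Files\\Office\\EXCEL.EXE", "\\\\SRV\\Data\\Q3\\report.pdf", READ_DATA),
    ("2013-10-03 19:53:01", "CORP\\bob", "C:\\Users\\bob\\AppData\\Roaming\\dropped.exe", "\\\\SRV\\Data\\Q3\\report.pdf", WRITE_DATA),
    ("2013-10-03 19:53:03", "CORP\\bob", "C:\\Users\\bob\\AppData\\Roaming\\dropped.exe", "\\\\SRV\\Data\\Q3\\budget.xlsx", WRITE_DATA),
    ("2013-10-03 19:53:04", "CORP\\bob", "C:\\Users\\bob\\AppData\\Roaming\\dropped.exe", "\\\\SRV\\Data\\Q3\\invoice.pdf", WRITE_DATA),
    ("2013-10-03 19:53:06", "CORP\\bob", "C:\\Users\\bob\\AppData\\Roaming\\dropped.exe", "\\\\SRV\\Data\\HR\\policy.pdf", WRITE_DATA),
    ("2013-10-03 19:53:08", "CORP\\bob", "C:\\Users\\bob\\AppData\\Roaming\\dropped.exe", "\\\\SRV\\Data\\HR\\salaries.xlsx", WRITE_DATA),
    ("2013-10-03 19:53:11", "CORP\\bob", "C:\\Users\\bob\\AppData\\Roaming\\dropped.exe", "\\\\SRV\\Data\\Sales\\forecast.xlsx", WRITE_DATA),
    ("2013-10-03 19:53:12", "CORP\\bob", "C:\\Users\\bob\\AppData\\Roaming\\dropped.exe", "\\\\SRV\\Data\\Sales\\forecast.xlsx", DELETE),
]


def parse(events):
    """Convert timestamps to datetime and sort chronologically."""
    rows = [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), acct, proc, obj, mask)
            for ts, acct, proc, obj, mask in events]
    return sorted(rows)


def find_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Return {account: finding} for every account that modified (wrote or deleted)
    at least `threshold` distinct files within any `window`-long span."""
    writes = defaultdict(list)  # account -> [(time, object, process)] in time order
    for t, acct, proc, obj, mask in parse(events):
        if mask & (WRITE_DATA | DELETE):
            writes[acct].append((t, obj, proc))

    findings = {}
    for acct, rows in writes.items():
        start = 0
        for end in range(len(rows)):
            # Slide the window start forward until it spans at most `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            span = rows[start:end + 1]
            files = {obj for _, obj, _ in span}
            if len(files) >= threshold:
                f = findings.setdefault(acct, {
                    "first_write": span[0][0],   # when the burst began
                    "files_in_window": 0,
                    "processes": set(),
                })
                f["files_in_window"] = max(f["files_in_window"], len(files))
                f["processes"].update(p for _, _, p in span)

    for f in findings.values():
        f["processes"] = sorted(f["processes"])
    return findings


if __name__ == "__main__":
    for acct, f in find_bursts(EVENTS).items():
        print(f"{acct}: {f['files_in_window']} files modified from {f['first_write']} "
              f"via {', '.join(f['processes'])}")
```

The output names the account and the process image path, which is exactly the pairing that tells you which workstation to isolate and whether the binary ran from a profile folder that a path rule like those earlier in the thread would have covered. Reads are deliberately excluded so that a user merely opening many files (a search, a backup agent) does not trip the threshold; tune `threshold` and `window` to the share's normal write rate.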