

Incident Response Playbook: Microsoft File Server - Folder File tampering

Introduction

File server tampering by malware can happen in several different ways; some example scenarios are listed below:

  • Legitimate Office document files (.doc, .xls, etc.) have their attributes changed to Hidden/System, and new executables with the same names are created with a shell icon that resembles the correct Office document.
  • Legitimate folders are set to Hidden/System and files with the same names are created with icons that resemble folders. In some cases the new files are shortcuts to new malware in the same path; in other cases the new files are the malware executables themselves. (There are families using the exploit code from MS10-046 to create .lnk files that run automatically when viewed from the Explorer shell.)
  • autorun.inf files with corresponding malware executables are dropped in the root of the file share, typically in the hope that AutoRun is enabled and a user double-clicking a mapped drive pointed at the share will automatically execute the malware.

All of the examples above require user interaction at some level for the malware to spread from the share. Unfortunately, because the folder/file icons are manipulated in the shell, it is fairly simple to deceive most users into at least double-clicking the malicious files.

Detection

Detection is typically fairly simple: as an administrator on the file server, make sure your folder view shows hidden files and protected operating system files, and apply that view to all folders. With this enabled, you should be able to see the mischief that is occurring in the share folders.
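Looking at the folders by eye does not scale to a large share, so the following script, added here as an example and not part of the original playbook, does the same check programmatically. It walks the share from its root and reports the three patterns described in the introduction: an autorun.inf in the share root, and any Hidden+System folder or document that has a same-named .exe/.scr/.com/.pif/.lnk beside it. It assumes PowerShell 3.0 or later on the file server and that $ShareRoot is the local path of the share (for example D:\Shares\Data); both are assumptions, not values from the page.

```powershell
# Added example, not from the original playbook: triage a share root for the
# lookalike/autorun tampering patterns. Assumes PowerShell 3.0+ (for -File) and
# that $ShareRoot is the share's local path on the server.
param(
    [Parameter(Mandatory)][string]$ShareRoot
)

$hiddenSystem = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System
# Extensions a lookalike file or shortcut placed next to a hidden item would carry.
$lookalikeExt = '.exe', '.scr', '.com', '.pif', '.lnk'
$findings     = New-Object 'System.Collections.Generic.List[object]'

# 1. AutoRun bait: an autorun.inf sitting in the share root.
Get-ChildItem -LiteralPath $ShareRoot -Force -File -Filter 'autorun.inf' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $findings.Add([pscustomobject]@{
            Finding   = 'autorun.inf in share root'
            Item      = $_.FullName
            Lookalike = ''
        })
    }

# 2. Hidden+System folders or documents with a same-named executable/shortcut beside them.
#    -Force is required, otherwise Get-ChildItem skips exactly the hidden items we want.
Get-ChildItem -LiteralPath $ShareRoot -Force -Recurse -ErrorAction SilentlyContinue |
    Where-Object { ($_.Attributes -band $hiddenSystem) -eq $hiddenSystem } |
    ForEach-Object {
        $item   = $_
        $parent = Split-Path -Parent $item.FullName
        # A folder "Finance" is paired with "Finance.exe"; a document "report.doc" with "report.exe".
        $base   = if ($item.PSIsContainer) { $item.Name } else { $item.BaseName }
        foreach ($ext in $lookalikeExt) {
            $candidate = Join-Path $parent ($base + $ext)
            if (Test-Path -LiteralPath $candidate -PathType Leaf) {
                $kind = if ($item.PSIsContainer) { 'Hidden folder' } else { 'Hidden document' }
                $findings.Add([pscustomobject]@{
                    Finding   = "$kind with lookalike $ext"
                    Item      = $item.FullName
                    Lookalike = $candidate
                })
            }
        }
    }

# Emit objects rather than text so the result can be piped to Export-Csv for the incident record.
$findings
```

Run it as, for example, .\Find-ShareTampering.ps1 -ShareRoot 'D:\Shares\Data' | Export-Csv tampering.csv -NoTypeInformation (script name and path are placeholders). The Lookalike column gives you the sample files to collect for the AV vendor, and the Item column lists what remediation will need to unhide.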

Mitigations

  • FSRM (File Server Resource Manager, which requires Windows Server 2003 R2 or 2008) can be used to block the creation of .exe/.lnk/.scr etc. files on the file share: it uses a mini-filter to screen I/O and lets you create custom file screens for the file types you wish to disallow.

  • If you are using Samba, use the veto files parameter to block executables and other possibly malicious files, for example: "Veto files = /*.exe/*.com/*.dll/". However, keep in mind that there is a performance hit for using the veto files parameter.

  • If you are using NetApp filers you may be able to use the built-in fpolicy functions to block the creation of .exe files on the file systems; see http://www.gossamer-threads.com/lists/netapp/toasters/8697 for a thread on this functionality. There are also third-party "file screen" servers that plug into NetApp filers and offer more granular functionality, but those may not be available in all situations.

  • Use ACLs to prevent modification of the attributes of the folders at the root level of the file share.

    • The following sets a deny ACE for Everyone on the Write Attributes permission for all folders at the root level. One thing to note is that this does seem to affect creating a new file in a subfolder from the Explorer shell; however, if you save/create files there from an application it works fine. This is probably because Explorer.exe wants that permission for its right-click "New" object functionality.
      • for /f "tokens=*" %1 in ('dir /B /AD') do icacls "%1" /deny Everyone:(WA)
    • If you need to reverse this, you can use the following:
      • for /f "tokens=*" %1 in ('dir /B /AD') do icacls "%1" /grant Everyone:(WA)
  • Find the clients causing the problem and take them off the network. Tools you can use to do this:

    • Process Monitor: you must change the default filter and filter on the System process, since the Server service runs within it; check the Details column for the user it is impersonating.
    • Auditing: the OS auditing capabilities can obviously pick up the creation of the malware files as well as the tampering with existing folders/files if auditing is turned on properly, although security event logs can be somewhat time-consuming and daunting to review in real time.
    • On-the-wire filtering: Wireshark or Netmon, triggering on filters for the SMB create requests for the .exe files, although this is not foolproof. Also, network traces on a heavily utilized file server are typically unwieldy, as real-time filters can be CPU intensive (more so with Netmon and conversations enabled).
  • Disable AutoRun via Group Policy for the entire environment.

  • For situations where malware is creating randomly named executables only in the root of the file share, consider disabling the creation of files in the root of your file shares (while leaving folder creation and file creation in subfolders intact) using icacls.exe as follows:

    • icacls filesharerootpath /deny Everyone:(WD)
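The FSRM file screen from the first mitigation above is the one control in this list that stops the write before it reaches the disk, so here is a worked configuration for it. This is an added example, not part of the original playbook: it uses the FileServerResourceManager PowerShell module that ships with Windows Server 2012 and later (the 2003 R2/2008 servers the playbook mentions configure the same file groups and screens through the FSRM console). The share path D:\Shares\Data, the exception folder D:\Shares\Data\Deploy and the file group name are assumptions; replace them with your own.

```powershell
# Added example, not from the original playbook. Requires the FSRM role service and
# its PowerShell module (Windows Server 2012+). Paths and names below are assumptions.
Import-Module FileServerResourceManager

$sharePath  = 'D:\Shares\Data'            # assumption: local path of the share root
$exception  = 'D:\Shares\Data\Deploy'     # assumption: a folder that legitimately holds installers
$groupName  = 'Blocked on file shares'    # assumption: any unused file group name

# The file types the playbook recommends screening, plus the AutoRun bait file.
$patterns = '*.exe', '*.com', '*.scr', '*.pif', '*.lnk', 'autorun.inf'

if (-not (Get-FsrmFileGroup -Name $groupName -ErrorAction SilentlyContinue)) {
    New-FsrmFileGroup -Name $groupName -IncludePattern $patterns | Out-Null
}

# Log every blocked write to the Application event log with the user and path, which
# answers the "find the clients causing the problem" step without a network trace.
# [Source Io Owner] and [Source File Path] are FSRM notification variables.
$notify = New-FsrmAction -Type Event -EventType Warning `
    -Body 'File screen blocked [Source Io Owner] writing [Source File Path]'

# An active screen rejects the write in the mini-filter; use Set-FsrmFileScreen -Passive
# first if you want a logging-only rehearsal before enforcing.
if (Get-FsrmFileScreen -Path $sharePath -ErrorAction SilentlyContinue) {
    Set-FsrmFileScreen -Path $sharePath -IncludeGroup $groupName -Notification $notify -Active
} else {
    New-FsrmFileScreen -Path $sharePath -IncludeGroup $groupName -Notification $notify -Active `
        -Description 'Block executables and AutoRun bait dropped on the share'
}

# A screen exception lets an administrator-controlled subfolder keep receiving executables.
if (-not (Get-FsrmFileScreenException -Path $exception -ErrorAction SilentlyContinue)) {
    New-FsrmFileScreenException -Path $exception -IncludeGroup $groupName | Out-Null
}

Get-FsrmFileScreen -Path $sharePath | Select-Object Path, IncludeGroup, Active
```

File screens match on file name only, so they stop the dropper from writing name.exe or a lookalike .lnk but do nothing about attribute changes on existing folders; pair this with the Write Attributes deny ACE above for the root-level folders.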

Remediation

  • Removal of the malicious files

This needs to be performed by the antivirus client. The malicious files are typically .exe files, and samples should be gathered and submitted to the respective AV vendor as quickly as possible so that new signatures can be created to deal with this threat.

  • Removal of other effects

There are typically multiple items to deal with here, such as the legitimate files/folders that have been set with the System/Hidden attributes, and removing the shortcut .lnk files and autorun.inf files that pointed to the malware. Unfortunately, from an AV perspective it is not always easy to remove the shortcuts and autorun.inf files, as it is hard to corroborate them with the malware, and removing them greatly increases the chance of false positive detections by the AV client.

  • Removing the Hidden and System attributes on folders can be done by running the following in the root-level folder:
    • for /f "tokens=*" %1 in ('dir /B /AD') do attrib -H -S "%1"
  • Removing the Hidden and System attributes on files can be done by running the following in the folder where you need to unhide files:
    • for /f "tokens=*" %1 in ('dir /B /AHS') do attrib -H -S "%1"
  • Removing the Hidden and System attributes on files in both the root folder and all subfolders:
    • for /f "tokens=*" %1 in ('dir /B /AHS /S') do attrib -H -S "%1"
  • If there are .lnk files you can delete them with a simple del *.lnk, or del *.lnk /S to delete all .lnk files in subfolders as well.
  • If there are .scr files you can delete them with a simple del *.scr, or del *.scr /S to delete all .scr files in subfolders as well.
  • If there are .inf files you can delete them with a simple del *.inf, or del *.inf /S to delete all .inf files in subfolders as well.
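The attrib and del one-liners above do the job, but del *.lnk /S removes every shortcut on the share, legitimate ones included, which is exactly the corroboration problem the "Removal of other effects" paragraph describes. The following script, added here as an example and not part of the original playbook, performs the same cleanup with that corroboration built in: it clears Hidden+System everywhere under the root, deletes only shortcuts that both launch an executable and masquerade as a sibling folder or document of the same name, and removes autorun.inf files. It supports -WhatIf so the run can be rehearsed. $ShareRoot is assumed to be the share's local path, and the shortcut-target check via the WScript.Shell COM object is an assumption about how the lookalike shortcuts were built.

```powershell
# Added example, not from the original playbook: undo the visible effects of the
# tampering after AV has removed the executables. Assumes $ShareRoot is the share's
# local path on the server. Run with -WhatIf first to see what would change.
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)][string]$ShareRoot
)

$hiddenSystem = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System
$shell        = New-Object -ComObject WScript.Shell   # used to read .lnk targets

# 1. Clear Hidden+System on every folder and file under the root (attrib -H -S /S equivalent).
#    -Force is needed so Get-ChildItem enumerates the hidden items at all.
Get-ChildItem -LiteralPath $ShareRoot -Force -Recurse -ErrorAction SilentlyContinue |
    Where-Object { ($_.Attributes -band $hiddenSystem) -eq $hiddenSystem } |
    ForEach-Object {
        if ($PSCmdlet.ShouldProcess($_.FullName, 'Clear Hidden and System attributes')) {
            $_.Attributes = $_.Attributes -band (-bnot $hiddenSystem)
        }
    }

# 2. Delete shortcuts only when two facts corroborate each other: the target is an
#    executable type, and a sibling folder/document shares the shortcut's base name
#    (the lookalike pattern: "Finance.lnk" beside the folder "Finance").
Get-ChildItem -LiteralPath $ShareRoot -Force -Recurse -Filter '*.lnk' -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $lnk    = $_
        $target = $shell.CreateShortcut($lnk.FullName).TargetPath
        $launchesExe = $target -match '\.(exe|scr|com|pif|bat|cmd)$'
        $twin = Get-ChildItem -LiteralPath $lnk.DirectoryName -Force -ErrorAction SilentlyContinue |
            Where-Object {
                $base = if ($_.PSIsContainer) { $_.Name } else { $_.BaseName }
                $_.FullName -ne $lnk.FullName -and $base -eq $lnk.BaseName
            }
        if ($launchesExe -and $twin) {
            if ($PSCmdlet.ShouldProcess($lnk.FullName, "Delete lookalike shortcut (target: $target)")) {
                Remove-Item -LiteralPath $lnk.FullName -Force
            }
        } elseif ($launchesExe) {
            # Executable target but no twin: report it for a human decision instead of deleting.
            Write-Warning "Unconfirmed shortcut to executable: $($lnk.FullName) -> $target"
        }
    }

# 3. Remove AutoRun bait files anywhere under the root (del autorun.inf /S equivalent).
Get-ChildItem -LiteralPath $ShareRoot -Force -Recurse -Filter 'autorun.inf' -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        if ($PSCmdlet.ShouldProcess($_.FullName, 'Delete autorun.inf')) {
            Remove-Item -LiteralPath $_.FullName -Force
        }
    }
```

Invoke it as .\Undo-ShareTampering.ps1 -ShareRoot 'D:\Shares\Data' -WhatIf first (script name and path are placeholders), review the output and the warnings for unconfirmed shortcuts, then rerun without -WhatIf. The .scr files the playbook deletes are the malware executables themselves and are left to the AV client, as the "Removal of the malicious files" step says.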

Reference

http://blogs.technet.com/b/kfalde/archive/2009/07/23/dealing-with-malware-that-creates-exe-s-on-file-shares.aspx