Detecting And Stopping Cryptolocker Type Viruses

Cryptolocker type viruses can be a pain in the rear. Once a machine on your network is infected, it has the ability to hold all data on your network hostage by encrypting it and demanding a ransom.

Antivirus and user training are key to preventing an infection, but sometimes things slip past. Antivirus products mostly only detect known viruses, so if someone writes a new virus the vendors haven't seen yet, for a couple of days that virus has a chance to infect you despite the antivirus software.

Backups are Key

Taking regular backups is key to recovering from any virus infection. Depending on your data, regular may mean weekly, daily or even hourly. You should always assume that you will have a data loss event such as an infection at some point and be prepared to recover.

It would be nice though if we could minimize the damage. I'd rather have to restore just a couple of gigabytes of data after an infection, rather than several terabytes stored on my network shares.

The Canary Principle

In olden days, miners would bring a canary underground with them. Canaries are more sensitive to dangerous gases such as carbon monoxide that might fill the mine, and would die before a person even recognized there was a problem. The canary became the early warning signal for miners that it wasn't safe anymore.

What we want to do is use a similar principle to detect a Cryptolocker type infection and immediately shut down all shared network folders.

Warning: Not for Everyone

This is not for everyone, and there are other more convoluted approaches that might be better. This method has some downsides, but let's say you have a home NAS device and you want it to shut down shares if someone in the family catches a cryptolocker virus.

First, turn on Samba detailed logging.

If you do get infected, you're going to want logs of what machine was infected and what they were able to damage before network shares were shut down. To enable this we want to use the full_audit module in Samba.

This assumes you're running Ubuntu 14.04. Other distributions might require you to install additional software; I don't know.

First, in your /etc/samba/smb.conf file you want to add the following lines in the [global] section:

vfs objects = full_audit
full_audit:prefix = %u|%I|%m|%S
full_audit:success = mkdir rmdir read pread write pwrite rename unlink
full_audit:failure = connect
full_audit:facility = local7
full_audit:priority = notice

These settings tell it to log every successful mkdir, rmdir, read, write, rename and unlink event (and every failed connection) on the network shares to the local7 syslog facility. Be aware that logging every read and write call is chatty on a busy share, so keep an eye on the size of that log.

Next, edit /etc/rsyslog.d/50-default.conf with your favorite editor so we can peel those logs out to a separate file. Look for the line that says:

*.*;auth,authpriv.none          -/var/log/syslog

And change it to read:

*.*;auth,authpriv.none;local7.none		-/var/log/syslog

And add one line that says:

local7.notice			/var/log/samba-audit.log

This tells rsyslog not to place the local7 log entries in the /var/log/syslog file, but instead in their own file at /var/log/samba-audit.log.

You'll also want to rotate that log out so edit /etc/logrotate.d/samba and add the following chunk to the bottom:

/var/log/samba-audit.log {
    weekly
    rotate 4
    postrotate
        reload rsyslog > /dev/null 2>&1 || true
    endscript
}

That swaps the log out weekly and keeps the last 4.

Now, restart rsyslog and samba with:

service rsyslog restart
service smbd restart

Now the Magic

First we'll need to install the inotify-tools package:

apt-get install inotify-tools

Next we want to create a script to monitor a "canary" file that is in your network share. If you have multiple shares you might want to use more than one copy of this script monitoring different locations. I use something like this:

#!/usr/bin/env bash
# Canary file - watches for changes to this file and shuts down the server if it occurs.
# Used to detect and react to Cryptolocker type viruses
# Monitors a canary file and if it changes, it will stop the smbd service.

# The canary file, somewhere inside a network share
FILE="/var/sambashares/myfolder/do-not-edit.doc"
# The Samba audit log that rsyslog writes (set up above)
SAMBALOG="/var/log/samba-audit.log"
# Where to send alerts (placeholders - replace with your own addresses)
NOTIFYMAIL="you@example.com"
NOTIFYSMS="5551234567@sms.example.com"

# Delete the file if it exists
rm -f "$FILE"
# Create a random file
head -c 1K </dev/urandom > "$FILE"
# Make sure it's writable by all!
chmod 666 "$FILE"

# Get the MD5 of it
MD5=$(/usr/bin/md5sum "$FILE")
MD52="$MD5"
# now watch it: inotifywait blocks until something happens to the file, then we
# re-hash. A plain read leaves the hash alone, so the loop just goes round again.
while [ "$MD5" == "$MD52" ]; do
    /usr/bin/inotifywait "$FILE"
    # If the file was renamed or deleted, md5sum fails and its output differs too
    MD52=$(/usr/bin/md5sum "$FILE" 2>/dev/null)
done

# Sums have changed, kill samba and send mail
/usr/sbin/service smbd stop

# grab last bit of audit log
/usr/bin/tail -n 50 "$SAMBALOG" | mail -s "** CANARY VIOLATION ON $FILE" "$NOTIFYMAIL"
# Also page
/usr/bin/tail -n 1 "$SAMBALOG" | mail -s "** CANARY **" "$NOTIFYSMS"

Save this script as /root/ and make it executable. If you don't know what that means, don't try to do any of this...

This script will create a file at /var/sambashares/myfolder/do-not-edit.doc with 1K of random data in it. It then grabs an MD5 hash of the file and launches inotifywait to sit and do nothing until something happens to the file. If the file was simply read, the loop continues because the MD5 hash hasn't changed. But if the file is changed, renamed or deleted, it falls through the loop, stops the Samba service and sends out both an email and an email-to-text message (assuming you have an email address that sends texts to your phone, that's handy). The mail command needs a working mailer on the box, such as the mailutils package, to actually deliver anything.
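The 50 lines of audit log the script mails you are what tell you which machine to pull off the network. As an added example (not from the original post), here is a small shell helper that parses that audit log and prints the user, IP and machine behind each write, rename or unlink of the canary file; it assumes the %u|%I|%m|%S prefix above, so each line ends in user|ip|machine|share|operation|ok|path[|newpath], and the sample log lines are constructed in that format.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): pick the offending client out of
# /var/log/samba-audit.log once the canary trips. Assumes the full_audit prefix
# %u|%I|%m|%S from above, so each syslog line ends in
#   user|ip|machine|share|operation|ok|path[|newpath]

# Print "user ip machine operation" for every successful write-type operation
# that touched the canary file.
canary_hits() {
    local logfile="$1" canary="$2"
    awk -F'|' -v canary="$canary" '
        /smbd_audit:/ {
            # strip the syslog header so field 1 is just the user name
            sub(/^.*smbd_audit: /, "", $1)
            op = $5; result = $6
            if (result != "ok") next
            # rename carries the old name in $7 and the new name in $8
            if (op ~ /^(write|pwrite|rename|unlink)$/ && ($7 ~ canary || $8 ~ canary))
                print $1, $2, $3, op
        }' "$logfile"
}

# Constructed sample log lines in that format (not real traffic).
sample_log() {
    cat <<'EOF'
Mar 14 10:22:01 nas smbd_audit: alice|192.168.1.20|alicepc|myfolder|pread|ok|do-not-edit.doc
Mar 14 10:22:05 nas smbd_audit: bob|192.168.1.50|bobpc|myfolder|pwrite|ok|do-not-edit.doc
Mar 14 10:22:06 nas smbd_audit: bob|192.168.1.50|bobpc|myfolder|rename|ok|do-not-edit.doc|do-not-edit.doc.encrypted
Mar 14 10:22:07 nas smbd_audit: bob|192.168.1.50|bobpc|myfolder|unlink|ok|holiday.jpg
EOF
}

# Usage: canary_hits /var/log/samba-audit.log do-not-edit.doc
# Run with --demo to see it pick bob's pwrite and rename out of the sample.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp); sample_log > "$tmp"
    canary_hits "$tmp" "do-not-edit.doc"; rm -f "$tmp"
fi
```

Alice's read is ignored and so is bob's unlink of an unrelated file; only the two operations that actually hit the canary are reported.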

Now we want to get this script to run at every boot. There are many ways, but I'm fond of placing things in /etc/rc.local. You could add something like this to the end of /etc/rc.local just before the "exit 0" line:

nohup /root/ &>/dev/null &

And then you can manually run that command as well to get it started right now.

That's it!

Now, if the specified canary file on your server gets changed or deleted, it will immediately shut down all of the Samba shares on the box and notify you. Sure, you might get a false alarm if someone else in the house messes with the file, but that should be few and far between. While this won't stop an infection from occurring, it gives you early warning and possibly limits the amount of damage the virus can do to network shares. Also keep in mind this isn't tripped until this specific canary file is encrypted by the virus, so it's entirely possible that's the last file it encrypts and everything in the share is already lost. You might want to place several of these, using multiple canary scripts that monitor files in various folders in the share.

Posted by Tony on Mar 14, 2016 | Linux Tricks, Servers, Virus, Network Security