So,

My windows server box at home got hit, tonight, by a virus/spyware/malware.

In C:\program files (x86)\ I found this new directory: "1C", containing a "boot.exe" executable, which was of course running at the time of the discovery, and had been placed among the executables to be run at system boot.

I stopped it and removed it immediately, but in the rush I was silly enough not to keep it for further analysis.

Apparently, what the malware has been doing since 2:00am tonight circa, until 9:00am circa when I discovered it, is to either delete or encrypt files in various locations of my file system.
It did not hit C:
It hit G:, where my web and ftp servers are running from.
It apparently started to hit K:, which is another unit where I keep some files.
It's leaving traces (See below), so it seems it started from G: and operated progressively in every dir in alphabetic order, only to move to K: and start form the first directory, where it stopped (apparently consistent with the time when I stopped boot.exe from running).

Apparently it deletes *.JPG files, possibly others (I'll find out tonight as I get back home and start to restore the missing files).
It also leaves this files in each of the directories it hits:

[email protected] 1.2.0.0.id-IJKLLMNOOPQQQRSTUUUVWWXYZZZAABCDDDEF-2@11@2016 1@51@54 AM8203103.randomname-TUVVWXYZZZABCCDEEEFGGHIIIJKKLM.NNN.cbf

The first part of the file name is always the same (up to "ver"), the rest changes. Extension is also always the same: CBF . Finally, size is also varying, from few kb to hundred of MB, which seems to suggest that those are my files, encrypted in some way.


Fortunately, it seems I stopped it before it did too much damage - I do have current backup of all files it hit -. But, I am concerned for few reasons:

1. I have not identified which Trojan/virus/ransomwhare this is, precisely
2. I am not 100% sure I have yet removed it completely from my system. Not knowing what it is, I do not know what else to look for
3. This is really worrying: my window sever box is updated to the minute. Id downloads and installs updates as soon as they are released, automatically, and it did reboot tonight around 3:00am, so right AFTER the boox.exe file had been placed on the HDD. Unfortunately, too late.
This machine is exposed to the internet via IIS (web and ftp servers) and RDP, via ports 80, 21, 22, 443, and 3389). All other ports are closed both on the server and on the edge router in my home. I did not run anything suspicious on the server, now have I been browsing the internet from it for weeks. So, how did the malware get there?

MS has issued security updates/bulletins yesterday. I wonder if those are related to this.

What do you guys think? Any help in sorting this out is more than welcome.

This is crypto-ransomware of some kind. It is encrypting your files, then deleting the originals. At some point there would be an offer to sell you the decryption keys.

Lovely.

How on earth did it get in?? I can't figure that out, yet, given what I say above in my first post.

Again, fortunately nothing was actually lost, except my time to cleanup and restore all files.

It's sadly not uncommon for exploits to be in wide use ahead of patches making it out to secure machines. Up to the day patching still has an unknown vulnerability time prior to the patch being coded, tested and distributed.

There are also entire groups dedicated to tearing apart the patches themselves to discover the exploit. They quickly update exploit kits to take advantage of the time gap between a vendors release and when machines get updated. This is a factor in why Microsoft made changes in Windows 10 home editions to mandate and not defer patches, along with using torrent like distribution. To at least try to close this gap a little in the consumer market while also ensuring a DDOS against their patch server CDNs isn't as effective.

To discover how it got in, I'd recommend looking through the list of what Microsoft patched in that latest round of updates. If anything IIS shows up, check your logs for any out of the ordinary traffic. Same for RDP. It's also possible it didn't go directly through IIS, and instead a flaw in whatever you are hosting on that web instance.

Ransomware is getting to be more and more common. There's a lot more money in this sort of stuff then there used to be ages ago. Larger groups will intentionally horde exploits not known by the vendor to sell to the rich, and smaller groups or individuals buy these exploits to turn around and hit machines like yours. There are literally point and click malware creator programs that wrap up processes like your build.exe that use those latest exploits.

For your machine, was it running any virus/malware protection?


On Windows, the ransom notes tend to show up in My Documents somewhere. There's a chance there's something already there depending on what variant hit your machine.

McAfee. Updated as well. I have a scan to all drives scheduled daily.

Is it set for real time scanning including of processes in memory? Do you also have anything else running for protection? I'm not up to speed on what works well on Windows these days, but personally would have Microsoft Defender on anything that touches the internet as well as a secondary product.

The timescale for the vulnerability is the key here. It could be too late if a full day passes to see what nastiness might make it to being written to disk. Exploit that uses memory buffer overflow through a network service (like IIS/RDP) might not even need to hit the disk ever until it's encrypting files.

Yes, real-time scanning, and no, no other product.

In my experience two AV running on the same machine will slow it down to unbearable levels. I'll probably reconsider that and give a second product another try.

McAfee has been OK so far. I've been using it for years (corporate version) as that is what we use at work corporate-wide and I am familiar with it.

(and BTW guys, thanks for the time you're putting in to give me ideas. I really appreciate it and this is being useful. I am really mad at this, right now, as you can imagine, it's great to have somebody to share my frustration with....)

If I only could understand WHICH ransomware it was, I could get the peace of mind of insuring I have fully removed it. I'll be back home in 1hr and my night of log analysis will start.

... and I forgot to mention possibly the most important thing: I also have my mail server there, IMAP and SMPT ports open, both encrypted.

How did it get in? Several possibilities:

- If you're running an Internet-facing service (you mention a mail server), then it could be using some sort of known exploit against that.

- You could have been hit by a "drive by download" sort of attack, where you visited a web page that exploited a hole in your browser. This is particularly pernicious with web advertising, which allows attackers to buy ads and then ship their malware through those ads. Ad blockers are actually a serious security mechanism these days.

- You could have gotten a malicious attachment of some sort which then exploited some native app (Adobe Reader, Microsoft Word, etc.). Your IMAP client might also have been the vector for the exploit.

So how do you decide how the attack got in? That's hard to say. You could try to figure out *when* it arrived, then go through your logs to see if it was a mail attachment or whatnot.

How do you clean it up? "Nuke it from orbit. It's the only way to be sure." Seriously, modern rootkits, once they get into your machine, are very good at covering their tracks. You're lucky you saw this at all. Take the drive out, reformat from a trusted machine, and rebuild everything from scratch. Even then, "firmware malware" is totally a thing, i.e., malware that rewrites your BIOS and other low-level crap to reinstall the infection on an otherwise-clean operating system. Hard to say whether you've got that or not.

How do you keep it from coming back? You didn't say exactly which version of Windows and all your other tools that you're running, but needless to say, there's a benefit to keeping all of those up to date. Also, you might seriously consider ditching IIS and going with something else, or even pushing that functionality somewhere besides your personal machine. Maybe run it in a VM to isolate it.

I'd put all of the Internet-facing stuff in a VM, even in separate VMs, such that they had no access to data you care about.

Further to that, I'd investigate using a VPN, rather than leave RDP etc. open to the Internet. The one built into Windows is probably pretty good.

I'd be reluctant to put the drive in a machine you care about. I'd either put it in a completely new machine (running a completely different OS, possibly), or I'd just throw the disk away. Disks are (arguably) cheap compared to your time and peace of mind.

Windows Server 2008 R2


So, my most weak possible point of entry is my mail server, Kerio. That is the one piece of software in my server that I have not updated for some time, because I always intended to move to some better free alternative that became available since last year: SmarterMail. It is free and it has very good reputation among Windows Mail Servers. This is the right time to take care of this.

Just guessing here. I've been investigating and searching on line, but the most interesting part - my logs - I still have to do.
I am taking it easy.

And here it is. Found it.

http://blog.checkpoint.com/2015/11/04/of...-communication/

Interestingly, my logs (I keep a lot of logs, basically forever) from that night, Feb 11th, are all safe. The ransomware did not have the time to delete/encrypt them (and if it did, those from the start time of the infection had already been backed up and were safe by then. Basically my backup scripts where operating DURING the infection.

I know the theoretical time of the infection from two sources: the name of the encrypted file, and the time when they were first created, which is consistent: 01:50am circa.

So, I have logs.

I think I'll find reference to C:\Program Files (x86)\1c\boot.exe, and to the "pr" registry entry that would run the boot.exe at boot, in the Windows System and Security Events. And I'll get to those (I am taking my time).

But, what else do you think I should be looking for? I can't think of a log I do not have (even though there may be, but I try to log all that I can, and I keep that stuff forever).

Part of me hopes that if/when I find out how this happened, I'll feel so totally stupid for overlooking at something. I am not sure I'd be happier in the very likely event I find out instead that all was caused by some zero-day vulnerability.

Also, I hear you when you say to nuke from orbit and re-start, guys. But, I am too curious now and I really want to know.

As an aside: Windows Server 2008 R2 has been out of mainstream support since Jan 2015 (though security patches are still included), and you've only got 4 years left for extended support. You should consider upgrading (or replacing) it soon.

Indeed. I am not sure if I want/should wait for Windows 10 Server (or, however they want to call it), or stick to Windows Server 2012 R2.

And so, as I feared and you guys guessed, the bastard broke into my system via RDP.

Logs show that he tried for few days, at different time of the day, starting from Feb 7th . System would reject his attempts, returning in the logs a "Remote DD security layer error, connection dropped for %ATTACKER-IP%." (wording of the error string not accurate).
The guy tried from 4 different IPs, but mainly and mostly from one specific one.

At some point, the night of the attack, I see he manages to login using a "tempAdministrator" user the server did not have originally.

I am still searching, but clearly the guy must have succeeded in creating this "tempAdminsitrator" user at some point that night, and used it to break in.

It would seem it all happened via RDP protocol and some bug in it.

I'll keep digging.

Fascinating story - thanks for the update!

-jk

Thank you guys. I am happy to share.
And as usual, any insight from the Empeg community is going to be worth more than weeks googling stuff.

Wow, so there is some kind of an exploit that allows users to remotely create an administrator account on a windows box? That's scary.

Well, at present that's my guess, but I am still pretty much in the dark here.
"tempAdministrator" is a username I would hardly use for any reason, and I can't really remember creating it.
However, while my home server may be for weeks or months sitting there alone, reliably doing its many jobs, occasionally I am on it testing and experimenting, and I did entertain the idea that it could've been me to create such user; maybe I forgot, right? But what makes this unlikely, though, is that Windows Server usually creates only two users that are marked as "built-in": Adminstrator and Guest (the latter being disabled by default). As I always do, I renamed the built-in administrator account to something entirely different (not tempAdministrator), and that account is still there, unchanged. I use it occasionally for this or that (which is possibly not entirely wise in itself...). Guest is also still there, still disabled.
Interestingly, this other "tempAdministrator" was also described as "built-in", which is unexpected in my experience. No reason to have a second built-in Admin account in the server. If I created a second admin account, it would not be marked as "built-in", because it would not be such.
Hence, I am guessing that tempAdministrator is the product of some hacking.

Now, I have seen few exploits that ended up producing an admin-level command prompt being produced BEFORE LOGIN, in the past. I tested one myself and it did work.
Yes, pretty scary. AFAIK all those exploits have been fixed (some of them go back quite a few years, others not so many). But, that's the only thing I can imagine. If the hacker, when presented by the RDP login screen, managed to use some zero-day exploit to pull up a cmd.exe session, admin level, then it is going to be very easy to generate a new administrator-level account from scratch, and then use that to logon and implant the ransomware.
My guess is that all the errors I see in the logs claiming the RemoteDD security layer disconnected him, were his attempt at pulling up an admin-level cmd.exe session. Maybe a specific string entered in the username or password field would cause this (buffer overflow), or a more complicated sequence of events that can be initiated by the hacker somehow.

But, I am not even sure I am making sense here. This is just my best guess.

There's a lot of interesting info I did not share yet.

The logs, funny enough, show that my server returned an error for not having drivers for a printer named something in russian. This happens after the first successful rdp logon of Mr. tempAdministrator. So, that's the name of this guy's printer, which, as it happens, the server was trying to connect to upon rdp logon. In other words, if your client is so configured, once your rdp a remote machine your printer gets connected to the remote server, so you can print from there to your local printer. Pretty nice and convenient feature. So, that gave away the most likely nationality of the attacker. That, and three IP addresses he connected from (which I am sure are not precisely his, but still...):
46.161.40.180
188.19.127.194
185.61.148.250

This one, instead, is a US IP, the only one among them:
38.95.108.244

The first IP I listed is the one used more than once, and the one the final attack was carried on from.

Of course, as far as I know, the guy could be my beyond suspicion old lady neighbour in Rome. Who knows.

I did not have the time to investigate the logs for the machine name the attack came from, which *should* be in there.

Having, I think, now a possibly complete list of all the attempts in terms of date and time, there's a much narrower search I can make on all the many other system logs to find out more.

Not sure how useful this is going to be, but at least I now know more. Enough to have some peace of mind. And, as I rebuild my next server, I can do things to prevent this, as much as I can.

... as a side observation:

This is a guy who spent a lot of time finding an RDP-open machine somewhere in the world, with some simple scanner, and put time and effort and knowledge in getting in, to find out it could be a "good" target, implant the ransom-ware, and hope all goes "well" so that I would pay him 300$, or maybe $1000. Of course, before finding me, the guy must have attempted at many other people. For every ransom you do get, maybe 100 attempts (1000?) fail.
This, guys, seems a real job. Not at all easy money. Maybe this guy works for a larger organization.
I mean, this is pretty different than emailing the ransomware to a million emails and wait. This is work put into penetrating a remote machine patched to the latest fix released. Pretty serious stuff, considering this is a home server of some guy, and not the NSA.

I am basically observing what Tom mentioned above.


It's just sad people put their time into this. I know I sound so rhetorical, but so many good things could be done instead of this stuff. This guy has a sad life... Oh well.

It is unlikely that he put much effort into it. He was far more likely just running a bunch of scripts/tools created by someone else. And he was likely attacking RDP endpoints en-masse at the same time as attacking yours.

Also, he/she could well be living somewhere that where $300 a couple of times a month is a good living.

Yes, maybe you're right. Good points Andie.

If you google "tempAdministrator" you find a lot of people writing scripts to do admin-y things by creating a temporary admin user with a fixed password, doing the admin-y thing, then deleting the user again at the end of the script. If that sort of fsckwittage is widespread in the Windows world, it might be worth it to a hacker to randomly try login attempts in the hope of catching a machine in the act of running such a script.

Peter

mmmh. That would mean that the tempAdministrator was already in my system, having been created by some script I used in the past. Or still being run regularly. I didn't do any such thing. Nor I can think of anything I ever used on my sever that could do it.

Worth looking into, though. I should be able to find out when the account was created (that should also be in the logs and I was in fact planning search for that).

Yep, Andy is likely spot on with the assessment. The person who did this was likely using a malware kit, and simply paid a little bit of money for it. Then a bit of money paid for an IP scanner, or a preexisting list.

I do tend to feel bad for the people doing this, as indeed the amount of money to them is a massive compared to the smaller value in the US/EU/AU regions. A group of Russian game crackers broke the basic protections shipped with Darksiders 1, reverse engineered the text localization system, and wrote the translation for their language. To make their time worth it, they turned around and sold the game as a pirate copy in various markets around Russia. Copies of the game were cheap in US or EU currencies, and it did well. THQ took that info, and ensured resources were allocated to translating future games and supporting that market directly, including selling the official copies much cheaper then in the west. Metro 2033 was a game developed by a Ukrainian development shop, and managed to do well on the more global market. It's a shame that game piracy in the west has a part in hindering game studios from being able to grow and support markets like Russia. I'd love to see game developers come up from many more regions around the world, to let more people express themselves and experiences through a very unique art medium.


Anyhow, back to the exploit discussion.

Tony F. shared this elsewhere, showing how the scanning game is changing with the adoption of IPv6. http://arstechnica.com/security/2016/02/...other-scanners/

IPv4 address space can be reasonably be searched in it's entirety with ease. IPv6, not so much. Triggering scans to known in use IPv6 addresses is already leading to black market lists being maintained and sold/traded.

Well, I consider myself knowledgeable enough to easily survive similar attacks, even in the worst case scenario where instead of few thousand files I had to restore everything, ground up.
But to many, being hit by ransomware means a big deal - economically, emotionally, psychologically.
Generally speaking, choosing to harm others in this way has no justification, if not in a very broad sense.
I don't hate this person. But I don't particularly like him/her either that much.

Of course, we cannot know. The guy may have had a gun at his head, or what not, for what we know.

Mostly agreed. The impact of being the victim of these actions is not trivial or good either. My feelings towards whomever did it is separate from my feelings towards their actions and the feelings I have towards your own personhood and actions in response.

My feeling bad for whomever is from a slight understanding of how hard life is in Russia. And for them possibly feeling that these actions they have taken may have been necessary in their world view. After close to 3 years of living in crisis again, it's renewed my desire to halt cycles of hatred or abuse, while also not letting my own humanity die in the process.

Don't get me wrong, I also completely get that the person who did this may have been doing so purely to be malicious, with no survival or other base aspects on the line. Those types of people in this world are thankfully very rare. I also refuse to allow actions from such people impact my general humanity towards any other living thing.

The reason I shared the game specific story is that I greatly appreciated THQ's response to illegal actions done against a game I helped create. THQ never condoned the actions that happened, however they did seek to understand the why, and resolve it in a great way for all involved. The team at Vigil was damn impressed on the technical side knowing what efforts the Russian group went through to reverse engineer a proprietary game engine to localize it.

(As a personal request, please be careful when quoting and replying to half a sentence/thought. The segment you cut was very much tied to why I said that, and the quote appears to drop the important context)

Tom, your full opinion is right here in this thread, few lines above. Quoting part of your post is just a way - quite conventional, i think - to quickly refer to what part of your post I am replying to. Sorry if you felt I misrepresented your ideas, I did not mean to.

BTW, thanks for sharing the interesting article from Ars Technica.

I may agree that, even in my experience, most people doing harm do so because *they* believe there's a valid reason for it. And I agree one should not let such events impact our faith in human kind. I am generally an optimist at that regard and I did not mean to suggest otherwise in telling you guys my story here.

I like to think that understanding the reasons for wrong doing and justifying those reasons are two different things. We should understand, be compassionate, help possibly, but not justify.

Incidentally, you'll be surprised how much better are Russian recently doing, which is great, and not related to this story. Just a side note.