Solved

Determining who/what PC is modifying files via a network drive

Posted on 2014-12-17
Last Modified: 2014-12-22
Hi, I just dealt with a customer's Windows 2003 R2 server last night. They were infected with the win32.pirate.b virus. That virus modifies all exe files and adds about 180k to the file. We were battling the issue and having a hard time identifying what system was causing these modifications. All of the PCs had a mapped drive letter to the server. The server showed no open files and just 1 or 2 sessions under Computer Management (we were fixing this after hours so there was very little PC use at the time), yet the files were being changed as soon as we restored them. Also, the modified date of the files was not changing according to Windows. I enabled file auditing and no events were created.

I saw similar issues with CryptoWall at another site: there were no open files listed via Computer Management on the server, yet the files were clearly being modified while I was checking.

Does anyone know how the viruses are managing to modify a file without changing the modified date, as well as going undetected in Computer Management under Open Files/Sessions? Can anyone recommend an alternative way to identify what system has open files on a server? In the end we tracked the machine down by checking the registry of all computers. They had about 80 machines, so it was tedious. In the past I had found using Computer Management/Open Files to be a reliable tool, but the last few viruses I have encountered don't seem to show their activity on this screen.
Question by:Baran711
13 Comments
 
LVL 11

Expert Comment

by:andreas
ID: 40505581
Are you sure the modifications are coming from the network and not from the server itself?

Test: disconnect the server from any network connections, clean some files in the affected paths and wait to see if they become infected again.

This would also explain why you can't see the network sessions.

If the files stay intact without the network, the next step would be to sniff the traffic on the LAN port of the server to see which systems are communicating with the server.

Does the server export any of those directories by FTP, NFS etc.?
0
 
LVL 6

Expert Comment

by:Rob G
ID: 40505723
Assuming that you have a central AV installed.. Do you not see it in the management server?

Otherwise..
you could do this really simple..

Just create a login script..
In the script have everyone reboot..
and delete the following files and keys..
Once you do that, you will likely have to figure out which user is getting popups of missing files or failed software launches.. But that should do it..  

%User Temp%\{random file name}.tmp - detected as PE_PARITE.A-O
In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ "PINF"

Oh.. Also..
You can modify files through command prompt without changing dates, it's used when you backup a file, so that you know when it was last backed up or created.. depending on the script..
0
 

Author Comment

by:Baran711
ID: 40505752
The changes were definitely coming from the network. We have cleaned the infections and identified the PC causing the issue. That being said, we need a better way to identify the PC modifying the files moving forward. The built-in Sessions/Open Files view doesn't seem to work with modern viruses.
0
 
LVL 6

Expert Comment

by:Rob G
ID: 40505767
yikes..
The AV doesn't see the changes of the files as an infection?
That's a major issue.. because the changes themselves likely are done through simple DOS commands which don't show the change..
I wonder if there is anything added to the code, like a 000000xa or something to that effect, which you can then scan for..
The question I guess I am asking..
Any idea what it added to the file, other than the size?
0
 
LVL 11

Expert Comment

by:andreas
ID: 40505785
Then instruct all users not to use the server but leave the clients running and then sniff the network traffic. Or, depending on how many clients you have, turn off all clients and then turn them on one by one to check which one will introduce the problem.

Finding the virus on the clients doesn't mean the server itself is clean. The server may even run another malware that only DROPS the thing you find in the exe files. You really should consider the server itself compromised too, especially if you have logged on to one of the clients as domain admin or with other accounts with higher privileges. This worm can also spread by exploiting Windows security holes, so be sure your server and clients are up to date with all patches.
0
 
LVL 11

Expert Comment

by:andreas
ID: 40505790
@rob It's a polymorphic virus, therefore any AV does NOT have a chance to detect the modified binaries, as each copy has a different coding. You can only detect changes if you have checksums of the clean files.
0
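The checksum approach from the comment above, as an added example that is not part of the thread: a PowerShell script that records a SHA-256 baseline of every .exe under a share and later reports files whose hash changed, flagging growth in bytes and whether the modified time moved (the infection described in the question keeps the timestamp, so a hash, not mtime, is the signal). It assumes PowerShell 4 or later for Get-FileHash; the share and baseline paths are placeholders.

```powershell
# Added example, not from the thread. Build or compare a hash baseline of executables.
# Assumes PowerShell 4+ (Get-FileHash); paths below are placeholders to adjust.
param(
    [string]$SharePath    = '\\FILESERVER\apps',          # placeholder share path
    [string]$BaselinePath = 'C:\baseline\apps-exe.csv',   # placeholder baseline file
    [switch]$Rebuild
)

function Get-ExeInventory {
    param([string]$Root)
    Get-ChildItem -Path $Root -Recurse -Filter *.exe -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path          = $_.FullName
                Length        = $_.Length
                LastWriteTime = $_.LastWriteTimeUtc.ToString('o')
                Sha256        = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# First run (or -Rebuild after a verified clean restore): write the baseline.
if ($Rebuild -or -not (Test-Path $BaselinePath)) {
    Get-ExeInventory -Root $SharePath | Export-Csv -Path $BaselinePath -NoTypeInformation
    Write-Host "Baseline written to $BaselinePath"
    return
}

# Later runs: key on path and compare hashes. A changed hash is reported even when
# the modified time is identical, which is exactly the case mtime-based checks miss.
$baseline = @{}
Import-Csv -Path $BaselinePath | ForEach-Object { $baseline[$_.Path] = $_ }

foreach ($f in Get-ExeInventory -Root $SharePath) {
    $old = $baseline[$f.Path]
    if (-not $old) { Write-Output "NEW      $($f.Path)"; continue }
    if ($old.Sha256 -ne $f.Sha256) {
        $growth = [int64]$f.Length - [int64]$old.Length
        $mtime  = if ($old.LastWriteTime -eq $f.LastWriteTime) { 'mtime unchanged' } else { 'mtime changed' }
        Write-Output ("MODIFIED {0}  ({1:+#;-#;0} bytes, {2})" -f $f.Path, $growth, $mtime)
    }
}
```

Store the baseline CSV somewhere the share's users cannot write, otherwise whatever is tampering with the executables can tamper with the baseline too.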
 

Expert Comment

by:TRSTeam
ID: 40505802
Run a trial using Netwrix network auditor, you'll find your answers.
0
 
LVL 6

Expert Comment

by:Rob G
ID: 40505813
Do you have a backup?
Since the virus is cleaned out, maybe just restore the entire drive?
No?
0
 

Author Comment

by:Baran711
ID: 40506184
We are a bit off topic; the issue is already fixed and the discussion about AV or backup is irrelevant. I am simply looking for a better way to track down the source of problems like this in the future. I have hundreds of clients, it's bound to happen again somewhere else. I will need to look into Netwrix as TRSTeam suggested, that looks like the closest thing to what I am asking for so far. I just want to be able to pinpoint the system that is modifying the files as fast as possible next time. Checking each machine isn't ideal.
0
 
LVL 6

Expert Comment

by:Rob G
ID: 40507079
I am pretty sure that from a modification standpoint you could just use Microsoft Auditing in Group Policy. I am not 100% sure this is what you are looking for, or if it still exists, as the last time I used it was in 2000 Advanced Server, but there are better 3rd-party tools that will show more detail. I believe SolarWinds LEM will do this in more detail, but it is a little expensive.

To do this through windows you can:
Computer Configuration - Windows Settings - Security Settings - Local Policies - Audit Policy
Start Explorer

Right click on the files/folders select Properties
Select the Security tab
Click the Advanced button
Select the Audit tab
Click Edit
Click Add
Select 'Everyone'
Click OK
Select the actions to audit such as 'List folder/read data'
Click OK
Click OK to all dialogs

The dialogue might be slightly different, and you may have to play with it a little to see if it still works in the newer OSes, but I am pretty sure this will do what you are looking for.. If it is still there..
0
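The same auditing set-up done from PowerShell, as an added example that is not part of the thread. It audits writes, appends and deletes rather than reads, since the aim is to catch who is modifying files, and then reads back the resulting events grouped by client IP. Assumptions: Windows Server 2008 R2 or later (event 5145 and the auditpol subcategories do not exist on the 2003 R2 server in the question, which only logs 560/567 without a client address), an elevated session, and `$SharePath` as a placeholder for the shared folder.

```powershell
# Added example, not from the thread. Assumes Server 2008 R2+ and an elevated session.
$SharePath = 'D:\Shares\Apps'   # placeholder: local path of the shared folder

# 1. Enable the audit subcategories. "File System" yields 4663 (user, handle, access);
#    "Detailed File Share" yields 5145, the event that carries the client IP address.
auditpol /set /subcategory:"File System" /success:enable | Out-Null
auditpol /set /subcategory:"Detailed File Share" /success:enable | Out-Null

# 2. Add a SACL that audits write/append/delete for Everyone, inherited by all
#    files and subfolders. A read-only audit (List folder/read data) would not fire on
#    the modifications we are hunting.
$acl  = Get-Acl -Path $SharePath -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    'WriteData,AppendData,Delete,DeleteSubdirectoriesAndFiles',
    'ContainerInherit,ObjectInherit', 'None', 'Success')
$acl.AddAuditRule($rule)
Set-Acl -Path $SharePath -AclObject $acl

# 3. Pull 5145 events, keep write-type accesses, and report per client.
#    AccessMask bits: 0x2 WriteData, 0x4 AppendData, 0x10000 Delete.
function Get-ShareWriters {
    param([datetime]$Since = (Get-Date).AddHours(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5145; StartTime = $Since } `
                 -ErrorAction SilentlyContinue |
      ForEach-Object {
        $d = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        $mask = [convert]::ToInt64($d.AccessMask, 16)
        if ($mask -band 0x10006) {
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Client = $d.IpAddress
                User   = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Share  = $d.ShareName
                Target = $d.RelativeTargetName
            }
        }
      }
}

Get-ShareWriters | Group-Object Client | Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'Users'; e = { ($_.Group.User | Select-Object -Unique) -join ',' } }
```

The client that tops the list while restored files keep changing is the one to pull off the network; 5145 is noisy on a busy share, so size the Security log accordingly or forward it to a collector.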
 

Author Comment

by:Baran711
ID: 40507085
I did try enabling auditing; it only seemed to generate events when I looked at the directory. I assumed that since the file modified date wasn't changing, the audit trail wasn't firing either.
0
 
LVL 6

Accepted Solution

by:Rob G (earned 500 total points)
ID: 40507228
Baran,
There is a fairly good article on this here:
http://dottech.org/11324/4-ways-to-monitor-who-is-accessing-your-shared-foldersfiles/
I wonder if one of these might work for the information you are trying to pull..?
0
 

Author Comment

by:Baran711
ID: 40512894
Thanks Rob, I was using the built-in Windows one but I will check out the other 3 mentioned in that post.
0
