
Custom IPS to block Trojan.Gpcoder (ransom trojan) 

Apr 15, 2012 11:28 AM

Introduction:

The last couple of days we have seen an increased spreading of the trojan Trojan.Gpcoder. This trojan encrypts 50% of all files on the local computer or on shared network drives mapped in Explorer.

The specific version we have seen encrypts all files to a file extension of .EnCiPhErEd

When the files have been encrypted a message box prompts the user to pay €50 in ransom to receive a decryption key. A text file called “How to Decrypt Files.txt” is also created in all folders.

The text file contains the following information.

Attention! All your files are encrypted! You are using unlicensed programms!
To restore your files and access them,send code Ukash or Paysafecard nominal value of  EUR 50 to the e-mail Koeserg@gmail.com. During the day you receive the answer with the code.You have 5 attempts to enter the code. If you exceed this of all data irretrievably spoiled. Be careful when you enter the code!

Symantec Endpoint Protection protection technologies

The trojan mutates rapidly and we have seen that the antivirus vendors are struggling to keep up with virus definitions that block the trojan. SEP 12.1 clients are protected with Symantec Insight, but SEP 11.x customers are unfortunately still vulnerable.

This specific version of the trojan usually infects the computer by a website drive-by download. Customers that use SEP IPS are therefore better protected, as SEP IPS does a very good job of blocking web exploits.

Custom IPS to help stop spreading

The biggest problem with this trojan is the fact that it encrypts files on file shares. Imagine having your 1TB common area totally encrypted. To avoid this spreading I have created a Custom IPS that blocks the creation and modification of .EnCiPhErEd files on file shares. This rule will not block the infection itself from occurring, but it will protect your storage areas if a computer happens to be infected.

Below is one of the Custom IPS rules that block the writing. I have created 4 rules that are included in the Custom IPS that will block both incoming and outgoing traffic.

Note that this rule will also stop users from browsing shares that contain files with the .EnCiPhErEd extension, and that an IPS alert will be sent to the SEPM every time a user opens a shared folder that contains .EnCiPhErEd files.
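To make concrete what such a share-protecting rule has to look at on the wire, here is an added example (my own illustration, not the attached SEP signature and not Syscom's code) that parses an SMB2 CREATE request, extracts the UTF-16LE file name, and decides whether the open is a write of a .EnCiPhErEd file. The packet layout follows MS-SMB2 (64-byte header, 56-byte fixed CREATE body, NameOffset/NameLength at body offsets 44/46); the decision logic, the packet builder and the sample requests are constructed for the example. The `naive_match` function shows why a signature that keys on the extension string alone also fires on read-only opens and share browsing, which is the side effect noted above.

```python
"""Toy SMB2 CREATE inspector illustrating a share-protecting IPS rule.
Constructed example: not the SEP custom signature from the post."""
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_CREATE = 0x0005
FILE_OPEN = 0x00000001                  # CreateDisposition: open only if it exists
FILE_READ_DATA = 0x00000001
# DesiredAccess bits that imply a write: FILE_WRITE_DATA, FILE_APPEND_DATA,
# GENERIC_ALL, GENERIC_WRITE (values per MS-SMB2 / MS-FSCC)
WRITE_BITS = 0x00000002 | 0x00000004 | 0x10000000 | 0x40000000
EXT = ".EnCiPhErEd"                     # indicator taken from the post


def build_create_request(name: str, desired_access: int, disposition: int) -> bytes:
    """Assemble a minimal SMB2 CREATE request (header + body) as test input."""
    header = SMB2_MAGIC + struct.pack(
        "<HHIHHIIQIIQ16s",
        64, 0, 0, SMB2_CREATE, 1, 0, 0,   # StructureSize..NextCommand
        7, 0, 1, 0x1234, b"\0" * 16)      # MessageId, Reserved, TreeId, SessionId, Signature
    name_bytes = name.encode("utf-16-le")
    name_offset = 64 + 56                 # name follows the fixed body
    body = struct.pack(
        "<HBBIQQIIIIIHHII",
        57, 0, 0, 2, 0, 0,                # StructureSize, SecurityFlags, Oplock, Impersonation, CreateFlags, Reserved
        desired_access, 0x80, 7, disposition, 0,   # DesiredAccess, FileAttributes, ShareAccess, Disposition, Options
        name_offset, len(name_bytes), 0, 0)        # NameOffset, NameLength, CreateContexts offset/length
    return header + body + name_bytes


def parse_create(packet: bytes):
    """Return (file name, DesiredAccess, CreateDisposition) or None if not a CREATE."""
    if len(packet) < 64 + 56 or packet[:4] != SMB2_MAGIC:
        return None
    if struct.unpack_from("<H", packet, 12)[0] != SMB2_CREATE:
        return None
    desired_access = struct.unpack_from("<I", packet, 64 + 24)[0]
    disposition = struct.unpack_from("<I", packet, 64 + 36)[0]
    name_off, name_len = struct.unpack_from("<HH", packet, 64 + 44)
    if name_off + name_len > len(packet):
        return None                       # truncated or malformed, treat as no match
    name = packet[name_off:name_off + name_len].decode("utf-16-le", errors="replace")
    return name, desired_access, disposition


def should_block(packet: bytes) -> bool:
    """Block only writes/creates of .EnCiPhErEd files; leave read-only opens alone."""
    parsed = parse_create(packet)
    if parsed is None:
        return False
    name, access, disposition = parsed
    wants_write = bool(access & WRITE_BITS) or disposition != FILE_OPEN
    return name.lower().endswith(EXT.lower()) and wants_write


def naive_match(packet: bytes) -> bool:
    """Plain content match on the extension string anywhere in the packet.
    This is what a signature keyed on the string alone does, and it also
    fires on reads and on directory listings that carry the file name."""
    return EXT.encode("utf-16-le").lower() in packet.lower()


if __name__ == "__main__":
    write = build_create_request("docs\\report.docx.EnCiPhErEd", 0x40000000, 5)
    read = build_create_request("docs\\report.docx.EnCiPhErEd", FILE_READ_DATA, FILE_OPEN)
    clean = build_create_request("docs\\report.docx", 0x40000000, 5)
    for label, pkt in (("write", write), ("read", read), ("clean", clean)):
        print(f"{label}: block={should_block(pkt)} naive={naive_match(pkt)}")
```

The write-of-encrypted-file request is blocked by both functions, but the read-only open of an already encrypted file is flagged only by the naive string match, which is the alert-on-browse behaviour described in the post.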

How to use the policy

Import the policy under Custom IPS. After you import the IPS signatures, I have experienced that Custom IPS signatures won't update on the clients until you do a policy configuration on the group you apply it to. Just do some sort of update on the group; change restart options, for example, to change the policy version. You can test the policy by going to ww.ulv.no. The page just lists a wolf, and a test alert should be seen in the SEP logs.

The IPS rules are attached. All use is at your own risk, and you are expected to test the IPS rule thoroughly in your environment before it is deployed.

Note that Custom IPS are dependent on the Firewall component, even if you are on SEP 12.1. http://www.symantec.com/business/support/index?page=content&id=TECH162230&actp=search&viewlocale=en_US&searchid=1334310865093

The rules are also submitted to Symantec, and they are currently evaluating the code to be implemented in a LiveUpdate release.

(I have also tried creating an Application & Device Control policy for this, but the malware runs as a driver, making the A/D policy that only checks processes useless.)


Torbjørn Remmen - Senior Systems Engineer

Syscom AS

Attachment(s)
zip file
Block Trojan.Gpcoder.zip   2 KB   1 version
Uploaded - Feb 25, 2020
Comments

May 17, 2012 05:10 AM

Many thanks, Torbjørn!

Such custom IPS signatures can further improve the protection offered by AV signatures. Within SEP there are excellent means of prevention against Trojan.Gpcoder.G etc. available, when used correctly.

Here is a good public blog post from Symantec Security Response about why ransomware has become so prevalent recently:
https://www-secure.symantec.com/connect/blogs/ransomware-crimeware-kits

Also see:  Ransomware and Silence Locker Control Panel
https://www-secure.symantec.com/connect/blogs/ransomware-and-silence-locker-control-panel

and: https://www-secure.symantec.com/connect/node/1618951

The best means of dealing with files that are encrypted is to restore from a "known good" backup. Don't even consider making contact with the malware authors, IMHO. Any victims are unlikely to ever receive a decrypting tool. They're far more likely to be milked out of as much money as possible.

Apr 19, 2012 08:34 PM

There is also another variant that encrypts the files with the RSA256 extension.
