Protecting against EFS based attacks.

Tuesday, September 5, 2006 at 9:06am by Aditya Kapoor

Overview

Encrypting File System (EFS) [1] has been integrated into Microsoft’s Windows platform since Windows 2000, and Windows XP Professional, Windows 2003 Server and Windows 2005 Media Center also support it. EFS uses public key cryptography: a user’s account login and password pair is used to encrypt a private key, and that private key is used to encrypt the original data (files or folders). Encrypting files or folders on the supported operating systems is a trivial task and can be done in several ways. For example, as shown in the image below, calc.exe can be encrypted just by clicking on “Advanced” and then checking “Encrypt contents to secure data”.

Encrypting Calc.exe

Programmatically, the same result can be achieved by calling the APIs that support file encryption, such as CreateFile with the FILE_ATTRIBUTE_ENCRYPTED flag or the EncryptFile function. Microsoft’s command-line utility Cipher.exe can also be used to encrypt directories and their contents. The result of such encryption is that only the authorized user can view these files. Many businesses and home users rely on it to protect confidential data from hackers, uploader trojans, or anyone gaining physical access to the machine.
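The following PowerShell session is an added example, not code from the original post: it EFS-encrypts a constructed sample file through System.IO.File.Encrypt (a wrapper over the EncryptFile call mentioned above), confirms the Encrypted attribute, uses cipher.exe /c to list which accounts hold a key for the file, and then decrypts it again. The file location under $env:TEMP is constructed for the demonstration, and cipher.exe /c is assumed to be available (it is on Windows Vista and later).

```powershell
# Added example (not from the original post): encrypt a constructed file with
# EFS, confirm the Encrypted attribute, list who can decrypt it, then decrypt.
# Needs a Windows edition that supports EFS and a PowerShell 5.1+ prompt.

$sample = Join-Path $env:TEMP 'efs-sample.txt'          # constructed location
Set-Content -Path $sample -Value 'constructed confidential data'

function Test-EfsEncrypted {
    # True when the file carries the NTFS Encrypted attribute set by EFS.
    param([string]$Path)
    $attrs = (Get-Item -LiteralPath $Path -Force).Attributes
    return [bool]($attrs -band [IO.FileAttributes]::Encrypted)
}

# System.IO.File.Encrypt calls the Win32 EncryptFile API for the current user.
[IO.File]::Encrypt($sample)
"Encrypted after File.Encrypt: $(Test-EfsEncrypted $sample)"

# cipher.exe /c reports the user certificate(s) that can decrypt the file and
# any data recovery agents. This is the check that shows which account holds
# the key; a file encrypted by an account you did not create stands out here.
& "$env:windir\System32\cipher.exe" /c $sample

# cipher.exe /d removes the encryption (equivalent to File.Decrypt).
& "$env:windir\System32\cipher.exe" /d $sample
"Encrypted after cipher /d: $(Test-EfsEncrypted $sample)"

Remove-Item -LiteralPath $sample -Force
```

The cipher.exe /c output is the part worth knowing: it names the user whose key protects the file, which is exactly the information an administrator needs when an unfamiliar encrypted file turns up.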

Concerns

Recently a trojan was seen taking advantage of EFS to protect itself and execute with administrative privileges. This malware is composed of thoughtfully crafted, obfuscated DLL and PE files. It has two main components: a dialer component, detected as Qdial-45, and a downloader/dropper component, detected as Spy-Agent.bf, that drops this dialer along with an EFS-encrypted downloader file. McAfee has been detecting variants of this trojan since August 02, 2006; however, we have observed an upsurge in infection rates in the last few weeks.

The trojan creates an administrator login account with a random name and a random password. Using this login and password pair, it encrypts the downloader component that it drops. It then creates a service with a random name that points to the encrypted file and is configured to log on with the newly created account. This service can be started at will. The encrypted file is executed with the logon credentials the trojan created, in order to download updated variants of Spy-Agent.bf. Some variants of this trojan also drop a Browser Helper Object, a DLL file stored in an alternate data stream. The DLL is obfuscated as well and tries to download updated copies of the Spy-Agent.bf trojan.

It has been observed to contact the following IPs and domains for updates and DNS queries.

  • shiptrop.com
  • 195.225.176.85
  • 195.225.177.22
  • esthost.com
  • wscooler.com

The downloader component of the trojan uses steganographic techniques to hide the downloaded data from network sniffers. From its download servers it fetches a packed file carrying a “gif” header, decrypts this fake gif in memory, writes a randomly named executable to the “C:\Documents and Settings\%LocalUser%\My Documents” folder and launches it. The origins of these trojans appear to be the domain names “Gromozon.com”, “xearl.com” and “micotad.com”, most of which resolve to IP addresses in the range 195.225.176.* – 195.225.177.*. It is advisable not to visit these web sites, as they may still host various browser exploits. We have always seen a tendency toward copycat malware, and more malware may adopt similar self-preservation techniques using EFS, so it is useful to understand what proactive steps can be taken to prevent such an attack.
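The behaviour described in this section (a freshly created local administrator, a service that logs on with that account and points at an EFS-encrypted binary, a BHO living in an alternate data stream) can be checked for on a single host. The PowerShell script below is an added example, not code from the original post or from McAfee: it is read-only and reports each of those indicators. Because the trojan's account, service and file names are random and are not given in the post, nothing in it keys on a specific name; the 30-day look-back window is an assumption.

```powershell
# Added example (not from the original post): a read-only hunt, on one Windows
# host, for the persistence pattern described above. It reports local accounts
# created recently (Security event 4720), services that log on as a user
# account rather than a built-in service identity and whether each service's
# binary is EFS-encrypted, Browser Helper Objects whose DLL path points into an
# alternate data stream, and non-default NTFS streams under %windir%.
# Run from an elevated PowerShell 5.1+ prompt.

$lookbackDays = 30                       # assumption; widen or narrow as needed
$since = (Get-Date).AddDays(-$lookbackDays)

function Get-ServiceBinaryPath {
    # Pull the executable out of Win32_Service.PathName, which may be quoted
    # ("C:\Program Files\x\y.exe" -arg) or unquoted (C:\x\y.exe -arg).
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    if ($PathName.StartsWith('"')) {
        $end = $PathName.IndexOf('"', 1)
        if ($end -gt 1) { return $PathName.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($PathName, '^(.+?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($PathName -split '\s+')[0]
}

function Test-EfsEncrypted {
    # True when the file carries the EFS Encrypted attribute.
    param([string]$Path)
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    if (-not $item) { return $false }
    return [bool]($item.Attributes -band [IO.FileAttributes]::Encrypted)
}

# 1. Accounts created within the look-back window.
Write-Host "== Accounts created since $since (event 4720) =="
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Created   = $_.TimeCreated
            Account   = ($data | Where-Object Name -eq 'TargetUserName').'#text'
            CreatedBy = ($data | Where-Object Name -eq 'SubjectUserName').'#text'
        }
    } | Format-Table -AutoSize

# 2. Services that log on as a user account, and whether their binary is
#    EFS-encrypted: the combination the post describes.
Write-Host "== Services logging on as user accounts =="
Get-CimInstance Win32_Service |
    Where-Object { $_.StartName -and $_.StartName -notmatch '^(LocalSystem|NT AUTHORITY\\|NT SERVICE\\)' } |
    ForEach-Object {
        $exe = Get-ServiceBinaryPath $_.PathName
        [pscustomobject]@{
            Service   = $_.Name
            LogOnAs   = $_.StartName
            StartMode = $_.StartMode
            Binary    = $exe
            Encrypted = $(if ($exe) { Test-EfsEncrypted $exe } else { $false })
        }
    } | Sort-Object Encrypted -Descending | Format-Table -AutoSize

# 3. Browser Helper Objects whose DLL sits in an alternate data stream
#    (a path of the form C:\dir\host.txt:payload.dll) or is itself encrypted.
Write-Host "== Browser Helper Objects =="
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
Get-ChildItem -Path $bhoKey -ErrorAction SilentlyContinue | ForEach-Object {
    $clsid = $_.PSChildName
    $srv = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
    $dll = [Environment]::ExpandEnvironmentVariables("$($srv.'(default)')")
    [pscustomobject]@{
        CLSID     = $clsid
        Dll       = $dll
        InStream  = [bool]($dll -match '^[A-Za-z]:\\.*:[^\\:]+$')
        Encrypted = $(if ($dll) { Test-EfsEncrypted $dll } else { $false })
    }
} | Format-Table -AutoSize

# 4. Non-default NTFS streams under %windir%. The Access Protection rule in the
#    Prevention section blocks their creation; this lists any already present.
#    Recursing the whole Windows directory can take several minutes.
Write-Host "== Alternate data streams under $env:windir =="
Get-ChildItem -Path $env:windir -Recurse -File -Force -ErrorAction SilentlyContinue |
    Get-Item -Stream * -ErrorAction SilentlyContinue |
    Where-Object { $_.Stream -ne ':$DATA' } |
    Select-Object FileName, Stream, Length |
    Format-Table -AutoSize
```

A service in the second table that logs on as a local account created inside the look-back window and whose binary shows Encrypted = True is the combination worth investigating first; an encrypted service binary is unusual on its own, because a service binary is normally readable by the machine, not by one user.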

Prevention

1. As a best practice, disable the download of unsigned ActiveX controls in the browser, and keep Windows and McAfee products updated with the latest signatures and patches.

2. VirusScan Access Protection rules.

  • Block access to Cipher.exe so that it cannot be used to encrypt arbitrary files and folders.
  • Prevent creation of NTFS alternate data streams in the Windows directory and its subdirectories by adding the following file-creation blocking rule:
    • “%windir%\**:*”

3. If EFS is not needed, it can be disabled with the following registry modification.

  • Navigate to the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS.
  • In the right pane, right-click, select New, and then click DWORD Value.
  • Enter EfsConfiguration as the value name and 1 as the value data to disable EFS.
  • Restart the system.
  • Any attempt to encrypt a file after this will result in the following message: “An error occurred applying attributes to the file: filename. The directory has been disabled for encryption.”

4. EFS can also be disabled for a specific folder by placing a desktop.ini file with the following lines in the folder that should not accept encrypted files.

[Encryption]
Disable=1

5. Programmatically, EFS can also be disabled for a directory using the EncryptionDisable(DirPath, Disable) API, where Disable is a BOOL [2].
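Steps 3 to 5 are three ways of switching EFS off, one machine-wide and two per folder. The PowerShell script below is an added example, not code from the original post: it applies all three and then verifies the per-folder ones by trying to encrypt a probe file where encryption should now be refused, alongside an unprotected folder for comparison. The folders under $env:TEMP are constructed for the demonstration, the EncryptionDisable P/Invoke declaration is the standard advapi32 signature, and the machine-wide registry step is opt-in because it only takes effect after a restart.

```powershell
# Added example (not from the original post): apply prevention steps 3 to 5
# and verify the per-folder ones. Run from an elevated PowerShell 5.1+ prompt
# on a Windows edition that supports EFS.

$ErrorActionPreference = 'Stop'
$applyMachineWide = $false                 # set to $true to perform step 3

# Step 3: machine-wide switch. EfsConfiguration = 1 disables EFS after a reboot.
$efsKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS'
function Set-EfsMachineState {
    param([bool]$Disable)
    New-ItemProperty -Path $efsKey -Name 'EfsConfiguration' -PropertyType DWord `
        -Value ([int]$Disable) -Force | Out-Null
    return (Get-ItemProperty -Path $efsKey -Name 'EfsConfiguration').EfsConfiguration
}

# Step 4: per-folder switch via a desktop.ini containing [Encryption] Disable=1.
function Disable-EfsForFolderViaIni {
    param([string]$Folder)
    New-Item -ItemType Directory -Path $Folder -Force | Out-Null
    $ini = Join-Path $Folder 'desktop.ini'
    Set-Content -Path $ini -Value @('[Encryption]', 'Disable=1') -Encoding Ascii
}

# Step 5: the same per-folder switch through the Win32 EncryptionDisable API
# in advapi32.dll, reached from PowerShell via P/Invoke.
Add-Type -Namespace Win32 -Name Efs -MemberDefinition @'
[DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern bool EncryptionDisable(string DirPath, bool Disable);
'@
function Disable-EfsForFolderViaApi {
    param([string]$Folder, [bool]$Disable = $true)
    New-Item -ItemType Directory -Path $Folder -Force | Out-Null
    if (-not [Win32.Efs]::EncryptionDisable($Folder, $Disable)) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "EncryptionDisable('$Folder', $Disable) failed with Win32 error $err"
    }
}

# Verification: try to encrypt a throwaway file in the folder. True means EFS
# refused (the directory-disabled error surfaces as an IOException); False
# means the file was encrypted, so the folder is not protected.
function Test-FolderRejectsEncryption {
    param([string]$Folder)
    $probe = Join-Path $Folder ("probe-{0}.txt" -f [guid]::NewGuid())
    Set-Content -Path $probe -Value 'constructed probe file'
    try {
        [IO.File]::Encrypt($probe)
        $encrypted = [bool]((Get-Item -LiteralPath $probe -Force).Attributes -band [IO.FileAttributes]::Encrypted)
        if ($encrypted) { [IO.File]::Decrypt($probe) }
        return (-not $encrypted)
    } catch [System.IO.IOException] {
        return $true
    } finally {
        Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
    }
}

$demoRoot   = Join-Path $env:TEMP 'efs-demo'   # constructed for this example
$openFolder = Join-Path $demoRoot 'unprotected'
$iniFolder  = Join-Path $demoRoot 'via-ini'
$apiFolder  = Join-Path $demoRoot 'via-api'
New-Item -ItemType Directory -Path $openFolder -Force | Out-Null

Disable-EfsForFolderViaIni $iniFolder
Disable-EfsForFolderViaApi $apiFolder

"Unprotected folder refuses EFS      : $(Test-FolderRejectsEncryption $openFolder)"
"desktop.ini folder refuses EFS      : $(Test-FolderRejectsEncryption $iniFolder)"
"EncryptionDisable folder refuses EFS: $(Test-FolderRejectsEncryption $apiFolder)"

if ($applyMachineWide) {
    "EfsConfiguration set to $(Set-EfsMachineState -Disable $true); restart to apply"
}
```

The unprotected folder is there as a control: if it also reports True, the machine cannot encrypt at all (EFS unsupported or already disabled machine-wide), and the per-folder results prove nothing about steps 4 and 5.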

References

[1] Encrypting File Systems in Windows XP and Windows Server 2003

[2] Disabling EFS for a Specific Folder
