
Thread: Protecting against EFS based attacks

  1. #1
    Join Date
    Mar 2006
    Posts
    1,350

    Default Protecting against EFS based attacks

    Another trojan? Who cares? They do -- take care of themselves first, then they're going to 'take care' of you! "Recently a trojan was seen to take advantage of Encrypting File System (EFS) to protect itself & execute with administrative privileges. The trojan creates an administrator login account with a random name and random password. Using this login key pair it then encrypts the downloader component that it drops. It then creates a service that points to the encrypted file:

    Link.........

    One defence against auto-installation of malware is to make sure that your "everyday" user account does not have administrative privileges. Remember, only an administrator can install certain types of software, modify the registry, modify the OS, create user accounts with administrator privileges, etc.

    It's much better to just run as an ordinary user most of the time, and switch to an administrative account occasionally when required.

    Oh, and make sure that all accounts on the machine, not just the administrators, have strong passwords.
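
    A defender-side check for the behaviour described in the quoted article, added here as an example and not code from this thread or from the article itself: it lists any service whose executable carries the EFS Encrypted attribute, and the current members of the local Administrators group, so a rogue service or an account you did not create stands out. Assumes Windows PowerShell 5.1 or later run from an elevated prompt; the function names are my own.

```powershell
# Added example (not from the thread): audit services whose binary is
# EFS-encrypted and list local Administrators, as a starting point for
# spotting the behaviour described above. Function names are assumptions.

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # A service ImagePath may be quoted and carry arguments; keep only the executable.
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = $PathName.Trim()
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        if ($end -gt 0) { $p = $p.Substring(1, $end - 1) }
    } else {
        $idx = $p.IndexOf('.exe ', [StringComparison]::OrdinalIgnoreCase)
        if ($idx -gt 0) { $p = $p.Substring(0, $idx + 4) }
    }
    return [Environment]::ExpandEnvironmentVariables($p)
}

function Find-EncryptedServiceBinaries {
    # A service executable with the Encrypted attribute is unusual on a
    # normal machine and matches the trojan behaviour in the article.
    Get-CimInstance Win32_Service | ForEach-Object {
        $exe = Get-ServiceBinaryPath $_.PathName
        if ($exe -and (Test-Path -LiteralPath $exe)) {
            $attrs = (Get-Item -LiteralPath $exe -Force).Attributes
            if ($attrs -band [IO.FileAttributes]::Encrypted) {
                [pscustomobject]@{
                    Service   = $_.Name
                    StartMode = $_.StartMode
                    Account   = $_.StartName
                    Path      = $exe
                }
            }
        }
    }
}

function Get-LocalAdminAccounts {
    # Compare against the accounts you created yourself; an unfamiliar
    # name with a random look is worth investigating.
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource
}

Find-EncryptedServiceBinaries | Format-Table -AutoSize
Get-LocalAdminAccounts | Format-Table -AutoSize
```

    An empty first table is the expected result on a clean machine; any row it does return should be checked before the service runs again.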

  2. #2
    Join Date
    Mar 2003
    Location
    Wick
    Posts
    1,020

    Default

    Hi pultneytooner,

    Interesting article. It is just another case of a different attack method for malware. Nothing new there. What I think is dangerous is using another 'feature' of Windows to hide itself from the user. The article does suggest that home users are often using EFS to encrypt files and documents to keep them from prying eyes. I actually think to a user who really doesn't understand how it works it can be quite dangerous.

    It's far too easy to encrypt files - it's just a tick box (as the article indicates) however you need to also backup your private key to allow you to unencrypt the files should anything happen to your account or computer.

    See this article and the section titled 'Performing Data Recovery' for information on backing up your private key.

    I think the advice in the article is worth repeating and I will be adding the news and more information about it to my site. I didn't want to clog up the forums here with a long message about preventing attacks when it may not interest everybody.

    I'll post a message when the information is up, hopefully later tonight or tomorrow morning.
    Kind regards,

    Paul Broadwith
    Blue Ivy Ltd, Wick - Certified Microsoft Small Business Specialist

  3. #3
    Join Date
    Mar 2003
    Location
    Wick
    Posts
    1,020

    Default

    I've posted a new news article on my site about preventing this trojan. It takes the advice given in the original blog entry and pads it out a little with a better explanation for less technical users. I've also added some information on the detection of the trojan that I hope is useful.

    It's available at the Small Business IT website under the news section " Trojan Uses Windows Feature To 'Hide' ".

    Hope it's useful. Constructive feedback, as always, is appreciated.
    Kind regards,

    Paul Broadwith
    Blue Ivy Ltd, Wick - Certified Microsoft Small Business Specialist

  4. #4
    Join Date
    Mar 2006
    Posts
    1,350

    Default

    Excellent article blueivy.

  5. #5
    Join Date
    Mar 2003
    Location
    Wick
    Posts
    1,020

    Default

    Thanks pultneytooner. Hope others think so too and find it useful. If you (or anybody else) has any more links or resources to add to the article, please let me know.
    Kind regards,

    Paul Broadwith
    Blue Ivy Ltd, Wick - Certified Microsoft Small Business Specialist
