File Monitoring (cryptolocker detection)

Anyone who has experienced a cryptolocker virus hitting there PC or worse there servers will know how devastating it can be and how disruptive to your companies ability to operate.

There is no substitute for having in place proper preventative measures such as

  • Firewall

  • Anti-Virus

  • Spam Filtering on emails

  • Backups of all data and multiple copies of them as well, backups backups backups

However if somehow the virus still manages to get on to a machine in your network it will quickly start encrypting any files it can find. In this instance you want to shut down any sources of key data quickly to minimise the amount of data you will have to recover. I decided to show how you can easily create a honeypot in python which will monitor a file in a folder and then alert you if it is changed and take an action such as shut the PC or server down.

I would recommend creating a folder at the top of your folder structure and placing the file within it. Make the file something that no one should touch and then basically forget about it.

For the script below to operate properly you will need to have access to a gmail account and enable unsecure apps in the settings so our program can email through it. I have setup a gmail account specifically for this purpose to test my code, that way I am not changing the security settings on my own account.

Ok here is the code

#import any modules
import time
from mailer import Mailer
import os


#create a monitor and alert class

class MonitorAndAlert():

    def __init__ (self):
        print('class initiated')
        self.filename = ''
        self.alert_email = ''


    def get_config(self):
        #set the config parameters, change these to suit your own
        self.filename = 'x:\afolder\afile.txt'
        self.folder = 'x:\afolder'
        self.alert_email = 'enduser@email.com'
        self.send_email = 'sendfrom@gmail.com'
        self.send_password = 'averysecurepasswordgoeshere'
        self.action = 'shutdown'

    def monitor_files(self):
        #this will check the file exists and then keep checking it every 15 seconds, you can 
        #change how often it checks but think about how much damage could be done in 
        #the period and set it according to what you think is safe
        i=0
        while i < 1:
            try:
                file_to_check = open(self.filename, 'r')
                if file_to_check:
                    print('file ok')
                    time.sleep(15)
                else:
                    mon.create_alerts()
                    i=1
            except:                
                i=1
                mon.create_alerts()



    def create_alerts(self): 
        #lets notify you that the file has been changed, give you a list of files
        #in that directory and then trigger the action       
        arr = os.listdir(mon_folder)        
        alert_msg = 'The monitored file no longer exists, here is a list of the files in that directory \n\n'
        for file in arr:
            alert_msg = alert_msg + file + ' \n'
        alert_msg = alert_msg + '\nThe saved action is to ' + self.action + ' so this has now been initiated.'
        mail = Mailer(email=self.send_email, password=self.send_password)
        mail.send(receiver=self.alert_email, subject='File Change Alert', message=alert_msg) 
        mon.run_action

    def run_action(self):
        if self.action == 'shutdown':
            print('shutting computer down')
            os.system("shutdown /s /t 1")



#call the class and start monitoring

mon = MonitorAndAlert()
mon.get_config()
mon.monitor_files()

You will notice that at the moment the only option is to shutdown for the action. This is the sure fire way to ensure the attack is stopped stone dead because even if you turned access to the shared folder off if the malicious program is actually running on the server it can still encrypt the files through a local file path. But if you had a preferred action and you understand why you want to do it then you can simply modify the actions function accordingly.

No Comments Yet