Comprehensive data protection for all workloads
coolsport00
Veeam Legend
Posts: 116
Liked: 29 times
Joined: Sep 11, 2012 12:00 pm
Full Name: Shane Williford
Location: Missouri, USA
Contact:

Re: Malware detection, Ransomware Notice found

Post by coolsport00 »

I've done a YARA scan on some of my Windows devices (btw...all A/V minus the 1 I mentioned above have scanned out "ok") and, like others above have shared, I'm seeing Chrome Cache files come back as "onion links" (data_3, and some "rules" files are a few..and seem legit); but it appears the Malware engine is detecting valid executables also (C:\Windows\System32\curl.exe and C:\Program Files\Windows Defender Advanced Threat Protection\SenseNdr.exe ...and I've seen a few others) as an Onion Link (OL)? Well, let me be a bit more specific, the YARA scan tool I'm using is detecting those files as OLs (YARA binaries from: https://github.com/VirusTotal/yara/releases/tag/v4.5.1). If Veeam scans blocks in a somewhat similar fashion the YARA tool scans files/directories, then my assumption is these are the files Veeam "sees" as OLs and thus why Veeam created OL events on my VMs this morning.

Dima - Should I open a case to report some of my latest findings?

Thanks!
Shane Williford
Systems Architect

Veeam Legend | Veeam Architect (VMCA) | VUG KC Leader
VMware VCAP/VCP | VMware vExpert 2011-22
Twitter: @coolsport00
GaborCs
Novice
Posts: 3
Liked: 2 times
Joined: Jun 12, 2024 11:40 am
Contact:

Re: Malware detection, Ransomware Notice found

Post by GaborCs » 1 person likes this post

Hi Everybody,

we've got the same "ONION links found" Malware alert here

manually YARA scan doesn't got any hit on the VM

meanwhile we rewrote the OnionLinks.yara rule, and now we are running it on the "infected" backups

this "new" rule is good for old v2 and new v3 onion urls, and fixed a little mistake in the earlier version, where a "\" missed in front of the ".onion"

here is the modified YARA rule:

Code: Select all

rule OnionLinks
{
    meta:
        description = "Onion link"

    strings:
	$onion_linkv2 = /\b([a-z2-7]{16}\.onion)\b/i
        $onion_linkv3 = /\b([a-z2-7]{56}\.onion)\b/i

    condition:
	any of ($onion_linkv2,$onion_linkv3)
}
coolsport00
Veeam Legend
Posts: 116
Liked: 29 times
Joined: Sep 11, 2012 12:00 pm
Full Name: Shane Williford
Location: Missouri, USA
Contact:

Re: Malware detection, Ransomware Notice found

Post by coolsport00 » 1 person likes this post

Thanks for sharing the update @GaborCs

I've actually had to temporarily disable Inline scanning for now as I was getting too many false 'hits' since updating Veeam to v12.1.2. :/
Shane Williford
Systems Architect

Veeam Legend | Veeam Architect (VMCA) | VUG KC Leader
VMware VCAP/VCP | VMware vExpert 2011-22
Twitter: @coolsport00
mcz
Veeam Legend
Posts: 943
Liked: 217 times
Joined: Jul 19, 2016 8:39 am
Full Name: Michael
Location: Rheintal, Austria
Contact:

Re: Malware detection, Ransomware Notice found

Post by mcz » 1 person likes this post

Dima P. wrote: Jun 11, 2024 4:54 pm Pagefile is excluded correctly however if it's parts are physically allocated within the block where normal file resides (the file that must be included in the backup) we will store entire block including the file and such small portion of the pagefile in the backup. Based on our investigation such file parts are causing the mentioned false positive reports during inline scan.
Thanks for the information Dima. Now I understand why it is not an easy fix or at least not the easiest one. You need to somehow stop the scanning of data within blocks belonging to the excluded pagefile...
mcz
Veeam Legend
Posts: 943
Liked: 217 times
Joined: Jul 19, 2016 8:39 am
Full Name: Michael
Location: Rheintal, Austria
Contact:

Re: Malware detection, Ransomware Notice found

Post by mcz »

coolsport00 wrote: Jun 11, 2024 5:38 pm I thought it would be good to state the Malware Engine does have benefit (I've always said that). ;)
Correct, in my case it has found a dnscat.ps1-file which I used for testing a while ago. Was surprised a bit that it had even found a "silent" powershell-script...
Dima P.
Product Manager
Posts: 14684
Liked: 1693 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: Malware detection, Ransomware Notice found

Post by Dima P. »

Hello guys,

Thank you for sharing the updates!
Now, history has told me they're false pos's cuz...up to this point, they have been. You may be interested to know the 1st VM I did an A/V scan on actually did seemingly have a 'trojan' file on it (Trojan:Win32/Leonem)
Glad to help and thank you for sharing!
I'm seeing Chrome Cache files come back as "onion links" (data_3, and some "rules" files are a few..and seem legit); but it appears the Malware engine is detecting valid executables also (C:\Windows\System32\curl.exe and C:\Program Files\Windows Defender Advanced Threat Protection\SenseNdr.exe ...and I've seen a few others) as an Onion Link (OL)? Dima - Should I open a case to report some of my latest findings?
Thank you! We are aware of this problem too and we will include the fine tuning for this issue together with the fix for pagefile leftovers. You can raise a ticket to get a private fix once it's ready.
mcz
Veeam Legend
Posts: 943
Liked: 217 times
Joined: Jul 19, 2016 8:39 am
Full Name: Michael
Location: Rheintal, Austria
Contact:

Re: Malware detection, Ransomware Notice found

Post by mcz »

Dima, when do we know that it's ready? Will you post it here?
Dima P.
Product Manager
Posts: 14684
Liked: 1693 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: Malware detection, Ransomware Notice found

Post by Dima P. » 1 person likes this post

Sure, I'll update this thread. The code is ready, now we are building and then verifying the build in QA labs.
coolsport00
Veeam Legend
Posts: 116
Liked: 29 times
Joined: Sep 11, 2012 12:00 pm
Full Name: Shane Williford
Location: Missouri, USA
Contact:

Re: Malware detection, Ransomware Notice found

Post by coolsport00 »

Hi @dima - yeah...think I will create a case to get that fix. Like I mentioned above I have disabled Malware scanning for now, but would rather have it on. Appreciate the info.
Shane Williford
Systems Architect

Veeam Legend | Veeam Architect (VMCA) | VUG KC Leader
VMware VCAP/VCP | VMware vExpert 2011-22
Twitter: @coolsport00
coolsport00
Veeam Legend
Posts: 116
Liked: 29 times
Joined: Sep 11, 2012 12:00 pm
Full Name: Shane Williford
Location: Missouri, USA
Contact:

Re: Malware detection, Ransomware Notice found

Post by coolsport00 »

@Dima -
My case is Case #07301631

Thank you.
Shane Williford
Systems Architect

Veeam Legend | Veeam Architect (VMCA) | VUG KC Leader
VMware VCAP/VCP | VMware vExpert 2011-22
Twitter: @coolsport00
Dima P.
Product Manager
Posts: 14684
Liked: 1693 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: Malware detection, Ransomware Notice found

Post by Dima P. » 1 person likes this post

Noted, thank you Shane!
Joris360
Novice
Posts: 5
Liked: 4 times
Joined: Feb 19, 2024 8:36 am
Contact:

Re: Malware detection, Ransomware Notice found

Post by Joris360 » 1 person likes this post

GaborCs wrote: Jun 12, 2024 11:47 am

Code: Select all

rule OnionLinks
{
    meta:
        description = "Onion link"

    strings:
	$onion_linkv2 = /\b([a-z2-7]{16}\.onion)\b/i
        $onion_linkv3 = /\b([a-z2-7]{56}\.onion)\b/i

    condition:
	any of ($onion_linkv2,$onion_linkv3)
}
Hi GaborCs,

I've tried your Yara rule, with the yara rule scanning from Scan backup in Veeam, and now I don't receive a pagefile.sys detection (while the other rules did on that same server).
But it's detecting some other files from Edge browser. These are:

C:\Users\Administrator\AppData\Local\Microsoft\Edge\User Data\Subresource Filter\Unindexed Rules\10.34.0.13\Filtering Rules
C:\Users\Administrator\AppData\Local\Microsoft\Edge\User Data\Subresource Filter\Indexed Rules\35\10.34.0.13\Ruleset Data
C:\Users\Administrator\AppData\Local\Microsoft\Edge\User Data\Subresource Filter\Unindexed Rules\10.34.0.52\Filtering Rules
C:\Users\Administrator\AppData\Local\Microsoft\Edge\User Data\Subresource Filter\Indexed Rules\36\10.34.0.52\Ruleset Data

When looking in the first file, I can find some onions links in it. This make sense as it looks like a filtering/blocking file.

@Dima P.
Perhaps the scanning Veeam does is also detecting these and therefor giving the "Onion link" detection.
I've uploaded the logs to the Veeam case we opened (ID: 07297542)
stewsie
Veteran
Posts: 281
Liked: 24 times
Joined: May 22, 2015 7:16 am
Full Name: Paul
Contact:

Re: Malware detection, Ransomware Notice found

Post by stewsie »

I am using the above YARA rule and still receive pagefile.sys notifications.

I also see the Edge messages similar to yours
coolsport00
Veeam Legend
Posts: 116
Liked: 29 times
Joined: Sep 11, 2012 12:00 pm
Full Name: Shane Williford
Location: Missouri, USA
Contact:

Re: Malware detection, Ransomware Notice found

Post by coolsport00 » 1 person likes this post

I get the same Ruleset & Filtering paths, but for Chrome.
Shane Williford
Systems Architect

Veeam Legend | Veeam Architect (VMCA) | VUG KC Leader
VMware VCAP/VCP | VMware vExpert 2011-22
Twitter: @coolsport00
Dima P.
Product Manager
Posts: 14684
Liked: 1693 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: Malware detection, Ransomware Notice found

Post by Dima P. »

Hello guys,

Thank you for all the help with investigation! The fix for pagefile exclusion and non-text onion link false positives is now ready. You can get via support channel by raising a support case.
mcz
Veeam Legend
Posts: 943
Liked: 217 times
Joined: Jul 19, 2016 8:39 am
Full Name: Michael
Location: Rheintal, Austria
Contact:

Re: Malware detection, Ransomware Notice found

Post by mcz »

created a case. Will update this thread once I've got some news from my side... Thanks Dima!
GaborCs
Novice
Posts: 3
Liked: 2 times
Joined: Jun 12, 2024 11:40 am
Contact:

Re: Malware detection, Ransomware Notice found

Post by GaborCs »

also created a case

@Joris360 - yep, those files are some filters/rules, and there are some real ".onion" links in it,

like this:
Äň nzbindex.com ř3ţ˙ đ ˜Ö Ë nytimes3xbfgragh.onion 04ţ˙$ ¸ $ĺ \Ö ÄĘ X› Hú nytimes.com h4ţ˙ ˜Ę nytco.com Ś4ţ˙ $] Ä6
mcz
Veeam Legend
Posts: 943
Liked: 217 times
Joined: Jul 19, 2016 8:39 am
Full Name: Michael
Location: Rheintal, Austria
Contact:

Re: Malware detection, Ransomware Notice found

Post by mcz »

ok, received the fix and installed the files. did another YARA-scan (onion-files) for one of the affected vm's and this time I got an error telling me "YARA scan has encountered a match", no additional details. Under Inventory -> Malware Detection I don't see any vm's listed there... Any ideas? I'm confused a bit...
coolsport00
Veeam Legend
Posts: 116
Liked: 29 times
Joined: Sep 11, 2012 12:00 pm
Full Name: Shane Williford
Location: Missouri, USA
Contact:

Re: Malware detection, Ransomware Notice found

Post by coolsport00 » 1 person likes this post

I already have a case...and will get the fix. But first, I want to see response from @mcz 's comment on what could be the issue there.
Shane Williford
Systems Architect

Veeam Legend | Veeam Architect (VMCA) | VUG KC Leader
VMware VCAP/VCP | VMware vExpert 2011-22
Twitter: @coolsport00
mcz
Veeam Legend
Posts: 943
Liked: 217 times
Joined: Jul 19, 2016 8:39 am
Full Name: Michael
Location: Rheintal, Austria
Contact:

Re: Malware detection, Ransomware Notice found

Post by mcz »

ok, short update: I was stupid enough to forget that there's the button to lookup for the found malware and there it again listed the pagefile.sys... The question is if I also have to update the .so-file on the hardened repository. right now we use it as repository only...
coolsport00
Veeam Legend
Posts: 116
Liked: 29 times
Joined: Sep 11, 2012 12:00 pm
Full Name: Shane Williford
Location: Missouri, USA
Contact:

Re: Malware detection, Ransomware Notice found

Post by coolsport00 »

mcz wrote: Jun 19, 2024 12:11 pm ok, received the fix and installed the files. did another YARA-scan (onion-files) for one of the affected vm's and this time I got an error telling me "YARA scan has encountered a match", no additional details. Under Inventory -> Malware Detection I don't see any vm's listed there... Any ideas? I'm confused a bit...
I think some instructions on how the new tool/update works would be of benefit as well?
Shane Williford
Systems Architect

Veeam Legend | Veeam Architect (VMCA) | VUG KC Leader
VMware VCAP/VCP | VMware vExpert 2011-22
Twitter: @coolsport00
mcz
Veeam Legend
Posts: 943
Liked: 217 times
Joined: Jul 19, 2016 8:39 am
Full Name: Michael
Location: Rheintal, Austria
Contact:

Re: Malware detection, Ransomware Notice found

Post by mcz »

Well, the tool works as before. Regarding the fix: You just have to replace a file on all of the proxies, that's all.
Dima P.
Product Manager
Posts: 14684
Liked: 1693 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: Malware detection, Ransomware Notice found

Post by Dima P. » 2 people like this post

Hello guys,

To make sure we are on the same page: the fix tunes the inline scan engine allowing it to skip the pagefile leftovers and non text files for onion link analysis. It does not change the way how backup job or YARA engine works. Thank you!
mcz
Veeam Legend
Posts: 943
Liked: 217 times
Joined: Jul 19, 2016 8:39 am
Full Name: Michael
Location: Rheintal, Austria
Contact:

Re: Malware detection, Ransomware Notice found

Post by mcz » 2 people like this post

Ah, thanks Dima for the clarification. So to make it simple: After applying the fix it is expected that the inline scan engine won't report any malware during or after backup jobs, but (manual) YARA scans would still show false positives in e.g. pagefile.sys because as yara is an independent scan engine. Correct?
Dima P.
Product Manager
Posts: 14684
Liked: 1693 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: Malware detection, Ransomware Notice found

Post by Dima P. » 1 person likes this post

Yes, this is correct.
mcz
Veeam Legend
Posts: 943
Liked: 217 times
Joined: Jul 19, 2016 8:39 am
Full Name: Michael
Location: Rheintal, Austria
Contact:

Re: Malware detection, Ransomware Notice found

Post by mcz » 3 people like this post

ok, so I can confirm that I don't get any malware reports after the backup jobs, which means that the fix works. Thanks a lot to all who have been involved!
Dima P.
Product Manager
Posts: 14684
Liked: 1693 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: Malware detection, Ransomware Notice found

Post by Dima P. »

Glad to hear, thank you for the feedback Michael!
coolsport00
Veeam Legend
Posts: 116
Liked: 29 times
Joined: Sep 11, 2012 12:00 pm
Full Name: Shane Williford
Location: Missouri, USA
Contact:

Re: Malware detection, Ransomware Notice found

Post by coolsport00 » 1 person likes this post

Going to (hopefully) apply the fix in my environment today! We'll see how it goes... :wink:
Shane Williford
Systems Architect

Veeam Legend | Veeam Architect (VMCA) | VUG KC Leader
VMware VCAP/VCP | VMware vExpert 2011-22
Twitter: @coolsport00
coolsport00
Veeam Legend
Posts: 116
Liked: 29 times
Joined: Sep 11, 2012 12:00 pm
Full Name: Shane Williford
Location: Missouri, USA
Contact:

Re: Malware detection, Ransomware Notice found

Post by coolsport00 » 2 people like this post

mcz wrote: Jun 21, 2024 9:44 am ok, so I can confirm that I don't get any malware reports after the backup jobs, which means that the fix works. Thanks a lot to all who have been involved!
Same. Been running a few days...looking good thus far.
Shane Williford
Systems Architect

Veeam Legend | Veeam Architect (VMCA) | VUG KC Leader
VMware VCAP/VCP | VMware vExpert 2011-22
Twitter: @coolsport00
Dima P.
Product Manager
Posts: 14684
Liked: 1693 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: Malware detection, Ransomware Notice found

Post by Dima P. » 1 person likes this post

Awesome! Thank you for sharing your reports!
Post Reply

Who is online

Users browsing this forum: No registered users and 2 guests