Automatically Backup Module against Ransomware Attack
1. Automatically Backup Module against Ransomware Attack
2018/06/26
Kazuki Omo (面 和毅), Vice President / OSS / Security Evangelist
© SIOS Technology, Inc. All rights Reserved.
2. Agenda
1. Ransomware?
2. Prepare for ransomware infection
3. Server-side solution
4. Implementation
5. (+ Demo)

3. Who am I?
● Security researcher/engineer (18 years)
● SELinux/MAC evangelist (14 years)
● Antivirus engineer (3 years)
● SIEM engineer (3 years)
● CISSP (#366942)
● 120 kg bench press max
● Member of Secure OSS-Sig
4. 1. Ransomware

5. What is Ransomware?
Ransomware [Trend Micro definition]: Ransomware is a type of malware that prevents or limits users from accessing their system, either by locking the system's screen or by locking the users' files unless a ransom is paid.
(Ref: https://www.trendmicro.com/vinfo/us/security/definition/ransomware)
6. So, what does ransomware do?
(slide image only; not recoverable from the extracted text)

7. Workaround?
“Ransomware is a type of malware.” So let’s think about two things:
- Detect/reject the ransomware. → Antivirus
- Prepare for a ransomware infection. → ???
8. Workaround 1: Antivirus
(diagram: antivirus running on the file server)

9. Workaround 1: Antivirus
(diagram: antivirus running on the file server) Open questions: what about a 0-day? What if no antivirus is available for the file server hardware?

10. Workaround 2: Prepare for ransomware infection.
(diagram: the file server) The same questions remain, 0-day and no antivirus available, so the server needs a defence that does not depend on recognising the malware.
11. 2. Prepare for ransomware infection.

12. File server side: “Prepare for Ransomware” (from the server’s point of view)
- Fight the ransomware (antivirus, etc.)

13. File server side: “Prepare for Ransomware” (from the server’s point of view)
- Fight the ransomware (antivirus, etc.) → Difficult
14. Client side: how ransomware works (seen from the client).
Original file → Encrypt → Write encrypted file → Delete original file
- Choose the target file
- Encrypt the file
- Write the encrypted file
- Request deletion of the original file

15. File server: how ransomware works (seen from the file server).
Client side, as above: choose target file, encrypt file, write encrypted file, request deletion of the original.
What the file server sees for each step, all arriving through smbd:
• sys_open / sys_read on the target file (and a sys_close on it afterwards?)
• some file written on the shared volume
• a file deleted on the shared volume

16. File server: how ransomware works (seen from the file server).
(same diagram as slide 15) Usual behaviour for a file server: open, read, write and delete are exactly the operations a legitimate client performs, so nothing here identifies the ransomware.
17. File server side: “Prepare for Ransomware” (from the server’s point of view)
- Fight the ransomware (antivirus, etc.) → Difficult
- Prepare a way to restore the file. → Take a backup.

18. File server: so, what can we do?
(same diagram as slide 15, with the encrypted output now shown as “write unknown file” on the shared volume)
Let’s think about this point: the delete request that removes the original.
19. Linux + Samba config: recycle bin on Samba 3/4.
“vfs objects = recycle” enables the recycle bin (the vfs_recycle module): a file the client deletes is moved into the repository directory instead of being unlinked.

    [Share]
        comment = Public Stuff
        path = /Share/
        browseable = yes
        writable = yes
        printable = no
        vfs objects = recycle
        guest ok = yes
        read only = no
        recycle:repository = .recycle
        recycle:keeptree = yes

(“writable = yes” and “read only = no” are the same setting written twice; one of them is enough.)

20. Linux + Samba config: recycle bin on Samba 3/4.
Same share as slide 19. With “recycle:repository = .recycle”, a file deleted through the share ends up under /Share/.recycle/, and “recycle:keeptree = yes” keeps the original directory structure below that, so the original can be copied back from there.
21. How about Modify?
What about “Modify”, not “Delete”? The recycle bin only intercepts the delete. If the client instead opens the original file and writes the encrypted content into it in place (a modify through smbd: open, write, close), the server never sees a delete request, the recycle bin keeps nothing, and the original is gone. What about this situation?
22. 3. Server-side solution.

23. From the file server:
PC/User → user space → kernel (system call): fopen() → sys_open(), fread() → sys_read(), fwrite() → sys_write()
Server: can’t tell the user from the ransomware!! Both reach the kernel as the same system calls.

24. From the file server (auto backup):
PC/User → user space → kernel (system call): fopen() → sys_open(), fread() → sys_read(), fwrite() → sys_write() → Backup
Idea: since the server cannot tell the two apart, take a backup of the file on the write path, before the new content lands, for every writer.
25. From the file server (fanotify solution):
Create the backup “before writing” by using fanotify/inotify?
PC/User → user space → kernel (system call): fopen() → sys_open(), fread() → sys_read(), fwrite() → sys_write()
fanotify events available: FAN_MODIFY, FAN_CLOSE_WRITE, FAN_CLOSE_NOWRITE
fanotify delivers these “after writing” → the listener can’t take a backup “before writing”; by the time FAN_MODIFY arrives the original bytes are already overwritten. (fanotify’s blocking FAN_OPEN_PERM event does fire before open() returns, but it does not tell the listener whether the open is for writing, so it cannot single out the files that are about to be modified.)
26. From the file server (LSM solution):
Create the backup “before writing” by using an LSM hook.
PC/User → user space → kernel (system call): fopen() → sys_open(), fread() → sys_read(), fwrite() → file_backup (LSM) → Backup → sys_write()
The LSM hook runs in the write path before the data reaches the file, so the copy is taken while the original content is still intact.

27. From the file server (LSM solution):
Performance….. (same flow as slide 26: every write on the share now passes through file_backup and may trigger a copy)

28. From the file server (LSM solution):
Limit the backup to “labeled” files. (same flow as slide 26: file_backup only copies files that carry the label, other writes pass straight through)

29. File label
The label is an extended attribute on the file; getfattr without -d lists only the names of the user.* attributes, which is enough to see that it is set:

    user@local:~/testdir$ ls -lh
    total 4.0K
    -rw-r--r-- 1 user user 148 Jun  1 10:43 h123
    user@local:~/testdir$ getfattr h123
    # file: h123
    user.backup_label

    user@local:~/testdir$
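The following is an added example, not code from the slides or from SIOS. It models in user space the two server-side defences the deck compares: recycle_unlink() plays the role of Samba’s vfs_recycle (slides 19–20, a delete becomes a move into .recycle with the tree kept), and guarded_write() plays the role of the before-write file_backup hook limited to labelled files (slides 26–29, a copy of a file carrying user.backup_label is taken before the write is allowed, into a versioned backup tree). Both are then run against the two ransomware behaviours from slides 14–21: “write encrypted copy, delete original” and “encrypt in place”. The label check defaults to reading the user.backup_label xattr, but the demo passes an explicit predicate because user xattrs are not available on every filesystem; toy_encrypt() is a constructed XOR stand-in for the malware’s cipher, and the backup directory layout and version suffixes are this example’s own choices, not the deck’s.

```python
"""Copy-on-write backup of labelled files, modelled in user space (added example)."""
import errno
import os
import shutil
import tempfile

LABEL_XATTR = "user.backup_label"   # the xattr shown in the deck's getfattr output


def has_backup_label(path):
    """Default label check: is the user.backup_label xattr present on `path`?"""
    getxattr = getattr(os, "getxattr", None)   # Linux-only in CPython
    if getxattr is None:
        return False
    try:
        getxattr(path, LABEL_XATTR)
        return True
    except OSError as exc:
        if exc.errno in (errno.ENODATA, errno.ENOTSUP):
            return False
        raise


def _mirror_path(path, share_root, repo_root):
    """Map a file inside the share onto the same relative path under repo_root (keeptree)."""
    rel = os.path.relpath(os.path.realpath(path), os.path.realpath(share_root))
    if rel == os.pardir or rel.startswith(os.pardir + os.sep):
        raise ValueError("refusing to handle a path outside the share: %s" % path)
    dest = os.path.join(repo_root, rel)
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    return dest


def recycle_unlink(path, share_root, recycle_root):
    """Model of vfs_recycle: the client's delete is turned into a move into .recycle."""
    dest = _mirror_path(path, share_root, recycle_root)
    shutil.move(path, dest)
    return dest


def guarded_write(path, data, share_root, backup_root, is_labelled=has_backup_label):
    """Model of the before-write hook: copy a labelled file, THEN perform the write."""
    backup = None
    if os.path.isfile(path) and is_labelled(path):
        base = _mirror_path(path, share_root, backup_root)
        n = 1
        while os.path.exists("%s.%d" % (base, n)):   # simple version numbering
            n += 1
        backup = "%s.%d" % (base, n)
        shutil.copy2(path, backup)                   # original bytes are still intact here
    with open(path, "wb") as fh:
        fh.write(data)
    return backup


def latest_backup(path, share_root, backup_root):
    """Return the newest backup version of `path`, or None if none was taken."""
    base = _mirror_path(path, share_root, backup_root)
    folder, name = os.path.split(base)
    versions = [f for f in os.listdir(folder)
                if f.startswith(name + ".") and f[len(name) + 1:].isdigit()]
    if not versions:
        return None
    return os.path.join(folder, max(versions, key=lambda f: int(f.rsplit(".", 1)[1])))


def toy_encrypt(data, key=0x5A):
    """Constructed stand-in for the ransomware's cipher (XOR; not real crypto)."""
    return bytes(b ^ key for b in data)


def _read(path):
    if not path or not os.path.exists(path):
        return None
    with open(path, "rb") as fh:
        return fh.read()


def simulate(share_root, backup_root):
    """Run both ransomware behaviours against a fresh share and report what each defence kept."""
    recycle_root = os.path.join(share_root, ".recycle")
    docs = os.path.join(share_root, "docs")
    os.makedirs(docs, exist_ok=True)
    original = b"quarterly figures\n"                # constructed sample content
    a, b = os.path.join(docs, "a.txt"), os.path.join(docs, "b.txt")
    for p in (a, b):
        with open(p, "wb") as fh:
            fh.write(original)
    labelled = lambda p: os.path.realpath(p) in (os.path.realpath(a), os.path.realpath(b))

    # (1) write an encrypted copy, then delete the original: the recycle bin catches it
    guarded_write(a + ".locked", toy_encrypt(original), share_root, backup_root, labelled)
    kept = recycle_unlink(a, share_root, recycle_root)
    # (2) encrypt in place through the write path: no delete, only the before-write copy helps
    guarded_write(b, toy_encrypt(original), share_root, backup_root, labelled)
    pre_write = latest_backup(b, share_root, backup_root)
    return {
        "delete_recovered_by_recycle": _read(kept),
        "inplace_in_recycle": _read(os.path.join(recycle_root, "docs", "b.txt")),
        "inplace_recovered_by_hook": _read(pre_write),
        "inplace_now_on_disk": _read(b),
    }


def run_demo():
    """Run simulate() in a throw-away directory and return its report."""
    with tempfile.TemporaryDirectory() as tmp:
        return simulate(os.path.join(tmp, "Share"), os.path.join(tmp, "backup"))


if __name__ == "__main__":
    for key, value in run_demo().items():
        print("%-30s %r" % (key, value))
```

In the report, the deleted file comes back from .recycle, the in-place overwrite leaves nothing in .recycle at all, and only the copy taken before the write still holds the plaintext; the file on the share holds the ciphertext in both cases. The same ordering is what the kernel-side hook has to guarantee: copy first, then let sys_write proceed.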