[UPDATE 2023-03-31T20:19] Since 29 March 2023 a new trojan named WIN64/SamScissor / Win64.DEEFFACE.A has been circulating. It was presumably introduced through an update of the 3CX phone software (desktop app). Because many of our valued customers use the 3CX phone software and the interfaces connected to it, we have decided to create a simple scanner that searches the hard disk for infected files based on the known hashes. The scanner offers a quick mode as well as an extended mode, enabled with the -all switch, which checks all program files.
The script can simply be pasted into a PowerShell console. You will then be asked whether you want to run the multi-line script, which you must confirm. Please note that the run can take some time (10 minutes or more), depending on the system and the disk size. We want to stress, however, that this measure is only an additional safeguard.
In addition, we recommend that you also update your virus scanner and run a full scan of your hard disk. Make sure you have the latest virus definitions (patterns) installed so that your virus scanner is up to date and therefore able to detect and remove the WIN64/SamScissor trojan. The combination of the scanner we provide and an updated virus scanner gives you an additional layer of protection for your computer system.
The PowerShell script:
function Find-Malware {
<#
.SYNOPSIS
    Scans the specified drive for files matching the provided patterns and compares their hash values against a list of known Trojan:Win64/SamScissors or Trojan Win64.DEEFFACE.A hashes.

.DESCRIPTION
    The Find-Malware function scans the specified drive for files matching the provided file name patterns. It calculates the SHA256 hash for each found file and compares the hash values against a list of known malware hashes. If a match is found, it outputs a warning message indicating that Trojan:Win64/SamScissors or Trojan Win64.DEEFFACE.A was detected. The function returns an array of custom PowerShell objects with file path and SHA256 hash for each matching file.

.PARAMETER Drive
    The drive to scan for potential malware files. Defaults to 'C:\'.

.PARAMETER All
    A switch that, when used, causes the script to search for all '.exe', '.com', and '.dll' files instead of using the specified file name patterns.

.PARAMETER FileNames
    An array of file name patterns to search for on the specified drive. Supports wildcards. Defaults to @('ffmpeg.dll', 'd3dcompiler*.dll', '3CXDesktopApp.exe', 'trololo.dll', 'update.exe', '3cxdesktopapp*.msi').

.PARAMETER Hashes
    An array of SHA256 malware hashes for detecting Trojan:Win64/SamScissors.

.EXAMPLE
    Find-Malware -Drive 'D:\' -FileNames @('example.dll', 'malicious*.exe')
    Scans the 'D:\' drive for files named 'example.dll' and files with names starting with 'malicious' and ending with '.exe'.

.EXAMPLE
    Find-Malware -All
    Scans the default 'C:\' drive for all '.exe', '.com', and '.dll' files.

.NOTES
    Ensure the malware hashes list is up-to-date. Using a Volume Shadow Copy can improve chances of scanning files currently in use by other processes. Admin rights may be required for scanning certain files and creating a VSC.
    ATTENTION! Please perform a complete system scan using the virus scanner of your choice. This script is intended to provide additional assistance only.

    MIT License
    -----------
    Copyright (c) 2023 EULANDA Software GmbH

    Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

    The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

    Author
    ------
    2023-03-30 EULANDA Software GmbH Germany
#>
    param (
        [string]$Drive = 'C:\',
        [switch]$All,
        [string[]]$FileNames = @('ffmpeg.dll', 'd3dcompiler*.dll', '3CXDesktopApp.exe', 'trololo.dll', 'update.exe', '3cxdesktopapp*.msi'),
        [string[]]$Hashes = @(
            '11be1803e2e307b647a8a7e02d128335c448ff741bf06bf52b332e0bbf423b03',
            '210c9882eba94198274ebc787fe8c88311af24932832a7fe1f1ca0261f815c3d',
            '2487b4e3c950d56fb15316245b3c51fbd70717838f6f82f32db2efcc4d9da6de',
            '268d4e399dbbb42ee1cd64d0da72c57214ac987efbb509c46cc57ea6b214beca',
            '2c9957ea04d033d68b769f333a48e228c32bcf26bd98e51310efd48e80c1789f',
            '4e08e4ffc699e0a1de4a5225a0b4920933fbb9cf123cde33e1674fde6d61444f',
            '5009c7d1590c1f8c05827122172583ddf924c53b55a46826abf66da46725505a',
            '54004dfaa48ca5fa91e3304fb99559a2395301c570026450882d6aad89132a02',
            '5407cda7d3a75e7b1e030b1f33337a56f293578ffa8b3ae19c671051ed314290',
            '59e1edf4d82fae4978e97512b0331b7eb21dd4b838b850ba46794d9c7a2c0983',
            '5a017652531eebfcef7011c37a04f11621d89084f8f9507201f071ce359bea3f',
            '5d99efa36f34aa6b43cd81e77544961c5c8d692c96059fef92c2df2624550734',
            '72349cf4971607c1bc66314069f0c864e8aa4336a663f2afbc2cb7e852465430',
            '7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896',
            '87c5d0c93b80acf61d24e7aaf0faae231ab507ca45483ad3d441b5d1acebc43c',
            '8c0b7d90f14c55d4f1d0f17e0242efd78fd4ed0c344ac6469611ec72defa6b2d',
            '92005051ae314d61074ed94a52e76b1c3e21e7f0e8c1d1fdd497a006ce45fa61',
            'a541e5fc421c358e0a2b07bf4771e897fb5a617998aa4876e0e1baa5fbb8e25c',
            'a60a61bf844bc181d4540c9fac53203250a982e7c3ad6153869f01e19cc36203',
            'a64fa9f1c76457ecc58402142a8728ce34ccba378c17318b3340083eeb7acc67',
            'aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868',
            'aa4e398b3bd8645016d8090ffc77d15f926a8e69258642191deb4e68688ff973',
            'b86c695822013483fa4e2dfdf712c5ee777d7b99cbad8c2fa2274b133481eadb',
            'c13d49ed325dec9551906bafb6de9ec947e5ff936e7e40877feb2ba4bb176396',
            'c485674ee63ec8d4e8fde9800788175a8b02d3f9416d0e763360fff7f8eb4e02',
            'c62dce8a77d777774e059cf1720d77c47b97d97c3b0cf43ade5d96bf724639bd',
            'd0f1984b4fe896d0024533510ce22d71e05b20bad74d53fae158dc752a65782e',
            'd45674f941be3cca2fbc1af42778043cc18cd86d95a2ecb9e6f0e212ed4c74ae',
            'd459aa0a63140ccc647e9026bfd1fccd4c310c262a88896c57bbe3b6456bd090',
            'd51a790d187439ce030cf763237e992e9196e9aa41797a94956681b6279d1b9a',
            'dde03348075512796241389dfea5560c20a3d2a2eac95c894e7bbed5e85a0acc',
            'e059c8c8b01d6f3af32257fc2b6fe188d5f4359c308b3684b1e0db2071c3425c',
            'e6bbc33815b9f20b0cf832d7401dd893fbc467c800728b5891336706da0dbcec',
            'f1bf4078141d7ccb4f82e3f4f1c3571ee6dd79b5335eb0e0464f877e6e6e3182',
            'f47c883f59a4802514c57680de3f41f690871e26f250c6e890651ba71027e4d3',
            'f79c3b0adb6ec7bcc8bc9ae955a1571aaed6755a28c8b17b1d7595ee86840952',
            'fad482ded2e25ce9e1dd3d3ecc3227af714bdfbbde04347dbc1b21d6a3670405',
            'fee4f9dabc094df24d83ec1a8c4e4ff573e5d9973caa676f58086c99561382d7'
        )
    )

    $result = @()
    $totalFiles = 0
    $processedFiles = 0
    $searchPatterns = @()

    if ($All) {
        $searchPatterns += '*.exe', '*.com', '*.dll'
    } else {
        foreach ($fileName in $FileNames) {
            $searchPatterns += $fileName
        }
    }

    foreach ($pattern in $searchPatterns) {
        # -Force includes hidden and system files; inaccessible paths are skipped silently.
        # @(...) guarantees an array even when zero or one file is found.
        $foundFiles = @(Get-ChildItem -Path $Drive -Filter $pattern -Recurse -File -ErrorAction SilentlyContinue -Force)
        $totalFiles += $foundFiles.Count

        foreach ($file in $foundFiles) {
            $fileStream = $null
            try {
                $processedFiles++
                $progressPercentage = ($processedFiles / $totalFiles) * 100
                Write-Progress -Activity "Scanning for malware" -Status "Processing $($file.FullName)" -PercentComplete $progressPercentage

                # Open read-only with shared read access so files held open by other processes
                # can still be hashed where the other process allows shared reads.
                $fileStream = [System.IO.File]::Open($file.FullName, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read)
                $hash = Get-FileHash -InputStream $fileStream -Algorithm SHA256

                # -contains compares case-insensitively, so the upper-case hex string returned by
                # Get-FileHash matches the lower-case entries in the hash list.
                if ($Hashes -contains $hash.Hash) {
                    Write-Host -ForegroundColor Red "WARNING: Malware found! $($file.FullName)"
                    $result += [PSCustomObject]@{
                        FilePath   = $file.FullName
                        SHA256Hash = $hash.Hash
                    }
                } else {
                    # Uncomment the next line to include clean files in the result as well.
                    # $result += [PSCustomObject]@{ FilePath = $file.FullName; SHA256Hash = $hash.Hash }
                }
            } catch {
                Write-Warning "Could not process file: $($file.FullName). Error: $($_.Exception.Message)"
            } finally {
                # Always release the handle, even if hashing failed.
                if ($fileStream) { $fileStream.Close() }
            }
        }
    }

    Write-Progress -Activity "Scanning for malware" -Completed
    return $result
}

# To scan all program files use the '-All' switch, for example: Find-Malware -All | Out-GridView
Find-Malware | Out-GridView