
Trojan Win64/SamScissors / Win64.DEEFFACE.A Malware (PowerShell Script)


[UPDATE 2023-03-31T20:19] Since 29 March 2023 a new trojan named WIN64/SamScissors / Win64.DEEFFACE.A has been in circulation. It was presumably introduced through an update of the 3CX telephony software (app). Because many of our valued customers use the 3CX telephony software and the interfaces connected to it, we decided to build a simple scanner that searches the hard disk for infected files based on the known hashes. The scanner offers both a quick mode and an extended mode with the -all switch, which scans all program files.

The script can simply be pasted into a PowerShell console. You will then be asked whether you want to run the multi-line script, which you have to confirm. Please note that execution can take some time (10 minutes or more), depending on the system and the disk size. We want to stress, however, that this measure is an additional safeguard only.

In addition, we recommend that you also update your virus scanner and run a full scan of your hard disk. Make sure you have the latest virus definitions (patterns) installed so that your virus scanner is up to date and thus also able to detect and remove the WIN64/SamScissors trojan. The combination of the scanner we provide and an updated virus scanner gives you an additional layer of protection to increase the security of your computer system.


The PowerShell script:


function Find-Malware {

<#
    .SYNOPSIS
    Scans the specified drive for files matching the provided patterns and
    compares their hash values against a list of known
    Trojan:Win64/SamScissors or Trojan Win64.DEEFFACE.A hashes.

    .DESCRIPTION
    The Find-Malware function scans the specified drive for files matching
    the provided file name patterns. It calculates the SHA256 hash for each
    found file and compares the hash values against a list of known malware
    hashes. If a match is found, it outputs a warning message indicating that
    Trojan:Win64/SamScissors or Trojan Win64.DEEFFACE.A was detected.
    The function returns an array of custom PowerShell objects with file
    path and SHA256 hash for each file.

    .PARAMETER Drive
    The drive to scan for potential malware files. Defaults to 'C:\'.

    .PARAMETER All
    A switch that, when used, causes the script to search for all
    '.exe', '.com', and '.dll' files instead of using the specified
    file name patterns.

    .PARAMETER FileNames
    An array of file name patterns to search for on the specified drive.
    Supports wildcards. Defaults to the 3CX component names listed in the
    parameter block ('ffmpeg.dll', 'd3dcompiler*.dll', '3CXDesktopApp.exe', ...).

    .PARAMETER Hashes
    An array of SHA256 hashes of known malicious files (Trojan:Win64/SamScissors).
    Comparison is case-insensitive, so lower- or upper-case hex may be supplied.

    .EXAMPLE
    Find-Malware -drive 'D:' -FileNames @('example.dll', 'malicious*.exe')

    Scans the 'D:\' drive for files named 'example.dll' and files with
    names starting with 'malicious' and ending with '.exe'.

    .EXAMPLE
    Find-Malware -all

    Scans the default 'C:\' drive for all '.exe', '.com', and '.dll' files.

    .NOTES
    Ensure the malware hashes list is up-to-date. Using a Volume Shadow Copy
    can improve chances of scanning files currently in use by other processes.
    Admin rights may be required for scanning certain files and creating a VSC.

    ATTENTION! Please perform a complete system scan using the virus scanner
    of your choice. This script is intended to provide additional assistance
    only.


    MIT License
    -----------

    Copyright (c) 2023 EULANDA Software GmbH*

    Permission is hereby granted, free of charge, to any person obtaining a copy
    of this software and associated documentation files (the "Software"), to deal
    in the Software without restriction, including without limitation the rights
    to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
    copies of the Software, and to permit persons to whom the Software is
    furnished to do so, subject to the following conditions:

    The above copyright notice and this permission notice shall be included in all
    copies or substantial portions of the Software.

    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
    IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
    AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
    LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
    OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
    SOFTWARE.


    Author
    ------
    2023-03-30
    EULANDA Software GmbH
    Germany
#>

    param (
        [string]$drive = 'C:\',
        [switch]$all,
        [string[]]$fileNames = @('ffmpeg.dll', 'd3dcompiler*.dll', '3CXDesktopApp.exe','trololo.dll','update.exe','3cxdesktopapp*.msi'),
        [string[]]$hashes = @(
            '11be1803e2e307b647a8a7e02d128335c448ff741bf06bf52b332e0bbf423b03',
            '210c9882eba94198274ebc787fe8c88311af24932832a7fe1f1ca0261f815c3d',
            '2487b4e3c950d56fb15316245b3c51fbd70717838f6f82f32db2efcc4d9da6de',
            '268d4e399dbbb42ee1cd64d0da72c57214ac987efbb509c46cc57ea6b214beca',
            '2c9957ea04d033d68b769f333a48e228c32bcf26bd98e51310efd48e80c1789f',
            '4e08e4ffc699e0a1de4a5225a0b4920933fbb9cf123cde33e1674fde6d61444f',
            '5009c7d1590c1f8c05827122172583ddf924c53b55a46826abf66da46725505a',
            '54004dfaa48ca5fa91e3304fb99559a2395301c570026450882d6aad89132a02',
            '5407cda7d3a75e7b1e030b1f33337a56f293578ffa8b3ae19c671051ed314290',
            '59e1edf4d82fae4978e97512b0331b7eb21dd4b838b850ba46794d9c7a2c0983',
            '5a017652531eebfcef7011c37a04f11621d89084f8f9507201f071ce359bea3f',
            '5d99efa36f34aa6b43cd81e77544961c5c8d692c96059fef92c2df2624550734',
            '72349cf4971607c1bc66314069f0c864e8aa4336a663f2afbc2cb7e852465430',
            '7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896',
            '87c5d0c93b80acf61d24e7aaf0faae231ab507ca45483ad3d441b5d1acebc43c',
            '8c0b7d90f14c55d4f1d0f17e0242efd78fd4ed0c344ac6469611ec72defa6b2d',
            '92005051ae314d61074ed94a52e76b1c3e21e7f0e8c1d1fdd497a006ce45fa61',
            'a541e5fc421c358e0a2b07bf4771e897fb5a617998aa4876e0e1baa5fbb8e25c',
            'a60a61bf844bc181d4540c9fac53203250a982e7c3ad6153869f01e19cc36203',
            'a64fa9f1c76457ecc58402142a8728ce34ccba378c17318b3340083eeb7acc67',
            'aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868',
            'aa4e398b3bd8645016d8090ffc77d15f926a8e69258642191deb4e68688ff973',
            'b86c695822013483fa4e2dfdf712c5ee777d7b99cbad8c2fa2274b133481eadb',
            'c13d49ed325dec9551906bafb6de9ec947e5ff936e7e40877feb2ba4bb176396',
            'c485674ee63ec8d4e8fde9800788175a8b02d3f9416d0e763360fff7f8eb4e02',
            'c62dce8a77d777774e059cf1720d77c47b97d97c3b0cf43ade5d96bf724639bd',
            'd0f1984b4fe896d0024533510ce22d71e05b20bad74d53fae158dc752a65782e',
            'd45674f941be3cca2fbc1af42778043cc18cd86d95a2ecb9e6f0e212ed4c74ae',
            'd459aa0a63140ccc647e9026bfd1fccd4c310c262a88896c57bbe3b6456bd090',
            'd51a790d187439ce030cf763237e992e9196e9aa41797a94956681b6279d1b9a',
            'dde03348075512796241389dfea5560c20a3d2a2eac95c894e7bbed5e85a0acc',
            'e059c8c8b01d6f3af32257fc2b6fe188d5f4359c308b3684b1e0db2071c3425c',
            'e6bbc33815b9f20b0cf832d7401dd893fbc467c800728b5891336706da0dbcec',
            'f1bf4078141d7ccb4f82e3f4f1c3571ee6dd79b5335eb0e0464f877e6e6e3182',
            'f47c883f59a4802514c57680de3f41f690871e26f250c6e890651ba71027e4d3',
            'f79c3b0adb6ec7bcc8bc9ae955a1571aaed6755a28c8b17b1d7595ee86840952',
            'fad482ded2e25ce9e1dd3d3ecc3227af714bdfbbde04347dbc1b21d6a3670405',
            'fee4f9dabc094df24d83ec1a8c4e4ff573e5d9973caa676f58086c99561382d7'
        )
    )

    $result = @()
    $totalFiles = 0
    $processedFiles = 0

    $searchPatterns = @()
    if ($all) {
        $searchPatterns += '*.exe', '*.com', '*.dll'
    } else {
        foreach ($fileName in $FileNames) {
            $searchPatterns += $fileName
        }
    }


    foreach ($pattern in $searchPatterns) {
        $foundFiles = Get-ChildItem -Path $Drive -Filter $pattern -Recurse -ErrorAction SilentlyContinue -Force
        $totalFiles += $foundFiles.Count

        foreach ($file in $foundFiles) {
            $fileStream = $null
            try {
                $processedFiles++
                $progressPercentage = ($processedFiles / $totalFiles) * 100
                Write-Progress -Activity "Scanning for malware" -Status "Processing $($file.FullName)" -PercentComplete $progressPercentage

                # Open read-only with shared read access so files held open by running
                # processes can still be hashed where the owner allows shared reads.
                $fileStream = [System.IO.File]::Open($file.FullName, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read)
                $hash = Get-FileHash -InputStream $fileStream -Algorithm SHA256

                $item = [PSCustomObject]@{
                    FilePath   = $file.FullName
                    SHA256Hash = $hash.Hash
                }

                # -contains compares case-insensitively, so the upper-case hex from
                # Get-FileHash matches the lower-case entries in $hashes.
                if ($hashes -contains $hash.Hash) {
                    Write-Host -ForegroundColor Red "WARNING: Malware found! $($file.FullName)"
                    $result += $item
                }
                # To return every scanned file instead of only matches, add the
                # item unconditionally here:
                # $result += $item
            } catch {
                Write-Warning "Could not process file: $($file.FullName). Error: $($_.Exception.Message)"
            } finally {
                # Always release the file handle, even if hashing failed.
                if ($fileStream) { $fileStream.Dispose() }
            }
        }
    }

    Write-Progress -Activity "Scanning for malware" -Completed
    return $result
}

# Scan all files with the '-all' switch, for example: Find-Malware -all | Out-GridView
Find-Malware | Out-GridView
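The .NOTES section mentions scanning a Volume Shadow Copy so that files locked by running processes can still be hashed. The following is an added example of that procedure and is not part of EULANDA's script; it assumes the Find-Malware function above is already loaded in an elevated session, that the system volume is C:\, and that C:\vss_scan is a free directory name to use as the mount point.

```powershell
# Added example: scan a read-only snapshot of C:\ with the Find-Malware function
# from the script above. Requires administrator rights (snapshot creation and mklink).
# Assumptions (not from the original script): volume C:\ and mount point C:\vss_scan.
$volume    = 'C:\'
$mountPath = 'C:\vss_scan'

# Create a client-accessible snapshot through the Win32_ShadowCopy WMI/CIM class.
$created = Invoke-CimMethod -ClassName Win32_ShadowCopy -MethodName Create `
               -Arguments @{ Volume = $volume; Context = 'ClientAccessible' }
if ($created.ReturnValue -ne 0) {
    throw "Shadow copy creation failed (return code $($created.ReturnValue))"
}
$shadow = Get-CimInstance -ClassName Win32_ShadowCopy |
          Where-Object { $_.ID -eq $created.ShadowID }

try {
    # Expose the snapshot as a directory symlink. The trailing backslash after
    # the DeviceObject path is required, otherwise the link is unusable.
    cmd /c mklink /d "$mountPath" "$($shadow.DeviceObject)\" | Out-Null

    # Run the page's scanner against the snapshot instead of the live volume.
    $findings = Find-Malware -drive "$mountPath\" -all

    if ($findings) {
        # Report paths as they appear on the live volume, not under the mount point,
        # and keep a CSV copy for incident documentation.
        $findings | ForEach-Object {
            $_.FilePath = $_.FilePath.Replace($mountPath, $volume.TrimEnd('\'))
        }
        $findings | Export-Csv -Path "$env:TEMP\samscissors-findings.csv" -NoTypeInformation
    }
    $findings
} finally {
    # Remove the link (this deletes only the reparse point, not the snapshot
    # contents) and then the snapshot itself.
    if (Test-Path $mountPath) { (Get-Item $mountPath).Delete() }
    vssadmin Delete Shadows /Shadow="$($created.ShadowID)" /Quiet | Out-Null
}
```

Scanning the snapshot also avoids the "Could not process file" warnings the live scan emits for files opened exclusively by another process.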


