

Coal Miners may have had it right. Put the bird out.... Crypto Detector Honeypot


#1 Cyberzero



Posted 27 February 2016 - 02:25 PM

OK, I wrote a batch script that looks at every file and checks to see if it has a Crypto-style ext or Crypto-style ransom note.

I.e. known file exts and ransom notes.

But I am looking for answers to a few questions to help my quest.


In order to help me build my idea below.....


Here are my questions...

With the crypto lockers or remote trojans or PowerShell viruses.....

Does anyone have a list or know any of the following?

1. What types of items or services do these items typically go after?

I.e. I understand and have a good working list of the types of files that they look for, but again:

What items do you all understand they go after?

Yes, jpgs, pdfs, docs etc., but what is your list?

2. What services do they go after (alter or disable)? (Maybe viruses in general.)

3. What areas do the bad guys try to put symlinks in?

And/or a list of common links they add.


4. Does anyone have an understanding of locations or method of infection?

I.e. is it any file with jpg or only c:\users\xxxx\pictures?

And yes, I understand it's 50/50: some hit all, some hit just some directories.

I am looking for specific directories they like / generally target.

5. Does anyone have an understanding of the order in which they infect? (In general.) Again, 50/50.

But has anyone been able to determine how or in what order they infect?

Some other order?

6. Anyone know if these crypto agents can go after hidden directories?

7. Anyone know of a free filewatcher service, or the best way to enable auditing and monitor logs to try to maybe watch live and trigger responses? Without killing a system with overhead?

I was hoping to be able to add rules to my antivirus to look for some of this, but... with mine... not so much.



Here is my idea.

Make a canary in a cage, or honeypot.

Put test files of jpgs / docs / pdfs etc. in directories and run test scripts watching these files.

Why this vs. all?

In my testing, writing all files to a text file via batch takes about 5 mins and a bunch of CPU and 30 meg or more to do this every X mins.

I'm thinking only do a big scan at night and small honeypot scans during the day.

But I need to help my odds of it finding these more quickly by maybe naming test directories like

000 AAA ZZZ

I.e. if they are hitting 0-Z it would get hit first. ZZZ if they are hitting backwards.

Also by watching services.

I.e. if X services are suddenly disabled.

Kind of a poor man's tripwire, but more targeted for Windows machines and as low-impact as possible.

Again, just looking to fill in the gaps that my A/V is not watching or detecting.

And yes, I am using policies and CryptoPrevent to try to stop some of this, but they got through 2 systems with full A/V policies and cryptoprotect (non-full) via a regular user (I think).
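
The canary idea described in the post above, sketched as an added example (not the poster's batch script): decoy files are planted in directories named 000, AAA and ZZZ, a SHA-256 baseline is recorded, and a cheap re-check reports any decoy that is missing, modified, or joined by an unexpected file such as a renamed copy or a dropped note. The function names, decoy file names and decoy contents are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

# Assumed layout: directory names that sort first and last, as the post suggests.
DECOY_DIRS = ["000", "AAA", "ZZZ"]
# Constructed decoy contents; any stable bytes work because only the hash matters.
DECOY_FILES = {
    "photo.jpg": b"\xff\xd8\xff\xe0 constructed decoy image",
    "report.doc": b"constructed decoy document",
    "invoice.pdf": b"%PDF-1.4 constructed decoy",
}

def plant(root):
    """Create the decoy files under root and return {path: sha256} as the baseline."""
    baseline = {}
    for d in DECOY_DIRS:
        os.makedirs(os.path.join(root, d), exist_ok=True)
        for name, data in DECOY_FILES.items():
            path = os.path.join(root, d, name)
            with open(path, "wb") as f:
                f.write(data)
            baseline[path] = hashlib.sha256(data).hexdigest()
    return baseline

def check(root, baseline):
    """Return a sorted list of (event, path) for every deviation from the baseline."""
    alerts = []
    for path, digest in baseline.items():
        if not os.path.isfile(path):
            alerts.append(("missing", path))  # deleted, or renamed to a new extension
            continue
        with open(path, "rb") as f:
            if hashlib.sha256(f.read()).hexdigest() != digest:
                alerts.append(("modified", path))  # contents rewritten in place
    for d in DECOY_DIRS:
        folder = os.path.join(root, d)
        if not os.path.isdir(folder):
            continue  # its files are already reported as missing
        for name in os.listdir(folder):
            path = os.path.join(folder, name)
            if path not in baseline:
                alerts.append(("unexpected", path))  # renamed copy or dropped note
    return sorted(alerts)

if __name__ == "__main__":
    root = tempfile.mkdtemp(prefix="canary_")
    baseline = plant(root)
    print(check(root, baseline))  # [] on an untouched decoy tree
```

Because only nine small files are hashed, this check is cheap enough to run every few minutes, leaving the full scan for the nightly run.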







