Hanjian File Bomb Explained: Risks, Symptoms, and Protection
What it is
A “file bomb” is a crafted file or piece of malware that, when opened, extracted or executed, consumes system resources (disk space, CPU, memory) until the host becomes unusable, or that triggers destructive behavior outright. “Hanjian File Bomb” is the name given to a particular instance or family of such payloads; as described here, it aims to overwhelm the host, corrupt data, or act as a delivery mechanism for additional malware.
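The mechanism behind the resource-exhaustion variety is easiest to see with a decompression bomb: a small archive whose members expand to many times their size on extraction. The following is an added example written for this page, not code from the original article or from any analysis of the Hanjian payload; the archive is constructed in memory, and the policy limits MAX_RATIO and MAX_TOTAL_BYTES are assumed values chosen for illustration. It shows the declared-size check a file-intake pipeline should run before extracting anything, and a budgeted extractor that aborts on real bytes written, because the sizes in archive headers can be forged.

```python
import io
import os
import tempfile
import zipfile

# Illustrative policy limits (assumed for this example, not from the page).
MAX_RATIO = 100                      # refuse if uncompressed/compressed exceeds this
MAX_TOTAL_BYTES = 10 * 1024 * 1024   # refuse if extraction would write more than 10 MiB


def build_bomb_archive(member_bytes=8 * 1024 * 1024, members=4) -> bytes:
    """Constructed decompression bomb: members of zero bytes, which DEFLATE
    shrinks roughly 1000:1. A download of a few tens of KB expands to 32 MiB."""
    buf = io.BytesIO()
    chunk = b"\0" * (1024 * 1024)
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        for i in range(members):
            with zf.open(f"payload{i}.bin", "w") as member:   # stream 1 MiB at a time
                for _ in range(member_bytes // len(chunk)):
                    member.write(chunk)
    return buf.getvalue()


def build_benign_archive() -> bytes:
    """Constructed ordinary archive with normally compressible text."""
    text = "\n".join(f"row {i}: amount {(i * 37) % 1000}" for i in range(200))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("report.txt", text)
    return buf.getvalue()


def archive_stats(data: bytes) -> dict:
    """Read the central directory only: declared sizes, nothing extracted."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    uncompressed = sum(i.file_size for i in infos)
    compressed = sum(i.compress_size for i in infos)
    return {"members": len(infos), "compressed": compressed,
            "uncompressed": uncompressed,
            "ratio": uncompressed / max(compressed, 1)}


def is_safe_to_extract(data: bytes) -> tuple:
    """Pre-extraction policy check on the declared sizes."""
    s = archive_stats(data)
    if s["uncompressed"] > MAX_TOTAL_BYTES:
        return False, f"declared {s['uncompressed']} bytes exceeds {MAX_TOTAL_BYTES}"
    if s["ratio"] > MAX_RATIO:
        return False, f"ratio {s['ratio']:.0f}:1 exceeds {MAX_RATIO}:1"
    return True, "ok"


def extract_with_budget(data: bytes, dest: str) -> int:
    """Extract while counting bytes actually written. Header sizes can be
    forged, so the budget is enforced on real output, not on declarations."""
    written = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest, os.path.basename(info.filename))  # no path traversal
            with zf.open(info) as src, open(target, "wb") as dst:
                for chunk in iter(lambda: src.read(64 * 1024), b""):
                    written += len(chunk)
                    if written > MAX_TOTAL_BYTES:
                        raise RuntimeError("extraction budget exceeded, aborted")
                    dst.write(chunk)
    return written


def run_demo() -> dict:
    """Run both archives through the checks; returns the results for inspection."""
    bomb, benign = build_bomb_archive(), build_benign_archive()
    out = {"bomb": archive_stats(bomb), "benign": archive_stats(benign),
           "bomb_safe": is_safe_to_extract(bomb)[0],
           "benign_safe": is_safe_to_extract(benign)[0]}
    with tempfile.TemporaryDirectory() as d:
        out["benign_written"] = extract_with_budget(benign, d)
        try:
            extract_with_budget(bomb, d)
            out["bomb_aborted"] = False
        except RuntimeError:
            out["bomb_aborted"] = True
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The two checks are complementary: the declared-size check is cheap and rejects the obvious case without touching the disk, while the byte budget is what actually protects the host when the headers lie or when an archive nests further archives.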
Risks
- Rapid disk-space exhaustion causing system crashes or data loss.
- High CPU/memory usage degrading performance and availability.
- Corruption or unauthorized deletion of files.
- Lateral movement: the payload can be used to spread to other hosts on the network.
- Secondary payloads: may drop backdoors, ransomware, or data exfiltration tools.
Common symptoms
- Sudden full disk or rapidly increasing storage consumption.
- Unfamiliar processes pegged at high CPU or memory usage.
- Repeated crashes, slowdowns, or inability to open files.
- New or modified files with unexpected names or large sizes.
- Alerts from antivirus or endpoint detection tools flagging suspicious files.
Detection
- Scan with updated endpoint antivirus/EDR solutions.
- Monitor disk I/O and filesystem changes (large file creations, mass writes).
- Check process lists for unfamiliar executables consuming resources.
- Review logs for unusual network activity or file access patterns.
- Look up file hashes (SHA-256 of the suspicious files) against threat-intelligence feeds where known indicators exist.
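The filesystem-side checks in the list above can be scripted for a first-pass triage of a host. The following is an added example for this page, not a tool from the original article; the thresholds LARGE_FILE_BYTES, RECENT_SECS and GROWTH_BYTES are assumed values, and the "known bad" hash is constructed inside the demo from a placeholder file rather than taken from any real indicator. It takes two snapshots of a directory tree, flags large recently modified files, files that grew between the snapshots (the disk-filling symptom), and files whose SHA-256 matches an indicator set.

```python
import hashlib
import os
import tempfile
import time

LARGE_FILE_BYTES = 1 * 1024 * 1024   # assumed threshold: flag files at/above 1 MiB
RECENT_SECS = 600                    # assumed: "recent" means modified in the last 10 minutes
GROWTH_BYTES = 256 * 1024            # assumed: flag files that grew >= 256 KiB between snapshots
HASH_LIMIT = 64 * 1024 * 1024        # assumed: hash files up to 64 MiB; larger ones are flagged by size


def sha256_file(path, bufsize=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(bufsize), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map of path -> size for every regular file under root (symlinks skipped)."""
    sizes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            if not os.path.islink(p):
                sizes[p] = os.stat(p).st_size
    return sizes


def triage(root, before, known_bad, now=None):
    """Return findings: large recent files, files that grew since `before`,
    and files whose SHA-256 matches a known indicator. Sorted by size."""
    now = time.time() if now is None else now
    after = snapshot(root)
    findings = []
    for p, size in after.items():
        st = os.stat(p)
        reasons = []
        if size >= LARGE_FILE_BYTES and now - st.st_mtime <= RECENT_SECS:
            reasons.append("large_recent")
        if size - before.get(p, 0) >= GROWTH_BYTES:   # new files count as grown from 0
            reasons.append("growing")
        digest = None
        if size <= HASH_LIMIT:
            digest = sha256_file(p)
            if digest in known_bad:
                reasons.append("ioc_hash_match")
        if reasons:
            findings.append({"path": p, "size": size, "sha256": digest, "reasons": reasons})
    return sorted(findings, key=lambda f: f["size"], reverse=True)


def run_demo():
    """Constructed scenario in a temp dir: one benign file, one dropper-like
    file whose hash is planted in the indicator set, and one file that balloons
    between the two snapshots. Returns {basename: reasons}."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "notes.txt"), "w") as f:
            f.write("meeting at 10\n")
        dropper = os.path.join(d, "update.bin")
        with open(dropper, "wb") as f:
            f.write(b"constructed sample payload, not real malware\n")
        known_bad = {sha256_file(dropper)}    # constructed indicator for the demo only
        filler = os.path.join(d, "cache.dat")
        with open(filler, "wb") as f:
            f.write(b"\0" * 1024)
        before = snapshot(d)
        with open(filler, "ab") as f:         # simulates a payload that keeps writing
            f.write(b"\0" * (2 * 1024 * 1024))
        findings = triage(d, before, known_bad)
        return {os.path.basename(f["path"]): f["reasons"] for f in findings}


if __name__ == "__main__":
    for name, reasons in run_demo().items():
        print(name, reasons)
```

In practice the first snapshot comes from a baseline taken minutes earlier (or from a scheduled run), and the growth check is what separates a file bomb from a legitimately large but static file; hashing is bounded by size so that the triage itself does not stall on the multi-gigabyte file it is trying to identify.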
Immediate response / containment
- Isolate the affected host from the network to prevent spread.
- Capture a memory image before stopping suspicious processes (killing them first destroys volatile evidence), then quarantine them and image the disk for analysis.
- Preserve logs and copies of suspicious files (write-protected) for forensics.
- If disk space is exhausted, boot from trusted media rather than the installed OS, image the disk first, and only then free space or recover data; this avoids running the payload while you work.
- Notify your security team and follow incident-response procedures.
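Preserving copies "write-protected" is only useful if you can later prove the copy matches what was collected. The following is an added example for this page, not a procedure from the original article: it copies the selected files into an evidence directory, makes the copies read-only, and writes a manifest with SHA-256, size and source path so an analyst can re-verify integrity. The host name and file contents are constructed for the demo.

```python
import hashlib
import json
import os
import shutil
import stat
import tempfile
import time


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve_evidence(paths, evidence_dir, host="host-unknown"):
    """Copy each file into evidence_dir, make the copy read-only, and record
    hash, size and timestamps in a manifest. Returns the manifest path."""
    os.makedirs(evidence_dir, exist_ok=True)
    entries = []
    for i, src in enumerate(paths):
        st = os.stat(src)
        dst = os.path.join(evidence_dir, f"{i:03d}_{os.path.basename(src)}")
        shutil.copy2(src, dst)                      # copy2 keeps the original mtime
        os.chmod(dst, stat.S_IRUSR | stat.S_IRGRP)  # write-protect the copy
        entries.append({"source": os.path.abspath(src), "copy": dst,
                        "size": st.st_size, "mtime": st.st_mtime,
                        "sha256": sha256_file(dst)})
    manifest = {"host": host, "collected_at": time.time(), "files": entries}
    mpath = os.path.join(evidence_dir, "manifest.json")
    with open(mpath, "w") as f:
        json.dump(manifest, f, indent=2)
    os.chmod(mpath, stat.S_IRUSR | stat.S_IRGRP)
    return mpath


def verify_manifest(mpath):
    """Re-hash every preserved copy; returns the copies whose hash changed."""
    with open(mpath) as f:
        manifest = json.load(f)
    return [e["copy"] for e in manifest["files"] if sha256_file(e["copy"]) != e["sha256"]]


def run_demo():
    """Constructed scenario: preserve two files, confirm they verify, then
    tamper with one (after restoring write permission) and show it is caught."""
    with tempfile.TemporaryDirectory() as d:
        sus = os.path.join(d, "dropper.bin")
        log = os.path.join(d, "syslog")
        with open(sus, "wb") as f:
            f.write(b"constructed suspicious file contents\n")
        with open(log, "w") as f:
            f.write("constructed log line: disk 99% full\n")
        mpath = preserve_evidence([sus, log], os.path.join(d, "evidence"), host="ws-042")
        clean = verify_manifest(mpath)
        with open(mpath) as f:
            copy0 = json.load(f)["files"][0]["copy"]
        # Appending to the read-only copy fails for an ordinary user (root bypasses mode bits).
        try:
            open(copy0, "ab").close()
            blocked = False
        except PermissionError:
            blocked = True
        os.chmod(copy0, stat.S_IWUSR | stat.S_IRUSR)
        with open(copy0, "ab") as f:
            f.write(b"tampered")
        tampered = verify_manifest(mpath)
        return {"clean": clean, "write_blocked": blocked,
                "tampered": [os.path.basename(p) for p in tampered]}


if __name__ == "__main__":
    print(run_demo())
```

Read-only mode bits deter accidental modification only; for real chain of custody, move the evidence directory to media the compromised host cannot write to and keep a copy of the manifest hashes outside the host.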
Eradication and recovery
- Restore affected systems from clean backups made before the incident; confirm the backup predates the initial access time established by the investigation, not merely the moment symptoms appeared.
- Wipe and rebuild compromised hosts when necessary.
- Patch vulnerabilities and remove insecure credentials that allowed propagation.
- Rotate credentials and secrets potentially exposed.
Protection and prevention
- Keep OS and applications up to date; apply security patches promptly.
- Use reputable endpoint protection with behavioral detection (EDR).
- Implement least privilege for users and services; restrict write permissions and enforce per-user disk quotas so a single account cannot fill a shared volume.
- Network segmentation to limit lateral movement.
- Regular, offline backups and tested recovery procedures.
- Monitor for anomalies with centralized logging, SIEM, and alerting.
- Educate users about suspicious attachments and unsafe file-handling practices.
Forensics and post-incident
- Perform forensic analysis to determine initial access vector and scope.
- Extract Indicators of Compromise (IoCs) — file hashes, IPs, filenames — and share with relevant teams.
- Conduct a post-incident review to fix gaps and update playbooks.