WannaCry Exploit Could Infect Windows 10

Discussion in 'malware problems & news' started by itman, Jun 6, 2017.

  1. Zoltan_MRG

    Zoltan_MRG Registered Member

    Joined:
    Apr 9, 2015
    Posts:
    31
    Ways Wannacry can get into enterprise environments via Eternalblue:
    1. Port 445 is open on the firewall from the Internet to an unpatched Windows machine
    2. A notebook outside the enterprise gets infected. User brings in the notebook to the enterprise internal network, and attaches it to the network
    3. A computer outside the enterprise gets infected. User VPNs into the enterprise environment
    4. One company gets infected. It has a connection to another company, and port 445 is allowed in the firewall to an unpatched Windows.
    5. I am sure there are others, but probably these were the main factors
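The first and fourth scenarios above are both a perimeter question: is TCP/445 reachable on a host that has not been patched? The following is an added example (mine, not Zoltan_MRG's and not from any product discussed in this thread) that walks a constructed, first-match-wins firewall ruleset and a constructed host inventory and reports every unpatched host that accepts SMB from the Internet zone or a partner link. The rule and host classes, the `patched` inventory flag and all addresses are assumptions made for the example.

```python
"""Flag unpatched hosts reachable on TCP/445 from untrusted zones (added example)."""
import ipaddress
from dataclasses import dataclass

SMB_PORT = 445


@dataclass(frozen=True)
class Rule:
    src: str     # source CIDR; "0.0.0.0/0" = any source, including the Internet
    dst: str     # destination CIDR
    dport: int   # destination TCP port (0 = any port)
    action: str  # "allow" or "deny"


@dataclass(frozen=True)
class Host:
    ip: str
    patched: bool  # hypothetical inventory flag: SMBv1 fix applied on this host?


def first_match(rules, src_ip, dst_ip, dport):
    """Return the first rule matching the query, or None (implicit deny)."""
    s = ipaddress.ip_address(src_ip)
    d = ipaddress.ip_address(dst_ip)
    for r in rules:
        if (s in ipaddress.ip_network(r.src)
                and d in ipaddress.ip_network(r.dst)
                and r.dport in (0, dport)):
            return r
    return None


def allowed(rules, src_ip, dst_ip, dport):
    """True only if the first matching rule is an explicit allow."""
    r = first_match(rules, src_ip, dst_ip, dport)
    return r is not None and r.action == "allow"


# Constructed probe addresses standing in for each zone in the scenarios above.
PROBES = {
    "internet": "203.0.113.7",   # TEST-NET-3 address standing in for any Internet host
    "partner": "172.16.50.10",   # constructed address on the partner company's link
}


def find_smb_exposures(rules, hosts):
    """Return (host_ip, zone) pairs where an unpatched host accepts TCP/445 from that zone."""
    findings = []
    for h in hosts:
        if h.patched:
            continue
        for zone, probe in PROBES.items():
            if allowed(rules, probe, h.ip, SMB_PORT):
                findings.append((h.ip, zone))
    return findings


# Constructed sample ruleset (evaluated top-down, first match wins) and inventory.
RULES = [
    Rule("10.0.0.0/8", "10.0.0.0/8", 0, "allow"),         # internal to internal, any port
    Rule("172.16.0.0/12", "10.0.20.5/32", 445, "allow"),  # partner may reach file server (scenario 4)
    Rule("0.0.0.0/0", "10.0.30.9/32", 445, "allow"),      # 445 opened to the world (scenario 1)
    Rule("0.0.0.0/0", "10.0.0.0/8", 0, "deny"),           # everything else inbound is dropped
]
HOSTS = [
    Host("10.0.20.5", patched=False),
    Host("10.0.30.9", patched=False),
    Host("10.0.40.1", patched=True),
]

if __name__ == "__main__":
    for ip, zone in find_smb_exposures(RULES, HOSTS):
        print(f"unpatched {ip} reachable on TCP/{SMB_PORT} from {zone}")
```

Run as-is it reports the partner-reachable file server once and the world-exposed host twice (once per zone). Note what the check does not cover: the first rule, internal-to-internal on any port, is exactly why scenarios 2 and 3 (an infected notebook carried in, or a VPN client) work once a host is inside, so the firewall audit has to be paired with patching rather than substitute for it.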
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Or home network for that matter. When you use a VPN, a tunnel is being established bypassing all local based firewalls.
     
  3. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Ummm, Pete, I explained to you and guest on at least one occasion both of the first two scenarios listed here:

    https://www.wilderssecurity.com/thr...-infect-windows-10.394550/page-4#post-2685295

    I also mentioned on several occasions that I have a hunch that someone discovered some pretty serious vulnerabilities in various routers... you know how a couple of the router manufacturers have had issues the last year or so, and had to patch their firmware.

    The attack vector is not the issue... you should safely assume that the attack will find its way.

    SRP and AE's sole purpose is application control. The issue is whether their mechanisms are able to stop the payload DP from installing or not, when the attack is inside the scope of application control.
     
    Last edited: Jun 16, 2017
  4. guest

    guest Guest

    Enterprise-related scenarios; most home users won't be in that position.
    I don't live with fearmongering hypotheses but with real-world facts: there is very little chance that any attackers will directly target home users; they will just deploy weaponized email campaigns and let the happy clicker do the job for them. It was like this and always will be. And we know security apps are effective against that.

    Are you kidding me?! The attack vector is the most important point; if not, why did you develop VS as an anti-exe and add AI/VT rep and a sandbox...
    You always complained about why some "testers" clicked the "allow" button, because they allowed a vector that shouldn't be allowed.
    If the vector is not the issue to you, then you should develop a virtualization app like Shadow Defender instead of an anti-exe, so you can reverse any actions made by any attack wherever it comes from...

    Who cares that application X blocks stages 1, 2, 3 of a malware; once the system is compromised, I don't waste one minute letting my security software try to reduce the damage of a malware; I just reformat/restore/rollback right away.

    But when it is not, there is nothing to even discuss. SRP/AE are made to block executables (and DLLs/drivers for some), that is it. Don't try to make them appear as what they are not.
     
  5. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Not true at all… home users are exposed to the exact same risks as businesses.

    Exactly… “SRP/AE are made to block executables”. You are only confirming my point.

    Keep in mind, there are only a handful of hackers that could design a nation state attack as sophisticated and effective as the EB / DP attack, which was not a serious issue until the attack was leaked.

    The concern is that as Windows 10 is hardened, blackhats will find it necessary to resort to attacks similar to the EB / DP attack… after all, they now have a phenomenal example / user guide to work from. This is not unlike how bacteria becomes resistant to antibiotics, and more powerful antibiotics must be discovered and developed to ensure the infection is mitigated.

    While patching Windows is vital, it does little or nothing to prevent the next zero day.

    What started the massive argument in the first place was the following post, and my subsequent testing.

    https://malwaretips.com/threads/is-...lblue-doublepulsar-attacks.71722/#post-632722

    You, Pete and a couple of other people have told me to mind my own business in this matter. But when an agent of a competitor (or forum moderator) claims that certain products block an attack, while VoodooShield does not, it becomes my business. I have every right to dispute illegitimate claims directed towards VoodooShield, especially when the exact opposite of the claim is proven to be the case.

    Not only is it my business, but it is my responsibility as a software security vendor to test VoodooShield properly, to ensure our customers are protected.

    I thought you guys finally understood the issue… but apparently not. We should release our private group discussion and let the community decide.
     
    Last edited: Jun 17, 2017
  6. guest

    guest Guest

    Whatever you say... I don't really care. Keep promoting VS as you wish, but stop bringing your VS vs AG personal war into every thread... thanks, bye
     
  7. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    guest... you realize that other people can go back and review this entire thread, correct?

    Do not think for a second that you can continue to discuss this issue while telling lies and half truths, without my input.

    What do you say... are all 5 participants in the 4.333 page private group conversation okay with us releasing it to the community?
     
  8. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK
    "I have every right to dispute illegitimate claims directed towards VoodooShield, especially when the exact opposite of the claim is proven to be the case."

    Absolutely, it's as bad as trolling... Obsessive behaviour.
     
  9. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    The funny thing is... I just upgraded my home router tonight.

    www.voodooshield.com/artwork/Router.PNG

    I have not researched this in depth, but as you can see, routers are basically simple computers that are subject to vulnerabilities as well.

    I'm telling ya... I really think there is something to this ;).
     
  10. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Please folks if you want to "duke it out," do so in the PM discussion started previously.

    At this point, I am still awaiting a response from the test tool developer as to whether it will run on Win 10 1607+. We need to get the test tool to work as designed before we can test anything that might or might not detect the unique memory code execution DoublePulsar does from another process.

    Is anyone running Win 7 or 8? If so, the test tool should work on those versions.
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Yes it would be cool to see if VS can also block Peddlecheap. If it can't, then perhaps VS doesn't block DoublePulsar either? Because Peddlecheap also gets loaded via DP, if I'm correct.

    OK, I see. So it all depends on where the payload is dropped. And even though this attack could have been prevented quite easily by patching and a well configured firewall, it was still fascinating. And what if it was a zero day, know what I mean? It was a great chance for security tools to shine, but I have a feeling that most of the companies that were affected probably used basic protection tools.
     
  12. Circuit

    Circuit Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    939
    Location:
    Land o fruits and nuts, and more crime.
    Unbelievable, people (sheeple) can be brought into a "Media-hype frenzy" over almost nothing.
    No, not unbelievable in these times. :argh:
    Really makes me wanncry.:'(
     
  13. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    @Rasheed187
    Hehehe, VS has no problem blocking DP. I started setting up the Peddlecheap configuration yesterday and I ran into a roadblock. So I will probably wait a few days to see if there is more documentation, and in the meantime finish up the next release of VS. From what I understand of the Peddlecheap attack, VS should have no problem blocking this as well, but we will not know for sure until we test.

    @Circuit
    I would not call 300,000+ infections hype ;), especially since now the genie is out of the bottle. This is a BFD.
     
    Last edited: Jun 17, 2017
  14. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    Rasheed
    Did you get a chance to look at my post # 66? I think it might even give a link to a nurtured sample.
     
  15. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    I wouldn't be doing any "back slapping" about PeddleCheap detection since it is not in the "same league" as the DoublePulsar implant as noted below:
    https://www.countercept.com/our-thinking/analyzing-and-detecting-the-in-memory-peddlecheap-implant/
     
  16. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    itman

    That is the same link I posted in #66

    guess nobody reads my links.
     
  17. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hehehe, I certainly am not doing any "back slapping" ;).

    Do you agree that the attack is either within the scope of an application control utility, or it is not?

    If the attack is within the scope of an application control utility such as an SRP or AE, if the payload is not blocked by the application control utility, then it is a failure.

    If the attack is outside the scope of an application control utility, then only an anti-exploit mechanism will block the attack (or a Windows patch).

    Do you get my point?
     
    Last edited: Jun 17, 2017
  18. Circuit

    Circuit Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    939
    Location:
    Land o fruits and nuts, and more crime.
    Please, infections that happen are mostly businesses that spread to low-informed users. They are the least protected compared to people on this forum; profits over security.
    I know this paranoia level is raining gold for anti-malware. Nothing wrong with making a profit off of ...
     
  19. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    I would not call shutting down hospitals not affecting common people.
     
  20. Circuit

    Circuit Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    939
    Location:
    Land o fruits and nuts, and more crime.
    Like I said, Profits over security.
     
  21. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Great point!

    Has anyone seen some actual statistics on home vs business infections from the outbreak, or are we just assuming that it was mainly businesses that were infected?

    If I had to guess, I would think the infections would be randomly and evenly distributed, unless the hackers specifically targeted businesses.

    The fear mongering for profits makes me sick to my stomach. If a company is going to use fear, uncertainty and doubt to market their product, they should at a minimum offer a free version that is as effective as the paid version.

    Instead, what we are seeing are vendors who only offer paid products, creating videos of them "testing" against the WannaCry "attack", by simply double clicking the executable. It is laughable.

    There is nothing wrong with making money, but there is something very wrong with making "blood money".
     
  22. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Unfortunately you are correct Sir ;).
     
  23. Circuit

    Circuit Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    939
    Location:
    Land o fruits and nuts, and more crime.
    Thank you! :)
     
  24. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    This would be nice to know. We see different numbers, but I wonder, how did they come up with these numbers? And they don't all agree. I find it hard to believe there was some sort of logging system.
     
  25. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    All valid points. But not in the context of the postings of the discussions on the DoublePulsar implant in this thread. Suggest you open a thread in regards to PeddleCheap detection and mitigation.
     