WannaCrypt ransomware worm targets out-of-date systems

aigle · May 16, 2017

Rmus said: ↑

Hello aigle,

If your port 445 is open, this would be an easy way in. I referenced this in my first post regarding file and print sharing, which, if enabled, use port 445. Many exploits have used this entry point. But the puzzle is, how does this infection start in the first place?
Articles refer to home users as targets, but I've not seen any direct references to cases.

This thread has been interesting with getting inside the malware and following its path when installed. Not usually my area of interest, since I'm more concerned about how exploits get started in the first place.

How did the dropper initially get installed? No one is sure (as of today, anyway). Bogus emails have been suggested, but none have been shown.

Very puzzling!

----
rich
Click to expand...

Thanks dear!

aigle · May 16, 2017

Very interesting ransomware esp due to its large scale deployment. I played with it very shortly. No time for detailed testing, albeit crude one.

First one is Comodo sandbox.

aigle · May 16, 2017

Sandboxie is the next.

aigle · May 16, 2017

I can't top testing GesWall even if it is dead.

Rmus · May 16, 2017

aigle said: ↑

Sandboxie is the next.
Click to expand...

Hi aigle, aka, Tester !

I'm not set up to test anymore, so, always interested in your efforts.

Do I interpret correctly, that all of the dropper exes were caught?

thanks,

----
rich

aigle · May 16, 2017

And lastly Comodo HIPS - lot of pop ups but I will only show some of them.

aigle · May 16, 2017

Rmus said: ↑

Hi aigle, aka, Tester !

I'm not set up to test anymore, so, always interested in your efforts.

Do I interpret correctly, that all of the dropper exes were caught?

thanks,

----
rich
Click to expand...

Hi, I was too busy but could not stop myself. As I told above I did not check in detail but in case of GesWall, Sandboxie and Comodo Sandbox everything seemed sandboxed and my files were not encrypted. Regarding Comodo HIPS I tested even more briefly, there were so many pop ups but I am sure it will stop the ransomware dead.

Rmus · May 16, 2017

aigle said: ↑

Hi, I was too busy but could not stop myself. As I told above I did not check in detail but in case of GesWall, Sandboxie and Comodo Sandbox everything seemed sandboxed and my files were not encrypted. Regarding Comodo HIPS I tested even more briefly, there were so many pop ups but I am sure it will stop the ransomware dead.
Click to expand...

Thanks for your efforts - I know it takes time. I remember our AE and HIPS tests from years ago!

----
rich

EASTER · May 16, 2017

aigle said: ↑

I can't top testing GesWall even if it is dead.
Click to expand...

You are such a tease

Very nice walk with CFW. HIPS

Rmus · May 16, 2017

Peter2150 said: ↑

Has the "news" posted any proof [about N. Korea]. That always seems lacking
Click to expand...

No proof, Pete - just speculations.

Take your choice!:

http://www.csmonitor.com/Technology...could-be-behind-ransomware-attack-say-experts

Mr. Choi is one of a number of researchers around the world who have suggested a possible link between the "ransomware" known as WannaCry and hackers linked to North Korea. Researchers at Symantec and Kaspersky Lab have found similarities between WannaCry and previous attacks blamed on North Korea.

While Choi's speculation may deepen suspicions that the nuclear-armed state is responsible, the evidence is still far from conclusive.
Click to expand...

http://www.csmonitor.com/Technology/2017/0516/What-caused-the-global-WannaCry-ransomware-attack

Wellsmore and other cybersecurity experts say the identity of the perpetrators is still unknown...

"We don't expect this to be a sophisticated group," said Wellsmore. "We expect this is a small operation that is undertaking this. They just happen to hit the motherlode. Unfortunately for the rest of us, this thing went quite global quite quickly."
Click to expand...

And so it goes...

----
rich

Minimalist · May 17, 2017

Hero White Hat Who Stopped WannaCry Spread Awarded $10K by HackerOne

The security researcher that put a stop to the spread of WannaCry last week was rewarded a $10,000 bug bounty by HackerOne.
...

The young white hat doesn't plan to keep the money. According to his tweets, he plans to split the money between to-be-decided charities and purchasing infosec based books to give to students who can't afford them.
Click to expand...

http://news.softpedia.com/news/hero...-spread-awarded-10k-by-hackerone-515774.shtml

Minimalist · May 17, 2017

White House: Blame cyberattack on hackers, not spy agencies

President Donald Trump's homeland security adviser has a message to those blaming U.S. intelligence agencies for the cyberattack encircling the globe: Don't point a finger at the National Security Agency. Blame the hackers.
Click to expand...

http://newsok.com/white-house-blame-cyberattack-on-hackers-not-spy-agencies/article/feed/1225931

cruelsister · May 17, 2017

Aigle- If in Comodo the sandbox is set to a proper level there is absolutely no need for the HIPS to be enabled at all- therefore no popups.

aigle · May 17, 2017

Hi, Regarding the testing, I tested Comodo sandbox and HIPS separately. When I was testing the DefencePlus, auto-sandbox was disabled.

Otherwise in day to day use I agree that if auto-sandbox is enabled, HIPS are not needed. However I am not yet sure if it is true about fileless malware mitigation too. Will need to re-check. Fileless malware mitigation was introduced in the last version.

itman · May 17, 2017

@aigle - did you do your testing on a patched PC, i.e. all Win updates applied? If so, this confirms my previous assumption that this ransomware will still run w/o employing the NSA exploits.

itman · May 17, 2017

3 Security Firms Say WannaCry Ransomware Shares Code with North Korean Malware

While initially, we thought this would be a silly and unsubstantiated discovery, the number of security firms claiming they've identified and confirmed connections between the WannaCry ransomware and malware used by the Lazarus Group has now gone up to three.
Click to expand...

https://www.bleepingcomputer.com/ne...omware-shares-code-with-north-korean-malware/

hawki · May 17, 2017

itman said: ↑

3 Security Firms Say WannaCry Ransomware Shares Code with North Korean Malware

https://www.bleepingcomputer.com/ne...omware-shares-code-with-north-korean-malware/
Click to expand...

Are the particular characteristics of the code that has suggested this conclusion such that they could not possibly have been the result of an intentional "throw investigators off the right track" false flag??

itman · May 17, 2017

hawki said: ↑

Are the particular characteristics of the code that has suggested this conclusion such that they could not possibly have been the result of an intentional "throw investigators off the right track" false flag??
Click to expand...

According to the three companies, here are on what they base their claims on:

⍟ 2015 Contopee backdoor sample and February 2017 WannaCry sample use an identical random buffer generator function
⍟ Contopee and WannaCry were written in C++ and compiled using Visual Studio 6.0
⍟ the usage of leet speak inside the code

Some of these similarities are just ridiculous, as there is plenty of malware authors that write their code in C++, compile in Visual Studio 6.0, and use leet speak.

On the other hand, the code overlap between the Contopee and WannaCry samples is quite interesting.

"The implementation of this [random buffer generator] function is very unique," says Sergei Shevchenko and Adrian Nish, BAE Systems experts, "- it cannot be found in any legitimate software."

Symantec takes this explanation further.

"Symantec has determined that this shared code is a form of SSL. This SSL implementation uses a specific sequence of 75 ciphers which to date have only been seen across Lazarus tool," the company explains, also revealing they found a similar SSL implementation in the Brambul backdoor, another of Lazarus Group's hacking tools.
Click to expand...

Trooper · May 17, 2017

itman said: ↑

Thanks for Eset for raising the backdoor possibility in this attack. I think I now have a pretty good idea on how this attack took place.

If it's anything NSA excels in, it is finding backdoors in existing software including Windows. For anyone who doesn't know what a backdoor is, they are built in access points used by developers to debug/monitor software execution. They are supposed to be removed once the software is released for production. Inevitably some are overlooked and remain. Also I have always believed that Microsoft has intentionally left select backdoors in the OS to likewise monitor it; especially after a new release. Additionally, malware can install its own backdoor. It can then lay dormant and use that backdoor at some later date. A backdoor can be accessed pretty much in the same way RDP works. That is a remote source can pretty much do anything the current logged on use can do.

As far as this WannaCry attack goes, the SMBv1 vulnerability patch MS issued is pretty a smoke screen for the real vulnerability that has existed in Win OSes up till Win 10. That is, the port 445 remote access vulnerability. What Microsoft actually patched was that vulnerability which coincidentally is used by SMB. If you review the Endgame detail analysis of WannaCry, you will clearly see the code to access port 445.

Observing recently ransomware attacks, I believe the malware developers have adopted NSA tactics to actively seek out existing software and OS backdoors. Many of these attacks are currently being mistaken for sloppy and insecure protection configurations for RDP use. Although that may be the case, I believe backdoor use is also exponentially increasing. If malware can gain remote access to a device via a backdoor, the first thing it will do is try to disable existing security software. The easiest way to do that is to access its GUI and disable it there. So security software GUI modification password/captcha access is recommended. If your security solution doesn't have such capability, find one that does. Additional backdoor mitigations are insuring that your router has NAT and statefull packet inspection(SPI) and your software firewall has SPI. SPI prevents any unsolicited inbound Internet traffic. This will require the malware to have to install something on the target device that will generate an outbound connection request. Likewise, it is important to periodically test router firewalls to ensure no open ports exist that aren't explicitly defined as such. Router firewalls can and have been hacked by insecure router security settings.
Click to expand...

What did ESET say about the backdoor possibility?

aigle · May 17, 2017

itman said: ↑

@aigle - did you do your testing on a patched PC, i.e. all Win updates applied?
Click to expand...

Unpatched Win7 VM.

Peter2150 · May 17, 2017

the NSA exploit only gets the malware to you after that it runs. There is a standalone version that can be tested. BTW has anyone noticed the 2nd protection under the crytoguard tab in HMPA. One of them is for the MBR and the other is for SMB.

itman · May 17, 2017

aigle said: ↑

Unpatched Win7 VM.
Click to expand...

Could you test on a patched ver. of Win 7? Still want to know if it will try to execute. Also if you fire up Process Monitor you could trace exactly what this bugger is doing.

itman · May 17, 2017

If anyone still has concerns over this malware, @aigle screenshots shows a .bat execution followed by a cmd.exe execution. So anyone currently monitoring script and cmd.exe would have caught this malware in the startup phase. I assume the cmd.exe execution is to run sc.exe -hidden to create the service the malware uses. Also don't believe this would have worked under a SUA since sc.exe requires at least limited admin privileges.

This also calms my fear that the malware was using RPC over SMB to run Service Control Manager remotely. To do so, the malware would need admin privledges.

itman · May 17, 2017

Trooper said: ↑

What did ESET say about the backdoor possibility?
Click to expand...

Per the link I posted here: https://www.wilderssecurity.com/thr...ut-of-date-systems.393974/page-3#post-2675856 , Eset stated delivery was possibly e-mail or backdoor.

To date, I haven't seen any posting that confirms an e-mail delivery which is indeed a bit odd given how widespread the attack was.

Trooper · May 17, 2017

itman said: ↑

Per the link I posted here: https://www.wilderssecurity.com/thr...ut-of-date-systems.393974/page-3#post-2675856 , Eset stated delivery was possibly e-mail or backdoor.

To date, I haven't seen any posting that confirms an e-mail delivery which is indeed a bit odd given how widespread the attack was.
Click to expand...

Thank you for the link. Much appreciated!

WannaCrypt ransomware worm targets out-of-date systems

aigle Registered Member

aigle Registered Member

Attached Files:

aigle Registered Member

Attached Files:

aigle Registered Member

Attached Files:

Rmus Exploit Analyst

aigle Registered Member

Attached Files:

aigle Registered Member

Rmus Exploit Analyst

EASTER Registered Member

Rmus Exploit Analyst

Minimalist Registered Member

Minimalist Registered Member

cruelsister Registered Member

aigle Registered Member

itman Registered Member

itman Registered Member

hawki Registered Member

itman Registered Member

Trooper Registered Member

aigle Registered Member

Peter2150 Global Moderator

itman Registered Member

itman Registered Member

itman Registered Member

Trooper Registered Member

Useful Searches