WannaCrypt ransomware worm targets out-of-date systems

Discussion in 'malware problems & news' started by ronjor, May 13, 2017.

  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    162,650
    Location:
    Texas
    msft-mmpc, May 12, 2017
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,591
    Location:
    U.S.A.
  3. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    7,970
    Microsoft Releases Patch for Older Windows Versions to Protect Against Wana Decrypt0r
    https://www.bleepingcomputer.com/ne...s-versions-to-protect-against-wana-decrypt0r/

     
  4. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,501
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Evidently, there are at present two attack methods:

    1) Victim opens an attachment in a bogus email

    EDIT: As of 17.05.15 9:20 AM PST, no copy of an email has been shown.

    2) Victim is on a network where unpatched computers communicate via SMBv1. Two SMB uses are:
    • File sharing
    • Printing over a network
    These communications are via Ports 139 and 445.

    It's not clear to me whether a stand-alone computer (not on an internal network) would be vulnerable if Ports 139 and 445 were open:

    https://www.theregister.co.uk/2017/05/13/wannacrypt_ransomware_worm/
    ----
    rich
     
    Last edited: May 15, 2017
  6. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,334
    Location:
    Italy
    https://www.theregister.co.uk/2017/05/13/wannacrypt_ransomware_worm/


    https://blog.didierstevens.com/2017/05/13/quickpost-wcry-killswitch-check-is-not-proxy-aware/

    ;):thumb:
     
  7. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    7,970
    WannaCrypt0r: The ransomware that hit computers all over the world
    https://blog.avira.com/wannacrypt0r-ransomware/
     
  8. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
  9. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK
  10. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,632
    "FAQ on the WanaCry ransomware outbreak"
    by Fox-IT
    https://blog.fox-it.com/2017/05/13/faq-on-the-wanacry-ransomware-outbreak/

     
  11. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    It will block outbound connection for sandboxed apps. It won't block inbound connection system-wide. After all, it's not a firewall ;)
     
  12. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
  13. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    Rmus- the encryption process itself is not dependent on a network connection. So even if the system is totally disconnected it will proceed if the malware is executed.
     
  14. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,591
    Location:
    U.S.A.
    https://en.wikipedia.org/wiki/Server_Message_Block

    Port 139 is used by NetBIOS as noted above. So if that is still enabled, you could be vulnerable. NetBIOS is always the first thing I disable on any IPv4 network adapter connection.

    Port 445 is vulnerable on Win 7 and possibly Win 8. Microsoft finally properly secured that port in Win 10.

    Also, RDP users are vulnerable to this ransomware as Eset noted in this advisory: http://support.eset.com/alert6442/

    I have always personally disabled any SMB protocol usage via Eset IDS protection.

    As I posted previously, this ransomware was also delivering the NSA DoublePulsar exploit:
    https://www.bleepingcomputer.com/ne...oit-leaked-by-shadow-brokers-is-on-a-rampage/

    DoublePulsar is a kernel level backdoor and as such extremely difficult to detect and remove. So concerns infected with this ransomware really have other issues to resolve than just recovering their encrypted files.

    Detailed analysis of DoublePulsar here: https://countercept.com/our-thinking/analyzing-the-doublepulsar-kernel-dll-injection-technique/
     
    Last edited: May 14, 2017
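As an added example (not from anyone in this thread), a read-only PowerShell audit of the points raised in posts #5 and #14: whether the SMBv1 server is enabled, whether NetBIOS over TCP/IP is on per adapter, what is listening on TCP 139/445, and whether RDP accepts connections. It assumes an elevated prompt on Windows 7 or later; the function names are my own.

```powershell
# Added example (not from the thread): read-only audit of the exposure points
# discussed in posts #5 and #14. Run from an elevated PowerShell prompt.

function Get-Smb1ServerEnabled {
    # Windows 8 / Server 2012 and later expose the SMB server settings as a cmdlet.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Windows 7 / Server 2008 R2: fall back to the LanmanServer registry value.
    # The SMB1 value is absent by default, and absent means SMBv1 is enabled.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $val) -or ($val -ne 0)
}

function Get-NetbiosStatus {
    # TcpipNetbiosOptions: 0 = use DHCP/default, 1 = enabled, 2 = disabled.
    Get-WmiObject Win32_NetworkAdapterConfiguration |
        Where-Object { $_.IPEnabled } |
        ForEach-Object {
            $state = switch ($_.TcpipNetbiosOptions) {
                2       { 'Disabled' }
                1       { 'Enabled' }
                default { 'Default (DHCP decides)' }
            }
            New-Object PSObject -Property @{ Adapter = $_.Description; NetBIOS = $state }
        }
}

function Get-SmbListeners {
    # netstat exists on every Windows version named in the thread;
    # Get-NetTCPConnection would need Windows 8 or later.
    netstat -ano | Select-String -Pattern ':(139|445)\s+\S+\s+LISTENING'
}

function Get-RdpEnabled {
    # fDenyTSConnections = 1 means Remote Desktop refuses connections.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $deny = (Get-ItemProperty -Path $key -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    return ($deny -eq 0)
}

"SMBv1 server enabled : $(Get-Smb1ServerEnabled)"
"RDP enabled          : $(Get-RdpEnabled)"
"NetBIOS over TCP/IP per adapter:"
Get-NetbiosStatus | Format-Table -AutoSize
"Listening on TCP 139/445 (empty is what you want on a stand-alone machine):"
Get-SmbListeners
```

The script changes nothing; it only reports the state so the owner can decide what to turn off, the way post #14 describes doing by hand.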
  15. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    7,970
    Honeypot Server Gets Infected with WannaCry Ransomware 6 Times in 90 Minutes
    https://www.bleepingcomputer.com/ne...th-wannacry-ransomware-6-times-in-90-minutes/
     
  16. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,061
    Location:
    DC Metro Area
    Maybe not yet:

    "...Costin Raiu, of web security firm Kaspersky Lab, told Hacker News that they had already seen versions of the malware that did not contain the website domain name used to shut down the program, but he later backtracked saying “my bad” and this was not actually the case..."

    http://www.independent.co.uk/life-s...ters-infected-virus-malwaretech-a7734911.html
     
  17. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Thanks, I thought as much, but wasn't sure, since I've not seen a complete analysis of the malware in action.

    ----
    rich
     
  18. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Yes, that safety procedure goes back to Win95 days, if my memory serves me.

    The problem is more with home users on some type of network, and businesses, who are likely to keep the ports open for file sharing and the like:
    It's curious that until the Blaster worm, Microsoft did not close ports 139 and 445:
    In the early days of the internet, not much thought was given to the security breaches possible in the various features and services that Microsoft began to include with Windows. After all, file sharing/printing is a wonderful tool, right?

    Yes, but...

    ----
    rich
     
  19. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    7,970
    How to make sure you won’t get hit by WannaCry/WannaCrypt
    https://www.askwoody.com/2017/how-to-make-sure-you-wont-get-hit-by-wannacrywannacrypt/
     
  20. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Thanks for that.
    I asked earlier if anyone had seen a copy of the bad email. It would be very revealing.
    I'm not sure about the first part of his statement, but I was surprised to read that the NHS was running so many XP machines. I know that some organizations don't upgrade all machines due to certain programs that are very expensive to upgrade. NHS suggests this:

    NHS Denies Widespread Windows XP Use
    http://www.bankinfosecurity.com/nhs-denies-widespread-windows-xp-use-a-9915
    and:

    UPDATED Statement on reported NHS cyber-attack (13 May)
    https://digital.nhs.uk/article/1493/UPDATED-Statement-on-reported-NHS-cyber-attack-13-May-
    ----
    rich
     
    Last edited: May 14, 2017
  21. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    You are old hat, as many of us rusting types are, Rmus. :cool:

    What's your opinion? I stretch back to Windows 98 and forward, some are from 95'ers LoL

    Don't you think this latest mess has finally caused Microsoft to stand up and take notice that it isn't so simple to distance and run away from their earlier system platforms so easily without catching a pile load of crap Bad PR?

    It's IMHO completely logical in one respect that they want to move folks up the ladder to a more securable Win O/S, sure, we all get that, but in the manner with the way that pushed the rollout to begin with on the Privacy/Forcing approach etc. it's kind of interesting now how these older systems have come back to haunt them in this way.

    And maybe more yet to come given the amount of active older systems apparently scattered all around the globe from home to businesses etc.
     
  22. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    Question is are they still recruiting X hackers like EP_XOFF? I remember those days too.
     
  23. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,061
    Location:
    DC Metro Area
    "Microsoft blasts spy agencies for hoarding security exploits

    It likens 'WannaCry' to someone stealing Tomahawk missiles.

    Microsoft is hopping mad that leaked NSA exploits led to the "WannaCry" (aka "WannaCrypt") ransomware wreaking havoc on computers worldwide. Company President Brad Smith has posted a response to the attack that roasts the NSA, CIA and other intelligence agencies for hogging security vulnerabilities instead of disclosing them to be fixed. There's an 'emerging pattern' of these stockpiles leaking out, he says, and they cause 'widespread damage' when that happens. He goes so far as to liken it to a physical weapons leak -- it's as if the US military had 'some of its Tomahawk missiles stolen.'

    To Smith, this is a 'wake-up call.' Officials ought to treat a mass of exploits with the same caution that they would a real-world weapons cache, he argues..."

    https://www.engadget.com/2017/05/14/microsoft-blasts-spy-agency-exploit-hoarding/

    "The need for urgent collective action to keep people safe online: Lessons from last week’s cyberattack..."

    https://blogs.microsoft.com/on-the-...cyberattack/#sm.00001o41al5ladf11suafvt0b5n6y
     
  24. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
  25. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Exactly what I mean.

    Microsoft rolling happily and merrily along with refining Windows 10 and beyond when all of a sudden the previous versions, which they had thought safely enough put in their rear view mirror, instantly surface right back at them EN MASSE!

    You can sure bet they're hopping mad because everyone and their brother knows by now that the last thing M$ wants to have to do is revisit and pamper those systems again.

    I dunno, maybe the price of moving too soon too fast before tying up those old loose ends first?

    Yeah, they're outdated and such, but you also almost must question why they left so many of the obvious (to hackers, simple elements) in them undone/unpatched long before moving ahead.
     