WannaCrypt ransomware worm targets out-of-date systems

Discussion in 'malware problems & news' started by ronjor, May 13, 2017.

  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    I guess corps. never read this?
    https://support.microsoft.com/en-us...raffic-from-leaving-the-corporate-environment
     
  2. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
  3. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,285
    I decided to visit the sinkhole. ;) - hxxp://iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
     
  4. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,065
    Location:
    DC Metro Area
    "As The World Turns"

According to https://intel.malwaretech.com/pewpew.html at this point in time WannaCry activity is exploding in China as Chinese Capitalists return to work and boot-up their Win XP PCs [as of 4/16 it was estimated that over 30% of PCs in China were using WIN XP -- http://www.computerworld.com/articl...rs-181m-pcs-two-years-after-support-ends.html massive numbers of which were pirated (and therefore likely unpatched) https://arstechnica.com/information...t-modifies-windows-os-for-chinese-government/]

    The above coincided with a sudden spike in botnet activity around the world.

    hawki has been transfixed on "The Accidental Hero's" live attack map and has not before seen anything approaching the current level of botnet activity worldwide.

    hawki wonders if something bigger is afoot.

    NB: There is no truth to the rumor that Dolly Parton has recorded a Chinese version of her all-time hit single as: "Thinkin' 8 to 4+"

    See "Thinkin' 9 to 5: Security Awareness"

    https://www.youtube.com/watch?v=Y5SQeetmSc0
     
    Last edited: May 14, 2017
  5. plat1098

    plat1098 Guest

    The erupting crisis in China--is this involving the first WannaCry version, with the kill switch capability for the worm? I read there is a second, naturally without the kill switch, that has been detected already, though there's been some waffling around on that so I'm not posting the link. By the way, that malwaretech.com page is mesmerizing.:geek:
     
  6. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,065
    Location:
    DC Metro Area
    Yes plat: I believe it is the result of the 1st version that had been lying dormant over the weekend, meaning it will not spread further from each reported attack.

    [The China Explosion seems to have died down now that most have been at work for 30+ minutes and have already booted-up into Windows XP Oblivion. The world-wide botnet activity spike has also died off. The UK boots-up in approx six-seven hours.]

    As to the alleged second version, every report of that occurring that I have read relies upon an early report by a Kaspersky researcher, who later reported that his initial observation was in error.

    Indeed mesmerizing - hawki admits to having both a botnet and a vividly colored polka dot fetish :))

    Hope you didn't miss the "Thinkin' 9 to 5 Security Awareness" video (while the link is still there). hawki couldn't resist -- The Devil made him do it.
     
    Last edited: May 14, 2017
  7. plat1098

    plat1098 Guest

    Yes, got it. :) Better still to get rid of outdated operating systems NOW, even if you're not affected today. It's like throwing out your favorite pair of jeans, but hey. Invest in new computers if you have to, this isn't going away, it'll morph into other variants.
     
  8. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,065
    Location:
    DC Metro Area
    "European, Asian companies short on cyber insurance before ransomware attack...

    ...The overall cost of getting businesses going again could run into the billions of dollars, with companies in Europe, including Russia, and Asia particularly vulnerable.

    Nearly nine out 10 cyber insurance policies in the world are in the United States, according to Kevin Kalinich, global head of Aon Plc's cyber risk practice. The annual premium market stands at $2.5-$3 billion.

    The biggest reason for the larger penetration in the United States, says Bob Parisi, U.S. cyber product leader for insurance broker Marsh, 'is that the U.S. has been living with state breach notification laws for the past 10 years.'

    The greater transparency created an incentive for U.S. companies to get insurance to compensate for damage from incidents they were required to report..."

    http://www.reuters.com/article/us-cyber-attack-insurance-idUSKCN18B00H
     
  9. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    M$ will really need to be ramping up demand to get those systems upgraded now.

    As swiftly proliferating and dramatic as this one was, you can bet the farm now that all the other big DRKc0de players are in line already formulating plans to pick those (and other) systems similar apart to get a piece of the action.

    This one made big press fast. Also showed the wide numbers of so many outdated vulnerable systems still in active operation.
     
  10. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,065
    Location:
    DC Metro Area
    "Windows XP more popular than Windows 10 with businesses...

    Spiceworks, which revealed the usage share figures of the main PC operating systems in the business space, says that Windows 7 has a share of 69 percent, followed by Windows XP with 14 percent. Windows 10 is in third place, with nine percent usage share..."

    https://betanews.com/2017/04/03/windows-xp-more-popular-windows-xp-business/
     
  11. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Hi Easter! I haven't chatted with you for a long time.

    My opinion? I came to this thread hoping to find a link to see the email used in this attack. So far, none has surfaced.

    Anyway, as an exploit, this wanna-thingy is a big yawn. You know, it's the same old..., same old..., same old.......

    It suggests the old lyrics, "Oh when will they ever learn, oh when will they ever learn?"

    It recalls to me the infamous Conficker worm (aka Downadup). Here is a brief time line from my notes:

    October 23, 2008
    27 November, 2008
    December 2, 2008
    Thursday 15 January 2009
    _______________________________

    Conficker
    https://en.wikipedia.org/wiki/Conficker

    • Intramar, the French Navy computer network, was infected with Conficker on 15 January 2009. The network was subsequently quarantined, forcing aircraft at several airbases to be grounded because their flight plans could not be downloaded.
    • The United Kingdom Ministry of Defence reported that some of its major systems and desktops were infected. The virus had spread across administrative offices, NavyStar/N* desktops aboard various Royal Navy warships and Royal Navy submarines, and hospitals across the city of Sheffield reported infection of over 800 computers.
    • On 2 February 2009, the Bundeswehr, the unified armed forces of Germany, reported that about one hundred of its computers were infected.
    • An infection of Manchester City Council's IT system caused an estimated £1.5m worth of disruption in February 2009. The use of USB flash drives was banned, as this was believed to be the vector for the initial infection.
    • A memo from the Director of the UK Parliamentary ICT service informed the users of the House of Commons on 24 March 2009 that it had been infected with the virus. The memo, which was subsequently leaked, called for users to avoid connecting any unauthorised equipment to the network.
    • In January 2010, the Greater Manchester Police computer network was infected, leading to its disconnection for three days from the Police National Computer as a precautionary measure; during that time, officers had to ask other forces to run routine checks on vehicles and people.
    ________________________________

    Your heart has to go out in sympathy when attacks like these cause so much disruption. Yet, one would hope for lessons learned...

    Happy Computing, Easter, and stay safe (as I know you will!)

    ----
    rich
     
    Last edited: May 15, 2017
  12. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Glad @Rmus brought up the Conficker issue. The best way to block that, and most network worms for that matter, is to block incoming connections to admin shares in the SMB protocol. To do that, you need a security solution with an intrusion detection system (IDS).

    Note that from the previously posted Endgame detailed analysis, WannaCry was using RPC over SMB via Service Control Manager, i.e. MS-SCMR: https://msdn.microsoft.com/en-us/library/cc245832.aspx
     
    Last edited: May 15, 2017
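    As an added illustration of the point above about blocking and detecting inbound SMB admin-share connections (example code written for this thread, not from Endgame, Microsoft or any poster), the Python script below reads Windows Defender Firewall log lines in the pfirewall.log layout and flags two things: sources that reach TCP/445 on several distinct hosts, which is the sweep pattern of an SMB worm, and sources that were allowed to connect to port 445 but are not on an allow-list of management hosts. The log lines are constructed, the assumption that logs from several hosts are collected centrally is mine, and the threshold, allow-list and addresses are placeholders.

```python
"""Flag SMB (TCP/445) worm-style sweeps and unexpected SMB clients in
Windows Defender Firewall log lines.

Added example for this thread. The sample lines are constructed to match
the W3C-style pfirewall.log layout; the threshold and allow-list are
assumptions chosen for illustration.
"""
from collections import defaultdict

SMB_PORT = 445
SCAN_THRESHOLD = 3                   # assumed: distinct SMB targets before alerting
ALLOWED_SMB_CLIENTS = {"10.0.0.12"}  # assumed: hosts permitted to reach admin shares

# Constructed sample, as if pfirewall.log lines from several hosts were
# collected centrally: 10.0.0.12 is a legitimate client, 10.0.0.30 is a
# client nobody approved, and 10.0.0.99 sweeps the subnet on TCP/445.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2017-05-13 09:00:01 ALLOW TCP 10.0.0.12 10.0.0.5 49710 445 0 - 0 0 0 - - - RECEIVE
2017-05-13 09:00:03 ALLOW TCP 10.0.0.30 10.0.0.5 50120 445 0 - 0 0 0 - - - RECEIVE
2017-05-13 09:00:05 DROP TCP 10.0.0.99 10.0.0.5 52001 445 52 S 1 0 8192 - - - RECEIVE
2017-05-13 09:00:05 DROP TCP 10.0.0.99 10.0.0.6 52002 445 52 S 2 0 8192 - - - RECEIVE
2017-05-13 09:00:06 DROP TCP 10.0.0.99 10.0.0.7 52003 445 52 S 3 0 8192 - - - RECEIVE
2017-05-13 09:00:06 ALLOW TCP 10.0.0.99 10.0.0.8 52004 445 0 - 0 0 0 - - - RECEIVE
2017-05-13 09:00:07 ALLOW TCP 10.0.0.12 10.0.0.5 49711 80 0 - 0 0 0 - - - RECEIVE
2017-05-13 09:00:08 DROP UDP 10.0.0.99 10.0.0.5 137 137 78 - - - - - - - RECEIVE
"""


def parse_firewall_log(text):
    """Turn pfirewall.log text into dicts keyed by the names in the #Fields line."""
    fields = None
    records = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # skip lines that do not match the declared layout
        records.append(dict(zip(fields, values)))
    return records


def inbound_smb(records):
    """Yield only inbound TCP connections aimed at the SMB port."""
    for r in records:
        if (r["protocol"] == "TCP" and r["dst-port"] == str(SMB_PORT)
                and r["path"] == "RECEIVE"):
            yield r


def find_smb_scanners(records, threshold=SCAN_THRESHOLD):
    """Sources that touched at least `threshold` distinct hosts on TCP/445.

    Dropped attempts count too: a worm that is being blocked still shows
    the sweep pattern, and that is the signal worth alerting on.
    """
    targets = defaultdict(set)
    for r in inbound_smb(records):
        targets[r["src-ip"]].add(r["dst-ip"])
    return sorted(src for src, dsts in targets.items() if len(dsts) >= threshold)


def find_unexpected_smb_clients(records, allowed=ALLOWED_SMB_CLIENTS):
    """Sources that were ALLOWed to reach TCP/445 without being on the allow-list.

    Only ALLOW entries matter here; a DROP means the blocking rule worked.
    """
    return sorted({r["src-ip"] for r in inbound_smb(records)
                   if r["action"] == "ALLOW" and r["src-ip"] not in allowed})


if __name__ == "__main__":
    recs = parse_firewall_log(SAMPLE_LOG)
    print("SMB scanners:", find_smb_scanners(recs))
    print("unexpected SMB clients:", find_unexpected_smb_clients(recs))
```

    On the constructed sample the sweep detector reports only 10.0.0.99, while the allow-list check reports both 10.0.0.30 and 10.0.0.99, because one sweep attempt got through. The two checks are deliberately separate: the first is the IDS-style signal that something is scanning, the second tells you whether the block on admin shares is actually configured tightly enough.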
  13. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    The Endgame link posted previously gives you all the details you need:

     
  14. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    6,167
    Hi,
    but does this malware infect the first clean machine only via email?
    Thanks
     
  15. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
  16. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    6,167
  17. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    If you have a home network setup using Win HomeGroup feature, you are not vulnerable since it does not use SMB.

    SMB is used when a network of client PCs is connected to a server. However, there are ways to implement SMB in non-server environments: http://forum.kodi.tv/showthread.php?tid=63123. Also, SMB is used if you start mapping network drives to your Win 10 OS installation, as shown here: http://www.laptopmag.com/articles/map-network-drive-windows-10
     
    Last edited: May 15, 2017
  18. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    6,167
    Hi Itman, thanks for the explanation.
     
  19. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Sorry, but that article says nothing about an email:

    https://www.endgame.com/blog/wcrywanacry-ransomware-technical-analysis

    The other articles, when referring to an email, use language such as, "it appears", "most likely", "it is believed".

    However, as of this morning, from isc.sans.edu:

    https://isc.sans.edu/forums/diary/WannaCryWannaCrypt Ransomware Summary/22420/

    And Microsoft, in their blog a few days ago, was cautious:

    https://blogs.technet.microsoft.com...-ransomware-worm-targets-out-of-date-systems/

    I have edited my previous post to indicate such.

    https://www.wilderssecurity.com/thr...gets-out-of-date-systems.393974/#post-2675086

    ______________________________________________

    Here are three analyses that show an email used in an attack:

    https://isc.sans.edu/diary/Targeted e-mail attacks asking to verify wire transfer details/6511

    https://arstechnica.com/security/20...ctory-party-with-new-spear-phishing-campaign/

    https://www.tripwire.com/state-of-s...ls-two-powershell-backdoors-victims-machines/

    _________________________________

    It would be informative to see such an email in the current attack under discussion.

    ----
    rich
     
  20. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,065
    Location:
    DC Metro Area
    FWIW:

    "...The first version of the malware turned up on 10 February and was used in a short ransomware campaign that began on 25 March.
    Spam email and booby-trapped websites were used to distribute WannaCry 1.0, but almost no-one was caught out by it.

    Version 2.0, which wrought havoc over the weekend, was the same as the original apart from the addition of the module that turned it into a worm capable of spreading by itself..."

    http://www.bbc.com/news/technology-39924318
     
  21. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Thanks, but BBC doesn't give a source for that information about the email.

    BBC quotes F-Secure about other aspects of the attack, but F-Secure, in its own analysis, does not mention spam email:

    https://safeandsavvy.f-secure.com/2017/05/13/what-you-need-to-know-about-wannacry-now/

    Still hoping to see an example!

    ----
    rich
     
  22. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,507
    Is the Anniversary Update for Windows 10 vulnerable to WCrypt?
     
  23. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,065
    Location:
    DC Metro Area
    While some early reports after The Shadow Brokers dumped ETERNAL BLUE claimed that WIN 10 AU was vulnerable to ETERNAL BLUE, that seems to have been largely debunked. If you're up to date with patches, the answer is clearly NO.
     
  24. Keatah

    Keatah Registered Member

    Joined:
    Jan 13, 2011
    Posts:
    1,029
    They deserve every bit of bad PR they get from this.
     
  25. Keatah

    Keatah Registered Member

    Joined:
    Jan 13, 2011
    Posts:
    1,029
    A load of BS. They should release more thoroughly vetted systems instead of constantly trying to exploit a customer's wallet with nonsensical upgrades and making win10 as annoying as it is.
     