WannaCrypt ransomware worm targets out-of-date systems

Thanks dear!

 

Very interesting ransomware esp due to its large scale deployment. I played with it very shortly. No time for detailed testing, albeit crude one.

First one is Comodo sandbox.

 

Sandboxie is the next.

 

I can't top testing GesWall even if it is dead.

 

Hi aigle, aka, Tester !

I'm not set up to test anymore, so, always interested in your efforts.

Do I interpret correctly, that all of the dropper exes were caught?

thanks,

----
rich

 

And lastly Comodo HIPS - lot of pop ups but I will only show some of them.

 

Hi, I was too busy but could not stop myself. As I told above I did not check in detail but in case of GesWall, Sandboxie and Comodo Sandbox everything seemed sandboxed and my files were not encrypted. Regarding Comodo HIPS I tested even more briefly, there were so many pop ups but I am sure it will stop the ransomware dead.

 

Thanks for your efforts - I know it takes time. I remember our AE and HIPS tests from years ago!

----
rich

 

You are such a tease

Very nice walk with CFW. HIPS

 

No proof, Pete - just speculations.

Take your choice!:

http://www.csmonitor.com/Technology...could-be-behind-ransomware-attack-say-experts

http://www.csmonitor.com/Technology/2017/0516/What-caused-the-global-WannaCry-ransomware-attack

And so it goes...

----
rich

 

http://news.softpedia.com/news/hero...-spread-awarded-10k-by-hackerone-515774.shtml

 

http://newsok.com/white-house-blame-cyberattack-on-hackers-not-spy-agencies/article/feed/1225931

 

Aigle- If in Comodo the sandbox is set to a proper level there is absolutely no need for the HIPS to be enabled at all- therefore no popups.

 

Hi, Regarding the testing, I tested Comodo sandbox and HIPS separately. When I was testing the DefencePlus, auto-sandbox was disabled.

Otherwise in day to day use I agree that if auto-sandbox is enabled, HIPS are not needed. However I am not yet sure if it is true about fileless malware mitigation too. Will need to re-check. Fileless malware mitigation was introduced in the last version.

 

@aigle - did you do your testing on a patched PC, i.e. all Win updates applied? If so, this confirms my previous assumption that this ransomware will still run w/o employing the NSA exploits.

 

3 Security Firms Say WannaCry Ransomware Shares Code with North Korean Malware

https://www.bleepingcomputer.com/ne...omware-shares-code-with-north-korean-malware/

 

Are the particular characteristics of the code that has suggested this conclusion such that they could not possibly have been the result of an intentional "throw investigators off the right track" false flag??

 

What did ESET say about the backdoor possibility?

 

Unpatched Win7 VM.

 

Could you test on a patched ver. of Win 7? Still want to know if it will try to execute. Also if you fire up Process Monitor you could trace exactly what this bugger is doing.

 

If anyone still has concerns over this malware, @aigle screenshots shows a .bat execution followed by a cmd.exe execution. So anyone currently monitoring script and cmd.exe would have caught this malware in the startup phase. I assume the cmd.exe execution is to run sc.exe -hidden to create the service the malware uses. Also don't believe this would have worked under a SUA since sc.exe requires at least limited admin privileges.

This also calms my fear that the malware was using RPC over SMB to run Service Control Manager remotely. To do so, the malware would need admin privledges.

 

Per the link I posted here: https://www.wilderssecurity.com/thr...ut-of-date-systems.393974/page-3#post-2675856 , Eset stated delivery was possibly e-mail or backdoor.

To date, I haven't seen any posting that confirms an e-mail delivery which is indeed a bit odd given how widespread the attack was.

 

Thank you for the link. Much appreciated!