Wannacry Ransomware Worm
#1
Banned. Rule And/Or Policy Violation
Thread Starter
Join Date: May 2016
Location: USA
Posts: 526
Upvotes: 0
Received 0 Upvotes
on
0 Posts
Wannacry Ransomware Worm
Ransomware encrypts the data on your PC & demands money to unlock it. A worm travels from one network to another. Wannacry has hit many networks in 74 countries so far.
MS has patched Windows Defender (Don't bash it yet) & posted a separate patch for XP. Update Defender NOW & download the XP patch. Backup your data now & disconnect USB drives.
PS. It's a service message block attack (SMB)
#3
Banned. Rule And/Or Policy Violation
Thread Starter
Join Date: May 2016
Location: USA
Posts: 526
Upvotes: 0
Received 0 Upvotes
on
0 Posts
It seems that Walmart wasn't affected. The only company here was FedEx in Tennessee. Also, the worm was created by the NSA & leaked to the public.
#5
Member
Join Date: Nov 2007
Posts: 295
Upvotes: 0
Received 0 Upvotes
on
0 Posts
Umm, Google it? Three stories about it showed up on my Now feed this morning...
A highly virulent new strain of self-replicating ransomware shut down computers all over the world, in part by appropriating a National Security Agency exploit that was publicly released last month by the mysterious group calling itself Shadow Brokers...
https://arstechnica.com/security/201...ers-worldwide/
This is hardly the first time the NSA has been caught creating zero-day exploits and hiding them from the public and the software developers for their own nefarious use - and this worm is exactly the consequence. They found the Heartbleed vulnerability too and sat on it so they could spy on SSL sessions until it was made public
#6
Banned. Rule And/Or Policy Violation
Thread Starter
Join Date: May 2016
Location: USA
Posts: 526
Upvotes: 0
Received 0 Upvotes
on
0 Posts
Can you back that up with some "real" sources? (not just black helicopter stuff)
This is hardly the first time the NSA has been caught creating zero-day exploits and hiding them from the public and the software developers for their own nefarious use - and this worm is exactly the consequence.
#8
Banned. Rule And/Or Policy Violation
Thread Starter
Join Date: May 2016
Location: USA
Posts: 526
Upvotes: 0
Received 0 Upvotes
on
0 Posts
This was briefly halted by a researcher and about $10. It has since gone active again.
#10
Banned. Rule And/Or Policy Violation
Thread Starter
Join Date: May 2016
Location: USA
Posts: 526
Upvotes: 0
Received 0 Upvotes
on
0 Posts
https://blog.comae.io/wannacry-new-v...d-b8908fefea7e
It looks like that is correct. The details at the above site were posted 5 hours ago. Another site called The Verge said that it's up to 150 countries.
It all comes down to 3 things. Backup, backup & backup. Either backup your data or don't complain.
#11
Banned. Rule And/Or Policy Violation
Join Date: Feb 2013
Location: usa
Posts: 60
Upvotes: 0
Received 0 Upvotes
on
0 Posts
Interesting that Russia is taking the brunt of it. LOL! Karma?
The single best thing to do is use something like GMAIL for your primary email and keep a SECOND EMAIL on something like Yahoo for posting info on public sites. This will help prevent spam to your primary. And companies like that are really quite good at pre-filtering messages that are even vaguely suspicious. There is the occasional exception, of course. But if one does this, there is very little chance of "catching anything".
Even my 89 year old father won't click on links in emails from unknown sources. It only takes a few seconds to hover over a link to see where it REALLY GOES. No big deal.
Honestly, I haven't bothered to actively run anti virus or anti malware on my personal machines. I have them installed and once in a while I'll do a scan. I'd rather not have that stuff eating up my memory and processing power.
If one takes a few very minor precautions and uses Internet Mail, there is minimal exposure. It's NOT like the bad old days where stuff ran rampant.
--------------------------------------------------
Experienced IT professional 25+ years
#12
Member
Rule number one for any experienced IT person, never, ever recommend Yahoo services to people.
#13
Banned. Rule And/Or Policy Violation
Join Date: Feb 2013
Location: usa
Posts: 60
Upvotes: 0
Received 0 Upvotes
on
0 Posts
Hi Dave,
Read what I wrote. The Yahoo email (or whatever) is simply used as a secondary email - strictly for posting onto sites where one would rather avoid getting onto that many more spam and email distribution lists, and to help hide one's true online identity.
For example, I would happily use a Yahoo email for accounts that I create on sites like this one. Or on Craigslist or various internet forums, etc. That way, if I really wanted to, I could change the email on the sites that I want to keep to merely another new email, and walk away from that email account - since it isn't really related to any of my REAL LIFE stuff (airlines, credit cards, real personal email, etc).
I also wouldn't have to care about some forum site being hacked and my real info being exposed. It's darn good practice. If you don't like Yahoo for the other purpose, just pick a different one.
#14
Member
Yahoo has been hacked like 4 times in the last three years, IMHO it isn't a good option for any purpose.
#17
Banned. Rule And/Or Policy Violation
Thread Starter
Join Date: May 2016
Location: USA
Posts: 526
Upvotes: 0
Received 0 Upvotes
on
0 Posts
It depends on how anonymous you want to be & from whom you are hiding your identity.
Read The Art Of Invisibility by Kevin Mitnick
#18
Member
Join Date: Jan 2008
Location: Southeastern Pennsylvania
Posts: 3,386
Received 124 Upvotes
on
115 Posts
Malwarebytes has the actual code for one variation of the problem posted here:
https://blog.malwarebytes.com/threat...s-wanacrypt0r/
You can give credit to the guy who looked at the code and figured out that the WannaCry kill switch mechanism won’t work if you are using a proxy server – give him credit. But that feature isn’t exactly buried very deep – the code is simple and straightforward.
The idea in the WannaCry code is to try and connect to a specific url and if it is able to do so then it won’t infect the computer – I guess that’s the kill switch. But the connection attempt won’t work if you are using a proxy server – that’s what the young guy recognized.
The code in that area is pretty straightforward and all it takes is a little (very little) bit of digging to see that the second argument (1u) in the InternetOpenA() call will preclude a proxy server, so the code won’t be able to connect to the kill switch url if you are using a proxy server – and hence the kill switch won’t work – and thus the system will be infected.
It’s hard to believe almost everyone who looked at this didn’t notice immediately that the WannaCry kill switch mechanism was implemented in such a way that it wouldn’t work with proxy servers – which I think most big enterprises use (not sure though). Does that mean these bad guys are pretty incompetent? I guess you really have to figure out how they really wanted to use the kill-switch mechanism – but as the article states the kill switch mechanism has been used against them to defeat the infection (except in the proxy case). Can’t see how the authors wanted that!
I put some comments in boxes in the pic:
#19
Banned. Rule And/Or Policy Violation
Thread Starter
Join Date: May 2016
Location: USA
Posts: 526
Upvotes: 0
Received 0 Upvotes
on
0 Posts
Good point on the proxy server. I don't think that most enterprises use them but I'm not sure either. I use a VPN most of the time but they can disconnect & leave the network vulnerable.
#20
Banned. Rule And/Or Policy Violation
Join Date: Feb 2013
Location: usa
Posts: 60
Upvotes: 0
Received 0 Upvotes
on
0 Posts
Purchased! Thanks for the heads-up. Now I merely need to make time for it, if I can find the time to make the time to take the time. This could make for some cool reading while we're in Europe next month.
I have to admit - I LIKE that cookies have made my life easier w/ some sites and helped me find things that otherwise would not have come onto my radar. The oatmeal cookies are the best ...
It's a catch-22, I suppose. How one must choose to strike "the right balance" of transparency, paranoia, security, fear, legitimate threats, etc.
Somehow I expect that book will be so scary that I'll pull a Chuck McGill, gut my electrical panel and live under a space blanket.
#21
Member
Do not restart a computer hit by WannaCry- WannaKey -decrypt possible
Do not restart a computer hit by WannaCry.
The ransom key can be decrypted from a prime number left in RAM on XP computers; a similar solution is, or is coming, for Windows 7.
Decrypt program WannaKey is available online.
Last edited by Hal_S; 05-19-17 at 08:40 AM.
#22
Member
Join Date: Jan 2008
Location: Southeastern Pennsylvania
Posts: 3,386
Received 124 Upvotes
on
115 Posts
Doesn’t seem like those ransomware people are all that sharp! I think this stuff we hear in the media about how smart these people are is pure BS. It makes everything seem dramatic, it’s good for ratings because it creates interest, and I’m sure Microsoft loves it when the exploiters are portrayed as evil geniuses because it deflects attention away from the real negligence on Microsoft’s part.
It makes it seem like Microsoft didn’t actually do a bad job when it comes to security, it’s just that they are up against the army of evil geniuses – what can they do? LOL
It looks like the “bug” (design bug not coding bug) in the evildoers' code only exists for XP, and they weren’t targeting XP in the first place – but still it shows IMHO how sloppy, or even more likely, how incompetent they are.
This is one of the API interfaces they used for key encryption/decryption when they were done and wanted to destroy the key they used. But the API description clearly states that the keys won’t be destroyed (they will remain in memory) after the function is called.
Thus if you don’t reboot after the attack (because the evildoers used this function) the key pair can be retrieved from memory with the correct RAM-scanning tool and you may be able to find the key and decrypt the data after all without paying the ransom. So don’t reboot after the attack and you might be saved. (but only works for XP now – as Hal_S said).
This is the API call to destroy the key when you are finished (they used this):
BOOL WINAPI CryptDestroyKey(
  _In_ HCRYPTKEY hKey
);
This is the Microsoft description (my red font) for the API and it clearly says the public/private key pair is not destroyed.
https://msdn.microsoft.com/en-us/lib...(v=vs.85).aspx
If the handle refers to a session key, or to a public key that has been imported into the cryptographic service provider (CSP) through CryptImportKey, this function destroys the key and frees the memory that the key used. Many CSPs overwrite the memory where the key was held before freeing it. However, the underlying public/private key pair is not destroyed by this function. Only the handle is destroyed.
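Why the leftover prime matters, as an added example (this is not code from the thread, from WannaKey or from Microsoft): given only the RSA public key (n, e) and a memory image that still contains one factor p, the private exponent is rebuilt and the data decrypted. The key values, the memory image and the ciphertext are all constructed and deliberately tiny; the scan-and-divide step is the general idea behind such recovery, not WannaKey's own implementation.

```python
"""Recover an RSA private key from a prime factor left behind in a memory image.

Constructed example: CryptDestroyKey freed the handle, but the key material was
never overwritten, so a memory scan finds a factor of the public modulus n.
"""

# Constructed toy key: two 32-bit primes (2^32 - 5 and 2^32 - 17). Real keys are far larger.
P = 4294967291
Q = 4294967279
E = 65537
PRIME_BYTES = 4          # storage width of each prime, little-endian, in this toy image


def make_public_key(p=P, q=Q, e=E):
    """Return the public key (n, e); this is all the encrypted files reveal."""
    return p * q, e


def private_exponent(p, q, e):
    """d = e^-1 mod (p-1)(q-1): trivial once both factors are known (Python 3.8+ pow)."""
    return pow(e, -1, (p - 1) * (q - 1))


def encrypt(m, n, e):
    return pow(m, e, n)


def decrypt(c, n, d):
    return pow(c, d, n)


def constructed_memory_image(p=P, width=PRIME_BYTES):
    """Stand-in for a process memory dump: filler bytes with the prime buried at offset 40.
    The filler is chosen so that no window of it can accidentally equal p or q."""
    before = bytes((i * 37 + 11) & 0xFF for i in range(40))
    after = bytes((i * 53 + 5) & 0xFF for i in range(40))
    return before + p.to_bytes(width, "little") + after


def scan_for_factor(image, n, width=PRIME_BYTES):
    """Slide a window over the image. The only integers in (1, n) that divide n are p and q,
    so any hit is a genuine factor and there are no false positives to filter."""
    for off in range(len(image) - width + 1):
        cand = int.from_bytes(image[off:off + width], "little")
        if 1 < cand < n and n % cand == 0:
            return off, cand
    return None


def recover_private_key(image, n, e, width=PRIME_BYTES):
    """Rebuild d from the public key plus a memory image, or None if no factor survives."""
    hit = scan_for_factor(image, n, width)
    if hit is None:
        return None
    _, p = hit
    return private_exponent(p, n // p, e)


if __name__ == "__main__":
    n, e = make_public_key()
    secret = 123456789                      # stands in for the per-file key the ransomware protected
    c = encrypt(secret, n, e)
    d = recover_private_key(constructed_memory_image(), n, e)
    print("recovered d:", d, "decrypts correctly:", decrypt(c, n, d) == secret)
    # Once the prime is gone (reboot, or a CSP that really wipes it) the recovery path closes.
    print("after wipe:", recover_private_key(constructed_memory_image(p=0), n, e))
```

Setting `p=0` in the image stands for the prime having been wiped or lost to a reboot, which is the thread's reason for not restarting an infected XP machine.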
#25
Banned. Rule And/Or Policy Violation
Thread Starter
Join Date: May 2016
Location: USA
Posts: 526
Upvotes: 0
Received 0 Upvotes
on
0 Posts
The vulnerability was found by the NSA (not created)
#28
Member
Join Date: Jan 2008
Location: Southeastern Pennsylvania
Posts: 3,386
Received 124 Upvotes
on
115 Posts
I'm sure that you can write better code. However, if the current coders make money & don't get caught, that's all that counts.
Wannacry actually WAS NOT VERY SUCCESSFUL, and it appears it was because of the authors' own incompetence. They designed the software (NOT the code) to attempt at startup to reach a specific domain, and if it can be reached the malware terminates. That’s their kill-switch. They were outsmarted very quickly because someone (Hutchins) recognized that feature and quickly “sinkholed” (registered) the domain so that the malware will now always be able to reach that domain, and thus the kill-switch is always ON, and thus the malware is neutralized. Their error was NOT in coding – but in thinking, that is, the error is in their design.
This is Hutchins comment on the copycats who are out there now trying to reactivate the malware by ensuring access to the sinkhole (for the kill-switch domain) cannot occur, by using denial of service. Although he is talking about the copycats and not the original authors I think it’s significant:
“Now any idiot and their dog can set up a Mirai botnet,” Hutchins says. He believes the attackers are likely nihilistic, low-skilled hackers using public tools to cause mayhem for their own entertainment.
Building anti-analysis defenses into malware is common, but the WannaCry hackers appear to have botched the implementation. By relying on a static, discoverable address, whoever found it—in this case MalwareTech—could just register the domain and trigger WannaCry’s shutdown defense.
Note: There are reports of some organizations attempting to block this domain at their firewalls, assuming this is a CnC domain. Don’t do that! The domain has been sinkholed and is actually a kill switch for the malware. If the malware can successfully reach that domain, it terminates - so don’t block access.
#29
Banned. Rule And/Or Policy Violation
Thread Starter
Join Date: May 2016
Location: USA
Posts: 526
Upvotes: 0
Received 0 Upvotes
on
0 Posts
Wannacry actually WAS NOT VERY SUCCESSFUL
but I guess they made a few bucks for their work!
#30
Member
Join Date: Nov 2007
Posts: 295
Upvotes: 0
Received 0 Upvotes
on
0 Posts
Rule #1: Patch your software. The vulnerability was found by the NSA (not created) released by somebody (not the NSA) and Microsoft released a patch months ago.
So yeah I guess you're one who just allows Windows Update to run at its leisure, installing any and all privacy invasive telemetry that Microsoft cooks up, right?
And I guess you think Edward Snowden is a traitor too, considering he exposed the unconstitutional domestic surveillance they are engaged in?
#32
Originally Posted by Tolyn Ironhand
". . . I got the info from your sources. Namely CNN . . ."
Isn't he the source of all evil in the World ?
#33
Member
Do we have any idea how much they made? The concept of successful is different for everyone. Would you consider $10,000 successful?
#34
Member
Join Date: Jan 2008
Location: Southeastern Pennsylvania
Posts: 3,386
Received 124 Upvotes
on
115 Posts
My 2 cents:
It seems to me there is something morally and ethically wrong with what the NSA did and it looks like maybe things are going to change (if I read some things correctly), but I think there should be some real criticism of Microsoft here.
This flaw which NSA found and exploited has been around for many years. How come the NSA could find the flaw but Microsoft didn’t? Is it because the NSA has more skilled people? Well isn’t Microsoft supposed to have the most skilled people around?
Is it because the NSA developed tools to specifically look for security flaws? Well shouldn’t Microsoft have developed tools to find security flaws? After all, they are the experts in development aren’t they - so they should be able to develop the best tools. Security has been the number one issue for a long time and so by now Microsoft should have the best toolset in the world to look for security flaws in their own software – shouldn’t they?
Microsoft knows the complete design and has all the source code and so should be light-years ahead of the NSA when it comes to analysis of their own software (I don’t think the NSA has all that information).
So why then did the NSA find the flaw and Microsoft didn’t? It just seems to me that Microsoft to a large extent must be reactive, and not proactive, when it comes to security issues in their software. I could be wrong! Maybe NSA uses an extremely large team and spends an enormous amount of money to find the particular flaws like the Eternal Blue used by Wannacry – and so maybe it is unreasonable to expect Microsoft to dedicate that amount of resources to find the security flaws.
But if that’s true then the taxpayer is subsidizing Microsoft by using the NSA to find Microsoft’s problems. All too complicated for me, but interesting - lol!!!
It just seems like “something ain’t right here” with Microsoft.