Welcome to the DoItYourself Forums!


WannaCry Ransomware Worm


donoli2016 (Banned. Rule And/Or Policy Violation) | Join Date: May 2016 | Posts: 551
05-13-17, 02:17 PM   #1

Ransomware encrypts the data on your PC & demands money to unlock it. A worm travels from one network to another. WannaCry has hit many networks in 74 countries so far.

MS has patched Windows Defender (Don't bash it yet) & posted a separate patch for XP. Update Defender NOW & download the XP patch. Backup your data now & disconnect USB drives.

PS. It's a Server Message Block (SMB) attack.

 
Vermont (Member) | Join Date: Jan 2010 | Posts: 1,767 | VT
05-13-17, 02:24 PM   #2
I wonder if Walmart was hit; all afternoon, they've been unable to access my Order History.

 
donoli2016 (Banned. Rule And/Or Policy Violation) | Join Date: May 2016 | Posts: 551
05-14-17, 05:12 AM   #3
It seems that Walmart wasn't affected. The only company here was FedEx in Tennessee. Also, the worm was created by the NSA & leaked to the public.

 
Tolyn Ironhand (Group Moderator) | Join Date: Nov 2007 | Posts: 11,251 | MN
05-14-17, 05:22 AM   #4
Also, the worm was created by the NSA & leaked to the public.
Can you back that up with some "real" sources? (not just black helicopter stuff)


Electrical AC/DC and lighting Moderator
Professional Electrician, Handyman, all around swell guy!
40,000 people die in auto accidents per year in the US. We should ban cars.

 
taz420 (Member) | Join Date: Nov 2007 | Posts: 391 | NJ
05-14-17, 06:03 AM   #5
Umm, Google it? Three stories about it showed up on my Now feed this morning...

A highly virulent new strain of self-replicating ransomware shut down computers all over the world, in part by appropriating a National Security Agency exploit that was publicly released last month by the mysterious group calling itself Shadow Brokers...

https://arstechnica.com/security/201...ers-worldwide/

This is hardly the first time the NSA has been caught creating zero-day exploits and hiding them from the public and the software developers for their own nefarious use - and this worm is exactly the consequence. They found the Heartbleed vulnerability too and sat on it so they could spy on SSL sessions until it was made public.

 
donoli2016 (Banned. Rule And/Or Policy Violation) | Join Date: May 2016 | Posts: 551
05-14-17, 06:24 AM   #6
Can you back that up with some "real" sources? (not just black helicopter stuff)
Absolutely! Forbes, CNN & The Intercept just to name a few. You decide what helicopter it is.

This is hardly the first time the NSA has been caught creating zero-day exploits and hiding them from the public and the software developers for their own nefarious use - and this worm is exactly the consequence.
That's about the gist of it. Other agencies have their own tools. One of them was made to eavesdrop on Series F Samsung Smart TVs when the TV is off.

 
Davejb (Member) | Join Date: May 2002 | Posts: 742 | NH
05-14-17, 10:33 AM   #7
This was briefly halted by a researcher and about $10. It has since gone active again.

 
donoli2016 (Banned. Rule And/Or Policy Violation) | Join Date: May 2016 | Posts: 551
05-14-17, 01:11 PM   #8
This was briefly halted by a researcher and about $10. It has since gone active again.
Yes, it was a young fellow, 22 years old, who goes by the name MalwareTech. His full name wasn't released, but he works for a firm in LA. He also warned about copycat malware.

 
Davejb (Member) | Join Date: May 2002 | Posts: 742 | NH
05-14-17, 01:29 PM   #9
From what I've gathered there's a new strain in the wild with no kill switch.

 
donoli2016 (Banned. Rule And/Or Policy Violation) | Join Date: May 2016 | Posts: 551
05-14-17, 01:47 PM   #10
https://blog.comae.io/wannacry-new-v...d-b8908fefea7e

It looks like that is correct. The details at the above site were posted 5 hours ago. Another site, The Verge, said that it's up to 150 countries.

It all comes down to 3 things. Backup, backup & backup. Either backup your data or don't complain.

 
jefferson17 (Banned. Rule And/Or Policy Violation) | Join Date: Feb 2013 | Posts: 63 | PA
05-14-17, 04:03 PM   #11
Interesting that Russia is taking the brunt of it. LOL! Karma?

The single best thing to do is use something like GMAIL for your primary email and keep a SECOND EMAIL on something like Yahoo for posting info on public sites. This will help prevent spam to your primary. And companies like that are really quite good at pre-filtering messages that are even vaguely suspicious. There is the occasional exception, of course. But if one does this, there is very little chance of "catching anything".

Even my 89 year old father won't click on links in emails from unknown sources. It only takes a few seconds to hover over a link to see where it REALLY GOES. No big deal.

Honestly, I haven't bothered to actively run anti virus or anti malware on my personal machines. I have them installed and once in a while I'll do a scan. I'd rather not have that stuff eating up my memory and processing power.

If one takes a few very minor precautions and uses Internet Mail, there is minimal exposure. It's NOT like the bad old days where stuff ran rampant.

--------------------------------------------------
Experienced IT professional 25+ years

 
Davejb (Member) | Join Date: May 2002 | Posts: 742 | NH
05-14-17, 04:21 PM   #12
Rule number one for any experienced IT person, never, ever recommend Yahoo services to people.

 
jefferson17 (Banned. Rule And/Or Policy Violation) | Join Date: Feb 2013 | Posts: 63 | PA
05-14-17, 05:12 PM   #13
Hi Dave,

Read what I wrote. The Yahoo email (or whatever) is simply used as a secondary email - strictly for posting onto sites where one would rather avoid getting onto that many more spam and email distribution lists, and to help hide one's true online identity.

For example, I would happily use a Yahoo email for accounts that I create on sites like this one. Or on Craigslist or various internet forums, etc. That way, if I really wanted to, I could change the email on the sites that I want to keep to merely another new email, and walk away from that email account - since it isn't really related to any of my REAL LIFE stuff (airlines, credit cards, real personal email, etc).

I also wouldn't have to care about some forum site being hacked and my real info being exposed. It's darn good practice. If you don't like Yahoo for the other purpose, just pick a different one.

 
Davejb (Member) | Join Date: May 2002 | Posts: 742 | NH
05-14-17, 05:45 PM   #14
Yahoo has been hacked like 4 times in the last three years, IMHO it isn't a good option for any purpose.

 
donoli2016 (Banned. Rule And/Or Policy Violation) | Join Date: May 2016 | Posts: 551
05-14-17, 05:50 PM   #15
I wouldn't recommend gmail or yahoo for anything, especially privacy or hiding one's identity.

 
jefferson17 (Banned. Rule And/Or Policy Violation) | Join Date: Feb 2013 | Posts: 63 | PA
05-14-17, 06:08 PM   #16
Oh? Would you care to RECOMMEND anything?

 
donoli2016 (Banned. Rule And/Or Policy Violation) | Join Date: May 2016 | Posts: 551
05-15-17, 08:23 AM   #17
It depends on how anonymous you want to be & from whom you are hiding your identity.
Read The Art of Invisibility by Kevin Mitnick.

 
zoesdad (Member) | Join Date: Jan 2008 | Posts: 2,342 | PA
05-15-17, 10:00 AM   #18
Malwarebytes has the actual code for one variation of the problem posted here:

https://blog.malwarebytes.com/threat...s-wanacrypt0r/

You can give credit to the guy who looked at the code and figured out that the WannaCry kill switch mechanism won’t work if you are using a proxy server – give him credit. But that feature isn’t exactly buried very deep – the code is simple and straightforward.

The idea in the WannaCry code is to try and connect to a specific url and if it is able to do so then it won’t infect the computer – I guess that’s the kill switch. But the connection attempt won’t work if you are using a proxy server – that’s what the young guy recognized.

The code in that area is pretty straight forward and all it takes is a little (very little) bit of digging to see that the second argument (1u) in the InternetOpenA() call will preclude a proxy server, so the code won’t be able to connect to the kill switch url if you are using a proxy server – and hence the kill switch won’t work – and thus the system will be infected.

It’s hard to believe almost everyone who looked at this didn’t notice immediately that the WannaCry kill switch mechanism was implemented in such a way that it wouldn’t work with proxy servers – which I think most big enterprises use (not sure though). Does that mean these bad guys are pretty incompetent? I guess you really have to figure out how they really wanted to use the kill-switch mechanism – but as the article states the kill switch mechanism has been used against them to defeat the infection (except in the proxy case). Can’t see how the authors wanted that!

I put some comments in boxes in the pic:



 
donoli2016 (Banned. Rule And/Or Policy Violation) | Join Date: May 2016 | Posts: 551
05-15-17, 10:09 AM   #19
Good point on the proxy server. I don't think that most enterprises use them but I'm not sure either. I use a VPN most of the time but they can disconnect & leave the network vulnerable.

 
jefferson17 (Banned. Rule And/Or Policy Violation) | Join Date: Feb 2013 | Posts: 63 | PA
05-15-17, 08:49 PM   #20
Purchased! Thanks for the heads-up. Now I merely need to make time for it, if I can find the time to make the time to take the time. This could make for some cool reading while we're in Europe next month.

I have to admit - I LIKE that cookies have made my life easier w/ some sites and helped me find things that otherwise would not have come onto my radar. The oatmeal cookies are the best ...

It's a catch-22, I suppose. How one must choose to strike "the right balance" of transparency, paranoia, security, fear, legitimate threats, etc.

Somehow I expect that book will be so scary that I'll pull a Chuck McGill, gut my electrical panel and live under a space blanket.

 
Hal_S (Member) | Join Date: Nov 2012 | Posts: 436 | PA
05-19-17, 08:25 AM   #21
Do not restart a computer hit by WannaCry - WannaKey decrypt possible

Do not restart a computer hit by WannaCry.

The ransom key can be decrypted from a prime number left in RAM on XP computers; a similar solution is/is coming for Windows 7.

A decrypt program, WannaKey, is available online.


 
zoesdad (Member) | Join Date: Jan 2008 | Posts: 2,342 | PA
05-19-17, 05:40 PM   #22
Doesn’t seem like those ransomware people are all that sharp! I think this stuff we hear in the media about how smart these people are is pure BS. It makes everything seem dramatic, it’s good for ratings because it creates interest, and I’m sure Microsoft loves it when the exploiters are portrayed as evil geniuses because it deflects attention away from the real negligence on Microsoft’s part.

It makes it seem like Microsoft didn’t actually do a bad job when it comes to security, it’s just that they are up against the army of evil geniuses – what can they do? LOL

It looks like the “bug” (design bug not coding bug) in the evildoers code only exists for XP, and they weren’t targeting XP in the first place – but still it shows IMHO how sloppy, or even more likely , how incompetent they are.

This is one of the API interfaces they used for key encryption/decryption, called when they were done and wanted to destroy the key they used. But the API description clearly states that the keys won’t be destroyed (they will remain in memory) after the function is called.

Thus if you don’t reboot after the attack (because the evildoers used this function) the key pair can be retrieved from memory with the correct RAM-scanning tool and you may be able to find the key and decrypt the data after all without paying the ransom. So don’t reboot after the attack and you might be saved. (but only works for XP now – as Hal_S said).

This is the API call to destroy the key when you are finished (they used this)

BOOL WINAPI CryptDestroyKey(
    _In_ HCRYPTKEY hKey
);
This is the Microsoft description (my red font) for the API and it clearly says the public/private key pair is not destroyed.

If the handle refers to a session key, or to a public key that has been imported into the cryptographic service provider (CSP) through CryptImportKey, this function destroys the key and frees the memory that the key used. Many CSPs overwrite the memory where the key was held before freeing it. However, the underlying public/private key pair is not destroyed by this function. Only the handle is destroyed.
https://msdn.microsoft.com/en-us/lib...(v=vs.85).aspx
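The recovery Hal_S (#21) describes and this post explains, as an added example that is not WannaKey's code and not from any poster: one RSA prime still sitting in process memory after CryptDestroyKey, plus the public key (n, e) the ransomware leaves on disk, is enough to rebuild the private key and unwrap the per-victim file key. The "memory image" is constructed here (pseudo-random junk with the primes embedded little-endian and zero-padded, the byte order CryptoAPI key blobs use), and two small Mersenne primes stand in for the 1024-bit primes of a real key so the numbers stay readable; the scanning and reconstruction logic does not depend on the key size.

```python
import random

# Toy RSA parameters. Two Mersenne primes stand in for the 1024-bit primes of a
# real 2048-bit WannaCry key so the arithmetic stays readable; e is the usual 65537.
P = (1 << 61) - 1
Q = (1 << 89) - 1
E = 65537
N = P * Q
WORD = 16  # scan window in bytes; wide enough to hold either toy prime


def leak_key_into_memory(p, q, junk_len=64, seed=7):
    """Constructed 'process memory' image: pseudo-random junk with the two primes
    embedded little-endian and zero-padded to WORD bytes (CryptoAPI key blobs store
    RSA components little-endian). This is what CryptDestroyKey leaves behind when
    the CSP frees the handle without scrubbing the key material."""
    rnd = random.Random(seed)
    junk = lambda: bytes(rnd.randrange(256) for _ in range(junk_len))
    return (junk() + p.to_bytes(WORD, "little") + junk()
            + q.to_bytes(WORD, "little") + junk())


def find_prime_factor_in_memory(mem, n):
    """Slide a WORD-byte window over the image and test each value against the
    public modulus. Anything that divides n (other than 1 and n) is one of its two
    primes, so no primality test is needed. Returns (offset, prime) or None."""
    for off in range(len(mem) - WORD + 1):
        v = int.from_bytes(mem[off:off + WORD], "little")
        if 1 < v < n and n % v == 0:
            return off, v
    return None


def rebuild_private_key(n, e, p):
    """One prime plus the public key (n, e) gives the whole private key."""
    q = n // p
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse, Python 3.8+
    return p, q, d


def recover_file_key(mem, n, e, wrapped_key):
    """What a WannaKey-style tool does: scan memory, rebuild d, unwrap the per-victim
    key that the ransomware encrypted with the public key. None means the primes are
    gone (the machine was rebooted or the pages were reused): restore from backup."""
    hit = find_prime_factor_in_memory(mem, n)
    if hit is None:
        return None
    _, p = hit
    _, _, d = rebuild_private_key(n, e, p)
    return pow(wrapped_key, d, n)


def demo():
    file_key = int.from_bytes(b"constructed-key!", "big")  # stand-in for the AES key
    wrapped = pow(file_key, E, N)  # stored on disk by the ransomware, useless without d
    live_memory = leak_key_into_memory(P, Q)
    after_reboot = bytes(len(live_memory))  # RAM contents do not survive a restart
    return (recover_file_key(live_memory, N, E, wrapped) == file_key,
            recover_file_key(after_reboot, N, E, wrapped))


if __name__ == "__main__":
    print(demo())  # (True, None)
```

The second value in demo() is the practical point of the advice above: once the machine restarts, the scan has nothing to find and the only way out is a backup.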

 
donoli2016 (Banned. Rule And/Or Policy Violation) | Join Date: May 2016 | Posts: 551
05-19-17, 06:29 PM   #23
I'm sure that you can write better code. However, if the current coders make money & don't get caught, that's all that counts.

 
Tolyn Ironhand (Group Moderator) | Join Date: Nov 2007 | Posts: 11,251 | MN
05-19-17, 06:54 PM   #24
Rule #1: Patch your software. The vulnerability was found by the NSA (not created) released by somebody (not the NSA) and Microsoft released a patch months ago.



 
donoli2016 (Banned. Rule And/Or Policy Violation) | Join Date: May 2016 | Posts: 551
05-20-17, 06:59 AM   #25
The vulnerability was found by the NSA (not created)
When I said that it was created by the NSA, you asked me for sources, not just "black helicopter stuff". I named Forbes, CNN & The Intercept. What are your sources, not just jingoism?

 
Tolyn Ironhand (Group Moderator) | Join Date: Nov 2007 | Posts: 11,251 | MN
05-20-17, 07:07 AM   #26
I got the info from your sources. Namely CNN.



 
donoli2016 (Banned. Rule And/Or Policy Violation) | Join Date: May 2016 | Posts: 551
05-20-17, 08:15 AM   #27
I never liked them anyway.

 
zoesdad (Member) | Join Date: Jan 2008 | Posts: 2,342 | PA
05-20-17, 08:38 AM   #28
I'm sure that you can write better code. However, if the current coders make money & don't get caught, that's all that counts.
I think people put too much emphasis on coding. Anyone can write “code”, that’s the easy part. It’s a tool to implement a set of ideas.

Wannacry actually WAS NOT VERY SUCCESSFUL, and it appears it was because of the authors’ own incompetence. They designed the software (NOT the code) to attempt at startup to reach a specific domain, and if it can be reached the malware terminates. That’s their kill-switch. They were outsmarted very quickly because someone (Hutchins) recognized that feature and quickly “sinkholed” (registered) the domain so that the malware will now always be able to reach that domain, and thus the kill-switch is always ON, and thus the malware is neutralized. Their error was NOT in coding – but in thinking, that is, the error is in their design.

This is Hutchins comment on the copycats who are out there now trying to reactivate the malware by ensuring access to the sinkhole (for the kill-switch domain) cannot occur, by using denial of service. Although he is talking about the copycats and not the original authors I think it’s significant:

“Now any idiot and their dog can set up a Mirai botnet,” Hutchins says. He believes the attackers are likely nihilistic, low-skilled hackers using public tools to cause mayhem for their own entertainment.
Here is what another article has to say about the kill-switch:

Building anti-analysis defenses into malware is common, but the WannaCry hackers appear to have botched the implementation. By relying on a static, discoverable address, whoever found it—in this case MalwareTech—could just register the domain and trigger WannaCry’s shutdown defense.
This is from a security company blog about the sinkhole:
Note: There are reports of some organizations attempting to block this domain at their firewalls, assuming this is a CnC domain. Don’t do that! The domain has been sinkholed and is actually a kill switch for the malware. If the malware can successfully reach that domain, it terminates - so don’t block access.
It just surprises me how technically naïve these guys seem to be – but I guess they made a few bucks for their work!
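The kill-switch behaviour discussed in #18 (the 1u passed to InternetOpenA, i.e. INTERNET_OPEN_TYPE_DIRECT, which ignores proxy settings) and in this post (the domain is now sinkholed, so reaching it makes the sample exit), as an added Python example that is not the sample's code and not from any poster. A local HTTP stub stands in for both the corporate forward proxy and the sinkholed web server, and a loopback port with no listener stands in for the kill-switch domain as seen from a host whose only way out is the proxy; the host name, ports and the reduced HTTP exchange are constructed for the demo, and only the two access-type constants carry the WinINet names.

```python
import http.server
import socket
import threading

# Access types from the InternetOpenA() prototype. The sample passed 1u, i.e.
# INTERNET_OPEN_TYPE_DIRECT: resolve and connect to the host itself and ignore
# whatever proxy the machine is configured to use.
INTERNET_OPEN_TYPE_PRECONFIG = 0
INTERNET_OPEN_TYPE_DIRECT = 1

KILL_SWITCH_HOST = "127.0.0.1"  # constructed stand-in for the hard-coded domain


class _ForwardProxyStub(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for a corporate forward proxy (and, when a client
    connects to it directly, for the sinkholed web server): it answers 200 to any
    GET, which is all the kill switch checks for."""

    def do_GET(self):
        body = b"sinkholed"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_stub_server():
    srv = http.server.HTTPServer(("127.0.0.1", 0), _ForwardProxyStub)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def unreachable_port():
    """A loopback port with nothing listening: a direct connect is refused at once,
    which models a network where only the proxy is allowed to reach the Internet."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def _http_get(connect_to, target, host, timeout=2.0):
    """Minimal HTTP/1.0 GET; True on a 200 status line, False on any failure."""
    try:
        with socket.create_connection(connect_to, timeout) as s:
            s.sendall(f"GET {target} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
            status = s.makefile("rb").readline().split()
            return len(status) >= 2 and status[1] == b"200"
    except OSError:
        return False


def kill_switch_reachable(host, port, access_type, proxy=None):
    """The sample's check, reduced to the two behaviours that matter: DIRECT goes to
    the host itself; PRECONFIG hands the absolute URL to the configured proxy."""
    if access_type == INTERNET_OPEN_TYPE_DIRECT or proxy is None:
        return _http_get((host, port), "/", host)
    return _http_get(proxy, f"http://{host}:{port}/", f"{host}:{port}")


def malware_decision(host, port, access_type, proxy=None):
    """Kill-switch semantics: if the domain answers, the sample exits; otherwise it
    goes on to encrypt and spread. Sinkholing the domain makes the first branch the
    normal case, except where the lookup cannot get out."""
    return "exit" if kill_switch_reachable(host, port, access_type, proxy) else "infect"


def demo():
    stub = start_stub_server()
    proxy_addr = stub.server_address
    dead_port = unreachable_port()
    try:
        return {
            # what the sample does on a proxy-only network: the sinkhole is up, but
            # the direct connect is refused, so the kill switch never fires
            "direct, proxy-only": malware_decision(
                KILL_SWITCH_HOST, dead_port, INTERNET_OPEN_TYPE_DIRECT, proxy_addr),
            # what it would have done had it honoured the proxy settings
            "preconfig, proxy-only": malware_decision(
                KILL_SWITCH_HOST, dead_port, INTERNET_OPEN_TYPE_PRECONFIG, proxy_addr),
            # a host with open egress reaches the sinkhole directly and the sample exits
            "direct, open egress": malware_decision(*proxy_addr, INTERNET_OPEN_TYPE_DIRECT),
        }
    finally:
        stub.shutdown()
        stub.server_close()


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The first two cases are the whole proxy point from #18: the same sinkholed domain, the same host, and the only difference is whether the lookup honours the proxy. It also shows why the security blog quoted above says not to block the domain at the firewall: blocking it reproduces the "direct, proxy-only" row on every host.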

 
donoli2016 (Banned. Rule And/Or Policy Violation) | Join Date: May 2016 | Posts: 551
05-20-17, 02:48 PM   #29
Wannacry actually WAS NOT VERY SUCCESSFUL
but I guess they made a few bucks for their work!
Do we have any idea how much they made? The concept of successful is different for everyone. Would you consider $10,000 successful?

 
taz420 (Member) | Join Date: Nov 2007 | Posts: 391 | NJ
05-20-17, 04:41 PM   #30
Rule #1: Patch your software. The vulnerability was found by the NSA (not created) released by somebody (not the NSA) and Microsoft released a patch months ago.
Ahem. Yes. The vulnerability was found by the NSA over a YEAR ago. And they sat on it. Kept their mouths shut. Why? So they could use it to infect machines with their own malware (which THEY created) in order to spy on people all over the world - including Americans.

So yeah I guess you're one who just allows Windows Update to run at its leisure, installing any and all privacy invasive telemetry that Microsoft cooks up, right?

And I guess you think Edward Snowden is a traitor too, considering he exposed the unconstitutional domestic surveillance they are engaged in?

 
donoli2016 (Banned. Rule And/Or Policy Violation) | Join Date: May 2016 | Posts: 551
05-21-17, 07:28 AM   #31
So far you hit the nail on the head, taz. That's what they do. They keep the info for their own use.

 
Vermont (Member) | Join Date: Jan 2010 | Posts: 1,767 | VT
05-21-17, 07:43 AM   #32
Posted By: Tolyn Ironhand ". . . I got the info from your sources. Namely CNN . . ."
I'm surprised they didn't blame it on Trump !

Isn't he the source of all evil in the World ?

 
Davejb (Member) | Join Date: May 2002 | Posts: 742 | NH
05-21-17, 07:45 AM   #33
Do we have any idea how much they made? The concept of successful is different for everyone. Would you consider $10,000 successful?
Their haul has been pretty pitiful compared to other ransomware. I would label successful as hundreds of thousands at least, not tens of thousands. But hey, either way it's more money than I have so who am I to say. I believe the Locky variants are currently in the millions.

 
zoesdad (Member) | Join Date: Jan 2008 | Posts: 2,342 | PA
05-21-17, 02:28 PM   #34
My 2 cents:

It seems to me there is something morally and ethically wrong with what the NSA did and it looks like maybe things are going to change (if I read some things correctly), but I think there should be some real criticism of Microsoft here.

This flaw which NSA found and exploited has been around for many years. How come the NSA could find the flaw but Microsoft didn’t? Is it because the NSA has more skilled people? Well isn’t Microsoft supposed to have the most skilled people around?

Is it because the NSA developed tools to specifically look for security flaws? Well shouldn’t Microsoft have developed tools to find security flaws? After all, they are the experts in development aren’t they - so they should be able to develop the best tools. Security has been the number one issue for a long time and so by now Microsoft should have the best toolset in the world to look for security flaws in their own software – shouldn’t they?

Microsoft knows the complete design and has all the source code and so should be light-years ahead of the NSA when it comes to analysis of their own software (I don’t think the NSA has all that information).

So why then did the NSA find the flaw and Microsoft didn’t? It just seems to me that Microsoft to a large extent must be reactive, and not proactive, when it comes to security issues in their software. I could be wrong! Maybe NSA uses an extremely large team and spends an enormous amount of money to find the particular flaws like the Eternal Blue used by Wannacry – and so maybe it is unreasonable to expect Microsoft to dedicate that amount of resources to find the security flaws.

But if that’s true then the taxpayer is subsidizing Microsoft by using the NSA to find Microsoft’s problems. All too complicated for me, but interesting -lol!!!

It just seems like “something ain’t right here” with Microsoft.

 
Shadeladie (Super Moderator) | Join Date: Jan 2005 | Posts: 3,609 | PA
05-21-17, 02:36 PM   #35
OK, enough of this. Thread closed.


In our hearts, we all know that it's wrong to harm an animal and that we should take action to protect them -
Patrick McDonnell

Adopt a shelter pet!
Spay or neuter your pet!
Please don't leave pets or kids in a hot car!

 