Slashdot Mirror


'Accidental Hero' Finds Kill Switch To Stop Wana Decrypt0r Ransomware (theguardian.com)

"An 'accidental hero' has halted the global spread of the WannaCry ransomware that has wreaked havoc on organizations..." writes The Guardian. An anonymous reader quotes their report: A cybersecurity researcher tweeting as @malwaretechblog, with the help of Darien Huss from security firm Proofpoint, found and implemented a "kill switch" in the malicious software that was based on a cyber-weapon stolen from the NSA. The kill switch was hardcoded into the malware in case the creator wanted to stop it from spreading. This involved a very long nonsensical domain name that the malware makes a request to -- just as if it was looking up any website -- and if the request comes back and shows that the domain is live, the kill switch takes effect and the malware stops spreading. Of course, this relies on the creator of the malware registering the specific domain. In this case, the creator failed to do this. And @malwaretechblog did early Friday morning (Pacific Time), stopping the rapid proliferation of the ransomware.
You can read their first-person account of the discovery here, which insists that registering the domain "was not a whim. My job is to look for ways we can track and potentially stop botnets..." Friday they also tweeted a map from the New York Times showing that registering that domain provided more time for U.S. sites to patch their systems. And Friday night they added "IP addresses from our [DNS] sinkhole have been sent to FBI and ShadowServer so affected organizations should get a notification soon. Patch ASAP."

UPDATE: Slashdot reader Lauren Weinstein says some antivirus services (and firewalls incorporating their rules) are mistakenly blocking that site as a 'bad domain', which allows the malware to continue spreading. "Your systems MUST be able to access the domain above if this malware blocking trigger is to be effective, according to the current reports that I'm receiving!"
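The kill-switch logic described above, as an added worked example (this is not code from the Guardian report, the Slashdot post, or the malware): the check is a plain request to the domain the thread quotes, and every failure to reach it, whether the domain is unregistered or a filter is dropping the connection, is treated the same way, so the check fails open. The fetchers below are constructed stand-ins for network conditions; nothing here touches the network unless you call real_fetch yourself.

```python
# Added example: models the fail-open kill-switch check the summary describes
# and the failure mode in the update. Fetchers are constructed stand-ins.
import socket
import urllib.request

KILL_SWITCH_DOMAIN = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"  # from the thread
KILL_SWITCH_URL = "http://" + KILL_SWITCH_DOMAIN + "/"


def kill_switch_engaged(fetch):
    """True only if the request to the kill-switch URL actually succeeds.

    `fetch(url)` is any callable that returns on success and raises on failure.
    A live domain halts spreading; every kind of failure (NXDOMAIN, refused
    connection, timeout) is treated as 'domain not live' and spreading goes on.
    """
    try:
        fetch(KILL_SWITCH_URL)
        return True
    except Exception:  # deliberately broad: the check does not distinguish causes
        return False


def would_spread(fetch):
    return not kill_switch_engaged(fetch)


# Constructed fetchers standing in for network conditions.

def fetch_domain_live(url):
    """Domain registered and answering (the sinkholed state after registration)."""
    return 200


def fetch_nxdomain(url):
    """Domain not registered: the resolver answers NXDOMAIN."""
    raise socket.gaierror("Name or service not known")


def fetch_blocked_by_filter(url):
    """Domain registered, but an AV/firewall rule refuses the connection."""
    raise ConnectionRefusedError("blocked by web filter")


def fetch_timeout(url):
    """Packets silently dropped by a firewall."""
    raise socket.timeout("timed out")


def outcome_table():
    """Map each simulated network condition to 'spreads' or 'halts'."""
    cases = {
        "domain live": fetch_domain_live,
        "NXDOMAIN (before registration)": fetch_nxdomain,
        "blocked by AV/firewall": fetch_blocked_by_filter,
        "silent drop": fetch_timeout,
    }
    return {name: ("spreads" if would_spread(f) else "halts") for name, f in cases.items()}


def real_fetch(url, timeout=5):
    """A real fetcher for checking your own egress path; not used by the table above."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    for condition, result in outcome_table().items():
        print(f"{condition:32s} -> {result}")
```

To check whether your own network is in the "blocked" row, run `kill_switch_engaged(real_fetch)` from a machine on the segment in question; a False there means an infected host on that segment would keep spreading regardless of the domain being registered.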

182 comments

  1. unregistered domain by Anonymous Coward · · Score: 1

    I suppose pre-registering the domain would effectively be adding a signature admitting liability

    1. Re:unregistered domain by Anonymous Coward · · Score: 0

      The disgusting part is that people at the NSA would have KNOWN of this failsafe but chose NOT to act and end the proliferation of the malware.
      Where are the world's media when it comes to asking that question ?
      Silent as always.

    2. Re:unregistered domain by eric_harris_76 · · Score: 1

      Or rather, the people within the NSA who knew didn't have the authority (or willingness) to announce it, and the people within the NSA who had the authority (or willingness) to announce it didn't know.

      It's possible one or both of those two sets of people -- the knowledgeable and the authorized-and-willing -- were not the null set.

      My money would be on the NSA knowing and choosing not to reveal. Not that we'll ever know.

      --
      There's no time like the present. Well, the past used to be.
    3. Re: unregistered domain by Anonymous Coward · · Score: 0

Know what 🙏🙏🙏

    4. Re: unregistered domain by Anonymous Coward · · Score: 0

Why would the NSA know about the domain? They found the vulnerability, they didn't write the exploit.

  2. Factsheet by Anonymous Coward · · Score: 5, Informative

    Here is a factsheet: https://gist.github.com/slider23/bd617d0d376047c05d18980fde306840
    The domain in question is "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com".

    1. Re:Factsheet by Anonymous Coward · · Score: 3, Insightful

      So the malware author is someone using a western keyboard layout then.

    2. Re:Factsheet by mikael · · Score: 1

At some time, they must have checked to see if it was possible to register, and that it was not already taken.

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
    3. Re:Factsheet by Anonymous Coward · · Score: 5, Insightful

      Sadly not - with that long of a (presumably) randomly generated string, the odds that it is taken are so minuscule that you wouldn't bother checking, precisely because that might leave a trail. If I were doing the same thing, I'd generate a nice long random string and happily presume that it's still available.

    4. Re:Factsheet by Anonymous Coward · · Score: 0

      .. or is not, but wants the world to believe he is.

    5. Re:Factsheet by wbr1 · · Score: 1

      And what trail would searching for a domain leave? Valid names are easily determinable with the RFC and other public information. Checking registration is as easy as a whois lookup from behind any obfuscation you desire. There would be no trail.

      --
      Silence is a state of mime.
    6. Re:Factsheet by ColdWetDog · · Score: 1

      Hey, that's the combination to my luggage!

      --
      Faster! Faster! Faster would be better!
    7. Re:Factsheet by vtcodger · · Score: 2

      If the url existed, you'd find out about it when you rolled out your malware and it didn't work. ... or if you tested your product before deploying it, but who does that nowadays?

      --
      You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
    8. Re: Factsheet by Anonymous Coward · · Score: 0

      I think it was a cat

    9. Re:Factsheet by Anonymous Coward · · Score: 0

      It doesn't appear random. Look at your keyboard. Quite a lot of bias towards adjacent keys.

    10. Re:Factsheet by mysidia · · Score: 1

      the odds that it is taken are so minuscule that you wouldn't bother checking

Yep.... Odds are it was quick and dirty. If it wasn't, then they'd probably have used algorithmically-generated domain names, try 3 URLs at random from a list, and require the URL attempted to present a digitally-signed file for the switch to take effect. Badware authors have done things like that in the past, etc, etc.

    11. Re: Factsheet by Anonymous Coward · · Score: 0

      And then bake it into code you plan to distribute worldwide? Yeah, nobody will ever find that random string. Brilliant plan.

      More likely: some shit-for-brains found code for an exploit that he didn't fully understand, and he let it go on the net. For shits and giggles, or as a real ransomware scam; it doesn't matter. He overlooked the kill switch URL and didn't register it.

    12. Re: Factsheet by Anonymous Coward · · Score: 0

      That's not helpful. Many non westerners (like me) use western keyboards because they are cheaper, it's easier to find software for it and we are used to it.

      We just use special software to write in non western languages.

  3. Patch your macs now! by Anonymous Coward · · Score: 0

    They are not as safe as people think..

    1. Re: Patch your macs now! by Anonymous Coward · · Score: 0

      Recent events would appear to have contradicted your assertion, good sir.

    2. Re:Patch your macs now! by hcs_$reboot · · Score: 1

      They are not as safe as people think..

While it seems the urgency level is lower than for Windows, Macs are good at updating the system efficiently in a less obtrusive way

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    3. Re: Patch your macs now! by TuballoyThunder · · Score: 1

      What? I don't find OS X better (or worse) at patching than Windows. Quite often a restart is required, which does not fit into the definition of "unobtrusively."

    4. Re: Patch your macs now! by Highdude702 · · Score: 2

With the way software is written today, even if I was told there was a security patch for an OS component that didn't require a restart, I would still fear that the issue in question was not completely patched, and maybe just had a band-aid attached to it with a little bit of bubblegum, as I've seen too many times that one security patch turns into a new 0day the very next day. The white hat hackers are smart, and they do a lot of good, and the black hats just try to stay a step ahead of the white hats. The real winners are the grey hats. They have the real knowledge, and a lot of the time you can't tell the difference between them and the other hackers, and most of the time they work real deep in the industry.

    5. Re: Patch your macs now! by Anonymous Coward · · Score: 0

      So what? You want a cookie?

    6. Re: Patch your macs now! by Highdude702 · · Score: 1

Yes! As you can tell from my name, I may be a lil stoned... and a cookie sounds great!

    7. Re: Patch your macs now! by hcs_$reboot · · Score: 1
      --
      Slashdot, fix the reply notifications... You won't get away with it...
  4. How did it actually work? by mccalli · · Score: 1

    For my education please - I mean step-by-step. I can see it's a phishing thing. I can see it could copy itself to SMB 1 shares. But...err...then what? How did it spread, or did it not spread and the impact is 'only' to the files visible on the original machine?

    Reminds me an awful lot of the old I Love You virus, which was a vbs script and which copied itself to shares as well. This new one is more sophisticated obviously, but I was around for that particular piece of 'fun'.

    1. Re:How did it actually work? by jeremyp · · Score: 2

      Please read the post before mouthing off. The first three words "for my education please" are an admission of ignorance and a request for information.

      --
      All I want is a secure system where it's easy to do anything I want. Is that too much to ask ~~ Randall Munroe
    2. Re:How did it actually work? by Pieroxy · · Score: 0, Troll

      Please read the post before mouthing off. The first three words "for my education please" are an admission of ignorance and a request for information.

      "for my education please" is four words, no?

    3. Re: How did it actually work? by Anonymous Coward · · Score: 0

      You missed the 'first' in the phrase 'first three words.' A little too busy trying to score cheap points to notice that? :)

    4. Re: How did it actually work? by Anonymous Coward · · Score: 0

      You missed that it was immediately followed by a quote showing the first 'three' words, which were in fact four words. A little too much of a hurry to post? ;)

    5. Re:How did it actually work? by Highdude702 · · Score: 2

I'm not 100% sure, as I haven't looked into this, but if it was me writing it, here's how it would work. SMB is a file-sharing server that Windows uses to talk to Linux, Mac and other Windows machines. When there is an SMB exploit, sometimes it just allows you to view files and copy/write files (like an auth bypass). Then sometimes there is privilege escalation, meaning I give the server this string which it unwittingly passes on to the Windows OS to give me full admin rights. Then you get to overwrite system files (see where I'm going?). Sometimes you can also break out of the main process to a shell, or just execute code as if you were the SMB server. In any of those instances you can 1) overwrite explorer.exe and then wait for the system to call it, 2) upload a file, open a shell and execute the file, 3) inject raw data into memory and make SMB run data from memory.

    6. Re: How did it actually work? by Anonymous Coward · · Score: 0

      No idiot, he is saying the first three words OF "the quotes"

      So if it was the first three words of "your moms a cunt"

      The first three words would be "your moms a"

      This isn't hard.

    7. Re: How did it actually work? by Anonymous Coward · · Score: 0

      Did.... Did you just argue against yourself?

    8. Re: How did it actually work? by Anonymous Coward · · Score: 0

      you need to read it again.

  5. Re:But by negRo_slim · · Score: 1, Flamebait

    We needed this to spread further, we needed a shock to the system so we change our security practices... all this "hero" did was ensure the next time this happens it will be even more devastating.

    --
    On the Oregon Cost born and raised, On the beach is where I spent most of my days
  6. Here's how it works by Okian+Warrior · · Score: 4, Informative

There's a good summary over at github.

Essentially, the malware looks for port 445 (SMB) on local computers and the internet. If you have this port open on the internet, are running something older than Win10, and haven't updated with the Mar 2 patch, then you're vulnerable.

    Note that WinXP has about 8% market share and cannot be patched. You can get infected from another machine on the local subnet as well.

    Here is a good detailed description of how it works and what it does.

    Note that the propagation has halted for now, however the virus also installs a rootkit on the user's machine. If the virus writer realizes that the domain has been taken, he could remotely change the hard-coded domain name on every currently-infected machine, thus restarting the propagation process.
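An added example to go with the post above (not from the post or the linked github summary): the post says the worm hunts for TCP/445 on the local subnet and the internet, so the quickest inventory check is which of your hosts will accept a connection on 445 at all. This only measures exposure; it does not tell you whether the March 2017 Microsoft patch (MS17-010, named here from my own knowledge, not from the thread) is installed. The 192.168.1.0/24 default is an assumed subnet; the self-test at the bottom uses a throw-away listener on 127.0.0.1 so it runs offline.

```python
# Added example: list hosts that accept TCP connections on 445. Exposure check
# only; patch status must be verified separately. Subnet default is assumed.
import ipaddress
import socket
import sys
from concurrent.futures import ThreadPoolExecutor

SMB_PORT = 445


def tcp_port_open(host, port, timeout=0.5):
    """Return True if a TCP connect() to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def expand_targets(items):
    """Accept CIDRs, single IPs or hostnames and yield individual targets."""
    for item in items:
        try:
            net = ipaddress.ip_network(item, strict=False)
        except ValueError:
            yield item                      # hostname: try it as-is
            continue
        if net.num_addresses == 1:
            yield str(net.network_address)
        else:
            for addr in net.hosts():
                yield str(addr)


def find_exposed_smb(targets, port=SMB_PORT, timeout=0.5, workers=64):
    """Return the sorted list of targets that accept connections on `port`."""
    hosts = list(expand_targets(targets))
    with ThreadPoolExecutor(max_workers=workers) as pool:
        flags = list(pool.map(lambda h: tcp_port_open(h, port, timeout), hosts))
    return sorted(h for h, is_open in zip(hosts, flags) if is_open)


def self_test():
    """Offline check: one listening port on loopback and one port known to be closed."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    # Bind then release a second socket to find a port that is almost certainly closed.
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()
    try:
        return (tcp_port_open("127.0.0.1", open_port),
                tcp_port_open("127.0.0.1", closed_port))
    finally:
        listener.close()


if __name__ == "__main__":
    scope = sys.argv[1:] or ["192.168.1.0/24"]   # assumed subnet; pass your own
    for host in find_exposed_smb(scope):
        print(f"{host}: TCP/{SMB_PORT} reachable; verify MS17-010 is installed or disable SMBv1")
```

Run it as `python3 scan445.py 10.0.0.0/24 fileserver01` from inside the segment you care about; anything it lists that is older than Win10 and unpatched is in the vulnerable set the post describes. The same check from outside your perimeter tells you whether 445 is reachable from the internet.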

    1. Re:Here's how it works by Anonymous Coward · · Score: 4, Informative
    2. Re:Here's how it works by Anonymous Coward · · Score: 0

      Oops, while this static announcement page is up, it seems the actual download pages are slashdotted (by thousands of NHS workers?)

    3. Re: Here's how it works by Anonymous Coward · · Score: 2, Informative

      For those saying how terrible that people are running unpatched, some hospital equipment runs on XP and the only update possible is sometimes to buy a new scanner, which is not necessarily affordable. It can have knock on effects elsewhere in the infrastructure too.

      Even just verifying that a scanner produced the same output with a new operating system on the front end, where this is possible, is not necessarily cheap to do.

    4. Re: Here's how it works by Anonymous Coward · · Score: 0

      How is it that we can't track down this fucker via any other domain name registrations? I tell you what, we can all bet our asses that governments all over will make host name registration info to be cross referenced and validated!

    5. Re:Here's how it works by bertvanleussen · · Score: 1

      Thanks for the summary. I can't find the answer to this question anywhere: is the attack mitigated if the user isn't using an Administrator account?

    6. Re: Here's how it works by Anonymous Coward · · Score: 0

I'd go after anonymous money transfers as well. Western Union, Paypal... Funny how there is so much financial fraud with these "untraceable transactions" that the governments never do anything about them.

    7. Re:Here's how it works by Highdude702 · · Score: 2

      In this particular exploit, no

    8. Re: Here's how it works by Aristos+Mazer · · Score: 1

      Then why is it on the network? Give the scanner a local net of just itself and a proxy. Let the proxy run something modern and patched. There's no reason to have the antiquated system directly exposed.

    9. Re: Here's how it works by geoskd · · Score: 2

The people who designed these systems, those that operate them, and those that hold the purse strings are all stupid enough to be integrating Microsoft Windows into a potentially life critical piece of equipment, then networking them together. The original manufacturer should be held liable for even putting Windows on the damned things in the first place. There have been plenty of network hardened micro-kernels available since the 80s that the military complex uses for various things. They are more expensive, but when we're talking about medical devices, the manufacturer charges a premium for them anyway, since they are supposed to be "medical grade", not medical grade price with consumer grade electronics, and supersize profits.

      --
      I wish I had a good sig, but all the good ones are copyrighted
    10. Re: Here's how it works by Anonymous Coward · · Score: 0

A 15 year old, unpatched Linux OS would be running with tons of vulnerabilities as well.

    11. Re: Here's how it works by omnichad · · Score: 1

      The NHS were paying for continued security updates for XP...until April 2015.... Then they decided it was too expensive to renew. They could have kept paying for patches - which would probably still be cheaper than migrating earlier than they were ready for.

    12. Re: Here's how it works by vtcodger · · Score: 1

      Then why is it on the network?

      Exactly! I don't see any problem with using XP, Windows 95, or MSDOS as an embedded controller OS provided they will do the job. But why would you not plug any RJ-45 sockets with chewing gum?

      Why, other than rampant masochism would you connect ANYTHING that doesn't absolutely need to be networked to a network -- local or remote?

      --
      You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
    13. Re: Here's how it works by gumbi+west · · Score: 1

      whoa whoa whoa. So MS has the patches but only shares them if you pay? We need a national OS, big time. Windows has only been getting worse since XP, so the national OS would either start better than Windows or eventually become better--either way, it would be an improvement.

    14. Re: Here's how it works by Brockmire · · Score: 1

      Right, because increasing the cost of life saving equipment is better than just following proper network design. The patient using the equipment doesn't give a shit what OS runs as long as their hospital can afford one.

    15. Re: Here's how it works by toonces33 · · Score: 1

      My recollection is that MS was doubling the price of the support every year - they really want to force people off of these old OSes.

      You have to wonder how many of them were really using any form of SMB - a band-aid would just be to turn it off for systems that don't use it.

      I had this thought that one could disable the Microsoft SMB and replace it with Samba ported to Windows. That would at least get you a relatively modern protocol version.

    16. Re:Here's how it works by hairyfeet · · Score: 1

      Uhh you must have missed the memo as MSFT released a patch for all their no longer supported systems including XP SP2 & 3, 2K3, Vista, and Windows 8.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    17. Re: Here's how it works by Anonymous Coward · · Score: 0

      They want to force people off old OSes?
      Then they should recall it. Admit the product is defective.

    18. Re: Here's how it works by Anonymous Coward · · Score: 0

      Bullshit. I'm running my old scanners on Windows XP mode without a network connection, and so can they.

    19. Re: Here's how it works by Anonymous Coward · · Score: 0

All children's comments. How many of you even designed a publicly released product? And then a public operating system?

      Not one that posts these children's comments.

    20. Re: Here's how it works by jabuzz · · Score: 1

Simple solution is that any device sold to the NHS must be supplied with updates that work on a supported version of an OS for the lifetime of the equipment. Should such a manufacturer try measures to get around that, then that equipment (say Siemens, Toshiba, GEC etc.) may not be purchased by the NHS until the situation is rectified.

The NHS, one of the biggest victims here, has the clout to make this mandatory and make it stick. Just needs the political will to make it the law. Losing the NHS market because you want to try and gouge on updated software is not worth the loss, because one of your competitors will decide it's worth capturing the whole market.

    21. Re: Here's how it works by Anonymous Coward · · Score: 0

      Wait. There's this saying "never attribute to malice that which is adequately explained by stupidity" and this is true. I work for an instrument manufacturer. Our instruments run Linux, and this gives us a lot of headaches in the sales process. It goes like this:

      customer's IT department: "We only allow systems on our network which have the company-vetted anti-virus software on it."
      our sales person: "Your company-vetted anti-virus software can't be installed on our system. It doesn't run Windows."
      customer's IT department: "We only allow systems on our network which have the company-vetted anti-virus software on it."

      In my previous job, we built similar instruments, but much more expensive (multi-million dollars). Those *did* have Windows PC's running the system software. Customers were super happy with it, because they liked to install their office apps and whatever directly on the system PCs. We told them not to and warned them that this was not supported, but they basically asked "OK but we *can,* right?" and did it anyway.

    22. Re: Here's how it works by Anonymous Coward · · Score: 0

      For those saying how terrible that people are running unpatched, some hospital equipment runs on XP and the only update possible is sometimes to buy a new scanner, which is not necessarily affordable. It can have knock on effects elsewhere in the infrastructure too.

      Even just verifying that a scanner produced the same output with a new operating system on the front end, where this is possible, is not necessarily cheap to do.

      Then I suppose we'll just simply continue to excuse the (highly profitable) medical industry from managing their infrastructure and budgets properly, and allow ignorance to put a price tag on losing a shitload of medical data to ransomware. I mean, HIPAA violations and lawsuits are cheap, right?

      XP was retired in 2014. Guess my tolerance factor has reached zero for companies who continue to not budget properly for new equipment when it's been necessary for years now.

  7. malware author can rerelease patched malware by Anonymous Coward · · Score: 0

    And the malware author can easily take out the "kill switch" and spread the new "improved" version of the malware.

  8. TOR C&C domains to block WannaCry uses by Anonymous Coward · · Score: 0, Informative

    Block these TOR domains in your hosts file to paralyze WannaCry (can't talk to them for orders in the 1st place):

    0.0.0.0 gx7ekbenv2riucmf.onion
    0.0.0.0 57g7spgrzlojinas.onion
    0.0.0.0 Xxlvbrloxvriy2c5.onion
    0.0.0.0 76jdd2ir2embyv47.onion
    0.0.0.0 cwwnhwhlz52maqm7.onion
    0.0.0.0 sqjolphimrr7jqw6.onion

    * Per https://securelist.com/blog/incidents/78351/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/

    APK

    P.S.=> For the best custom hosts file creator bar-none? APK Hosts File Engine 9.0++ SR-7 32/64-bit https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22APK+Hosts+File+Engine%22+and+%22start64%22&btnG=Google+Search&gbv=1/ for protection vs. other threats online + for more speed, security, reliability & anonymity FOR LESS (yet doing more than ANY other SINGLE "so-called 'solution'" that's "Bolt on 'MoAr'" illogic-logic vs. using what you already have natively in hosts files)... apk

    1. Re: TOR C&C domains to block WannaCry uses by Anonymous Coward · · Score: 0

      Or, instead of touching thousands of hosts and relying on an anachronistic method using some executable that's maintained by a sociopathic egomaniac, you can simply blackhole those addresses in your DNS once.

    2. Re:TOR C&C domains to block WannaCry uses by gmajoe · · Score: 2

      This won't accomplish what you intend - the .onion addresses are looked up within Tor, bypassing your standard DNS infrastructure.

    3. Re:TOR C&C domains to block WannaCry uses by Highdude702 · · Score: 0

^5 APK, instead of just senselessly plugging your pages, you gave us the information we needed. I sometimes feel like you almost misinform when you go on your rants, but this, I can stand this. I'm not saying your program doesn't work, as I've never once downloaded it to check what you actually block in the created hosts file.

    4. Re:TOR C&C domains to block WannaCry uses by Anonymous Coward · · Score: 0

      The stand-alone Pup-Advert-Blocker is a nice little app that ships with Puppy Linux. It updates a series of addresses every time it boots and lets you edit the hosts file in a very simple way. I think it does what the proverbial APK's hosts engine does. I can't live without it when on Puppy/Slacko.

    5. Re:TOR C&C domains to block WannaCry uses by phantomfive · · Score: 1

      Wow, this post is actually useful.

      --
      "First they came for the slanderers and i said nothing."
    6. Re:TOR C&C domains to block WannaCry uses by Anonymous Coward · · Score: 0

You do realize that Tor traffic can use the DNS server of a remote node? Thereby bypassing the hosts file of your local machine and the hosts file of your router/gateway? So your above comment is plain wrong.

    7. Re:TOR C&C domains to block WannaCry uses by Anonymous Coward · · Score: 0

      Not 'can use'.

      'uses'.

      Besides, null-routing onion URLs wouldn't help anyway since they're routed internally on the Tor network and never touch the DNS stack of the machine(s) ever.
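An added example for the hosts-file thread above (not APK's code or anyone else's in the thread): a small audit of a hosts file that reports which entries can actually take effect. As the replies say, `.onion` names are special-use (RFC 7686) and are resolved inside Tor rather than through the hosts file or DNS, so those lines do nothing. The audit also goes one step past the thread by flagging a block entry for the WannaCry kill-switch domain quoted earlier on this page, since the update at the top says blocking it lets the malware keep spreading. The sample hosts text is constructed from the entries posted in the thread; the "never block" list and the special-use TLD set are assumptions for this example.

```python
# Added example: audit a hosts file for entries that cannot work (.onion names
# bypass the resolver, RFC 7686) or that are actively harmful (blocking the
# WannaCry kill-switch domain). Sample hosts text is constructed from the thread.
import re

SPECIAL_USE_TLDS = {"onion"}            # RFC 7686; extend for your environment (assumption)
KILL_SWITCH_DOMAIN = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"  # quoted on this page

SAMPLE_HOSTS = """\
127.0.0.1 localhost
0.0.0.0 gx7ekbenv2riucmf.onion
0.0.0.0 57g7spgrzlojinas.onion
0.0.0.0 Xxlvbrloxvriy2c5.onion
0.0.0.0 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com   # added by an overzealous blocklist
0.0.0.0 ads.example   # a constructed, ordinary blocklist entry
"""

# Hostname syntax: labels of 1-63 alphanumerics/hyphens, not starting or ending with '-'.
_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?"
    r"(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$"
)
BLACKHOLE_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1"}


def parse_hosts(text):
    """Yield (address, lowercased hostname) for every name on each non-comment line."""
    for line in text.splitlines():
        body, _, _comment = line.partition("#")
        fields = body.split()
        if len(fields) < 2:
            continue
        address, names = fields[0], fields[1:]
        for name in names:
            yield address, name.lower()     # hosts lookups are case-insensitive


def classify_entry(name):
    """'invalid' for bad syntax, 'ineffective' for special-use TLDs the resolver
    never sees (e.g. .onion), otherwise 'effective'."""
    if not _HOSTNAME.match(name):
        return "invalid"
    if name.rsplit(".", 1)[-1] in SPECIAL_USE_TLDS:
        return "ineffective"
    return "effective"


def audit_hosts(text, never_block=()):
    """Return {hostname: verdict}. A blackhole entry for a name in `never_block`
    is reported as 'dangerous' (for the kill-switch domain it re-enables spreading)."""
    never = {n.lower() for n in never_block}
    report = {}
    for address, name in parse_hosts(text):
        if name in never and address in BLACKHOLE_ADDRESSES:
            report[name] = "dangerous"
        else:
            report[name] = classify_entry(name)
    return report


if __name__ == "__main__":
    for name, verdict in audit_hosts(SAMPLE_HOSTS, never_block=[KILL_SWITCH_DOMAIN]).items():
        print(f"{verdict:12s} {name}")
```

Point it at a real file with `audit_hosts(open("/etc/hosts").read(), never_block=[KILL_SWITCH_DOMAIN])` (or the Windows `drivers\etc\hosts`). The `.onion` lines come back "ineffective" for the reason gmajoe gives: they never reach the hosts file, so blocking the C&C addresses has to happen by controlling Tor traffic itself, not by name.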

  9. Re:But by hcs_$reboot · · Score: 1

    I beg to disagree, totally, despite of what she says.

    --
    Slashdot, fix the reply notifications... You won't get away with it...
  10. Just wait for tomorrow's news... by Gravis+Zero · · Score: 4, Insightful

    A new version of WannaCry ransomware is on the loose!

    This is a game of cat and mouse, so don't assume you have won.

    --
    Anons need not reply. Questions end with a question mark.
    1. Re:Just wait for tomorrow's news... by tomxor · · Score: 1

      A new version of WannaCry ransomware is on the loose!

      This is a game of cat and mouse, so don't assume you have won.

Those were my first thoughts too, but although this is part M$ being shit and part NSA harbouring vulnerabilities, it all only works if users are clueless...

Hopefully this widespread incident was enough to inform more people without costing them in any way. Then more can understand the importance of using secure systems and keeping backups, or just not storing anything important on a machine.

    2. Re:Just wait for tomorrow's news... by StormReaver · · Score: 4, Insightful

      This is a game of cat and mouse, so don't assume you have won.

      The only way to win is to not play: get rid of Windows.

    3. Re:Just wait for tomorrow's news... by mikael · · Score: 1

      Online backups, shadow volumes can get encrypted as well.

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
    4. Re:Just wait for tomorrow's news... by Highdude702 · · Score: 1

Which is why I feel all Windows PCs need to be behind a NAT with UPnP disabled (hopefully your router really disables it).

    5. Re:Just wait for tomorrow's news... by thegarbz · · Score: 1

      And switch to what? This attack self replicates via an exploit across a local network but it infiltrates via a user executing something.

      I suggest you tell as many people as possible to stay on Windows. If Linux becomes a popular desktop OS we'll just see the same thing happening on the desktops including more focus from the NSA on finding errr inserting holes.

    6. Re:Just wait for tomorrow's news... by phantomfive · · Score: 1

      Yeah, but at least I won't have to use Windows at work. Instant bonus.

      --
      "First they came for the slanderers and i said nothing."
    7. Re:Just wait for tomorrow's news... by Anonymous Coward · · Score: 0

Offline... online backups are so inconvenient for 90% of web users anyway; all you 40Mbit people forget that most users still got to use 2Mbit and under. No one can hack offline without physically stealing from you.

    8. Re:Just wait for tomorrow's news... by BronsCon · · Score: 1

      Online, in this context, means a connected disk. An offline disk, one which is not connected to the system, cannot be affected in any way. That's why any sane backup system involves multiple volumes which are only connected to the system (e.g. brought online) as needed.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    9. Re: Just wait for tomorrow's news... by Anonymous Coward · · Score: 0

      But but but all those open source supporters will be able to read the code and find all the problems, right?

    10. Re:Just wait for tomorrow's news... by Anonymous Coward · · Score: 0

      And switch to what? This attack self replicates via an exploit across a local network but it infiltrates via a user executing something.

      I suggest you tell as many people as possible to stay on Windows. If Linux becomes a popular desktop OS we'll just see the same thing happening on the desktops including more focus from the NSA on finding errr inserting holes.

      Microsoft is closed source.

      Linux is not.

      I'd sure as hell rather rely on a global user community than a single company when it comes to managing and fixing code, regardless of how or why it is being exploited.

  11. Windows by hcs_$reboot · · Score: 0

    Will they ever contemplate the idea of rewriting completely that OS? It's about time.

    --
    Slashdot, fix the reply notifications... You won't get away with it...
    1. Re: Windows by Anonymous Coward · · Score: 1

      Yeah, we need new bugs and new security issues!

    2. Re:Windows by FaxeTheCat · · Score: 1

      And how would they get users to upgrade?

      Look at all the resistance to get rid of XP, and even (for Win7/8 users) getting people to do the free Win10 upgrade?

    3. Re:Windows by Xest · · Score: 2

      I'm not really sure what it would achieve given that this attack was dependent on old versions of Windows, and people being dumb.

      A new version of Windows will fix neither of these things given that installing the latest version would've already prevented it.

    4. Re:Windows by Anonymous Coward · · Score: 0

      Nag them to death, of course.

      --sf

    5. Re:Windows by Anonymous Coward · · Score: 0

      By not doing the shit that makes people avoid Win10.

      Duh.

      "Hey, why aren't people buying my pies?". How about not going round and pissing on your competition's pies and running off going "My pies don't have piss on them!". It tends to make people not want to support your business.

    6. Re:Windows by Highdude702 · · Score: 1

They should turn the Windows UI into an X Windows overlay and do what everybody has been asking for for years: turn Windows into a Linux/Unix derivative.

    7. Re:Windows by Highdude702 · · Score: 1

I would take a pie that didn't have piss on it... but not if it has a Microsoft label on it. I think I would rather have the one with piss on it that I know is an actual pie.

    8. Re:Windows by Highdude702 · · Score: 4, Informative

Uhh, you realize last month this affected 90% of Windows systems? New and old? Microsoft decided that older versions of Windows didn't matter anymore. Even in the '90s they convinced all kinds of CAT scan and MRI makers to install Windows XP or, even worse, Windows SE on their machines for ease of use... and now they refuse to give updates to people that paid $200,000-$5,000,000 for their computers. Sounds like shitty business practice to me. Now I understand Microsoft didn't sell the people the machines, but they did a damn good job of making sure their shitty OS was inside of them.

    9. Re: Windows by Aristos+Mazer · · Score: 4, Insightful

      It should be straightforward to hide those unpatched machines behind a proxy. Give them an Ethernet connection to only one other machine and let that other machine be fully patched and updatable. That's a fix, but, honestly, I'm confused why critical medical equipment is fully exposed to the network in the first place.

    10. Re:Windows by Anonymous Coward · · Score: 0

      So no Windows software would run anymore, like Windows RT. And everyone would bitch 'cause their favorite app doesn't work. Genius.

    11. Re: Windows by CaptainDork · · Score: 3, Insightful

      Or, you could hack the registry to make them self-identify as embedded and get security updates from Microsoft until 2019.

      Registry hack enables free Windows XP security updates until 2019

      --
      It little behooves the best of us to comment on the rest of us.
    12. Re:Windows by vtcodger · · Score: 1

      Microsoft tried rewriting Windows in 2001 and the years following. It was a near total disaster. I think their enthusiasm for doing THAT again is nonexistent.

      --
      You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
    13. Re:Windows by Nkwe · · Score: 2

      Uhh, you realize last month this affected 90% of Windows systems? New and old? Microsoft decided that older versions of Windows didn't matter anymore. Even know in the 90's they convinced all kinds of CAT scan and MRI makers to install Windows XP or even worse Windows SE on their machines for ease of use.. and now they refuse to give updates to people that paid $200,000-$5,000,000 for their computers. Sounds like shitty business practice to me. Now I understand Microsoft didn't sell the people the machines, but they did a damn good job of making sure their shitty OS was inside of them.

      Why would you expect Microsoft to pay for the mistake the CAT scan and MRI makers made in designing their equipment? If the MRI machine used a plastic gear to move some of the mechanics of the machine and it turned out that the gear would wear out and needed to be replaced by a metal gear, you wouldn't blame the manufacturer that made the gear or attempt to get the manufacturer to pay for a different kind of gear; you would blame the MRI designer for using a part that was inappropriate for the task at hand. The operating system is just part of the overall design of an MRI system, and if you use an OS that doesn't perform adequately over the expected life of the machine, you have made a poor engineering decision. In addition, if your operating system isn't rated as a life safety system (Windows and most operating systems are not), you may have made a dangerous engineering decision. (Yes, the software of the MRI machine that actually directly controls the dangerous part of the machine is probably embedded and rated for life safety operations, but if a compromise of the Windows software can lead to bad instructions or control limits being sent to the embedded software, you have made a dangerous design mistake.)

      Microsoft, for public relations reasons, may opt to provide support beyond their original intentions, but it ultimately comes down to a business decision. It is not Microsoft's (or any vendor's) responsibility to pay big dollars forever to compensate for bad engineering decisions of other companies.

    14. Re: Windows by Anonymous Coward · · Score: 0

      Lol the irony. My eyes are bleeding. Genius cD

    15. Re:Windows by slashrio · · Score: 2, Insightful

      And how would they get users to upgrade?

      That's not so difficult. Just keep the functionality and look-and-feel and people will be fine with an upgrade (not a down-grade to an OS that they actually don't want).

      --
      "Trump!!", the new Godwin.
    16. Re: Windows by Anonymous Coward · · Score: 0

      Tech noob here, a casual & curious reader just passing by.

      So you are telling me that one can have a yesteryear-computer, that has purposefully been absent from updates, (to avoid back-ported W10 telemetry etc), remain protected via a fully-patched computer shielding the vulnerable one by being in front of it?

      Maybe an interesting purchase. An 'el cheapo' W10 computer, and "play the game" by letting it update, etc. All defaults set to normal.
      Yes, use the actual computer I prefer, the one connected to the W10 machine... Hmmm. I like it.

    17. Re:Windows by Xest · · Score: 2

      Yes... so how would making a new version from scratch solve this problem exactly?

      I'm not sure what the relevance of the first part of your reply is - the GP said Microsoft should write a new version from scratch, I pointed out it wouldn't make much difference because only old versions were affected - you replied to me highlighting that point, so um, thanks for proving my point I guess? My comment on it relying on people being dumb is based on the fact the only infection vector is either machines sat facing the open internet with no firewall and ports wide open, or people clicking e-mail attachments. Given it's been known this is a bad idea for any computer running any OS since near enough the dawn of the web and e-mail, then yes, for this to spread it required an exceptional amount of stupidity.

      But regardless, the rest of your argument really is fucking stupid - no longer updating a 16 year old OS is not a shitty business practice? Especially when you gave a number of support extensions and gave people more than enough time and warning to upgrade? You'll find very few products in the world where the manufacturer still gives a shit after 5 years, let alone 16 years. Google for example stopped updating my Google branded Galaxy Nexus after only 18 months from UK release leaving it vulnerable. Microsoft have the longest support period of all major vendors - long support periods are one of Microsoft's greatest strengths. The fact there are people who won't upgrade ever is really not on Microsoft, especially when they had a free upgrade path to Windows 10 for 18 months, which wasn't affected, precisely because they were trying to do everything they could to get vulnerable OS off the internet.

      It also didn't affect 90% of Windows systems new and old, I don't even know where you got that fake number from and can only assume you just outright pulled it out your ass because Windows 10 marketshare is alone at 26%, Windows 7 at 48%, and then Windows 8 at 9%, XP at 7%. So 64% of the OS market was vulnerable back in March before the exploit was in the wild when Microsoft released a patch. This was patched then, leaving 16% vulnerable with no patch options, leaving 84% of the OS market safe from this exploit as of March this year if IT admins did their job, of which 74% of that share was Microsoft OS'.

      Oh, and um, Windows XP came out in 2001, so no, they weren't convincing anyone to install it in the 90s. Really, let's be honest, what you were actually saying was "I'm an open source zealot, and you said something that gives Microsoft some kind of defence so I'm going to unthinkingly pounce on you!" wasn't it? because the first half of your argument agreed with me despite being written in a tone of disagreement, and the second part is just drivel that bitches at Microsoft for the sake of bitching at Microsoft regardless of rationality.

    18. Re: Windows by Highdude702 · · Score: 1

      Easier to use a decent router and not allow any incoming traffic to your computer. But in either situation... it doesn't stop you from infecting yourself with phishing emails, or bad ads, stuff like that. Things like Chrome, Edge, IE, Firefox exploits are normally used when you load a page, and the only way to protect against those is decent AV software, adblocks, and pure knowledge of what not to do.

    19. Re:Windows by Anonymous Coward · · Score: 0

      A very good reason to switch to Linux or BSD....and implement any updates/upgrades immediately routinely.

    20. Re: Windows by Doke · · Score: 1
      Quick answer: No.

      Longer answer: A good proxy could help protect you from worms, but not from a stupid user downloading something bad, or clicking on something bad in email. Good deep-inspection proxies are also expensive. To protect against something like this, it would have to intercept the mail client protocol (probably IMAP or MAPI), unwrap any TLS encryption on it using MitM certificates, detect and decode the attachment (i.e. PDF), then decode it for embedded .docm files. That's a lot deeper than any cheap proxy can handle.

      Another issue is many people confuse firewalls and proxies. Proxies are a subtype of firewall that actually intercepts and processes the connections. Most firewalls are not proxies, and operate at a shallower level where decisions are made based on packet header source and destination information. Some next-generation (expensive) firewalls can do both.

      A home-style gateway is a low end firewall. It doesn't do deep inspection. Worse, they are normally configured to allow Universal Plug and Play (UPnP). This is a protocol that allows anything inside the firewall to request an inbound hole in the firewall. It's often used for games. So once one kind of malware is in (or many Internet of Things (IoT) devices), it opens the gates to other attacks.

      The only way I know of to protect a system like this is to air-gap it. Information is carried to and from the protected system on removable storage drives, which are always virus checked before being connected to the internal system. That's very time consuming and annoying.

    21. Re: Windows by Anonymous Coward · · Score: 0

      That's a fix, but, honestly, I'm confused why critical medical equipment is fully exposed to the network in the first place.

      In general, to be useful, it has to be connected to the network. It's not as bad as you describe it but it's not as good as one would want. Your standard MRI machine is controlled by a Windows box that is built and managed by the vendor of the MRI machine. It is pretty well locked down but still has to be accessible to the vendor, probably through a VPN that is built to go through all the other hospital security, but otherwise is pretty locked down and not (supposed to be) used for things like email or browsing. The machine itself is connected to the PACS system through several computers, which connects to a server room full of computers that handle image receiving, storage, serving, and archiving. The MRI probably also connects to several other servers, possibly by other vendors, that run special software for various purposes, but they might also get their images from the PACS system. The PACS system has to talk to the RIS, EMR, and PHI systems and probably provide them, i.e. everybody at the hospital doing their jobs, some way to look at images. It must also connect to all the workstations the doctors are on to actually review the images, quite possibly across various hospitals and networks. Then there is the Medical Records department, who are sending and receiving images to and from hospitals, patients, lawyers, etc. There is also the possibility of research systems. All in all it is a very complicated, layered system of private networks, firewalls, VPNs, tight authorizations, logging, and many other things required by HIPAA that span several IT groups, including hospital network security that is usually conservative enough that the usual problems are people losing connectivity as changes are made by any one of those IT groups and the new settings haven't been entered into the firewalls everywhere. Yet, you consider that "fully exposed to the network" as if they all had public IPs.

  12. Researchers bought some time by kevrichards · · Score: 2

    IMO it has bought them some time until the attackers figure out another way to continue the attack. Even though Wikileaks announced that it would work with the tech giants to fix the vulnerabilities, that does not seem to be the case, and it falls on the hands of organizations and people alike to keep their systems updated all the time. The NHS has now been hit by ransomware twice in a row.

    1. Re: Researchers bought some time by guruevi · · Score: 1

      In the case of NHS it's their own fault for continuing the bad practices. Typical for a government to want punishment of bad actors without any prevention.

      Microsoft knew about various vulnerabilities for years and the Wikileaks revelations have been online for quite some time, the NSA didn't want them to patch it and even now Microsoft is obfuscating the patch amongst various other fixes and forced installations of adware. Now it's too late for many people that still rely on Windows.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    2. Re:Researchers bought some time by Highdude702 · · Score: 1

      Not all systems are user updatable.

    3. Re:Researchers bought some time by Anonymous Coward · · Score: 0

      Yes, it appears researchers 'bought some time'... a few days perhaps. But also begs the question, why didn't the NSA... seeing the (at least reported) world wide chaos, fork over the $11 and activate the kill switch themselves?

  13. Lucky it was a kill switch by DrXym · · Score: 2

    In the next malware it might be "delete everything" switch.

    1. Re:Lucky it was a kill switch by Carewolf · · Score: 2

      In the next malware it might be "delete everything" switch.

      Why not both? :D

      Bonus: It would also finally put some reality into that old trope of which wire to cut.

    2. Re:Lucky it was a kill switch by Ol+Olsoc · · Score: 1

      Why not both? :D

      Why not Zoidberg?

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    3. Re:Lucky it was a kill switch by Highdude702 · · Score: 1

      Because he will just try eating the malware and then be infected himself. What good is an encrypted Zoidberg without the key?

    4. Re: Lucky it was a kill switch by Anonymous Coward · · Score: 0

      "Woom woom woom woom"

      **scurries off***

  14. Why in hell... by Anonymous Coward · · Score: 2, Insightful

    ... does any network expose SMB to the outside world?

    1. Re:Why in hell... by OolimPhon · · Score: 5, Informative

      It doesn't have to expose SMB to the outside world.

      The exploit arrives as a phishing email. Once clicked, it looks for SMB on that machine. By using SMB, it can then infect other machines on the same network - and, more importantly, behind the firewall you carefully set up to block SMB from the Internet.

      Moral: don't click on things you get randomly from the Internet. Also, don't click on things you get unexpectedly from colleagues in the same organization.

    2. Re:Why in hell... by OneSmartFellow · · Score: 1

      Thanks for the clarification.

    3. Re:Why in hell... by mikael · · Score: 3, Informative

      It does if the router is not configured to block SMB. I have a consumer router provided by my ISP. I had to dig through an entire menu system and scroll down to the very bottom of one screen to find the configuration menu option that disables SMB file sharing pass-through.

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
    4. Re:Why in hell... by Highdude702 · · Score: 1

      The number of people that plug the wire from their modem into their computer, or buy a switch thinking it's a router.. and then your whole Windows exploitbox is live for the internet to see, each with its own IP if you use a switch inline (I have seen it done many times by customers).

    5. Re:Why in hell... by Highdude702 · · Score: 1

      Are you sure that wasn't just for local LAN filesharing? If what you're saying is the case, port 445 would be in your forwarding section, as they wouldn't be able to send all traffic to all PCs, as TCP routing doesn't work like that.

    6. Re:Why in hell... by Anonymous Coward · · Score: 0

      but I'm afraid he's preaching to the choir here.

      Thank you nevertheless for the clarification.

    7. Re:Why in hell... by Anonymous Coward · · Score: 0

      Quite possible that the attack started with a blank login for AMT/IME which is within the NHS LAN. The blank login for AMT was reported here at /. and it is possible that the attack vector was strung together with port 445 (SMBv1) and that blank login.

    8. Re:Why in hell... by advocate_one · · Score: 2

      Moral: don't click on things you get randomly from the Internet. Also, don't click on things you get unexpectedly from colleagues in the same organization.

      more importantly, don't run software that can still be infected by opening an email or document?

      --
      Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
    9. Re:Why in hell... by Hank+the+Lion · · Score: 1

      I've seen it done by my ISP.
      Yes, they delivered a router for your internet access configured as a switch.
      Every computer you connected to it received a separate external IP address.
      Their customer helpdesk was clueless.
      Fortunately, this was easy to fix yourself, but a blunder of the first category nevertheless.

  15. NSA LIABILITY = $1 BILLION ? by Anonymous Coward · · Score: 5, Insightful

    Can the EU and UK sue the US NSA for damages caused by the exploitation of their dangerous creation?

    The "S" in NSA stands for "Security" -- but what happened here is the exact opposite of security, undoubtedly costing many actual lives (as people cannot go to particular hospitals, or have surgeries disrupted) and a huge amount of money, which could have been avoided if the NSA had instead helped SECURE the affected operating systems rather than developing a dangerous and effective software weapon which could be easily leaked and used by anyone on the planet to wreak havoc.

    1. Re:NSA LIABILITY = $1 BILLION ? by v1 · · Score: 1

      The "S" in NSA stands for "Security" -- but what happened here is the exact opposite of security,

      It's sort of how the Ministry of Peace and Ministry of Truth work. Everything is working exactly as designed, in spite of the name given to them.

      --
      I work for the Department of Redundancy Department.
    2. Re: NSA LIABILITY = $1 BILLION ? by Anonymous Coward · · Score: 0

      This is alleged to have originated from the NSA. Do you have *proof* that it did?

    3. Re: NSA LIABILITY = $1 BILLION ? by Anonymous Coward · · Score: 0

      Proof requires evidence, right? Evidence means "that which is seen", and we've seen evidence that it comes from the NSA.

      Therefore, yes, we have seen proof it comes from the NSA.

    4. Re:NSA LIABILITY = $1 BILLION ? by Highdude702 · · Score: 1

      The answer is no. The only people that I could see being liable would be Microsoft. You can't sue me because I found a major flaw in some software you use. Now if I proceed to use it on you and you catch me, then I think there may be grounds. But since this isn't malware distributed by the NSA.. I'm going to say that they can't be sued for it. Then again I'm only a jailhouse lawyer.

    5. Re: NSA LIABILITY = $1 BILLION ? by Anonymous Coward · · Score: 0

      If you build a bomb, and someone else kills my wife with it, I'm going to kill you.

      Get it?

    6. Re: NSA LIABILITY = $1 BILLION ? by BronsCon · · Score: 1

      In this case, Microsoft built the bomb. You can't blame the guy who saw Microsoft's bomb and reported its existence when someone else takes Microsoft's bomb and kills your wife with it. You can blame Microsoft and whoever took and used the bomb, but not the guy who reported on the bomb's existence in the first place; the bomb still existed before he reported it and would still have been used had he not reported it.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    7. Re: NSA LIABILITY = $1 BILLION ? by Anonymous Coward · · Score: 0

      In this case, Microsoft built the bomb. You can't blame the guy who saw Microsoft's bomb and reported its existence when someone else takes Microsoft's bomb and kills your wife with it. You can blame Microsoft and whoever took and used the bomb, but not the guy who reported on the bomb's existence in the first place; the bomb still existed before he reported it and would still have been used had he not reported it.

      Oh for fucks sake, knock it off already. Gun manufacturers build weapons that sometimes kill people. Drug manufacturers do the same.

      Intent matters, so in this case, the NSA found a bug and intended to abuse the shit out of it for a while before doing the right thing to report it to the vendor to be fixed, so enough with the idiotic blame-the-vendor mentality already.

  16. Obligatory: Change sentencing for these Aholes by Crashmarik · · Score: 1

    Simply put the time served should be no less than the time they cost the rest of the world. Your virus costs 10 million man hours to clean up, have fun with a 10 million man hour sentence.

    1. Re:Obligatory: Change sentencing for these Aholes by Anonymous Coward · · Score: 0

      Time? How about lives lost from the scrambling of medical records at hospitals?

      Children play with fire; adults get burned. This is serious stuff and needs to be taken seriously.

    2. Re: Obligatory: Change sentencing for these Aholes by Anonymous Coward · · Score: 0

      Spread it evenly among all NSA employees and we should be set.

    3. Re: Obligatory: Change sentencing for these Aholes by guruevi · · Score: 2

      I agree that Microsoft and the NSA should pay for it and their execs should get that sort of sentence.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
  17. Re: But by Anonymous Coward · · Score: 5, Funny

    Damn script kiddies, get off my LAN!

  18. How can I tell if I am fully patched? by jonwil · · Score: 3, Interesting

    I am on Windows 7 Home Premium and have all the patches Windows Update offers me (including "Security Monthly Quality Rollup for Windows 7 for x64-based Systems" dated for May, April, March, January, December, November and October), am I patched?

    Also, given how many exploits target these Microsoft networking protocols (NetBIOS, SMB etc) and given that I don't actually need to use these protocols for anything, is there a way to turn them off so they aren't exposed to the outside world?

    1. Re: How can I tell if I am fully patched? by Anonymous Coward · · Score: 2, Informative

      Look in the update history log for KB4012215

      More info here

      https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

    2. Re:How can I tell if I am fully patched? by UnknownSoldier · · Score: 3, Informative

      > given how many exploits target these Microsoft networking protocols (NetBIOS, SMB etc) and given that I don't actually need to use these protocols for anything, is there a way to turn them off so they aren't exposed to the outside world?

      MS has instructions on how to disable SMBv1, SMBv2, and SMBv3 here:

      * https://support.microsoft.com/...

      Windows 7, Windows Server 2008 R2, Windows Vista, and Windows Server 2008
      Windows PowerShell 2.0 or a later version of PowerShell

      To disable SMBv1 on the SMB server, run the following cmdlet:
      Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force
      To disable SMBv2 and SMBv3 on the SMB server, run the following cmdlet:
      Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB2 -Type DWORD -Value 0 -Force
      To enable SMBv1 on the SMB server, run the following cmdlet:
      Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 1 -Force
      To enable SMBv2 and SMBv3 on the SMB server, run the following cmdlet:
      Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB2 -Type DWORD -Value 1 -Force

      You can disable NetBIOS over TCP/IP:

      * https://technet.microsoft.com/...

      1. From the Network and Dial-up Connections icon in Control Panel , select Local Area Connection and right-click Properties .
      2. On the General tab, click Internet Protocol (TCP/IP) in the list of components, and click the Properties button.
      3. Click the Advanced button.
      4. Click the WINS tab. Click Disable NetBIOS over TCP/IP .

      --
      Fuck You Red Cross for hijacking the + operator and the color red in a video game hundreds of years AFTER the Templars first used red crosses.

    3. Re: How can I tell if I am fully patched? by UnknownSoldier · · Score: 1

      Specifically,

      Windows 8.1 or Windows Server 2012 R2 and later

      For client operating systems:
      1. Open Control Panel, click Programs, and then click Turn Windows features on or off.
      2. In the Windows Features window, clear the SMB1.0/CIFS File Sharing Support checkbox, and then click OK to close the window.
      3. Restart the system.

      For server operating systems:
      1. Open Server Manager and then click the Manage menu and select Remove Roles and Features.
      2. In the Features window, clear the SMB1.0/CIFS File Sharing Support check box, and then click OK to close the window.
      3. Restart the system.

      --
      Windows shit. Your mouse has moved. Please reboot. True Story
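
      A worked version of the checks and changes walked through in this reply and the one above, added here as an example; it is not code from the thread or from Microsoft's KB pages. It assumes an elevated PowerShell (2.0 or later) and uses the KB number named earlier (KB4012215), the LanmanServer SMB1 registry value and the NetBIOS over TCP/IP setting from the replies; on Windows 8.1 / Server 2012 R2 and later it uses the SmbServerConfiguration cmdlets instead of the registry. Without -Apply it only reports.

```powershell
# Added example (not code from the thread or Microsoft's KB articles).
# Audits the three things asked about above and, with -Apply, fixes two of them:
#   1. is the MS17-010 fix visible in the hotfix list (KB4012215 is the KB the reply names)?
#   2. is SMB1 enabled on the SMB server side?
#   3. is NetBIOS over TCP/IP enabled on any IP-enabled adapter?
# Assumptions: run in an elevated PowerShell; a reboot is still needed for the
# SMB server change to take effect, as Microsoft's instructions above require.
param(
    [switch]$Apply
)

$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$Ms17010Kb    = 'KB4012215'   # from the reply above (March 2017 Windows 7 rollup)

function Test-Ms17010Hotfix {
    # A hit is conclusive. A miss is not: the monthly rollups from April 2017 on are
    # cumulative and carry the same fix under their own KB numbers, so a miss means
    # "check Windows Update history by hand", not "unpatched".
    $fix = Get-HotFix -Id $Ms17010Kb -ErrorAction SilentlyContinue
    if ($fix) { Write-Host "MS17-010: $Ms17010Kb installed on $($fix.InstalledOn)" }
    else      { Write-Host "MS17-010: $Ms17010Kb not listed; check update history for a newer rollup" }
    return [bool]$fix
}

function Get-Smb1ServerState {
    # Returns $true when SMB1 is enabled on the server (LanmanServer) side.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        # Windows 8.1 / Server 2012 R2 and later expose this directly.
        return (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Windows 7 / Server 2008 R2: the same registry value the instructions above set.
    $v = (Get-ItemProperty -Path $LanmanParams -ErrorAction SilentlyContinue).SMB1
    if ($v -eq $null) { return $true }   # value absent = Windows default = enabled
    return ($v -ne 0)
}

function Disable-Smb1Server {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        # Identical to the Set-ItemProperty line quoted above, with -Name spelled out.
        Set-ItemProperty -Path $LanmanParams -Name SMB1 -Type DWORD -Value 0 -Force
    }
}

function Get-NetbiosEnabledAdapters {
    # TcpipNetbiosOptions: 0 = take the DHCP setting (normally on), 1 = enabled, 2 = disabled.
    Get-WmiObject Win32_NetworkAdapterConfiguration |
        Where-Object { $_.IPEnabled -and $_.TcpipNetbiosOptions -ne 2 }
}

function Disable-NetbiosOverTcpip {
    # Same effect as the WINS tab click-through above, for every IP-enabled adapter.
    foreach ($nic in Get-NetbiosEnabledAdapters) {
        $r = $nic.SetTcpipNetbios(2)
        Write-Host ("NetBIOS over TCP/IP disabled on '{0}' (return code {1})" -f $nic.Description, $r.ReturnValue)
    }
}

# --- report ---
$patched = Test-Ms17010Hotfix
$smb1On  = Get-Smb1ServerState
Write-Host ("SMB1 server: " + $(if ($smb1On) { 'ENABLED' } else { 'disabled' }))
$nbt = @(Get-NetbiosEnabledAdapters)
Write-Host ("NetBIOS over TCP/IP enabled on {0} adapter(s)" -f $nbt.Count)

# --- apply ---
if ($Apply) {
    if ($smb1On)          { Disable-Smb1Server; Write-Host 'SMB1 disabled on the server side; reboot to apply' }
    if ($nbt.Count -gt 0) { Disable-NetbiosOverTcpip }
} elseif ($smb1On -or $nbt.Count -gt 0 -or -not $patched) {
    Write-Host 'Re-run with -Apply to disable SMB1 and NetBIOS over TCP/IP'
}
```

      Note that this only touches the server side of SMB1 (the LanmanServer value the replies quote); the client side and SMB2/SMB3 are left alone, since disabling SMB2/3 as the quoted commands also allow would break ordinary file sharing.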

    4. Re:How can I tell if I am fully patched? by jonwil · · Score: 1

      Thanks, I turned off SMB via the command lines given and I turned off NetBIOS over TCP/IP.

      Since I don't connect my Windows PC to other Windows PCs (or to Linux machines running Samba or the like) I don't need SMB or NetBIOS, and turning them off prevents all the exploits that involve SMB/NetBIOS from working.

    5. Re:How can I tell if I am fully patched? by thegarbz · · Score: 1

      If you aren't directly exposed to the internet in the first place all you had to do was not fall for the phishing email.

    6. Re:How can I tell if I am fully patched? by Anonymous Coward · · Score: 1

      And trust anyone else on the local network not to do the same. Depending upon your situation, that might not be a reliable expectation, so it's still useful to know how to disable those protocols.

  19. Re: Obligatory: Change sentencing for these Ahole by Anonymous Coward · · Score: 0

    Spread it evenly among all Microsoft employees and we should be set.

    FTFY

    The NSA might be morally obligated to clean up the mess others made, but only Microsoft is legally obligated to clean up their own mess. Heck, they won't even permit transfer of liability: you are licensing use of the software, not buying it.

    No, IANAL

  20. Re: But by hcs_$reboot · · Score: 1

    Damn script kiddies, get off my LAN!

    That's appropriate. Younger people do not know what's a LAN!

    --
    Slashdot, fix the reply notifications... You won't get away with it...
  21. Re:But by Anonymous Coward · · Score: 2, Insightful

    I am also in two minds about this. Having it spread further could make more people realize that computer security is important, but due to the affected hospitals, people can die. This would probably be the first time that people die from a computer virus.

  22. Easy solution by Anonymous Coward · · Score: 0

    This infection via e-mail is a bit old now, no?

    We just moved all e-mail traffic to the users' smartphone (or company phone if desired)
    So if a phone is ever infected, we just replace it.

  23. URL? by nachtelfjeiu · · Score: 1

    What is the url of the kill switch?

  24. "Accidental" Hero? by gurps_npc · · Score: 5, Insightful

    That sounds pejorative to me. Most discoveries involve accidents - just ask Alexander Fleming, Christopher Columbus, or Doctor Spencer Silver (Post-it notes).

    Like all of these men, this HERO was investigating something not fully understood, stumbled by accident on something interesting, REALIZED that it was interesting and worked hard to understand exactly what it was. The realization and hard work are not common; they make the difference between a real discovery and a random day.

    This is no more accidental than 90% of scientific discoveries.

    --
    excitingthingstodo.blogspot.com
    1. Re:"Accidental" Hero? by Anonymous Coward · · Score: 0

      Indeed. It would only have been truly accidental if the guy had just decided on a lark to buy the domain in question, with no foreknowledge of the exploit or the kill switch; or maybe if he'd been about to buy a different domain, but he slipped and mashed a bunch of keys that just happened to be the right domain, then hit submit anyways.

    2. Re:"Accidental" Hero? by Anonymous Coward · · Score: 0

      I agree. This guy was doing his job, and he succeeded. He succeeded because he knew what he was doing, applied a methodology, and it worked.

      There is nothing accidental about it. Somebody somewhere is trying to save face at this researcher's expense.

  25. Re: But by Anonymous Coward · · Score: 0

    I see what you did there O.o

  26. Interesting situation by Dan+East · · Score: 1

    This brings up an interesting philosophical / moral issue. The release of this kind of source code, by Wikileaks and others, is literally giving military grade weapons to anyone with the modicum of technical knowledge required to wield it. Fortunately, in this case, the person setting it loose didn't have the technical aptitude (or couldn't even be bothered with) looking at the code and disabling or properly securing the "kill switch".

    It makes me wonder if those responsible for releasing and distributing this tool to the public could be held responsible (at least in civil courts) for the damage caused by it.

    --
    Better known as 318230.
    1. Re:Interesting situation by Anonymous Coward · · Score: 0

      I didn't check but it is likely that this killswitch code was added in the malware binary, not in the NSA exploit. I don't think it was really intended as a killswitch. I think it is a (poor) method to detect malware analysis VMs/honeypots. They often make all DNS resolve to an IP that accepts all connections. Running the ransomware in this environment would make nothing happen.

  27. Can we ... by PPH · · Score: 1

    ... just put this in our hosts file?

    --
    Have gnu, will travel.
    1. Re:Can we ... by Dwedit · · Score: 1

      The domain is already registered. If your computers have no Internet connection, the hosts file might help there.

    2. Re:Can we ... by PPH · · Score: 1

      Just thinking out loud: I wonder if this kill switch URL was distributed to gov't agencies, contractors and other insiders when the tools were originally written. Just to keep certain intranets 'clean'.

      --
      Have gnu, will travel.
    3. Re: Can we ... by Anonymous Coward · · Score: 0

      Ding ding ding come on down!!! You are the next contestant on the Price Is Right!!!!!!

  28. DNS eats more/goes down/security issues (tons) by Anonymous Coward · · Score: 0
  29. Got proof of that? Why?? by Anonymous Coward · · Score: 0

    See subject: TOR.exe's just another networking exe that rides on the IP stack & hosts is part of that + a resolver (pre remote or local DNS & can be made to be higher still in order of operations).

    APK

    P.S.=> IF you can show me proof TOR.exe does its OWN resolutions bypassing the local system IP stack? I'll listen... apk

    1. Re:Got proof of that? Why?? by Anonymous Coward · · Score: 0

      Why should he give you a proof? He is not your father.
      Google the damn thing and suck it up.

  30. Re: Here's how it works(in Radiology) by Anonymous Coward · · Score: 3, Interesting

    Most radiology scanner manufacturers require that the device be connected to the internet so that they can download system logs and troubleshoot problems. It is usually via a VPN. Some of the scanners that I know of have workstations as part of the device. The system is usually the physical scan device, an acquisition computer and a processing computer. They are configured so the technologist can be post-processing one scan while another is being acquired. The national accreditation agencies require that radiology dosage reports be sent via the internet to be summarized and to help develop standard protocols. The data is anonymized before transmission.

    In summary, no one expects computers to be reliable; it's all about cost. Even for the same manufacturer the MRI, CT and IR scanners may not be compatible. Usually the software development is outsourced. The device is FDA approved with a specific configuration. There are required directory exceptions for anti-virus scans.
    Sorry, way too much information.

  31. I only post on hosts if they apply by Anonymous Coward · · Score: 0

    Hosts work/do apply & I'll let /.'ers speak for my program: I'm going to continue using the Host File Engine. Your software is well written, functional. The Host File Engine performs exactly as promised by mmell

    his hosts program is actually pretty good by xenotransplant

    his hosts tool is actually useful for those cases in which one does indeed want to locally block stuff outright while consuming minimum system resources by alexgieg

    I've never tried to belittle (APK's) work, I've flat out said it's good by BronsCon

    take a look at the APK hosts file engine by SuperKendall

    APK is kinda right. I've tried his hosts file generating software. It works by bmo

    I like your host file system by Karmashock

    I find your hosts file admirable by vel-ex-tech

    * My code's liked + recommended & hosted by Malwarebytes' hpHosts!

    APK

    P.S.=> ... & you'll like this post too (hosts stalls TONS of threats like this one https://it.slashdot.org/comments.pl?sid=10606355&cid=54410677/ ) ...apk

    1. Re: I only post on hosts if they apply by Anonymous Coward · · Score: 0

      Ironically your hosts file doesn't seem to be blocking your shitty posts. I want my money back.

    2. Re: I only post on hosts if they apply by Anonymous Coward · · Score: 0

      Ironically your shitty posts are full of shit. His program's free.

  32. We needed to destroy the Web by Latent+Heat · · Score: 1

    in order to save it?

  33. TOR C&C domains to block WannaCry uses by Anonymous Coward · · Score: 0

    Block these TOR domains in your hosts file to paralyze WannaCry (can't talk to them for orders in the 1st place):


    * Per https://securelist.com/blog/incidents/78351/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/ [securelist.com]

    APK

    P.S.=> For the best custom hosts file creator bar-none? APK Hosts File Engine 9.0++ SR-7 32/64-bit https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22APK+Hosts+File+Engine%22+and+%22start64%22&btnG=Google+Search&gbv=1/ for protection vs. other threats online + for more speed, security, reliability & anonymity FOR LESS (yet doing more than ANY other SINGLE "so-called 'solution'" that's "Bolt on 'MoAr'" illogic-logic vs. using what you already have natively in hosts files)... apk

  34. CAT & MRI & CNC & 'whatevur' Manufactu by williamyf · · Score: 1

    uhh you realize last month this affected 90% of Windows systems? new and old? Microsoft decided that older versions of Windows didn't matter anymore. even know in the 90's they convinced all kinds of Cat Scan and MRI makers to install Windows XP or even worse Windows SE on their machines for ease of use.. and now they refuse to give updates to people that paid $200,000-$5,000,000 for their computers. sounds like shitty business practice to me. Now I understand Microsoft didn't sell the people the machines. but they did a damn good job of making sure their shitty OS was inside of them.

    1.) When said CAT/MRI/CNC/'Whatevur' manufacturers decided to use XP for their equipment, they were well aware of the support lifecycle for the OS. If the support lifecycle of the OS was not enough to cover the lifecycle of the rest of the equipment, that's the manufacturer's mistake, not Microsoft's.

    2.) Said lifecycle should have ended in 2011; instead, it lasted until 2014. Again, if the lifetime of the equipment connected with that computer exceeded this extended support lifetime of the OS, that's the manufacturer's mistake, not Microsoft's.

    3.) Many of those manufacturers (if they are still in business) are big enough to be able to negotiate a custom support agreement for said machines and therefore continue to receive patches from Microsoft to this very day (Nokia did this for our OSS and BSS equipment, this was a big deal for us in the early 2000's when WinNT4 went out of support, in my case, that was mostly the NMS10, Traffica Z1 and Performance Reporting Station, I am certain the GEs and Siemens's of this world are big enough to do this too). If the manufacturer went broke, or did not care enough about their customers to negotiate said custom support agreements for that equipment, that's the manufacturer's mistake, not Microsoft's.

    4.) There is a Windows SKU Supported with security patches until 2019 (WindowsXP POS), if the manufacturers did use plain Vanilla XP instead of WinXP POS, that's the manufacturer's fault, not Microsoft's.

    5.) If the manufacturer went broke before being able to develop a version of said SW compatible with new versions of the OS, or did not care to develop said version, or developed it, but decided to charge an arm and a leg and a kidney and a king's ransom for said SW, that's the manufacturer's fault, not Microsoft's.

    6.) If, in your tender when buying said equipment, you requested a lifetime of 15 years, failing during your due diligence to realize that the OS controlling the machine was only supported for 10 years, that mistake is yours, not Microsoft's.

    7.) If you, as a customer, are running any of this equipment, and even though your manufacturer negotiated an extended support contract, or used WinXP POS, you delayed applying said patches (or even worse, disabled updates entirely), it is your fault, dear user, not Microsoft's.

    8.) If you are running equipment with plain vanilla XP, with no custom support contracts, and failed to mitigate said possible risk according to manufacturer guidance and/or best practices, the fault is yours, dear user, not Microsoft's. For instance, many of these systems are supposed to run on a separate network (or even air-gapped), and yet I've seen them end up on a shared network with all the office equipment and lots of shared folders to/from the rest of the network...

    So, let's put blame where blame is.

    --
    *** Good luck to everyone and have a happy day!
  35. Not so fast... by Picodon · · Score: 3, Informative

    Malwarebytes wrote: “This was probably some kind of kill switch... UPDATE: The second argument to InternetOpenA is 1 (INTERNET_OPEN_TYPE_DIRECT), so the worm will still work on any system that requires a proxy to access the Internet, which is the case on the majority of corporate networks.”

  36. Re:CAT & MRI & CNC & 'whatevur' Manufa by LinuxIsGarbage · · Score: 1

    4.) "Windows POS Ready 2009" is the SKU you're referring to. As the name suggests it was intended for point-of-sale devices, and was released in 2009.
    This Microsoft Lifecycle page shows the lifecycle of embedded products. POS Ready was based on "Windows Embedded Standard 2009", which is the last revision of XP Embedded, with a similar end-of-life date.

    A lot of these "embedded" XP systems were probably released between 2001-2009 (the original heyday of XP) and didn't include a SKU that would be released in the future with longer support. Even if they included "Windows XP Embedded", "Windows XP Embedded Service Pack 3" support ended in 2016.

  37. Malwaretechblog by Anonymous Coward · · Score: 0

    I'm going to say that the hero here is also the author of the malware. Perhaps they let it out and hoped to get goodwill or perhaps some extra business helping to clean the malware. The rest is history...

  38. Re:CAT & MRI & CNC & 'whatevur' Manufa by williamyf · · Score: 1

    From the link you provided:

    Windows Embedded Standard 2009. This product is an updated release of the toolkit and componentized version of Windows XP. It was originally released in 2008, and Extended Support will end on January 8, 2019.

    Windows Embedded POSReady 2009. This product for point of sale devices reflects the updates available in Windows Embedded Standard 2009. It was originally released in 2009, and extended support will end on April 9, 2019.

    Since these SKUs are still based on XP, it should have been trivial for the manufacturer to certify their product to these versions released 3 and 2 years (respectively) from the planned end of support of vanilla XP (2011), and 6 and 5 years (respectively) from the effective end of support of XP (2014), without charging an arm, a leg, a kidney, and a king's ransom for it...

    This "recertification" of sorts would have extended the support 8 years from the planned end of support, and 5 from the actual one. So, still, the manufacturer's fault for not doing it.

    Having said that, thank you for the correction and the link, if only slashdot let me edit posts, I'd gladly edit mine, and give you credit about it.

    --
    *** Good luck to everyone and have a happy day!
  39. Track the bitcoin = find the culprit by Anonymous Coward · · Score: 0

    Why is it so difficult to catch the culprit? In order to get the antidote, the victim has to send bitcoins to a given wallet. Given that the ledger is open and public, we can all see all the transactions in and out of this wallet. Presumably, if a lot of bitcoins accumulate in this wallet, it should not be easy to convert all of them into hard cash. The attacker at some point will have to use an exchange or transfer these bitcoins to someone who can use the exchange.

    So my question is: Given that we can all trace all the transactions in and out of this wallet and any other subsequent transactions, why is it so difficult to find these criminals?

  40. Kudos; yet now everyone knows! by martinfb · · Score: 1

    Pay that researcher a well deserved bonus for saving lots of money and aggravation.

    Yet, am I naive, or would the public notification that the "kill switch" has been found and activated - for this version - prompt the culprit to release another mod of this malware?!
    Would it make sense to keep this info (publicly) hush for a while?
    At least long enough to allow a more permanent solution to be distributed?

    --
    Self-importance and self-indulgence is the root of ALL evil.
  41. Wrong: Blocking 1 hostname stalls it... apk by Anonymous Coward · · Score: 0

    Wrong: Block it in router firewall (or hosts + software firewall) 0.0.0.0 iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com it stops working & TOR doesn't access THAT in this version of the malware!

    I.E.-> It's a dummy the creator of it MADE to protect his own network obviously (no doubt using the methods I just extolled) & yes I added it to my firewalls (hardware + software) + hosts just in case after seeing it @ malwr.com & norton safeweb too!

    APK

    P.S.=> Guess what? I was RIGHT as usual - that domain/hostname (that didn't exist) KILLS IT/stops it working - blocking it the way I note does the job... apk

  42. Wrong: Blocking 1 hostname stalls it... apk by Anonymous Coward · · Score: 0

    Wrong: Block this host-domain name in router firewall/hosts/software firewall 0.0.0.0 iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com it stops working!

    THAT's WHAT THIS ARTICLE's ABOUT ON THIS VERSION OF THIS MALWARE!

    I.E.-> It's a dummy the creator of it MADE to protect his own network obviously (no doubt using the methods I just extolled) & yes I added it to my firewalls (hardware + software) + hosts just in case after seeing it @ malwr.com & norton safeweb too!

    By the way - your TOR note (which sux it's so slow)? ONLY if they are an EXIT node & that way only is it as you say!

    APK

    P.S.=> Guess what? I was RIGHT - that domain/hostname (that didn't exist & BLOCKING IT makes sure IT DOES NOT EXIST (even if registered by someone which it NOW is - you can't REACH it so as far as this malware OR your IP stack is concerned? It does NOT exist & MALWARE SHUTS ITSELF OFF if blocked thus above). Yes, it KILLS IT/stops it working - blocking it the way I note does the job... apk
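A defender-side check, added here as example code (not from any commenter, Malwarebytes or MalwareTech), tying the INTERNET_OPEN_TYPE_DIRECT detail in comment 35 to the hosts-file advice in comments 41 and 42: it audits a hosts file for entries that sink the kill-switch domain quoted above and models when the worm's check actually succeeds. The sample hosts lines are constructed.

```python
"""Added example: audit a hosts file for entries that sink the WannaCry
kill-switch domain, and model the worm's go/no-go check as the thread
describes it (a DIRECT, non-proxied HTTP request must succeed)."""
import ipaddress

# Domain quoted in the thread; the worm stops only if it can reach it.
KILL_SWITCH_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"
# Addresses commonly used to "block" a name via the hosts file.
SINK_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1"}


def parse_hosts(text):
    """Return [(address, [hostnames])] from hosts-file text. Comments and
    malformed lines are skipped; hostnames are lower-cased."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not an address, ignore the line
        entries.append((parts[0], [h.lower() for h in parts[1:]]))
    return entries


def hosts_sinks_domain(text, domain=KILL_SWITCH_DOMAIN):
    """True if the hosts file maps the domain to a sink address."""
    domain = domain.lower()
    return any(addr in SINK_ADDRESSES and domain in names
               for addr, names in parse_hosts(text))


def kill_switch_fires(domain_registered, direct_egress_allowed, hosts_text):
    """Model of the check: the worm halts only when a direct request to the
    domain succeeds. A hosts-file sink, a firewall block or a proxy-only
    network all make the request fail, so the worm keeps spreading."""
    if hosts_sinks_domain(hosts_text):
        return False          # name resolves to a sink: request fails
    if not direct_egress_allowed:
        return False          # INTERNET_OPEN_TYPE_DIRECT ignores the proxy
    return domain_registered  # only a live, reachable domain halts it


# Constructed sample hosts files for the checks.
CLEAN_HOSTS = "127.0.0.1 localhost\n# comment line\n"
BLOCKED_HOSTS = CLEAN_HOSTS + "0.0.0.0 " + KILL_SWITCH_DOMAIN.upper() + "  # 'blocked'\n"
```

The point for operators is in the last function: sinking the domain locally or forcing traffic through a proxy both make the check fail, which is the opposite of what the hosts-file advice intends.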

  43. Lauren Weinstein? by Anonymous Coward · · Score: 0

    Wasn't Weinstein shitcanned after weeks straight of political spam (see their posting history)? Why are they back and being taken seriously for anything?

  44. Great by campuscodi · · Score: 1

    If you'd really cared about MalwareTech's privacy you wouldn't have given this much attention to the fact he was doxxed. Now even more people will know about it. The journalists that wrote about MalwareTech being doxxed are as bad as the ones who first doxxed him.