'Accidental Hero' Finds Kill Switch To Stop Wana Decrypt0r Ransomware (theguardian.com)

"An 'accidental hero' has halted the global spread of the WannaCry ransomware that has wreaked havoc on organizations..." writes The Guardian. An anonymous reader quotes their report: A cybersecurity researcher tweeting as @malwaretechblog, with the help of Darien Huss from security firm Proofpoint, found and implemented a "kill switch" in the malicious software that was based on a cyber-weapon stolen from the NSA. The kill switch was hardcoded into the malware in case the creator wanted to stop it from spreading. This involved a very long nonsensical domain name that the malware makes a request to -- just as if it was looking up any website -- and if the request comes back and shows that the domain is live, the kill switch takes effect and the malware stops spreading. Of course, this relies on the creator of the malware registering the specific domain. In this case, the creator failed to do this. And @malwaretechblog did early Friday morning (Pacific Time), stopping the rapid proliferation of the ransomware.
You can read their first-person account of the discovery here, which insists that registering the domain "was not a whim. My job is to look for ways we can track and potentially stop botnets..." Friday they also tweeted a map from the New York Times showing that registering that domain provided more time for U.S. sites to patch their systems. And Friday night they added "IP addresses from our [DNS] sinkhole have been sent to FBI and ShadowServer so affected organizations should get a notification soon. Patch ASAP."

UPDATE: Slashdot reader Lauren Weinstein says some antivirus services (and firewalls incorporating their rules) are mistakenly blocking that site as a 'bad domain', which allows the malware to continue spreading. "Your systems MUST be able to access the domain above if this malware blocking trigger is to be effective, according to the current reports that I'm receiving!"

11 of 182 comments

  1. Factsheet by Anonymous Coward · Score: 5, Informative

    Here is a factsheet: https://gist.github.com/slider23/bd617d0d376047c05d18980fde306840
    The domain in question is "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com".

  2. Here's how it works by Okian+Warrior · Score: 4, Informative

    There's a good summary over at github.

    Essentially, the malware looks for port 445 (SMB) on local computers and the internet. If you have this port open on the internet, and have older than Win10, and haven't updated with the Mar 2 patch, then you're vulnerable.

    Note that WinXP has about 8% market share and cannot be patched. You can get infected from another machine on the local subnet as well.

    Here is a good detailed description of how it works and what it does.

    Note that the propagation has halted for now, however the virus also installs a rootkit on the user's machine. If the virus writer realizes that the domain has been taken, he could remotely change the hard-coded domain name on every currently-infected machine, thus restarting the propagation process.

    1. Re:Here's how it works by Anonymous Coward · Score: 4, Informative
    2. Re: Here's how it works by Anonymous Coward · Score: 2, Informative

      For those saying how terrible that people are running unpatched, some hospital equipment runs on XP and the only update possible is sometimes to buy a new scanner, which is not necessarily affordable. It can have knock on effects elsewhere in the infrastructure too.

      Even just verifying that a scanner produced the same output with a new operating system on the front end, where this is possible, is not necessarily cheap to do.

  3. TOR C&C domains to block WannaCry uses by Anonymous Coward · Score: 0, Informative

    Block these TOR domains in your hosts file to paralyze WannaCry (can't talk to them for orders in the 1st place):

    0.0.0.0 gx7ekbenv2riucmf.onion
    0.0.0.0 57g7spgrzlojinas.onion
    0.0.0.0 Xxlvbrloxvriy2c5.onion
    0.0.0.0 76jdd2ir2embyv47.onion
    0.0.0.0 cwwnhwhlz52maqm7.onion
    0.0.0.0 sqjolphimrr7jqw6.onion

    * Per https://securelist.com/blog/incidents/78351/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/

    APK

    P.S.=> For the best custom hosts file creator bar-none? APK Hosts File Engine 9.0++ SR-7 32/64-bit https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22APK+Hosts+File+Engine%22+and+%22start64%22&btnG=Google+Search&gbv=1/ for protection vs. other threats online + for more speed, security, reliability & anonymity FOR LESS (yet doing more than ANY other SINGLE "so-called 'solution'" that's "Bolt on 'MoAr'" illogic-logic vs. using what you already have natively in hosts files)... apk

  4. Re:Why in hell... by OolimPhon · Score: 5, Informative

    It doesn't have to expose SMB to the outside world.

    The exploit arrives as a phishing email. Once clicked, it looks for SMB on that machine. By using SMB, it can then infect other machines on the same network - and, more importantly, behind the firewall you carefully set up to block SMB from the Internet.

    Moral: don't click on things you get randomly from the Internet. Also, don't click on things you get unexpectedly from colleagues in the same organization.

  5. Re: How can I tell if I am fully patched? by Anonymous Coward · Score: 2, Informative

    Look in the update history log for KB4012215

    More info here

    https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

  6. Re:How can I tell if I am fully patched? by UnknownSoldier · Score: 3, Informative

    > given how many exploits target these Microsoft networking protocols (NetBIOS, SMB etc) and given that I don't actually need to use these protocols for anything, is there a way to turn them off so they aren't exposed to the outside world?

    MS has instructions on how to disable SMBv1, SMBv2, and SMBv3 here:

    * https://support.microsoft.com/...

    Windows 7, Windows Server 2008 R2, Windows Vista, and Windows Server 2008
    Windows PowerShell 2.0 or a later version of PowerShell

    To disable SMBv1 on the SMB server, run the following cmdlet:
    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force
    To disable SMBv2 and SMBv3 on the SMB server, run the following cmdlet:
    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB2 -Type DWORD -Value 0 -Force
    To enable SMBv1 on the SMB server, run the following cmdlet:
    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 1 -Force
    To enable SMBv2 and SMBv3 on the SMB server, run the following cmdlet:
    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB2 -Type DWORD -Value 1 -Force

    You can disable NetBIOS over TCP/IP:

    * https://technet.microsoft.com/...

    1. From the Network and Dial-up Connections icon in Control Panel, select Local Area Connection and right-click Properties.
    2. On the General tab, click Internet Protocol (TCP/IP) in the list of components, and click the Properties button.
    3. Click the Advanced button.
    4. Click the WINS tab. Click Disable NetBIOS over TCP/IP.

    --
    Fuck You Red Cross for hijacking the + operator and the color red in a video game hundreds of years AFTER the Templars first used red crosses.
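The two comments above ask "how can I tell if I am fully patched" and how to turn SMBv1 and NetBIOS off. The script below is an added, read-only audit for one Windows host (it is not code from the thread or from Microsoft): it reads the same LanmanServer\Parameters registry values the Set-ItemProperty commands above write, looks for the update named in comment 5 via Get-HotFix, and lists adapters that still have NetBIOS over TCP/IP on. KB4012215 is the only KB the thread names (the Windows 7 / Server 2008 R2 monthly rollup); other Windows versions carry the MS17-010 fix under other KB numbers, so pass those through -KnownKBs. The function and property names are this example's own.

```powershell
# Added example, not from the thread or Microsoft: read-only MS17-010 / SMBv1 audit
# of the local host. Windows PowerShell 2.0 or later; run in an elevated session.
function Get-Ms17010Audit {
    param([string[]]$KnownKBs = @('KB4012215'))   # KB from comment 5; extend per MS17-010

    $paramsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $props = Get-ItemProperty -Path $paramsKey -ErrorAction SilentlyContinue

    # The SMB1/SMB2 values are usually absent, and absent means "enabled" (the default).
    # Only an explicit 0, as written by the Set-ItemProperty commands above, turns them off.
    $smb1Enabled = ($null -eq $props.SMB1) -or ($props.SMB1 -ne 0)
    $smb2Enabled = ($null -eq $props.SMB2) -or ($props.SMB2 -ne 0)

    # Get-HotFix reads Win32_QuickFixEngineering; rollups are listed by their KB id.
    $installed = @(Get-HotFix -ErrorAction SilentlyContinue | ForEach-Object { $_.HotFixID })
    $matched   = @($KnownKBs | Where-Object { $installed -contains $_ })

    # NetBIOS over TCP/IP per adapter: TcpipNetbiosOptions 0 = use DHCP setting,
    # 1 = enabled, 2 = disabled (what the WINS tab steps above set).
    $nbtAdapters = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        Where-Object { $_.TcpipNetbiosOptions -ne 2 } |
        ForEach-Object { $_.Description })

    $os = Get-WmiObject Win32_OperatingSystem

    New-Object PSObject -Property @{
        ComputerName     = $env:COMPUTERNAME
        OSVersion        = "$($os.Caption) $($os.Version)"
        SMB1Enabled      = $smb1Enabled
        SMB2Enabled      = $smb2Enabled
        MatchedKBs       = $matched
        MS17010Present   = ($matched.Count -gt 0)
        NetBiosEnabledOn = $nbtAdapters
        # The worm's vector needs SMBv1 reachable AND the fix missing; either change closes it.
        ExposedViaSMB1   = ($smb1Enabled -and ($matched.Count -eq 0))
    }
}

$audit = Get-Ms17010Audit
$audit | Format-List ComputerName, OSVersion, SMB1Enabled, SMB2Enabled, MS17010Present,
                     MatchedKBs, NetBiosEnabledOn, ExposedViaSMB1

if ($audit.ExposedViaSMB1) {
    Write-Warning 'SMBv1 is enabled and no MS17-010 update was found: install the update, or disable SMBv1 with the Set-ItemProperty command above, then reboot.'
}
```

Run it on each host you manage rather than trusting a single "is port 445 open to the Internet" check: as comment 4 points out, the worm spreads over SMB inside the network once one machine is infected, so a host behind a perimeter firewall with SMBv1 on and the update missing is still exposed.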

  7. Re:Why in hell... by mikael · Score: 3, Informative

    It does if the router is not configured to block SMB. I have a consumer router provided by my ISP. I had to dig through an entire menu system and scroll down to the very bottom of one screen to find the configuration menu option that disables SMB file sharing pass-through.

    --
    Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads

  8. Re:Windows by Highdude702 · Score: 4, Informative

    uhh you realize last month this affected 90% of Windows systems? new and old? Microsoft decided that older versions of Windows didn't matter anymore. even know in the 90's they convinced all kinds of Cat Scan and MRI makers to install Windows XP or even worse Windows SE on their machines for ease of use.. and now they refuse to give updates to people that paid $200,000-$5,000,000 for their computers. Sounds like shitty business practice to me. Now I understand Microsoft didn't sell the people the machines. but they did a damn good job of making sure their shitty OS was inside of them.

  9. Not so fast... by Picodon · Score: 3, Informative

    Malwarebytes wrote: “This was probably some kind of kill switch... UPDATE: The second argument to InternetOpenA is 1 (INTERNET_OPEN_TYPE_DIRECT), so the worm will still work on any system that requires a proxy to access the Internet, which is the case on the majority of corporate networks.”
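The story's UPDATE (antivirus and firewall rules mistakenly blocking the kill-switch domain) and the Malwarebytes note just above (the worm opens its connection with INTERNET_OPEN_TYPE_DIRECT, i.e. without a proxy) together mean that the only test that matters is whether a plain, unproxied HTTP connection to that domain succeeds from inside your network. The script below is an added example, not code from the thread, Malwarebytes or MalwareTech: it resolves the domain given in comment 1, then attempts the connection once with no proxy (the path the worm takes) and once through the system proxy (for comparison). The function names, the probe logic and the timeout are this example's own choices; any HTTP response, including an error status, counts as reachable, because the worm only checks that the request handle was obtained, not what the server returned.

```powershell
# Added example: verify the WannaCry kill-switch domain is reachable the way the
# worm tests it (direct HTTP, no proxy). Windows PowerShell 2.0 or later.

function Invoke-HttpProbe {
    # Returns $true if an HTTP connection to $Url was established, using $Proxy
    # ($null = connect directly, mirroring INTERNET_OPEN_TYPE_DIRECT).
    param([string]$Url, $Proxy, [int]$TimeoutMs)
    try {
        $req = [System.Net.WebRequest]::Create($Url)
        $req.Proxy   = $Proxy
        $req.Timeout = $TimeoutMs
        $req.Method  = 'GET'
        $resp = $req.GetResponse()
        $resp.Close()
        return $true
    } catch [System.Net.WebException] {
        # A 4xx/5xx still proves the TCP connection and request went through;
        # only failures with no response at all (blocked, reset, timeout) count as unreachable.
        return ($null -ne $_.Exception.Response)
    } catch {
        return $false
    }
}

function Test-KillSwitchReachability {
    param(
        [string]$Domain = 'www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com',  # from comment 1
        [int]$TimeoutMs = 5000
    )
    $result = New-Object PSObject -Property @{
        Domain = $Domain; Resolves = $false; Addresses = @()
        DirectHttp = $false; ProxiedHttp = $false; Error = $null
    }

    # Step 1: DNS. A resolver that returns nothing (or an internal block page) fails here.
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($Domain)
        $result.Addresses = @($addrs | ForEach-Object { $_.IPAddressToString })
        $result.Resolves  = ($result.Addresses.Count -gt 0)
    } catch {
        $result.Error = "DNS: $($_.Exception.Message)"
        return $result
    }

    # Step 2a: direct connection, the path the worm uses.
    $result.DirectHttp  = Invoke-HttpProbe -Url "http://$Domain/" -Proxy $null -TimeoutMs $TimeoutMs
    # Step 2b: via the machine's configured proxy, for comparison only.
    $sysProxy = [System.Net.WebRequest]::GetSystemWebProxy()
    $result.ProxiedHttp = Invoke-HttpProbe -Url "http://$Domain/" -Proxy $sysProxy -TimeoutMs $TimeoutMs
    return $result
}

$r = Test-KillSwitchReachability
$r | Format-List Domain, Resolves, Addresses, DirectHttp, ProxiedHttp, Error

if (-not $r.DirectHttp) {
    Write-Warning "Direct HTTP to $($r.Domain) failed. Infected hosts on this network will not hit the kill switch; check DNS filtering, web-category blocking and egress firewall rules for this domain."
}
```

A result of ProxiedHttp = $true with DirectHttp = $false is the case Malwarebytes describes: the domain is fine from a browser, but the worm's direct request never gets out, so the kill switch gives that network no protection and patching remains the only fix.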