Slashdot Mirror
'Accidental Hero' Finds Kill Switch To Stop Wana Decrypt0r Ransomware (theguardian.com)
"An 'accidental hero' has halted the global spread of the WannaCry ransomware that has wreaked havoc on organizations..." writes The Guardian. An anonymous reader quotes their report:
A cybersecurity researcher tweeting as @malwaretechblog, with the help of Darien Huss from security firm Proofpoint, found and implemented a "kill switch" in the malicious software that was based on a cyber-weapon stolen from the NSA. The kill switch was hardcoded into the malware in case the creator wanted to stop it from spreading. This involved a very long nonsensical domain name that the malware makes a request to -- just as if it was looking up any website -- and if the request comes back and shows that the domain is live, the kill switch takes effect and the malware stops spreading. Of course, this relies on the creator of the malware registering the specific domain. In this case, the creator failed to do this. And @malwaretechblog did early Friday morning (Pacific Time), stopping the rapid proliferation of the ransomware.
You can read their first-person account of the discovery here, which insists that registering the domain "was not a whim. My job is to look for ways we can track and potentially stop botnets..." Friday they also tweeted a map from the New York Times showing that registering that domain provided more time for U.S. sites to patch their systems. And Friday night they added "IP addresses from our [DNS] sinkhole have been sent to FBI and ShadowServer so affected organizations should get a notification soon. Patch ASAP."
UPDATE: Slashdot reader Lauren Weinstein says some antivirus services (and firewalls incorporating their rules) are mistakenly blocking that site as a 'bad domain', which allows the malware to continue spreading. "Your systems MUST be able to access the domain above if this malware blocking trigger is to be effective, according to the current reports that I'm receiving!"
You can read their first-person account of the discovery here, which insists that registering the domain "was not a whim. My job is to look for ways we can track and potentially stop botnets..." Friday they also tweeted a map from the New York Times showing that registering that domain provided more time for U.S. sites to patch their systems. And Friday night they added "IP addresses from our [DNS] sinkhole have been sent to FBI and ShadowServer so affected organizations should get a notification soon. Patch ASAP."
UPDATE: Slashdot reader Lauren Weinstein says some antivirus services (and firewalls incorporating their rules) are mistakenly blocking that site as a 'bad domain', which allows the malware to continue spreading. "Your systems MUST be able to access the domain above if this malware blocking trigger is to be effective, according to the current reports that I'm receiving!"
A new version of WannaCry ransomware is on the loose!
This is a game of cat and mouse, so don't assume you have won.
Anons need not reply. Questions end with a question mark.
... does any network expose SMB to the outside world?
Can the EU and UK sue the US NSA for damages caused by the exploitation of their dangerous creation?
The "S" in NSA stands for "Security" -- but what happened here is the exact opposite of security, undoubtedly costing many actual lives (as people cannot go to particular hospitals, or have surgeries disrupted) and a huge amount of money, which could have been avoided if the NSA had instead helped SECURE the affected operating systems rather than developing a dangerous and effective software weapon which could be easily leaked and used by anyone on the planet to wreak havoc.
I am also in two minds about this. Having it spread further could make more people realize that computer security is important, but due to the affected hospitals, people can die. This would probably be the first time that people die from a computer virus.
So the malware author is someone using a western keyboard layout then.
Sadly not - with that long of a (presumably) randomly generated string, the odds that it is taken are so minuscule that you wouldn't bother checking, precisely because that might leave a trail. If I were doing the same thing, I'd generate a nice long random string and happily presume that it's still available.
That sounds pejorative to me. Most discoveries involve accidents - just ask Alexander Fleming, Christopher Colombus, or Doctor Spencer Silver (post it notes).
Like all of these men, this HERO, was investigating something not fully understood, stumbled by accident on something interesting, REALIZED that it was interesting and worked hard to understand exactly what it was. The realization and hard work are not common, they make the difference between a real discovery and a random day.
This is no more accidental than 90% of scientific discoveries.
excitingthingstodo.blogspot.com
It should be straightforward to hide those unpatched machines behind a proxy. Give them an Ethernet connection to only one other machine and let that other machine be fully patched and updatable. That's a fix, but, honestly, I'm confused why critical medical equipment is fully exposed to the network in the first place.
Or, you could hack the registry to make them self-identify as embedded and get security updates from Microsoft until 2019.
Registry hack enables free Windows XP security updates until 2019
It little behooves the best of us to comment on the rest of us.
And how would they get users to upgrade?
That's not so difficult. Just keep the functionality and look-and-feel and people will be fine with an upgrade (not a down-grade to an OS that they actually don't want).
"Trump!!", the new Godwin.