Slashdot Mirror
'Accidental Hero' Finds Kill Switch To Stop Wana Decrypt0r Ransomware (theguardian.com)
"An 'accidental hero' has halted the global spread of the WannaCry ransomware that has wreaked havoc on organizations..." writes The Guardian. An anonymous reader quotes their report:
A cybersecurity researcher tweeting as @malwaretechblog, with the help of Darien Huss from security firm Proofpoint, found and implemented a "kill switch" in the malicious software that was based on a cyber-weapon stolen from the NSA. The kill switch was hardcoded into the malware in case the creator wanted to stop it from spreading. This involved a very long nonsensical domain name that the malware makes a request to -- just as if it was looking up any website -- and if the request comes back and shows that the domain is live, the kill switch takes effect and the malware stops spreading. Of course, this relies on the creator of the malware registering the specific domain. In this case, the creator failed to do this. And @malwaretechblog did early Friday morning (Pacific Time), stopping the rapid proliferation of the ransomware.
You can read their first-person account of the discovery here, which insists that registering the domain "was not a whim. My job is to look for ways we can track and potentially stop botnets..." Friday they also tweeted a map from the New York Times showing that registering that domain provided more time for U.S. sites to patch their systems. And Friday night they added "IP addresses from our [DNS] sinkhole have been sent to FBI and ShadowServer so affected organizations should get a notification soon. Patch ASAP."
UPDATE: Slashdot reader Lauren Weinstein says some antivirus services (and firewalls incorporating their rules) are mistakenly blocking that site as a 'bad domain', which allows the malware to continue spreading. "Your systems MUST be able to access the domain above if this malware blocking trigger is to be effective, according to the current reports that I'm receiving!"
You can read their first-person account of the discovery here, which insists that registering the domain "was not a whim. My job is to look for ways we can track and potentially stop botnets..." Friday they also tweeted a map from the New York Times showing that registering that domain provided more time for U.S. sites to patch their systems. And Friday night they added "IP addresses from our [DNS] sinkhole have been sent to FBI and ShadowServer so affected organizations should get a notification soon. Patch ASAP."
UPDATE: Slashdot reader Lauren Weinstein says some antivirus services (and firewalls incorporating their rules) are mistakenly blocking that site as a 'bad domain', which allows the malware to continue spreading. "Your systems MUST be able to access the domain above if this malware blocking trigger is to be effective, according to the current reports that I'm receiving!"
I suppose pre-registering the domain would effectively be adding a signature admitting liability
Here is a factsheet: https://gist.github.com/slider23/bd617d0d376047c05d18980fde306840
The domain in question is "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com".
For my education please - I mean step-by-step. I can see it's a phishing thing. I can see it could copy itself to SMB 1 shares. But...err...then what? How did it spread, or did it not spread and the impact is 'only' to the files visible on the original machine?
Reminds me an awful lot of the old I Love You virus, which was a vbs script and which copied itself to shares as well. This new one is more sophisticated obviously, but I was around for that particular piece of 'fun'.
We needed this to spread further, we needed a shock to the system so we change our security practices... all this "hero" did was ensure the next time this happens it will be even more devastating.
On the Oregon Cost born and raised, On the beach is where I spent most of my days
There's a good sumamry over at github.
Essentially, the malware looks for port 445 (SMB) on local computers and the internet. If you have this port open on the internet, and have older than Win10, and haven't updated with the Mar 2 patch, then you're vulnerable.
Note that WinXP has about 8% market share and cannot be patched. You can get infected from another machine on the local subnet as well.
Here is a good detailed description of how it works and what it does.
Note that the propagation has halted for now, however the virus also installs a rootkit on the user's machine. If the virus writer realizes that the domain has been taken, he could remotely change the hard-coded domain name on every currently-infected machine, thus restarting the propagation process.
I beg to disagree, totally, despite of what she says.
Slashdot, fix the reply notifications... You won't get away with it...
A new version of WannaCry ransomware is on the loose!
This is a game of cat and mouse, so don't assume you have won.
Anons need not reply. Questions end with a question mark.
They are not as safe as people think..
While it seems the need urgency level is lower than for windows, Macs are good at updating the system efficiently in a less obtrusive way
Slashdot, fix the reply notifications... You won't get away with it...
IMO it has bought them some time until the attackers figure out another way to continue the attack. Even when the Wikileaks announced that it will work with the tech giants to fix the vulnerabilities but it does not seem to be the case, but it falls on the hands of organizations and people alike to keep their systems updated all the time. NHS has now been hit by ransomware twice in a row.
In the next malware it might be "delete everything" switch.
Yeah, we need new bugs and new security issues!
And how would they get users to upgrade?
Look at all the resistance to get rid of XP, and even (for Win7/8 users) getting people to do the free Win10 upgrade?
... does any network expose SMB to the outside world?
I'm not really sure what it would achieve given that this attack was dependent on old versions of Windows, and people being dumb.
A new version of Windows will fix neither of these things given that installing the latest version would've already prevented it.
Can the EU and UK sue the US NSA for damages caused by the exploitation of their dangerous creation?
The "S" in NSA stands for "Security" -- but what happened here is the exact opposite of security, undoubtedly costing many actual lives (as people cannot go to particular hospitals, or have surgeries disrupted) and a huge amount of money, which could have been avoided if the NSA had instead helped SECURE the affected operating systems rather than developing a dangerous and effective software weapon which could be easily leaked and used by anyone on the planet to wreak havoc.
Simply put the time served should be no less than the time they cost the rest of the world. Your virus costs 10 million man hours to clean up, have fun with a 10 million man hour sentence.
Damn script kiddies, get off my LAN!
I am on Windows 7 Home Premium and have all the patches Windows Update offers me (including "Security Monthly Quality Rollup for Windows 7 for x64-based Systems" dated for May, April, March, January, December, November and October), am I patched?
Also, given how many exploits target these Microsoft networking protocols (NetBIOS, SMB etc) and given that I dont actually need to use these protocols for anything, is there a way to turn them off so they aren't exposed to the outside world?
Damn script kiddies, get off my LAN!
That's appropriate. Younger people do not know what's a LAN!
Slashdot, fix the reply notifications... You won't get away with it...
I am also in two minds about this. Having it spread further could make more people realize that computer security is important, but due to the affected hospitals, people can die. This would probably be the first time that people die from a computer virus.
What? I don't find OS X better (or worse) at patching than Windows. Quite often a restart is required, which does not fit into the definition of "unobtrusively."
What is the url of the kill switch?
That sounds pejorative to me. Most discoveries involve accidents - just ask Alexander Fleming, Christopher Colombus, or Doctor Spencer Silver (post it notes).
Like all of these men, this HERO, was investigating something not fully understood, stumbled by accident on something interesting, REALIZED that it was interesting and worked hard to understand exactly what it was. The realization and hard work are not common, they make the difference between a real discovery and a random day.
This is no more accidental than 90% of scientific discoveries.
excitingthingstodo.blogspot.com
This won't accomplish what you intend - the .onion addresses are looked up within Tor, bypassing your standard DNS infrastructure.
With the way software is written today, And i was told there was a security patch for an OS component that didnt require a restart, I would still fear that the issue in question was not completely patched. and maybe just had a bandaid attached to it with a little bit of bubblegum. as ive seen too many times that one security patch turns into a new 0day the very next day. The white hat hackers are smart. and they do alot of good. and the black hats just try to stay a step ahead of the whitehat. the real winners are the grey hats. they have the real knowledge and alot of time you cant tell the difference between them and the other hackers. and most of the time they work real deep in the industry.
They should turn the Windows UI into an x-windows overlay and do what everybody has been asking for years. turn windows into a Linux/Unix derivative.
i would a pie that didnt have piss on it.. but not if it has a Microsoft label on it.. think i would rather have the one with Piss on it that i know is an actual pie.
uhh you realize last month this effected 90% of windows systems? new and old? microsoft decided that older versions of windows didnt matter anymore. even know in the 90's they convinced all kinds of Cat Scan and MRI makers to install windows XP or even worse windows SE on their machines for ease of use.. and now they refuse to give updates to people that paid $200,000-$5,000,000 for their computers. sounds like shitty business practice to me. Now i understand microsoft didnt sell the people the machines. but they did a damn good job of making sure their shitty OS was inside of them.
It should be straightforward to hide those unpatched machines behind a proxy. Give them an Ethernet connection to only one other machine and let that other machine be fully patched and updatable. That's a fix, but, honestly, I'm confused why critical medical equipment is fully exposed to the network in the first place.
This brings up an interesting philosophical / moral issue. The release of this kind of source code, by Wikileaks and others, is literally giving military grade weapons to anyone with the modicum of technical knowledge required to wield it. Fortunately, in this case, the person setting it loose didn't have the technical aptitude (or couldn't even be bothered with) looking at the code and disabling or properly securing the "kill switch".
It makes me wonder if those responsible for releasing and distributing this tool to the public could be held responsible (at least in civil courts) for the damage caused by it.
Better known as 318230.
Wow, this post is actually useful.
"First they came for the slanderers and i said nothing."
Have gnu, will travel.
Most radiology scanner manufacturers require that the device be connected to the internet so that they can download system logs and troubleshoot problems. It is usually via a VPN. Some of the scanners that I know of have workstations as part of the device. The system is usually the physical scan device, an acquisition computer and a processing computer. They are configured so the technologist can be post processing one scan while another is being acquired. The national accreditation agencies require that radiology dosage reports be sent via the internet to be summarized and to help develop standard protocols. The data is anonamized before transmission.
In summary no one expects computers to be reliable it's all about cost. Even for the same manufacturer the MRI, CT and IR scanners may not be compatible. Usually the software development is outsourced. The device is FDA approved with a specific configuration. There are required directory exceptions for Anti-virus scans.
Sorry way too much information
Or, you could hack the registry to make them self-identify as embedded and get security updates from Microsoft until 2019.
Registry hack enables free Windows XP security updates until 2019
It little behooves the best of us to comment on the rest of us.
in order to save it?
Microsoft tried rewriting Windows in 2001 and the years following. It was a near total disaster. I think their enthusiasm for doing THAT again is nonexistent.
You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
uhh you realize last month this effected 90% of windows systems? new and old? microsoft decided that older versions of windows didnt matter anymore. even know in the 90's they convinced all kinds of Cat Scan and MRI makers to install windows XP or even worse windows SE on their machines for ease of use.. and now they refuse to give updates to people that paid $200,000-$5,000,000 for their computers. sounds like shitty business practice to me. Now i understand microsoft didnt sell the people the machines. but they did a damn good job of making sure their shitty OS was inside of them.
Why would you expect Microsoft to pay for the mistake the CAT scan and MRI makers made in designing their equipment? If the MRI machine used a plastic gear to move some of the mechanics of the machine and it turned out that the gear would wear out and needed to be replaced by a metal gear, you wouldn't blame the manufacturer that made the gear or attempt to get the manufacturer to pay for a different kind of gear, you would blame the MRI designer for using a part that was inappropriate for the task at hand. The operating system is just part of the overall design of an MRI system and if you use an OS that doesn't perform adequately over the expected life of the machine, you have made a poor engineering decision. In addition if your operating system isn't rated as a life safety system (Windows and most operating systems are not), you may have made a dangerous engineering decision. (Yes the software of the MRI machine that actually directly controls the dangerous part of the machine is probably embedded and rated for life safety operations, but if a compromise of the Windows software can lead to bad instructions or control limits being sent to the embedded software, you have made a dangerous design mistake.)
Microsoft, for public relations reasons, may opt provide support beyond their original intentions, but it ultimately comes down to a business decision. It is not Microsoft's (or any vendor's) responsibility to pay big dollars forever to compensate for bad engineering decisions of other companies.
uhh you realize last month this effected 90% of windows systems? new and old? microsoft decided that older versions of windows didnt matter anymore. even know in the 90's they convinced all kinds of Cat Scan and MRI makers to install windows XP or even worse windows SE on their machines for ease of use.. and now they refuse to give updates to people that paid $200,000-$5,000,000 for their computers. sounds like shitty business practice to me. Now i understand microsoft didnt sell the people the machines. but they did a damn good job of making sure their shitty OS was inside of them.
1.) When said CAT/MRI/CNC/'Whatevur' manufacturers decided to use XP for their equipment, they were well aware of the support lifecycle for the OS. If the support lifecycle of the OS was not enough to cover the lifecycle of the rest of the equipment, that's the manufacturer's mistake, not Microsoft's.
2.) Said lifecycle should have ended on 2011, instead, it lasted until 2014. Again, if the lifetime of the equipment connected with that computer exceeded this extended support lifetime of the OS, that's the manufacturer's mistake, not Microsoft's
3.) Many of those manufacturers (if they are still in business) are big enough to be able to negotiate a custom support agreement for said machines and therefore continue to receive patches from Microsoft to this very day (Nokia did this for our OSS and BSS equipment, this was a big deal for us in the early 2000's when WinNT4 went out of support, in my case, that was mostly the NMS10, Traffica Z1 and Performance Reporting Station, I am certain the GEs and Siemens's of this world are big enough to do this too). If the manufacturer went broke, or did not care enough about their customers to negotiate said custom support agreements for that equipment, that's the manufacturer's mistake, not Microsoft's.
4.) There is a Windows SKU Supported with security patches until 2019 (WindowsXP POS), if the manufacturers did use plain Vanilla XP instead of WinXP POS, that's the manufacturer's fault, not Microsoft's.
5.) If the manufacturer went broke before being able to develop a version of said SW compatible with new versions of the OS, or did not care to develop said version, or developed it, but decided to charge and arm and a leg and a kidney and a king's ransom for said SW, that's the manufacturer's fault, not microsoft's.
6.) If, in your tender when buying said equipment, you requested a lifetime of 15 years, failing during your due diligence to realize that the OS controlling the machine was only supported for 10 years, that mistake is yours, not Microsoft's
7.) If you, as a customer, are running any of this equipment, and even tough your manufacturer negotiated an extended support contract, or used WinXP POS, you delayed applying said patches (or even worse, disabled updates entirely), it is your fault, dear user, not Microsoft's.
8.) If you are running equipment with plain vanilla XP, with no custom support contracts, and failed to mitigate said possible risk according to manufacturer guidance and/or best practices, the fault is with yours dear user, not microsoft's. For instance, many of these systems are supposed to run on a separate network (or even airgaped), and yet I've seen them end up on a shared network with all the office equipment and lot's of shared folders to/from the rest of the network...
So, let's put blame where blame is.
*** Suerte a todos y Feliz dia!
Malwarebytes wrote: “This was probably some kind of kill switch... UPDATE: The second argument to InternetOpenA is 1 (INTERNET_OPEN_TYPE_DIRECT), so the worm will still work on any system that requires a proxy to access the Internet, which is the case on the majority of corporate networks.”
And how would they get users to upgrade?
That's not so difficult. Just keep the functionality and look-and-feel and people will be fine with an upgrade (not a down-grade to an OS that they actually don't want).
"Trump!!", the new Godwin.
4.) "Windows POS Ready 2009" is the SKU you're referring to. As the name suggests it was intended for Point of sale devices, and was released in 2009.
This Microsoft Lifecycle page shows the lifecycle of embedded products. POS Ready was based on the "Windows Embedded Standard 2009", which is the last revision of XP embedded, with a similar end of life date.
A lot of these "embedded" XP systems were probably released between 2001- 2009 (the original hey day of XP) and didn't include a SKU that would be released in the future with longer support. Even if they included "Windows XP Embedded", "Windows XP Embedded Service Pack 3" support ended in 2016.
From the link you provided:
Windows Embedded Standard 2009. This product is an updated release of the toolkit and componentized version of Windows XP. It was originally released in 2008, and Extended Support will end on January 8, 2019.
Windows Embedded POSReady 2009. This product for point of sale devices reflects the updates available in Windows Embedded Standard 2009. It was originally released on 2009, and extended support will end on April 9, 2019.
Since these SKU's are still based on XP, It should have been trivial for the manufacturer to certify their product to these versions released 3 and 2 years (respectively) from the planned end of support of vanilla XP (2011), and 6 and 5 years (respectively) from the effective end of support of XP (2014), without charging an arm, a leg, a kidney, and a king's ransom for it...
This "recertification" of sorts would have extended the support 8 years from the planned end of support, and 5 from the actual one. So, still, the manufacturer's fault for not doing it.
Having said that, thank you for the correction and the link, if only slashdot let me edit posts, I'd gladly edit mine, and give you credit about it.
*** Suerte a todos y Feliz dia!
Yes... so how would making a new version from scratch solve this problem exactly?
I'm not sure what the relevance of the first part of your reply is - the GP said Microsoft should write a new version from scratch, I pointed out it wouldn't make much difference because only old versions were effected - you replied to me highlighting that point, so um, thanks for proving my point I guess? My comment on it relying on people being dumb is based on the fact the only infection vector is either machine sat facing the open internet with no firewall and ports wide open, or people clicking e-mail attachments. Given it's been known this is a bad idea for any computer running any OS since near enough the dawn of the web and e-mail, then yes, for this to spread it required an exceptional amount of stupidity.
But regardless the rest of your argument really is fucking stupid - no longer updating a 16 year old OS is not a shitty business practice? especially when you gave a number of support extensions and gave people more than enough time and warning to upgrade? You'll find very few products in the world where the manufacturer still gives a shit after 5 years, let alone 16 years. Google for example stopped updating my Google branded Galaxy Nexus after only 18 months from UK release leaving it vulnerable, Microsoft have the longest support period of all major vendors - long support periods is one of Microsoft's greatest strengths, the fact there are people who wont upgrade ever is really not on Microsoft, especially when they had a free upgrade path to Windows 10 for 18 months which wasn't effected precisely because they were trying to do everything they could to get vulnerable OS off the internet.
It also didn't effect 90% of Windows systems new and old, I don't even know where you got that fake number from and can only assume you just outright pulled it out your ass because Windows 10 marketshare is alone at 26%, Windows 7 at 48%, and then Windows 8 at 9%, XP at 7%. So 64% of the OS market was vulnerable back in March before the exploit was in the wild when Microsoft released a patch. This was patched then, leaving 16% vulnerable with no patch options leaving 84% of the OS market safe from this exploit as of March this year if IT admins did their job, of which 74% of that share was Microsoft OS'.
Oh, and um, Windows XP came out in 2001, so no, they weren't convincing anyone to install it in the 90s. Really, let's be honest, what you were actually saying was "I'm an open source zealot, and you said something that gives Microsoft some kind of defence so I'm going to unthinkingly pounce on you!" wasn't it? because the first half of your argument agreed with me despite being written in a tone of disagreement, and the second part is just drivel that bitches at Microsoft for the sake of bitching at Microsoft regardless of rationality.
yes! as you can tell from my name. i may be a lil stoned.. and a cookie sounds great!
Easier to use a decent router, and not allow any incoming traffic to your computer. but in either situation... it doesnt stop you from infecting yourself with phishing emails, or bad ads. stuff like that. things like chrome,edge,IE,firefox exploits are normally used when you load a page. and the only way to protect against those is decent AV software, adblocks, and pure knowledge of what not to do.
Pay that researcher a well deserved bonus for saving lots of money and aggravation.
Yet, am I naive, or would the public notification that the "kill switch" has been found and activated - for this version - prompt the culprit to release another mod of this malware?!
Would it make sense to keep this info (publicly) hush for a while?
At least long enough to allow a more permanent solution to be distributed?
Self-importance and self-indulgence is the root of ALL evil.
Longer answer: A good proxy could help protect you from worms, but not from a stupid user downloading something bad, or clicking on something bad in email. Good deep-inspection proxies are also expensive. To protect against something like this, it would have to intercept the mail client protocol (probably IMAP or MAPI), unwrap any TLS encryption on it using MitM certificates, detect and decode the attachment (ie pdf), then decode it for embedded .docm files. That's a lot deeper than any cheap proxy can handle.
Another issue is many people confuse firewalls and proxies. Proxies are a subtype of firewall that actually intercepts and processes the connections. Most firewalls are not proxies, and operate at a shallower level where decisions are made based on packet header source and destination information. Some next-generation (expensive) firewalls can do both.
A home-style gateway is a low end firewall. It doesn't do deep inspection. Worse, they are normally configured to allow Universal Plug and Play (UPnP). This is a protocol that allows anything inside the firewall to request an inbound hole in the firewall. It's often used for games. So once one kind of malware is in (or many Internet of Things (IoT) devices), it opens the gates to other attacks.
The only way I know of to protect a system like this is to air-gap it. Information is carried to and from the protected system on removable storage drives, which are always virus checked before being connected to the internal system. That's very time consuming and annoying.
If you'd really cared about MalwareTech's privacy you wouldn't given this much attention to the fact he was doxxed. Now even more people will know about it. The journalists that wrote about MalwareTech being doxxed are as bad as the ones who first doxxed him.
https://yro.slashdot.org/comments.pl?sid=10613705&cid=54420419
Slashdot, fix the reply notifications... You won't get away with it...