Slashdot Mirror


Researchers Find New Version Of WanaDecrypt0r Ransomware Without A Kill Switch (vice.com)

Remember that "kill switch" which shut down the WannaCry ransomware? An anonymous reader quotes Motherboard: Over Friday and Saturday, samples of the malware emerged without that debilitating feature, meaning that attackers may be able to resume spreading ransomware even though a security researcher cut off the original wave. "I can confirm we've had versions without the kill switch domain connect since yesterday," Costin Raiu, director of the global research and analysis team at Kaspersky Lab, told Motherboard on Saturday... Another researcher confirmed they have seen samples of the malware without the killswitch.

98 comments

  1. Well that didn't last long by Anonymous Coward · · Score: 0
  2. It was only a matter of time... by toonces33 · · Score: 5, Interesting

    The person who found the previous "kill switch" believes that it was actually an anti-sandboxing feature, not a kill switch.

    1. Re:It was only a matter of time... by Highdude702 · · Score: 1

      can i have a link to where you saw this please?

    2. Re:It was only a matter of time... by toonces33 · · Score: 5, Informative
      https://www.malwaretech.com/20...

      The reason which was suggested is that the domain is a “kill switch” in case something goes wrong, but I now believe it to be a badly thought out anti-analysis.

      In certain sandbox environments traffic is intercepted by replying to all URL lookups with an IP address belonging to the sandbox rather than the real IP address the URL points to; a side effect of this is that if an unregistered domain is queried it will respond as if it were registered (which should never happen).

      I believe they were trying to query an intentionally unregistered domain which would appear registered in certain sandbox environments; then, once they see the domain responding, they know they’re in a sandbox and the malware exits to prevent further analysis. This technique isn’t unprecedented and is actually used by the Necurs trojan (they will query 5 totally random domains and if they all return the same IP, it will exit); however, because WannaCrypt used a single hardcoded domain, my registration of it caused all infections globally to believe they were inside a sandbox and exit, thus we initially unintentionally prevented the spread and further ransoming of computers infected with this malware. Of course now that we are aware of this, we will continue to host the domain to prevent any further infections from this sample.

    3. Re:It was only a matter of time... by Anonymous Coward · · Score: 0

      So all they have to do is replace it with an unregistered domain?

      How many trillions of unregistered domains are there?

    4. Re:It was only a matter of time... by Anonymous Coward · · Score: 1

      None, if your ISP hijacks your DNS and serves up advertising when it receives a request for a bad domain name. See Cox Communications for an example. That, however, usually only happens on residential DNS, while the ransomware floating around now is mainly in corporate environments, due to the nature of SMB.

    5. Re:It was only a matter of time... by ArylAkamov · · Score: 2

      Pretty freakin' neato

    6. Re: It was only a matter of time... by Anonymous Coward · · Score: 0

      It was one specific hardcoded URL that the thing was looking for.

    7. Re:It was only a matter of time... by Xenna · · Score: 1

      OK, note to self: Use a random URL in the next version.

    8. Re:It was only a matter of time... by Calydor · · Score: 1

      Cox and Verizon only hijacked the lookup to protect you from ransomware!

      --
      -=This sig has nothing to do with my comment. Move along now=-
    9. Re:It was only a matter of time... by Highdude702 · · Score: 1

      Thank you! Awesome read. Anybody who hasn't should.

    10. Re:It was only a matter of time... by Highdude702 · · Score: 1

      They are very efficient at it also. Used to get mine within hours. Hard to fight that kind of mitigation unless you use a raw IP, which sometimes can become a problem to hide then, unless you have deep pockets for China.

    11. Re:It was only a matter of time... by Highdude702 · · Score: 0

      Even if you use a randomizing URL it can be caught, and the algorithm figured out to register the next year's worth of domains. It was a very bad implementation of a sandbox check.

    12. Re:It was only a matter of time... by Anonymous Coward · · Score: 0

      Even if you use a randomizing URL it can be caught, and the algorithm figured out to register the next year's worth of domains.

      Not if it's truly random each time, which isn't hard to do. The only real way to fix this technique is for sandboxes to stop responding to bogus URL requests with the IP address of the sandbox. The hackers are using the URL trick to exploit a flaw in the sandboxing protocols for purposes of detecting the sandbox. It's a clever trick. One possible fix might be for the sandbox to pass the URL request to the parent process for verification on DNS lookup before responding in the sandbox with the IP address of the sandbox.
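      The sandbox-resolver weakness discussed in this post and in the quoted MalwareTech explanation above, as an added example that is not part of this thread: a small Python simulation of two sandbox DNS policies (answer every name with the sandbox address, versus verify existence upstream first and return NXDOMAIN for names that do not exist, the "pass it to the parent for verification" idea), plus the self-audit a sandbox operator can run to learn whether their environment is fingerprintable by the "query several random unregistered names" check attributed to Necurs. The resolver classes, the upstream registry, the addresses and the domain names are all constructed for illustration; nothing touches the network.

```python
import random
import string

# Constructed stand-in for the real DNS: the only names that "exist" upstream.
REGISTERED = {
    "example.com": "93.184.216.34",
    "update.example.net": "203.0.113.10",
}

# Constructed address of the sandbox's own traffic interceptor.
SANDBOX_IP = "10.0.0.1"


class NakedSandboxResolver:
    """Weak policy: answer EVERY lookup with the sandbox IP so all traffic is
    captured. Side effect described in the thread: names that exist nowhere
    still 'resolve', which never happens on a real network."""

    def resolve(self, name):
        return SANDBOX_IP


class VerifyingSandboxResolver:
    """Hardened policy: ask upstream whether the name exists before answering.
    Only names that really exist are redirected into the sandbox; unregistered
    names get NXDOMAIN (returned as None), exactly as on a real network."""

    def __init__(self, upstream):
        self.upstream = upstream

    def resolve(self, name):
        if name not in self.upstream:
            return None  # NXDOMAIN
        return SANDBOX_IP


def random_unregistered_name(rng, registry):
    """Constructed probe name: 20 random letters under the reserved .example
    TLD, re-drawn in the unlikely event it collides with a registered name."""
    while True:
        label = "".join(rng.choices(string.ascii_lowercase, k=20))
        name = f"{label}.example"
        if name not in registry:
            return name


def looks_like_sandbox(resolver, rng, probes=5, registry=REGISTERED):
    """Operator self-audit of the behaviour the thread attributes to Necurs:
    query several names that cannot be registered; if every one comes back
    with the same address instead of NXDOMAIN, DNS is being faked.
    Returns True when the environment is fingerprintable this way."""
    answers = {resolver.resolve(random_unregistered_name(rng, registry))
               for _ in range(probes)}
    # A genuine resolver yields NXDOMAIN for all probes, i.e. answers == {None}.
    return None not in answers and len(answers) == 1


def audit_report(seed=1):
    """Run the audit against both policies with a fixed seed for reproducibility."""
    rng = random.Random(seed)
    return {
        "naked": looks_like_sandbox(NakedSandboxResolver(), rng),
        "verifying": looks_like_sandbox(VerifyingSandboxResolver(REGISTERED), rng),
    }


if __name__ == "__main__":
    for policy, fingerprintable in audit_report().items():
        print(f"{policy:10s} resolver: fingerprintable={fingerprintable}")
```

      The verifying policy removes the "unregistered name resolves" tell but does not remove the single-hardcoded-domain case from the thread (one fixed name whose registration status flips the outcome for every infection at once), and, as the next reply points out, the upstream check itself is extra interaction between sandbox and host that has to be designed with care.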

    13. Re:It was only a matter of time... by Highdude702 · · Score: 1

      That is a possibility; however, adding more interaction between sandbox and host leads to more potential ways to break out of the sandbox and truly be malicious. It's almost like a double-edged sword. The more you try to prevent by passing to the host, the more you possibly weaken your whole secure environment.

  3. We can only hope! by Highdude702 · · Score: 1

    Let's hope that this person is doing this for awareness, and hopefully he makes his point. Or else, sorry, you put a critical on the internet without knowledge of how the internet works.

    1. Re:We can only hope! by ColdWetDog · · Score: 1

      I suspect that the perps are doing it for money.

      Always follow the money.

      --
      Faster! Faster! Faster would be better!
    2. Re:We can only hope! by Anonymous Coward · · Score: 0

      FUCK YOU! I hope this motherfucker DIES!!! Find him, and zero-day exploit his ass with a motherfuckin bullet to the head!

    3. Re:We can only hope! by Anonymous Coward · · Score: 0

      There is a secondary culprit here which is obviously Wikileaks aka JA. And this is why you should not leak cyberwarfare weapons onto the internet. I mean, is there even a thought of "Maybe this is dangerous in the wrong hands"? The problem is, it is already the wrong hand. A person who steals these secrets in order to "do good" is in a total dream world. Yes they might have gone too far but still. What is the next leak from Wikileaks? Maps containing all vital military assets and their weaknesses?

    4. Re:We can only hope! by Highdude702 · · Score: 1

      I'm sure he is, but I can hope that he's not.

    5. Re: We can only hope! by Anonymous Coward · · Score: 0

      I agree, the NSA should have never sat on this exploit. They should have disclosed it to the vendors behind closed doors so they could patch it without anyone knowing. Then when the patch is live, let everyone know. Too bad the NSA isn't an agency tasked with protecting us against cyber threats.

  4. This wave... by malkavian · · Score: 1

    Is really going to hurt then.. I doubt the world has had time to patch everything...

    1. Re:This wave... by toonces33 · · Score: 1

      Maybe some are patched. Some are taken offline or air-gapped until patched. Some might have SMB turned off or blocked by the firewall. IT departments will be specifically watching for TOR connections, and might actually try blocking them. Yeah, there will be some new infections. But the first wave gave people a wake-up call that this one was serious.

    2. Re:This wave... by freeze128 · · Score: 1

      The object lesson here is: Don't rely on patches. Instead, have a strong backup strategy.

      This attack *WILL* really hurt, but it will be good in the long run because it will teach people to back up data.

    3. Re: This wave... by Anonymous Coward · · Score: 0

      And what happens after you're forced to restore from backups?? You're going to have to patch eventually to keep from getting reinfected.

      I agree, if you don't already have backups, start ASAP! But, if the backup solution is working, get going on patching!

  5. "Attackers"? by Anonymous Coward · · Score: 0

    "Attackers"? LOL, it's one guy.

    1. Re:"Attackers"? by ozduo · · Score: 1

      Anyone considered that this might be an attempt by an un-named company to sell its latest software?

      --
      I got to the chocolate box before you, that's why the hard ones have teeth marks.
    2. Re:"Attackers"? by Anonymous Coward · · Score: 0

      So you're saying Apple is attacking Microsoft? That's nasty.

    3. Re: "Attackers"? by Anonymous Coward · · Score: 0

      It doesn't make sense MS would do that. They would attack something that's not so easy to block or disable. They have all the keys, they don't need a back door.

  6. God damnit by JustAnotherOldGuy · · Score: 5, Funny

    I've tried everything to get this to run on my Linux Mint box (including installing WINE) and it just won't do anything.

    --
    Just cruising through this digital world at 33 1/3 rpm...
    1. Re:God damnit by Anonymous Coward · · Score: 3, Funny

      I've tried everything to get this to run on my Linux Mint box (including installing WINE) and it just won't do anything.

      Surely you are familiar with stuff not working on a Linux box ?

      It's part of the hobby to experience such things, n'est ce pas ?

    2. Re:God damnit by Anonymous Coward · · Score: 0

      I WannaTry(TM) it too. Genuinely curious to see what it would do to my network.

    3. Re:God damnit by rrohbeck · · Score: 1

      Clearly you need a VM to experience the full goodness of Microsoft's SMB implementation..

    4. Re:God damnit by Barlo_Mung_42 · · Score: 1

      Same here but it doesn't work on Win10 either.

    5. Re:God damnit by DeBaas · · Score: 2

      If you send me two bitcoins within 6 hours I will provide an installer. If you wait longer the price will go up!

      --
      ---
    6. Re:God damnit by thegarbz · · Score: 1

      If more than 5 people ran something important on a Linux Mint desktop that is worth holding for ransom then we would consider a port. Until then your target market is just too small and you will need to run a compatible copy of Microsoft Windows to use our software.

      Sincerely,
      Dev Team.

    7. Re:God damnit by JustAnotherOldGuy · · Score: 1

      If more than 5 people ran something important on a Linux Mint desktop that is worth holding for ransom then we would consider a port. Until then your target market is just too small and you will need to run a compatible copy of Microsoft Windows to use our software.

      Thank you! I installed Windows 10 and was able to get it to encrypt my files properly on the first try.

      By the way, what does "Error connecting to NSA Data Collection Server" mean? I get that notification whenever my internet goes down.

      --
      Just cruising through this digital world at 33 1/3 rpm...
    8. Re:God damnit by thegarbz · · Score: 1

      Error connecting to NSA Data Collection Server

      The error you are experiencing means that the automated email and password database backup systems aren't working as intended. If you intend to work without an internet connection for long periods of time it may be worthwhile to print hard copies of everything important and mail it directly to the NSA for archiving.

    9. Re:God damnit by Anonymous Coward · · Score: 0

      I've tried everything to get this to run on my Linux Mint box (including installing WINE) and it just won't do anything.

      Where is the like button slashdot ?

    10. Re:God damnit by Anonymous Coward · · Score: 0

      By the way, what does "Error connecting to NSA Data Collection Server" mean? I get that notification whenever my internet goes down.

      NSA means Naughty Sex Act.

  7. What hath thou abandoned me, Microsoft?? by Anonymous Coward · · Score: 1

    I've got an internet-facing server running Server 2000. Where is our patch!?! My boss is going to freak out if anything bad happens!

    1. Re:What hath thou abandoned me, Microsoft?? by jellomizer · · Score: 1

      Write up a "told you so" as in a root cause analysis.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    2. Re:What hath thou abandoned me, Microsoft?? by Anonymous Coward · · Score: 0

      Dammit creimer, do you ever stop posting to Slashdot?

    3. Re: What hath thou abandoned me, Microsoft?? by Anonymous Coward · · Score: 0

      Isn't the fix to disable smb1 protocol?

    4. Re: What hath thou abandoned me, Microsoft?? by DogonYàrò · · Score: 1

      Wow...

    5. Re: What hath thou abandoned me, Microsoft?? by Anonymous Coward · · Score: 0

      The easier fix is to not be an idiot. This vulnerability relies upon social engineering and won't work unless you're the kind of person who downloads and runs everything they come across.

    6. Re: What hath thou abandoned me, Microsoft?? by Anonymous Coward · · Score: 0

      good luck with that...

    7. Re: What hath thou abandoned me, Microsoft?? by Anonymous Coward · · Score: 0

      The easier fix is to not be an idiot. This vulnerability relies upon social engineering and won't work unless you're the kind of person who downloads and runs everything they come across.

      And you just told us that you're not involved in IT in any significant way, else you would not have said something so stupid.

    8. Re: What hath thou abandoned me, Microsoft?? by Anonymous Coward · · Score: 0

      Our servers got patched. Check again.

    9. Re: What hath thou abandoned me, Microsoft?? by Anonymous Coward · · Score: 0

      No, worms do not rely on the user doing anything other than putting the device online.

    10. Re: What hath thou abandoned me, Microsoft?? by Anonymous Coward · · Score: 0

      How is it executed?

    11. Re: What hath thou abandoned me, Microsoft?? by Anonymous Coward · · Score: 0

      If your users are able to access anything that doesn't have to do with their job, then you fail as an administrator.

  8. Never Run Windows on Bare Metal by Anonymous Coward · · Score: 1, Insightful

    1) Get ransomware
    2) Read warning about losing data
    3) Chuckle with a smirk on your face
    4) Revert to this morning's snapshot
    5) Carry on

    1. Re:Never Run Windows on Bare Metal by Anonymous Coward · · Score: 0

      Yes, that works really well for a hospital where you can drop all the information you recorded today on the floor. There's definitely not going to be any critical notes in there.

    2. Re:Never Run Windows on Bare Metal by Anonymous Coward · · Score: 1

      It works better than dropping all the information you recorded EVER on the floor. Why hospitals are even ON the Internet is beyond me...

      Oh right..

      Obama.

      Thank you very much, asswipe.

    3. Re:Never Run Windows on Bare Metal by mikael · · Score: 1

      Hospitals moved to computers because it saved space storing data on a server rather than racks and racks of shelves with paper notes in scribbly doctors' writing. These would have to be thrown out after three years if the patient never returned. Then when someone is referred to another doctor, clinic, practice, specialist, consultant, those paper notes would have to be transferred across as well. Needless to say, they would end up being lost. Medical notes weren't the right size to store X-ray plates, let alone modern digital data like ultrasounds or NMR/MRI/CAT scan volumetric data (1024^3 cubes of pixels at HD resolution). Once medical data is digitized, the next problem is transferring the data across from department to department. So they need an intranet. It's not connected to the Internet, but since there are university hospitals and wi-fi services, there's always the risk.

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
    4. Re:Never Run Windows on Bare Metal by GerryHattrick · · Score: 1

      No real 'Doctor' I have ever known ever relied on anyone else's tests and notes. New doc? They'll run the tests again (which is OK in the UK, as it costs the patient nothing but delay). I suspect the English NHS is remarkably resilient.

    5. Re:Never Run Windows on Bare Metal by eneville · · Score: 1

      I was not aware Obama had anything to do with the UK's NHS.

    6. Re:Never Run Windows on Bare Metal by HiThere · · Score: 1

      This is assuming that it's a rapidly acting ransomware. Some have acted more slowly, and you could lose a week's worth of data, or a month's worth. And...unnh... how long do you keep your backups before recycling?

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
  9. I am disabling SMB v1 by williamyf · · Score: 3, Informative

    Even though my main machine is a Mac, and my Boot Camp and Windows secondary machine are on Win10 and fully patched, and my Synology NAS has SMB v1 disabled, I may as well disable SMBv1 across the whole fleet.

    God have mercy on all morons who are still running unpatched machines...

    --
    *** Good luck to everyone and have a nice day!
    1. Re:I am disabling SMB v1 by techno-vampire · · Score: 1

      God have mercy on all morons who are still running unpatched machines...

      Because I certainly won't. Either this will be a good object lesson, or they'll get what they deserve for not learning from experience.

      --
      Good, inexpensive web hosting
    2. Re:I am disabling SMB v1 by Atryn · · Score: 1

      God have mercy on all morons who are still running unpatched machines...

      I wonder if you could draw a parallel to the anti-vax movement. There is a sort of herd immunity if all machines are patched as malware has a harder time replicating and spreading with less compromised machines to do so. But there are people who persistently refuse to patch because of some perception that the patch itself or the patching process is more troublesome than the likelihood they will be part of an infection.

      --
      Come play Moral Decay!
    3. Re:I am disabling SMB v1 by Anonymous Coward · · Score: 0

      I have Win 8.1, and it kept failing updates. I did a fresh install. WinUpdate worked again. For a while. Then I found my machine running its guts out all the time. I tracked it to WU. I'd shut it off, and fans/temp would go back to normal. Then start up again, and I'd find WU running again. I shut it off permanently, but now can't update Win Defender either, except about once a week when it decides it needs to, and it works then.
      I tried two third party patchers. One didn't work at all. The other seems like it works, but not sure.

    4. Re:I am disabling SMB v1 by RandomFactor · · Score: 1

      To be fair, that perception is rather well founded in the Windows world. I tried going down that road myself back in the WGA introduction time frame, but gave up soon enough.

      --
      --- Mercutio was right.
    5. Re:I am disabling SMB v1 by Anonymous Coward · · Score: 0

      Just a quick reminder: SMB v2 was only introduced in Windows Vista.

      That means that no pre-Vista Windowses can disable it without disabling SMB altogether.

  10. sometimes i think worse must precede better... by Anonymous Coward · · Score: 5, Insightful

    I've seen security-aware people being widely ignored by technically illiterate managers and decision makers for decades. Sometimes they aren't given the tools they ask for, or their advice is ignored, or sometimes they are both ignored and still blamed when things go wrong. That's not even getting into all the ordinary folks buying low-security or pre-backdoored IoT devices, and the intrusion of the internet into everyday things like cars and televisions.

    Sometimes I think something really nasty has to happen before people will wake up. But then when I think about it some more, I don't believe that would help either. The wrong message would be taken. Instead of adopting good security practices, it would instead be a series of laws that managed to be both misguided, harmful, and utterly useless for solving the real problem. It would be "magical thinking" instead of really paying attention to digital security.

    Then I go have a couple beers, because fuck it.

    1. Re:sometimes i think worse must precede better... by Anonymous Coward · · Score: 0

      IT specialists tend to be at the upper-end of the IQ spectrum. Middle and even executive management tends not to be (very high "dark triad" traits to make up for mediocre intelligence).

      So, it makes perfect sense that good advice will be given but not taken, especially when there is a price tag associated with it.

      There isn't much anyone can do about this, really.

    2. Re:sometimes i think worse must precede better... by Anonymous Coward · · Score: 0

      So HOW do we explain to these tech nincompoops that *THEY'RE* dooming their companies? That is the question.

    3. Re:sometimes i think worse must precede better... by Anonymous Coward · · Score: 0

      The thing is: managers are used to being "warned" about this, that and the other by everyone who reports to them. To them, "we need better sandboxing to protect our data" sounds a lot like "we need a barrier to the car park" or "we need to replace the windows on the third floor". They hear dozens of demands like these every frickin' day, and to choose between them they spend their lives demanding properly costed business cases for each one.

      If you can't put together at the very least a detailed cost-benefit analysis, explaining not only how much you will save the company over five years but also how little impact your proposal will have on operations, then you're not a "security-aware person", you're just playing one on /..

  11. It's All About ROI by Frosty+Piss · · Score: 4, Insightful

    It's not like most IT departments don't know these vulnerabilities exist, and there are many common reasons, some common ones being:

    A) Code written under a very tight schedule, where getting working code operational is the number one target, and the team expects to tighten up the security later but never does.

    B) Legacy code written before this type of security was much of a concern.

    The main problem with preventing this kind of thing is the Bean Counters. Generally, they will do a calculus of the possibility that they specifically will be hacked, and what it will cost to tighten up the code to prevent the hack. In other words, they gamble that they will not be hacked, thus saving them the money it will cost to have their inside team or a contractor fix things. It's all about their bonus.

    Of course the Bean Counters will not admit this, but it's important to understand that the people who sign off on allocating the funds to accomplish tightening up security simply have no understanding about the actual threat versus cost, nor do they really care because it's all about ROI.

    --
    If you want news from today, you have to come back tomorrow.
    1. Re:It's All About ROI by phantomfive · · Score: 1

      You might add that it's very rare that any software company cares about security from a corporate perspective. You can tell that they care when they give you extra time in a sprint to make sure things are secure.

      --
      "First they came for the slanderers and i said nothing."
    2. Re:It's All About ROI by Tom · · Score: 1

      The main issue with the bean counters is that they (often intentionally) underestimate the probability of a flaw being exploited.

      If exploiting the flaw will give the attacker some kind of financial or otherwise interesting profit, even indirectly (like exploiting an OS flaw to deploy ransomware), then given a sufficient timeframe, the probability that the flaw will be found and exploited is close to 100%.

      I know this is a bit of "hire me" since I'm an IS Architect, but IT is going to become a lot more expensive. As a company, you can decide if it becomes more expensive because you spend money on security, or because you keep getting hacked.
      You can also bugger your vendors to finally invest serious money into seriously secure systems, but we all know that the likes of MS, Oracle, etc. won't be forced by some companies saying "or else" because there isn't much else.

      --
      Assorted stuff I do sometimes: Lemuria.org
    3. Re:It's All About ROI by StormReaver · · Score: 3, Insightful

      Neither (A) nor (B) apply in this case, but rather:

      C) Organizations insist on using an operating system that has been known for decades to have more severe security holes than Swiss cheese, but which the (only!) vendor refuses to fix until it's too late (if even then).

    4. Re:It's All About ROI by Anonymous Coward · · Score: 0

      Considering Linux has had more holes than Windows for the past decade or so, that is hardly a good argument to make. Regardless, this is exploiting an old vulnerability that was patched prior to the exploit being in the wild; just lazy IT people. This sadly is a problem for all OSes.

    5. Re:It's All About ROI by Anonymous Coward · · Score: 0

      That's basic risk analysis and any "Bean Counter" worth talking to will quite happily admit to it and explain why it is used.

      Some things are not worth protecting at the cost it will take to protect them. It's that simple. Just because the corporation's assessment of your private data's value is far less than your own doesn't make this less true.

  12. Shocking! by Gravis+Zero · · Score: 1

    It's almost as if someone saw this coming.

    --
    Anons need not reply. Questions end with a question mark.
  13. Well duh, RTFM by Anonymous Coward · · Score: 5, Funny

    You need to make sure you have the *correct* version of gettext, libiconv, openssl, gnu-crypto, and gnucash (not the one your distro ships with of course) and you need the correct version of GCC (4.9.4; it will refuse to compile if you use 4.9.3 or 4.9.5). Also if you are on Mint you will need to patch the ransomware.h header file, but not on Debian. If using CentOS you need to make sure you load the x86 compatibility libraries or it won't work. Make sure to pass the correct flags to ./configure.

    This is all obvious to everyone who read the manual so stop wasting our time.

    1. Re:Well duh, RTFM by Anonymous Coward · · Score: 0

      See? It's stuff like this that explains why the Linux desktop just isn't ready for most malware.

    2. Re:Well duh, RTFM by WallyL · · Score: 1

      Ooh, I have a malware that's ready for prime-time! Please paste this into a terminal, and then share to all your friends:
      sudo rm -rf /

  14. Why couldn't the NSA find/activate kill switch??? by divec · · Score: 4, Interesting

    What does it say about the NSA, if a lone security researcher finds and activates a kill switch before they do?

    So they can snoop on and store an entire nation's web traffic and email, but they can't analyse a small piece of malware, notice it queries some domain name, and then discover (in a test environment) that the existence of the domain stops the malware from propagating? And then activate the domain to give the world a few hours respite?

    Sure, now there's a new version without a kill switch, but the brief respite will have given millions of people the opportunity to secure their machines. It seems a pretty pathetic state of affairs when the NSA pours vast sums of money into nefarious snooping, yet can't keep pace with a single security researcher when it comes to *actually* helping keep the nation secure.

    Same goes for other countries' intelligence agencies, e.g. GCHQ.

    --

    perl -e 'fork||print for split//,"hahahaha"'

  15. Re:Why couldn't the NSA find/activate kill switch? by Anonymous Coward · · Score: 0

    But they don't want to disable it...

  16. Re:Why couldn't the NSA find/activate kill switch? by Anonymous Coward · · Score: 1

    What? You want them to violate the DMCA to reverse engineer the code?

  17. Re:Why couldn't the NSA find/activate kill switch? by Anonymous Coward · · Score: 0

    That's not their job Ivan.

    What about your own boys the KGB - why don't they disable it? After all, they're letting your Mafiya fraudsters release it into the wild hmmm?

  18. Re:Why couldn't the NSA find/activate kill switch? by vtcodger · · Score: 2

    The kill switch is in the malware, not in the underlying Windows code. It's probably not exploitable for intelligence activity. Why would the NSA/CIA/FBI/whatever care about it as long as it doesn't infect their computers? (Which they probably back up regularly and, one suspects, probably don't run on Windows)

    --
    You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
  19. Hashes.... by campuscodi · · Score: 1

    Hashes or GTFO. This is as fake news as fake can get.

    1. Re:Hashes.... by rat7307 · · Score: 1

      Here you go, I've got tons of them: #######

      --
      Burma?
  20. Re:Why couldn't the NSA find/activate kill switch? by Anonymous Coward · · Score: 0

    Why in God's name would they ever want to disable such a huge gaping hole in most of Windows?
    This was prime exploit material for accessing machines as a primary infection vector.
    Identify target via other means, infect and monitor via this.

  21. To shut down bitcoins from ransomware? by Anonymous Coward · · Score: 0

    Why? Because bitcoins may be used for profiting by criminals, terrorists, destroyers, etc.

  22. Re:Why couldn't the NSA find/activate kill switch? by Anonymous Coward · · Score: 0

    Why would the NSA/CIA/FBI/whatever care about it as long as it doesn't infect their computers?

    Maybe because it's their fucking job to protect 'Merkuh from (all but their) nasty haxx0rs?

  23. Re:Why couldn't the NSA find/activate kill switch? by Anonymous Coward · · Score: 0

    After Heartbleed, and some crypto protocol extension flaws, I decided all protocols are suspect (except SNA on IBMs or maybe Novell) because the new IT people are not taught correctly. Back in the 80's and Motorola days, quality was king, training was good. OpenBSD appears to be clued in and audited by way of comparison.

    I recall MS admitted it had at least 2 holes it could not patch at some stage. We know memory allocation must be bad, because why else randomly muck with predictable locations and vectors/pointers on startup. Unlike BSD, MS has not globally replaced poor string handling routines, or better, planted an out-of-bounds logger to detect unknown string overloading abuses as some kind of honeypot.

    Law enforcement will be after the jokers big time, that's for sure. I can guess how this might go. They should have just stuck to ATM machines using SMB.

    So, recap. The NSA has not broken the thing's encryption. MS came up with some patches in record time for SMB1, but we don't know if 2 and 3 are also vulnerable, or if we call an email fixing/check module, might it have a like flaw.
    We know the Brits paid a heavy price as GCHQ kept the secret if they knew.

  24. Re:Why couldn't the NSA find/activate kill switch? by Anonymous Coward · · Score: 0

    that the "lone researcher" works for the NSA?

  25. Re:Why couldn't the NSA find/activate kill switch? by Anonymous Coward · · Score: 0

    This is probably the first and last time I will defend the NSA, but...

    Are they legally empowered to pro-actively and unilaterally interfere with other people's programs? I don't think so. Yes, this malware is awful and must die, but I'd imagine that they would have to get authorisation to do something about it (maybe even - gasp - a warrant). That's not really their scene* any more, so I wouldn't be surprised if someone had a look, found the vulnerability in the malware, made a note and carried on with their higher-priority tasks. That's assuming that they didn't just leak it to a "security researcher" for the lulz.

    * Protecting citizens may be in their mission statement somewhere, but we all know now what their real mission is: spying on everyone and passing on the details of anyone who might upset the establishment to legal/financial/political/military hit squads.

  26. Re:Why couldn't the NSA find/activate kill switch? by Anonymous Coward · · Score: 0

    Yeah... Ummm... Didn't the NSA write this malware in the first place?

  27. Re:Why couldn't the NSA find/activate kill switch? by Anonymous Coward · · Score: 0

    Why would the NSA/CIA/FBI/whatever care about it as long as it doesn't infect their computers?

    Because they exist to protect you?

    Or at least that was the original (purported) reason for creating the agencies in the first place.