Slashdot Mirror


PCs Connected To the Internet Will Get Infected With WanaDecrypt0r In Minutes (bleepingcomputer.com)

An anonymous reader writes: "The Wana Decrypt0r ransomware -- also known as WCry, WannaCry, WannaCrypt, and WanaCrypt0r -- infected a honeypot server made to look like a vulnerable Windows computer six times in the span of 90 minutes, according to an experiment carried out by a French security researcher who goes online by the name of Benkow," reports BleepingComputer. "During one of those infections, Wana Decrypt0r infected the honeypot in a mere three minutes after it was reset, showing the aggressive nature of the ransomware's scanning module, which helps it spread to new victims... Three minutes is about the same amount of time IoT malware will infect a vulnerable home router left connected to the Internet without patches."

The article also highlights the fact that the group behind this threat is possibly made up of inexperienced coders, who just stumbled upon a way to weaponize an NSA exploit. Their three previous WanaDecrypt0r campaigns were mundane, and one researcher called their code "utter [expletive]." This is because WanaDecrypt0r is actually made of two main modules, the ransomware itself and the SMB worm (based on the NSA exploit). While the SMB worm is top-shelf code, the ransomware itself is quite unsophisticated, making a lot of operational errors, including using only 3 Bitcoin wallets to handle payments, instead of one per infected user, as most top-shelf ransomware does. This makes it difficult to tell which victims paid and which didn't, as anyone could claim "x" transaction is theirs, even if they didn't pay.

14 of 82 comments

  1. It was only 15 years ago or so by future assassin · · Score: 2

    when you couldn't connect a new XP install to the internet to get updates unless you installed firewall and virus software beforehand. It was pretty cool, tested it a few times on my then 1 Mbit ADSL line. Install XP, connect to internet and within minutes you'd get infected. I can't remember the name of the virus off hand.

    --
    by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
  2. Re:How does it work? by The MAZZTer · · Score: 3, Informative

    You would probably have to directly plug your PC into your ISP's connection as opposed to using a router, any decent model of which should block unsolicited incoming traffic by default.

  3. Ports 445 exposed to the internet by Okian Warrior · · Score: 4, Informative

    You can get it either by a) exposing port 445 to the internet, or b) exposing port 445 to a computer on your local subnet that's infected.

    If you have no other computers running windows on your local net, and if your network connection doesn't allow port 445 through, you should be safe.

    ...it's a good idea to patch the system, though. Get the patch here.

    Port 445 is SMB ("samba" over in the Linux world), which is used to mount remote disks and printers (and some other things). There's really no need for a user to expose this port to the internet unless you want to mount a disk remotely over the internet, which is not something a user would ordinarily need.

    1. Re:Ports 445 exposed to the internet by dreamchaser · · Score: 2

      It is not a default. File sharing needs to be turned on manually.

  4. TFA slightly overblown by Anonymous Coward · · Score: 5, Informative

    SMB not allowed thru windows firewall by default
    Most users behind NAT/SPI
    All rational ISPs block SMB

    SMB worms are quite useful for spreading laterally within local networks after some mental giant (e.g. C-level exec) in your organization clicks the wrong email.

    Pretty much DOA elsewhere, where you're just whacking clueless outliers.

    1. Re:TFA slightly overblown by Luckyo · · Score: 2, Informative

      Pretty much this. The hysteria has been laughable. This hits the organisations with large intranets where some idiot gets infected and functions as an initial infection source, while an intranet that actually has SMB enabled to mount network disks and printers is an excellent vector. Home users overwhelmingly sitting behind their router NATs and firewalls have no exposed SMB port access for the worm to propagate over.

    2. Re:TFA slightly overblown by Tetch · · Score: 4, Insightful

      Home users overwhelmingly sitting behind their router NATs and firewalls have no exposed SMB port access for the worm to propagate over

      ... although .. after we've all finally moved onto IPv6 networking, and all our home systems (not just well-run geek systems but also all Joe Public's PCs running Windows 17) are sitting on publicly routable real addresses and *not* behind NATs, the situation won't be as comfortable any more.

      http://www.networkworld.com/article/2228449/microsoft-subnet/ipv6-addressing--subnets--private-addresses.html:

      the whole concept of IPv6 is to be able to have IPv6 devices globally routable so that in the future, you want to have your IPv6 systems talk to other IPv6 systems directly without having to translate addresses

      So no NAT any more, and we have to hope that everybody's ISP-supplied "router" will contain an adequate firewall as a perimeter defence. People with home networks of Mom, Dad, Granny, Billy & Sue's PCs will be depending on their individual PCs' host firewalls having the SMB ports open in order to "share" their, er, "family vacation photos", or whatever the hell it is they share.

      --
      If you don't pray in my school, I won't think in your church.
    3. Re:TFA slightly overblown by knorthern knight · · Score: 2, Funny

      > ... although .. after we've all finally moved onto IPv6 networking, and
      > all our home systems (not just well-run geek systems but also all Joe Public's
      > PCs running Windows 17) are sitting on publicly routable real addresses and
      > *not* behind NATs, the situation won't be as comfortable any more.

      That effing stupid setup is the brainchild of some braindead internet hippies...

      1) If your ISP goes down for maintenance or a "backhoe incident", two machines at home won't be able to communicate.

      2) I may have a fast router at home, and 2 PCs, all with gigabit ethernet. But if it goes over my 7 mbit down / 1 mbit up ADSL connection, copying files over will take forever.

      3) Copying over a few hundred gigabytes of data from my old PC to a new replacement PC would destroy my monthly bandwidth quota.

      4) I do *NOT* want my ISP to know what data I have on my PCs.

      The way to go is to use link-local IPv6 addresses for all machines as per http://www.brocade.com/content... e.g. and I quote

      > To override a link-local address that is automatically computed for an
      > interface with a manually configured address, enter commands such as the following.
      >
      > device(config)#interface ethernet 3/1
      > device(config-if-e1000-3/1)#ipv6 address
      > FE80::240:D0FF:FE48:4672 link-local
      >
      > These commands explicitly configure the link-local address FE80::240:D0FF:FE48:4672 for Ethernet interface 3/1.

      And then use a hosts file to give simple aliases like "mom", "dad", "billy", or "sue" to each machine. Bonus points for a DD-WRT variant, or an ip6tables ruleset on a Raspberry Pi that consolidates all the internal link-local addresses into one external IPv6 address as far as the outside world is concerned. Repeat after me... IPv6 NAT.

      --

      I'm not repeating myself
      I'm an X window user; I'm an ex-Windows user
  5. Re:How does it work? by Anonymous Coward · · Score: 3, Informative

    It's been a good practice to not expose SMB ports (445, 139 etc.) to the open Internet for two decades at least, IMHO. I remember that in 1996 (if I remember correctly) I accidentally exposed an NT 3.51 machine and my ISP called to warn me.

  6. Re:How does it work? by benjymouse · · Score: 2

    Since Windows Vista (maybe even XP with SP3?) Windows comes with a firewall automatically enabled.

    The firewall has multiple profiles: Work, private and public. On "public" networks it is far more strict than on a "work" network. A work network is a network with a domain controller to which the PC is domain-joined. The private network is somewhere in between.

    So if you have not explicitly commanded Windows to be "discoverable" across the Internet (a bad idea) you will not become infected.

    The worm capabilities are really only effective on corporate networks. First the virus needs to get inside via email+social engineering+other exploits. Once it has taken over one computer on a corporate (domain controlled) network, it can use the SMB attack vector to spread to unpatched computers.

    Only pre-sp2 XP computers are vulnerable to infection across the Internet. And only if they are not behind some other form of firewall.

    --
    Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
  7. Re:How does it work? by benjymouse · · Score: 3, Informative

    You would probably have to directly plug your PC into your ISP's connection as opposed to using a router, any decent model of which should block unsolicited incoming traffic by default.

    Not only that. Since it's Windows 7 he would also need to either switch off the built-in firewall or allow "sharing of resources" across "public networks". The latter will issue a number of warning dialogs before exposing the SMB port.

    --
    Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
  8. IPv6 : *firewall* by DrYak · · Score: 2

    ... although .. after we've all finally moved onto IPv6 networking, and all our home systems (not just well-run geek systems but also all Joe Public's PCs running Windows 17) are sitting on publicly routable real addresses and *not* behind NATs, the situation won't be as comfortable any more.

    For the record, the reason why PCs are currently secure under IPv4 is because of the router functionality inside the xDSL modem.
    The modem runs some sort of firewall - i.e.: packets are inspected and filtered.
    The fact that the addresses are masqueraded from/translated to non-routable local IP ranges is just icing on the cake.
    The core of the cake is that the router *does filter*...

    It would work just as well if publicly addressable addresses were used behind the router.
    (NAT just makes the router function mandatory, because you could not achieve the same simply with a network hub/switch and a dumb-modem).

    So no NAT any more, and we have to hope that everybody's ISP-supplied "router" will contain an adequate firewall as a perimeter defence.

    Again, NAT isn't necessary per se. You don't need to remap all the addresses into some fdxx:: prefix to make the network secure. What you need is actually DOING filtering, even if the in-network IPv6 addresses are publicly routable.

    And in practice that's exactly what I'm seeing in all local ISP IPv6 deployments: their standard modem is a modem/router combo. It has filtering capabilities.
    By default, there's no inbound access. It *happens* that they also do NAT on IPv4 because they only get a single IP.
    But it's mainly functioning as a firewall, on both IPv4 and IPv6.

    In 2017, nobody sane is using dumb-modems+switches, so stop agitating this IPv6 strawman.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
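A way to check the host-firewall side of what benjymouse (#6) and DrYak (#8) describe, as an added example that is not from any commenter: this PowerShell audits which profile each active connection is on, whether the built-in SMB inbound rules are enabled on the Public profile, and, only with -Fix, restricts them to Domain/Private and adds an explicit block rule. It assumes Windows 8 / Server 2012 or later (the NetSecurity cmdlets) and an elevated prompt; the rule name 'Block SMB from public networks' is my own choice.

```powershell
# Added example (not from the thread). Assumes Windows 8 / Server 2012 or later
# (NetSecurity module) and an elevated PowerShell prompt. Run with -Fix to remediate.
param([switch]$Fix)

# 1. Profile of every active connection. "Public" is the strict profile;
#    a home LAN that Windows classified as Private gets the looser rule set.
Get-NetConnectionProfile |
    Select-Object Name, InterfaceAlias, IPv4Connectivity, IPv6Connectivity, NetworkCategory |
    Format-Table -AutoSize

# 2. Built-in inbound rules in the "File and Printer Sharing" group that open
#    the SMB ports (TCP 445, and 139 for the NetBIOS session service).
$smbRules = Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound |
    Where-Object {
        $ports = @(($_ | Get-NetFirewallPortFilter).LocalPort)
        ($ports -contains '445') -or ($ports -contains '139')
    }
$smbRules | Select-Object DisplayName, Enabled, Profile, Action | Format-Table -AutoSize

# 3. Flag any of them that is enabled for the Public profile (or for Any profile).
$exposed = $smbRules | Where-Object {
    $_.Enabled -eq 'True' -and ($_.Profile -eq 'Any' -or "$($_.Profile)" -match 'Public')
}
if ($exposed) {
    Write-Warning ("SMB inbound is allowed on the Public profile by: " +
                   ($exposed.DisplayName -join ', '))
    if ($Fix) {
        # Keep sharing working on Domain/Private networks, just not on Public ones.
        $exposed | Set-NetFirewallRule -Profile Domain, Private
    }
} else {
    Write-Host 'No SMB inbound rule is enabled on the Public profile.'
}

# 4. Belt and braces: an explicit block rule. Block rules win over allow rules,
#    and Windows Firewall rules match IPv4 and IPv6 alike, so this holds on a
#    globally routable IPv6 address exactly as it does behind IPv4 NAT.
#    The rule name is my own choice (hypothetical, not a built-in rule).
$blockName = 'Block SMB from public networks'
if ($Fix -and -not (Get-NetFirewallRule -DisplayName $blockName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $blockName -Direction Inbound -Protocol TCP `
        -LocalPort 445, 139 -Profile Public -Action Block | Out-Null
    Write-Host "Added rule '$blockName'."
}
```

Without -Fix the script only reports; the remediation leaves sharing on Domain/Private networks untouched, which is the profile split the comment above describes.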
  9. Re:See? by gnasher719 · · Score: 4, Insightful

    Actually, if they have only three wallets and therefore cannot know who has paid and who hasn't paid, that means clearly that they are not going to unlock anything, no matter whether someone pays a ransom or not.

    I suggest a million dollar reward to find the bastards, and then send the SAS around.

  10. Re:How does it work? by roc97007 · · Score: 2

    You would probably have to directly plug your PC into your ISP's connection as opposed to using a router, any decent model of which should block unsolicited incoming traffic by default.

    I was somewhat shocked to find that some ISPs just install a cable modem and plug the victim's... sorry, customer's PC directly into the raw internet. Happened to my mother-in-law. Fortunately, she was on the phone to me when he was doing the install, because she didn't fully trust him, and was giving me a running description of what he was doing. When I heard that it was a modem not a router, (she had asked about wifi and he said she'd need to buy a router for that) I yelled "Unplug it! Unplug it now!" and drove over there with a spare router and did the rest of the install myself. I mean geeze, it's like some ISPs are in collusion with the ransomware people.

    Back in the days of DSL, before cable modem or fiber were available in my area, I happily plugged my computer into the DSL modem, ran the included Verizon CD, and got pwned in the first half hour. Reformat, reinstall, try it again, and was pwned inside of 15 minutes. I thought at first that there was a virus on the CD. A little investigation led me to software firewalls... (what was it called, firedoor?) and later to hardware routers.

    But, I'm a geek. What do regular people do?

    --
    Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.