Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security

'Accidental Hero' Finds Kill Switch To Stop Wana Decrypt0r Ransomware (theguardian.com) 182

"An 'accidental hero' has halted the global spread of the WannaCry ransomware that has wreaked havoc on organizations..." writes The Guardian. An anonymous reader quotes their report: A cybersecurity researcher tweeting as @malwaretechblog, with the help of Darien Huss from security firm Proofpoint, found and implemented a "kill switch" in the malicious software that was based on a cyber-weapon stolen from the NSA. The kill switch was hardcoded into the malware in case the creator wanted to stop it from spreading. This involved a very long nonsensical domain name that the malware makes a request to -- just as if it was looking up any website -- and if the request comes back and shows that the domain is live, the kill switch takes effect and the malware stops spreading. Of course, this relies on the creator of the malware registering the specific domain. In this case, the creator failed to do this. And @malwaretechblog did early Friday morning (Pacific Time), stopping the rapid proliferation of the ransomware.
You can read their first-person account of the discovery here, which insists that registering the domain "was not a whim. My job is to look for ways we can track and potentially stop botnets..." Friday they also tweeted a map from the New York Times showing that registering that domain provided more time for U.S. sites to patch their systems. And Friday night they added "IP addresses from our [DNS] sinkhole have been sent to FBI and ShadowServer so affected organizations should get a notification soon. Patch ASAP."

UPDATE: Slashdot reader Lauren Weinstein says some antivirus services (and firewalls incorporating their rules) are mistakenly blocking that site as a 'bad domain', which allows the malware to continue spreading. "Your systems MUST be able to access the domain above if this malware blocking trigger is to be effective, according to the current reports that I'm receiving!"
This discussion has been archived. No new comments can be posted.

'Accidental Hero' Finds Kill Switch To Stop Wana Decrypt0r Ransomware

Comments Filter:
  • by Anonymous Coward

    I suppose pre-registering the domain would effectively be adding a signature admitting liability

  • Factsheet (Score:5, Informative)

    by Anonymous Coward on Saturday May 13, 2017 @02:16AM (#54409625)

    Here is a factsheet: https://gist.github.com/slider23/bd617d0d376047c05d18980fde306840 [github.com]
    The domain in question is "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com".

    • Re: (Score:3, Insightful)

      by Anonymous Coward

      So the malware author is someone using a western keyboard layout then.

      • by mikael ( 484 )

        At some time, they must have checked to see if it was possible to register, and was not already taken.

        • Re:Factsheet (Score:5, Insightful)

          by Anonymous Coward on Saturday May 13, 2017 @08:10AM (#54410267)

          Sadly not - with that long of a (presumably) randomly generated string, the odds that it is taken are so minuscule that you wouldn't bother checking, precisely because that might leave a trail. If I were doing the same thing, I'd generate a nice long random string and happily presume that it's still available.

          • by wbr1 ( 2538558 )
            And what trail would searching for a domain leave? Valid names are easily determinable with the RFC and other public information. Checking registration is as easy as a whois lookup from behind any obfuscation you desire. There would be no trail.
          • If the url existed, you'd find out about it when you rolled out your malware and it didn't work. ... or if you tested your product before deploying it, but who does that nowadays?

          • by mysidia ( 191772 )

            the odds that it is taken are so minuscule that you wouldn't bother checking

            Yep.... Odds are it was quick and dirty. If it wasn't, then they'd probably have used algorithmically-generated domain names, try 3 URLs at random from a list, and require the URL attempted to present a digitally-signed file for the switch to take affect. Badware authors have done things like that in the past, etc, etc.

    • Hey, that's the combination to my luggage!

  • For my education please - I mean step-by-step. I can see it's a phishing thing. I can see it could copy itself to SMB 1 shares. But...err...then what? How did it spread, or did it not spread and the impact is 'only' to the files visible on the original machine?

    Reminds me an awful lot of the old I Love You [wikipedia.org] virus, which was a vbs script and which copied itself to shares as well. This new one is more sophisticated obviously, but I was around for that particular piece of 'fun'.
    • Here's how it works (Score:5, Informative)

      by Okian Warrior ( 537106 ) on Saturday May 13, 2017 @02:56AM (#54409709) Homepage Journal

      There's a good sumamry over at github [github.com].

      Essentially, the malware looks for port 445 (SMB) on local computers and the internet. If you have this port open on the internet, and have older than Win10, and haven't updated with the Mar 2 patch, then you're vulnerable.

      Note that WinXP has about 8% market share and cannot be patched. You can get infected from another machine on the local subnet as well.

      Here [talosintelligence.com] is a good detailed description of how it works and what it does.

      Note that the propagation has halted for now, however the virus also installs a rootkit on the user's machine. If the virus writer realizes that the domain has been taken, he could remotely change the hard-coded domain name on every currently-infected machine, thus restarting the propagation process.

      • by Anonymous Coward on Saturday May 13, 2017 @04:10AM (#54409841)
      • by Anonymous Coward

        For those saying how terrible that people are running unpatched, some hospital equipment runs on XP and the only update possible is sometimes to buy a new scanner, which is not necessarily affordable. It can have knock on effects elsewhere in the infrastructure too.

        Even just verifying that a scanner produced the same output with a new operating system on the front end, where this is possible, is not necessarily cheap to do.

        • Then why is it on the network? Give the scanner a local net of just itself and a proxy. Let the proxy run something modern and patched. There's no reason to have the antiquated system directly exposed.
          • Comment removed based on user account deletion
            • by Anonymous Coward

              Most radiology scanner manufacturers require that the device be connected to the internet so that they can download system logs and troubleshoot problems. It is usually via a VPN. Some of the scanners that I know of have workstations as part of the device. The system is usually the physical scan device, an acquisition computer and a processing computer. They are configured so the technologist can be post processing one scan while another is being acquired. The national accreditation agencies require that ra

          • The NHS were paying for continued security updates for XP...until April 2015.... Then they decided it was too expensive to renew. They could have kept paying for patches - which would probably still be cheaper than migrating earlier than they were ready for.

            • whoa whoa whoa. So MS has the patches but only shares them if you pay? We need a national OS, big time. Windows has only been getting worse since XP, so the national OS would either start better than Windows or eventually become better--either way, it would be an improvement.

              • My recollection is that MS was doubling the price of the support every year - they really want to force people off of these old OSes.

                You have to wonder how many of them were really using any form of SMB - a band-aid would just be to turn it off for systems that don't use it.

                I had this thought that one could disable the Microsoft SMB and replace it with Samba ported to Windows. That would at least get you a relatively modern protocol version.

          • Then why is it on the network?

            Exactly! I don't see any problem with using XP, Windows 95, or MSDOS as an embedded controller OS provided they will do the job. But why would you not plug any RJ-45 sockets with chewing gum?

            Why, other than rampant masochism would you connect ANYTHING that doesn't absolutely need to be networked to a network -- local or remote?

        • by jabuzz ( 182671 )

          Simple solution is that any device sold to the NHS must be supplied with updates that work on a supported version of an OS for the lifetime of the equipment. Should such a manufacture try measures to get around that, then that equipment (say Siemens, Toshiba, GEC etc.) many not be purchased by the NHS until the situation is rectified.

          The NHS one of the biggest victims here has the clout to make this mandatory and make it stick. Just needs the political will to make it the law. Loosing the NHS market because

      • Comment removed based on user account deletion
    • Im not 100% sure as i havent looked into this. but if it was me writing it. heres how it would work. SMB is a filesharing server that windows uses to talk to linux mac and other windows machines. when there is a SMB exploit sometimes it just allows you to view files, and copy/write files(like an auth bypass) Then sometimes there is privilege escalation. meaning i give server this string which it unwittingly passes onto the windows OS to give me full admin rights. Then you get to overwrite system files(see w

  • by Gravis Zero ( 934156 ) on Saturday May 13, 2017 @03:31AM (#54409775)

    A new version of WannaCry ransomware is on the loose!

    This is a game of cat and mouse, so don't assume you have won.

    • by tomxor ( 2379126 )

      A new version of WannaCry ransomware is on the loose!

      This is a game of cat and mouse, so don't assume you have won.

      Those were my first thoughts too, but although this is part M$ being shit and part NSA harbouring vulnerabilities. It all only works if users are clueless...

      Hopefully this widespread incident was enough to inform more people without costing them in anyway. Then more can understand the importance of using secure systems and keeping backups, or just not storing anything important on a machine.

      • by mikael ( 484 )

        Online backups, shadow volumes can get encrypted as well.

      • Which is why i feel all Windows PC's need to be behind a NAT which UPNP disabled(hopefully your router really disables it).

    • by StormReaver ( 59959 ) on Saturday May 13, 2017 @06:53AM (#54410137)

      This is a game of cat and mouse, so don't assume you have won.

      The only way to win is to not play: get rid of Windows.

      • And switch to what? This attack self replicates via an exploit across a local network but it infiltrates via a user executing something.

        I suggest you tell as many people as possible to stay on Windows. If Linux becomes a popular desktop OS we'll just see the same thing happening on the desktops including more focus from the NSA on finding errr inserting holes.

  • Will they ever contemplate the idea of rewriting completely that OS? It's about time.
    • by Anonymous Coward

      Yeah, we need new bugs and new security issues!

    • And how would they get users to upgrade?

      Look at all the resistance to get rid of XP, and even (for Win7/8 users) getting people to do the free Win10 upgrade?
      • Re: (Score:3, Insightful)

        by slashrio ( 2584709 )

        And how would they get users to upgrade?

        That's not so difficult. Just keep the functionality and look-and-feel and people will be fine with an upgrade (not a down-grade to an OS that they actually don't want).

    • by Xest ( 935314 )

      I'm not really sure what it would achieve given that this attack was dependent on old versions of Windows, and people being dumb.

      A new version of Windows will fix neither of these things given that installing the latest version would've already prevented it.

      • Re:Windows (Score:5, Informative)

        by Highdude702 ( 4456913 ) on Saturday May 13, 2017 @09:05AM (#54410429)

        uhh you realize last month this effected 90% of windows systems? new and old? microsoft decided that older versions of windows didnt matter anymore. even know in the 90's they convinced all kinds of Cat Scan and MRI makers to install windows XP or even worse windows SE on their machines for ease of use.. and now they refuse to give updates to people that paid $200,000-$5,000,000 for their computers. sounds like shitty business practice to me. Now i understand microsoft didnt sell the people the machines. but they did a damn good job of making sure their shitty OS was inside of them.

        • Re: Windows (Score:5, Insightful)

          by Aristos Mazer ( 181252 ) on Saturday May 13, 2017 @09:28AM (#54410491)
          It should be straightforward to hide those unpatched machines behind a proxy. Give them an Ethernet connection to only one other machine and let that other machine be fully patched and updatable. That's a fix, but, honestly, I'm confused why critical medical equipment is fully exposed to the network in the first place.
          • Re: Windows (Score:4, Insightful)

            by CaptainDork ( 3678879 ) on Saturday May 13, 2017 @11:04AM (#54410787)

            Or, you could hack the registry to make them self-identify as embedded and get security updates from Microsoft until 2019 [networkworld.com].

            Registry hack enables free Windows XP security updates until 2019

        • by Nkwe ( 604125 )

          uhh you realize last month this effected 90% of windows systems? new and old? microsoft decided that older versions of windows didnt matter anymore. even know in the 90's they convinced all kinds of Cat Scan and MRI makers to install windows XP or even worse windows SE on their machines for ease of use.. and now they refuse to give updates to people that paid $200,000-$5,000,000 for their computers. sounds like shitty business practice to me. Now i understand microsoft didnt sell the people the machines. but they did a damn good job of making sure their shitty OS was inside of them.

          Why would you expect Microsoft to pay for the mistake the CAT scan and MRI makers made in designing their equipment? If the MRI machine used a plastic gear to move some of the mechanics of the machine and it turned out that the gear would wear out and needed to be replaced by a metal gear, you wouldn't blame the manufacturer that made the gear or attempt to get the manufacturer to pay for a different kind of gear, you would blame the MRI designer for using a part that was inappropriate for the task at hand.

        • uhh you realize last month this effected 90% of windows systems? new and old? microsoft decided that older versions of windows didnt matter anymore. even know in the 90's they convinced all kinds of Cat Scan and MRI makers to install windows XP or even worse windows SE on their machines for ease of use.. and now they refuse to give updates to people that paid $200,000-$5,000,000 for their computers. sounds like shitty business practice to me. Now i understand microsoft didnt sell the people the machines. but they did a damn good job of making sure their shitty OS was inside of them.

          1.) When said CAT/MRI/CNC/'Whatevur' manufacturers decided to use XP for their equipment, they were well aware of the support lifecycle for the OS. If the support lifecycle of the OS was not enough to cover the lifecycle of the rest of the equipment, that's the manufacturer's mistake, not Microsoft's.

          2.) Said lifecycle should have ended on 2011, instead, it lasted until 2014. Again, if the lifetime of the equipment connected with that computer exceeded this extended support lifetime of the OS, that's the ma

          • 4.) "Windows POS Ready 2009" is the SKU you're referring to. As the name suggests it was intended for Point of sale devices, and was released in 2009.
            This Microsoft Lifecycle page [microsoft.com] shows the lifecycle of embedded products. POS Ready was based on the "Windows Embedded Standard 2009", which is the last revision of XP embedded, with a similar end of life date.

            A lot of these "embedded" XP systems were probably released between 2001- 2009 (the original hey day of XP) and didn't include a SKU that would be release

            • From the link you provided:

              Windows Embedded Standard 2009. This product is an updated release of the toolkit and componentized version of Windows XP. It was originally released in 2008, and Extended Support will end on January 8, 2019.

              Windows Embedded POSReady 2009. This product for point of sale devices reflects the updates available in Windows Embedded Standard 2009. It was originally released on 2009, and extended support will end on April 9, 2019.

              Since these SKU's are still based on XP, It should have b

        • by Xest ( 935314 )

          Yes... so how would making a new version from scratch solve this problem exactly?

          I'm not sure what the relevance of the first part of your reply is - the GP said Microsoft should write a new version from scratch, I pointed out it wouldn't make much difference because only old versions were effected - you replied to me highlighting that point, so um, thanks for proving my point I guess? My comment on it relying on people being dumb is based on the fact the only infection vector is either machine sat facing t

    • They should turn the Windows UI into an x-windows overlay and do what everybody has been asking for years. turn windows into a Linux/Unix derivative.

    • Microsoft tried rewriting Windows in 2001 and the years following. It was a near total disaster. I think their enthusiasm for doing THAT again is nonexistent.

  • IMO it has bought them some time until the attackers figure out another way to continue the attack. Even when the Wikileaks announced that it will work with the tech giants to fix the vulnerabilities [slashdot.org] but it does not seem to be the case, but it falls on the hands of organizations and people alike to keep their systems updated all the time. NHS has now been hit by ransomware twice in a row.
    • In the case of NHS it's their own fault for continuing the bad practices. Typical for a government to want punishment of bad actors without any prevention.

      Microsoft knew about various vulnerabilities for years and the Wikileaks revelations have been online for quite some time, the NSA didn't want them to patch it and even now Microsoft is obfuscating the patch amongst various other fixes and forced installations of adware. Now it's too late for many people that still rely on Windows.

    • Not all systems are user updatable.

  • by DrXym ( 126579 ) on Saturday May 13, 2017 @03:49AM (#54409805)
    In the next malware it might be "delete everything" switch.
    • In the next malware it might be "delete everything" switch.

      Why not both? :D

      Bonus: It would also finally put some reality into that old trope of which wire to cut.

  • Why in hell... (Score:2, Insightful)

    by Anonymous Coward

    ... does any network expose SMB to the outside world?

    • Re:Why in hell... (Score:5, Informative)

      by OolimPhon ( 1120895 ) on Saturday May 13, 2017 @04:40AM (#54409879)

      It doesn't have to expose SMB to the outside world.

      The exploit arrives as a phishing email. Once clicked, it looks for SMB on that machine. By using SMB, it can then infect other machines on the same network - and, more importantly, behind the firewall you carefully set up to block SMB from the Internet.

      Moral: don't click on things you get randomly from the Internet. Also, don't click on things you get unexpectedly from colleagues in the same organization.

      • Thanks for the clarification.
      • Moral: don't click on things you get randomly from the Internet. Also, don't click on things you get unexpectedly from colleagues in the same organization.

        more importantly, don't run software that can still be infected by opening an email or document?

    • Re:Why in hell... (Score:4, Informative)

      by mikael ( 484 ) on Saturday May 13, 2017 @07:58AM (#54410251)

      It does if the router is not configured to block SMB. I have a consumer router provided by my ISP. I had to dig through an entire menu system and scroll down to the very bottom of one screen to find the configuration menu option that disables SMB file sharing pass-through.

      • Are you sure that wasnt just for local LAN filesharing? if what youre saying is the case port 445 would be in your forwarding section, as they wouldnt be able to send all traffic to all pc's as TCP routing doesnt work like that.

    • The number of people that plug the wire from their modem into their computer, or buy a switch thinking its a router.. and then your whole windows exploitbox is live for the internet to see. each with their own ip if you use a switch inline(i have seen it done many of times by customers)

      • I've seen it done by my ISP.
        Yes, they delivered a router for your internet access configured as a switch.
        Every computer you connected to it received a separate external IP address.
        Their customer helpdesk was clueless.
        Fortunately, this was easy to fix yourself, but a blunder of the first category nevertheless.

  • by Anonymous Coward on Saturday May 13, 2017 @04:25AM (#54409865)

    Can the EU and UK sue the US NSA for damages caused by the exploitation of their dangerous creation?

    The "S" in NSA stands for "Security" -- but what happened here is the exact opposite of security, undoubtedly costing many actual lives (as people cannot go to particular hospitals, or have surgeries disrupted) and a huge amount of money, which could have been avoided if the NSA had instead helped SECURE the affected operating systems rather than developing a dangerous and effective software weapon which could be easily leaked and used by anyone on the planet to wreak havoc.

    • by v1 ( 525388 )

      The "S" in NSA stands for "Security" -- but what happened here is the exact opposite of security,

      It's sort of how the Ministry of Peace and Ministry of Truth work. Everything is working exactly as designed, in spite of the name given to them.

    • The answer is no, The only people that i could see being liable would be Microsoft. you cant sue me because i found a major flaw in some software you use. now if i proceed to use it on you and you catch me. then i think there may be grounds. but since this isnt malware distributed by the NSA.. im going to say that they cant be sued for it. then again im only a jailhouse lawyer

  • Simply put the time served should be no less than the time they cost the rest of the world. Your virus costs 10 million man hours to clean up, have fun with a 10 million man hour sentence.

  • by jonwil ( 467024 ) on Saturday May 13, 2017 @05:09AM (#54409929)

    I am on Windows 7 Home Premium and have all the patches Windows Update offers me (including "Security Monthly Quality Rollup for Windows 7 for x64-based Systems" dated for May, April, March, January, December, November and October), am I patched?

    Also, given how many exploits target these Microsoft networking protocols (NetBIOS, SMB etc) and given that I dont actually need to use these protocols for anything, is there a way to turn them off so they aren't exposed to the outside world?

    • by Anonymous Coward

      Look in the update history log for KB4012215

      More info here

      https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

      • Specifically,

        Windows 8.1 or Windows Server 2012 R2 and later

        For client operating systems:
        1. Open Control Panel, click Programs, and then click Turn Windows features on or off.
        2. In the Windows Features window, clear the SMB1.0/CIFS File Sharing Support checkbox, and then click OK to close the window.
        3. Restart the system.

        For server operating systems:
        1. Open Server Manager and then click the Manage menu and select Remove Roles and Features.
        2. In the Features window, clear the SMB1.0/CIFS File Sharing Support

    • by UnknownSoldier ( 67820 ) on Saturday May 13, 2017 @07:38AM (#54410219)

      > given how many exploits target these Microsoft networking protocols (NetBIOS, SMB etc) and given that I dont actually need to use these protocols for anything, is there a way to turn them off so they aren't exposed to the outside world?

      MS has instructions on how to disable SMBv1, SMBv2, and SMBv3 here [microsoft.com]:

      * https://support.microsoft.com/... [microsoft.com]

      Windows 7, Windows Server 2008 R2, Windows Vista, and Windows Server 2008
      Windows PowerShell 2.0 or a later version of PowerShell

      To disable SMBv1 on the SMB server, run the following cmdlet:
      Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force
      To disable SMBv2 and SMBv3 on the SMB server, run the following cmdlet:
      Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB2 -Type DWORD -Value 0 -Force
      To enable SMBv1 on the SMB server, run the following cmdlet:
      Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 1 -Force
      To enable SMBv2 and SMBv3 on the SMB server, run the following cmdlet:
      Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB2 -Type DWORD -Value 1 -Force

      You can disable NetBIOS over TCP/IP:

      * https://technet.microsoft.com/... [microsoft.com]

      1. From the Network and Dial-up Connections icon in Control Panel , select Local Area Connection and right-click Properties .
      2. On the General tab, click Internet Protocol (TCP/IP) in the list of components, and click the Properties button.
      3. Click the Advanced button.
      4. Click the WINS tab. Click Disable NetBIOS over TCP/IP .

      --
      Fuck You Red Cross for hijacking the + operator and the color red in a video game hundreds of years AFTER the Templars first used red crosses.

      • by jonwil ( 467024 )

        Thanks, I turned of SMB via the command lines given and I turned off NetBIOS over TCP/IP.

        Since I dont connect my Windows PC to other Windows PCs (or to Linux machines running Samba or the like) I dont need SMB or NetBIOS and turning them off prevents all the exploits that involve SMB/NetBIOS from working.

        • If you aren't directly exposed to the internet in the first place all you had to do was not fall for the phishing email.

  • What is the url of the kill switch?
  • "Accidental" Hero? (Score:5, Insightful)

    by gurps_npc ( 621217 ) on Saturday May 13, 2017 @08:21AM (#54410305) Homepage

    That sounds pejorative to me. Most discoveries involve accidents - just ask Alexander Fleming, Christopher Colombus, or Doctor Spencer Silver (post it notes).

    Like all of these men, this HERO, was investigating something not fully understood, stumbled by accident on something interesting, REALIZED that it was interesting and worked hard to understand exactly what it was. The realization and hard work are not common, they make the difference between a real discovery and a random day.

    This is no more accidental than 90% of scientific discoveries.

  • This brings up an interesting philosophical / moral issue. The release of this kind of source code, by Wikileaks and others, is literally giving military grade weapons to anyone with the modicum of technical knowledge required to wield it. Fortunately, in this case, the person setting it loose didn't have the technical aptitude (or couldn't even be bothered with) looking at the code and disabling or properly securing the "kill switch".

    It makes me wonder if those responsible for releasing and distributing

  • ... just put this in our hosts file?

    • by Dwedit ( 232252 )

      The domain is already registered. If your computers have no Internet connection, the hosts file might help there.

      • by PPH ( 736903 )

        Just thinking out loud: I wonder if this kill switch URL was distributed to gov't agencies, contractors and other insiders when the tools were originally written. Just to keep certain intranets 'clean'.

  • Not so fast... (Score:3, Informative)

    by Picodon ( 4937267 ) on Saturday May 13, 2017 @01:45PM (#54411343)

    Malwarebytes wrote [malwarebytes.com]: “This was probably some kind of kill switch... UPDATE: The second argument to InternetOpenA is 1 (INTERNET_OPEN_TYPE_DIRECT), so the worm will still work on any system that requires a proxy to access the Internet, which is the case on the majority of corporate networks.”

  • If you'd really cared about MalwareTech's privacy you wouldn't given this much attention to the fact he was doxxed. Now even more people will know about it. The journalists that wrote about MalwareTech being doxxed are as bad as the ones who first doxxed him.

An adequate bootstrap is a contradiction in terms.

Working...