'Accidental Hero' Finds Kill Switch To Stop Wana Decrypt0r Ransomware (theguardian.com) 182
"An 'accidental hero' has halted the global spread of the WannaCry ransomware that has wreaked havoc on organizations..." writes The Guardian. An anonymous reader quotes their report:
A cybersecurity researcher tweeting as @malwaretechblog, with the help of Darien Huss from security firm Proofpoint, found and implemented a "kill switch" in the malicious software that was based on a cyber-weapon stolen from the NSA. The kill switch was hardcoded into the malware in case the creator wanted to stop it from spreading. This involved a very long nonsensical domain name that the malware makes a request to -- just as if it was looking up any website -- and if the request comes back and shows that the domain is live, the kill switch takes effect and the malware stops spreading. Of course, this relies on the creator of the malware registering the specific domain. In this case, the creator failed to do this. And @malwaretechblog did early Friday morning (Pacific Time), stopping the rapid proliferation of the ransomware.
You can read their first-person account of the discovery here, which insists that registering the domain "was not a whim. My job is to look for ways we can track and potentially stop botnets..." Friday they also tweeted a map from the New York Times showing that registering that domain provided more time for U.S. sites to patch their systems. And Friday night they added "IP addresses from our [DNS] sinkhole have been sent to FBI and ShadowServer so affected organizations should get a notification soon. Patch ASAP."
UPDATE: Slashdot reader Lauren Weinstein says some antivirus services (and firewalls incorporating their rules) are mistakenly blocking that site as a 'bad domain', which allows the malware to continue spreading. "Your systems MUST be able to access the domain above if this malware blocking trigger is to be effective, according to the current reports that I'm receiving!"
You can read their first-person account of the discovery here, which insists that registering the domain "was not a whim. My job is to look for ways we can track and potentially stop botnets..." Friday they also tweeted a map from the New York Times showing that registering that domain provided more time for U.S. sites to patch their systems. And Friday night they added "IP addresses from our [DNS] sinkhole have been sent to FBI and ShadowServer so affected organizations should get a notification soon. Patch ASAP."
UPDATE: Slashdot reader Lauren Weinstein says some antivirus services (and firewalls incorporating their rules) are mistakenly blocking that site as a 'bad domain', which allows the malware to continue spreading. "Your systems MUST be able to access the domain above if this malware blocking trigger is to be effective, according to the current reports that I'm receiving!"
unregistered domain (Score:1)
I suppose pre-registering the domain would effectively be adding a signature admitting liability
Factsheet (Score:5, Informative)
Here is a factsheet: https://gist.github.com/slider23/bd617d0d376047c05d18980fde306840 [github.com]
The domain in question is "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com".
Re: (Score:3, Insightful)
So the malware author is someone using a western keyboard layout then.
Re: (Score:2)
At some time, they must have checked to see if it was possible to register, and was not already taken.
Re:Factsheet (Score:5, Insightful)
Sadly not - with that long of a (presumably) randomly generated string, the odds that it is taken are so minuscule that you wouldn't bother checking, precisely because that might leave a trail. If I were doing the same thing, I'd generate a nice long random string and happily presume that it's still available.
Re: (Score:2)
Re: (Score:3)
If the url existed, you'd find out about it when you rolled out your malware and it didn't work. ... or if you tested your product before deploying it, but who does that nowadays?
Re: (Score:2)
the odds that it is taken are so minuscule that you wouldn't bother checking
Yep.... Odds are it was quick and dirty. If it wasn't, then they'd probably have used algorithmically-generated domain names, try 3 URLs at random from a list, and require the URL attempted to present a digitally-signed file for the switch to take affect. Badware authors have done things like that in the past, etc, etc.
Re: (Score:2)
Hey, that's the combination to my luggage!
How did it actually work? (Score:2)
Reminds me an awful lot of the old I Love You [wikipedia.org] virus, which was a vbs script and which copied itself to shares as well. This new one is more sophisticated obviously, but I was around for that particular piece of 'fun'.
Here's how it works (Score:5, Informative)
There's a good sumamry over at github [github.com].
Essentially, the malware looks for port 445 (SMB) on local computers and the internet. If you have this port open on the internet, and have older than Win10, and haven't updated with the Mar 2 patch, then you're vulnerable.
Note that WinXP has about 8% market share and cannot be patched. You can get infected from another machine on the local subnet as well.
Here [talosintelligence.com] is a good detailed description of how it works and what it does.
Note that the propagation has halted for now, however the virus also installs a rootkit on the user's machine. If the virus writer realizes that the domain has been taken, he could remotely change the hard-coded domain name on every currently-infected machine, thus restarting the propagation process.
Re:Here's how it works (Score:4, Informative)
Microsoft.com released a fixes for EOLed Windows. [microsoft.com]
Re: Here's how it works (Score:2, Informative)
For those saying how terrible that people are running unpatched, some hospital equipment runs on XP and the only update possible is sometimes to buy a new scanner, which is not necessarily affordable. It can have knock on effects elsewhere in the infrastructure too.
Even just verifying that a scanner produced the same output with a new operating system on the front end, where this is possible, is not necessarily cheap to do.
Re: Here's how it works (Score:2)
Re: (Score:3)
Re: Here's how it works(in Radiology) (Score:3, Interesting)
Most radiology scanner manufacturers require that the device be connected to the internet so that they can download system logs and troubleshoot problems. It is usually via a VPN. Some of the scanners that I know of have workstations as part of the device. The system is usually the physical scan device, an acquisition computer and a processing computer. They are configured so the technologist can be post processing one scan while another is being acquired. The national accreditation agencies require that ra
Re: (Score:2)
The NHS were paying for continued security updates for XP...until April 2015.... Then they decided it was too expensive to renew. They could have kept paying for patches - which would probably still be cheaper than migrating earlier than they were ready for.
Re: (Score:2)
whoa whoa whoa. So MS has the patches but only shares them if you pay? We need a national OS, big time. Windows has only been getting worse since XP, so the national OS would either start better than Windows or eventually become better--either way, it would be an improvement.
Re: (Score:2)
My recollection is that MS was doubling the price of the support every year - they really want to force people off of these old OSes.
You have to wonder how many of them were really using any form of SMB - a band-aid would just be to turn it off for systems that don't use it.
I had this thought that one could disable the Microsoft SMB and replace it with Samba ported to Windows. That would at least get you a relatively modern protocol version.
Re: (Score:2)
Then why is it on the network?
Exactly! I don't see any problem with using XP, Windows 95, or MSDOS as an embedded controller OS provided they will do the job. But why would you not plug any RJ-45 sockets with chewing gum?
Why, other than rampant masochism would you connect ANYTHING that doesn't absolutely need to be networked to a network -- local or remote?
Re: (Score:2)
Simple solution is that any device sold to the NHS must be supplied with updates that work on a supported version of an OS for the lifetime of the equipment. Should such a manufacture try measures to get around that, then that equipment (say Siemens, Toshiba, GEC etc.) many not be purchased by the NHS until the situation is rectified.
The NHS one of the biggest victims here has the clout to make this mandatory and make it stick. Just needs the political will to make it the law. Loosing the NHS market because
Re: (Score:2)
Re: (Score:3)
In this particular exploit, no
Re: (Score:3)
Im not 100% sure as i havent looked into this. but if it was me writing it. heres how it would work. SMB is a filesharing server that windows uses to talk to linux mac and other windows machines. when there is a SMB exploit sometimes it just allows you to view files, and copy/write files(like an auth bypass) Then sometimes there is privilege escalation. meaning i give server this string which it unwittingly passes onto the windows OS to give me full admin rights. Then you get to overwrite system files(see w
Re: (Score:3)
Please read the post before mouthing off. The first three words "for my education please" are an admission of ignorance and a request for information.
Re: (Score:1, Troll)
Please read the post before mouthing off. The first three words "for my education please" are an admission of ignorance and a request for information.
"for my education please" is four words, no?
Just wait for tomorrow's news... (Score:5, Insightful)
A new version of WannaCry ransomware is on the loose!
This is a game of cat and mouse, so don't assume you have won.
Re: (Score:2)
A new version of WannaCry ransomware is on the loose!
This is a game of cat and mouse, so don't assume you have won.
Those were my first thoughts too, but although this is part M$ being shit and part NSA harbouring vulnerabilities. It all only works if users are clueless...
Hopefully this widespread incident was enough to inform more people without costing them in anyway. Then more can understand the importance of using secure systems and keeping backups, or just not storing anything important on a machine.
Re: (Score:2)
Online backups, shadow volumes can get encrypted as well.
Re: (Score:2)
Re: (Score:2)
Which is why i feel all Windows PC's need to be behind a NAT which UPNP disabled(hopefully your router really disables it).
Re:Just wait for tomorrow's news... (Score:5, Insightful)
This is a game of cat and mouse, so don't assume you have won.
The only way to win is to not play: get rid of Windows.
Re: (Score:2)
And switch to what? This attack self replicates via an exploit across a local network but it infiltrates via a user executing something.
I suggest you tell as many people as possible to stay on Windows. If Linux becomes a popular desktop OS we'll just see the same thing happening on the desktops including more focus from the NSA on finding errr inserting holes.
Re: (Score:2)
Windows (Score:1)
Re: Windows (Score:1)
Yeah, we need new bugs and new security issues!
Re: (Score:2)
Look at all the resistance to get rid of XP, and even (for Win7/8 users) getting people to do the free Win10 upgrade?
Re: (Score:3, Insightful)
And how would they get users to upgrade?
That's not so difficult. Just keep the functionality and look-and-feel and people will be fine with an upgrade (not a down-grade to an OS that they actually don't want).
Re: (Score:2)
i would a pie that didnt have piss on it.. but not if it has a Microsoft label on it.. think i would rather have the one with Piss on it that i know is an actual pie.
Re: (Score:3)
I'm not really sure what it would achieve given that this attack was dependent on old versions of Windows, and people being dumb.
A new version of Windows will fix neither of these things given that installing the latest version would've already prevented it.
Re:Windows (Score:5, Informative)
uhh you realize last month this effected 90% of windows systems? new and old? microsoft decided that older versions of windows didnt matter anymore. even know in the 90's they convinced all kinds of Cat Scan and MRI makers to install windows XP or even worse windows SE on their machines for ease of use.. and now they refuse to give updates to people that paid $200,000-$5,000,000 for their computers. sounds like shitty business practice to me. Now i understand microsoft didnt sell the people the machines. but they did a damn good job of making sure their shitty OS was inside of them.
Re: Windows (Score:5, Insightful)
Re: Windows (Score:4, Insightful)
Or, you could hack the registry to make them self-identify as embedded and get security updates from Microsoft until 2019 [networkworld.com].
Registry hack enables free Windows XP security updates until 2019
Re: (Score:2)
Easier to use a decent router, and not allow any incoming traffic to your computer. but in either situation... it doesnt stop you from infecting yourself with phishing emails, or bad ads. stuff like that. things like chrome,edge,IE,firefox exploits are normally used when you load a page. and the only way to protect against those is decent AV software, adblocks, and pure knowledge of what not to do.
Re: (Score:2)
Longer answer: A good proxy could help protect you from worms, but not from a stupid user downloading something bad, or clicking on something bad in email. Good deep-inspection proxies are also expensive. To protect against something like this, it would have to intercept the mail client protocol (probably IMAP or MAPI), unwrap any TLS encryption on it using MitM certificates, detect and decode the attachment (ie pdf), then decode it for embedded .docm files. That's a lot deeper than a
Re: (Score:3)
uhh you realize last month this effected 90% of windows systems? new and old? microsoft decided that older versions of windows didnt matter anymore. even know in the 90's they convinced all kinds of Cat Scan and MRI makers to install windows XP or even worse windows SE on their machines for ease of use.. and now they refuse to give updates to people that paid $200,000-$5,000,000 for their computers. sounds like shitty business practice to me. Now i understand microsoft didnt sell the people the machines. but they did a damn good job of making sure their shitty OS was inside of them.
Why would you expect Microsoft to pay for the mistake the CAT scan and MRI makers made in designing their equipment? If the MRI machine used a plastic gear to move some of the mechanics of the machine and it turned out that the gear would wear out and needed to be replaced by a metal gear, you wouldn't blame the manufacturer that made the gear or attempt to get the manufacturer to pay for a different kind of gear, you would blame the MRI designer for using a part that was inappropriate for the task at hand.
CAT & MRI & CNC & 'whatevur' Manufactu (Score:2)
uhh you realize last month this effected 90% of windows systems? new and old? microsoft decided that older versions of windows didnt matter anymore. even know in the 90's they convinced all kinds of Cat Scan and MRI makers to install windows XP or even worse windows SE on their machines for ease of use.. and now they refuse to give updates to people that paid $200,000-$5,000,000 for their computers. sounds like shitty business practice to me. Now i understand microsoft didnt sell the people the machines. but they did a damn good job of making sure their shitty OS was inside of them.
1.) When said CAT/MRI/CNC/'Whatevur' manufacturers decided to use XP for their equipment, they were well aware of the support lifecycle for the OS. If the support lifecycle of the OS was not enough to cover the lifecycle of the rest of the equipment, that's the manufacturer's mistake, not Microsoft's.
2.) Said lifecycle should have ended on 2011, instead, it lasted until 2014. Again, if the lifetime of the equipment connected with that computer exceeded this extended support lifetime of the OS, that's the ma
Re: (Score:2)
4.) "Windows POS Ready 2009" is the SKU you're referring to. As the name suggests it was intended for Point of sale devices, and was released in 2009.
This Microsoft Lifecycle page [microsoft.com] shows the lifecycle of embedded products. POS Ready was based on the "Windows Embedded Standard 2009", which is the last revision of XP embedded, with a similar end of life date.
A lot of these "embedded" XP systems were probably released between 2001- 2009 (the original hey day of XP) and didn't include a SKU that would be release
Re: (Score:2)
From the link you provided:
Windows Embedded Standard 2009. This product is an updated release of the toolkit and componentized version of Windows XP. It was originally released in 2008, and Extended Support will end on January 8, 2019.
Windows Embedded POSReady 2009. This product for point of sale devices reflects the updates available in Windows Embedded Standard 2009. It was originally released on 2009, and extended support will end on April 9, 2019.
Since these SKU's are still based on XP, It should have b
Re: (Score:3)
Yes... so how would making a new version from scratch solve this problem exactly?
I'm not sure what the relevance of the first part of your reply is - the GP said Microsoft should write a new version from scratch, I pointed out it wouldn't make much difference because only old versions were effected - you replied to me highlighting that point, so um, thanks for proving my point I guess? My comment on it relying on people being dumb is based on the fact the only infection vector is either machine sat facing t
Re: (Score:2)
They should turn the Windows UI into an x-windows overlay and do what everybody has been asking for years. turn windows into a Linux/Unix derivative.
Re: (Score:2)
Microsoft tried rewriting Windows in 2001 and the years following. It was a near total disaster. I think their enthusiasm for doing THAT again is nonexistent.
Researchers bought some time (Score:2)
Re: Researchers bought some time (Score:2)
In the case of NHS it's their own fault for continuing the bad practices. Typical for a government to want punishment of bad actors without any prevention.
Microsoft knew about various vulnerabilities for years and the Wikileaks revelations have been online for quite some time, the NSA didn't want them to patch it and even now Microsoft is obfuscating the patch amongst various other fixes and forced installations of adware. Now it's too late for many people that still rely on Windows.
Re: (Score:2)
Not all systems are user updatable.
Lucky it was a kill switch (Score:3)
Re: (Score:3)
In the next malware it might be "delete everything" switch.
Why not both? :D
Bonus: It would also finally put some reality into that old trope of which wire to cut.
Re: (Score:2)
Why not both? :D
Why not Zoidberg?
Re: (Score:2)
because he will just try eating the malware and then be infected himself. What good is an encrypted Zoidberg without the key?
Why in hell... (Score:2, Insightful)
... does any network expose SMB to the outside world?
Re:Why in hell... (Score:5, Informative)
It doesn't have to expose SMB to the outside world.
The exploit arrives as a phishing email. Once clicked, it looks for SMB on that machine. By using SMB, it can then infect other machines on the same network - and, more importantly, behind the firewall you carefully set up to block SMB from the Internet.
Moral: don't click on things you get randomly from the Internet. Also, don't click on things you get unexpectedly from colleagues in the same organization.
Re: (Score:2)
Re: (Score:3)
more importantly, don't run software that can still be infected by opening an email or document?
Re:Why in hell... (Score:4, Informative)
It does if the router is not configured to block SMB. I have a consumer router provided by my ISP. I had to dig through an entire menu system and scroll down to the very bottom of one screen to find the configuration menu option that disables SMB file sharing pass-through.
Re: (Score:2)
Are you sure that wasnt just for local LAN filesharing? if what youre saying is the case port 445 would be in your forwarding section, as they wouldnt be able to send all traffic to all pc's as TCP routing doesnt work like that.
Re: (Score:2)
The number of people that plug the wire from their modem into their computer, or buy a switch thinking its a router.. and then your whole windows exploitbox is live for the internet to see. each with their own ip if you use a switch inline(i have seen it done many of times by customers)
Re: (Score:2)
I've seen it done by my ISP.
Yes, they delivered a router for your internet access configured as a switch.
Every computer you connected to it received a separate external IP address.
Their customer helpdesk was clueless.
Fortunately, this was easy to fix yourself, but a blunder of the first category nevertheless.
NSA LIABILITY = $1 BILLION ? (Score:5, Insightful)
Can the EU and UK sue the US NSA for damages caused by the exploitation of their dangerous creation?
The "S" in NSA stands for "Security" -- but what happened here is the exact opposite of security, undoubtedly costing many actual lives (as people cannot go to particular hospitals, or have surgeries disrupted) and a huge amount of money, which could have been avoided if the NSA had instead helped SECURE the affected operating systems rather than developing a dangerous and effective software weapon which could be easily leaked and used by anyone on the planet to wreak havoc.
Re: (Score:2)
It's sort of how the Ministry of Peace and Ministry of Truth work. Everything is working exactly as designed, in spite of the name given to them.
Re: (Score:2)
The answer is no, The only people that i could see being liable would be Microsoft. you cant sue me because i found a major flaw in some software you use. now if i proceed to use it on you and you catch me. then i think there may be grounds. but since this isnt malware distributed by the NSA.. im going to say that they cant be sued for it. then again im only a jailhouse lawyer
Re: (Score:2)
Obligatory: Change sentencing for these Aholes (Score:2)
Simply put the time served should be no less than the time they cost the rest of the world. Your virus costs 10 million man hours to clean up, have fun with a 10 million man hour sentence.
Re: Obligatory: Change sentencing for these Aholes (Score:3)
I agree that Microsoft and the NSA should pay for it and their execs should get that sort of sentence.
How can I tell if I am fully patched? (Score:4, Interesting)
I am on Windows 7 Home Premium and have all the patches Windows Update offers me (including "Security Monthly Quality Rollup for Windows 7 for x64-based Systems" dated for May, April, March, January, December, November and October), am I patched?
Also, given how many exploits target these Microsoft networking protocols (NetBIOS, SMB etc) and given that I dont actually need to use these protocols for anything, is there a way to turn them off so they aren't exposed to the outside world?
Re: How can I tell if I am fully patched? (Score:2, Informative)
Look in the update history log for KB4012215
More info here
https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
Re: (Score:2)
Specifically,
Re:How can I tell if I am fully patched? (Score:4, Informative)
> given how many exploits target these Microsoft networking protocols (NetBIOS, SMB etc) and given that I dont actually need to use these protocols for anything, is there a way to turn them off so they aren't exposed to the outside world?
MS has instructions on how to disable SMBv1, SMBv2, and SMBv3 here [microsoft.com]:
* https://support.microsoft.com/... [microsoft.com]
You can disable NetBIOS over TCP/IP:
* https://technet.microsoft.com/... [microsoft.com]
--
Fuck You Red Cross for hijacking the + operator and the color red in a video game hundreds of years AFTER the Templars first used red crosses.
Re: (Score:2)
Thanks, I turned of SMB via the command lines given and I turned off NetBIOS over TCP/IP.
Since I dont connect my Windows PC to other Windows PCs (or to Linux machines running Samba or the like) I dont need SMB or NetBIOS and turning them off prevents all the exploits that involve SMB/NetBIOS from working.
Re: (Score:2)
If you aren't directly exposed to the internet in the first place all you had to do was not fall for the phishing email.
URL? (Score:1)
"Accidental" Hero? (Score:5, Insightful)
That sounds pejorative to me. Most discoveries involve accidents - just ask Alexander Fleming, Christopher Colombus, or Doctor Spencer Silver (post it notes).
Like all of these men, this HERO, was investigating something not fully understood, stumbled by accident on something interesting, REALIZED that it was interesting and worked hard to understand exactly what it was. The realization and hard work are not common, they make the difference between a real discovery and a random day.
This is no more accidental than 90% of scientific discoveries.
Interesting situation (Score:2)
This brings up an interesting philosophical / moral issue. The release of this kind of source code, by Wikileaks and others, is literally giving military grade weapons to anyone with the modicum of technical knowledge required to wield it. Fortunately, in this case, the person setting it loose didn't have the technical aptitude (or couldn't even be bothered with) looking at the code and disabling or properly securing the "kill switch".
It makes me wonder if those responsible for releasing and distributing
Can we ... (Score:2)
Re: (Score:2)
The domain is already registered. If your computers have no Internet connection, the hosts file might help there.
Re: (Score:2)
Just thinking out loud: I wonder if this kill switch URL was distributed to gov't agencies, contractors and other insiders when the tools were originally written. Just to keep certain intranets 'clean'.
Not so fast... (Score:3, Informative)
Malwarebytes wrote [malwarebytes.com]: “This was probably some kind of kill switch... UPDATE: The second argument to InternetOpenA is 1 (INTERNET_OPEN_TYPE_DIRECT), so the worm will still work on any system that requires a proxy to access the Internet, which is the case on the majority of corporate networks.”
Great (Score:2)
Re: (Score:2, Flamebait)
Re: (Score:2, Insightful)
I am also in two minds about this. Having it spread further could make more people realize that computer security is important, but due to the affected hospitals, people can die. This would probably be the first time that people die from a computer virus.
We needed to destroy the Web (Score:2)
in order to save it?
Re: (Score:2)
Re: But (Score:5, Funny)
Damn script kiddies, get off my LAN!
Re: (Score:2)
Damn script kiddies, get off my LAN!
That's appropriate. Younger people do not know what's a LAN!
Re: (Score:2)
They are not as safe as people think..
While it seems the need urgency level is lower than for windows, Macs are good at updating the system efficiently in a less obtrusive way
Re: Patch your macs now! (Score:2)
Re: (Score:3)
With the way software is written today, And i was told there was a security patch for an OS component that didnt require a restart, I would still fear that the issue in question was not completely patched. and maybe just had a bandaid attached to it with a little bit of bubblegum. as ive seen too many times that one security patch turns into a new 0day the very next day. The white hat hackers are smart. and they do alot of good. and the black hats just try to stay a step ahead of the whitehat. the real wi
Re: (Score:2)
yes! as you can tell from my name. i may be a lil stoned.. and a cookie sounds great!
Re: (Score:2)
Re: (Score:2)
This won't accomplish what you intend - the .onion addresses are looked up within Tor, bypassing your standard DNS infrastructure.
Re: (Score:2)