PCs Connected To the Internet Will Get Infected With WanaDecrypt0r In Minutes

An anonymous reader writes: "The Wana Decrypt0r ransomware -- also known as WCry, WannaCry, WannaCrypt, and WanaCrypt0r -- infected a honeypot server made to look like a vulnerable Windows computer six times in the span of 90 minutes, according to an experiment carried out by a French security researcher that goes online by the name of Benkow," reports BleepingComputer. "During one of those infections, Wana Decrypt0r infected the honeypot in a mere three minutes after it was reset, showing the aggressive nature of the ransomware's scanning module, which helps it spread to new victims... Three minutes is about the same amount of time IoT malware will infect a vulnerable home router left connected to the Internet without patches."

The article also highlights the fact that the group behind this threat is possibly made of inexperienced coders, who just stumbled upon a way to weaponize an NSA exploit. Their three previous WanaDecrypt0r campaigns were mundane, and one researcher called their code "utter [expletive]." This is because WanaDecrypt0r is actually made of two main modules, the ransomware itself, and the SMB worm (based on the NSA exploit). While the SMB worm is top-shelf code, the ransomware itself is quite unsophisticated, making a lot of operational errors, including using only 3 Bitcoin wallets to handle payments, instead of one per infected user, as most top-shelf ransomware does. This makes it difficult to tell which victims paid and who didn't, as anyone could claim "x" transaction is theirs, even if they didn't pay.

How does it work?

[Caesar Tjalbo]

How does it work? I've installed Windows 7 last week, my first Windows install in more than a decade and I'm not infected yet. I've been on-line for hours!

Re:

[Anonymous Coward]

It's been a good practice to not expose SMB ports (445, 139 etc.) to the open Internet for two decades at least, IMHO. I remember than in 1996 (if I remember correctly) I accidentally exposed a NT3.51 machine and my ISP called to warn me.

Re:

[TWX]

I like to take it a step further, I disallow all outgoing connections except to those destination ports that are legitimate Internet services that I use, and obviously unsolicited incoming traffic is dropped at the firewall. My goal is not only to try to prevent infections from being brought in to my network, but should an infection somehow end up on a node on my network, to deny it the ability to communicate with command and control servers should it try to use nonstandard ports.

Obviously if a piece of

Re:How does it work?

[The MAZZTer]

You would probably have to directly plug your PC into your ISP's connection as opposed to using a router of which any decent model should block unsolicited incoming traffic by default.

Re:How does it work?

[benjymouse]

You would probably have to directly plug your PC into your ISP's connection as opposed to using a router of which any decent model should block unsolicited incoming traffic by default.

Not only that. Since it's Windows 7 he would also need to either switch off the built-in firewall or allow "sharing of resources" across "public networks". The latter will issue a number of warning dialogs before exposing the SMB port.

Re:

[roc97007]

You would probably have to directly plug your PC into your ISP's connection as opposed to using a router of which any decent model should block unsolicited incoming traffic by default.

I was somewhat shocked to find that some ISPs just install a cable modem and plug the victim's... sorry, customer's PC directly into the raw internet. Happened to my mother-in-law. Fortunately, she was on the phone to me when he was doing the install, because she didn't fully trust him, and was giving me a running description of what he was doing. When I heard that it was a modem not a router, (she had asked about wifi and he said she'd need to buy a router for that) I yelled "Unplug it! Unplug it now!"

Ports 445 exposed to the internet

[Okian Warrior]

You can get it either by a) exposing port 445 to the internet, or b) exposing port 445 to a computer on your local subnet that's infected.

If you have no other computers running windows on your local net, and if your network connection doesn't allow port 445 through, you should be safe.

...it's a good idea to patch the system, though. Get the patch here [microsoft.com].

Port 445 is SMB ("samba" over in linux world), which is used to mount remote disks and printers (and some other things). There's really no need for a user to expose this port to the internet unless you want to mount a disk remotely over the internet, which is not something a user would ordinarily need.

Re:

[dreamchaser]

It is not a default. File sharing needs to be turned on manually.

Re:

[Jody Bruchon]

Windows 7 (and 2008 R2) patches aren't listed there, they'll be here [slashdot.org] instead.

Re:

[benjymouse]

Since Windows Vista (may even XP with SP3?) Windows comes with a firewall automatically enabled.

The firewall has multiple profiles: Work, private and public. On "public" networks it is far more strict than on a "work" network. A work network is a network with a domain controller to which the PC is domain-joined. The private network is somewhere in between.

So if you have not explicitly commanded Windows to be "discoverable" across the Internet (a bad idea) you will not become infected.

The worm capabilities i

Re:

[Anonymous Coward]

> $38K that he'll never be able to touch because every intelligence and law enforcement agency is watching those wallets

Until the 38k goes out from Wallet A1 to Wallet B1. Meanwhile, Wallets B2....200 send 89.21% of that 38k to wallets A2....200. There's a possibility that will be pieced together, and now the initial criminal A has about 90% of what he extorted, and subsequent money laundering criminal B has accepted the risk for those more closely monitored bitcoins (presumably he believes he can fool

It was only 15 years ago or so

[future assassin]

when you couldn't connect a new XP install to the internet to get updates unless you installed firewall and virus software before hand. It was pretty cool, tested it a few times on my then 1mbit ADSL line. Install XP, connect to internet and within minutes you'd get infected. I can't remember the name of the virus off hand.

Re:

[someoneOtherThanMe]

Blaster?

Re: It was only 15 years ago or so

[npetrov]

There was another big one 15 years ago - NIMDA

Re:

[AmiMoJo]

It was only 13 years ago that the problem was fixed. Service Pack 2 for Windows XP enabled the firewall by default, and made it safe to connect to update.microsoft.com for initial patches.

Of course, if you had a router with NAT based firewall you were safe anyway unless there were already infected machines on your LAN. A lot of the crapware provided by ISPs to set up and dial in your modem did enable the firewall too, and of course PC manufacturers loved to include a shovelware firewall in the base install.

TFA slightly overblown

[Anonymous Coward]

SMB not allowed thru windows firewall by default
Most users behind NAT/SPI
All rational ISPs block SMB

SMB worms are quite useful for spreading laterally within local networks after some mental giant (e.g. C-level exec) in your organization clicks the wrong email.

Pretty much DOA elsewhere where your just whacking clueless outliers.

Re:

[Luckyo]

Pretty much this. The hysteria has been laughable. This hits the organisations with large intranets where some idiot gets infected, and functions as an initial infection source, while intranet that actually has SMB enabled to mount network disks and printers is an excellent vector. Home users overwhelmingly sitting behind their router NATs and firewalls have no exposed SMB port access for worm to propagate over.

Re:TFA slightly overblown

[Tetch]

Home users overwhelmingly sitting behind their router NATs and firewalls have no exposed SMB port access for worm to propagate over

... although .. after we've all finally moved onto IPv6 networking, and all our home systems (not just well-run geek systems but also all Joe Public's PCs running Windows 17) are sitting on publically routable real addresses and *not* behind NATs, the situation won't be as comfortable any more.

http://www.networkworld.com/article/2228449/microsoft-subnet/ipv6-addressing--subnets--private-addresses.html [networkworld.com]:

the whole concept of IPv6 is to be able to have IPv6 devices globally routable so that in the future, you want to have your IPv6 systems talk to other IPv6 systems directly without having to translate addresses

So no NAT any more, and we have to hope that everybody's ISP-supplied "router" will contain an adequate firewall as a perimeter defence. People with home networks of Mom, Dad, Granny, Billy & Sue's PCs will be depending on their individual PCs' host firewalls having the SMB ports open in order to "share" their, er, "family vacation photos", or whatever the hell it is they share.

Re:

[David_Hart]

Home users overwhelmingly sitting behind their router NATs and firewalls have no exposed SMB port access for worm to propagate over

... although .. after we've all finally moved onto IPv6 networking, and all our home systems (not just well-run geek systems but also all Joe Public's PCs running Windows 17) are sitting on publically routable real addresses and *not* behind NATs, the situation won't be as comfortable any more.

http://www.networkworld.com/article/2228449/microsoft-subnet/ipv6-addressing--subnets--private-addresses.html [networkworld.com]:

the whole concept of IPv6 is to be able to have IPv6 devices globally routable so that in the future, you want to have your IPv6 systems talk to other IPv6 systems directly without having to translate addresses

So no NAT any more, and we have to hope that everybody's ISP-supplied "router" will contain an adequate firewall as a perimeter defence. People with home networks of Mom, Dad, Granny, Billy & Sue's PCs will be depending on their individual PCs' host firewalls having the SMB ports open in order to "share" their, er, "family vacation photos", or whatever the hell it is they share.

Exactly. Having a firewall component on the ISP router will take the place of the basic security that NAT provides (i.e. deny inbound sessions by default). Yes, Windows Firewall does have some protections. The problem with it is that if you open up file sharing internally between other home PCs and devices, it would also open it up to internet traffic.

Re:

[knorthern knight]

> ... although .. after we've all finally moved onto IPv6 networking, and
> all our home systems (not just well-run geek systems but also all Joe Public's
> PCs running Windows 17) are sitting on publically routable real addresses and
> *not* behind NATs, the situation won't be as comfortable any more.

That effing stupid setup is the brainchild of some braindead internet hippies...

1) If your ISP goes down for maintenace or a "backhoe incident", two machines at home won't be able to communicate.

2) I

Re:

[Anonymous Coward]

NAT was never actually meant to be a security feature - it was meant to overcome / limit the impact of address space exhaustion.

While there are many individuals and even organizations that rely on it as a "security feature" - it is not one. It is not a replacement for a packet filter.

Re:

[AvitarX]

Except now adays it will be easier to share via the cloud than learn about firewalls and computer addresses.

Especially with drop box, google, one drive, facebook (for photos) being established ways to share files with people.

IPv6 : *firewall*

[DrYak]

... although .. after we've all finally moved onto IPv6 networking, and all our home systems (not just well-run geek systems but also all Joe Public's PCs running Windows 17) are sitting on publically routable real addresses and *not* behind NATs, the situation won't be as comfortable any more.

For the record, the reason why PC are currently secure under IPv4 is because of the router functionnality inside the xDSL modem.
The modem runs some sort of firewall - i.e.: packets are inspected and filtered.
The fact that the addresses are masquaraded from/translated to non-routable local IP ranges is just icing on the cake.
The core of the cake is that the router *does filter*...

It would work just as well if publicly addressable addresses where used behind the router.
(NAT just makes the router function man

Re:

[ceoyoyo]

NAT routers don't filter.* Any incoming traffic
is addressed to the router. If you happen to have instructed the router to pass particular types of traffic to a specific machine, it does this. Otherwise it responds, or doesn't, to traffic addressed to it, just like any other machine would.

* some also filter, but that's not really part of NAT

NAT filtering

[DrYak]

NAT routers don't filter.* Any incoming traffic
* some also filter, but that's not really part of NAT

(Note: I was using "filter" in a very liberal way. Basically: they don't just pass blindly ethernet packets around as a hub/switch would.
Technically, yes, NAT router don't pay as much attention to the source IP as they pay to the destination port, so the applied rules are a bit unusual).

But most modem with NAT I've seen have their router set to drop most their inbound connection, unless addressed to a port that was white-listed :
- ...manually by the modem webinterface (forward port "6992" to the machine run

Re:

[ceoyoyo]

I guess you can look at it that way. Really what happens is that a NAT router drops any packet that it can't figure out a destination for. It's kind of like the post office... they don't deliver mail for which they can't figure out the destination address.

It seems like a pedantic point, but it becomes important when you talk about IPv6. Computers behind NAT are protected because they don't actually exist on the Internet. They can only be reached via special tricks, and those tricks have to be implemente

Most modem run Linux

[DrYak]

Really what happens is that a NAT router drops any packet that it can't figure out a destination for.

Nope.
They drop any packet, because that's the default rule in the iptables (sidenote: anyone with a modern modem that uses netfilter ?)
loaded into the linux kernel that runs on the MIPS (mostlikely) inside your modem/router.
The rest are exceptions.
On a NAT router the rules will be in the form 'if destination port is "6992", then replace destination ip with "192.168.2.13" and keep the packet'.
On a regular IPv6 router the rules will be in the fromo 'if destination IP is ":81a6:3d0f:5025:9243:5660" and destiti

Re:

[WaffleMonster]

although .. after we've all finally moved onto IPv6 networking, and all our home systems (not just well-run geek systems but also all Joe Public's PCs running Windows 17) are sitting on publically routable real addresses and *not* behind NATs, the situation won't be as comfortable any more.

Nothing changes with deployment of IPv6.

- All customer IPv6 capable routers on the market provide SPI making them more secure than existing packet mangling IPv4 NAT routers... The baseline requirement for SPI isn't going away.

- Windows firewall works just the same over also IPv6 blocking SMB by default.

- ISPs block SMB over IPv6 the same as they do over IPv4.

So no NAT any more, and we have to hope that everybody's ISP-supplied "router" will contain an adequate firewall as a perimeter defence. People with home networks of Mom, Dad, Granny, Billy & Sue's PCs will be depending on their individual PCs' host firewalls having the SMB ports open in order to "share" their, er, "family vacation photos", or whatever the hell it is they share.

The reality is only thing that changes for end users is ease at which connections between peers can be primed using IPv6 SPI vs IPv4 NAT.

For example i

Re:

[tepples]

An ISP has no business blocking ANYTHING (other than excessive traffic) without an explicit request from the recipient.

An ISP would claim that blocking "excessive traffic" includes blocking traffic meeting patterns that closely resemble those associated with propagation of malware that causes "excessive traffic".

Re: TFA slightly overblown

[Brockmire]

Were you born yesterday? That is some real junior stupidity. Or just inexperienced. It is the ISP's responsibility to prevent shares from being accessed by my neighbour and vice versa. This was settled 20 years ago.

See?

[Anonymous Coward]

3 Bitcoin wallets to handle payments, instead of one per infected user, as most top-shelf ransomware does. This makes it difficult to tell which victims paid and who didn't, as anyone could claim "x" transaction is theirs, even if they didn't pay.

It's bad customer service. The finest, bestest, top-self ransomware have good customer service. After paying, rate them low because of it.

Re:See?

[gnasher719]

Actually, if they have only three wallets and therefore cannot know who has paid and who hasn't paid, that means clearly that they are not going to unlock anything, no matter whether someone pays a ransom or not.

I suggest a million dollar reward to find the bastards, and then send the SAS around.

pr0n?

[Hognoxious]

While the SMB worm is top-shelf code

It's full of porn and adverts for premium rate phone lines?

Re:

[Anonymous Coward]

Must've been Linus.

Re: Did (s)he really talk like that?

[Brockmire]

Have you met ANY developer, ever?

Cannot Reproduce Claim

[Anonymous Coward]

I put a Windows 7 PC directly on the Internet last night after reading this story and it still has not been infected.

So, this morning, I replicated 16 Windows 7 VMs and placed them all on the Internet, and not one of them has been infected in the 3 or so hours they have been connected.

I call this claim bullshit.

Re: Cannot Reproduce Claim

[Brockmire]

16+ public IPV4 addresses just for testing? Nice.

How the fuck do I safely update Windows?

[ShamblerBishop]

I'm a sitting duck here, running a Windows 7 install that hasn't been updated in ages, on a LAN that I can reasonably assume will eventually be infected - how do I update Windows 7 safely, without risking an install of Microsoft's latest malware (Windows 10), or other privacy invading updates from Microsoft? Is there any safe way for me to install only necessary updates, without all of the above shite installing as well?

Re:

[e432776]

you can try this: http://download.wsusoffline.ne... [wsusoffline.net] its worked for me before. Good luck!

Re:

[tepples]

The best code for malware is code that when disassembled sends the researcher (copyright violator) mad.

What copyright violator? Intermediate copies created in the course of reverse engineering to discover a computer program's method of operation are not infringing. Sega Enterprises Ltd. v. Accolade, Inc., 977 F.2d 1510 (9th Cir. 1992).

The U.S. DMCA has explicit exceptions for law enforcement and security testing. Title 17, United States Code, section 1201, subsections (e) and (j).

You mean to write that WINDOWS PCs will...

[chaoskitty]

PCs are personal computers. There are plenty of PCs which don't run Windows. The original article doesn't have this glaring mistake, and a Slashdot poster should know better.

No shit?

[ilsaloving]

At this point, anyone who connects a PC directly to the internet is begging to be hacked. This has been shockingly bad practise for literally *decades* now, and people absolutely should know better. This isn't even a Windows-specific thing, even though Windows machines are overwhelmingly affected.

Important things about the internet today:
-Keep your machine behind a router
-Don't open attachments that you weren't expecting, especially if it's from someone you don't recognize.
-Don't share your passwords with

Re:

[rahvin112]

I have all kinds of direct internet connected PC's, they are not running windows and have adequate software firewall's running that protect them. I'm neither begging to be hacked nor doing anything stupid. I would be foolish to make blanket assumptions about things you have no experience with, your windows experience does not translate to my FreeBSD and Linux machines.

Re:

[ilsaloving]

Wow, that's a lovely bunch of assumptions you're making.

If you honestly think that people arn't trying to hack you... if you think that Linux and FreeBSD are completely perfect and exploit free... then you as inexperienced and foolish as you're accusing me of being, so maybe you should learn a little humility, hmmm?

Security isn't an on-off/yes-no concept. Security has nothing to do with what operating system you use. Security is a *mindset*. Best practise security means using several defences in conjunct

Re:

[ilsaloving]

Does it now? Then I guess you'll have no difficulty finding someone to refute what I said.

After all, the Appeal to Authority fallacy only means that you should not assume what I said is true just because I claim authority. It says nothing about the validity of the argument itself.

So please, if I'm wrong, correct me. Having correct information is critical when managing infrastructure, and I want to do the best job I can.

If, on the other hand, your *only* argument is "You made a logical fallacy so therefor

Re:

[chaoskitty]

You know, you're not contributing to the discussion by trying to assert that Windows and any other OS are equivalent. Microsoft is the outlier. Mac OS X, the BSDs, and most GNU/Linuxes (I say most because many distros are sprinting towards being as Windows-like as possible) do not launch daemons that listen on public interfaces by default, nor do BeOS (Haiku), AmigaOS, QNX or others.

Windows comes insecure out of the box, and that's without turning on any services. Updates are painful and confusing. Do you k

Re:

[ilsaloving]

If you think I don't understand security, then you obviously didn't read my post, nor do *you* understand security.

Yes, Windows is far more problematic than Mac, which is more problematic than Linux, than BSD, etc etc blah blah blah. That is well known and not even a matter for discussion. The horse is so dead that it's already decomposed. Would you stop flogging it already?

That does NOT mean that *BSD is completely impervious. It just means that they've done a better job keeping their default attack su

Progress

[McFortner]

F.U.D. (fear, uncertainty, doubt) isn't just for IBM anymore.