Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security

PCs Connected To the Internet Will Get Infected With WanaDecrypt0r In Minutes (bleepingcomputer.com) 82

An anonymous reader writes: "The Wana Decrypt0r ransomware -- also known as WCry, WannaCry, WannaCrypt, and WanaCrypt0r -- infected a honeypot server made to look like a vulnerable Windows computer six times in the span of 90 minutes, according to an experiment carried out by a French security researcher that goes online by the name of Benkow," reports BleepingComputer. "During one of those infections, Wana Decrypt0r infected the honeypot in a mere three minutes after it was reset, showing the aggressive nature of the ransomware's scanning module, which helps it spread to new victims... Three minutes is about the same amount of time IoT malware will infect a vulnerable home router left connected to the Internet without patches."

The article also highlights the fact that the group behind this threat is possibly made of inexperienced coders, who just stumbled upon a way to weaponize an NSA exploit. Their three previous WanaDecrypt0r campaigns were mundane, and one researcher called their code "utter [expletive]." This is because WanaDecrypt0r is actually made of two main modules, the ransomware itself, and the SMB worm (based on the NSA exploit). While the SMB worm is top-shelf code, the ransomware itself is quite unsophisticated, making a lot of operational errors, including using only 3 Bitcoin wallets to handle payments, instead of one per infected user, as most top-shelf ransomware does. This makes it difficult to tell which victims paid and who didn't, as anyone could claim "x" transaction is theirs, even if they didn't pay.

This discussion has been archived. No new comments can be posted.

PCs Connected To the Internet Will Get Infected With WanaDecrypt0r In Minutes

Comments Filter:
  • How does it work? I've installed Windows 7 last week, my first Windows install in more than a decade and I'm not infected yet. I've been on-line for hours!
    • Re:How does it work? (Score:4, Informative)

      by The MAZZTer ( 911996 ) <megazzt AT gmail DOT com> on Sunday May 14, 2017 @11:37PM (#54416643) Homepage
      You would probably have to directly plug your PC into your ISP's connection as opposed to using a router of which any decent model should block unsolicited incoming traffic by default.
      • Re:How does it work? (Score:4, Informative)

        by benjymouse ( 756774 ) on Monday May 15, 2017 @03:19AM (#54417117)

        You would probably have to directly plug your PC into your ISP's connection as opposed to using a router of which any decent model should block unsolicited incoming traffic by default.

        Not only that. Since it's Windows 7 he would also need to either switch off the built-in firewall or allow "sharing of resources" across "public networks". The latter will issue a number of warning dialogs before exposing the SMB port.

      • You would probably have to directly plug your PC into your ISP's connection as opposed to using a router of which any decent model should block unsolicited incoming traffic by default.

        I was somewhat shocked to find that some ISPs just install a cable modem and plug the victim's... sorry, customer's PC directly into the raw internet. Happened to my mother-in-law. Fortunately, she was on the phone to me when he was doing the install, because she didn't fully trust him, and was giving me a running description of what he was doing. When I heard that it was a modem not a router, (she had asked about wifi and he said she'd need to buy a router for that) I yelled "Unplug it! Unplug it now!"

    • by Okian Warrior ( 537106 ) on Sunday May 14, 2017 @11:48PM (#54416665) Homepage Journal

      You can get it either by a) exposing port 445 to the internet, or b) exposing port 445 to a computer on your local subnet that's infected.

      If you have no other computers running windows on your local net, and if your network connection doesn't allow port 445 through, you should be safe.

      ...it's a good idea to patch the system, though. Get the patch here [microsoft.com].

      Port 445 is SMB ("samba" over in linux world), which is used to mount remote disks and printers (and some other things). There's really no need for a user to expose this port to the internet unless you want to mount a disk remotely over the internet, which is not something a user would ordinarily need.

    • Since Windows Vista (may even XP with SP3?) Windows comes with a firewall automatically enabled.

      The firewall has multiple profiles: Work, private and public. On "public" networks it is far more strict than on a "work" network. A work network is a network with a domain controller to which the PC is domain-joined. The private network is somewhere in between.

      So if you have not explicitly commanded Windows to be "discoverable" across the Internet (a bad idea) you will not become infected.

      The worm capabilities i

  • by future assassin ( 639396 ) on Sunday May 14, 2017 @11:35PM (#54416639)

    when you couldn't connect a new XP install to the internet to get updates unless you installed firewall and virus software before hand. It was pretty cool, tested it a few times on my then 1mbit ADSL line. Install XP, connect to internet and within minutes you'd get infected. I can't remember the name of the virus off hand.

    • Blaster?

    • There was another big one 15 years ago - NIMDA
    • by AmiMoJo ( 196126 )

      It was only 13 years ago that the problem was fixed. Service Pack 2 for Windows XP enabled the firewall by default, and made it safe to connect to update.microsoft.com for initial patches.

      Of course, if you had a router with NAT based firewall you were safe anyway unless there were already infected machines on your LAN. A lot of the crapware provided by ISPs to set up and dial in your modem did enable the firewall too, and of course PC manufacturers loved to include a shovelware firewall in the base install.

  • by Anonymous Coward on Sunday May 14, 2017 @11:48PM (#54416667)

    SMB not allowed thru windows firewall by default
    Most users behind NAT/SPI
    All rational ISPs block SMB

    SMB worms are quite useful for spreading laterally within local networks after some mental giant (e.g. C-level exec) in your organization clicks the wrong email.

    Pretty much DOA elsewhere where your just whacking clueless outliers.

    • Re: (Score:3, Informative)

      by Luckyo ( 1726890 )

      Pretty much this. The hysteria has been laughable. This hits the organisations with large intranets where some idiot gets infected, and functions as an initial infection source, while intranet that actually has SMB enabled to mount network disks and printers is an excellent vector. Home users overwhelmingly sitting behind their router NATs and firewalls have no exposed SMB port access for worm to propagate over.

      • by Tetch ( 534754 ) on Monday May 15, 2017 @01:05AM (#54416815) Journal

        Home users overwhelmingly sitting behind their router NATs and firewalls have no exposed SMB port access for worm to propagate over

        ... although .. after we've all finally moved onto IPv6 networking, and all our home systems (not just well-run geek systems but also all Joe Public's PCs running Windows 17) are sitting on publically routable real addresses and *not* behind NATs, the situation won't be as comfortable any more.

        http://www.networkworld.com/article/2228449/microsoft-subnet/ipv6-addressing--subnets--private-addresses.html [networkworld.com]:

        the whole concept of IPv6 is to be able to have IPv6 devices globally routable so that in the future, you want to have your IPv6 systems talk to other IPv6 systems directly without having to translate addresses

        So no NAT any more, and we have to hope that everybody's ISP-supplied "router" will contain an adequate firewall as a perimeter defence. People with home networks of Mom, Dad, Granny, Billy & Sue's PCs will be depending on their individual PCs' host firewalls having the SMB ports open in order to "share" their, er, "family vacation photos", or whatever the hell it is they share.

        • Home users overwhelmingly sitting behind their router NATs and firewalls have no exposed SMB port access for worm to propagate over

          ... although .. after we've all finally moved onto IPv6 networking, and all our home systems (not just well-run geek systems but also all Joe Public's PCs running Windows 17) are sitting on publically routable real addresses and *not* behind NATs, the situation won't be as comfortable any more.

          http://www.networkworld.com/article/2228449/microsoft-subnet/ipv6-addressing--subnets--private-addresses.html [networkworld.com]:

          the whole concept of IPv6 is to be able to have IPv6 devices globally routable so that in the future, you want to have your IPv6 systems talk to other IPv6 systems directly without having to translate addresses

          So no NAT any more, and we have to hope that everybody's ISP-supplied "router" will contain an adequate firewall as a perimeter defence. People with home networks of Mom, Dad, Granny, Billy & Sue's PCs will be depending on their individual PCs' host firewalls having the SMB ports open in order to "share" their, er, "family vacation photos", or whatever the hell it is they share.

          Exactly. Having a firewall component on the ISP router will take the place of the basic security that NAT provides (i.e. deny inbound sessions by default). Yes, Windows Firewall does have some protections. The problem with it is that if you open up file sharing internally between other home PCs and devices, it would also open it up to internet traffic.

        • Re: (Score:3, Funny)

          > ... although .. after we've all finally moved onto IPv6 networking, and
          > all our home systems (not just well-run geek systems but also all Joe Public's
          > PCs running Windows 17) are sitting on publically routable real addresses and
          > *not* behind NATs, the situation won't be as comfortable any more.

          That effing stupid setup is the brainchild of some braindead internet hippies...

          1) If your ISP goes down for maintenace or a "backhoe incident", two machines at home won't be able to communicate.

          2) I

        • by Anonymous Coward

          NAT was never actually meant to be a security feature - it was meant to overcome / limit the impact of address space exhaustion.

          While there are many individuals and even organizations that rely on it as a "security feature" - it is not one. It is not a replacement for a packet filter.

        • by AvitarX ( 172628 )

          Except now adays it will be easier to share via the cloud than learn about firewalls and computer addresses.

          Especially with drop box, google, one drive, facebook (for photos) being established ways to share files with people.

        • ... although .. after we've all finally moved onto IPv6 networking, and all our home systems (not just well-run geek systems but also all Joe Public's PCs running Windows 17) are sitting on publically routable real addresses and *not* behind NATs, the situation won't be as comfortable any more.

          For the record, the reason why PC are currently secure under IPv4 is because of the router functionnality inside the xDSL modem.
          The modem runs some sort of firewall - i.e.: packets are inspected and filtered.
          The fact that the addresses are masquaraded from/translated to non-routable local IP ranges is just icing on the cake.
          The core of the cake is that the router *does filter*...

          It would work just as well if publicly addressable addresses where used behind the router.
          (NAT just makes the router function man

          • by ceoyoyo ( 59147 )

            NAT routers don't filter.* Any incoming traffic
            is addressed to the router. If you happen to have instructed the router to pass particular types of traffic to a specific machine, it does this. Otherwise it responds, or doesn't, to traffic addressed to it, just like any other machine would.

            * some also filter, but that's not really part of NAT

            • NAT routers don't filter.* Any incoming traffic
              * some also filter, but that's not really part of NAT

              (Note: I was using "filter" in a very liberal way. Basically: they don't just pass blindly ethernet packets around as a hub/switch would.
              Technically, yes, NAT router don't pay as much attention to the source IP as they pay to the destination port, so the applied rules are a bit unusual).

              But most modem with NAT I've seen have their router set to drop most their inbound connection, unless addressed to a port that was white-listed :
              - ...manually by the modem webinterface (forward port "6992" to the machine run

              • by ceoyoyo ( 59147 )

                I guess you can look at it that way. Really what happens is that a NAT router drops any packet that it can't figure out a destination for. It's kind of like the post office... they don't deliver mail for which they can't figure out the destination address.

                It seems like a pedantic point, but it becomes important when you talk about IPv6. Computers behind NAT are protected because they don't actually exist on the Internet. They can only be reached via special tricks, and those tricks have to be implemente

                • Really what happens is that a NAT router drops any packet that it can't figure out a destination for.

                  Nope.
                  They drop any packet, because that's the default rule in the iptables (sidenote: anyone with a modern modem that uses netfilter ?)
                  loaded into the linux kernel that runs on the MIPS (mostlikely) inside your modem/router.
                  The rest are exceptions.
                  On a NAT router the rules will be in the form 'if destination port is "6992", then replace destination ip with "192.168.2.13" and keep the packet'.
                  On a regular IPv6 router the rules will be in the fromo 'if destination IP is ":81a6:3d0f:5025:9243:5660" and destiti

        • although .. after we've all finally moved onto IPv6 networking, and all our home systems (not just well-run geek systems but also all Joe Public's PCs running Windows 17) are sitting on publically routable real addresses and *not* behind NATs, the situation won't be as comfortable any more.

          Nothing changes with deployment of IPv6.

          - All customer IPv6 capable routers on the market provide SPI making them more secure than existing packet mangling IPv4 NAT routers... The baseline requirement for SPI isn't going away.

          - Windows firewall works just the same over also IPv6 blocking SMB by default.

          - ISPs block SMB over IPv6 the same as they do over IPv4.

          So no NAT any more, and we have to hope that everybody's ISP-supplied "router" will contain an adequate firewall as a perimeter defence. People with home networks of Mom, Dad, Granny, Billy & Sue's PCs will be depending on their individual PCs' host firewalls having the SMB ports open in order to "share" their, er, "family vacation photos", or whatever the hell it is they share.

          The reality is only thing that changes for end users is ease at which connections between peers can be primed using IPv6 SPI vs IPv4 NAT.

          For example i

  • by Anonymous Coward

    3 Bitcoin wallets to handle payments, instead of one per infected user, as most top-shelf ransomware does. This makes it difficult to tell which victims paid and who didn't, as anyone could claim "x" transaction is theirs, even if they didn't pay.

    It's bad customer service. The finest, bestest, top-self ransomware have good customer service. After paying, rate them low because of it.

    • Re:See? (Score:5, Insightful)

      by gnasher719 ( 869701 ) on Monday May 15, 2017 @05:58AM (#54417519)
      Actually, if they have only three wallets and therefore cannot know who has paid and who hasn't paid, that means clearly that they are not going to unlock anything, no matter whether someone pays a ransom or not.

      I suggest a million dollar reward to find the bastards, and then send the SAS around.
  • While the SMB worm is top-shelf code

    It's full of porn and adverts for premium rate phone lines?

  • by Anonymous Coward

    I put a Windows 7 PC directly on the Internet last night after reading this story and it still has not been infected.

    So, this morning, I replicated 16 Windows 7 VMs and placed them all on the Internet, and not one of them has been infected in the 3 or so hours they have been connected.

    I call this claim bullshit.

  • I'm a sitting duck here, running a Windows 7 install that hasn't been updated in ages, on a LAN that I can reasonably assume will eventually be infected - how do I update Windows 7 safely, without risking an install of Microsoft's latest malware (Windows 10), or other privacy invading updates from Microsoft? Is there any safe way for me to install only necessary updates, without all of the above shite installing as well?
  • PCs are personal computers. There are plenty of PCs which don't run Windows. The original article doesn't have this glaring mistake, and a Slashdot poster should know better.

  • At this point, anyone who connects a PC directly to the internet is begging to be hacked. This has been shockingly bad practise for literally *decades* now, and people absolutely should know better. This isn't even a Windows-specific thing, even though Windows machines are overwhelmingly affected.

    Important things about the internet today:
    -Keep your machine behind a router
    -Don't open attachments that you weren't expecting, especially if it's from someone you don't recognize.
    -Don't share your passwords with

    • I have all kinds of direct internet connected PC's, they are not running windows and have adequate software firewall's running that protect them. I'm neither begging to be hacked nor doing anything stupid. I would be foolish to make blanket assumptions about things you have no experience with, your windows experience does not translate to my FreeBSD and Linux machines.

      • Wow, that's a lovely bunch of assumptions you're making.

        If you honestly think that people arn't trying to hack you... if you think that Linux and FreeBSD are completely perfect and exploit free... then you as inexperienced and foolish as you're accusing me of being, so maybe you should learn a little humility, hmmm?

        Security isn't an on-off/yes-no concept. Security has nothing to do with what operating system you use. Security is a *mindset*. Best practise security means using several defences in conjunct

        • You know, you're not contributing to the discussion by trying to assert that Windows and any other OS are equivalent. Microsoft is the outlier. Mac OS X, the BSDs, and most GNU/Linuxes (I say most because many distros are sprinting towards being as Windows-like as possible) do not launch daemons that listen on public interfaces by default, nor do BeOS (Haiku), AmigaOS, QNX or others.

          Windows comes insecure out of the box, and that's without turning on any services. Updates are painful and confusing. Do you k

          • If you think I don't understand security, then you obviously didn't read my post, nor do *you* understand security.

            Yes, Windows is far more problematic than Mac, which is more problematic than Linux, than BSD, etc etc blah blah blah. That is well known and not even a matter for discussion. The horse is so dead that it's already decomposed. Would you stop flogging it already?

            That does NOT mean that *BSD is completely impervious. It just means that they've done a better job keeping their default attack su

  • F.U.D. (fear, uncertainty, doubt) isn't just for IBM anymore.

He keeps differentiating, flying off on a tangent.

Working...