What's special about WannaCry that has made this such a widespread thing? I presume there has been plenty of malware for a while that can propagate itself around a network of unpatched old Windows machines, and people have been trying to get users to click on emails to infect themselves for years.
Basically, this is a successful old-fashioned computer worm, operating at a scale we've not seen for more than 10 years. On modern operating systems most attack surfaces that were easy to crack in the past have been locked down at least to the point where it is nearly impossible to find an exploit in a common protocol like this that doesn't require user interaction (hence the popularity of phishing). Apart from that we've just gotten lucky, really. Many of the most catastrophic bugs in recent years (Heartbleed, etc) were never successfully turned into exploits of this nature. Instead they were discovered and fixed quickly by researchers.
This worm targets older Windows versions that are installed (and use the exploited protocol) in a lot of critical infrastructure, and the worm was hoarded by the NSA all packaged up and ready to deploy (because it can propagate through SMB and therefore would be perfect for a future Stuxnet-like operation). So of course some criminals get their hands on it, and hey look it works. It's an absolutely bonkers story.
"Customers who are running supported versions of the operating system (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8.1, Windows Server 2012, Windows 10, Windows Server 2012 R2, Windows Server 2016) will have received the security update MS17-010 in March. If customers have automatic updates enabled or have installed the update, they are protected. For other customers, we encourage them to install the update as soon as possible."
If you don't have the update, you are not protected, you are vulnerable.
Posting from a throwaway for obvious reasons, but the place where I work still hasn't applied these patches after I warned their IT dept about the NSA vulns a month ago... luckily I'm at least able to apply the patch to my own system manually. If it hits us I'm pretty sure we're screwed on the order of a few thousand systems.
WannaCry ("the attack") didn't target Windows 10 installations (probably since most Win10 users have updates enabled), but Windows 10 is still vulnerable without the patch.
Again, where is the source? I seriously doubt that the worm author would let go of such a profitable target if they can infect Windows 10. According to this: https://www.netmarketshare.com/operating-system-market-share... Windows 10 has almost 4 times as many users as XP (and supposedly the gap is growing larger).
The difference would be that Win 10's forced updates mean nearly every Win 10 user is patched. It would be a much less successful target (though still a target > 0).
Actually, the latest news suggests this thing is a hybrid worm/phishing trojan which can use the SMB exploit where that works best (e.g. once it is inside a local network).
It's not "old Windows machines," it's XP to Server 2012. It also isn't clear that it came from e-mails yet. It's widespread, easy to propagate, and is hitting the places most affected by Windows 10's advanced telemetry and hidden update.
> It's not "old Windows machines," it's XP to Server 2012.
This is incorrect or at least misleading.
Any machine still running Windows XP is, by any reasonable definition, an "old Windows machine." Windows XP was first released in 2001, and actively supported with updates for 12 years. Windows XP hasn't been supported with critical security patches for over 3 years.
Windows Server 2012 is under active support until Oct. 10, 2023, and was patched against this vulnerability in MS17-010. See the middle of the page here: https://technet.microsoft.com/en-us/library/security/ms17-01... If your Windows Server 2012 machine fell victim to this ransomware, it was for the same reason as those running the newer Windows Server 2016 (also vulnerable to WannaCry): because someone didn't apply security patches in a timely manner.
This ransomware was particularly damaging because of its unusually wormable nature. (Ring 0, commonly enabled networking protocol, no user interaction required.)
An XP computer is old, Windows 8.1 is one generation back. Both are vulnerable to this exploit. Yes, patches have been available for supported versions, I don't know how that makes anything I said wrong or misleading.
We agree about it being not JUST old Windows versions being affected.
I replied to your comment because the "old" Windows XP having no patch available was significant here, and I read your comment as saying "old" windows versions were not proportionally more responsible for WannaCry's rapid spread.
Windows XP is still the third largest version of Windows by current installed base (after Windows 10 and Windows 7).
The fact that Windows XP remained unpatched was significant, as there is notable overlap between Windows machines that aren't getting new security updates (at least within a month or two of their release) and Windows machines still running Windows XP.
This vulnerability was, in fact, unusually dangerous, relative to other Windows XP vulnerabilities that have come to light in the last 5 years, and the install base of the "older" Windows XP machines made a big difference in the ransomware's ability to spread.
The resources I see don't show XP as third, though I'm sceptical of anything based on user agent. And I can't find anything about how responsible they would be for the spread.
I addressed that it wasn't "old" Windows because there is a crazy belief out there that this only hit XP.
Places where uptime is vital were bothered by the 10 rollout and may have altered their patching method after. And places with serious privacy concerns must be wary of Windows updates. Enterprise is supposed to allow everyone to be shut off, but mistakes can be very expensive.
Most vulnerabilities are limited to old releases or new releases, whereas "EternalBlue" affected all Windows versions across the board. The patches are less than two months old, so there was a chance to exploit old machines and newer ones that slow IT might have left vulnerable. This is why someone invested a bit in making the exploit wormable and unleashed it, the potential pool of victims was bigger than usual.
I think it's because it's cool to use the word "cyber" now in the news. It makes news outlets appear edgy and with it. In fact these cyber attacks are nothing new, and have been an ongoing problem for organizations like the NHS, the only difference being there is a remarkable uptick in the scale of the attack. The reason it stands out is because it's a cluster, instead of a slow, trickling problem for the NHS and other organizations.
> What's so special now?
The sophistication and worm capabilities. Were it not for the Shadowbrokers leak, small time malware authors had to use tired old strains of malware to spread. Now they can draw upon the vast arsenal of the Shadowbrokers leak and appear like state actors, which they are not.
If anything, the leaks were a blessing, because now we can mitigate against such attacks. NSA's mantra 'NOBUS' (No-one-but-us) does not apply here.
The thing that scares me most is that while this has been a public facing issue, many of these computers at Telefonica, the NHS, and others, have been silently accessible via the exploit for a while.
Nobody seems to be talking about this, but we can only guess that a lot of stuff has been compromised and still is.
What really worries me is the huge amount of non-patched computers that have not fallen with this specific WannaCry issue and are sitting idly waiting for their glory day.
WannaCry is a worm. It does not require people to click on anything in emails to be infected. It scans for vulnerable computers and infects them directly over the network.
I don't get it: why are they using many fake but valid domains? Wouldn't a non-existing TLD do exactly the same thing while being impossible to register by anyone trying to stop the malware?
Inexperience. These ransomwares aren't written by good programmers. They're put together like lego by people who have barely graduated from copy-paste script kiddie level. For example it's pretty common that botnet C&C systems have basic SQL injection vulnerabilities etc. These people aren't security gurus, they just wait until there's a proof of concept exploit of some public vulnerability posted on a hacking forum/chat and then plug that into their prepackaged ransomware kit.
It's testing to see if its C&C servers are being MITMed for analysis. It does this by checking a bunch of random domains and seeing if they all resolve to the same IP. A completely random domain, rather than a hard-coded random domain, would do just as well, but that's not what was coded in.
That gives you 64 characters to the left of the dot. The maximum number of characters allowed in any single component of a domain name is 63. Some systems might react in unexpected ways if you try to resolve an invalid domain name, making your check unreliable. Better use md5 or sha1.
It's not supposed to be a kill switch. (Even though it works as one.)
The domain check is there to detect whether the infection is running in a sandbox environment. If the domain check succeeds, it assumes it's being analyzed and aborts.
Is there some fundamental reason why the domain check would always succeed in a sandbox? Would this not be simple to work around by security researchers?
I really am a bit puzzled by the killswitches. Why does WannaCry have this functionality in the first place? It sounds almost ironically like a Hollywood villain mistake.
<quote>
In certain sandbox environments traffic is intercepted by replying to all URL lookups with an IP address belonging to the sandbox rather than the real IP address the URL points to, a side effect of this is if an unregistered domain is queried it will respond as if it were registered (which should never happen).
I believe they were trying to query an intentionally unregistered domain which would appear registered in certain sandbox environments, then once they see the domain responding, they know they’re in a sandbox the malware exits to prevent further analysis. This technique isn’t unprecedented and is actually used by the Necurs trojan (they will query 5 totally random domains and if they all return the same IP, it will exit); however, because WannaCrypt used a single hardcoded domain, my registration of it caused all infections globally to believe they were inside a sandbox and exit... thus we initially unintentionally prevented the spread and further ransoming of computers infected with this malware. Of course now that we are aware of this, we will continue to host the domain to prevent any further infections from this sample.
</quote>
>I believe they were trying to query an intentionally unregistered domain which would appear registered in certain sandbox environments, then once they see the domain responding, they know they’re in a sandbox the malware exits to prevent further analysis.
On the face of it, that sounds like amateur hour. At the end of the day virtual environments can be configured to fool the malware in whatever fashion is required.
However, I can see that method buying small amounts of time for the worm to continue infecting targets, which I suppose has utility.
They're more analysis defeaters than killswitches. Some testbeds will respond to all DNS lookups as valid. If this is the case the binary assumes it's in a testbed and exits to avoid analysis.
Which makes me think there might be utility in always running Windows (or other OSes) in a VM. If the malware assumes VMs are bad and self exit in response, then it should be safer to run everything in a VM. A side benefit would be you can perform snapshot backups and easily migrate your main environment to new hardware.
A lot of stuff is uploaded to VirusTotal by automated systems ("in the wild") so it is often a case of "If a tree falls in a forest and no one is around to hear it, does it make a sound?"
Could a grey hat create a self propagating but non-ransoming variant that inoculated target machines against its more malicious brethren? Seems like something a state actor might want to do.
When the vendor does that, everyone complains about forced updates. And the vendor's patch is likely to be better than a grey-hat hack, by virtue of having perfect knowledge of the systems they're patching.
Yeah, then some bugs in your code or an unplanned set of conditions amongst the bazillion XP computers out there lead your code to kill someone by failure of some critical NHS equipment, or worse, to lose a lot of money!
"But I meant good" is totally going to save you then.
You mean bundle and forcefully install MS patches? This would require reboot which AFAIK can't be done without user's action (if not using undocumented APIs).
> You mean bundle and forcefully install MS patches? This would require reboot which AFAIK can't be done without user's action (if not using undocumented APIs).
Considering you're using a vulnerability to forcefully inoculate systems, and you gained admin if not Ring0 privileges, you could trivially "reboot" the box by just crashing it, no APIs required. You could even be nice and check if there are applications with open files, or schedule it only when the user has been idle for a while, and only do it during the usual hours of inactivity (Windows 10 even has a control panel section to choose them).
Or, you could just open a dialog box, masquerade as a legitimate update and ask for user consent. You are an important security update after all, just a fairly unconventional one.
These systems would be better off security-wise if they would use the latest open source operating system including the embedded code. The damage this will cause to embedded systems is distasteful.
I am very much in favor of open source always but let's not pretend that embedded systems don't end up with out of date software just because it's open source.
In the case of WannaCrypt0r, the vulnerability had already been fixed by Microsoft but those who were hit hadn't patched because as discussed elsewhere applying patches may break things so some postpone or ignore it. Same thing could have happened to a system running Linux.
Thank you for your thoughtful comment... People who get drunk with the Linux Kool-Aid are really tiresome. They believe they're safe by using Linux, and completely disregard good security practices with their Windows-bashing speech.
If you're talking about an MRI machine, the proper drivers may not exist for a current operating system. The absolute last thing you want is for an image to show up differently on the new system due to changes to OpenGL or something.
I imagine the infection zigzagged to get there. Something like:
1. A doctor opens an email on an office computer. Infection entrypoint from the internet.
2. The office computer worms it to a patient record server.
3. The patient record computer worms it to an MRI tech computer.
4. The tech computer worms it to the MRI itself. (If it's even hitting MRIs and not just tech computers.)
Each of the machines has a reason it needs to share files/data with the two layers it connects to, and there's no "bad" direct link. The worm exploited the filesharing mechanism.
A high security situation would probably implement a one-way upload from the MRI subsystem (machine + tech computer), but c'mon, lots of us work on networks with filesharing zigzags to penetrate deep in to them.
You do not need to put it on the Internet. It only needs to be connected to local network and it will be infected by someone connecting their laptop to it.
From what I've read, initial attack vector is still not known for sure. Spear phishing seems to be the current best hypothesis. I don't think anyone's seen a mass phishing campaign.
> The initial attack vector is via an email attachment.
So far it seems a hypothesis and nobody has shown such an email attachment, which is strange considering all the systems out there which save and archive attachments. Especially hospitals and gov't sites save it all.
The Jaff waves and the massive amount of threats make it really hard to identify. Wannacrytor may not be found directly attached in the mail, only a downloader for it (like office docs/pdfs/js) might be.
Given that the primary targets seem to be running unpatched Windows (at least to latest), I'd guess there's a substantial amount of internet-accessible SMB ports.
If so, you wouldn't need a very high phish:total infected hosts ratio to explain the numbers. And given that whoever was originally phished didn't know it was an illegitimate email... not betting we'll see many examples of the initial vector.
My guess is this is why we're seeing multiple bitcoin addresses:
The original authors first released it with their own bitcoin address. It then spreads p2p around the world wherever it can to front-facing PCs.
Then 3rd-party spear-phishers are sending it to corporate networks with their own bitcoin address so they can get the credit for getting past/through firewalls.
If the payment goes to them instead of the original authors, how could the new hijackers of the virus offer to decrypt the data? I'd assume only the original authors have access to the private keys needed for that.
If someone was really clever they could change the Tor addresses it talks to for command & control and write their own complete replacement backend, but at that point it seems like you'd be looking at people capable enough to just write their own malware from scratch anyway...
It could be one back-end, with the malware authors paying a cut to the spear-phishers. The spear-phishers could monitor the bitcoin address to ensure they get the right cut.
Some level of trust would be involved.
I think the spear-phishing industry and the malware writing industry aren't one and the same. The former is the marketing department, the latter is the tech department.
Could the 51% "bug" in bitcoin actually be used to an advantage here? A 51% vote to invalidate all these transactions? I assume it doesn't work like that but figured I would ask.
I think it's hilarious how these "kill switches" are supposedly meant to detect sandboxes, to make it harder for security researchers to analyze the malware. While actually making it easy for security researchers to completely disable all installations around the entire world.
That's just what I heard, but it makes sense. There are far more sane ways to implement a kill switch without using unregistered domains. (For instance, using a registered domain.)
The point of the killswitch is to detect if the worm is running inside a sandbox. Some sandboxes will resolve any domain you try to ping, so an easy way to detect this is to ping a non-existent domain name. I'm not totally sure how pinging an existing domain would give you the same behavior, but doing something like checking a handful of random non-existent domains from a large list could do the trick.
From the sounds of it, it seems like the researchers didn't expect the killswitch to disable the malware outside of the sandbox any more than the author of the malware did[0].
It's possible that people are taking the code, modifying it to add in a new kill switch address, change the bitcoin address and leave every thing else as it is. Usually because they don't understand the code but can do a ctrl+f, delete and replace with the necessary info. Script kiddies of the malware world.
I am trying to understand impact of crypto currency. Sorry for my ignorance, and or impertinence.
1. Is it possible to run such large scale ransom demands without cryptocurrency?
2. Do we know if the attacker is using a single BTC wallet, or if ransoms are being collected in a distributed fashion.
3. Is it possible for BTC n/w to hijack BTCs going to the ransom wallet(s). That is to say collectively overwrite/override the transactions and may be reroute the coins to some non-profit wallet? I know it will be a very bad precedent, but I am trying to understand if it is technically possible.
> 3. Is it possible for BTC n/w to hijack BTCs going to the ransom wallet(s).
No, by design that's not allowed as part of the protocol for bitcoin. Every transaction must be signed by the private key for that address in order to be valid. You could in theory do it if you can get a majority of the miners to agree to the change in the protocol but it wouldn't happen since it'd require forking the whole blockchain to insert new transactions without the private key. And then you'd have to get everyone to agree on where those would go.
Thanks for the response. I should have been more explicit, but when I said BTC n/w I meant a consensus sort of thing from users/miners.
Thanks for your explanation regarding the need of a fork to achieve this even with consensus.
This makes me think of a different kind of a kill-switch. What if the OS itself is required to have a kill-switch that triggers once it goes out of support, and it prevents regular use unless the admin goes through some serious hoops to override. It at least squarely puts the blame on 1) Orgs that willfully override v/s passively ignoring to update 2) OS vendors who have really short support cycles (~1 year for most android phones)
We were warned this would happen but it's interesting to me that we have detected new variants that include the same type of naive kill switch. I'm not well versed in information security, so my question is whether this means attackers tried another wave by simply changing the kill switch domain or were there several variants used for the initial attack?
I would like to know whether the decrypted data can be trusted again in case the contents have been somewhat changed. Then again it is much better than not having any data at all in some cases...
Just wait until this hits the files of a Russian mob who then take some Americans hostage and fly to China and end up entangled in an islamic terrorist plot. 'Cause then we're in for a very long and drawn out story involving MI6, the CIA, Canadian smuggling routes, and Christian Isolationist 2nd Amendment fanatics.
This is what happens when spambot skiddies accidentally acquire a treasure-trove of NSA tools via a C2 server they have pwned. They failed to sell ('broker') them as nobody was stupid enough to touch them, they failed to blackmail with them (omg what a bad move), then they failed to weaponise their own gear with them (wcry 1.0 in February), and even though wcry 2.0 is widespread and very disruptive, really they failed again, only making 50k out of how many infections? They have only 3 bitcoin addresses, making it obvious nobody is getting decrypted (how do they know who has paid?) or there is a single master key which will be found soon; their sandbox detector is a killswitch. Larry, Moe and Curly have invited a world of pain upon themselves - as well as probably killing people on NHS - they also infected Moscow Police - so FSB too.
And given the indications about how hard various Russian infrastructure was hit, that would be ironic.
Of course, if you were a nation state and you wanted to attack an adversary but you knew that if you did you would get blowback, you might "lose" some tools that you knew some script kiddies would be able to weaponize.
I think you vastly overstate this. While I can't speak to GCHQ, I really don't think NSA has a charter to pursue justice. The FBI may be, but I'm just not convinced they will move quick enough to matter (they do move, but only against a large established organization).
Just from my limited experience of "being alive in the USA for 30-something odd years".. I don't think anyone is hard at work trying to get anyone. If you actually ever get the attention of the NSA/CIA - you don't get "caught" or ever make it to the news (except in gaffes like Snowden/Assange, we weren't supposed to find out about them). They want us to forget about you, while you either rot in a dungeon (forever) or are already buried in a shallow unmarked grave.
The reason is there is no good press to be gotten by announcing they caught these people...all that does is draw attention to the fact they were breached/bamboozled/whatever in the first place. In their eyes, this story and any public interest cannot die quickly enough.
Disagree: they will hang the idiots responsible for WCry high and publicly, just to make an example pour encourager les autres.
Seriously, this cat's already out of the bag. There's nothing to be gained by trying to bury it, and making the consequences clear might reduce the likelihood of a repeat.
Based on what I understand, those that test malware do it in a VM logging and redirecting all queries to external domains, in order to identify possible command and control hosts.
As a response, malware writers add checks for nonexistent domains. If, say, 5 domains known to be fake suddenly start replying, then the malware assumes that it's being executed inside a VM and stops doing anything, in order not to give researchers any clues. This malware just happened to check a single domain.
Oh right, I was under the impression it checked the domains as a kill switch, not as a VM check? I.e if this domain is up and responding don't do anything.
As I could easily run it in a VM and not redirect any traffic
Edit: just read this ...
In certain sandbox environments traffic is intercepted by replying to all URL lookups with an IP address belonging to the sandbox rather than the real IP address the URL points to, a side effect of this is if an unregistered domain is queried it will respond as if it were registered (which should never happen).
Remember the guy who created Silk Road. People talked about him in mythical terms, that he probably has the op-sec of God, but afterwards facts pointed to major mistakes, like connecting identities to his real name, and suddenly everybody was like "how can he be so stupid, doing this while being the owner of a $100 mil criminal empire".
It's a classic asymmetry: the defender needs to defend all the time, the hacker just needs to get in once. Ditto op-sec, the hacker needs to keep their identity protected at all times, the security services only need to connect the dots once.
Yet as far as I remember he leaked his identity long before anyone even knew Silk Road was even a thing. And someone behind this botnet certainly knew what scale it was going to have before they started it.
In this context criminals are a person or persons who have created ransomware which, in less than three days, has infected more than 230,000 computers in 150 countries, demanding ransom payments in bitcoin in 28 languages.
The meth dealer two houses down who serves people out his front window probably isn't thinking straight. What we're dealing with here is a different category of thinking.
Not criminals who get caught, no. A good "criminal" is invisible and manages to get away with their crime. These aren't people you hear about, because then they'd be failures.
The whole point of this "kill switch" is that it's NOT registered. The malware uses it to detect if it runs in the sandbox, as researchers often make all DNS requests succeed in their sandbox. Checking for a domain known to be unregistered is one way of checking that.
It's not about the registration status of the domain. It is about an HTTP request succeeding. The same functionality could be achieved by using a valid registered domain with server not listening on the desired port.
How trivial it would be to append a random number at the end, or otherwise randomise it just a little bit.. Quite lucky the programmer didn't think this one through.
Yes, in another thread someone mentioned a trojan that hit five randomly-generated hostnames and, if they all resolve to the same IP, assumes it's running in a sandbox.
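The two designs contrasted throughout this thread (a single hardcoded check domain versus several randomly generated ones, as in the Necurs description quoted above), as an added example; this is not code from the original page, from WannaCry, or from Necurs. The resolver is injected as a callable so the logic runs offline against two constructed environments: a sandbox that answers every lookup with its own address, and a model of the real Internet where only registered names resolve. The hardcoded name, the sinkhole and "registered" addresses, and all function names are assumptions. It also applies the 63-character label limit mentioned above by hashing the random bytes so a label can never exceed it.

```python
import hashlib
import os
import socket
from typing import Callable, Dict, Optional, Sequence, Set

# RFC 1035: each dot-separated label of a hostname is at most 63 octets.
MAX_LABEL_LEN = 63

# A resolver maps a hostname to an IPv4 string, or None when the name does not exist.
Resolver = Callable[[str], Optional[str]]

# Hypothetical hardcoded check domain (placeholder; not the real WannaCry domain).
HARDCODED_NAME = "hardcoded-sandbox-check.example"


def random_hostname(tld: str = "com", nbytes: int = 16) -> str:
    """Build a random, almost certainly unregistered hostname.

    sha1 over the random bytes gives a fixed 40-hex-character label, so the
    63-character label limit can never be exceeded.
    """
    label = hashlib.sha1(os.urandom(nbytes)).hexdigest()
    return f"{label}.{tld}"


def validate_hostname(name: str) -> None:
    """Reject names a resolver might handle unpredictably (empty or over-long labels)."""
    for label in name.split("."):
        if not 0 < len(label) <= MAX_LABEL_LEN:
            raise ValueError(f"invalid label {label!r} in {name!r}")


def looks_like_sandbox(names: Sequence[str], resolve: Resolver) -> bool:
    """Necurs-style check: True only if every name resolves and all answers agree.

    Unregistered names should never resolve on the real Internet. If several
    random ones all come back with one address, DNS is being faked by an
    analysis environment, and the sample would assume it is being watched.
    """
    for n in names:
        validate_hostname(n)
    answers = [resolve(n) for n in names]
    return all(a is not None for a in answers) and len(set(answers)) == 1


def system_resolver(name: str) -> Optional[str]:
    """Real resolver, for anyone who wants to try this live; nothing below uses it."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


# --- Constructed environments so the demonstration runs offline --------------

def sandbox_resolver(name: str) -> Optional[str]:
    """Models a sandbox that answers every lookup with its own sinkhole address."""
    return "10.0.0.1"


def make_internet_resolver(registered: Set[str]) -> Resolver:
    """Models the real Internet: only names someone has registered resolve."""
    def resolve(name: str) -> Optional[str]:
        return "203.0.113.10" if name in registered else None
    return resolve


def compare_designs(n_random: int = 5) -> Dict[str, bool]:
    """Run both designs in both environments, before and after a researcher
    registers the hardcoded name. Value True means the sample would exit."""
    random_names = [random_hostname() for _ in range(n_random)]
    internet_before = make_internet_resolver(set())
    internet_after = make_internet_resolver({HARDCODED_NAME})
    return {
        "single/sandbox": looks_like_sandbox([HARDCODED_NAME], sandbox_resolver),
        "single/internet_before_registration": looks_like_sandbox([HARDCODED_NAME], internet_before),
        # Registering the one name makes every real-world infection "see a sandbox".
        "single/internet_after_registration": looks_like_sandbox([HARDCODED_NAME], internet_after),
        "random/sandbox": looks_like_sandbox(random_names, sandbox_resolver),
        # Nobody can pre-register names chosen at run time, so this stays False.
        "random/internet_after_registration": looks_like_sandbox(random_names, internet_after),
    }


if __name__ == "__main__":
    for scenario, exits in compare_designs().items():
        print(f"{scenario:40s} -> {'exit (thinks sandbox)' if exits else 'keep running'}")
```

The single-name design detects the sandbox, but the moment the name is registered it also fires on every real infection, which is exactly the accidental kill switch described above. The random-name design still detects the sinkhole-everything sandbox and gives a defender nothing to register; the remaining counter for analysts is the one mentioned earlier in the thread, configuring the sandbox to return NXDOMAIN (or distinct addresses) for unknown names.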
It would be simple to rename this link (or perform a referer check or something else to stop automated downloads), at least temporarily.
Yes, the malware authors will release an update with the different URL (or another hosting site entirely, or embedded), but at least it would provide time for vulnerable users to install patches. Especially now that Microsoft has released a patch for XP.
(I'm basing this URL info on the breakdown found at https://www.bleepingcomputer.com/news/security/wannacry-wana...)