Welcome to Smokey's Security Forums.
As a guest you only have limited access to the board and it's features, please consider registering to gain full access!
Registration is free and it only takes a few moments to complete.

Smokey's Security Forums

Please login or register.

Login with username, password and session length
Advanced search  

News:

TeamViewer issues emergency fix for desktop access vulnerability

The dangerous bug allowed attackers to seize control of PCs through desktop sessions.

TeamViewer issues emergency fix for desktop access vulnerability

Malware Log Analysis & Removal Help * Ransomware Encryption & Decrytion Techniques * Official Jetico Inc. Support Forums

Share this topic on FacebookShare this topic on MySpaceShare this topic on RedditShare this topic on TwitterAuthorTopic: WannaCry FAQ: What you need to know today  (Read 319 times)

0 Members and 1 Guest are viewing this topic.

ChubbTopic starter

  • Freebies and Good Deals Mod
  • Administrator
  • *
  • Offline Offline
  • Posts: 66569
  • .: Freebie King
WannaCry FAQ: What you need to know today
« Reply #1 on: May 15, 2017, 08:15:19 PM »
WannaCry FAQ: What you need to know today
15 May 2017, 7:06 pm



Friday May 12th marked the start of the dizzying madness that has been ‘WannaCry’, the largest ransomware infection in history. Defenders have been running around with their heads on fire trying to get ahead of the infection and to understand the malware’s capabilities. In the process, a lot of wires have gotten crossed and we figured it’s time to sit down and set the record straight on what we know, what we wish we knew, and what the near future might hold for us going forward.

In the interest of standing by our stated mission, ‘We’re Here to Save the World’, we’re also sharing IOCs and Yara rules below.

Please remember: Patch, Patch, Patch!

For a refresher on the weekend of madness, please see our original blog.

How did it all start? Was there an e-mail attack vector? Phishing link?

To date, we could not find an e-mail attack vector for Wannacry. We are still investigating leads that suggest compromised sites were used to target some customers. So far, we can confirm that our users are getting attacked using an implementation of the famous EternalBlue exploit leaked by the Shadowbrokers in April. The exploit installs the DoublePulsar backdoor, which is further leveraged to infect a system. Even if the EternalBlue exploit fails in the first place, the attack code still tries to leverage the DoublePulsar backdoor which might have been installed in a previous attack.

Perhaps the main reason why Wannacry was so successful is the fact that the EternalBlue exploit works over the Internet without requiring any user interaction. It works on top of TCP port 445. Last week, our internet facing sensors registered an uptick in port 445 connections on Thursday May 11th, one day before the major outbreak noted on Friday. This means it’s possible the worm was released on Thursday, possibly even late Wednesday evening. The uptick in Port 445 traffic is also confirmed by the SANS DShield project’s graphics.



Port 445 connections per day

I’ve seen conflicting reports about the exploit. Is it targeting SMBv1 or SMBv2?

The vulnerability exploited by the EternalBlue tool lies in the SMBv1 implementation. However, to exploit it, the tool also uses SMBv2. This means that it uses both SMBv1 and SMBv2 packets during the attack. Disabling SMBv1 or SMBv2 prevents the infection; however, while disabling SMBv1 (an old protocol) has no significant impact on modern systems, disabling SMBv2 can cause problems. This is why it is highly recommended to disable SMBv1 for the current attack and for the future.

What is the killswitch? Can we rely on it?

The worm-spreading part of the Wannacry – which is designed to infect other computers — has a special check at the beginning. It tries to connect to a hardcoded website on the Internet and if the connection FAILS, it continues with the attack. If the connection WORKS, it exits. Thus, by registering this domain and pointing it to a sinkhole server, a researcher from the U.K. successfully slowed the spread of the worm.

Can we ultimately rely on this? Well, there has been a lot of speculation about the effectiveness of this killswitch. On the one hand, it does stop further spread of the infection. However, only if the worm is able to connect to the Internet. Many corporate networks have firewalls blocking internet connections unless a proxy is used. For these, the worm will continue to spread in the local network. On the other hand, there is nothing stopping the attackers from releasing a new variant that does not implement a killswitch.

Why did the attackers add a killswitch in the first place?

This is a very good question. Some possible explanations:

They were afraid the attack might get out of control and wanted a way to stop the propagation.

They coded it as an anti-sandbox check (some sandboxes emulate all internet connections and make them appear to work even if they do not exist)

Has this attack been contained?

We started tracking the attack early today to determine if it’s spiking again. Since 06.00 UTC/GMT Monday 15th May, we observed a sixfold decrease in attacks across our customer base than during the first hours on Friday May 12th.

This suggests infections based on current variants may be under control.

Wait, what do you mean by “current variants”? Is there a second wave of attacks?

Over the weekend two notable variants emerged.  Kaspersky Lab does not believe any of these variants were created by the original authors –they were most likely patched by others keen to exploit the attack separately and independently.

The first one started spreading on Sunday morning, at around 02.00 UTC/GMT and was patched to connect to a different domain (ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com). Kaspersky Lab has so far noted three victims for this variant, located in Russia and Brazil.



Code patch from d724d8cc6420f06e8a48752f0da11c66

The second variation that appeared during the weekend appears to have been patched to remove the killswitch.  This variant does not appear to be spreading, possibly due to a bug.

Sample MD5

In the wild

Killswitch present?

Domain killswitch

d5dcd28612f4d6ffca0cfeaefd606bcf

Yes

Yes

ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com

d724d8cc6420f06e8a48752f0da11c66

No

No

n/a

Does the second wave contain the killswitch?

The d5dcd28612f4d6ffca0cfeaefd606bcf sample distributed on Sunday night (first reports around 02:00am UTC) contains a killswitch domain. This domain (ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com) is only two bytes different from the original:

Sample MD5

Killswitch domain

Old

iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com

New (see above)

ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com

The second domain was sinkholed by Matt Suiche of Comae Technologies, who reported stopping about 10,000 infections from spreading further:



How much money has been paid by victims so far?



WannaCry Wallet Tracker as of Monday May 15th.

Multiple attempts have been made at tracking transactions to known bitcoin wallets used by WannaCry. The tracker ‘howmuchwannacrypaidthehacker.com’ has the latest count (at the time of writing) at upwards of 31BTC, or close to $55,000 USD.

What will the attackers do with the money?



An Evil Lair?

We believe it’s unlikely the attackers will be able to do anything with the bitcoins, considering the current high level of interest in this story. Even though the wallet owners are anonymous, the transactions are visible to everybody and can be tracked. Once the bitcoins reach a payment point, where the attackers use them to purchase something in the real world, that payment can be tracked to shipment details, services, or other IPs, effectively, increasing the chances of getting caught.

Does payment guarantee the recovery of files?

We don’t know.  Since we are dealing with criminals, there is no reason to expect them to honor the deal, especially in a situation where all the world is closely tracking this campaign and disrupting it as much as possible. Paying the ransom amounts to funding the next wave.

Do not pay the ransom.

How does the worm spread inside a local corporate network?

The malware includes a worm functionality that tries to infect other unpatched Windows machines inside the local network, generating large SMB traffic. Basically it scans LAN IPS for SMB/445 port open. Where it finds any, it delivers the EternalBlue exploit.

Have any other exploits been used?

The only exploit observed so far being used in this campaign is the EternalBlue exploit leaked by Shadow Brokers.

Interestingly, once the malware infects a computer, it runs shellcode to drop and execute its payload. The payload code is available for both 32- and 64-bit systems, runs in ring-0, and seems to be based on the DoublePulsar backdoor leaked by Shadow Brokers in their ‘Lost in Translation‘ blog post .

Can you explain what happens for victims behind a proxy?

The killswitch prevented the main strain of the malware from encrypting the files in the infected computers, basically by checking if a given domain was registered or not. However WannaCry does not check for the presence of any proxy, so it is likely that samples running inside of an organization will not be able to reach the killswitch domain, even if it’s already registered. That means their files will continue to be encrypted.

Who is behind the attack?  Is it just one group or multiple groups of attackers?

The attackers didn’t leave many clues about their identities or whereabouts. We are still investigating several possible leads and we’re sharing all relevant information with law enforcement.

At the moment, we haven’t seen any indicators that point towards any known groups. Some early variants of the Wannacry ransomware seem to have been used in March 2017, maybe some as early as February 2017. We are still researching these early variants, scraping them for clues.

Is this primarily targeting Russians?

The spread of the worm does not target a specific geolocation.  The distribution is random, selecting IPs from the internet and affected local networks. Nevertheless, a large amount of the infections are in Russia, about 66% of the total attacks we have seen. The skew in distribution is likely due a combination of our increased visibility into Russia as well as a likely prevalence of unpatched systems.

Are you working with law enforcement to help contain this attack?

Yes, we are working with several law enforcement agencies and have provided them with information to help mitigate the attack.



Microsoft is warning against governments stockpiling cyberweapons and called for a Digital Geneva Convention. Will this help?

Kaspersky Lab  supports Brad Smith’s call-to-action for governments and industries around the world to take critically important steps to help make a better digital future for all. We strongly believe the world needs an international digital convention and support with the creation of a neutral international cyber organization and firmly supports a pledge from companies to not conduct offensive cyber activities and protect their users from all cyberattacks. For more details please see: https://www.forbes.com/sites/eugenekaspersky/2017/02/15/a-digital-geneva-convention-a-great-idea/#abeff891e6e1

What should I do right now to make sure my organization is protected?

Our recommendations:

Install the MS Security Bulletin patches for MS17-010. Please note that Microsoft also released an emergency patch for Windows XP, which is out of support!

Disable SMBv1.

Backup your data on a regular basis and be sure to store the backups offline.

Limit administrative privileges in the network.

Segment your network.

Make sure all nodes have security software installed and updated.

Kaspersky users: make sure System Watcher is enabled and the software updated. System watcher will ensure rollback of any encrypted files.

For those who do not use Kaspersky Lab solutions, we suggest installing the free Kaspersky Anti-Ransomware Tool for business (KART).

WannaCry is also targeting embedded systems. We recommend ensuring that dedicated security solutions for embedded systems are installed, and that they have both anti-malware protection and Default Deny functionality enabled.

Did Kaspersky block the attack for every target that had the software installed?

Our recent products include a module named System Watcher, which is designed to stop ransomware attacks. It was successful in blocking the damage from Wannacry, proving once again its effectiveness. Additionally, our products include specific detection subroutines which stopped the spreading of the attacks inside local networks. Since Saturday, our products also blocked the network level attacks through IDS components.

I’m running Windows XP – how can I protect myself?

First of all, stop running Windows XP. It is a 16-year-old operating system which is no longer officially supported by Microsoft. We recommend you upgrade to Windows 8.1 or 10. If you absolutely need to run Windows XP, you can download the emergency patch from Microsoft here:

http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598

However, prepare for a rough ride ahead, as other vulnerabilities will most likely remain open and leave you vulnerable in the future to other attacks.

Do you have YARA rules and IOCs for everything we know so far?

Multiple YARA rules have been released so far, with varying degrees of accuracy. Florian Roth has published a good Wannacry YARA set on his GitHub. Another set of YARA rules has been published by US-CERT, however, they produce false positives and are not recommended at this time. Our own YARA rules can be found below.

Indicators of Compromise

Network traffic to the following hosts:

iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com

ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com

Filenames on disk:

mssecsvc.exe

taskdl.exe

taskse.exe

wannacry.exe

tasksche.exe

Hashes for the variants with different kill switches:

d5dcd28612f4d6ffca0cfeaefd606bcf

d724d8cc6420f06e8a48752f0da11c66

For more malware hashes, please see our previous blogpost.

Yara rules

rule crimeware_Wannacry_worm {

meta:

description = "Find Wannacry worm carrier samples"

date = "2017-05-14"

version = "1.0"

author = "Kaspersky Lab"

tlp = "GREEN"

strings:

$a0="__TREEID__PLACEHOLDER__" ascii wide fullword

$a1="__USERID__PLACEHOLDER__" ascii wide fullword

$a2="userid" ascii wide fullword

$a3="treeid" ascii wide fullword

$a4="__TREEPATH_REPLACE__" ascii wide fullword

$a5="\\\\%s\\IPC$" ascii wide fullword

$a6="Microsoft Base Cryptographic Provider v1.0" ascii wide fullword

$a7="mssecsvc2.0" ascii wide fullword

$a8="Microsoft Security Center (2.0) Service" ascii wide fullword

$a9="%s -m security" ascii wide fullword

$a10="C:\\%s\\qeriuwjhrf" ascii wide fullword

$a11="tasksche.exe" ascii wide fullword

condition:

((uint16(0) == 0x5A4D)) and (filesize < 15000000) and

(8 of ($a*))

}

rule crimeware_Wannacry_ransomware {

meta:

description = "Find Wannacry ransomware module"

date = "2017-05-14"

version = "1.1"

author = "Kaspersky Lab"

tlp = "GREEN"

strings:

//list of extensions targeted by the ransomware module

$a1={

2E 00 64 00 65 00 72 00 00 00 00 00 2E 00 70 00

66 00 78 00 00 00 00 00 2E 00 6B 00 65 00 79 00

00 00 00 00 2E 00 63 00 72 00 74 00 00 00 00 00

2E 00 63 00 73 00 72 00 00 00 00 00 2E 00 70 00

31 00 32 00 00 00 00 00 2E 00 70 00 65 00 6D 00

00 00 00 00 2E 00 6F 00 64 00 74 00 00 00 00 00

2E 00 6F 00 74 00 74 00 00 00 00 00 2E 00 73 00

78 00 77 00 00 00 00 00 2E 00 73 00 74 00 77 00

00 00 00 00 2E 00 75 00 6F 00 74 00 00 00 00 00

2E 00 33 00 64 00 73 00 00 00 00 00 2E 00 6D 00

61 00 78 00 00 00 00 00 2E 00 33 00 64 00 6D 00

00 00 00 00 2E 00 6F 00 64 00 73 00 00 00 00 00

2E 00 6F 00 74 00 73 00 00 00 00 00 2E 00 73 00

78 00 63 00 00 00 00 00 2E 00 73 00 74 00 63 00

00 00 00 00 2E 00 64 00 69 00 66 00 00 00 00 00

2E 00 73 00 6C 00 6B 00 00 00 00 00 2E 00 77 00

62 00 32 00 00 00 00 00 2E 00 6F 00 64 00 70 00

00 00 00 00 2E 00 6F 00 74 00 70 00 00 00 00 00

2E 00 73 00 78 00 64 00 00 00 00 00 2E 00 73 00

74 00 64 00 00 00 00 00 2E 00 75 00 6F 00 70 00

00 00 00 00 2E 00 6F 00 64 00 67 00 00 00 00 00

2E 00 6F 00 74 00 67 00 00 00 00 00 2E 00 73 00

78 00 6D 00 00 00 00 00 2E 00 6D 00 6D 00 6C 00

00 00 00 00 2E 00 6C 00 61 00 79 00 00 00 00 00

2E 00 6C 00 61 00 79 00 36 00 00 00 2E 00 61 00

73 00 63 00 00 00 00 00 2E 00 73 00 71 00 6C 00

69 00 74 00 65 00 33 00 00 00 00 00 2E 00 73 00

71 00 6C 00 69 00 74 00 65 00 64 00 62 00 00 00

2E 00 73 00 71 00 6C 00 00 00 00 00 2E 00 61 00

63 00 63 00 64 00 62 00 00 00 00 00 2E 00 6D 00

64 00 62 00 00 00 00 00 2E 00 64 00 62 00 00 00

2E 00 64 00 62 00 66 00 00 00 00 00 2E 00 6F 00

64 00 62 00 00 00 00 00 2E 00 66 00 72 00 6D 00

00 00 00 00 2E 00 6D 00 79 00 64 00 00 00 00 00

2E 00 6D 00 79 00 69 00 00 00 00 00 2E 00 69 00

62 00 64 00 00 00 00 00 2E 00 6D 00 64 00 66 00

00 00 00 00 2E 00 6C 00 64 00 66 00 00 00 00 00

2E 00 73 00 6C 00 6E 00 00 00 00 00 2E 00 73 00

75 00 6F 00 00 00 00 00 2E 00 63 00 73 00 00 00

2E 00 63 00 00 00 00 00 2E 00 63 00 70 00 70 00

00 00 00 00 2E 00 70 00 61 00 73 00 00 00 00 00

2E 00 68 00 00 00 00 00 2E 00 61 00 73 00 6D 00

00 00 00 00 2E 00 6A 00 73 00 00 00 2E 00 63 00

6D 00 64 00 00 00 00 00 2E 00 62 00 61 00 74 00

00 00 00 00 2E 00 70 00 73 00 31 00 00 00 00 00

2E 00 76 00 62 00 73 00 00 00 00 00 2E 00 76 00

62 00 00 00 2E 00 70 00 6C 00 00 00 2E 00 64 00

69 00 70 00 00 00 00 00 2E 00 64 00 63 00 68 00

00 00 00 00 2E 00 73 00 63 00 68 00 00 00 00 00

2E 00 62 00 72 00 64 00 00 00 00 00 2E 00 6A 00

73 00 70 00 00 00 00 00 2E 00 70 00 68 00 70 00

00 00 00 00 2E 00 61 00 73 00 70 00 00 00 00 00

2E 00 72 00 62 00 00 00 2E 00 6A 00 61 00 76 00

61 00 00 00 2E 00 6A 00 61 00 72 00 00 00 00 00

2E 00 63 00 6C 00 61 00 73 00 73 00 00 00 00 00

2E 00 73 00 68 00 00 00 2E 00 6D 00 70 00 33 00

00 00 00 00 2E 00 77 00 61 00 76 00 00 00 00 00

2E 00 73 00 77 00 66 00 00 00 00 00 2E 00 66 00

6C 00 61 00 00 00 00 00 2E 00 77 00 6D 00 76 00

00 00 00 00 2E 00 6D 00 70 00 67 00 00 00 00 00

2E 00 76 00 6F 00 62 00 00 00 00 00 2E 00 6D 00

70 00 65 00 67 00 00 00 2E 00 61 00 73 00 66 00

00 00 00 00 2E 00 61 00 76 00 69 00 00 00 00 00

2E 00 6D 00 6F 00 76 00 00 00 00 00 2E 00 6D 00

70 00 34 00 00 00 00 00 2E 00 33 00 67 00 70 00

00 00 00 00 2E 00 6D 00 6B 00 76 00 00 00 00 00

2E 00 33 00 67 00 32 00 00 00 00 00 2E 00 66 00

6C 00 76 00 00 00 00 00 2E 00 77 00 6D 00 61 00

00 00 00 00 2E 00 6D 00 69 00 64 00 00 00 00 00

2E 00 6D 00 33 00 75 00 00 00 00 00 2E 00 6D 00

34 00 75 00 00 00 00 00 2E 00 64 00 6A 00 76 00

75 00 00 00 2E 00 73 00 76 00 67 00 00 00 00 00

2E 00 61 00 69 00 00 00 2E 00 70 00 73 00 64 00

00 00 00 00 2E 00 6E 00 65 00 66 00 00 00 00 00

2E 00 74 00 69 00 66 00 66 00 00 00 2E 00 74 00

69 00 66 00 00 00 00 00 2E 00 63 00 67 00 6D 00

00 00 00 00 2E 00 72 00 61 00 77 00 00 00 00 00

2E 00 67 00 69 00 66 00 00 00 00 00 2E 00 70 00

}

condition:

((uint16(0) == 0x5A4D)) and (filesize < 15000000) and

any of them

}



Source: Securelist - Information about Viruses, Hackers and Spam

>> To obtain the full Kaspersky Lab Securelist article, click the link in the first post line <<
 

* Permissions
You can't post new topics.
You can't post replies.
You can't post attachments.
You can't modify your posts.
BBCode Enabled
Smilies Enabled
[img] Enabled
HTML Disabled


Except where otherwise stated, all content, graphics, banners and images included © 2006 - 2017 Smokey Services™ -- All rights reserved
Design board graphics, banners and images by Meg&Millie - Emma aka Tinker

This site does not store profiling-, tracking-, third-party and/or any other non-essential cookie(s) on client computers and is fully compliant with the EU ePrivacy Directive
Smokey's does not use any Web Analytics/Analysis Service, and also does not use any browser fingerprinting techniques

    

  

Smokey's also provides free fully qualified FRST (Farbar Recovery Scan Tool) Log / Malware Analysis & Removal Help and System Health Checks
rifle
rifle
rifle
rifle