Adlice forum
General Category => General Discussion => Topic started by: Johyn on May 13, 2017, 10:10:24 PM
-
Greets!
I was just wondering if you had any comments or views about the global hacking attack governments are victims of at the moment?
-
Hi Johyn,
Adlice Software released the following declarations:
This is happening right now! #WannaCry #Ransomware uses #CIA exploit to propagate inside corporate networks.
Spread by #Necurs spambot, it has infected more than 45000 machines worldwide in a few hours!
More than ever, don't open Office attachments from unknown senders, and don't activate macros.
Edit: the largest ransomware infection. Ever. In history.
In case you missed it, the malware is still massively spreading, has hit train stations in Russia, and many companies are paralyzed because of it. It has infected 100k machines in 12 hours.
The malware is worm-like and uses a vulnerability in Windows SMBv1 protocol implementation to spread.
The WannaCry ransomware makes use of a slightly modified version of ETERNALBLUE, an alleged NSA exploit.
Microsoft patched this vulnerability in March 2017 (KB4013389 (https://technet.microsoft.com/en-us/library/security/ms17-010.aspx)) on the Windows Vista operating system and later, but Windows XP and Windows Server 2003 were left unpatched.
Due to the conviction that the malware uses these older systems as infection pools, Microsoft released emergency patches for these (KB4012598 (https://support.microsoft.com/en-us/help/4012598/title)):
"Given the potential impact to customers and their businesses, we made the decision to make the Security Update for platforms in custom support only, Windows XP, Windows 8, and Windows Server 2003, broadly available for download."
"This decision was made based on an assessment of this situation, with the principle of protecting our customer ecosystem overall, firmly in mind."
It is strongly advised to install these patches as soon as possible and, if that is not possible, to disable SMBv1 support (https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012) on concerned systems.
Regards.
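As an added example, not part of the thread or of Adlice's own tooling, here is a PowerShell script that reports whether SMBv1 server support is enabled on the local host and whether the KB4012598 update named above is present, and disables SMBv1 when run with -Disable. It assumes the Get-/Set-SmbServerConfiguration cmdlets of Windows 8 / Server 2012 and later, with the LanmanServer registry value from the linked Microsoft article as the fallback for Windows 7 / Server 2008 R2; the function names are the example's own.

```powershell
# Added example (not from the thread): audit and optionally disable SMBv1 on the local host.
# Run from an elevated PowerShell prompt; pass -Disable to make the change.
param([switch]$Disable)

# Registry fallback documented by Microsoft for Windows 7 / Server 2008 R2 (no SMB cmdlets there).
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1State {
    # Prefer the SMB cmdlets (Windows 8 / Server 2012+); otherwise read the registry value.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    $value = (Get-ItemProperty -Path $regPath -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    # An absent value means the default, and the default on these older systems is enabled.
    return ($null -eq $value) -or ($value -ne 0)
}

function Disable-Smb1 {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $regPath -Name SMB1 -Type DWORD -Value 0 -Force
    }
    # The server side picks up the change when the LanmanServer service restarts.
}

$enabled = Get-Smb1State
Write-Output ("SMBv1 server support enabled: {0}" -f $enabled)

# MS17-010 ships under a different KB number per OS; KB4012598 is the one the thread cites
# for Windows XP, Windows 8 and Server 2003, so a missing result on other versions is expected.
$hotfix = Get-HotFix -Id KB4012598 -ErrorAction SilentlyContinue
Write-Output ("KB4012598 present: {0}" -f [bool]$hotfix)

if ($enabled -and $Disable) {
    Disable-Smb1
    Write-Output "SMBv1 disabled; restart the Server (LanmanServer) service or reboot to apply."
}
```

Disabling SMBv1 breaks file sharing with clients that only speak SMBv1, so check for such dependencies before applying it on file servers.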
-
Thanks. No clues about the origin of that malware? Nation, organisation, individual?
-
Hi Johyn,
There are no official claims yet, but there is a high probability it's operated by a group of inexperienced malware authors.
WannaCry is pretty amateurish since it doesn't generate Bitcoin addresses per infected machine and currently makes use of a kill-switch feature that was successfully used by security researcher MalwareTech (https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html) to stop the malware spread for the time being.
Version 1.0 of the malware, which was spotted in the wild on April 25, was hosted on Dropbox Cloud architecture. This made the removal of the binaries very easy.
Regards.
-
Ok, thanks for you!
-
Hi Johyn,
You are welcome.
Regards.