[3rd Update] WCry ransomware has possible links to Lazarus Group & PRNK

Master Disaster
3 hours ago, TOMPPIX said:

Password has been found WNcry@2ol7


Warning! There are links to malware samples on this GitHub page.

 

 

 

It's also been sinkholed. The malware checked if a domain was active, and if it was then it just ended. I guess the makers wanted a way to stop the worm should they need to.

 

https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html

                     ¸„»°'´¸„»°'´ Vorticalbox `'°«„¸`'°«„¸
`'°«„¸¸„»°'´¸„»°'´`'°«„¸Scientia Potentia est  ¸„»°'´`'°«„¸`'°«„¸¸„»°'´

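The kill-switch behaviour described above (the worm checks a domain and exits if the check succeeds) gives defenders a high-fidelity indicator: any host that looked up that domain was reached by the worm and was exploitable, even if the sinkhole stopped the payload. The script below is an added example written for this thread, not code from vorticalbox or from the MalwareTech post. It assumes a simplified DNS query log layout (timestamp, client IP, query name, record type); the log lines are constructed, and KILL_SWITCH_DOMAIN is a placeholder rather than the real domain.

```python
"""Triage DNS query logs for lookups of the WannaCry kill-switch domain.

Added example (not from the forum thread or the MalwareTech write-up).
KILL_SWITCH_DOMAIN is a PLACEHOLDER; the log lines are constructed.
Note for defenders: the worm only stands down when the check succeeds, so
the domain must NOT be blocked by a DNS filter or proxy. Hosts listed by
this script should be isolated and patched, not just the lookup blocked.
"""
from collections import defaultdict
import re

KILL_SWITCH_DOMAIN = "killswitch.example"   # placeholder, assumption

# Constructed sample log: "<timestamp> <client ip> <query name> <type>"
SAMPLE_DNS_LOG = """\
2017-05-12T10:01:03Z 10.0.5.21 www.example.org A
2017-05-12T10:01:07Z 10.0.5.33 killswitch.example A
2017-05-12T10:01:09Z 10.0.5.33 killswitch.example A
2017-05-12T10:02:10Z 10.0.7.2 updates.example.net A
2017-05-12T10:02:44Z 10.0.5.40 KILLSWITCH.EXAMPLE A
2017-05-12T10:03:01Z 10.0.5.21 mail.example.org MX
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, qtype = m.groups()
    # Normalise the name: strip a trailing dot and ignore case, as DNS does.
    return {"ts": ts, "client": client, "qname": qname.rstrip(".").lower(), "qtype": qtype}


def find_kill_switch_lookups(log_text, domain=KILL_SWITCH_DOMAIN):
    """Return {client_ip: [timestamps]} for every lookup of the kill-switch domain."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["qname"] == domain.lower():
            hits[rec["client"]].append(rec["ts"])
    return dict(hits)


def hosts_to_isolate(hits):
    """Sorted list of clients that performed the lookup, i.e. hosts the worm reached."""
    return sorted(hits)


if __name__ == "__main__":
    found = find_kill_switch_lookups(SAMPLE_DNS_LOG)
    for host in hosts_to_isolate(found):
        print(f"{host}: {len(found[host])} lookup(s), first at {found[host][0]}")
```

The match is done on the normalised query name rather than on a substring, so unrelated names that merely contain the placeholder string are not reported; feed the real domain in through the `domain` parameter when running this against production resolver logs.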

12 minutes ago, vorticalbox said:

It's also been sinkholed. The malware checked if a domain was active, and if it was then it just ended. I guess the makers wanted a way to stop the worm should they need to.

 

https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html

Haha amazing job right there, well done to that guy/team.


18 hours ago, Tech_Dreamer said:

Having second thoughts about disabling updates now, aren't you?

Nah, these attacks are usually aimed at important people. xD

i7 2600k @ 5GHz 1.49v - EVGA GTX 1070 ACX 3.0 - 16GB DDR3 2000MHz Corsair Vengence

Asus p8z77-v lk - 480GB Samsung 870 EVO w/ W10 LTSC - 2x1TB HDD storage - 240GB SATA SSD w/ W7 - EVGA 650w 80+G G2

3x 1080p 60hz Viewsonic LCDs, 1 glorious Dell CRT running at anywhere from 60hz to 120hz

Model M w/ Soarer's adapter - Logitch g502 - Audio-Techinca M20X - Cambridge SoundWorks speakers w/ woofer

 


28 minutes ago, leadeater said:

Haha amazing job right there, well done to that guy/team.

Indeed, that's an incredible blog post right there. Imagine accidentally stopping something this big.

Main Rig:-

Ryzen 7 3800X | Asus ROG Strix X570-F Gaming | 16GB Team Group Dark Pro 3600Mhz | Corsair MP600 1TB PCIe Gen 4 | Sapphire 5700 XT Pulse | Corsair H115i Platinum | WD Black 1TB | WD Green 4TB | EVGA SuperNOVA G3 650W | Asus TUF GT501 | Samsung C27HG70 1440p 144hz HDR FreeSync 2 | Ubuntu 20.04.2 LTS |

 

Server:-

Intel NUC running Server 2019 + Synology DSM218+ with 2 x 4TB Toshiba NAS Ready HDDs (RAID0)


46 minutes ago, leadeater said:

Haha amazing job right there, well done to that guy/team.

 

16 minutes ago, Master Disaster said:

Indeed, that's an incredible blog post right there. Imagine accidentally stopping something this big.

Yeah, they register 100s of domains for this sort of thing.

 

This time it just happened to stop a massive worm. 



1 hour ago, leadeater said:

Haha amazing job right there, well done to that guy/team.

https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html

 

That's a really interesting read.

My Rig "Valiant"  Intel® Core™ i7-5930 @3.5GHz ; Asus X99 DELUXE 3.1 ; Corsair H110i ; Corsair Dominator Platinium 64GB 3200MHz CL16 DDR4 ; 2 x 6GB ASUS NVIDIA GEFORCE GTX 980 Ti Strix ; Corsair Obsidian Series 900D ; Samsung 950 Pro NVME + Samsung 850 Pro SATA + HDD Western Digital Black - 2TB ; Corsair AX1500i Professional 80 PLUS Titanium ; x3 Samsung S27D850T 27-Inch WQHD Monitor
 

4 hours ago, TOMPPIX said:

Password has been found WNcry@2ol7


Warning! There are links to malware samples on this GitHub page.

 

 

 

 

Do you know where to get the source? I can't find it anywhere 

Hello


3 minutes ago, TAHIRMIA said:

Do you know where to get the source? I can't find it anywhere 

It is credited in that link.

 

https://mobile.twitter.com/the_ens/status/863055007842750465

 



2 minutes ago, mark_cameron said:

@leadeater basically, security professional researchers, government security agencies, software manufacturers all worked together to stop this causing further damage

 

1 minute ago, vorticalbox said:

it is credited in that link. 

Under Malware Samples?



Just now, TAHIRMIA said:

Under Malware Samples?

I edited my post to the twitter post of the person who found it. 



2 minutes ago, mark_cameron said:

@leadeater basically, security professional researchers, government security agencies, software manufacturers all worked together to stop this causing further damage

Yea, I did read it, and there are many organisations that do this work, but it's just very amusing that they found and implemented the disarm before they even knew it lol. That's a rare feat and likely not repeated any time soon.


And this is why, as a home user, you shouldn't be holding on to old versions of Windows (at least, not without extensive anti-malware protection and a lot of caution).

 

Yeah, you may not be entirely comfortable with Windows 10's data sharing (although the concern over that feels overblown) or UI tweaks... but do you know what's worse?  Having all your local data held for ransom.  And it's one thing if it's just your personal system, but it's another if it's a family or work computer.  Be nice to others and don't leave their stuff vulnerable just because you think Microsoft reached OS perfection in 2009, folks.


3 minutes ago, leadeater said:

Yea I did read it and there are many organisations that do this work but it's just very amusing that they found and implemented the disarm before they even knew it lol, that's a rare feat and likely not repeated any time soon.

Very very lucky. I would say.

 

Lucky that the right people in the security industry were in the right place at the right time and had contact with security agencies.

 

Imagine someone actually stopping the attack getting SWATTED, mistaken for the perpetrators. Because that is what could have happened as they intervened in the attack.

 

6 minutes ago, vorticalbox said:

I edited my post to the twitter post of the person who found it. 

I meant the source code for Wanna?



'Murica.

|EVGA 850 P2| |1440p PG279Q| |X570 Aorus Extreme| |Ryzen 9 3950x WC| |FE 2080Ti WC|TridentZ Neo 64GB| |Samsung 970 EVO M.2 1TB x3

 |Logitech G900|K70 Cherry MX Speed|  |Logitech Z906 |  |HD650|  |CaseLabs SMA8 (one of the last ones made)

 


4 hours ago, LAwLz said:

 It uses an SMBv1 vulnerability, so I assume it is carried out over the network.

Yeah, but how does it reach the networks, especially home users who are only connected to their own Wi-Fi?

Desktop: 7800x3d @ stock, 64gb ddr4 @ 6000, 3080Ti, x670 Asus Strix

 

Laptop: Dell G3 15 - i7-8750h @ stock, 16gb ddr4 @ 2666, 1050Ti 


1 minute ago, Raskolnikov said:

Yeah, but how does it reach the networks, especially home users who are only connected to their own Wi-Fi?

It's an internet worm; it basically sniffs out devices that are vulnerable. It is epidemic lel.


 


4 hours ago, LAwLz said:

 It uses an SMBv1 vulnerability, so I assume it is carried out over the network.

I know that much but how?  Is it like, you click an email link (don't think so) or something else?

5 hours ago, vorticalbox said:

It is using the NSA remote exploit; it scans IPs and spreads with no user interaction.

So my theory was right, it just directly attacks any computer it can see on the network/internet.

5 hours ago, vorticalbox said:

If you're infected, disconnect from the network and don't pay the ransom. I would count the data as lost if you don't have a backup, and just fresh install.

Couldn't agree more.  Not everyone does though...

5 hours ago, vorticalbox said:

If you're not infected, clicky that start button and update.

xD yeah by now, if you haven't, idk what to say

4 hours ago, vorticalbox said:

It potentially could if you have wine installed.

I suppose in theory you're right it could execute, but since the vector by which it attacks the machine would not be present, wouldn't this require intentionally running the program?

Solve your own audio issues  |  First Steps with RPi 3  |  Humidity & Condensation  |  Sleep & Hibernation  |  Overclocking RAM  |  Making Backups  |  Displays  |  4K / 8K / 16K / etc.  |  Do I need 80+ Platinum?

If you can read this you're using the wrong theme.  You can change it at the bottom.


50 minutes ago, TAHIRMIA said:

I meant the source code for Wanna?

Oh, maybe click one of the links in the scanning part?



24 minutes ago, Ryan_Vickers said:

So my theory was right, it just directly attacks any computer it can see on the network/internet.

It uses the NSA SMB exploit, from the information I can find.

 

25 minutes ago, Ryan_Vickers said:

I suppose in theory you're right it could execute, but since the vector by which it attacks the machine would not be present, wouldn't this require intentionally running the program?

SMB is on Linux so the exploit might work, and if wine works it could run. Though wine creates a fake C drive, so it would encrypt that rather than your files.

 

Whether it could be used against Linux in another form I don't know. These are the types of malware that I fear most for people on Linux.

 

One does not need root to access one's data.



10 minutes ago, vorticalbox said:

It uses the NSA SMB exploit, from the information I can find.

Yeah I know, just nothing I've read goes into the details of how that actually works

10 minutes ago, vorticalbox said:

SMB is on Linux so the exploit might work, and if wine works it could run. Though wine creates a fake C drive, so it would encrypt that rather than your files.

 

Whether it could be used against Linux in another form I don't know. These are the types of malware that I fear most for people on Linux.

 

One does not need root to access one's data.

I thought Linux used its own thing (Samba) for interfacing with Windows shares? If so, would that not be completely different code that is in all likelihood not vulnerable? Also, I don't know if this is still the default, but Wine used to automount a "Z" drive as well which pointed to /, so that could get everything.



5 hours ago, TOMPPIX said:

Password has been found WNcry@2ol7


Warning! There are links to malware samples on this GitHub page.

 

 

 

Just so that everyone knows, this is not the password you can use in case your files have been encrypted. It is just the password used by the malware to unpack itself.

In fact, each file gets encrypted individually and they all use separate keys.

 

 

53 minutes ago, Commodus said:

And this is why, as a home user, you shouldn't be holding on to old versions of Windows (at least, not without extensive anti-malware protection and a lot of caution).

No... This has nothing to do with using Windows 7 or 10. Windows 10 was just as vulnerable as Windows 7 was.

Hell, even Windows XP was patched.

 

 

 

26 minutes ago, Raskolnikov said:

Yeah, but how does it reach the networks, especially home users who are only connected to their own Wi-Fi?

24 minutes ago, Ryan_Vickers said:

I know that much but how?  Is it like, you click an email link (don't think so) or something else?

It uses several different methods and for different parts of the malicious code, but it heavily relies on an exploit in SMBv1.

It's not a Trojan though. From what I can tell, simply being connected to someone on the same network, or being reachable with SMB over the Internet can get you infected. No user input necessary.

 

Quote from Talos:


The malware then has the capability to scan heavily over TCP port 445 (Server Message Block/SMB), spreading similar to a worm, compromising hosts, encrypting files stored on them then demanding a ransom payment in the form of Bitcoin.

Additionally, Talos has observed WannaCry samples making use of DOUBLEPULSAR which is a persistent backdoor that is generally used to access and execute code on previously compromised systems. This allows for the installation and activation of additional software, such as malware. This backdoor is typically installed following successful exploitation of SMB vulnerabilities addressed as part of Microsoft Security Bulletin MS17-010. This backdoor is associated with an offensive exploitation framework that was released as part of the Shadow Brokers cache that was recently released to the public. Since its release it has been widely analyzed and studied by the security industry as well as on various underground hacking forums.

WannaCry does not appear to only be leveraging the ETERNALBLUE modules associated with this attack framework; it is simply scanning accessible servers for the presence of the DOUBLEPULSAR backdoor. In cases where it identifies a host that has been implanted with this backdoor, it simply leverages the existing backdoor functionality available and uses it to infect the system with WannaCry. In cases where the system has not been previously compromised and implanted with DOUBLEPULSAR, the malware will use ETERNALBLUE for the initial exploitation of the SMB vulnerability. This is the cause of the worm-like activity that has been widely observed across the internet.

 

Organizations should ensure that devices running Windows are fully patched and deployed in accordance with best practices. Additionally, organizations should have SMB ports (139, 445) blocked from all externally accessible hosts.

 

 

16 minutes ago, vorticalbox said:

It uses the NSA SMB exploit, from the information I can find.

 

SMB is on Linux so the exploit might work, and if wine works it could run. Though wine creates a fake C drive, so it would encrypt that rather than your files.

 

Whether it could be used against Linux in another form I don't know. These are the types of malware that I fear most for people on Linux.

 

One does not need root to access one's data.

I doubt it. The exploit is not in SMB by itself, but rather how SMBv1 is handled by Windows.

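The Talos excerpt quoted in the post above describes two things a defender can act on: the worm's heavy scanning of TCP 445 across many hosts, and the recommendation that SMB ports 139 and 445 be unreachable from outside. The script below is an added example written for this thread, not code from LAwLz or from Talos. It assumes a firewall or flow log reduced to "timestamp source destination port action" lines (constructed here), defines "internal" as the RFC 1918 ranges, and flags a source as worm-like when it contacts at least FANOUT_THRESHOLD distinct SMB destinations; that threshold is an assumption to tune per environment.

```python
"""Detect worm-like SMB fan-out and externally reachable SMB in connection logs.

Added example (not from the forum thread or the Talos write-up).
Log format, sample lines, the internal-range definition and the fan-out
threshold are all assumptions made for this example.
"""
import ipaddress
from collections import defaultdict

SMB_PORTS = {139, 445}
FANOUT_THRESHOLD = 5   # distinct SMB destinations per source; assumption, tune locally

# Assumption: RFC 1918 space is "internal"; anything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log: "<timestamp> <src ip> <dst ip> <dst port> <action>"
SAMPLE_CONN_LOG = """\
2017-05-12T11:00:01Z 10.0.5.33 10.0.5.1 445 allow
2017-05-12T11:00:01Z 10.0.5.33 10.0.5.2 445 allow
2017-05-12T11:00:02Z 10.0.5.33 10.0.5.3 445 allow
2017-05-12T11:00:02Z 10.0.5.33 10.0.5.4 445 allow
2017-05-12T11:00:02Z 10.0.5.33 10.0.5.5 445 allow
2017-05-12T11:00:03Z 10.0.5.33 10.0.5.6 445 allow
2017-05-12T11:00:03Z 10.0.5.33 198.51.100.7 445 allow
2017-05-12T11:00:05Z 10.0.7.2 10.0.7.10 445 allow
2017-05-12T11:00:06Z 10.0.7.2 10.0.7.10 445 allow
2017-05-12T11:00:09Z 203.0.113.9 10.0.5.40 445 allow
2017-05-12T11:00:10Z 10.0.5.21 10.0.9.9 443 allow
2017-05-12T11:00:11Z 203.0.113.50 10.0.5.41 139 deny
"""


def is_internal(ip):
    """True when the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_conn(line):
    """Parse one log line into a dict, or return None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, dport, action = parts
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "action": action}


def find_smb_scanners(log_text, threshold=FANOUT_THRESHOLD):
    """Return {src: sorted distinct SMB destinations} for sources at or above threshold.

    Denied attempts are counted too: a blocked scan is still evidence that the
    source host is trying to spread.
    """
    fanout = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_conn(line)
        if rec and rec["dport"] in SMB_PORTS:
            fanout[rec["src"]].add(rec["dst"])
    return {src: sorted(dsts) for src, dsts in fanout.items() if len(dsts) >= threshold}


def find_external_smb_exposure(log_text):
    """Return (src, dst, port) for allowed SMB connections from external sources.

    Any hit means SMB is reachable from outside, which the Talos advice says
    should be blocked at the perimeter.
    """
    exposed = []
    for line in log_text.splitlines():
        rec = parse_conn(line)
        if not rec or rec["dport"] not in SMB_PORTS or rec["action"] != "allow":
            continue
        if not is_internal(rec["src"]):
            exposed.append((rec["src"], rec["dst"], rec["dport"]))
    return exposed


if __name__ == "__main__":
    for src, dsts in find_smb_scanners(SAMPLE_CONN_LOG).items():
        print(f"possible SMB scanner {src}: {len(dsts)} distinct destinations")
    for src, dst, port in find_external_smb_exposure(SAMPLE_CONN_LOG):
        print(f"SMB reachable from outside: {src} -> {dst}:{port}")
```

The two checks answer different questions: the fan-out count points at a host that may already be infected and should be isolated, while the exposure list shows where the perimeter still lets SMB in and the port block Talos recommends has not been applied.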

Just now, LAwLz said:

It uses several different methods and for different parts of the malicious code, but it heavily relies on an exploit in SMBv1.

It's not a Trojan though. From what I can tell, simply being connected to someone on the same network, or being reachable with SMB over the Internet can get you infected. No user input necessary.

I understand that it can infect a whole network, but doesn't someone have to download it on one of the machines in the first place?

 

E-mail phishing, torrents, etc?



2 minutes ago, Raskolnikov said:

I understand that it can infect a whole network, but doesn't someone have to download it on one of the machines in the first place?

 

E-mail phishing, torrents, etc?

No, it's a remote exploit. That's how it spread so quickly.


