Protecting Against Ransomware (Windows Talk)
This topic has 106 replies, 13 voices, and was last updated 8 years, 9 months ago by Bob Williams.
May 23, 2017 at 11:03 pm #7820
Sorry, User ACCOUNT Control.
May 23, 2017 at 11:14 pm #7822
The NSA created EternalBlue: “(SMBv1) server in various versions of Microsoft Windows accepts specially crafted packets from remote attackers, allowing them to execute arbitrary code on the target computer.” When they say “specially crafted” it’s not special at all. MS always use that wording, probably approved by the lawyers and total bollocks. I think it means not produced by MS themselves.
That is what allowed WannaCry to spread once it got in. User permissions have nothing to do with it.
In my situation I am not too worried as SMB v1 is only running on Linux variants (printers and NAS) which are not under threat of infection. The Windows boxes can use SMB v2+ to access the shares for the scanners on the Synology NAS. Plus I have robust security measures in place to prevent infection and mitigate its effects if not.
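The post above rests on two checks a defender wants to be able to make on each Windows box: is the SMBv1 server still enabled, and which hosts (the printers and NAS mentioned) are actually still negotiating the v1 dialect before it is switched off. The script below is an added example, not code from this thread or from any poster; it assumes an elevated PowerShell session on Windows 8.1 / Server 2012 R2 or later, where the SmbShare module and the SMB1Protocol optional feature exist.

```powershell
# Added example (not from the thread): audit SMB dialects in use, then disable SMBv1.
# Assumes an elevated PowerShell session on Windows 8.1 / Server 2012 R2 or later.

# 1. Audit the server side: is the SMBv1 protocol still switched on?
$server = Get-SmbServerConfiguration
Write-Host "SMB1 server protocol enabled: $($server.EnableSMB1Protocol)"

# 2. Audit live traffic before cutting anything off. Sessions INTO this host
#    show which clients still speak 1.x; connections FROM this host show which
#    shares (e.g. a NAS scanner share) we are reaching with which dialect.
Write-Host "`nInbound sessions still using SMB 1.x:"
Get-SmbSession | Where-Object { $_.Dialect -like '1.*' } |
    Select-Object ClientComputerName, ClientUserName, Dialect

Write-Host "`nOutbound connections and the dialect negotiated:"
Get-SmbConnection | Select-Object ServerName, ShareName, Dialect

# 3. Remediate: turn off the SMBv1 server, the path the worm used to spread.
if ($server.EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Write-Host "SMB1 server protocol disabled."
}

# 4. Remove the optional feature so the SMBv1 driver is not loaded at all.
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
if ($feature.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
    Write-Host "SMB1Protocol feature removed; a reboot completes the change."
}
```

Step 2 is the part worth running first on a mixed network: a printer or older NAS that only speaks SMB 1.x will show up there, and its share will stop working once step 3 is applied, so that is the moment to move it to a v2-capable firmware or isolate it rather than leave v1 on for everyone.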
May 24, 2017 at 12:42 am #7825
Yes Dave, once it got in. The info on admin logins is really just for info, but it does show that just blindly ticking that UAC box is a bad idea. On a side note, did you know that SMB v1.0 is also known as the Common Internet File System and it was submitted to the IETF in 1996? They must have been napping at the time.
May 24, 2017 at 6:47 am #7827
Yes, it’s ancient. We don’t seem able to shake it though.
May 24, 2017 at 6:59 am #7828
According to Threatpost, more of the NSA malware is on the loose and being used by the criminal fraternity. These SMB attack vectors in use are named as EternalChampion, EternalRomance and EternalSynergy, as well as ArchiTouch and SMBTouch, working to install the DoublePulsar kernel exploit. The latter is a Ring 0 Trojan and is installed once the SMB exploits do their dirty, i.e. just because you manage to decrypt your WannaCry ransom your troubles are not over by a long chalk!
The Microsoft patches protect against all the SMB exploits so far publicised, but a script is available for network professionals to see if the DoublePulsar Trojan has been installed. (Ordinary users should of course have a good A/V installed to stop all this happening.)
May 24, 2017 at 1:56 pm #7844
I see the Walrus* dance over who did or did not create and push out the worm continues.
It appears it was created by someone or some team, but the rest is unknown – in public at least.
*So called after the walrus problem over “will you, won’t you join the dance” from the children’s tale.
May 24, 2017 at 6:42 pm #7859
As an aside, I received an Alert from Lincs. Police regarding an opportunist scam from what appears to be a Microsoft Antimalware team. They email victims with a “cure” for WannaCry. When the victim responds and sends money, the scammer sends them a link to download.
Hey-ho, it’s the latest Windows Malicious Software Removal Tool – KB8908830. Maybe if the ‘victims’ carried out Update procedures occasionally….
GOOD NEWS though! Today there was an email in my Junk folder, awarding me first prize of $35,000 US in a Facebook competition. All I have to do is send them the following details, blah blah and blah. Strangely, Facebook appears to know nothing about it, but they are “grateful” for the details I sent after “View Message Source” and sending it to FB. So, do I get a reward? Not.
Well, it makes a change from “Adult Dating” offers. I don’t bother responding to that, as SWMBO says I will never be an adult and no one else will have me anyway. :yahoo:
When the Thought Police arrive at your door, think – I'm out.