SIGforum.com    Main Page  Hop To Forum Categories  The Lounge    Cyber attack using leaked NSA tool spreads across 74 countries; some UK hospitals crippled
Glorious SPAM!
mbinky posted:
So did the kid who found the "kill switch" really find it, or did he know it was there because he put it there?
 
Posts: 10640 | Registered: June 13, 2003
stupid beyond all belief
Deqlyn posted:
Fairly certain para predicted this. I believe in the Home Depot hacked thread he said "one day we will wake up to find the whole world's identity has been stolen." This seems close enough.



What man is a man that does not make the world better. -Balian of Ibelin

Only boring people get bored. - Ruth Burke
 
Posts: 8247 | Registered: September 13, 2012
Don't Panic
joel9507 posted:
If there were a 'GoFundMe' for paying some shadow group to find the perps and provide them some percussive education, I'd be all over that.

Meanwhile, two tricks to avoid this sort of thing:

1) Windows Update is your friend
quote:
At the time, some cyber-security experts said some of the malware was real, but old. A patch for the vulnerability was released by Microsoft in March, but many systems may not have had the update installed.


2) Don't be like the DNC and click every email that comes in
quote:
Friday’s ransomware attack first spread through a massive email phishing campaign. At least some of those emails appeared to be messages from a bank about a money transfer, according to Cisco’s Talos group.


Along with the traditional advice, of course - use antimalware, configure your system, etc.
 
Posts: 15207 | Location: North Carolina | Registered: October 15, 2007
Republican in training
DonDraper posted:
https://www.malwaretech.com/20...l-cyber-attacks.html


blog post from the dude that registered the domain

quote:
Originally posted by sdy:
A 'kill switch' is slowing the spread of WannaCry ransomware

http://www.pcworld.com/article...acry-ransomware.html

Friday’s unprecedented ransomware attack may have stopped spreading to new machines -- at least briefly -- thanks to a "kill switch" that a security researcher has activated.

the ransomware also contains a kill switch that may have backfired on its developers, according to security researchers.

Wana Decryptor infects systems through a malicious program that first tries to connect to an unregistered web domain. The kill switch appears to work like this:

If the malicious program can’t connect to the domain, it’ll proceed with the infection. If the connection succeeds, the program will stop the attack.

A security researcher who goes by the name MalwareTech found that he could activate the kill switch by registering the web domain and posting a page on it.


MalwareTech's original intention was to track the ransomware's spread through the domain it was contacting. “It came to light that a side effect of us registering the domain stopped the spread of the infection,” he said in an email.

Security firm Malwarebytes and Cisco’s Talos security group reported the same findings and said new ransomware infections appear to have slowed since the kill switch was activated.

However, Malwarebytes researcher Jerome Segura said it’s too early to tell whether the kill switch will stop the Wana Decryptor attack for good. He warned that other versions of the same ransomware strain may be out there that have fixed the kill-switch problem or are configured to contact another web domain.

Unfortunately, computers already infected with Wana Decryptor will remain infected, he said.

Friday’s ransomware attack first spread through a massive email phishing campaign. At least some of those emails appeared to be messages from a bank about a money transfer, according to Cisco’s Talos group.

Security firm Avast said it had detected more than 75,000 attacks in 99 countries, with Russia, Ukraine and Taiwan among the hardest-hit countries. The U.K.’s National Health Service was one of the biggest organizations hit by the ransomware.

The ransomware was designed to work in numerous languages, including English, Chinese and Spanish, with ransom notes in each.

*********************

I always wonder if it is wise to publicly report discoveries like this (that the kill switch was found in the code).


--------------------
I like Sigs and HK's, and maybe Glocks
 
Posts: 2284 | Location: SC | Registered: March 16, 2011
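The gate described in the quoted article, as an added example that is not part of the original post and not code from any real sample: a simulation of the kill-switch check against a stand-in domain and a constructed set of hosts. The domain name, the host list and the probe function are assumptions made for the demonstration. It also shows the two limits the article points at: a variant configured to contact another domain keeps spreading after the first name is registered, and because the rule is "can't connect, so proceed", a host with no direct route to the internet never sees the registered domain and proceeds anyway.

```python
# Added example, not code from the original post or from any real sample:
# a simulation of the kill-switch gate the article describes.
from typing import Callable, Dict, List, Set

# A probe returns True when an HTTP connection to the domain succeeds and
# raises (or returns False) when it cannot connect.
Probe = Callable[[str], bool]

# Constructed placeholder; the real sample's hard-coded domain is not reproduced.
KILL_SWITCH_DOMAIN = "kill-switch-placeholder.invalid"


def should_proceed(domain: str, probe: Probe) -> bool:
    """Return True if the payload would run.

    The rule from the article: connection succeeds -> stop; cannot connect ->
    proceed.  Every failure mode (unregistered name, DNS failure, no route)
    counts as "cannot connect", which is why registering the name halts hosts
    that can reach it and does nothing for hosts that cannot.
    """
    try:
        return not probe(domain)
    except OSError:
        return True


def make_probe(registered: Set[str], direct_internet: bool) -> Probe:
    """Build the probe for one constructed host.

    The connection succeeds only if the host has a direct route out and the
    name has been registered (i.e. the researcher's sinkhole answers).
    """
    def probe(domain: str) -> bool:
        if not direct_internet:
            raise ConnectionError("no route to host")
        return domain in registered
    return probe


def simulate(hosts: Dict[str, bool], registered: Set[str], domain: str) -> List[str]:
    """Names of the hosts on which a sample checking `domain` would run.

    `hosts` maps host name -> whether it has direct internet access.
    """
    return [name for name, direct in hosts.items()
            if should_proceed(domain, make_probe(registered, direct))]


# Constructed hosts: two with a direct route out, one that can only reach the
# internet through a proxy the sample does not know how to use.
HOSTS = {"laptop-direct": True, "server-direct": True, "lab-pc-proxied": False}


if __name__ == "__main__":
    print("before registration:  ", simulate(HOSTS, set(), KILL_SWITCH_DOMAIN))
    print("after registration:   ", simulate(HOSTS, {KILL_SWITCH_DOMAIN}, KILL_SWITCH_DOMAIN))
    print("variant, other domain:", simulate(HOSTS, {KILL_SWITCH_DOMAIN}, "other-domain.invalid"))
```

Running it prints all three hosts before registration, only the proxied host after, and all three again for the variant; the proxied host is the case the article's "already infected machines stay infected" warning does not cover, and it is the reason registering the domain is a brake, not a cure.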
Do No Harm, Do Know Harm
posted:
Asking as an ignoramus...

Personally, if I don't click on stupid email links from {{~~DeBiELOvesHugeThiCK~~LallA`laLLa`D!ngDQng~~}} sent you pics!

Am I going to be immune from this type of attack?

Or can they sneak into my computer without me doing something dumb?




Knowing what one is talking about is widely admired but not strictly required here.

Although sometimes distracting, there is often a certain entertainment value to this easy standard.
-JALLEN

"All I need is a WAR ON DRUGS reference and I got myself a police thread BINGO." -jljones
 
Posts: 11465 | Location: NC | Registered: August 16, 2005
Member
posted:
quote:
if I don't click

Some work by merely opening the email.


***************************
Knowing more by accident than on purpose.
 
Posts: 14186 | Location: Tampa, Florida | Registered: December 12, 2003
Do No Harm, Do Know Harm
posted:
quote:
Originally posted by jehzsa:
quote:
if I don't click

Some work by merely opening the email.


I guess that's what I mean. If I get an email from someone I don't know and am not expecting, it gets deleted before being opened.

For whatever reason, there are a lot of hot locals that just want to screw in my area? Or at least I get three emails a day in my Hotmail account telling me that?




Knowing what one is talking about is widely admired but not strictly required here.

Although sometimes distracting, there is often a certain entertainment value to this easy standard.
-JALLEN

"All I need is a WAR ON DRUGS reference and I got myself a police thread BINGO." -jljones
 
Posts: 11465 | Location: NC | Registered: August 16, 2005
Step by step walk the thousand mile road
Sig2340 posted:
The young bloke who found the URL in the code told an interviewer " When I realized what it was and the domain wasn't registered, I said to myself 'I'll be having some of that if you please.'"

22, no college, self-taught, lives with his parents, kills a leviathan with $10.69.

Not bad, slacker.





Nice is overrated

"It's every freedom-loving individual's duty to lie to the government."
Airsoftguy, June 29, 2018
 
Posts: 32255 | Location: Loudoun County, Virginia | Registered: May 17, 2006
Member
posted:
Opening emails has become a new variable in the know-your-surroundings paradigm.

Situational awareness in a bright new light.

Give MailWasher Free a try. It's another tool. If you have questions about it, let me know. It seems like I'm the only one in this forum using it. The least it does is let you know what you have and where it comes from before it reaches your inbox.

https://sigforum.com/eve/forums...840062124#1840062124


***************************
Knowing more by accident than on purpose.
 
Posts: 14186 | Location: Tampa, Florida | Registered: December 12, 2003
wishing we were congress
posted:
I always run in "user" mode rather than "administrator" mode.

To do some things I want to do, I have to switch to administrator.

Don't know that being in user mode would protect against wannacry specifically, but it sure seems to help in general.
 
Posts: 19759 | Registered: July 21, 2002
Nullus Anxietas
ensigmatic posted:
I posted slightly different versions of the following to FB and in an email to the employees of a corporation for which I'm an I.T. admin.

There are several very serious Microsoft Windows security threats currently active on the Internet. Major corporations have been paralyzed by these threats.

The primary way these threats are spread is believed to be by email and "malvertising" on web sites.

Protect your PC and your data by practicing "safe computing":

  • MAKE SURE YOUR PC SOFTWARE IS ALL UP-TO-DATE. All MS-Windows PCs *should* be auto-updating. The patches to address these vulnerabilities were issued by Microsoft on Monday and Tuesday (May 8 and 9).
  • NEVER OPEN AN EMAIL ATTACHMENT unless you were expecting an email with an attachment, the attachment is of the type you were expecting, and it's from somebody you were expecting to send you an email with an attachment.

    Caution: Just because it claims to come from somebody you know doesn't necessarily make it true. If in doubt: Don't.

  • DO NOT EVER CLICK ON LINKS IN EMAIL. If it looks bogus, simply discard the email. If it *appears* to be from a friend, colleague, vendor or customer, and you did not expect such an email: Call and ask them. If it does appear safe: Copy the link and manually paste it into your browser, then look closely at the URL before hitting <Return>, to make sure it's really sending your browser where you think it is.
  • Back up your PC regularly. Or, at least, the files that cannot be easily replaced. (E.g.: Financial data, correspondence, photos.) Keep your backup off-line (not connected) when not actively in use, otherwise the malware can get to it, too.
  • Be particularly careful of web sites in Eastern Europe, Southeast Asia, the Mideast and Africa.
  • Run effective anti-virus and anti-malware software, and keep it up-to-date

You'll notice anti-virus/-malware software comes last. That's because it is, in my opinion, the least effective of the defenses I listed.



"America is at that awkward stage. It's too late to work within the system,,,, but too early to shoot the bastards." -- Claire Wolfe
"If we let things terrify us, life will not be worth living." -- Seneca the Younger, Roman Stoic philosopher
 
Posts: 26009 | Location: S.E. Michigan | Registered: January 06, 2008
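The "copy the link and look closely at the URL before hitting Return" step from the post above, as an added example that is not part of the original post: a small Python script, written here, that pulls every link out of an HTML email and flags the tricks that make a bad link look good (display text that shows one host while the href goes to another, user info placed in front of the real host, a raw IP address, a non-web scheme). The email body is constructed for the demonstration and modelled on the bank-transfer lure quoted earlier in the thread; none of it is a real message.

```python
# Added example, not from the original post: inspect the links in an HTML
# email before anyone clicks them, automating the "look closely at the URL"
# step.  The email body below is constructed for the demonstration.
import re
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Displayed link text that itself looks like a host name or URL.
_LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)
_IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


class _Anchors(HTMLParser):
    """Collect (href, visible text) for every <a href=...> in the body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url: str) -> str:
    return (urlsplit(url.strip()).hostname or "").lower()


def inspect_link(href: str, text: str) -> List[str]:
    """Reasons this link deserves a phone call rather than a click."""
    findings: List[str] = []
    parts = urlsplit(href.strip())
    real_host = (parts.hostname or "").lower()
    if parts.scheme.lower() not in ("http", "https"):
        findings.append(f"non-web scheme {parts.scheme!r}")
    if parts.username is not None:
        # "http://bank.example@203.0.113.10/" really goes to 203.0.113.10
        findings.append(f"user info before the host; real host is {real_host}")
    if _IPV4.match(real_host):
        findings.append("raw IP address instead of a host name")
    if _LOOKS_LIKE_URL.match(text):
        shown = _host(text if text.lower().startswith("http") else "http://" + text)
        if shown != real_host:
            findings.append(f"shows {shown} but goes to {real_host}")
    return findings


def inspect_email(html: str) -> List[Tuple[str, str, List[str]]]:
    """Return (href, text, findings) for each link; empty findings means clean."""
    parser = _Anchors()
    parser.feed(html)
    return [(href, text, inspect_link(href, text)) for href, text in parser.links]


# Constructed sample body modelled on the "bank transfer" lure in the article.
SAMPLE_EMAIL = """
<p>A transfer of $4,750.00 is pending on your account. Review it here:</p>
<p><a href="http://www.bank.example.evil.invalid/transfer">https://www.bank.example/transfer</a></p>
<p>Or sign in at the <a href="http://bank.example@203.0.113.10/login">Secure Transfer Portal</a>.</p>
<p>Help: <a href="https://www.bank.example/help">https://www.bank.example/help</a></p>
"""


if __name__ == "__main__":
    for href, text, findings in inspect_email(SAMPLE_EMAIL):
        print(("SUSPECT " if findings else "ok      ") + href, findings)
```

Only the third link comes back clean; the first shows the bank's host in its text while the href lands on a lookalike subdomain, and the second hides a raw IP behind a "bank.example@" prefix. A clean result is not proof the link is safe (a lookalike domain with honest display text passes), which is why the post's advice to call the sender still applies.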
Member
Poacher posted:
We need to pursue these people and identity thieves like we do terrorist, then break every bone in their hands.




NRA Life Member

"Do what you can, with what you have, where you are." Teddy Roosevelt
 
Posts: 2254 | Location: Newnan, GA USA | Registered: January 24, 2006
Nullus Anxietas
ensigmatic posted:
The second thing I posted to FB, regarding the latest incident.

An Internet friend and colleague noted that one problem with the current exploit that's running around the Internet is that hospitals and other companies use products with embedded systems that use various 3rd-party core operating systems. These are difficult, or even impossible, to update.
This is true.
Thing is: Manufacturers of these devices long ago started taking the easy way out in product design and implementation. Rather than use purpose-designed kernels, they're re-purposing something that tries to be everything: General purpose operating systems. And one of the worst, if not *the* worst, examples in computing history, IMO: Microsoft Windows.
Back when I was doing embedded systems we would have never *considered* doing such a thing.
While the fault lies with the makers of the things that exploit vulnerabilities, some of the blame has to go with the product makers and consumers, themselves. It's not as if the core product's history has been any great secret.
If somebody's car is stolen because they left it running at the gas pump, keys in the ignition, doors unlocked, in a bad neighbourhood, while they went inside to pay, you'd of course blame the thief, but, you'd also ask "What kind of id10t would do that?"
Well, same thing, more or less.
Years ago the USAF had their drone command and control systems compromised by a virus/worm/trojan. Their response: They replaced the MS-Windows computers running that stuff with hardened Linux. That is a reasonable response to such a thing.
More recently: I've long been mildly distrustful of Google's Android ecosystem. Lately it's been proven, to *my* satisfaction, that it cannot be trusted. Thus: Out with Android, in with iOS. (This is going to be an expensive, PITA, transition, but, it Must Be Done.)
Conversely: I watched a Major U.S. Auto Manufacturer's email system get 0wn3d twice w/in a year or two. Do you think either incident caused them to re-think the system they were using? Nah.
So, while I don't blame the (direct) victims, per se, please forgive me if I express little sympathy for them. They didn't "bring it on themselves," but, they certainly didn't do all they could to mitigate against the known dangers. And that *is* on them, IMO.



"America is at that awkward stage. It's too late to work within the system,,,, but too early to shoot the bastards." -- Claire Wolfe
"If we let things terrify us, life will not be worth living." -- Seneca the Younger, Roman Stoic philosopher
 
Posts: 26009 | Location: S.E. Michigan | Registered: January 06, 2008
I have lived the greatest adventure
AUTiger89 posted:
If you have a Windows PC, you should make sure it is updated immediately, and have everyone you know do the same.

My office PC was hit by a ransomware virus last year (via an e-mail that got through) and I caught it early. It still took 2 days to clean my system and recover the damaged files. Thankfully, I had sufficient backups.

I was at work until 7 updating servers and then on the phone with people until after 11 last night helping them get their PCs updated.




Phone's ringing, Dude.
 
Posts: 6174 | Location: Upstate SC | Registered: April 06, 2011
Member
dsiets posted:
quote:
Originally posted by henryaz:
 
This Windows vulnerability is so dangerous and exploitable, that Microsoft even relented and issued a patch for XP, which is past its support deadline.
  
Ars Technica article.
 


Thanks, I have two XPs
A direct link to this update:
http://www.catalog.update.micr...rch.aspx?q=KB4012598
 
Posts: 7513 | Location: MI | Registered: May 22, 2007
Member
posted:
https://haveibeenpwned.com/

Another tool. Check your email addresses/username.


***************************
Knowing more by accident than on purpose.
 
Posts: 14186 | Location: Tampa, Florida | Registered: December 12, 2003
Step by step walk the thousand mile road
Sig2340 posted:
Ensigmatic:

With the recent discovery of a keylogger buried in a Conexant HD Audio Driver Package version 1.0.0.46 and earlier, is there any history of a malwaremotherfucker using either a spoofed software update or a real from the software producer update to distribute malware?





Nice is overrated

"It's every freedom-loving individual's duty to lie to the government."
Airsoftguy, June 29, 2018
 
Posts: 32255 | Location: Loudoun County, Virginia | Registered: May 17, 2006
Nullus Anxietas
ensigmatic posted:
quote:
Originally posted by Sig2340:
... is there any history of a malwaremotherfucker using either a spoofed software update or a real from the software producer update to distribute malware?

You mean across all platforms?

<scratches head...> I have seen warnings of typical spoofed email type things, not unlike the spoofed "your account password has been..." things. The normal update channels? Not to my recollection. For that to work they'd have to compromise the update channel notification mechanism and, I presume, hijack DNS. Except for a very narrowly-focused attack (e.g.: Say, somebody's missile c2 system...), I'm not certain such a thing would be successful long enough to make the effort worthwhile.

As for malware-infested legitimate distributions and malware masquerading as similarly-named legitimate packages: Most definitely. One of the reasons I lost faith in the Android ecosystem is Google's apparent inability to keep the Play Store safe. Several years ago Microsoft sent out a bunch of infected CDs. Some open source sites have been 0wn3d, and, I think, some malware made it into legitimate distros on a limited basis.

Theoretically, somebody could compromise, say, the BIND9 package, get that compromised code into one of the major distros' chain, and reams of systems could just download and install it as a matter-of-course.

I don't know of that happening. Yet.



"America is at that awkward stage. It's too late to work within the system,,,, but too early to shoot the bastards." -- Claire Wolfe
"If we let things terrify us, life will not be worth living." -- Seneca the Younger, Roman Stoic philosopher
 
Posts: 26009 | Location: S.E. Michigan | Registered: January 06, 2008
Member
posted:
I too use MailWasher Pro; I have been using it for years. It allows me to dump spam without ever loading it on my computer. Further, I can check out suspicious stuff with no chance of it infecting my computer.

I am suspicious by nature.
 
Posts: 3853 | Location: Citrus County Florida | Registered: October 13, 2008
Step by step walk the thousand mile road
Sig2340 posted:
quote:
Originally posted by ensigmatic:
< snip >
I don't know of that happening. Yet.


As always, we have the knowledgeable "guy."

I've asked that of several admins who didn't even understand the question.





Nice is overrated

"It's every freedom-loving individual's duty to lie to the government."
Airsoftguy, June 29, 2018
 
Posts: 32255 | Location: Loudoun County, Virginia | Registered: May 17, 2006

© SIGforum 2024