Woody Leonhard's no-bull news, tips and help for Windows, Office and more… Please disable your ad blocker – our (polite!) ads help keep AskWoody going!
Home icon Home icon Home icon Email icon RSS icon
  • Turn off SMBv1 on Windows, but be aware of the consequences

    Posted on June 30th, 2017 at 18:01 woody Comment on the AskWoody Lounge

    Good series of articles from Barb Bowman, taking normal everyday users through the steps to disable SMBv1, the Windows system utility that put the “cry” in WannaCry.

    The first article explains how to turn it off.

    The second article gives workarounds for common problems with disabling the ancient protocol.

  • Evidence that PetyaWrap is from a Russia-linked hacking group “TeleBots”

    Posted on June 30th, 2017 at 17:51 woody Comment on the AskWoody Lounge

    Interesting tweet stream from Catalin Cimpanu.

    He connects the dots and, based on a report from ESET, deduces that PetyaWrap comes from a hacking organization known as TeleBots, which targeted the US before 2015, and the Ukraine after 2015.

    ESET now confirms Telebots hacked MEDoc and installed a backdoor

    which apparently was used to seed PetyaWrap.

    That doesn’t explain all of the PetyaWrap infections, but it does explain the best-known infection vector.

    In addition, Dan Goodin has more evidence on Ars Technica that the people behind PetyaWrap got the leaked NSA code weeks before Shadow Brokers released it to the world. Dan calls it an “unproven theory” but it’s a interesting one.

    Thx @Kirsty

  • Contrary opinion: PetraWrap is buggy, poorly constructed ransomware

    Posted on June 29th, 2017 at 20:15 woody Comment on the AskWoody Lounge

    Yesterday, I ran an article that says PetyaWrap (NyetPetya, Petya.2017, nPetya, pick your name) “was designed to make headlines, not to make money.” There’s convincing evidence for that conclusion, offered by highly regarded malware researchers.

    But there’s a second opinion which says, roughly, “PetyaWrap was (is) a buggy piece of real ransomware.” Vess Bontchev goes on to assert that it’s from an “idiot ransomware writer.”

    Rob Graham has an excellent expose of that assertion in his Errata Security blog, NonPetya: no evidence it was a “smokescreen”:

    Certainly, things look suspicious. For one thing, it certainly targeted the Ukraine. For another thing, it made several mistakes that prevent them from ever decrypting drives. Their email account was shutdown, and it corrupts the boot sector.

    But these things aren’t evidence, they are problems. They are things needing explanation, not things that support our preferred conspiracy theory.

    Three things I know for sure.

    First, it’s still a problem. According to Ian Thomson at The Reg, FedEx reportedly halted trading on the NYSE because its TNT subsidiary got infected – likely with PetyaWrap.

    Second, the antivirus companies are in hype overdrive mode, claiming this or that about their products and PetyaWrap. I don’t believe any of it.

    Third, the people who say “install all Windows patches right away to prevent PetyaWrap infections” don’t have a clue. The infection method for PetyaWrap is still unknown, and the subject of much conjecture. What we do know is that, if your Windows PC has all of the March patches installed, it won’t get infected by one method, but it may get infected by a different method. Having all of your Windows patches up to date won’t protect you, in spite of what the self-proclaimed “experts” say.

    As for the major network TV show that claimed you could improve protection against PetyaWrap by using strong passwords…. pffffffffffffffft.

    Welcome to the scary new world of Windows, folks.

  • PetyaWrap was designed to make headlines, not to make money

    Posted on June 28th, 2017 at 20:10 woody Comment on the AskWoody Lounge

    … and it certainly succeeded.

    Security researcher Matt Suiche has published more details about PetyaWrap (NyetPetya, Petya.2017, choose your favorite cute name) that show quite conclusively that the person/organization behind PetyaWrap wasn’t interested in making money — they just wanted to make a big splash. Suiche calls it a “wiper,” as opposed to ransomeware:

    The goal of a wiper is to destroy and damage. The goal of a ransomware is to make money. Different intent. Different motive. Different narrative. A ransomware has the ability to restore its modification such as (restoring the MBR like in the 2016 Petya, or decrypting files if the victim pays) — a wiper would simply destroy and exclude possibilities of restoration.

    Dan Goodin at Ars Technica has a new analysis that strengthens Suiche’s conclusion: Tuesday’s massive ransomware outbreak was, in fact, something much worse:

    the payload delivered in Tuesday’s outbreak wasn’t ransomware at all. Instead, its true objective was to permanently wipe as many hard drives as possible on infected network…

    Tuesday’s malware was impressive. It used two exploits developed by and later stolen from the National Security Agency. It combined those exploits with custom code that stole network credentials so the malware could infect fully patched Windows computers. And it was seeded by compromising the update mechanism for M.E.Doc, a tax-filing application that is almost mandatory for companies that do business in Ukraine. The shortcomings in the ransomware functions aren’t likely to be mistakes, considering the overall quality of the malware.

    If the intent of the PetyaWrap author(s) was to sow fear of Windows, they certainly succeeded. Because of the way PetyaWrap infects, very few of you have been hit. The next version may not be so kind.

    Chromebooks are looking better every day.

  • ELSA: How the CIA tracked the location of an infected PC using WiFi signals

    Posted on June 28th, 2017 at 08:28 woody Comment on the AskWoody Lounge

    The latest WikiLeaks release talks about ELSA, reportedly a CIA project that allowed the government (and now, apparently, everybody) to snoop on the location of an infected PC.

    ELSA is a geo-location malware for WiFi-enabled devices like laptops running the Micorosoft Windows operating system. Once persistently installed on a target machine using separate CIA exploits, the malware scans visible WiFi access points and records the ESS identifier, MAC address and signal strength at regular intervals. To perform the data collection the target machine does not have to be online or connected to an access point; it only needs to be running with an enabled WiFi device. If it is connected to the internet, the malware automatically tries to use public geo-location databases from Google or Microsoft to resolve the position of the device and stores the longitude and latitude data along with the timestamp.


  • Massive batch of bug fixes for Windows, Office – KB 4022716, 4022723, with known problems

    Posted on June 27th, 2017 at 23:06 woody Comment on the AskWoody Lounge

    The dust is still settling, but here’s what people are seeing right now:

    • Win10 version 1703 – KB 4022716 includes a long list of bug fixes, brings build up to 15063.447. Known problem with iSCSI targets.
      UPDATE: Neowin reports that, nine hours after announcing this patch, it’s now available via Windows Update. MS also pulled the warning about connecting to iSCSI targets. (Thx, @Kirsty)
    • Win10 version 1607 – KB 4022723 also includes lots and lots of fixes, build 14393.1378, also has a problem with iSCSI. The KB article states that you have to manually download and install this patch, if you want it. Confused yet?
    • Win10 version 1511 – KB 4032693 has a much shorter list of fixes, build 10586.965, no identified problems. You also have to manually download and install this one, if you want it. (Thx, @MrBrian.)
    • Win 8.1 – KB 4022720, the preview of next month’s (July’s) non-security patches, also has a massive list of bug fixes, with a known problem with iSCSI attachment.
    • Win 7 – KB 4022168, also a preview of next month’s patches, has a much shorter list of fixes. I have no idea why Microsoft released the Previews on this, the fourth Tuesday of the month. They’re supposed to come out on the third Tuesday.

    I believe the 1703, Win 8.1 and Win7 patches are currently available through Windows Update and WSUS – but please drop a line if you aren’t seeing yours.

    Just to make life a little more complicated, Microsoft has officially announced that it has released KB 4022716 — the 1703 patch, mentioned above — to the Insiders Program Slow ring. Yes, if the documentation is correct, that means this same patch is available to Insiders Slow Ring (currently at build 10563.413, the same as the “old” build of 1703), but is not available to Insiders Fast Ring — nor is it available to Insiders Release Preview Ring. I think somebody at Microsoft didn’t press the right red button.

    Please tell me if you can translate this paragraph from the announcement:

    When we release a new Windows 10 Fall Creators Update build to Insiders in the Slow ring, they can wait to be targeted to install the new build, or instead of waiting Insiders can manually check for updates via Windows Update to get the new build. We know this is different from our usual “everyone at once” model to the WIP rings, however this testing will provide invaluable insights to ensure this new targeting framework is functioning as expected.

    I’m seeing confused/confusing reports about the Outlook patches – do they fix all of the identified issues, or only some? What and where are they? According to the Outlook known issues in the June 2017 security updates page, these fixes are available:

    Microsoft also says it has fixed the Outlook Search problems, as well as the Internet Explorer printing problems… by the above-mentioned fixes to Windows.

    And of course MrBrian’s reports from the Internet Explorer bug trenches remain clouded.

    Can anybody remember back when patching Windows wasn’t so complicated? Yeah, me neither. It’s becoming increasingly difficult to put lipstick on the pig.

    Until we have some indication of the problems generated by this latest round of patches, I’m keeping us at MS-DEFCON 1:  Current Microsoft patches are causing havoc. Don’t patch.

  • The grugq: PetyaWrap causing lots of havoc, making little profit

    Posted on June 27th, 2017 at 20:56 woody Comment on the AskWoody Lounge

    Dan Goodin at Ars Technica has the definitive report on the latest ransomware outbreak:

    A new ransomware attack similar to last month’s self-replicating WCry outbreak is sweeping the world with at least 80 large companies infected, including drug maker Merck, international shipping company Maersk, law firm DLA Piper, UK advertising firm WPP, and snack food maker Mondelez International. It has attacked at least 12,000 computers, according to one security company.

    If you haven’t seen the grugq’s technical analysis, it’s well worth a gander.

    Although the worm is camouflaged to look like the infamous Petya ransomware, it has an extremely poor payment pipeline.

    Of course, you have nothing to worry about because you installed MS17-010 last month, right?

    Vess Bontchev nudged me about the spreading mechanisms. At this point, we don’t really know how PetyaWrap spread, but once it infects one machine on a system, the MS17-010 patch doesn’t block it from moving from machine to machine on that same network. I have no idea how it spread so rapidly.

    Microsoft has a security blog on the topic. It lists one of the spreading mechanisms and says that one is blocked by MS17-010 — but there are two other identified mechanisms.

    We recommend customers that have not yet installed security update MS17-010 to do so as soon as possible. Until you can apply the patch, we also recommend two possible workarounds to reduce the attack surface:

    If you want to double down on your protection, you can also block PetyaWrap by creating a read-only file called c:\Windows\perfc. Full instructions on Bleeping Computer.

  • Update on Internet Explorer printing problems

    Posted on June 27th, 2017 at 18:54 PKCano Comment on the AskWoody Lounge

    @mrbrian reports these patches are available for printing problems in Internet Explorer.
    NOTE: there is a caveat. This update removes the protection from CVE-2017-8529.

    From CVE-2017-8529 | Microsoft Browser Information Disclosure Vulnerability:

    “Microsoft is announcing the release of the following updates to address a known issue customers may experience when printing from Internet Explorer or Microsoft Edge: 4032782 for Internet Explorer 11 on Windows 7, Windows Server 2008 R2, Windows 8.1, Windows Server 2012 R2, Internet Explorer 10 on Windows Server 2012, Internet Explorer 9 on Windows Server 2012; 4032695 for Internet Explorer 11 and Microsoft Edge on Windows 10; 4032693 for Internet Explorer 11 and Microsoft Edge on Windows 10 1511; 4022723 for Internet Explorer 11 and Microsoft Edge on Windows 10 1607; 4022716 for Internet Explorer 11 and Microsoft Edge on Windows 10 1703; 4022720 which is the monthly rollup preview for Windows 8.1 and Windows Server 2012 R2; 4022721 which is the monthly rollup preview for Windows Server 2012; 4022168 which is the monthly rollup preview for Windows 7 Service Pack 1 and Windows Server 2008 R2 Service Pack 1.  This update removes the protection from CVE-2017-8529. All updates are available only on the Microsoft Update Catalog, with the exceptions of 4022720, 4022721, 4022168, and 4022716, which are also available through Windows Update.”

    See @mrbrian ‘s post