Yesterday, I ran an article that says PetyaWrap (NyetPetya, Petya.2017, nPetya, pick your name) “was designed to make headlines, not to make money.” T
[See the full post at: Contrary opinion: PetraWrap is buggy, poorly constructed ransomware]
Contrary opinion: PetraWrap is buggy, poorly constructed ransomware
- This topic has 21 replies, 13 voices, and was last updated 7 years, 11 months ago.
Tags: PetyaWrap
Noel Carboni
AskWoody_MVP
June 29, 2017 at 8:37 pm #122670
I like your theory, Woody.
As a (legitimate) software developer of complex products, I can say a few things from experience:
Complex software – and make no mistake, something that integrates so many different technologies/exploits, not to mention networking, system operations, disk operations, etc. is REALLY complex – MUST be tested thoroughly.
This is not software using documented and well-tested APIs.
This is not software that can just be sent out to a large group of beta testers to help validate it.
And it can’t be tested for a long time with even a small private group of systems. Somehow evidence of its existence will be leaked. It will be discovered. Maybe an early build would leak out of the test network (hm, maybe one DID). Maybe it would screw up the developer’s test systems. The exploits it needs will be patched soon, so it’s a RUSH JOB that must be done with nearly no testing.
This IS software that to work as intended would have to run on a large number of different systems with disparate network setups and who knows what anti-malware software running. That implies all its building blocks would have to be robust, reliable, solid…
This IS software that is being developed by people who are, shall we say, not of normal minds. They are not folks who go through life doing good, reliable work, nor those who have built up their application over years and years of hard work. They’re not folks who have long-term goals, because those people understand that the world only really works if you avoid screwing it up.
There is a fundamental disparity between the smart, disciplined, clear-thinking mindset NEEDED to create a properly functioning complex software system and that which is NEEDED to write software quickly to screw as many people as you can.
And that is a Very Good Thing.
Just look at how many people Microsoft has to get to test their complex software on the up and up, and how long they’ve been developing Windows – and it STILL isn’t perfect!
-Noel
4 users thanked author for this post.
-
anonymous
Guest
June 29, 2017 at 8:52 pm #122673
What I have failed to find is info regarding the possibilities of home users getting infected just by staying online, like WannaCry or even the DoublePulsar episode…
From what I have seen on PetyaWrap’s code it does not spread online, unlike WCry it will only run a local LAN scanning for other vulnerable systems and then makes use of trusted credentials to infect those systems, being this its worm capability.
That explains why patched systems got hit, they were infected by other, already compromised stations on the same network…
Also, there is the M.E.Doc theory, which could also explain why Ukraine felt the strike so bad, since it is a very popular software there, and hence the nature of this particular infecting mechanism, it did not rely on any TCP/IP vulnerabilities, patched or not, which also corroborates with the reports of fully updated systems being affected…
Did anyone find anything indicating that put aside rigged third party software and its lateral LAN spread capabilities, it can hit someone with either Ports 445/139 closed to the web, and/or fully patched?
Also, what Windows versions are affected by this?
1 user thanked author for this post.
-
anonymous
Guest -
Noel Carboni
AskWoody_MVP
June 29, 2017 at 11:17 pm #122683
You’re right, and you’ve touched on something that bothers me more and more lately… All too few people are reporting on this issue for “the common good”.
Essentially, pretty much everyone today wants to use news for their benefit… The internet is all about monetizing information, even when the information content is thin to non-existent.
Anti-malware companies, of course, want to be the first to release juicy tidbits they’ve learned to earn “street cred” and presumably get more people to buy THEIR products because THEY look like they know what they’re doing. Think about all the products having come out lately touted specifically as “anti-ransomware”.
News people want to sell ad space, served up to those desperately looking for ways to avoid being victims. Making money from news is fine – news people gotta eat. But if journalistic integrity and getting the real story are just pushed aside for the sake of hype… That’s not so good.
Microsoft wants people to crave their latest, “most secure ever” operating system as well as to cede control of their computer systems, but – surprise – they’re not doing it entirely for users’ benefit. It’s their way to future riches.
It’s no coincidence that the term “fake news” has such mainstream exposure today.
While any particular malware package may be difficult and time consuming to analyze, details generally DO ultimately come out in time. Trouble is, all the sources of information don’t get very far toward their monetary goals if they immediately release a no-nonsense and effective “how to keep safe” guide. It sure seems to me they are hyping cyber crime news stories up as much as possible lately… Sigh.
-Noel
9 users thanked author for this post.
-
MrBrian
AskWoody_MVP
June 30, 2017 at 7:34 am #122713
1 user thanked author for this post.
-
-
anonymous
Guest
June 29, 2017 at 11:03 pm #122680
The Ukraine has been playing whack a mole with pirated software for decades. It is considered a cultural norm in eastern Europe and Russia. You can get a pirated copy of any flavor of Windows or a pirated Windows application (e.g. Office) for a mere pittance. This wave of cyber attacks will eventually collapse the house of cards that they have built and patching the exploits is not going to fix the underlying problem.
Also, it does not matter if PetraWrap was created by an idiot savant. It is more about piling on and the weight that more cyber attacks will add.
-
anonymous
Guest
June 30, 2017 at 2:20 am #122694
Fyi, the NyetPetya or PetyaWrap malware/ransomware was very likely a political cyber-attack by Russian-proxy agents/hackers against Ukraine. Now, very few international corporations will wanna buy Ukrainian software like MeDoc.
… Pirated Windows software is even more prevalent in China and India.
-
samak
AskWoody Plus
June 30, 2017 at 6:42 am #122708
“Now, very few international corporations will wanna buy Ukrainian software like MeDoc.”
MeDoc makes accounting software to help people and businesses process taxes. Presumably in line with Ukrainian tax laws. I doubt there is much of an international market for their software anyway.
Windows 10 Home 22H2, Acer Aspire TC-1660 desktop + LibreOffice, non-techie
1 user thanked author for this post.
-
ch100
AskWoody_MVP
June 30, 2017 at 6:27 pm #122762
I think the quote is to be seen as referring to Ukrainian software in general, not this particular piece of software which is related to the local taxation laws.
The problem that we have today is that it is not only about Ukrainian software, but can be about Russian software, UK software, US software, any software in general.
Wasn’t it recently proved that Windows had backdoors known only to few at least until the March 2017 updates?
I would pay a bit more attention to third-party antivirus software which has total control over any computer and in many cases backup software can be dangerous too.
1 user thanked author for this post.
-
anonymous
Guest
-
-
-
NoLoki
AskWoody Lounger
June 30, 2017 at 7:09 am #122710
House of Cards for sure. India and China are in an even more precarious position because their future depends on computer technology and the services that come with it. India and China have no shortage of political enemies and many of them operate from within their own borders. Then of course there are the enemies from outside their borders. Cyber warfare will be more effective where the foundations are unstable. The ‘piling on’ is what will make it collapse in on itself.
-
-
-
EstherD
AskWoody Lounger
June 30, 2017 at 12:41 am #122688
Attack attribution is always very hard. Compared with that, determining motivation is harder still. Nevertheless, I don’t buy the “botched encryption and payment pipeline” theory for this one.
Someone who can write code with the lateral movement agility of this malware is seriously not going to make such a stupid mistake in the encryption portion of the package, unless:
1) The encryption code was written by someone other than the one(s) writing the exploit code AND the person(s) writing the encryption code were incompetent coders and/or testers AND the project leader didn’t notice.
2) The encryption code and payment pipeline was a mockup intended for testing purposes only, slated to be replaced later in the development cycle with a fully-functional encryptor and payment pipeline AND the malware was somehow released prematurely and/or accidentally with the prototype encryption and payment code still present.
Seems to me that both of these explanations require just as much, if not more, “special pleading” than does the original hypothesis that the ransomware aspect was intended merely to confuse and distract those trying to figure out how to defend against this threat.
But maybe I’m making an unintentional “straw man” argument, because I’m too tired tonight to think clearly enough to see it. If so, then I’m sure someone will tell me.
-
Noel Carboni
AskWoody_MVP
June 30, 2017 at 9:52 am #122724
I suspect many of these things could be being pieced together from building blocks being passed around on the dark web. Thus someone who isn’t really a genius at software development but more like a child with Legos could be trying to get their “piece of the ransomware pie” by mixing and matching components with a relatively low effort, without a very good big picture understanding of how it’s going to play out. Put in a few days work, get a few thousand dollars, who cares who’s hurt by it… DID they actually get some payments before their infrastructure broke down? I have no idea.
-Noel
2 users thanked author for this post.
-
lurks about
AskWoody Lounger
July 1, 2017 at 12:13 pm #122884
-
-
-
_Reassigned Account
AskWoody Lounger
June 30, 2017 at 6:42 am #122709
Holland’s Maersk seemed to be one company who got the brunt of the attack. Which does indicate that disruption was a primary effect target by the ransomware. If TNT was also an affected company then obviously transportation or more specifically global transportation was targeted. Was this to prove how vulnerable our transportation of goods globally is?
-
Jan K.
AskWoody Lounger -
lurks about
AskWoody Lounger
-
-
wdburt1
AskWoody Plus -
anonymous
Guest
June 30, 2017 at 4:51 pm #122740
Ukraine was cyber bombed and that is the story. It is so bad that they have put out a distress call to several nations to come to their aid. If the attack(s) were state sponsored they will need independent parties to prove it one way or the other. If proven, hopefully reparations will follow. Organised crime, anarchists, scumbags, haters or useful idiots are also on the list of whodunnit.
It is unfortunate that most of the media reports are focusing on ransomware. The public is being fed a pile of inaccuracies. It is not fake news, it is Dumb-Down news.
Cyber War has not been mentioned. Why?
1 user thanked author for this post.
-
flackcatcher
AskWoody Lounger
June 30, 2017 at 7:25 pm #122779
Pandora’s box. If a major state actor is behind this, then there will be payback. This could start something cyber wise that could quickly spiral out of control. Everybody loses. Worst case, rolling collapse of infrastructure. Some idiot decided to do a field test without thinking of the blowback. Good news is this is in all probability 1st or early 2 gen, so the damage will be limited. Bad news, well I don’t have to tell anyone that.
-
-
anonymous
Guest
July 1, 2017 at 10:57 am #122881
SLACK OPS?!
Thanks again to you and the crew for the reality view from The Bridge!
Just to lighten the mood…
Could the current round of crazy malware attacks be yet another attempt by The Microborg to get us all assimilated into the Win10 Hive Mind Upgrade?
Remember the old Klingon proverb:
“Just because you’re paranoid doesn’t mean they’re not out to get you.”
Keep beaming us up you guys and gals!
Live Long & Prosper!
sainty