Newsletter Archives

  • The Shadow Brokers, in new taunt, threaten to release even more NSA sourced malware

    If you thought WannaCry was bad, you ain’t seen nothin’ yet.

    Malware as a Service. Do they really have Win10 sploits, nuke details from Russia and North Korea? Their story lines up with what we know from the inside. Are their tales of bribery and double-crossing true, too?

    It’s a bombshell of a story.

    InfoWorld Woody on Windows

  • How to make sure you won’t get hit by WannaCry/WannaCrypt

    UPDATES: You might imagine this is a hot topic. Here’s what I discovered on Sunday morning:

    • WannaCrypt does not infect XP machines – the problem appears entirely (or almost entirely) on unpatched Win7 machines. Kevin Beaumont reports that folks inside the UK NHS tell him their machines haven’t been patched since December.
    • The people behind WannaCrypt have collected a total of about $30,000.
    • People at Microsoft claim that “nobody running Windows 10 was infected.” I can’t confirm that. Clearly, those who have installed MS17-010 through Win10 cumulative updates are OK (see the list below). But if all Win10 machines are immune, I’d sure like to see an explanation.
    • There are lots of explanations about the inner workings of the worm. This one from Malwarebytes is particularly thorough. But I haven’t yet seen a definitive description of how the payload first gets into a network. Many believe that the first point of infection is via a rigged email — but I haven’t yet seen a copy of a bad email. If you have definitive evidence, I’d sure like to hear about it in the comments.
    • Last night (which is to say very early Sunday morning my time), @MalwareTechBlog put it best: “Version 1 of WannaCrypt was stoppable but version 2.0 will likely remove the flaw. You’re only safe if you patch ASAP.”
    • There are new variants, both with and without killswitches. I haven’t seen any widespread problems yet, but folks YOU HAVE TO GET PATCHED. Creating a new variant is easy.

    Back to Saturday’s advice…

    I’ll have a more detailed and up-to-date post on InfoWorld on Monday, but for now, here’s what you need to know if you’re concerned about the WannaCry/WannaCrypt worm and its enablers.

    We’re at MS-DEFCON 2, and that’s as it should be: you should not install any of this month’s patches. It’s still too early to tell if anything this month will cause problems — and there’s so much dust floating around it’s hard to see anything. But if you missed the March or April patches, if you’re running Windows XP, 8 or Server 2003, or you aren’t sure if you got the March and April patches installed, here’s what you need to do.

    IMPORTANT details about WannaCrypt:

    • It clobbered lots of sites and many computers, but it’s no longer a threat. The folks at Malwaretech.com enabled a sinkhole that’s blocking WannaCrypt. No more infections.
    • Rather than specifically rooting out WannaCrypt, you need to focus immediately on plugging the hole(s) that made WannaCrypt possible. The WannaCrypt code’s out in the wild, and a simple change would make it work again. More than that, other pieces of the Shadow Brokers trove can be used to make new, innovative malware. Get patched now.
    • As of this writing, nobody has any idea who made WannaCrypt, why they released a weapons-grade exploit to beg for chump change ($300 per infection), and how the first infection(s) appeared.
    • Microsoft released patches for Windows 10, 8.1 and 7 back in March (that’s MS17-010). Yesterday, they released patches for Windows XP, Win 8, and Server 2003 SP2.

    There’s an excellent overview by Elizabeth Dwoskin and Karla Adam published in the Washington Post on Saturday evening.

    Here’s how to see if you need patching, and how to get patched if need be.

    Windows XP, Windows 8

    You don’t have the patch, unless you downloaded and installed it already. Follow the links under “Further Resources” at the bottom of the Technet page to download and run the installer.

    (NOTE: I had a question in the earlier post about installing this patch on pirate copies of Windows XP. I’ve seen a lot of pirate copies of WinXP – living in Thailand for 13 years will do that to you – and I don’t trust any of them. If you install Microsoft’s patch on a pirate XP machine, you may well brick it. On the other hand, if you don’t install the patch, somebody else may come in and brick it for you. Wish I had a better response, but that’s the way the SMB crumbles. If I had to do it, I’d back up everything and roll the dice, but be ready to install Win7 from scratch if the XP pirate doesn’t come back up for air.)

    Vista

    See if the patch is already installed. Click Start > Control Panel > System and Security. Under Windows Update click the View installed updates link. Look for one marked “Security Update for Windows Vista (KB4012598).” If you don’t have it, download it from the Microsoft Update Catalog, and install it.

    Windows 7

    See if the patch is already installed. Click Start > Control Panel > System and Security. Under Windows Update click the View installed updates link. Scan the list (which can be alphabetized by clicking the box marked Name, or sorted by date) to see if you have ANY of these patches:

    2017-05 Security Monthly Quality Rollup for Windows 7 (KB4019264)
    April, 2017 Preview of Monthly Quality Rollup for Windows 7 (KB4015552)
    April, 2017 Security Monthly Quality Rollup for Windows 7 (KB4015549)
    March, 2017 Security Monthly Quality Rollup for Windows 7 (KB4012215)
    March, 2017 Security Only Quality Update for Windows 7 (KB4012212)

    If you have any of those patches already installed, then you are good to go and you can sleep well at night. Don’t be confused. There’s no reason to download or install anything, unless you have absolutely none of those patches. No, I’m not recommending that you install something. Just look at the list and see if you have any of the patches.

    (Thx, Chris M)

    If you have none of those patches, download and install the March, 2017 Security Only Quality Update for Windows 7 (KB4012212) for 32-bit or 64-bit.

    (Note that the list is quite deliberate and, I think, exact. In particular, if you’re manually installing Security-only patches in the “Group B” style, you MUST have the March, 2017 Security Only Quality Update for Windows 7 (KB4012212). Other Security-only patches don’t include the MS17-010 fix.)

    Windows 8.1

    See if the patch is already installed. Click Start > Control Panel > System and Security. Under Windows Update click the View installed updates link. Scan the list (which can be alphabetized by clicking the box marked Name, or sorted by date) to see if you have ANY of these patches:

    2017-05 Security Monthly Quality Rollup for Windows 8.1 (KB4019215)
    April, 2017 Preview of Monthly Quality Rollup for Windows 8.1 (KB4015553)
    April, 2017 Security Monthly Quality Rollup for Windows 8.1 (KB4015550)
    March, 2017 Security Monthly Quality Rollup for Windows 8.1 (KB4012216)
    March, 2017 Security Only Quality Update for Windows 8.1 (KB4012213)

    If you have any of those patches, you’re fine. Again, I’m not suggesting that you install anything unless all of those patches are missing.

    If you have none of those patches, download and install the March, 2017 Security Only Quality Update for Windows 8.1 (KB4012213) for 32-bit or 64-bit.

    See note above about Security-only patches. Again, this list is complete, I believe, and accurate.

    Windows 10

    Creators Update (version 1703) is OK.

    Anniversary Update (version 1607) – Check your build number. If you have Build 14393.953 or later, you’re fine. If you don’t, use Windows Update to install the latest build 14393.1198. Yes, I know that violates the current MS-DEFCON 2 setting, but you need to get up to or beyond 14393.953.

    Fall (er, November) Update (version 1511) – use the steps above to check your build number. You have to be at build 10586.839 or later. Abandon the MS-DEFCON rating system (and all hope — “Lasciate ogne speranza, voi ch’intrate”) if you must to get up to or beyond that build number.

    RTM (“version 1507”) – same procedure, make sure you’re up to or beyond build 10240.17319. And remember that your system’s toast soon.
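    If you’d rather not eyeball the Control Panel list, here’s a PowerShell check that encodes the same KB lists and Windows 10 build thresholds given above. This is an added example, not a script from this post or from Microsoft; it assumes the usual Get-HotFix cmdlet and the CurrentBuild/UBR values under the CurrentVersion registry key, and is meant to be run from an elevated PowerShell prompt.

```powershell
# Added example: report whether this machine has any of the MS17-010-carrying updates
# listed in the post, or a Windows 10 build at or beyond the post's thresholds.
$Kbs = @{
    'Windows 7'   = 'KB4019264','KB4015552','KB4015549','KB4012215','KB4012212'
    'Windows 8.1' = 'KB4019215','KB4015553','KB4015550','KB4012216','KB4012213'
    'Vista'       = 'KB4012598'
}
# Windows 10 minimum UBR (the part after the dot), keyed by the CurrentBuild registry value
$MinBuild = @{
    '10240' = 17319   # RTM ("version 1507"): 10240.17319 or later
    '10586' = 839     # November Update (1511): 10586.839 or later
    '14393' = 953     # Anniversary Update (1607): 14393.953 or later
    '15063' = 0       # Creators Update (1703): OK as shipped
}

function Test-MS17010 {
    $os = Get-CimInstance Win32_OperatingSystem
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    if ([int]$os.BuildNumber -ge 10240) {
        # Windows 10: compare CurrentBuild.UBR against the thresholds above
        $build = [string]$cv.CurrentBuild
        $ubr   = [int]$cv.UBR
        if (-not $MinBuild.ContainsKey($build)) {
            return "Windows 10 build $build.$ubr is not one the post covers; check manually"
        }
        $need = $MinBuild[$build]
        if ($ubr -ge $need) { return "OK: build $build.$ubr meets the minimum $build.$need" }
        return "NOT PATCHED: build $build.$ubr is below $build.$need; run Windows Update"
    }
    # Older Windows: look for any of the listed KBs among installed updates
    $family = switch -Wildcard ($os.Caption) {
        '*Windows 7*'   { 'Windows 7' }
        '*Windows 8.1*' { 'Windows 8.1' }
        '*Vista*'       { 'Vista' }
        default         { $null }
    }
    if (-not $family) { return "Not covered by this check ($($os.Caption)); see the XP / Windows 8 section" }
    $found = Get-HotFix -Id $Kbs[$family] -ErrorAction SilentlyContinue |
             Select-Object -ExpandProperty HotFixID
    if ($found) { return "OK: $family has $($found -join ', ')" }
    return "NOT PATCHED: $family has none of $($Kbs[$family] -join ', ')"
}

Test-MS17010
```

Get-HotFix only reports updates the system recorded through Windows Update or the standalone installer, so a machine that got the fix some other way still deserves a manual look at the installed-updates list.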

    ======================================

    Nice and easy, huh?

    Everybody needs to get their systems updated, at least to the point mentioned here. Yes, that includes your sainted Aunt Martha.

  • If you didn’t get MS17-010 installed six weeks ago, you may be hurting now

    On April 24, I warned everybody that y’all needed to install the March Windows patch MS17-010 right away.

    I sure hope you did. Even those among you who never install patches – the Group W contingent.

    There’s a huge wave of Ransomware attacks running through Europe, and it’s already been spotted in the US. Britain’s National Health Service and most of its broader healthcare system is on its knees, with medical caregivers greeted by ransomware demands.

    The culprit is a ransomware package called “Wanna Cry” that’s using the Shadow Brokers exploit known as EternalBlue to infect — all created by the US’s very own NSA. (Gratuitous comment about tax dollars deleted.)

    Graham Cluley says:

    it would be wrong to think that the NHS was targeted. They weren’t. This is plain old extortion – 21st century style. The bad guys release ransomware (in this case carried by a worm which exploits a vulnerability), and their intention is to infect as many PCs as possible to make as much cash as possible.

    Hitting the NHS wasn’t necessarily their intention, but it is a soft target due to its poor defences. And, of course, the implications of a widespread NHS infection are felt by many people.

    If you haven’t installed MS17-010, drop everything and do it. Make a full, clean backup while you’re at it.

    UPDATE: Darien Huss reports that

    #WannaCry propagation payload contains previously unregistered domain, execution fails now that domain has been sinkholed

    Looks like the number of new infections has tapered off.

    Nonetheless, get patched, folks.

    PLEASE: If you’re going to manually install updates (“Group B” style), you have to keep up with the patching pace. Microsoft released this patch on March 14, without describing its genesis. On April 14, Shadow Brokers released the exploits. By April 24, it became apparent that the EternalBlue exploit was being used to infect normal machines. Prior to that, there was some doubt as to how many machines were infected, and whether the infections were geared toward non-military-grade targets.

    Those in Group A were much less likely to get hit because each of the March and April Monthly Rollups had the patch. I gave the go-ahead for March Monthly Rollup on March 30 and the April Monthly Rollup on April 25. If you had applied patches either time, you’d be all clear right now.

    If you’re in Group W and don’t install patches — well, now you know one reason why I don’t recommend Group W.

    Good technical summary here on Github.

    Into conspiracy theories? How about a weapons test that was intentionally disabled with a killswitch before the US woke up? Seems plausible. Cisco’s Talos blog has details.

    Or this one, where the worm was released inadvertently by Shadow Brokers and Russian gov.