WannaCry ransomware hit Windows computers worldwide
(HACKERSCHINA NEWS, posted as "Black Friday: a massive ransomware attack with the WannaCry computer virus, the 'EternalBlue ransomer', hits systems worldwide")


A massive ransomware attack made the headlines on Friday, first hitting UK hospitals and Spanish banks before rapidly spreading worldwide. The news was promptly confirmed by the Spanish telco Telefónica, one of the numerous victims of the attack. The newspaper El País also reported the massive attack, while experts at Telefónica confirmed that systems on its intranet had been infected, adding that the situation was under control. The fixed and mobile telephone services provided by Telefónica were not affected.

The Spanish CERT issued an alert warning organizations and confirmed that the malware was spreading rapidly.

The ransomware, dubbed WannaCry (aka WCry, WanaCrypt, WannaCrypt), hit many other companies in Spain and across the world, including Vodafone and FedEx, as well as critical infrastructure operators.

El Reg reported that six NHS health trusts in the UK were taken out by the malware. According to Prime Minister Theresa May, the ransomware "has crippled" UK hospitals; government representatives also confirmed that the situation was being monitored by the intelligence agency GCHQ.

The NHS faced serious problems because of the antiquated state of its IT infrastructure, which still includes a large number of systems running Windows XP.

"Computers were locked in Aintree, Blackpool, Broomfield Hospital in Essex, Colchester General Hospital, all hospital systems in Derbyshire, Great Yarmouth, East and North Hertfordshire, James Paget Hospital in Norfolk, Lanarkshire, and Leicester," reported El Reg.

Figure 1 – A computer infected by the WannaCry ransomware

Experts from the security firm Avast detected more than 75,000 attacks in 99 countries; most of the infections were observed in Russia, Ukraine, and Taiwan.

A real-time map of the infections is available at the following address:

https://intel.malwaretech.com/botnet/wcrypt/?t=5m&bid=all

Figure 2 – Real-time infections map

Source: Ars Technica

A ransomware that leverages the NSA EternalBlue exploit and DoublePulsar backdoor

The WannaCry ransomware leverages two tools from the leaked NSA arsenal, the EternalBlue exploit and the DoublePulsar backdoor, to infect computers and propagate to any other connected Windows system on the same network.

Researchers from Kaspersky Lab have confirmed that the WannaCry attack is initiated through a remote code execution flaw in the Windows SMB server, the one addressed by MS17-010. Kaspersky's initial write-up described it as an SMBv2 flaw; the vulnerable code path is in the SMBv1 server, as noted below, and EternalBlue speaks SMBv1 to reach it.

"It is important to understand that while unpatched Windows computers exposing their SMB services can be remotely attacked with the "EternalBlue" exploit and infected by the WannaCry ransomware, the lack of existence of this vulnerability doesn't really prevent the ransomware component from working. Nevertheless, the presence of this vulnerability appears to be the most significant factor that caused the outbreak," reads the analysis from Kaspersky.

Experts highlighted the network worm capabilities that allow the malicious code to spread rapidly.

"The special criticality of this campaign is caused by exploiting the vulnerability described in bulletin MS17-010 using EternalBlue/DoublePulsar, which can infect other connected Windows systems on the same network that are not properly updated. Infection of a single computer can end up compromising the entire corporate network," states the security alert issued by the Spanish CERT.

"The ransomware, a variant of WannaCry, infects the machine by encrypting all its files and, using the vulnerability mentioned in the previous paragraph that allows the execution of remote commands through Samba (SMB), is distributed to other Windows machines in that same network."

The DOUBLEPULSAR backdoor allows attackers to inject and execute malicious code on a target system; it is installed by leveraging ETERNALBLUE, an SMBv1 (Server Message Block 1.0) exploit that triggers remote code execution in older versions of Windows (the leaked exploit targets Windows XP through Server 2008 R2). In practice a host that still negotiates SMBv1 on TCP/445 and lacks the MS17-010 update is exposed, while a host with SMBv1 disabled cannot be reached by EternalBlue even if the update is missing.

The WannaCry ransomware spreads via SMB; it encrypts the files on the infected machines and demands $300 or $600 in Bitcoin to restore them.

The ransomware can encrypt a wide variety of documents on the infected machines; it also attacks documents stored on any attached storage and snatches any keys for remote desktop access. The malware deletes volume shadow copies and disables the system repair tools so that recovering files from the system itself becomes impossible.
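The recovery sabotage just described (shadow copies deleted, repair tools disabled) shows up in process-creation telemetry as a handful of well-known command lines, which makes it one of the earliest reliable signals of an active ransomware run. The detection logic below is an added example, not code from the article or from any analysis it cites. The log lines are constructed to resemble Sysmon Event ID 1 / Security 4688 events exported one per line in key="value" form, and the field names are an assumption. The five commands it matches are the ones WannaCry's dropper chained in a single cmd.exe invocation (a detail from public analyses of the sample, not from this page); the same commands recur across other ransomware families.

```python
"""Recovery-sabotage detection over process-creation logs.

Added example, not code from the article or any vendor analysis it quotes.
SAMPLE_LOG is constructed to resemble Sysmon Event ID 1 / Security 4688 data
exported one event per line in key="value" form; the field names are an
assumption about the export format.
"""
import re

# Commands that destroy the local means of recovery. WannaCry's dropper ran all
# five in one cmd.exe invocation (from public analyses of the sample, not from
# this article); they recur across ransomware families.
RECOVERY_TAMPER_PATTERNS = {
    "vssadmin_delete_shadows":   re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "wmic_shadowcopy_delete":    re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\s+delete\b", re.I),
    "bcdedit_ignore_failures":   re.compile(r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I),
    "bcdedit_recovery_disabled": re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
    "wbadmin_delete_catalog":    re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+catalog\b", re.I),
}

# key="value" pairs; backslash-escaped quotes inside values are tolerated.
FIELD_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_event(line):
    """Turn one exported event line into a dict of its fields."""
    return dict(FIELD_RE.findall(line))


def classify(command_line):
    """Names of the tamper patterns a command line matches (often several,
    since ransomware chains them with '&')."""
    return [name for name, rx in RECOVERY_TAMPER_PATTERNS.items() if rx.search(command_line)]


def detect(lines):
    """Return (host, user, parent_image, matched_names) for each tampering event."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        names = classify(ev.get("CommandLine", ""))
        if names:
            hits.append((ev.get("Host"), ev.get("User"), ev.get("ParentImage"), names))
    return hits


# Constructed sample: one WannaCry-style chain plus benign admin activity.
SAMPLE_LOG = [
    'Time="2017-05-12T10:02:13Z" Host="ws-0142" User="NT AUTHORITY\\SYSTEM" '
    'ParentImage="C:\\WINDOWS\\tasksche.exe" Image="C:\\Windows\\System32\\cmd.exe" '
    'CommandLine="cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete '
    '& bcdedit /set {default} bootstatuspolicy ignoreallfailures '
    '& bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet"',
    'Time="2017-05-12T10:05:40Z" Host="srv-backup" User="CORP\\backupsvc" '
    'ParentImage="C:\\Windows\\System32\\svchost.exe" Image="C:\\Windows\\System32\\wbadmin.exe" '
    'CommandLine="wbadmin start backup -backupTarget:E: -include:C: -quiet"',
    'Time="2017-05-12T10:06:02Z" Host="ws-0077" User="CORP\\jsmith" '
    'ParentImage="C:\\Windows\\System32\\cmd.exe" Image="C:\\Windows\\System32\\vssadmin.exe" '
    'CommandLine="vssadmin list shadows"',
]


if __name__ == "__main__":
    for host, user, parent, names in detect(SAMPLE_LOG):
        print(f"{host} {user} parent={parent} -> {', '.join(names)}")
```

The parent image is carried in the result on purpose: a shadow-copy deletion spawned by an unknown binary dropped into C:\WINDOWS is a very different finding from the same command issued by a backup agent, and the parent is what lets the analyst tell them apart without opening the host.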

Experts observed that the malware determines the victim's language so as to display the ransom demand in the correct language.

Security experts at the Cisco Talos team have published a detailed analysis of the WannaCry ransomware.

Below is the complete infection process as described in the Talos analysis:

"An initial file mssecsvc.exe drops and executes the file tasksche.exe. The kill switch domain is then checked. Next, the service mssecsvc2.0 is created. This service executes the file mssecsvc.exe with a different entry point than the initial execution. This second execution checks the IP address of the infected machine and attempts to connect to port 445 TCP of each IP address in the same subnet. When the malware successfully connects to a machine, a connection is initiated, and data is transferred. We believe this network traffic is an exploit payload. It has been widely reported this is exploiting recently disclosed vulnerabilities addressed by Microsoft in bulletin MS17-010. We currently don't have a complete understanding of the SMB traffic, and exactly what conditions need to be present for it to spread using this method," states the analysis.

"The file tasksche.exe checks for disk drives, including network shares and removable storage devices mapped to a letter, such as 'C:/', 'D:/' etc. The malware then checks for files with a file extension as listed in the appendix and encrypts these using 2048-bit RSA encryption. While the files are being encrypted, the malware creates a new file directory 'Tor/' into which it drops tor.exe and nine dll files used by tor.exe. Additionally, it drops two further files: taskdl.exe & taskse.exe. The former deletes temporary files while the latter launches @wanadecryptor@.exe to display the ransom note on the desktop to the end user. The @wanadecryptor@.exe is not in and of itself the ransomware, only the ransom note. The encryption is performed in the background by tasksche.exe."
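The sequence Talos describes (kill-switch lookup first, then connection attempts to TCP/445 on every address in the local subnet) gives a defender two observable signals: a DNS query for the kill-switch domain listed in the key findings below, and a burst of SMB connections from one host to many distinct neighbours. The script below correlates the two over constructed DNS and connection logs; it is an added example, not code from the article or from Talos, and its log layouts, addresses, window and threshold are assumptions. The verdicts rest on one reading of the chain: a host that queried the domain and never fanned out was probably halted by the kill switch, whereas a host that queried it and still fanned out either could not actually reach the domain (the check has been widely reported to ignore proxy settings, a caveat not taken from this page) or ran a variant that does not honour it. Either way the querying host executed the dropper and needs isolation.

```python
"""Worm-spread triage: kill-switch DNS lookups correlated with TCP/445 fan-out.

Added example, not code from the article or from Talos. Both logs below are
constructed; the line layouts, addresses, window and threshold are assumptions.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

KILL_SWITCH_DOMAIN = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"
FANOUT_THRESHOLD = 20          # distinct hosts on 445 inside WINDOW (assumed)
WINDOW = timedelta(seconds=60)


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def kill_switch_lookups(dns_lines):
    """{client: first time it asked for the kill-switch domain}.
    Log layout (assumed): '<iso-time> <client> <qtype> <qname>'."""
    first = {}
    for line in dns_lines:
        ts, client, _qtype, qname = line.split()
        if qname.rstrip(".").lower() == KILL_SWITCH_DOMAIN:
            first.setdefault(client, parse_ts(ts))
    return first


def smb_fanout(conn_lines, threshold=FANOUT_THRESHOLD, window=WINDOW):
    """{source: (max distinct 445 targets in any window, how many of those sit
    in the source's own /24)} for sources at or above threshold.
    Log layout (assumed): '<iso-time> <src> <dst> <dport>'."""
    by_src = defaultdict(list)
    for line in conn_lines:
        ts, src, dst, dport = line.split()
        if dport == "445":
            by_src[src].append((parse_ts(ts), dst))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        local = ipaddress.ip_network(f"{src}/24", strict=False)
        best, lo = (0, 0), 0
        for hi in range(len(events)):            # sliding window over time
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            targets = {dst for _, dst in events[lo:hi + 1]}
            if len(targets) > best[0]:
                best = (len(targets), sum(ipaddress.ip_address(d) in local for d in targets))
        if best[0] >= threshold:
            flagged[src] = best
    return flagged


def triage(dns_lines, conn_lines):
    """Per-host verdict combining both signals."""
    lookups = kill_switch_lookups(dns_lines)
    fanout = smb_fanout(conn_lines)
    verdicts = {}
    for host in set(lookups) | set(fanout):
        if host in lookups and host in fanout:
            verdicts[host] = "dropper ran and worm is spreading: kill switch did not stop it"
        elif host in lookups:
            verdicts[host] = "dropper ran; no SMB fan-out seen (kill switch probably reached)"
        else:
            verdicts[host] = "SMB fan-out without kill-switch lookup: isolate and inspect"
    return verdicts


def constructed_logs():
    """Constructed sample logs (not real telemetry)."""
    dns = [
        "2017-05-12T10:01:55Z 10.20.5.17 A www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
        "2017-05-12T10:01:56Z 10.20.5.17 A ntp.corp.example",
        "2017-05-12T10:03:10Z 10.20.7.3 A www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    ]
    # 10.20.5.17 sweeps its own /24; 10.20.11.4 sweeps without any lookup;
    # 10.20.9.9 is a user touching three file servers, which must not trigger.
    conn = [f"2017-05-12T10:02:{i:02d}Z 10.20.5.17 10.20.5.{30 + i} 445" for i in range(25)]
    conn += [f"2017-05-12T10:04:{i:02d}Z 10.20.11.4 10.20.11.{40 + i} 445" for i in range(22)]
    conn += [
        "2017-05-12T10:02:30Z 10.20.9.9 10.20.1.10 445",
        "2017-05-12T10:02:31Z 10.20.9.9 10.20.1.11 445",
        "2017-05-12T10:02:32Z 10.20.9.9 10.20.1.12 445",
        "2017-05-12T10:05:00Z 10.20.9.9 10.20.1.10 445",
    ]
    return dns, conn


if __name__ == "__main__":
    for host, verdict in sorted(triage(*constructed_logs()).items()):
        print(host, "->", verdict)
```

The in-subnet count is reported separately because the Talos description is of a sweep of the infected machine's own subnet; a source whose targets are mostly outside its /24 is still worth a look, but it is a different pattern from the one described here.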

Experts that want to analyze the WannaCry ransomware can find samples in the following GitHub gist:

https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168

The page includes useful information such as the addresses of the Bitcoin wallets used by the malware.

The ransomware directs victims to a page on btcfrog displaying a QR code, which links to the attackers' main Bitcoin wallet 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94.

Figure 3 – Payment page displaying the QR code

Below are the key findings of the threat:

• Virus name: WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY
• Vector: All Windows versions before Windows 10 are vulnerable if not patched for MS17-010. It uses the EternalBlue exploit for MS17-010 to propagate. (Windows 10 was also covered by the MS17-010 update; the leaked exploit simply does not target it.)
• Ransom: between $300 and $600. There is code to 'rm' (delete) files in the virus. Seems to reset if the virus crashes.
• Backdooring: The worm loops through every RDP session on a system to run the ransomware as that user. It also installs the DOUBLEPULSAR backdoor. It corrupts shadow volumes to make recovery harder. (source: Malwarebytes)
• Kill switch: If the website www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com is up, the virus exits instead of infecting the host. (source: Malwarebytes) This domain has been sinkholed, stopping the spread of the worm.

A decrypted sample of the WannaCry ransomware is available here:

https://transfer.sh/ZhnxR/CYBER1be0b96d502c268cb40da97a16952d89674a9329cb60bac81a96e01cf7356830.EXE

The kill switch

A few hours after the massive attack began, security experts started reverse engineering the samples of the malware found in the wild. The good news from the first investigations is that researchers discovered a kill switch in the ransomware code: a condition that, when matched, halts execution of the code.


Figure 4 – Kevin Beaumont's tweet about the kill switch

The UK researcher behind MalwareTechBlog registered the domain after reverse engineering the code.

The kill switch domain is iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com; it was sinkholed to a server in California (with the collected IP addresses passed on to law enforcement), and the admins of infected systems reaching out to the dot-com will be notified, we are told.

Figure 5 – Kill switch domain

Below is the message displayed when a machine tries to connect to it:

"IP addresses from our sinkhole have been sent to FBI and ShadowServer so affected organizations should get a notification soon," said the researcher. The researcher admitted they registered the domain first, then realized it was a kill switch. Still, job done.

Experts from the Cisco Talos group made an interesting observation in their analysis of the WannaCry ransomware.

"WannaCry does not appear to only be leveraging the ETERNALBLUE modules associated with this attack framework; it is simply scanning accessible servers for the presence of the DOUBLEPULSAR backdoor. In cases where it identifies a host that has been implanted with this backdoor, it simply leverages the existing backdoor functionality available and uses it to infect the system with WannaCry," reads the analysis from Talos. "In cases where the system has not been previously compromised and implanted with DOUBLEPULSAR, the malware will use ETERNALBLUE for the initial exploitation of the SMB vulnerability. This is the cause of the worm-like activity that has been widely observed across the internet."

Microsoft has published a security advisory for the threat and an emergency patch for Windows XP.

The IT giant released emergency security patches for Windows Server 2003 (SP2 x64 / x86), Windows XP (SP2 x64, SP3 x86), Windows XP Embedded (SP3, x86), and the 32-bit and 64-bit versions of Windows 8. Supported versions had already received the fix with MS17-010 in March 2017; any system still missing it should be patched, and SMBv1 disabled wherever it is not needed.

Conclusions

The following aspects of the massive ransomware attack must be carefully considered:

• This attack demonstrates the risks related to the militarization of cyberspace. Malware, exploit code and hacking tools developed by intelligence agencies and governments become very dangerous once they are out of their creators' control.
• The success of the malware is due to the poor security posture of the victims, who were unaware of the threat and did not apply the security patches released by Microsoft.
• Modern critical infrastructure is not resilient to cyber-attacks.