KhunBENQ Posted May 13, 2017

There is a thread in the news section about this severe malware/ransom-ware attack: https://www.thaivisa.com/forum/topic/982861-global-cyberattack-disrupts-shipper-fedex-uk-health-system/

I open a thread here for technical details.

How to check if my system is patched/protected?
What to do if not?
I am affected. Is there anything I can do?

KhunBENQ Posted May 13, 2017 (Author)

Quote:
> I don't get it. How it comes that companies, hospitals didn't install the security patch

Some organizations prefer to keep updates under manual control to ensure uninterrupted operation and being free from "surprises"/incompatibilities. They often do their own tests at the IT department before rolling out an update/patch to all their workplaces/devices.

On the other hand: if there is professional IT management they will have fairly up-to-date backups which allow them to restore their systems quickly. Missing backups are the reason why private users are often heavily affected and lose their data.

KhunBENQ Posted May 13, 2017 (Author)

I am currently fighting to find the reference information: How to find out on my Windows system (7 and up) whether the patch is installed and I am safe.

alocacoc Posted May 13, 2017

This is one of many Bitcoin wallets from the attackers; https://blockchain.info/address/13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

alocacoc Posted May 13, 2017

56 minutes ago, KhunBENQ said:
> Missing backups are the reason why private users are often heavily affected and lose their data.

A good reminder to do a backup. I use the free Microsoft tool SyncToy which works perfectly for me.

alocacoc Posted May 13, 2017

1 hour ago, KhunBENQ said:
> I am currently fighting to find the reference information: How to find out on my Windows system (7 and up) whether the patch is installed and I am safe.

I just looked at my update history. That's for March:

It must be this one. KB4012215

Edited May 13, 2017 by alocacoc

alocacoc Posted May 13, 2017

It was this patch;

Microsoft Security Bulletin MS17-010 - Critical
Security Update for Microsoft Windows SMB Server (4013389)
https://technet.microsoft.com/en-us/library/security/ms17-010.aspx?ranMID=24542&ranEAID=TnL5HPStwNw&ranSiteID=TnL5HPStwNw-sqQhNApgA.Smv1cgQL3e5A&tduid=(197031599f8fe50d3b054eacc9bd784b)(256380)(2459594)(TnL5HPStwNw-sqQhNApgA.Smv1cgQL3e5A)()

But I can't find this update in my update history.

Edit: This patch was for my System. Windows 7 x64. It's the patch I marked on the previous post.

Edited May 13, 2017 by alocacoc

ukrules Posted May 13, 2017

Does this SMB server come installed on all versions of Windows?

I can't find it on any of mine and the commands I tested with yesterday did not exist on the server and my home PCs.

I suspect it's an enterprise function that's not enabled in Win 7 Pro.

ukrules Posted May 13, 2017

There appear to be instructions to disable all versions of SMB for older versions of Windows on this page:

https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012

I ran the disable commands on my Win 7 Pro installation and they seemed to work.

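Added example (not part of any post in this thread, and not Microsoft's own script): a PowerShell check for the two questions raised above, whether a patch named in the thread is installed and whether the SMBv1 server is still enabled. It assumes Windows 7 or later with PowerShell 2.0+; the function names are made up for this example, and the KB list contains only the two IDs mentioned in this thread.

```powershell
# Added example. KB IDs are only the two named in this thread:
# KB4012215 (Windows 7 March rollup) and KB4012598 (XP/Vista/2003/2008).
$ThreadKBs = 'KB4012215', 'KB4012598'

function Test-ThreadHotfix {
    param([string[]]$KbIds = $ThreadKBs)
    # Get-HotFix lists installed update packages (Win32_QuickFixEngineering).
    $installed = @(Get-HotFix -ErrorAction SilentlyContinue |
                   ForEach-Object { $_.HotFixID })
    foreach ($kb in $KbIds) {
        # New-Object keeps this compatible with PowerShell 2.0 on Windows 7.
        New-Object PSObject -Property @{
            KB        = $kb
            Installed = ($installed -contains $kb)
        }
    }
}

function Get-Smb1ServerState {
    # Registry value Microsoft documents for the SMBv1 server on Windows 7 /
    # Server 2008 R2. Value absent = default = enabled; 0 = disabled.
    $path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $entry = Get-ItemProperty -Path $path -Name SMB1 -ErrorAction SilentlyContinue
    if ($entry -and ($entry.SMB1 -eq 0)) { 'Disabled' } else { 'Enabled (default)' }
}

$hotfixes = @(Test-ThreadHotfix)
$hotfixes | Format-Table KB, Installed -AutoSize
"SMBv1 server: $(Get-Smb1ServerState)"

if (-not ($hotfixes | Where-Object { $_.Installed })) {
    # A miss is not proof of exposure: later cumulative rollups replace
    # KB4012215 and carry the same fix under a different KB number.
    $latest = Get-HotFix -ErrorAction SilentlyContinue |
              Where-Object { $_.InstalledOn } |
              Sort-Object InstalledOn | Select-Object -Last 1
    if ($latest) {
        "No listed KB found. Newest installed update: $($latest.HotFixID), $($latest.InstalledOn.ToString('yyyy-MM-dd'))"
    } else {
        'No listed KB found and no dated updates reported; check the update history manually.'
    }
}
```

If neither KB is listed and the newest installed update predates March 2017, treat the machine as unpatched and keep it off shared networks until it is updated.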
alocacoc Posted May 13, 2017

I guess it's not necessary to disable SMB if your OS is patched.

ukrules Posted May 13, 2017

Just now, alocacoc said:
> I guess it's not necessary to disable SMB if your OS is patched.

Looks that way, however for various reasons some of us will be running older versions which have not been updated for years.

alocacoc Posted May 13, 2017

The attack is stopped for now. I guess the attackers will come back soon.

This guy predicted it weeks ago;

Edited May 13, 2017 by alocacoc

ukrules Posted May 13, 2017

2 hours ago, alocacoc said:
> The attack is stopped for now. I guess the attackers will come back soon.
> This guy predicted it weeks ago;

A new variant has been detected already and this one doesn't have the sandbox detection killswitch inside it so everything's going to go nuts now.

alocacoc Posted May 13, 2017

> A new variant has been detected already and this one doesn't have the sandbox detection killswitch inside it so everything's going to go nuts now.

I just searched for a source. Found only this. This guy seems to have a deep insight into this. He also said the worm is still spreading since the killswitch doesn't work on proxies and several ISPs. He expects a big shock on Monday. That's all quite scary.

alocacoc Posted May 13, 2017

https://blog.didierstevens.com/2017/05/13/quickpost-wcry-killswitch-check-is-not-proxy-aware/

I don't know if this is visible. On Tapatalk it's not.

Pib Posted May 13, 2017

Below webpage says MS has also just released an emergency security update patch even for no longer supported OS's such as XP and a few others. Plus, Win 10 computers are not affected. Apparently the malware focuses most of its attention/hunting on unpatched Win 7 computers. See below link for more details.

http://thehackernews.com/2017/05/wannacry-ransomware-windows.html

ukrules Posted May 13, 2017

This guy said he found it without the 'killswitch' which is like 2 lines of code so it would take a couple of minutes to rebuild it after the small modification, then start it all over again.

https://twitter.com/JR0driguezB

Specifically this tweet:

Edited May 13, 2017 by ukrules

KhunBENQ Posted May 14, 2017 (Author)

After reading today's newspaper reports it sounds that indeed mostly Windows XP (!) systems have been hit and probably some unpatched Windows 7 systems. Still 7% of Windows systems on the internet are Windows XP.

As already described, MS has decided to supply another patch for old versions (Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008).

http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598

All from May 12 and May 13, 2017.

JetsetBkk Posted May 15, 2017

On Saturday, May 13, 2017 at 9:07 PM, Pib said:
> Below webpage says MS has also just released an emergency security update patch even for no longer supported OS's such as XP and a few others. Plus, Win 10 computers are not affected. Apparently the malware focuses most of its attention/hunting on unpatched Win 7 computers. See below link for more details.
> http://thehackernews.com/2017/05/wannacry-ransomware-windows.html

I just downloaded the XP patch from two different sources:

https://www.microsoft.com/en-us/download/details.aspx?id=55245

and

http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsxp-kb4012598-x86-custom-enu_eceb7d5023bbb23c0dc633e46b9c2f14fa6ee9dd.exe

The first link downloaded "WindowsXP-KB4012598-x86-Embedded-Custom-ENU.exe"
The second downloaded "windowsxp-kb4012598-x86-custom-enu_eceb7d5023bbb23c0dc633e46b9c2f14fa6ee9dd.exe"

The only differences are that the first one is 618,712 bytes and the second is 682,200 bytes.

Oh, and the first has a build date of 2017/02/17 and the second of 2017/02/11.

Thanks Microsoft. So you had it tucked away but didn't release it. Nice.

ukrules Posted May 15, 2017

1 minute ago, JetsetBkk said:
> I just downloaded the XP patch from two different sources:
> https://www.microsoft.com/en-us/download/details.aspx?id=55245
> and
> http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsxp-kb4012598-x86-custom-enu_eceb7d5023bbb23c0dc633e46b9c2f14fa6ee9dd.exe
> The first link downloaded "WindowsXP-KB4012598-x86-Embedded-Custom-ENU.exe"
> The second downloaded "windowsxp-kb4012598-x86-custom-enu_eceb7d5023bbb23c0dc633e46b9c2f14fa6ee9dd.exe"
> The only differences are that the first one is 618,712 bytes and the second is 682,200 bytes.
> Oh, and the first has a build date of 2017/02/17 and the second of 2017/02/11.
> Thanks Microsoft. So you had it tucked away but didn't release it. Nice.

They supplied it to customers who paid for extended support beyond the end of life date.

JetsetBkk Posted May 15, 2017

15 minutes ago, ukrules said:
> They supplied it to customers who paid for extended support beyond the end of life date.

Yes, so it's all about the money. There is no problem in supplying security updates to old systems, they just don't want to encourage people to stay with them and to not pay for Windows 7, 8, 10, etc.

Maybe I'll send this info to the press and see what they make of it.

Pib Posted May 15, 2017

Here's Microsoft Customer guidance weblink for description and download of their security patch for systems like XP....apologies if already posted in this thread.

https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

ukrules Posted May 15, 2017

1 minute ago, JetsetBkk said:
> Yes, so it's all about the money. There is no problem in supplying security updates to old systems, they just don't want to encourage people to stay with them and to not pay for Windows 7, 8, 10, etc.
> Maybe I'll send this info to the press and see what they make of it.

Haha, they already know.

Pib Posted May 15, 2017

Heck, XP probably needs a LOT of security patches since lifecycle support ended in early 2014 unless you were some organization that pays for continued support...it's just this wannacry ransomware has got so much media attention MS is offering up the patch to the masses for free.

JetsetBkk Posted May 15, 2017

5 minutes ago, Pib said:
> Heck, XP probably needs a LOT of security patches since lifecycle support ended in early 2014 unless you were some organization that pays for continued support...it's just this wannacry ransomware has got so much media attention MS is offering up the patch to the masses for free.

Guilty feelings?

My feelings are that they should offer all security patches for all systems. If they want people to "upgrade" to Windows 10 they should make it so good that people would want to upgrade, not because they are scared of security holes.

My laptop is Windows 10 and I hate it but am getting used to doing things MS's way. This desktop is XP. I'll install the patch tomorrow after I've done another system image. (I trust no one.)

Pib Posted May 15, 2017

Win 10 is great...gotta have it!!!...Win 8 is great...gotta have it (well, not really)!!!....Win 7 is great.....gotta have it!!!!....Win Vista is great...gotta have (well, not really)!!!....Win XP is great....gotta have!!!...etc...etc....etc.

How do I know this? Microsoft told me so.

Barder Posted May 16, 2017

Guys, if you still have not patched your Windows, you should do this now. The WannaCry ransomware is still active. New variant of WannaCry ransomware is able to infect 3,600 computers per hour - https://malwareless.com/new-variant-wannacry-ransomware-able-infect-3600-computers-per-hour/. If your computer is infected with this virus, don't pay the ransom - many people who have paid Bitcoins don't receive the decryptor. All top security companies are currently working to develop a decryption solution.