Viruses and Worms

Why Microsoft's Windows game plan makes us WannaCry

The Register - Anti-Virus - 16 May, 2017 - 12:56
Oh, 'collective responsibility' – that old chestnut

Analysis In the circular firing squad of WannaCrypt, the world's largest recorded ransomware outbreak, nobody looks good.…

Category: Viruses and Worms

WikiLeaks Reveals Two CIA Malware Frameworks

VirusList.com - 16 May, 2017 - 12:39
WikiLeaks released details on what it claims are two frameworks for malware samples dubbed AfterMindnight and Assassin, both allegedly developed by the US Central Intelligence Agency.

Shadow Brokers resurface, offer to sell fresh 'wine of month' club exploits

The Register - Anti-Virus - 16 May, 2017 - 12:25
Data dump on monthly subscription model

The infamous Shadow Brokers hacking crew, central players in the release of the vulnerability that led to last week's WannaCrypt chaos, have returned online with a threat to release more exploits.…

DocuSign forged – crooks crack email system and send nasties

The Register - Anti-Virus - 16 May, 2017 - 05:56
Company couldn't school all the phish in the sea

Electronic signatures outfit DocuSign has warned world+dog that one of its email systems was cracked by phisherpholk.…

Romney tax return 'hacker' Dr Evil gets his sentence reviewed

The Register - Anti-Virus - 16 May, 2017 - 05:28
Appeal offers a laugh-a-minute how-not-to guide for would-be criminal masterminds

Michael Mancil Brown, aka Dr Evil, who tried to extort a million dollars from PricewaterhouseCoopers on the basis that he'd nicked Mitt Romney's tax returns, has had a win on appeal and will be sentenced anew.…

Good news, OpenVPN fans: Your software's only a little bit buggy

The Register - Anti-Virus - 16 May, 2017 - 05:01
Two code reviews give crypto client nearly clean bill of health

The venerable OpenVPN client has been given a mostly clean bill of health.…

While Microsoft griped about NSA exploit stockpiles, it stockpiled patches: Friday's WinXP fix was built in February

The Register - Anti-Virus - 16 May, 2017 - 03:44
And it took three months to release despite Eternalblue leak

Exclusive When the WannaCrypt ransomware exploded across the world over the weekend, infecting Windows systems using a stolen NSA exploit, Microsoft president Brad Smith quickly blamed the spy agency. If the snoops hadn't stockpiled hacking tools and details of vulnerabilities, these instruments wouldn't have leaked into the wild, sparing us Friday's cyber assault, he said.…

Mimosa spiked! Wireless kit has multiple security holes

The Register - Anti-Virus - 16 May, 2017 - 03:30
Clients, access points and backhaul all need firmware patch before attacks ferment

5G wireless vendor Mimosa Wireless has patched against a bunch of remote code execution, denial-of-service and file disclosure vulnerabilities.…

It's 2017 – and your Mac, iPad, iPhone can all be pwned by an e-book

The Register - Anti-Virus - 16 May, 2017 - 02:02
Seven Apple updates, because it's not like you had anything else to patch today

Apple has released security updates for both of its main operating systems, along with iTunes, Apple Watch, and Apple TV. All should be installed as soon as possible before they are exploited by miscreants.…

China staggering under WannaCrypt outbreak

The Register - Anti-Virus - 16 May, 2017 - 00:38
Middle Kingdom's CERT puts infection rate in the thousands

If reports from China are accurate, the country's often-bootlegged and under-patched Windows installations are being hit hard by the WannaCrypt ransom-worm.…

OpenVPN Audits Yield Mixed Bag

VirusList.com - 15 May, 2017 - 23:12
The results of two audits of the open source software OpenVPN were shared late last week. One found two legitimate vulnerabilities, the other said the service is cryptographically "solid."

WannaCry and Lazarus Group – the missing link?

Kaspersky Securelist - 15 May, 2017 - 21:32

A few hours ago, Neel Mehta, a researcher at Google, posted a mysterious message on Twitter with the #WannaCryptAttribution hashtag:

The cryptic message in fact refers to a similarity between two samples that have shared code. The two samples Neel refers to in the post are:

  • A WannaCry cryptor sample from February 2017 which looks like a very early variant
  • A Lazarus APT group sample from February 2015

The similarity can be observed in the screenshot below, taken between the two samples, with the shared code highlighted:

So, what does it all mean? Here are a few questions and answers to think about.

I know about Wannacry, but what is Lazarus?

We wrote about the Lazarus group extensively and presented together with our colleagues from BAE and SWIFT at the Kaspersky Security Analyst Summit (SAS 2017). See:

Among other things, the Lazarus group was responsible for the Sony Wiper attack, the Bangladesh bank heist and the DarkSeoul operation.

We believe Lazarus is not just “yet another APT actor”. The scale of the Lazarus operations is shocking. The group has been very active since 2011 and was originally disclosed when Novetta published the results of its Operation Blockbuster research. During that research, which we also participated in, hundreds of samples were collected and show that Lazarus is operating a malware factory that produces new samples via multiple independent conveyors.

Is it possible this is a false flag?

In theory anything is possible, considering the 2015 backdoor code might have been copied into the Wannacry sample from February 2017. However, this code appears to have been removed from later versions. The February 2017 sample appears to be a very early variant of the Wannacry encryptor. We believe that a false flag, although possible, is improbable.

What conclusions can we make?

For now, more research is required into older versions of Wannacry. We believe this might hold the key to solving some of the mysteries around this attack. One thing is for sure — Neel Mehta’s discovery is the most significant clue to date regarding the origins of Wannacry.

Are we sure the early February variant is the precursor to the later attacks?

Yes, it shares the same list of file extension targets for encryption, but in the May 2017 versions more extensions were added:

> .accdb
> .asm
> .backup
> .bat
> .bz2
> .cmd
> .der
> .djvu
> .dwg
> .iso
> .onetoc2
> .pfx
> .ps1
> .sldm
> .sldx
> .snt
> .sti
> .svg
> .sxi
> .vbs
> .vcd

They also removed an older extension, “.tar.bz2”, and replaced it with just “.bz2”.

We strongly believe the February 2017 sample was compiled by the same people, or by people with access to the same source code, as the May 2017 Wannacry encryptor used in the May 11th wave of attacks.

So. Now what?

We believe it’s important that other researchers around the world investigate these similarities and attempt to discover more facts about the origin of Wannacry. Looking back to the Bangladesh attack, in the early days there were very few facts linking it to the Lazarus group. In time, more evidence appeared and allowed us, and others, to link them together with high confidence. Further research can be crucial to connecting the dots.

Has anyone else confirmed this?

Yes, Matt Suiche from Comae Technologies confirmed the same similarity based on Neel’s samples:

Can you share the YARA rule used to find this?

Yes, of course.

You can download the “lazaruswannacry” Yara rule here.

Also included below for easy reading:
rule lazaruswannacry {

meta:

description = "Rule based on shared code between Feb 2017 Wannacry sample and Lazarus backdoor from Feb 2015 discovered by Neel Mehta"
date = "2017-05-15"
reference = "https://twitter.com/neelmehta/status/864164081116225536"
author = "Kaspersky Lab"
version = "1.0"
hash = "9c7c7149387a1c79679a87dd1ba755bc"
hash = "ac21c8ad899727137c4b94458d7aa8d8"

strings:

$a1={ 51 53 55 8B 6C 24 10 56 57 6A 20 8B 45 00 8D 75 04 24 01 0C 01 46 89 45 00 C6 46 FF 03 C6 06 01 46 56 E8 }
$a2={ 03 00 04 00 05 00 06 00 08 00 09 00 0A 00 0D 00 10 00 11 00 12 00 13 00 14 00 15 00 16 00 2F 00 30 00 31 00 32 00 33 00 34 00 35 00 36 00 37 00 38 00 39 00 3C 00 3D 00 3E 00 3F 00 40 00 41 00 44 00 45 00 46 00 62 00 63 00 64 00 66 00 67 00 68 00 69 00 6A 00 6B 00 84 00 87 00 88 00 96 00 FF 00 01 C0 02 C0 03 C0 04 C0 05 C0 06 C0 07 C0 08 C0 09 C0 0A C0 0B C0 0C C0 0D C0 0E C0 0F C0 10 C0 11 C0 12 C0 13 C0 14 C0 23 C0 24 C0 27 C0 2B C0 2C C0 FF FE }

condition:

((uint16(0) == 0x5A4D)) and (filesize < 15000000) and all of them }

WannaCry Variants Pick Up Where Original Left Off

VirusList.com - 15 May, 2017 - 21:00
Exploits spreading WannaCry ransomware have surfaced after the discovery of a killswitch put a quick halt to the initial global outbreak.

Beaten passenger, check. Dead giant rabbit, check. Now United loses cockpit door codes

The Register - Anti-Virus - 15 May, 2017 - 20:08
Not a good month for the aviation giant

You get the feeling United's PR boss must be praying for death at this point, after his employer admitted to another serious cockup.…

News in brief: United cockpit codes leaked online; WhatsApp fined; Netflix pulled from rooted phones

Sophos Naked Security - 15 May, 2017 - 19:42
Your daily round-up of some of the other stories in the news

WannaCrypt outbreak contained as hunt for masterminds kicks in

The Register - Anti-Virus - 15 May, 2017 - 19:38
Kill switch ID'd in ransomware attempt to abuse MS17-010 patch

A feared second wave of WannaCrypt ransomware attacks has failed to materialize, but 16 UK National Health Service Trusts are still grappling with last week's infection.…

WannaCry FAQ: What you need to know today

Kaspersky Securelist - 15 May, 2017 - 19:06

Friday May 12th marked the start of the dizzying madness that has been ‘WannaCry’, the largest ransomware infection in history. Defenders have been running around with their heads on fire trying to get ahead of the infection and to understand the malware’s capabilities. In the process, a lot of wires have gotten crossed and we figured it’s time to sit down and set the record straight on what we know, what we wish we knew, and what the near future might hold for us going forward.

In the interest of standing by our stated mission, ‘We’re Here to Save the World’, we’re also sharing IOCs and Yara rules below.

Please remember: Patch, Patch, Patch!

For a refresher on the weekend of madness, please see our original blog.

How did it all start? Was there an e-mail attack vector? Phishing link?

To date, we have not found an e-mail attack vector for Wannacry. We are still investigating leads that suggest compromised sites were used to target some customers. So far, we can confirm that our users are being attacked using an implementation of the famous EternalBlue exploit leaked by the Shadow Brokers in April. The exploit installs the DoublePulsar backdoor, which is then leveraged to infect the system. Even if the EternalBlue exploit fails, the attack code still tries to leverage a DoublePulsar backdoor that might have been installed in a previous attack.

Perhaps the main reason Wannacry was so successful is that the EternalBlue exploit works over the Internet without requiring any user interaction. It works on top of TCP port 445. Last week, our internet-facing sensors registered an uptick in port 445 connections on Thursday May 11th, one day before the major outbreak noted on Friday. This means it’s possible the worm was released on Thursday, possibly even late Wednesday evening. The uptick in port 445 traffic is also confirmed by the SANS DShield project’s graphs.

Port 445 connections per day

I’ve seen conflicting reports about the exploit. Is it targeting SMBv1 or SMBv2?

The vulnerability exploited by the EternalBlue tool lies in the SMBv1 implementation. However, to exploit it, the tool also uses SMBv2. This means that it uses both SMBv1 and SMBv2 packets during the attack. Disabling SMBv1 or SMBv2 prevents the infection; however, while disabling SMBv1 (an old protocol) has no significant impact on modern systems, disabling SMBv2 can cause problems. This is why it is highly recommended to disable SMBv1 for the current attack and for the future.

What is the killswitch? Can we rely on it?

The worm-spreading part of Wannacry, which is designed to infect other computers, has a special check at the beginning. It tries to connect to a hardcoded website on the Internet and if the connection FAILS, it continues with the attack. If the connection WORKS, it exits. Thus, by registering this domain and pointing it to a sinkhole server, a researcher from the U.K. successfully slowed the spread of the worm.

Can we ultimately rely on this? Well, there has been a lot of speculation about the effectiveness of this killswitch. On the one hand, it does stop further spread of the infection, but only if the worm is able to connect to the Internet. Many corporate networks have firewalls blocking internet connections unless a proxy is used; for these, the worm will continue to spread in the local network. On the other hand, there is nothing stopping the attackers from releasing a new variant that does not implement a killswitch.

Why did the attackers add a killswitch in the first place?

This is a very good question. Some possible explanations:

  • They were afraid the attack might get out of control and wanted a way to stop the propagation.
  • They coded it as an anti-sandbox check (some sandboxes emulate all internet connections and make them appear to work even if they do not exist).

Has this attack been contained?

We started tracking the attack early today to determine if it’s spiking again. Since 06.00 UTC/GMT on Monday 15th May, we have observed a sixfold decrease in attacks across our customer base compared with the first hours on Friday May 12th.

This suggests infections based on current variants may be under control.

Wait, what do you mean by “current variants”? Is there a second wave of attacks?

Over the weekend two notable variants emerged. Kaspersky Lab does not believe either of these variants was created by the original authors; they were most likely patched by others keen to exploit the attack separately and independently.

The first one started spreading on Sunday morning, at around 02.00 UTC/GMT and was patched to connect to a different domain (ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com). Kaspersky Lab has so far noted three victims for this variant, located in Russia and Brazil.

Code patch from d724d8cc6420f06e8a48752f0da11c66

The second variation that appeared during the weekend appears to have been patched to remove the killswitch. This variant does not appear to be spreading, possibly due to a bug.

Sample MD5                          In the wild   Killswitch present?   Domain killswitch
d5dcd28612f4d6ffca0cfeaefd606bcf    Yes           Yes                   ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
d724d8cc6420f06e8a48752f0da11c66    No            No                    n/a

Does the second wave contain the killswitch?

The d5dcd28612f4d6ffca0cfeaefd606bcf sample distributed on Sunday night (first reports around 02:00am UTC) contains a killswitch domain. This domain (ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com) is only two bytes different from the original:

Sample            Killswitch domain
Old               iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
New (see above)   ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com

The second domain was sinkholed by Matt Suiche of Comae Technologies, who reported stopping about 10,000 infections from spreading further:

How much money has been paid by victims so far?

WannaCry Wallet Tracker as of Monday May 15th.

Multiple attempts have been made at tracking transactions to known bitcoin wallets used by WannaCry. The tracker ‘howmuchwannacrypaidthehacker.com’ has the latest count (at the time of writing) at upwards of 31 BTC, or close to $55,000 USD.

What will the attackers do with the money?

An Evil Lair?

We believe it’s unlikely the attackers will be able to do anything with the bitcoins, considering the current high level of interest in this story. Even though the wallet owners are anonymous, the transactions are visible to everybody and can be tracked. Once the bitcoins reach a payment point, where the attackers use them to purchase something in the real world, that payment can be tracked to shipment details, services, or other IPs, effectively increasing the chances of getting caught.

Does payment guarantee the recovery of files?

We don’t know. Since we are dealing with criminals, there is no reason to expect them to honor the deal, especially in a situation where all the world is closely tracking this campaign and disrupting it as much as possible. Paying the ransom amounts to funding the next wave.

Do not pay the ransom.

How does the worm spread inside a local corporate network?

The malware includes worm functionality that tries to infect other unpatched Windows machines inside the local network, generating a large volume of SMB traffic. Basically, it scans LAN IPs for an open SMB port (TCP 445) and, where it finds one, delivers the EternalBlue exploit.

Have any other exploits been used?

The only exploit observed so far being used in this campaign is the EternalBlue exploit leaked by Shadow Brokers.

Interestingly, once the malware infects a computer, it runs shellcode to drop and execute its payload. The payload code is available for both 32- and 64-bit systems, runs in ring-0, and seems to be based on the DoublePulsar backdoor leaked by Shadow Brokers in their ‘Lost in Translation’ blog post.

Can you explain what happens for victims behind a proxy?

The killswitch prevented the main strain of the malware from encrypting the files in the infected computers, basically by checking if a given domain was registered or not. However WannaCry does not check for the presence of any proxy, so it is likely that samples running inside of an organization will not be able to reach the killswitch domain, even if it’s already registered. That means their files will continue to be encrypted.

Who is behind the attack? Is it just one group or multiple groups of attackers?

The attackers didn’t leave many clues about their identities or whereabouts. We are still investigating several possible leads and we’re sharing all relevant information with law enforcement.

At the moment, we haven’t seen any indicators that point towards any known groups. Some early variants of the Wannacry ransomware seem to have been used in March 2017, maybe some as early as February 2017. We are still researching these early variants, scraping them for clues.

Is this primarily targeting Russians?

The spread of the worm does not target a specific geolocation. The distribution is random, selecting IPs from the internet and affected local networks. Nevertheless, a large proportion of the infections are in Russia, about 66% of the total attacks we have seen. The skew in distribution is likely due to a combination of our increased visibility into Russia and a likely prevalence of unpatched systems.

Are you working with law enforcement to help contain this attack?

Yes, we are working with several law enforcement agencies and have provided them with information to help mitigate the attack.

Microsoft is warning against governments stockpiling cyberweapons and called for a Digital Geneva Convention. Will this help?

Kaspersky Lab supports Brad Smith’s call-to-action for governments and industries around the world to take critically important steps to help make a better digital future for all. We strongly believe the world needs an international digital convention, support the creation of a neutral international cyber organization, and firmly support a pledge from companies not to conduct offensive cyber activities and to protect their users from all cyberattacks. For more details please see: https://www.forbes.com/sites/eugenekaspersky/2017/02/15/a-digital-geneva-convention-a-great-idea/#abeff891e6e1

What should I do right now to make sure my organization is protected?

Our recommendations:

  • Install the MS Security Bulletin patches for MS17-010. Please note that Microsoft also released an emergency patch for Windows XP, which is out of support!
  • Disable SMBv1.
  • Backup your data on a regular basis and be sure to store the backups offline.
  • Limit administrative privileges in the network.
  • Segment your network.
  • Make sure all nodes have security software installed and updated.
  • Kaspersky users: make sure System Watcher is enabled and the software updated. System Watcher will ensure rollback of any encrypted files.
  • For those who do not use Kaspersky Lab solutions, we suggest installing the free Kaspersky Anti-Ransomware Tool for business (KART).
  • WannaCry is also targeting embedded systems. We recommend ensuring that dedicated security solutions for embedded systems are installed, and that they have both anti-malware protection and Default Deny functionality enabled.

Did Kaspersky block the attack for every target that had the software installed?

Our recent products include a module named System Watcher, which is designed to stop ransomware attacks. It was successful in blocking the damage from Wannacry, proving once again its effectiveness. Additionally, our products include specific detection subroutines which stopped the spreading of the attacks inside local networks. Since Saturday, our products also blocked the network level attacks through IDS components.

I’m running Windows XP – how can I protect myself?

First of all, stop running Windows XP. It is a 16-year-old operating system which is no longer officially supported by Microsoft. We recommend you upgrade to Windows 8.1 or 10. If you absolutely need to run Windows XP, you can download the emergency patch from Microsoft here:

http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598

However, prepare for a rough ride ahead, as other vulnerabilities will most likely remain open and leave you vulnerable in the future to other attacks.

Do you have YARA rules and IOCs for everything we know so far?

Multiple YARA rules have been released so far, with varying degrees of accuracy. Florian Roth has published a good Wannacry YARA set on his GitHub. Another set of YARA rules has been published by US-CERT, however, they produce false positives and are not recommended at this time. Our own YARA rules can be found below.

Indicators of Compromise

Network traffic to the following hosts:

  • iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
  • ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com

Filenames on disk:

  • mssecsvc.exe
  • taskdl.exe
  • taskse.exe
  • wannacry.exe
  • tasksche.exe

Hashes for the variants with different kill switches:

  • d5dcd28612f4d6ffca0cfeaefd606bcf
  • d724d8cc6420f06e8a48752f0da11c66

For more malware hashes, please see our previous blogpost.
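The kill-switch logic explained earlier (the worm carries on whenever the hardcoded domain cannot be reached, which is exactly what happens on a proxy-only network) combined with the two kill-switch domains in this IoC list gives a simple triage rule for resolver logs: any host that looks up either domain is running the spreading component, and a host whose lookups never succeeded could not have hit the kill switch, so it is the one to isolate first. The Python below is an added example, not Kaspersky's code; the log line format, the client addresses and the answers are constructed for illustration, and the two-byte difference between the old and new domains is computed from the names as listed above.

```python
import re

# Kill-switch domains from the IoC list above (written defanged there as [.]).
OLD_KILLSWITCH = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"
NEW_KILLSWITCH = "ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com"
KILLSWITCH_DOMAINS = {OLD_KILLSWITCH, NEW_KILLSWITCH}

# Constructed resolver log lines for this example (format, hosts and answers are
# assumptions, not real telemetry). 10.1.7.9 has no direct DNS, so its lookup fails.
SAMPLE_DNS_LOG = """\
2017-05-15T06:01:12Z client=10.1.4.22 query=iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com rcode=NOERROR
2017-05-15T06:01:13Z client=10.1.4.22 query=updates.corp.example rcode=NOERROR
2017-05-15T06:02:40Z client=10.1.7.9 query=ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com rcode=NXDOMAIN
2017-05-15T06:03:05Z client=10.1.9.31 query=iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com rcode=REFUSED
2017-05-15T06:03:06Z client=10.1.9.31 query=iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com rcode=NOERROR
garbage line that the parser must tolerate
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+client=(?P<client>\S+)\s+query=(?P<query>\S+)\s+rcode=(?P<rcode>\S+)$"
)


def refang(domain):
    """Turn the defanged report form (example[.]com) into a comparable hostname."""
    return domain.replace("[.]", ".").lower().rstrip(".")


def byte_difference(a, b):
    """Number of positions at which two equal-length strings differ."""
    if len(a) != len(b):
        raise ValueError("inputs differ in length")
    return sum(1 for x, y in zip(a, b) if x != y)


def triage_dns_log(log_text):
    """Return {client: {"domains": set, "ok": n, "failed": n}} for every client that
    looked up a kill-switch domain. "ok" counts NOERROR answers (the check could have
    succeeded and stopped the worm); "failed" counts everything else (the worm treats
    a failed connection as a green light and keeps scanning the LAN)."""
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate malformed lines instead of aborting the scan
        domain = refang(m["query"])
        if domain not in KILLSWITCH_DOMAINS:
            continue
        entry = hits.setdefault(m["client"], {"domains": set(), "ok": 0, "failed": 0})
        entry["domains"].add(domain)
        if m["rcode"] == "NOERROR":
            entry["ok"] += 1
        else:
            entry["failed"] += 1
    return hits


def prioritized_hosts(hits):
    """Hosts to isolate first: infected, and never able to resolve the kill switch."""
    return sorted(h for h, v in hits.items() if v["ok"] == 0)


if __name__ == "__main__":
    result = triage_dns_log(SAMPLE_DNS_LOG)
    for host, info in sorted(result.items()):
        print(host, sorted(info["domains"]), "ok=%d failed=%d" % (info["ok"], info["failed"]))
    print("isolate first:", prioritized_hosts(result))
    print("bytes differing between old and new kill switch:",
          byte_difference(OLD_KILLSWITCH, NEW_KILLSWITCH))
```

A successful DNS answer is necessary but not sufficient for the kill switch to work: the worm then makes a direct connection and, as the FAQ notes, ignores any proxy, so a host that resolved the name but shows no outbound connection to it in the proxy or firewall logs should be treated like the "failed" case. Every host the function returns is also a candidate for checking against the file names listed above.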

Yara rules

rule crimeware_Wannacry_worm {

meta:

description = "Find Wannacry worm carrier samples"
date = "2017-05-14"
version = "1.0"
author = "Kaspersky Lab"
tlp = "GREEN"

strings:

$a0="__TREEID__PLACEHOLDER__" ascii wide fullword
$a1="__USERID__PLACEHOLDER__" ascii wide fullword
$a2="userid" ascii wide fullword
$a3="treeid" ascii wide fullword
$a4="__TREEPATH_REPLACE__" ascii wide fullword
$a5="\\\\%s\\IPC$" ascii wide fullword
$a6="Microsoft Base Cryptographic Provider v1.0" ascii wide fullword
$a7="mssecsvc2.0" ascii wide fullword
$a8="Microsoft Security Center (2.0) Service" ascii wide fullword
$a9="%s -m security" ascii wide fullword
$a10="C:\\%s\\qeriuwjhrf" ascii wide fullword
$a11="tasksche.exe" ascii wide fullword

condition:

((uint16(0) == 0x5A4D)) and (filesize < 15000000) and (8 of ($a*)) }

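To make the worm rule's condition concrete, the following Python re-implements its three parts: the `uint16(0) == 0x5A4D` check for the MZ header, the `filesize` bound, and the `8 of ($a*)` count over strings matched with the `ascii wide fullword` modifiers (the string in both its byte form and its UTF-16LE form, bounded by non-alphanumeric characters, as the YARA documentation defines fullword). This is an added example for understanding the rule, not Kaspersky's code and not a substitute for running YARA itself; the test buffers it builds are constructed from the rule's own strings and are not real samples.

```python
# Strings from the crimeware_Wannacry_worm rule above, as Python strings. The two raw
# strings carry the backslashes that the YARA escapes "\\\\%s\\IPC$" and
# "C:\\%s\\qeriuwjhrf" denote.
WORM_STRINGS = [
    "__TREEID__PLACEHOLDER__",
    "__USERID__PLACEHOLDER__",
    "userid",
    "treeid",
    "__TREEPATH_REPLACE__",
    r"\\%s\IPC$",
    "Microsoft Base Cryptographic Provider v1.0",
    "mssecsvc2.0",
    "Microsoft Security Center (2.0) Service",
    "%s -m security",
    r"C:\%s\qeriuwjhrf",
    "tasksche.exe",
]
MAX_FILESIZE = 15000000   # the rule's "filesize < 15000000"
REQUIRED = 8              # the rule's "8 of ($a*)"


def ascii_alnum(byte):
    """Fullword boundary test: ASCII letters and digits only (bytes.isalnum is ASCII-only)."""
    return bytes([byte]).isalnum()


def find_all(data, needle):
    """All (possibly overlapping) offsets of needle in data."""
    start = 0
    while True:
        i = data.find(needle, start)
        if i < 0:
            return
        yield i
        start = i + 1


def is_fullword(data, start, end, width):
    """True if the hit data[start:end] is bounded by non-alphanumeric characters.
    width is 1 for an ascii hit and 2 for a UTF-16LE (wide) hit, where the neighbouring
    character is a two-byte unit whose high byte must be zero to count as a letter."""
    if width == 1:
        before_ok = start == 0 or not ascii_alnum(data[start - 1])
        after_ok = end >= len(data) or not ascii_alnum(data[end])
    else:
        before_ok = start < 2 or not (ascii_alnum(data[start - 2]) and data[start - 1] == 0)
        after_ok = end + 1 >= len(data) or not (ascii_alnum(data[end]) and data[end + 1] == 0)
    return before_ok and after_ok


def string_hits(data, s):
    """Offsets where s matches with the modifiers `ascii wide fullword`."""
    hits = []
    for needle, width in ((s.encode("ascii"), 1), (s.encode("utf-16-le"), 2)):
        for i in find_all(data, needle):
            if is_fullword(data, i, i + len(needle), width):
                hits.append(i)
    return hits


def evaluate_worm_rule(data):
    """The rule's condition: MZ header, size bound, and at least 8 distinct strings hit."""
    if len(data) < 2 or int.from_bytes(data[:2], "little") != 0x5A4D:
        return False
    if len(data) >= MAX_FILESIZE:
        return False
    matched = sum(1 for s in WORM_STRINGS if string_hits(data, s))
    return matched >= REQUIRED


def build_sample(strings, wide=False, mz=True):
    """Constructed test buffer (not a real sample): a 64-byte MZ-style header followed
    by the given strings, each NUL-terminated so that fullword boundaries exist."""
    header = (b"MZ" if mz else b"XX") + b"\x90" * 62
    body = b"".join((s.encode("utf-16-le") if wide else s.encode("ascii")) + b"\x00\x00"
                    for s in strings)
    return header + body


if __name__ == "__main__":
    print("8 ascii strings   :", evaluate_worm_rule(build_sample(WORM_STRINGS[:8])))
    print("7 ascii strings   :", evaluate_worm_rule(build_sample(WORM_STRINGS[:7])))
    print("12 wide strings   :", evaluate_worm_rule(build_sample(WORM_STRINGS, wide=True)))
    print("no MZ header      :", evaluate_worm_rule(build_sample(WORM_STRINGS, mz=False)))
    print("'xuserid' fullword:", string_hits(b"MZ xuserid ", "userid"))
```

The fullword modifier is what keeps short strings such as `userid` and `treeid` from firing inside unrelated identifiers, and the `8 of` threshold is what lets the rule tolerate a sample in which a few strings were changed; the wide form matters because a Windows binary stores most of these strings as UTF-16LE.
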
rule crimeware_Wannacry_ransomware {

meta:

description = "Find Wannacry ransomware module"
date = "2017-05-14"
version = "1.1"
author = "Kaspersky Lab"
tlp = "GREEN"

strings:

//list of extensions targeted by the ransomware module
$a1={
2E 00 64 00 65 00 72 00 00 00 00 00 2E 00 70 00
66 00 78 00 00 00 00 00 2E 00 6B 00 65 00 79 00
00 00 00 00 2E 00 63 00 72 00 74 00 00 00 00 00
2E 00 63 00 73 00 72 00 00 00 00 00 2E 00 70 00
31 00 32 00 00 00 00 00 2E 00 70 00 65 00 6D 00
00 00 00 00 2E 00 6F 00 64 00 74 00 00 00 00 00
2E 00 6F 00 74 00 74 00 00 00 00 00 2E 00 73 00
78 00 77 00 00 00 00 00 2E 00 73 00 74 00 77 00
00 00 00 00 2E 00 75 00 6F 00 74 00 00 00 00 00
2E 00 33 00 64 00 73 00 00 00 00 00 2E 00 6D 00
61 00 78 00 00 00 00 00 2E 00 33 00 64 00 6D 00
00 00 00 00 2E 00 6F 00 64 00 73 00 00 00 00 00
2E 00 6F 00 74 00 73 00 00 00 00 00 2E 00 73 00
78 00 63 00 00 00 00 00 2E 00 73 00 74 00 63 00
00 00 00 00 2E 00 64 00 69 00 66 00 00 00 00 00
2E 00 73 00 6C 00 6B 00 00 00 00 00 2E 00 77 00
62 00 32 00 00 00 00 00 2E 00 6F 00 64 00 70 00
00 00 00 00 2E 00 6F 00 74 00 70 00 00 00 00 00
2E 00 73 00 78 00 64 00 00 00 00 00 2E 00 73 00
74 00 64 00 00 00 00 00 2E 00 75 00 6F 00 70 00
00 00 00 00 2E 00 6F 00 64 00 67 00 00 00 00 00
2E 00 6F 00 74 00 67 00 00 00 00 00 2E 00 73 00
78 00 6D 00 00 00 00 00 2E 00 6D 00 6D 00 6C 00
00 00 00 00 2E 00 6C 00 61 00 79 00 00 00 00 00
2E 00 6C 00 61 00 79 00 36 00 00 00 2E 00 61 00
73 00 63 00 00 00 00 00 2E 00 73 00 71 00 6C 00
69 00 74 00 65 00 33 00 00 00 00 00 2E 00 73 00
71 00 6C 00 69 00 74 00 65 00 64 00 62 00 00 00
2E 00 73 00 71 00 6C 00 00 00 00 00 2E 00 61 00
63 00 63 00 64 00 62 00 00 00 00 00 2E 00 6D 00
64 00 62 00 00 00 00 00 2E 00 64 00 62 00 00 00
2E 00 64 00 62 00 66 00 00 00 00 00 2E 00 6F 00
64 00 62 00 00 00 00 00 2E 00 66 00 72 00 6D 00
00 00 00 00 2E 00 6D 00 79 00 64 00 00 00 00 00
2E 00 6D 00 79 00 69 00 00 00 00 00 2E 00 69 00
62 00 64 00 00 00 00 00 2E 00 6D 00 64 00 66 00
00 00 00 00 2E 00 6C 00 64 00 66 00 00 00 00 00
2E 00 73 00 6C 00 6E 00 00 00 00 00 2E 00 73 00
75 00 6F 00 00 00 00 00 2E 00 63 00 73 00 00 00
2E 00 63 00 00 00 00 00 2E 00 63 00 70 00 70 00
00 00 00 00 2E 00 70 00 61 00 73 00 00 00 00 00
2E 00 68 00 00 00 00 00 2E 00 61 00 73 00 6D 00
00 00 00 00 2E 00 6A 00 73 00 00 00 2E 00 63 00
6D 00 64 00 00 00 00 00 2E 00 62 00 61 00 74 00
00 00 00 00 2E 00 70 00 73 00 31 00 00 00 00 00
2E 00 76 00 62 00 73 00 00 00 00 00 2E 00 76 00
62 00 00 00 2E 00 70 00 6C 00 00 00 2E 00 64 00
69 00 70 00 00 00 00 00 2E 00 64 00 63 00 68 00
00 00 00 00 2E 00 73 00 63 00 68 00 00 00 00 00
2E 00 62 00 72 00 64 00 00 00 00 00 2E 00 6A 00
73 00 70 00 00 00 00 00 2E 00 70 00 68 00 70 00
00 00 00 00 2E 00 61 00 73 00 70 00 00 00 00 00
2E 00 72 00 62 00 00 00 2E 00 6A 00 61 00 76 00
61 00 00 00 2E 00 6A 00 61 00 72 00 00 00 00 00
2E 00 63 00 6C 00 61 00 73 00 73 00 00 00 00 00
2E 00 73 00 68 00 00 00 2E 00 6D 00 70 00 33 00
00 00 00 00 2E 00 77 00 61 00 76 00 00 00 00 00
2E 00 73 00 77 00 66 00 00 00 00 00 2E 00 66 00
6C 00 61 00 00 00 00 00 2E 00 77 00 6D 00 76 00
00 00 00 00 2E 00 6D 00 70 00 67 00 00 00 00 00
2E 00 76 00 6F 00 62 00 00 00 00 00 2E 00 6D 00
70 00 65 00 67 00 00 00 2E 00 61 00 73 00 66 00
00 00 00 00 2E 00 61 00 76 00 69 00 00 00 00 00
2E 00 6D 00 6F 00 76 00 00 00 00 00 2E 00 6D 00
70 00 34 00 00 00 00 00 2E 00 33 00 67 00 70 00
00 00 00 00 2E 00 6D 00 6B 00 76 00 00 00 00 00
2E 00 33 00 67 00 32 00 00 00 00 00 2E 00 66 00
6C 00 76 00 00 00 00 00 2E 00 77 00 6D 00 61 00
00 00 00 00 2E 00 6D 00 69 00 64 00 00 00 00 00
2E 00 6D 00 33 00 75 00 00 00 00 00 2E 00 6D 00
34 00 75 00 00 00 00 00 2E 00 64 00 6A 00 76 00
75 00 00 00 2E 00 73 00 76 00 67 00 00 00 00 00
2E 00 61 00 69 00 00 00 2E 00 70 00 73 00 64 00
00 00 00 00 2E 00 6E 00 65 00 66 00 00 00 00 00
2E 00 74 00 69 00 66 00 66 00 00 00 2E 00 74 00
69 00 66 00 00 00 00 00 2E 00 63 00 67 00 6D 00
00 00 00 00 2E 00 72 00 61 00 77 00 00 00 00 00
2E 00 67 00 69 00 66 00 00 00 00 00 2E 00 70 00
}

condition:

((uint16(0) == 0x5A4D)) and (filesize < 15000000) and any of them }
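The `$a1` hex string in the ransomware rule is the malware's extension table as it sits in the binary: UTF-16LE strings, each NUL-terminated and padded with zero bytes to a 4-byte boundary (".der" plus its terminator is 10 bytes and occupies 12; ".db" is 8 and occupies 8). The Python below is an added example rather than Kaspersky's code: it decodes the first six lines of that hex, copied from the rule above, back into extensions, re-encodes them with the same layout so the bytes round-trip, and formats new entries in the rule's hex syntax, which is how one would extend the pattern for extensions such as the ones the May 2017 variant added. The padding rule is inferred from the rule's own bytes and is an assumption about the compiler's layout, not something the post states.

```python
# The first six lines of the $a1 hex string from the crimeware_Wannacry_ransomware rule
# above, copied from the rule itself.
HEX_FROM_RULE = """
2E 00 64 00 65 00 72 00 00 00 00 00 2E 00 70 00
66 00 78 00 00 00 00 00 2E 00 6B 00 65 00 79 00
00 00 00 00 2E 00 63 00 72 00 74 00 00 00 00 00
2E 00 63 00 73 00 72 00 00 00 00 00 2E 00 70 00
31 00 32 00 00 00 00 00 2E 00 70 00 65 00 6D 00
00 00 00 00 2E 00 6F 00 64 00 74 00 00 00 00 00
"""


def hex_to_bytes(text):
    """Parse YARA-style whitespace-separated hex pairs into bytes."""
    return bytes.fromhex("".join(text.split()))


def decode_extension_table(blob):
    """Split a UTF-16LE buffer of NUL-terminated strings into Python strings; the empty
    pieces produced by the alignment padding between entries are dropped."""
    if len(blob) % 2:
        raise ValueError("UTF-16LE data must have even length")
    return [e for e in blob.decode("utf-16-le").split("\x00") if e]


def encode_extension_table(extensions):
    """Rebuild the layout seen in the rule (assumed from its bytes): each entry is
    NUL-terminated and then padded with zero bytes to a 4-byte boundary."""
    out = bytearray()
    for ext in extensions:
        encoded = (ext + "\x00").encode("utf-16-le")
        encoded += b"\x00" * (-len(encoded) % 4)
        out += encoded
    return bytes(out)


def to_yara_hex(blob, per_line=16):
    """Format bytes as the hex string syntax used in the rule, 16 bytes per line."""
    pairs = ["%02X" % b for b in blob]
    return "\n".join(" ".join(pairs[i:i + per_line]) for i in range(0, len(pairs), per_line))


if __name__ == "__main__":
    blob = hex_to_bytes(HEX_FROM_RULE)
    exts = decode_extension_table(blob)
    print(exts)  # ['.der', '.pfx', '.key', '.crt', '.csr', '.p12', '.pem', '.odt']
    assert encode_extension_table(exts) == blob  # the layout round-trips exactly
    # Encoding further entries yields bytes in the form a rule author can paste into $a1.
    print(to_yara_hex(encode_extension_table([".lay6", ".db"])))
```

Because the rule's condition is `any of them`, a single long hex string like `$a1` behaves as one indivisible pattern: a sample whose table differs by even one entry (a removed ".tar.bz2", say) will not match it, which is why the decode/encode round trip is useful when deciding where to cut such a string into shorter, more robust pieces.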

WannaCry: here’s what we know now about the outbreak

Sophos Naked Security - 15 May, 2017 - 18:30
As the dust settles after Friday's outbreak, things are becoming clearer and it seems this was an unsophisticated use of a sophisticated tool

The Windows worm is back – and this time it’s serious

Sophos Naked Security - 15 May, 2017 - 17:54
Worms are a malware tactic from back in the day - but they still remain tricky to mitigate against

Matthew Hickey on WannaCry Ransomware Outbreak

VirusList.com - 15 May, 2017 - 16:27
Matthew Hickey, founder of HackerHouse and @hackerfantastic on Twitter, talks to Mike Mimoso about Friday’s WannaCry ransomware outbreak.