How WannaCry works (on an unpatched Windows system) and trying to avoid it.
<blockquote data-quote="Winter Soldier" data-source="post: 631241" data-attributes="member: 59377">
<p><strong>Here are some basic steps about WCRY behavior and some tips.</strong></p>
<p>1) You get the malware via a social engineering attack, phishing mails, etc.</p>
<p>2) The malware installs itself on the PC by taking advantage of the well-known EternalBlue flaw and puts <em>mssecsvc.exe</em> in the C:\windows directory.</p>
<p>3) It installs itself as a service and proceeds to execute two activities in parallel, using different executables.</p>
<p>4) The first task is to encrypt certain types of files:</p>
<p><a href="https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168" target="_blank">Wannacrypt0r-FACTSHEET.md · GitHub</a>.</p>
<p>5) The second one will propagate the malware on any LAN by exploiting the vulnerability in the SMB protocol on TCP ports 445 and 139. This second component also scans the network looking for new targets to infect via SMB port 445.</p>
<p>6) It runs in Ring 0, so it can potentially cause more damage compared to the encryption activity alone.</p>
<p>When we refer to the level of privileges with which an application is executed, we use the term “Ring”. “Ring 0” identifies the processes running in kernel mode, and “Ring 3” the “user mode” applications (such as the browser).</p>
<p>When the CPU operates in kernel mode, it has access to all registers and the entire memory system.</p>
<p>In contrast, when the CPU operates in user mode, it is allowed to access only those memory areas that are usable in “user mode”.</p>
<p><em>The code that runs in kernel mode may have non-discriminatory access to all areas of the system, to be able to run programs.</em></p>
<p>7) It drops the DoublePulsar backdoor.</p>
<p><strong><u>Trying to defend yourself.</u></strong></p>
<p><u><em>- Performing a reliable backup, to easily restore your systems and your data in case of encryption, is the essential step!</em></u></p>
<p>- Check for the Windows security update released with security bulletin MS17-010, March 14, 2017:</p>
<p><a href="https://technet.microsoft.com/en-us/library/security/ms17-010.aspx" target="_blank">Microsoft Security Bulletin MS17-010 - Critical</a></p>
<p>- Needless to say, use good antivirus/security apps; there are so many posts here on MT.</p>
<p>- The ransomware's initial vector spreads via phishing; therefore, do not open links/attachments from suspicious emails, and scan them on VirusTotal.</p>
<p>- The ransomware also attacks network shares and cloud backups, so update the copy of the backups and keep sensitive data isolated and offline.</p>
<p>Stay Safe :)</p>
</blockquote>
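The patch and SMB checks from the "Trying to defend yourself" list above, as an added PowerShell example that is not part of Winter Soldier's post. It assumes an elevated PowerShell 5.1+ session on Windows 8.1/2012 R2 or later (for the `Get-SmbServerConfiguration` cmdlets); the KB numbers are the March 2017 MS17-010 hotfixes as recalled from the bulletin and should be verified there for your OS.

```powershell
# Added defensive check script; not from the original post. Run elevated.
# KB list: MS17-010 March 2017 security updates as recalled from the bulletin
# (verify against the bulletin). Later cumulative updates supersede these, so
# a fully patched Windows 10 host may show none of them; treat "False" as
# "go and confirm", not as proof of exposure.
$ms17010Kbs = @('KB4012212','KB4012213','KB4012214','KB4012215','KB4012216',
                'KB4012217','KB4012598','KB4012606','KB4013198','KB4013429')

function Test-Ms17010Patched {
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $hits = @($ms17010Kbs | Where-Object { $installed -contains $_ })
    [pscustomobject]@{ Patched = ($hits.Count -gt 0); MatchingKbs = $hits }
}

function Get-Smb1State {
    # EnableSMB1Protocol is the server-side switch EternalBlue needs to be on.
    $cfg = Get-SmbServerConfiguration
    [pscustomobject]@{ Smb1Enabled = [bool]$cfg.EnableSMB1Protocol }
}

function Test-WannaCryDropper {
    # The post names mssecsvc.exe dropped into C:\Windows; its presence is a
    # strong indicator that the host has already been hit.
    Test-Path -Path (Join-Path $env:SystemRoot 'mssecsvc.exe')
}

function Invoke-SmbHardening {
    # Turn SMBv1 off on the server side and block TCP 139/445 from untrusted
    # networks. The Domain profile is left alone so file sharing keeps working.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    New-NetFirewallRule -DisplayName 'Block inbound SMB (WannaCry)' `
        -Direction Inbound -Protocol TCP -LocalPort 139,445 `
        -Action Block -Profile Public,Private | Out-Null
}

$patch = Test-Ms17010Patched
$smb   = Get-Smb1State
"MS17-010 KB present : $($patch.Patched) $($patch.MatchingKbs -join ',')"
"SMBv1 enabled       : $($smb.Smb1Enabled)"
"mssecsvc.exe found  : $(Test-WannaCryDropper)"
# Remediation is opt-in: pass -Remediate on the command line to apply it.
if ($smb.Smb1Enabled -and ($args -contains '-Remediate')) { Invoke-SmbHardening }
```

Disabling SMBv1 breaks old printers, NAS boxes and Windows XP/2003 clients that only speak SMBv1, so check what still depends on it before running with -Remediate.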