WannaCry question about Windows operating systems

giulia

Level 5
Thread author
Verified
Nov 30, 2016
236
Hi,
I'm reading Kaspersky Lab's comment on the WannaCry attack:
The ransomware infects victims by exploiting a Microsoft Windows vulnerability described and fixed in Microsoft Security Bulletin MS17-010. The exploit used, “Eternal Blue” was revealed in the Shadowbrokers dump on April 14.

May I know which operating systems have this vulnerability? According to the link: W7, W8, W8.1 and W10.

My native language is not English, so I haven't understood how this little bastard infects a Windows machine. In many newspapers I have read that it infects machines via emails.

If it doesn't spread only via email:

1) Is it enough to disable SMB1.0/CIFS File Sharing Support in Windows Features?

2) With SMB1.0/CIFS File Sharing Support enabled,
is it enough to keep the computer online to be infected?

Thanks
 

brod56

Level 15
Verified
Top Poster
Well-known
Feb 13, 2017
737
The patch stops the file from spreading by itself through the network - if you run it on an updated Windows 10, it will still encrypt your files.
No reason to worry, you don't even need to disable that feature if you are running an anti-exe.
 

giulia

The patch stops the file from spreading by itself through the network - if you run it on an updated Windows 10, it will still encrypt your files.
No reason to worry, you don't even need to disable that feature if you are running an anti-exe.

Hi,
I use only ESET Smart Security 10, updated, but I remember that in the XP era it was enough to be online to be infected.

This ransomware doesn't infect a home computer connected to the internet, does it?
Thanks
 

brod56

Hi,
I use only ESET Smart Security 10, updated, but I remember that in the XP era it was enough to be online to be infected.

This ransomware doesn't infect a home computer connected to the internet, does it?
Thanks

ESET signatures already detect the file. Don't worry :D
Have you already posted your full security configuration on the forum so that we can help you improve it?
 

509322

Hi,
I'm reading Kaspersky Lab's comment on the WannaCry attack:

May I know which operating systems have this vulnerability? According to the link: W7, W8, W8.1 and W10.

My native language is not English, so I haven't understood how this little bastard infects a Windows machine. In many newspapers I have read that it infects machines via emails.

If it doesn't spread only via email:

1) Is it enough to disable SMB1.0/CIFS File Sharing Support in Windows Features?

2) With SMB1.0/CIFS File Sharing Support enabled,
is it enough to keep the computer online to be infected?

Thanks

If the WannaCry ransomware gets onto your system and you execute it\it executes, then there is no "patch" for any version of Windows that will prevent it from encrypting your files. The "patch" stops the lateral spreading of the infection across a network; it does not prevent file encryption.

Some people are tooting "A signature for it (the ransomware executable) is out and AV so-and-so now detects it." The problem with that mentality is that the malc0ders aren't stupid and will probably craft new variants that are not detected by scan engines.

From the SecureList report:

It’s important to understand that while unpatched Windows computers exposing their SMB services can be remotely attacked with the “EternalBlue” exploit and infected by the WannaCry ransomware, the lack of existence of this vulnerability doesn’t really prevent the ransomware component from working. Nevertheless, the presence of this vulnerability appears to be the most significant factor that caused the outbreak.
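
A way to check the two conditions the post and the SecureList quote depend on: whether SMBv1 is still enabled and whether the SMB port is reachable. This is an added example, not part of the original post; it assumes an elevated PowerShell session and the cmdlets that ship with Windows 8.1 and Windows 10, and the function name `Get-SmbExposureReport` is hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): report SMBv1 state and TCP 445 exposure.
# Assumes Windows 8.1 / Windows 10 with the built-in DISM, SmbShare,
# NetTCPIP and NetSecurity modules. Function name is hypothetical.

function Get-SmbExposureReport {
    # The "SMB 1.0/CIFS File Sharing Support" entry in Windows Features
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol

    # Whether the file-sharing server still accepts SMBv1 sessions
    $server = Get-SmbServerConfiguration

    # Is the machine listening on TCP 445 at all?
    $listening = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)

    # Enabled inbound allow rules for TCP 445
    # (exact-port rules only; port ranges are not expanded here)
    $rules = Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { $_.LocalPort -contains '445' } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }

    # Rules whose profile is Any or Public also apply on untrusted networks
    $onPublic = [bool]($rules | Where-Object { "$($_.Profile)" -match 'Any|Public' })

    [pscustomobject]@{
        Smb1FeatureState     = $feature.State
        Smb1ServerEnabled    = $server.EnableSMB1Protocol
        Smb2ServerEnabled    = $server.EnableSMB2Protocol
        ListeningOn445       = $listening
        InboundAllowRules445 = @($rules | ForEach-Object { '{0} [{1}]' -f $_.DisplayName, $_.Profile })
        AllowedOnPublic      = $onPublic
    }
}

Get-SmbExposureReport | Format-List

# To turn SMBv1 off (question 1 in the thread); a reboot completes the feature change:
# Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
# Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
```

The report covers configuration only: it does not show whether the MS17-010 update is installed, and neither setting stops the ransomware from encrypting files once it executes.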
 

giulia

If the WannaCry ransomware gets onto your system and you execute it\it executes, then there is no "patch" for any version of Windows that will prevent it from encrypting your files. The "patch" stops the lateral spreading of the infection across a network; it does not prevent file encryption.

Hi,
thanks for the answer.

If the WannaCry ransomware gets onto your system and you execute it\it executes

To get onto my system, I have to have downloaded (infected) files from the internet, from emails and so on.
I was scared because in the past Windows XP (the first release, I don't remember which XP version) got infected just by keeping it online; a virus used a bug in XP to spread.

This is not the case with this ransomware, is it?
Thanks
 

509322

I was scared because in the past Windows XP (the first release, I don't remember which XP version) got infected just by keeping it online; a virus used a bug in XP to spread.

If you are still using XP, then it is no longer receiving security patches from Microsoft. That means that the possibility that your system can be exploited is always present. Yes... a successful exploit of something on your XP system can lead to ransomware executing on it and encrypting your files.

However, in the case of WannaCry, Microsoft did release a patch even for XP. Look for it on the web and read more about it.
 

Parsh

Level 25
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Dec 27, 2016
1,480
Some people are tooting "A signature for it (the ransomware executable) is out and AV so-and-so now detects it." The problem with that mentality is that the malc0ders aren't stupid and will probably craft new variants that are not detected by scan engines.
Exactly! And relying on signatures for the captured malware is fine for limited variants only.

Though AVs will fail quite a few times on this due to known reasons, their behavior monitors should lead the preventive detection of the new crypto-patterns faced. If not, it's wasted.
Talking about the home product, Sophos Home Beta detected the WannaCry Ransomware by signatures (at MalwareHub) but on disabling the real-time engine, its HMPA Cryptoguard couldn't protect the user files from encryption. Now, protection from advanced variants is probably less likely unless the signatures are able to catch the malware early via heuristics or so.
Sophos InterceptX and EXP were apparently able to protect in this instance though, as per the news. No idea why the difference.
Anti-exes and SRPs are a different talk.
 

giulia

If you are still using XP, then it is no longer receiving security patches from Microsoft. That means that the possibility that your system can be exploited is always present. Yes... a successful exploit of something on your XP system can lead to ransomware executing on it and encrypting your files.

However, in the case of WannaCry, Microsoft did release a patch even for XP. Look for it on the web and read more about it.

Hi,
no, I remember that a virus was able to infect an XP machine just by keeping it online; this happened some months after Microsoft presented Windows XP to the public.

I use W10 Pro 64-bit and sometimes W7 64-bit.
I guess my English is really very bad :mad:
Thanks
 

509322

Exactly! And relying on signatures for the captured malware is fine for limited variants only.

Though AVs will fail quite a few times on this due to known reasons, their behavior monitors should lead the preventive detection of the new crypto-patterns faced. If not, it's wasted.
Talking about the home product, Sophos Home Beta detected the WannaCry Ransomware by signatures (at MalwareHub) but on disabling the real-time engine, its HMPA Cryptoguard couldn't protect the user files from encryption. Now, protection from advanced variants is probably less likely unless the signatures are able to catch the malware early via heuristics or so.
Sophos InterceptX and EXP were apparently able to protect in this instance though, as per the news.
Anti-exes and SRPs are a different talk.

WannaCry is not even a blip on my radar. It's just another malicious file that our product blocks - regardless of the Windows vulnerability being present. In fact, I didn't even know about the reports until late last night.
 

509322

Hi,
no, I remember that a virus was able to infect an XP machine just by keeping it online; this happened some months after Microsoft presented Windows XP to the public.

I use W10 Pro 64-bit and sometimes W7 64-bit.
I guess my English is really very bad :mad:
Thanks

I haven't used XP in over 10 years. So I do not recall. That being said, any online activity comes with risk even using the most up-to-date OS and software. There is always a risk, for example, of a true zero day exploit hitting a browser(s) - but it is a very remote possibility.

Your English is good enough.
 

Parsh

Hi Parsh,
may I know your security layers?
Thanks

I'm having different setups on two systems and I would first say that what suits the needs of one may not be the best for the other.
So I'll explain in short what I use and why, so that you can get an idea of what would suit your needs (if)..

System 1:
Windows Defender (basic signature protection for different situations) + VoodooShield (to catch any file before executing, it provides AI recommendation regarding file safety, provides Multi-engine score that is occasionally reliable) + Heimdal Pro (trial, to capture potential malicious connections and for automatic software patching) + Private Firewall (in addition to Firewall features, it provides process control to catch and decide for any new processes with details, system anomaly detection).
FYI, Private Firewall is discontinued and I'm just testing this. Some paid firewalls or a free one like ZoneAlarm FW provide basic process monitor too.

System 2:
Kaspersky IS (one of the best engines and behavior blocker) + Temasoft Ranstop (protection against ransomware, with mitigation and restore features).
I use Kaspersky mainly for its Application Control feature. It will automatically categorize applications, based on their popularity in KSN (Kaspersky Security Network) and the file's signature status. Based on that, an app is allowed, denied or restricted with respect to access and control over the system. Its System Watcher and potential for rolling back malware actions is appreciable too. A standalone anti-RW tool like Ranstop ain't needed, it's just that I'm testing this giveaway.

Basically, I've implemented a scaled down version of system lockdown, with mixed layers for prevention and detection. I allow things here and there based on security tools' indications but follow most of the safe practices. Whenever unsure, I use Shadow Defender (a kind of virtualization) so that I can reverse things if needed. You can use a sandboxing tool like Sandboxie or test in a VM if not sure about some apparently important applications/files.

If you're a home user with no mission critical data, you don't need to hassle much about the best security or go for total lockdown of your system.
Implement important layers well, keep backups of system as well as your data (as per MT's unofficial safety policy) on external HDDs or Cloud, install software and OS updates always, and control and limit what you browse or allow to run on your machine. You're good to go :)
 

SHvFl

Level 35
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Nov 19, 2014
2,342
Hi,
no, I remember that a virus was able to infect an XP machine just by keeping it online; this happened some months after Microsoft presented Windows XP to the public.

I use W10 Pro 64-bit and sometimes W7 64-bit.
I guess my English is really very bad :mad:
Thanks

XP might have exploits that require no user interaction. XP is an ancient OS that no one should use in general. With Win10 you shouldn't have to worry about such things as an everyday user.
 

giulia

Hi,
sometimes I would like to have a dual boot, Windows & Mac OS X (I can't use Linux because I bought some software that works only under Windows and OS X).

May I know how the attack spread & started? Via emails?
Thanks
 

Parsh

May I know how the attack spread & started? Via emails?
Thanks

Primarily via phishing emails.
Simply put, when someone opens the malicious mail attachment, the WanaCryptor will begin encrypting your files (unless your security product makes some noise), and via RDP/SMB (that you know) spread to the connected workstations (if your device is connected in a network) and infect them too.

EDIT: You can find how it spread, nicely explained here in detail.
 