How did the bigger ransomware attack stop?

Yesterday we reported on the biggest one ransomware που χρησιμοποιώντας ένα από τα exploit της NSA που διέρρευσαν πρόσφατα από την Brokers, οι επιτιθέμενοι μπόρεσαν να προσβάλλουν υπολογιστές σε παγκόσμιο επίπεδο με το WannaCry (ένα exploit των Windows το οποίο ασπάστηκε από το εργαλείο EternalBlue της NSA). Η Microsoft έχει κυκλοφορήσει ήδη μια ενημέρωση για αυτήν την ευπάθεια, αλλά πολλοί χρήστες και οργανισμοί δεν έκαναν τον κόπο να ενημερώσουν τα συστήματά τους.

Malware infects computers, exploiting a vulnerability for SMB file sharing. Older versions of Windows are more affected by this, especially because Microsoft no longer supports Windows XP or Windows 2003.
Installs Doublepulsar, one which allows remote control of the infected machine. This is another stolen NSA tool that was leaked alongside Eternalblue. The malware is also controlled through the anonymous Tor network, to receive further commands from its creators.
ransomware

But as seen in the malicious code there was also a kill switch in the form of a kill switch domain.

What does this mean in simple words? When malware detects that there is a specific domain, it stops infections. This domain was created (registered) earlier today by a researcher, who observed the dot-com in the reverse-engineered binary. When registration was detected by malware, it immediately stopped distributing ransomware, and its worldwide spread.

Links to the magical domain: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com are routed to a server in California, and managers of infected systems that arrive at the domain will be alerted, the researcher says.

"IP addresses have been sent to the FBI and ShadowServer, so the affected organizations should receive an alert soon," said the researcher, who admitted he first registered the domain, and then realized it was a kill switch.

Here are some quick links to many more technical details that we have collected:

The Cisco Talos Team analyzed the malicious software, describing its components.
A decrypted sample of malicious software there is.
A exploit for MS17-010 written in Python with an example shellcode. It is based on NSA's stolen Eternalblue tool developed by infosec RiskSense. Reveals that the SMB server error is the result of a buffer overflow in Microsoft's code.

You can track infections in real time, from here. There are at least 104.000 recognized infected hosts worldwide.

iGuRu.gr The Best Technology Site in Greeceggns

Get the best viral stories straight into your inbox!















Written by giorgos

George still wonders what he's doing here ...

Leave a reply

Your email address is not published. Required fields are mentioned with *

Your message will not be published if:
1. Contains insulting, defamatory, racist, offensive or inappropriate comments.
2. Causes harm to minors.
3. It interferes with the privacy and individual and social rights of other users.
4. Advertises products or services or websites.
5. Contains personal information (address, phone, etc.).