How did the bigger ransomware attack stop?

Yesterday we reported on the largest ransomware attack using one of the of the NSA that were recently leaked by the Shadow Brokers group, attackers were able to attack computers globally with WannaCry (a Windows exploit embraced by EternalBlue της NSA). Η Microsoft έχει κυκλοφορήσει ήδη μια ενημέρωση για αυτήν την , but many users and organizations did not bother updating their systems.

Malware infects computers, exploiting a vulnerability for SMB file sharing. Older versions of Windows are more affected by this, especially because Microsoft no longer supports Windows XP or Windows 2003.
It installs Doublepulsar, a backdoor that allows remote control of the infected machine. This is another stolen NSA tool that leaked alongside Eternalblue. Malicious software is also controlled through the anonymous Tor network to receive further instructions from its creators.
ransomware

However, as can be seen in the code of the malicious software there was also a deactivation switch in the form of a kill switch .

What does this mean in simple words? When malware detects that there is a specific domain, it stops infections. This domain was created (registered) earlier today by a researcher, who observed the dot-com in the reverse-engineered binary. When registration was detected by malware, it immediately stopped distributing ransomware, and its worldwide spread.

Links to the magical domain: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com are routed to a server in California, and managers of infected systems that arrive at the domain will be alerted, the researcher says.

"IP addresses have been sent to the FBI and ShadowServer, so the affected organizations should receive an alert soon," said the researcher, who admitted he first registered the domain, and then realized it was a kill switch.

Here are some quick links to many more technical details that we have collected:

The Cisco Talos Team analyzed the malicious software, describing its components.
A decrypted sample of malicious software there is.
A exploit for MS17-010 written in Python with an example shellcode. It is based on NSA's stolen Eternalblue tool developed by infosec RiskSense. Reveals that the SMB server error is the result of a buffer overflow in Microsoft's code.

You can track infections in real time, from here. There are at least 104.000 recognized infected hosts worldwide.

iGuRu.gr The Best Technology Site in Greecefgns

every publication, directly to your inbox

Join the 2.100 registrants.

Written by giorgos

George still wonders what he's doing here ...

Leave a reply

Your email address is not published. Required fields are mentioned with *

Your message will not be published if:
1. Contains insulting, defamatory, racist, offensive or inappropriate comments.
2. Causes harm to minors.
3. It interferes with the privacy and individual and social rights of other users.
4. Advertises products or services or websites.
5. Contains personal information (address, phone, etc.).