Yesterday we reported on the largest ransomware attack using one of the NSA exploits recently leaked by the group Shadow Brokers, οι επιτιθέμενοι μπόρεσαν να προσβάλλουν υπολογιστές σε παγκόσμιο επίπεδο με το WannaCry (ένα exploit των Windows το οποίο ασπάστηκε από το εργαλείο EternalBlue της NSA). Η Microsoft έχει κυκλοφορήσει ήδη μια ενημέρωση για αυτήν την ευπάθεια, αλλά πολλοί users and organizations did not bother to update their systems.
Malware infects computers, exploiting a vulnerability for SMB file sharing. Older versions of Windows are more affected by this, especially because Microsoft no longer supports Windows XP or Windows 2003.
Installs Doublepulsar, one backdoor cuts which allows remote control of the infected machine. This is another stolen NSA tool that was leaked alongside Eternalblue. The malware is also controlled through the anonymous Tor network, to receive further commands from its creators.
However, as can be seen in the malware code, there was also an off switchactivationin the form of a kill switch domain.
What does this mean in simple words? When malware detects that there is a specific domain, it stops infections. This domain was created (registered) earlier today by a researcher, who observed the dot-com in the reverse-engineered binary. When registration was detected by malware, it immediately stopped distributing ransomware, and its worldwide spread.
Links to the magical domain: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com are routed to a server in California, and managers of infected systems that arrive at the domain will be alerted, the researcher says.
"IP addresses have been sent to the FBI and ShadowServer, so the affected organizations should receive an alert soon," said the researcher, who admitted he first registered the domain, and then realized it was a kill switch.
Here are some quick links to many more technical details that we have collected:
The Cisco Talos Team analyzed the malicious software, describing its components.
A decrypted sample of malicious software there is.
A exploit for MS17-010 written in Python with an example shellcode. It is based on NSA's stolen Eternalblue tool developed by infosec RiskSense. Reveals that the SMB server error is the result of a buffer overflow in Microsoft's code.
You can track infections in real time, from here. There are at least 104.000 recognized infected hosts worldwide.
