Yesterday we reported on the biggest one attack ransomware που χρησιμοποιώντας ένα από τα exploit της NSA που διέρρευσαν πρόσφατα από την ομάδα Shadow Brokers, οι επιτιθέμενοι μπόρεσαν να προσβάλλουν υπολογιστές σε παγκόσμιο επίπεδο με το WannaCry (a Windows exploit embraced by the NSA's EternalBlue tool). Microsoft has already released an update for this vulnerability, but many users and organizations have not bothered to update their systems.
Malware infects computers, exploiting a vulnerability for SMB file sharing. Older versions of Windows are more affected by this, especially because Microsoft no longer supports Windows XP or Windows 2003.
It installs Doublepulsar, a backdoor that allows remote control of the infected machine. This is another stolen NSA tool that leaked alongside Eternalblue. Malicious software is also controlled through the anonymous Tor network to receive further instructions from its creators.
However, as can be seen in the code of the malicious software there was also a deactivation switch in the form of a kill switch domain.
What does this mean in simple words? When malware detects that there is a specific domain, it stops infections. This domain was created (registered) earlier today by a researcher, who observed the dot-com in the reverse-engineered binary. When registration was detected by malware, it immediately stopped distributing ransomware, and its worldwide spread.
Links to the magical domain: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com are routed to a server in California, and managers of infected systems that arrive at the domain will be alerted, the researcher says.
"IP addresses have been sent to the FBI and ShadowServer, so the affected organizations should receive an alert soon," said the researcher, who admitted he first registered the domain, and then realized it was a kill switch.
Here are some quick links to many more technical details that we have collected:
The Cisco Talos Team analyzed the malicious software, describing its components.
A decrypted sample of malicious software there is.
A exploit for MS17-010 written in Python with an example shellcode. It is based on NSA's stolen Eternalblue tool developed by infosec RiskSense. Reveals that the SMB server error is the result of a buffer overflow in Microsoft's code.
You can track infections in real time, from here. There are at least 104.000 recognized infected hosts worldwide.
