Author Topic: Recent malware news  (Read 3775 times)

Offline ITSec

  • Gaggle Hero
  • *****
  • Posts: 3040
  • Location: Southwestern US
Recent malware news
« on: May 16, 2017, 01:24:45 PM »
I'm sure by now you've all heard the news reports on the malware scare regarding the so-called 'WannaCrypt' attack. If you have any of the current versions of Windows, and have been keeping your system updated, you're largely protected. If you haven't been keeping up to date, this is the time to get back on board using Windows Update.

I know many of you have been sticking with older versions of Windows - XP and Vista. If so, there is now an emergency patch for the older systems available from Microsoft, and you should apply it immediately. It is located at https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

For Linux and Mac users, don't feel too safe - there's an underlying flaw in the Server Message Block (SMB) protocol used by Samba (for Linux) and by OS X (when communicating with Windows machines) that will likely need to be patched or disabled in the days to come. Fortunately, it's used primarily in older systems, and in most cases (Windows 7 and up, and recent versions of Samba and OS X networking) can be completely disabled without losing functionality. Instructions on how to disable the flawed version (SMBv1) in Windows are at https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012 - note that this is a bit technical and not immediately necessary, but is recommended.

PLEASE NOTE - most anti-malware products will provide only limited protection against this malware and against the variations that are likely on the way. The fixes mentioned above are the best and most complete protection.
ITSecurity
2012 Griso 8v SE - Tenni Green
2013 Stelvio NTX - Copper
2008 Norge GT - Silver

I am but mad north-northwest!
When the wind is southerly, I can tell a hawk from a handsaw...

Offline lti_57

  • Directly above the center of the Earth
  • Gaggle Mentor
  • ****
  • *
  • Posts: 336
  • Location: Spokane,WA.
Re: Recent malware news
« Reply #1 on: May 16, 2017, 02:02:39 PM »
Good reminder
even if you run embedded XP there is a patch
I spent about 12 hours last Friday taking care of our servers making sure they were up to date
2007 Guzzi Griso
1992 BMW K75

Offline ITSec

  • Gaggle Hero
  • *****
  • Posts: 3040
  • Location: Southwestern US
Re: Recent malware news
« Reply #2 on: May 16, 2017, 02:45:12 PM »
Good reminder
even if you run embedded XP there is a patch
I spent about 12 hours last Friday taking care of our servers making sure they were up to date

I know of a few industries where embedded Windows XP is still widely deployed, and the only saving grace against this attack has been their isolation from other parts of the networks they communicate with.

This will continue to simmer for some time yet.

BTW, for Linux users, a quick adjustment to your SMB.CONF file will make a start on closing that hole. If you are comfortable making direct changes, make sure there is a line in that file that reads something like "min protocol = SMB2" or "protocol = SMB2" (or any SMB 2 or higher). The exact syntax might have minor variations depending on the version of Linux, the distribution, and the version of Samba installed. All relatively current versions of Samba should support this means of disabling SMBv1 and using later, more secure versions. However, some versions of Linux and Samba default to using the oldest version to maximize compatibility and ease of use.

For Windows 10 users who are wondering, Windows 10 by default disables SMB v1 and it must be purposefully enabled. If you haven't done that (usually only if you had to link to Windows XP machines, for example), then you aren't exposed on this front.
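Added example (not code from the thread or from the Samba project): a small Python checker for the smb.conf setting described above. It parses the [global] section and reports whether the configured `server min protocol` (or its synonym `min protocol`) still admits an SMB1 dialect; Samba's bare `protocol` parameter is a synonym for `server max protocol`, so it does not raise the floor and is not consulted. The sample configs are constructed.

```python
# Added example: classify whether a Samba smb.conf still permits SMBv1.
# Samba's SMB1-era dialect names; SMB2_02 and upward are SMB2/SMB3.
SMB1_DIALECTS = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}

def _normalize(name):
    # Samba ignores case and whitespace in parameter names, and
    # 'min protocol' is a synonym for 'server min protocol'.
    key = "".join(name.split()).lower()
    return "serverminprotocol" if key == "minprotocol" else key

def parse_global(text):
    """Return [global] parameters as {normalized_name: value}; the last write
    wins, as in Samba. 'include =' and backslash continuations are not followed."""
    section, settings = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, _, value = line.partition("=")
            settings[_normalize(name)] = value.strip()
    return settings

def smb1_status(text):
    """'allowed': floor is an SMB1 dialect; 'blocked': floor is SMB2 or newer;
    'unset': no floor configured, so the build default applies (Samba
    before 4.11 defaulted to allowing SMB1)."""
    floor = parse_global(text).get("serverminprotocol")
    if floor is None:
        return "unset"
    floor = floor.upper()
    if floor in SMB1_DIALECTS:
        return "allowed"
    if floor.startswith(("SMB2", "SMB3")):
        return "blocked"
    return "unknown"  # unrecognised dialect name; review by hand

# Constructed sample configs, not taken from any real host.
LEGACY_CONF = """[global]
   ; kept for an old XP box
   min protocol = NT1
[homes]
   browseable = no
"""
HARDENED_CONF = """[global]
   server min protocol = SMB2_02
"""
```

Run `smb1_status(open("/etc/samba/smb.conf").read())` on a host to audit its live config; an "unset" result on an older Samba means SMB1 is still on.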

Offline rodekyll

  • Gaggle Hero
  • *****
  • Posts: 21218
  • Not my real name
Re: Recent malware news
« Reply #3 on: May 16, 2017, 07:08:52 PM »
Just to be clear -- are you saying that windows 7 and newer with current updates are properly protected from the ransomware as we know it, and that your basic antivirus is probably more limited?

Is the SMB issue a vulnerability for mac and unix only when initiated by an infected windows network, or can these other opsys be infected directly?

What about tablet os such as android?

Offline ITSec

  • Gaggle Hero
  • *****
  • Posts: 3040
  • Location: Southwestern US
Re: Recent malware news
« Reply #4 on: May 16, 2017, 08:12:31 PM »
Just to be clear -- are you saying that windows 7 and newer with current updates are properly protected from the ransomware as we know it, and that your basic antivirus is probably more limited?

Is the SMB issue a vulnerability for mac and unix only when initiated by an infected windows network, or can these other opsys be infected directly?

What about tablet os such as android?

Windows 7 and newer are protected if they are up to date - the patch for the flaw being exploited by the malware was part of the March updates and should have been applied by now.

Windows XP and Vista are protected ONLY if they go to the page I linked and manually update using a patch listed on that page. Since they are out of support, this is an exceptional thing done by Microsoft due to the severity of the threat. It's also particularly important since disabling SMB on these machines is more involved, and (since they are used widely by non-technical users) is less likely to happen.

The anti-malware vendors have been dealing with the actual encrypting malware itself, but have done less to deal with how it transports itself. Also, the malware has had a number of variations come out over the past 3 days and they're not always recognized right away. Thus, the importance of eliminating the target of the attack rather than dodging arrows.

The SMB issue is a problem for ALL versions of Windows, Linux and OS X - it is NOT the flaw exploited by the malware, but is used by the malware to spread to other systems once it has reached a first vulnerable machine on a given LAN. So far, the malware package delivered to the machines is Windows specific, but the same SMB vector could be used to distribute malware for Linux or OS X systems. Windows 10 is not susceptible by default, and the most recent versions of Linux and OS X are likely not, but all of them still have this flawed version of SMB installed and it can be triggered to turn on under certain conditions. Better to explicitly disable it. Note that this is a 'recommended' step to close off a means of malware spread, rather than getting rid of something the malware actually uses to infect the machine. It's like putting on protective gear before dealing with contagious patients.

As for Android and iOS, there is no clear evidence that they are subject to the SMB flaw - testing is going on now. It's a bit messy on these devices, since SMB code can be packaged with apps as an add-on rather than being a system-level protocol/service.

BTW, this old version of SMB goes back to the 1980s - it actually first appeared in such products as Windows for Workgroups v3.11. It has been hanging on for compatibility's sake, and because it is so simple it has been popular as a way to make Windows and non-Windows machines talk to each other. Nobody has wanted to cut it off, even though it has numerous security flaws and can easily be hijacked to do things like this malware does. It is an inherently insecure protocol in terms of the modern world and should be eliminated or at least disabled.

Offline rodekyll

  • Gaggle Hero
  • *****
  • Posts: 21218
  • Not my real name
Re: Recent malware news
« Reply #5 on: May 16, 2017, 09:12:46 PM »
Thanks for elaborating.  Yes, it is very unusual for MS to write XP/VISTA (and server 2003) updates.

I had a March patch choke on my old DELL W7 computer.  By the time I isolated the offender I didn't have time to install the others before shipping it back to Seattle.  I'll be unpcaking it mid-June.  Will this be over by then, or will it be just beginning?

Offline ITSec

  • Gaggle Hero
  • *****
  • Posts: 3040
  • Location: Southwestern US
Re: Recent malware news
« Reply #6 on: May 17, 2017, 12:29:01 AM »

I had a March patch choke on my old DELL W7 computer.  By the time I isolated the offender I didn't have time to install the others before shipping it back to Seattle.  I'll be unpcaking it mid-June.  Will this be over by then, or will it be just beginning?

It will still be ongoing. So long as you update the system before starting to do any work with it, you'll be fine though. The initial attack is through things like emails with links, etc. The SMB kicks in once the malware has a toe-hold in your LAN, since SMB won't travel over the Internet (just LANs and VPNs).

Offline chuck peterson

  • Gaggle Hero
  • *****
  • *
  • *
  • *
  • *
  • Posts: 5438
  • Location: New Haven CT
Re: Recent malware news
« Reply #7 on: May 17, 2017, 05:47:41 AM »
 :popcorn:

Ah, come on man...I just got used to fuel injection....

 :popcorn:

Thanks Itsec, that's great advice, thanks.
"I'd like to thank all my friends who have kept my Guzzi's going, but mostly...TOMB."
150k on Verts
750 Nevada
400f
R5 Yammie
BV250
4x 1976 Moto Demm Smily,, now 5, oops now 6, oops now 7
1980 SP1000 in little bits and pieces

Offline azguzzirep

  • Gaggle Hero
  • *****
  • Posts: 2692
  • Gratzi Carlo!
  • Location: Neckarhausen, Deutschland 72622
Re: Recent malware news
« Reply #8 on: May 17, 2017, 08:10:18 AM »
No worries for me, I haven't got a computer ☺
Murphy's Law sucks!

Offline Arizona Wayne

  • Gaggle Hero
  • *****
  • Posts: 6257
Re: Recent malware news
« Reply #9 on: May 18, 2017, 12:22:52 AM »
My Windows 7 was corrected a few days ago and with PC Matic ($50) I don't have any issues.  :bow:
« Last Edit: May 18, 2017, 12:24:39 AM by Arizona Wayne »

Offline fossil

  • Gaggle Hero
  • *****
  • Posts: 693
Re: Recent malware news
« Reply #10 on: May 18, 2017, 07:43:19 AM »
My Windows 7 was corrected a few days ago and with PC Matic ($50) I don't have any issues.  :bow:

Uh oh... you should consider leaving a recently fixed computer alone and invest in a respectable antivirus product (GDATA, Kaspersky, McAfee, Bitdefender, ...) if the Microsoft onboard solution is not enough for you. And please observe: the best computer protection system should be placed in front of the keyboard.
Greetings from Germany!
Thorsten

Penderic

  • Guest
Re: Recent malware news
« Reply #11 on: May 18, 2017, 10:33:59 AM »
Digital surveillance is everywhere now.  :angry:

It's about time to bring back the analog anti-spy devices.

 :lipsrsealed:

Offline normzone

  • Gaggle Hero
  • *****
  • Posts: 3159
  • '72 Eldo - 1980 to 1990 - '99 Bassa 2014 - 2023
  • Location: San Diego CA
Re: Recent malware news
« Reply #12 on: May 18, 2017, 11:35:17 AM »
I had a March patch choke on my old DELL W7 computer.  By the time I isolated the offender I didn't have time to install the others before shipping it back to Seattle.  I'll be unpcaking it mid-June.  Will this be over by then, or will it be just beginning?

Wow, that's cool - you just taught me something new about computers I'll have to go research - I've never upcaked yet.
That's the combustion chamber of the turbo shaft. It is supposed to be on fire. You just don't usually see it but the case and fairing fell off.

Offline rodekyll

  • Gaggle Hero
  • *****
  • Posts: 21218
  • Not my real name
Re: Recent malware news
« Reply #13 on: May 18, 2017, 12:35:47 PM »
Wow, that's cool - you just taught me something new about computers I'll have to go research - I've never upcaked yet.

Check to be sure it's legal in your state. 

Offline screamday

  • Gaggle Hero
  • *****
  • Posts: 2365
  • Location: South Carolina
Re: Recent malware news
« Reply #14 on: May 18, 2017, 01:20:10 PM »
Wow, that's cool - you just taught me something new about computers I'll have to go research - I've never upcaked yet.
Check to be sure it's legal in your state.

It's legal in SC.

Tony in SC
"Comfort the disturbed and Disturb the comfortable"
1988 R100RS
1998 V11 EV

Offline rodekyll

  • Gaggle Hero
  • *****
  • Posts: 21218
  • Not my real name
Re: Recent malware news
« Reply #15 on: May 18, 2017, 01:21:46 PM »
Check to be sure it's legal in your state.

It's legal in SC.

Then go for it!  It can be a lot of fun between consenting parties.   :thumb:

Offline Arizona Wayne

  • Gaggle Hero
  • *****
  • Posts: 6257
Re: Recent malware news
« Reply #16 on: May 18, 2017, 11:30:13 PM »
Uh oh... you should consider leaving a recently fixed computer alone and invest in a respectable antivirus product (GDATA, Kaspersky, McAfee, Bitdefender, ...) if the Microsoft onboard solution is not enough for you. And please observe: the best computer protection system should be placed in front of the keyboard.

Good try on attempting to scare me, fossil.  You failed.  :tongue:

Online nc43bsa

  • Gaggle Hero
  • *****
  • *
  • *
  • *
  • *
  • Posts: 1465
  • Location: Mooresville NC
Re: Recent malware news
« Reply #17 on: May 19, 2017, 01:14:01 AM »
Any word on if it affects Ubuntu?
1990 MilleGT

Offline ITSec

  • Gaggle Hero
  • *****
  • Posts: 3040
  • Location: Southwestern US
Re: Recent malware news
« Reply #18 on: May 19, 2017, 08:34:42 PM »
Any word on if it affects Ubuntu?

The malware doesn't, but the Samba implementation on all distributions of Linux (Ubuntu is a variation of the Debian distribution of Linux) needs to be configured and/or patched to prevent the SMBv1 protocol from being used. Since the exact method varies from one version to another, I provided the basics in an earlier message and leave it to you to check the exact method for your own version.
