
Forum Index : Microcontroller and PC projects : WannaCry worm...

     Page 1 of 3    
Grogster

Admin Group

Joined: 31/12/2012
Location: New Zealand
Posts: 9082
Posted: 02:05am 15 May 2017

Hi folks.

This has been all over the news in the last few days.

It would seem to be very destructive.

Microsoft have released patches to fix this in Windoze, so make sure you apply all recent updates from Microsoft, and check your anti-virus software.

Anyone here been bitten by this?

I have multiple backups including one other Windoze machine (which technically could be compromised by this gunk if it got into my LAN), and other backups on Linux machines and Cloud Storage, which should be reasonably immune to this latest filth.

I expect that all members here have solid and logical backup regimes, correct?

I.e.: many people don't have any kind of backup other than the local copy. If this is you, this latest slime making the rounds on the net is a good chance for you to get some storage in the cloud, or on a NAS drive or something.
Smoke makes things work. When the smoke gets out, it stops!
 
MicroBlocks

Guru

Joined: 12/05/2012
Location: Thailand
Posts: 2209
Posted: 02:20am 15 May 2017

Also don't forget to restore the backups on another disk from time to time. You don't want to find out that your backups cannot be restored as you thought they would. :)

My most valuable files are on multiple removable hard disks. No good to have them attached when ransomware like this happens.

Microblocks. Build with logic.
 
Boppa
Guru

Joined: 08/11/2016
Location: Australia
Posts: 814
Posted: 02:34am 15 May 2017

So far it only seems to be affecting Windows versions 8 and earlier; so far 10 isn't affected, neither is any other O/S.
I've patched the netbook, but left the laptop unpatched atm, mostly because I don't trust rushed Microsoft patches, they have a history of breaking things and I've got ghosts of both of their HDDs anyway.


Mostly I surf on either the netbook or the Ubuntu systems, so fingers x'd, good so far.

It does reinforce the old adage- backup, backup and backup.....

With TB external HDDs so cheap, just copy the important stuff to an external HDD and disconnect it when not in use; better still, have several, and take one offsite!

Another handy thing to have is a USB stick with Ubuntu or another flavour of Linux on it; should your O/S be corrupted, simply plug in the stick and use it to fix or format.
 
Grogster

Admin Group

Joined: 31/12/2012
Location: New Zealand
Posts: 9082
Posted: 03:30am 15 May 2017

Completely agree. I work on a triple-redundant backup concept.
Three separate copies of important data on three different mediums, with at least one of those mediums being off-site such as cloud storage so that you can still suck a copy of that data off the cloud, should you have a fire or flood or something horrible like that - God forbid.

QUESTION: If this worm encrypts your HDD, I wonder if that follows that it would try to encrypt your DropBox content too? The content stored on the Dropbox servers, that is. It would probably encrypt the local Dropbox content on your HDD, but could it encrypt the Dropbox copy itself I wonder? I expect not, but when something like this comes along, who knows.
Smoke makes things work. When the smoke gets out, it stops!
 
JohnS
Guru

Joined: 18/11/2011
Location: United Kingdom
Posts: 3678
Posted: 03:30am 15 May 2017

Does it need SMB enabled so it can spread?

If so, is SMB any use anyway on a typical desktop/laptop PC?
To put it another way, why is it even enabled?

But also... wouldn't routers block it?

Apparently not, judging by the spread - any more info please? What's going on?

Is there a good list somewhere, preferably with scripts, that disables lots of the things MS leave enabled but which are realistically unused by home users?

John
 
Grogster

Admin Group

Joined: 31/12/2012
Location: New Zealand
Posts: 9082
Posted: 03:46am 15 May 2017

I have not researched this in depth, but as far as I know, SMB is a very common Windows file-sharing protocol. Most Linux distros use SAMBA to talk to Windows machines for file-sharing, using that SMB/CIFS network protocol.

You can read about SMB here.

By default, SMB is enabled as far as I know, to allow any other Windows machines to be discoverable by the network.

There are some posts on the web suggesting that you should disable SMB1, SMB2 and SMB3 on Windows machines. I would expect that disabling SMB on any Windows machine will instantly kill any attempts to share files on the Windows network via CIFS (see link).

The idea being that this would instantly stop any infected machine from spreading its crud around the LAN it found itself on. The problem is that this would also mean that all your file-sharing between Windows machines that use standard Windows file-sharing would probably also cease to function, as you have then disabled the protocol.

The patch released by Microsoft would seem to fix the vulnerability so long as you apply it right now, BEFORE you get bitten. If you have your machine set to automatically install important updates, this has probably already happened. If you manually update, you should check for and install any updates right now so that the patch is applied, and you can't be bitten by this.

I would wish this on no-one. It appears to use 2048-bit encryption keys, and deletes the reference key after having sent it to the ransom-ware slime-balls, so there is no key to find and use to decrypt the files, and with 2048-bit encryption, you'd never be able to work out what the key was without access to a super-computer.

Edited by Grogster 2017-05-16
Smoke makes things work. When the smoke gets out, it stops!
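An added example of the audit-then-harden step discussed above (not code from anyone in this thread). It assumes Windows 8/10 or Server 2012+ with the SmbShare, NetTCPIP, NetConnection and NetSecurity modules, run from an elevated PowerShell prompt; the KB identifier is a placeholder to be taken from Microsoft's bulletin.

```powershell
# Added example: check SMB exposure on a Windows 8+/10 machine and turn off only
# SMB1, so SMB2/3 file sharing between Windows boxes keeps working.
# Assumes an elevated prompt and the SmbShare/NetTCPIP/NetConnection/NetSecurity modules.

# 1. Is the old SMB1 dialect still enabled on this machine's server side?
$smb = Get-SmbServerConfiguration
"SMB1 enabled  : $($smb.EnableSMB1Protocol)"
"SMB2/3 enabled: $($smb.EnableSMB2Protocol)"

# 2. What is bound to TCP 445 right now, and which peers are talking to it?
Get-NetTCPConnection -LocalPort 445 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, RemoteAddress, State |
    Format-Table -AutoSize

# 3. Which firewall profile is active? The Public profile blocks inbound file
#    sharing by default; Private/Domain allow it from the local network.
Get-NetConnectionProfile | Select-Object Name, NetworkCategory

# 4. Is the SMB fix installed? Placeholder: substitute the KB number from the bulletin.
$kb = 'KB<from-microsoft-bulletin>'
if (Get-HotFix | Where-Object HotFixID -eq $kb) { "$kb present" } else { "$kb MISSING" }

# 5. Remediation: disable SMB1 alone, after confirming nothing old (XP boxes, an
#    aged NAS) on the LAN still depends on it.
if ($smb.EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}

# 6. Belt and braces: explicitly refuse unsolicited inbound 445 on public networks.
$ruleName = 'Block inbound SMB (TCP 445) on public networks'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 445 -Action Block -Profile Public
}
```

Windows 7 and XP lack these cmdlets, so on those machines the same checks have to be done through the Windows Features dialog and the firewall GUI.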
 
MicroBlocks

Guru

Joined: 12/05/2012
Location: Thailand
Posts: 2209
Posted: 04:03am 15 May 2017

It would encrypt all your files on dropbox also as these are constantly synced with the ones on your disk. However dropbox keeps revisions of files, so you could go back to a previous one. Doing that for hundreds of files would still be a disaster though.

Backing up to the cloud is fine for small files and when you do not need them all at once. For databases it does not work so well.
If you do a restore it can take hours or days before all data is transferred.
Some offer a 'harddisk' service so that you can come and get a disk instead of downloading all via the internet. Comes at a cost of course.

Currently I have a copy on a virtual machine that can be disconnected from the internet. Just accessible through a KVM. I connect it to a local network, copy all the files and then disconnect. So both the virtual network cards are disabled, preventing it being accessed from the internet.
Edited by MicroBlocks 2017-05-16
Microblocks. Build with logic.
 
Grogster

Admin Group

Joined: 31/12/2012
Location: New Zealand
Posts: 9082
Posted: 04:18am 15 May 2017

  MicroBlocks said   It would encrypt all your files on dropbox also as these are constantly synced with the ones on your disk. However dropbox keeps revisions of files, so you could go back to a previous one. Doing that for hundreds of files would still be a disaster though.


Oh.
That sounds perfectly delightful. I have a 1TB Dropbox account too. I might look at backing that up to a spare 1TB external drive; I have several.

I really hope that Interpol (or whoever) can find these scum-bags and throw them in the clink. The damage this has already done across the world is remarkable. Many NHS servers and systems in England have been infected with this crud, so I see on the news tonight and last night.

I can never understand virus-writers. They are obviously extremely talented at writing complex code to circumvent security and/or take advantage of vulnerabilities, so why not put that talent to more ethical use. I suppose it is all about ill-gotten-gain. I guess I will never understand that mentality.

...but I digress.
Smoke makes things work. When the smoke gets out, it stops!
 
Grogster

Admin Group

Joined: 31/12/2012
Location: New Zealand
Posts: 9082
Posted: 04:29am 15 May 2017

  JohnS said  But also... wouldn't routers block it?


No. As it is a worm, it is just network packets. The routers don't care, they just forward the packet to the machine requesting it. The fact it may contain a nasty virus code means nothing to the router controller chip, unfortunately.

This is why worms can be much worse than your standard "virus", even though a worm IS a virus. But it's the way in which a worm can replicate itself which is what makes them so nasty.

Wikipedia has information on it, but as this is a very new virus, information on it will change almost daily at the moment as more and more is found out about it.

Wikipedia link about the virus.

Computer worm description.
Smoke makes things work. When the smoke gets out, it stops!
 
CaptainBoing

Guru

Joined: 07/09/2016
Location: United Kingdom
Posts: 1995
Posted: 04:45am 15 May 2017

  Grogster said  
I really hope that Interpol(or whoever) can find these scum-bags and throw them in the clink.


I read the attack has been traced to USA, so there's a good chance you may get your wish. It also seems the worm is based on the leaked NSA infiltration work.

  Grogster said  
I can never understand virus-writers. They are obviously extremely talented at writing complex code to circumvent security and/or take advantage of vulnerabilities, so why not put that talent to more ethical use.


"hard work pays off in time, crime pays off now" ... as blocks pointed out, it is just the evolution in crime - bank robberies are too risky so we get this menace... and they only have to spend the rest of their lives looking over their shoulder - no problem for cretins with no conscience.

Edited by CaptainBoing 2017-05-16
 
JohnS
Guru

Joined: 18/11/2011
Location: United Kingdom
Posts: 3678
Posted: 04:56am 15 May 2017

As I gather, SMB over TCP/IP must be what's involved or it would not spread across the net.

Apparently it uses port 445.

Desktop/laptop PCs in homes and the like should not be going out (let alone allowing in) packets over port 445 and in addition why would routers allow in packets via that port?

(They are deliberately malformed packets but why would the router allow them to arrive unasked-for?)

In addition, most PCs running Windows are in homes and the like so do not need SMB at all, do they? If most do, what for?

John
Edited by JohnS 2017-05-16
 
Grogster

Admin Group

Joined: 31/12/2012
Location: New Zealand
Posts: 9082
Posted: 05:04am 15 May 2017

Hi John.

Where did you find the port 445 reference?
I have not read anything about that yet, so would like to read that.

If this crud does indeed use port 445, and most private routers won't/shouldn't use port 445, then that means, as you say, we private users SHOULD be reasonably well protected by the very fact that we don't use that port.

I seem to recall the news reports saying that this worm is designed to target businesses, so perhaps that is why we are only hearing of companies being bitten at this stage, and so far, no reports of private PC users at home.

Yet.
Smoke makes things work. When the smoke gets out, it stops!
 
JohnS
Guru

Joined: 18/11/2011
Location: United Kingdom
Posts: 3678
Posted: 05:11am 15 May 2017

It's in the Wikipedia details here.

I would have hoped that not only would routers refuse incoming attempts to open connections (as opposed to replies) but also that home users (*) would have nothing willing to look at such packets (malformed or otherwise).

(*) of Windows, in this case, as other things like Linux won't have anything by default on such ports (I hope!)

John
Edited by JohnS 2017-05-16
 
MicroBlocks

Guru

Joined: 12/05/2012
Location: Thailand
Posts: 2209
Posted: 05:47am 15 May 2017

The blame can be put on the shoulders of the developers.
They wrote the software that needed file sharing and did not update it.
File sharing should be off all the time unless it is in a DMZ, but even then it is a risk.
I remember writing software that used that (Windows machines on a Novell network), but then there was no internet. Then it was OK to do it.

There are other ways to share files (as Google, Amazon, Dropbox, etc. prove), so the need for file/printer sharing is just out of laziness.
In the days of XP it was more difficult for sure, so then at least there should be protection against the outer world. If that is also not done then you get this problem.
That large organizations get into trouble with this is a good signal to replace parts of their IT department as this is just basic knowledge in that field.


Microblocks. Build with logic.
 
BobD

Guru

Joined: 07/12/2011
Location: Australia
Posts: 935
Posted: 09:49am 15 May 2017

Here is a headline that I just read.

If you're still using Windows XP, you're a menace to society.

Strong stuff. You can read the whole story here.
 
JohnS
Guru

Joined: 18/11/2011
Location: United Kingdom
Posts: 3678
Posted: 10:26am 15 May 2017

  BobD said   Here is a headline that I just read.

If you're still using Windows XP, you're a menace to society.

Strong stuff. You can read the whole story here.
Rather unfair.

If MS had not kept making unjustifiable changes to the Windows APIs and to the device drivers it would be much fairer, but they did those things and caused lots of apps to not work on Windows after XP, plus lots of hardware to be orphaned. Not funny.

The real menaces are:
1. the virus writers
2. the NSA et al for not revealing the flaws
3. Mickeysoft for the above unethical behaviours

I actually did well by buying some of the hardware and using it with Linux :)

A lot more went to landfill :(

And some is needed in hospitals etc so they had the unenviable choice of huge expenditure or limp along with the problems MS caused.

Some of the systems are not networked so will be OK. (Well, until some moron plugs in an infected USB drive or the like.)

Ideally organisations will learn from all this and dump Windows. Nahhhh...
If only!

John
Edited by JohnS 2017-05-16
 
Phil23
Guru

Joined: 27/03/2016
Location: Australia
Posts: 1664
Posted: 11:15am 15 May 2017

  BobD said   Here is a headline that I just read.

If you're still using Windows XP, you're a menace to society.


I'd really like to know about their intended primary targets.

Quite some years back I made the observation that all Supercheap Auto outlets ran Win2000 Pro, at a time when XP was well & truly accepted & a couple of service packs down the road.

At the time my thoughts were, yes it's VERY stable, but getting a bit long in the tooth, hadn't seen major updates for a while; but it seemed to be still the main platform company wide.

These attackers must have had similar knowledge of their primary targets.

Phil.
 
JohnS
Guru

Joined: 18/11/2011
Location: United Kingdom
Posts: 3678
Posted: 11:19am 15 May 2017

Supposedly it's based on leaked (USA) NSA code.

They won't be saying.

John
 
Grogster

Admin Group

Joined: 31/12/2012
Location: New Zealand
Posts: 9082
Posted: 02:54pm 15 May 2017

Re. the XP menace thing: kinda agree with JohnS, perhaps a little unfair IN SOME RESPECTS. Although, the guy does say "Brutal? You betcha.", kinda insinuating that this is a somewhat deliberate over-reaction on his part to make a point.

I still have an XP machine that runs the MP3 playback for my radio station. It is on the network, but it has no gateway so cannot see the Internet at all. This would not stop it from being compromised if that slime of a worm got into my LAN though.

As of today, I have unplugged it from the network. It does not NEED network to play the music, as it is all stored on a local HDD. So, it's "Offline" for now, just to play it safe.

I would still love to read any information about whether this worm will actually go after any private PCs, as has now been suggested in this thread; perhaps it won't. It will if you give it half a chance and it gets into your LAN, but if it does not target private networks, then it is businesses connected to the web that will be most at risk I would think, yes?

Still pays not to be too complacent with this kind of level of threat though.

Reading more about this today, it would seem that people like the NHS in England were warned about this threat years ago, but did nothing to protect themselves by way of system upgrades or suitable security measures. If that is indeed the case, then I lose quite a bit of my sympathy for them. Not that I would ever wish that on anyone regardless.
Smoke makes things work. When the smoke gets out, it stops!
 
Boppa
Guru

Joined: 08/11/2016
Location: Australia
Posts: 814
Posted: 03:17pm 15 May 2017

  BobD said   Here is a headline that I just read.

If you're still using Windows XP, you're a menace to society.

Strong stuff. You can read the whole story here.


If you read down the comments, the writer is copping it big time from his readers LOL.

I know I still use XP, simply because it works and is stable, oh and I have literally thousands tied up in equipment I have 0% chance of being able to replace unless I win lotto, and some even if I had Bill Gates' fortune would still be running XP, simply because it is the last stable DOS-supporting O/S (I have been looking at the Micromite stuff, simply as a possible replacement for that gear's computer, which is getting flaky with age; it still has a full-height 5 1/4" floppy drive in it, although I don't actually have any floppies that still work for it; the ones I have all fail to read for some reason lol).
But even then, the computer I am on atm doesn't even have Windows on it anymore; it was Vista originally, shudders, and is now Ubuntu and has been for a long time.
(Vista, the child kept locked in the basement. I shudder even typing that name, the horrors it caused....)


Not to mention the literally thousands of unpaid hours I have spent fixing other people's computers up as they blindly followed the incredible trek of O/S's since XP:

Vista (2 major versions of), Win 7 (three major versions of), Win 8 (2 versions of), and now Win 10.

In every version dozens if not 100's of patches, all of which break some function that someone was using and wants back.....

In fact it's writers like the one in that article, who insist on blindly following Microsoft's lead, that cause the issues. It's good for technogeeks (and I am one) to want the latest and greatest all the time, but most people simply want it to work, and to KEEP working, without having to learn where the hell Bill hid the menu items THIS time. Microsoft insists on moving and renaming menu items, so the users have to keep relearning how to do the same thing.

AAARRRGGGHHH!!!!!!!!



calm blue ocean, calm blue ocean, calm blue ocean.........
 