Posts Tagged ‘Malware’

The WannaCry / Wcry / WannaCrypt attack

May 14th, 2017 Comments off

Six months ago I had a talk with Fabio Viggiani about how ransomware was developing, and we made an educated guess that the next big type of ransomware attack would be CRYPTOWORMS!

Over the last few days many of us witnessed how a major ransomware attack affected organizations across the world. Telefonica in Spain, the National Health Service in the UK and FedEx in the US are some to mention among many, many more. The ransomware variant responsible for this attack was reported to be known as ‘WannaCry’.

The malware has the ability to spread to other systems by scanning for and attacking the Server Message Block (SMB) protocol, resulting in worm behaviour. Once the malware has a foothold on a system it uses different techniques to persist on that host. The WannaCry malware appeared to primarily use the ETERNALBLUE modules for the initial exploitation of the SMB vulnerability addressed as part of Microsoft Security Bulletin MS17-010. If successful, it then used the DOUBLEPULSAR backdoor to install the ransomware.
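The worm behaviour described above has a simple network signature: a single host starts connecting to many different peers on TCP port 445 within a short time. The script below is an added example (not code from the original post or from any vendor tool) that slides a time window over connection-log lines and flags sources that reach a threshold of distinct SMB destinations. The log format and the sample lines are constructed for this example; the threshold and window are assumptions that you would tune to your own environment.

```python
"""Flag hosts that fan out to TCP/445 on many distinct peers within a short window.

Constructed example: one log line per TCP connection attempt, with the fields
"timestamp src_ip dst_ip dst_port". Real firewall or NetFlow exports differ, so
parse_line() is the only part you would need to adapt.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real telemetry).
# 10.0.1.20 touches six distinct peers on 445 within nine seconds (worm-like).
# 10.0.1.30 touches six peers on 445 spread over 25 minutes (ordinary file-share use).
# 10.0.1.50 talks to 443 only and is ignored. The repeated 10.0.1.9 line must count once.
SAMPLE_LOG = """\
2017-05-12T10:00:00 10.0.1.20 10.0.1.5 445
2017-05-12T10:00:02 10.0.1.50 10.0.1.5 443
2017-05-12T10:00:05 10.0.1.20 10.0.1.6 445
2017-05-12T10:00:06 10.0.1.20 10.0.1.7 445
2017-05-12T10:00:06 10.0.1.20 10.0.1.8 445
2017-05-12T10:00:07 10.0.1.20 10.0.1.9 445
2017-05-12T10:00:07 10.0.1.20 10.0.1.9 445
2017-05-12T10:00:08 10.0.1.20 10.0.1.10 445
2017-05-12T10:00:09 10.0.1.30 10.0.1.5 445
2017-05-12T10:05:00 10.0.1.30 10.0.1.6 445
2017-05-12T10:10:00 10.0.1.30 10.0.1.7 445
2017-05-12T10:15:00 10.0.1.30 10.0.1.8 445
2017-05-12T10:20:00 10.0.1.30 10.0.1.9 445
2017-05-12T10:25:00 10.0.1.30 10.0.1.10 445
"""


def parse_line(line):
    """Parse one constructed log line into (timestamp, src_ip, dst_ip, dst_port) or None."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        port = int(parts[3])
    except ValueError:
        return None
    return ts, parts[1], parts[2], port


def find_smb_fanout(log_text, threshold=5, window=timedelta(seconds=60), port=445):
    """Return {src_ip: (window_start, distinct_peers)} for every source that reached
    `threshold` distinct destinations on `port` inside any `window`-long interval.

    Only the first window that crosses the threshold is reported per source.
    """
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[3] != port:
            continue
        ts, src, dst, _ = rec
        by_src[src].append((ts, dst))

    alerts = {}
    for src, events in by_src.items():
        events.sort()
        in_window = defaultdict(int)  # dst_ip -> number of events inside the window
        left = 0
        for ts, dst in events:
            in_window[dst] += 1
            # Evict events older than `window` relative to the newest event.
            while ts - events[left][0] > window:
                old_dst = events[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            if len(in_window) >= threshold and src not in alerts:
                alerts[src] = (events[left][0], len(in_window))
    return alerts


if __name__ == "__main__":
    for src, (start, peers) in find_smb_fanout(SAMPLE_LOG).items():
        print(f"ALERT {src}: {peers} distinct SMB peers within 60s starting {start}")
```

The sliding window keeps a per-destination count rather than a set so that a duplicate connection to the same peer does not inflate the fan-out figure. A backup agent or a vulnerability scanner will also trip this rule, so the practical use is to whitelist those known sources and alert on everything else.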

The domain, a “randomly” human-typed address consisting primarily of keys from the top row of the keyboard, was observed in the malware code as a kill switch. If the malware could establish communication with that domain it would stop; because the domain wasn’t registered, the malware continued to execute. A researcher worked out what was going on, simply registered the domain name and thereby activated the kill switch!

In this particular case, the foremost reason for the success of “WannaCry” was that many organisations had not upgraded or patched their systems. Reports started talking about the malware hitting machines as old as Windows XP and Windows 2003! Once infected, other problems appeared: many affected individuals and organisations had no proper backups to recover from the ransomware.

At this point many affected entities are in the clean-up phase of the “WannaCry” story. Vendors and security professionals are helping out with patches, signatures, detection tools, removal tools, damage assessment and recommendations. The bigger lesson remains that we need to reinforce proper security focus and measures such as:

  • Keep systems current and supported
  • Apply and verify patches early
  • Establish robust backups and recovery procedures
  • Lock down and harden machines
  • Enforce least privilege and protect administrative privileges
  • Don’t open suspicious emails or attachments
  • Restrict access to network resources
  • Block unnecessary ports and implement host-based firewalls
  • Enhance your ability to detect attacks
  • Ensure you have the tools to perform incident response
  • Establish strategies to inform users

These recommendations and many more discussions and security features and strategies are discussed as part of my Windows Cyber Security Road Trip. The class offers a detailed description and demonstrations of current risks and how to mitigate these risks using modern tools, features and strategies in the most current versions of Windows 10 and Windows Server 2016.

To summarize some of the most important steps needed during an attack, we made this poster.
Play safe and make sure you are well prepared before the next time!

Boston Marathon Spam

April 17th, 2013 Comments off

It didn’t take long for spammers to start abusing the Boston Marathon bombing, sending emails with links to various YouTube videos of the explosions at the Boston Marathon, an automatic download of a malicious binary named “boston.avi_______.exe”, embedded malicious Java code and other iframed pages with malicious content.
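The binary name in this campaign relies on a common trick: a decoy media extension followed by a run of padding so that the real `.exe` extension is pushed out of view in a truncated file listing. The function below is an added example (not from the original post) of a mail-gateway style check that flags such attachment names; the extension lists are a small illustrative subset, and the decoy and padding heuristics are assumptions of this example rather than any product's logic.

```python
"""Flag attachment names that disguise an executable behind a decoy extension.

Constructed example. The sets below are deliberately short; a real deployment
would carry the full list of extensions the host platform will execute.
"""
import re

# Extensions that Windows runs directly (illustrative subset).
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
# Harmless-looking extensions attackers like to imitate (illustrative subset).
DECOY_EXTENSIONS = {"avi", "mp4", "jpg", "png", "pdf", "doc", "txt"}


def analyze_filename(name):
    """Return a list of reasons the name looks deceptive; an empty list means nothing flagged."""
    reasons = []
    base = name.strip().lower()
    ext = base.rsplit(".", 1)[1] if "." in base else ""
    if ext not in EXECUTABLE_EXTENSIONS:
        return reasons
    reasons.append(f"executable extension .{ext}")
    stem = base[: -len(ext) - 1]  # everything before the real extension

    # Decoy extension immediately before the real one, optionally followed by
    # padding: "holiday.jpg.exe" or "boston.avi_______.exe".
    decoy = re.search(r"\.([a-z0-9]{2,4})[\s_\-]*$", stem)
    if decoy and decoy.group(1) in DECOY_EXTENSIONS:
        reasons.append(f"decoy extension .{decoy.group(1)} before the real one")

    # Three or more padding characters right before the real extension push it
    # out of a narrow column in mail clients and file dialogs.
    if re.search(r"[\s_\-]{3,}$", stem):
        reasons.append("padding before the real extension hides it in a truncated display")
    return reasons


if __name__ == "__main__":
    # Constructed sample names; only the first is from the campaign described above.
    for sample in ["boston.avi_______.exe", "holiday.jpg.exe", "setup.exe", "report.pdf"]:
        print(sample, "->", analyze_filename(sample) or "ok")
```

The check is intentionally conservative: a plain `setup.exe` is reported only for being an executable, while the combination of a decoy extension and padding is what distinguishes the campaign's lure from a legitimately named installer.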

Sample email

Sample landing page with videos and Java

Battling the Rustock Threat

July 10th, 2011 Comments off

Microsoft has published a document that provides an overview of the Win32/Rustock family of rootkit-enabled backdoor trojans.

The document examines the background of Win32/Rustock, its functionality, how it works, and provides threat telemetry data and analysis from calendar year 2010 through May 2011.

In addition, the document details the legal and technical action used to take down the Rustock botnet and how to detect and remove the threat using Microsoft antimalware products.