Help me understand the WannaCry threat

Hi All,

https://blog.malwarebytes.com/cybercrime/2017/05/how-did-wannacry-ransomworm-spread/

I'm struggling to understand the attack vectors regarding WannaCry. Most sites simply say it's an SMB exploit found in WinXP, 7, 2003, 2008 but not much else.

Could someone please help me understand how the virus would enter a network and do damage?

If a network has a firewall blocking all major ports apart from, say, 80/443, and no NAT rules, how can the network become infected, even if it's full of XP machines? Via a website? What about if there's a web proxy with a whitelist?

Thanks!!
 
OK, so it seems it started from someone clicking on an email. It doesn't say how it spread from company to company. Unless there are millions of idiots clicking on random emails?

https://www.ft.com/content/82b01aca-38b7-11e7-821a-6027b8a20f23?mhq5j=e2


"EternalBlue exploits a security loophole in Windows operating systems that allows a malicious code to spread through structures set up to share files — such as dropboxes and shared drives for documents or databases — without permission from users. “The widespread use of filesharing between organisations is to some extent a dream come true for a cyber criminal,” says Darren Thomson, chief technology officer of Symantec, the anti-virus and web security company. “If you can exploit a filesharing vulnerability, then you can get to tens or even hundreds of thousands of users.”"

I can't believe that, out of all the companies that got hit, they all used shared drives between each other (domain trusts) or launched iffy emails. Now the article states "the structure set up to share files", which I assume means SMB. It still doesn't say how it spreads between companies.

Question: When the virus encrypts a document, does that document itself contain a self-replicating virus?

Edit: Well, it does seem the spread between companies was through email.

As evident from its worldwide attacks, WannaCrypt first gains access to the computer system via an email attachment and thereafter can spread rapidly through the LAN. The ransomware can encrypt your system's hard disk and attempts to exploit the SMB vulnerability to spread to random computers on the Internet via TCP port and between computers on the same network.
 
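The spreading behaviour quoted above (one host hammering TCP/445 on its own LAN and on random Internet addresses) is exactly what an egress firewall log will show, whether or not the firewall lets the traffic out. As an added example, not from this thread or the linked articles, here is a small detector that reads firewall flow records and flags any source that contacts many distinct hosts on 445 within a short window. The log line format, the sample traffic, the "internal" address ranges (plain RFC 1918 space) and the threshold/window values are all constructed for this example and are not any real product's syntax or a tuned rule.

```python
"""
Flag WannaCry-style SMB worm scanning in firewall flow logs.

Constructed log format for this example (not a real firewall's syntax):
    <ISO-8601 timestamp> <src_ip> -> <dst_ip>:<dst_port>/tcp <ALLOW|DENY>

Heuristic: a single source touching many *distinct* hosts on TCP/445 in a
few minutes is propagation, not a user opening a share. DENY records count
too: a host whose outbound 445 attempts to random public addresses are being
blocked is still an infected host that needs pulling off the network.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

SMB_PORT = 445

# "Internal" here means plain RFC 1918 space (an assumption for the example;
# a real deployment would use its own address plan). This is deliberately
# not ipaddress.is_private(), which also treats documentation ranges such as
# 203.0.113.0/24 as private and would misclassify the sample's external hits.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+)/tcp "
    r"(?P<action>ALLOW|DENY)$"
)


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line):
    """Parse one constructed log line; return None for anything that does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
            "dst": m["dst"], "port": int(m["port"]), "action": m["action"]}


def find_smb_scanners(lines, window=timedelta(minutes=5), threshold=10):
    """Return {src: summary} for each source that reached at least `threshold`
    distinct destinations on TCP/445 inside some `window`-long span.
    The summary describes the window with the most distinct targets."""
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["port"] != SMB_PORT:
            continue
        by_src[rec["src"]].append((rec["ts"], rec["dst"], rec["action"]))

    scanners = {}
    for src, events in by_src.items():
        events.sort()
        best, left = None, 0
        for right in range(len(events)):
            # slide the left edge so the span never exceeds the window
            while events[right][0] - events[left][0] > window:
                left += 1
            span = events[left:right + 1]
            seen = {dst for _, dst, _ in span}
            if len(seen) >= threshold and (best is None or len(seen) > best["distinct_targets"]):
                internal = sum(1 for d in seen if is_internal(d))
                best = {"distinct_targets": len(seen),
                        "internal_targets": internal,
                        "external_targets": len(seen) - internal,
                        "denied": sum(1 for _, _, a in span if a == "DENY")}
        if best is not None:
            scanners[src] = best
    return scanners


def sample_log():
    """Constructed traffic: one ordinary client and one worm-like host."""
    base = datetime(2017, 5, 12, 9, 0, 0)
    lines = []
    # Ordinary client: the same two file servers, over and over.
    for i in range(20):
        ts = (base + timedelta(seconds=30 * i)).isoformat()
        lines.append(f"{ts} 10.0.1.50 -> 10.0.0.{10 + i % 2}:445/tcp ALLOW")
    # Infected host 10.0.5.23 sweeps its own /24 (skipping itself) ...
    for i in range(1, 41):
        if i == 23:
            continue
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} 10.0.5.23 -> 10.0.5.{i}:445/tcp ALLOW")
    # ... then throws random public addresses at the egress firewall, which denies them.
    for i in range(41, 61):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} 10.0.5.23 -> 203.0.113.{i}:445/tcp DENY")
    # Unrelated web traffic that must be ignored by the port filter.
    lines.append(f"{base.isoformat()} 10.0.1.50 -> 93.184.216.34:443/tcp ALLOW")
    return lines


if __name__ == "__main__":
    for src, summary in find_smb_scanners(sample_log()).items():
        print(src, summary)
```

Run stand-alone it reports only 10.0.5.23: 59 distinct 445 targets, 39 internal and 20 external, with the 20 external attempts denied. That last figure is the point for the original question: a perimeter that only permits 80/443 does stop the worm leaving (and entering) over 445, but it does nothing about the email attachment that starts the outbreak or the LAN sweep that follows, so the blocked outbound 445 bursts are the alert to watch for.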
In my experience, a lot of these idiots are quite senior within the organisation; senior, but technically clueless. Also, think about the size of an organisation: the bigger the organisation, the more likely at least one idiot will click the necessary things to allow the infection to start, and once it's inside... Also, again, if it's a large organisation, there's more incentive for hackers to dedicate time to crafting highly personalised emails. Some of the emails that come through have very specific information. Or just think of all the crap we all get: how many times have you seen one of those emails and had to pause briefly because you just did something that could have triggered a legitimate email (e.g. buy an app from Apple and 5 minutes later you coincidentally get a phishing email from "Apple" saying "thanks for your purchase, please click here for the invoice")? It's all sheer volume, and there are enough coincidences that people do end up clicking. I mean, if you sent out 100 million emails saying "Hi Bob, it's Jane here, just have a quick look at that document we were discussing", how many Bobs would there be that know a Jane and have been working on a document together? It's a pretty much impossible-to-solve problem; everyone has a weak moment, we can't all be on our guard 24x7.

I never used to think it, but now I'm convinced that Apple's app store model is the way forward. People need to be protected from themselves, it's the sad reality of the world we live in now. That's why Windows is doomed, because it's just too insecure.
 
Microsoft have tried this before; unfortunately, you always get that one very loud person who wants complete access to every single part of their Windows installation. Look at how many people disable UAC rather than let it do its job because they supposedly know better.
 
I prefer the Linux-y approach: only start services the user sets up. Security through obscurity is not effective, IMHO!
 