NHS computer systems hacked!?

I'm aware I keep saying it because I said it. I was explaining my initial thinking because it made me wonder why there's a kill switch in the first place. Don't you question why it's there? If not using it as a trigger, what use is it to the creators? And how do you know what I'm saying is incorrect? Do you have some intimate knowledge of this malware that we aren't being told about? Nobody discussing it seems to know an awful lot about how it got started so who can say anything for sure? We're all just speculating here and I'm providing my thought process for others to see here. You just keep posting back saying how wrong I am when, to be fair, how can you honestly know one way or the other? As I said, so far we're just speculating, and to a large degree from the reporting and coverage I've seen so far, so are the experts.

I mentioned why it's incorrect: get a full domain WHOIS. It shows only 2 entries, both after the infection appeared and both connected to the malwaretech guy.

While that kind of technique could be used as a trigger, short of them having someone inside the domain registry service who erased the history (which is exceedingly unlikely), it's easy to prove it wasn't used this time.
 
It's been picked apart and the bit of code that checks the domain has been analysed so that people understand what it does. It makes an HTTP request to the domain - it doesn't perform a WHOIS lookup. Cisco weren't seeing DNS requests for that domain until Friday, therefore it can be concluded that the malware wasn't sitting around checking and waiting for the domain to become unregistered before activating.

I don't know why it seemingly came alive on the morning of the 12th May, but I'm not making speculations about domains expiring that aren't backed up by any of the analysis so far. Regarding why there would be a way to stop the malware - maybe the person who was paid to put it together wanted a way of stopping it if they didn't get paid? This is one of the conclusions drawn by the author of the MalwareTech article.
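The point above about Cisco only seeing DNS requests for the domain on Friday is also how a defender would spot affected hosts: the HTTP check needs a DNS lookup first, so resolver logs record every machine where the code ran, even where the domain answered and the payload stood down. The following is an added example (not from the thread or the MalwareTech article); the log lines are constructed in BIND query-log style and the domain is a placeholder, since the real kill-switch domain is not given on this page.

```python
import re
from datetime import datetime

# Constructed DNS resolver log lines (BIND-style query log). Not real data.
SAMPLE_LOG = """\
12-May-2017 07:58:11.201 client 10.1.4.23#51234: query: killswitch-domain.example IN A + (10.1.0.5)
12-May-2017 07:58:12.004 client 10.1.4.23#51240: query: update.microsoft.com IN A + (10.1.0.5)
12-May-2017 08:02:40.117 client 10.1.7.88#40211: query: killswitch-domain.example IN A + (10.1.0.5)
12-May-2017 08:02:41.900 client 10.1.4.23#51300: query: killswitch-domain.example IN A + (10.1.0.5)
12-May-2017 08:05:02.552 client 10.1.9.14#33001: query: www.bbc.co.uk IN A + (10.1.0.5)
"""

# Placeholder watchlist; the actual kill-switch domain does not appear on this page.
WATCHLIST = {"killswitch-domain.example"}

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\w+)"
)


def parse_line(line):
    """Parse one query-log line into (timestamp, client IP, normalised qname), or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S"),
        "ip": m["ip"],
        "qname": m["qname"].lower().rstrip("."),
    }


def find_killswitch_lookups(log_text, watchlist=WATCHLIST):
    """Return {client_ip: {"first_seen": datetime, "count": n}} for every host that
    queried a watchlisted domain. A single lookup is enough to treat the host as one
    where the sample executed, regardless of whether the domain resolved."""
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["qname"] not in watchlist:
            continue
        entry = hits.setdefault(rec["ip"], {"first_seen": rec["ts"], "count": 0})
        entry["count"] += 1
        if rec["ts"] < entry["first_seen"]:
            entry["first_seen"] = rec["ts"]
    return hits


if __name__ == "__main__":
    for ip, info in sorted(find_killswitch_lookups(SAMPLE_LOG).items()):
        print(f"{ip}: first seen {info['first_seen']:%H:%M:%S}, {info['count']} lookup(s)")
```

The earliest `first_seen` across hosts gives the first point at which the code ran inside the network, which is the kind of timeline evidence the thread says is missing for the 12th.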
 
> I'm aware I keep saying it because I said it. I was explaining my initial thinking because it made me wonder why there's a kill switch in the first place. Don't you question why it's there? If not using it as a trigger, what use is it to the creators? And how do you know what I'm saying is incorrect? Do you have some intimate knowledge of this malware that we aren't being told about? Nobody discussing it seems to know an awful lot about how it got started so who can say anything for sure? We're all just speculating here and I'm providing my thought process for others to see here. You just keep posting back saying how wrong I am when, to be fair, how can you honestly know one way or the other? As I said, so far we're just speculating, and to a large degree from the reporting and coverage I've seen so far, so are the experts.

As far as I'm aware the "killswitch" was a rookie attempt to defeat analysis.

> The reason which was suggested is that the domain is a “kill switch” in case something goes wrong, but I now believe it to be a badly thought out anti-analysis.
>
> In certain sandbox environments traffic is intercepted by replying to all URL lookups with an IP address belonging to the sandbox rather than the real IP address the URL points to; a side effect of this is that if an unregistered domain is queried it will respond as if it were registered (which should never happen).

https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html

Killswitches aren't common unless it's a botnet (at least as far as I know).

For such a dumb mistake mixed with a rather advanced attack, it seems really weird, almost as though the authors were a mix of fairly advanced programmers and a guy with Google and Stack Overflow.

Nothing to do with a triggering system. I haven't read anything to suggest someone's found why it picked that day to set off.
 
> maybe the person who was paid to put it together wanted a way of stopping it if they didn't get paid? This is one of the conclusions drawn by the author of the MalwareTech article.

An interesting possibility. I suspect it was just a failsafe to stop them accidentally infecting themselves though (probably having their local DNS/hosts set up to respond to it); it seems so obviously easy to defeat if it was an analysis countermeasure that I can't imagine anyone with even mediocre programming skills thinking it would work.
 
> I mentioned why it's incorrect: get a full domain WHOIS. It shows only 2 entries, both after the infection appeared and both connected to the malwaretech guy.
>
> While that kind of technique could be used as a trigger, short of them having someone inside the domain registry service who erased the history (which is exceedingly unlikely), it's easy to prove it wasn't used this time.

Thanks for posting this. My apologies then. I totally missed your initial posting of this because I've been out and about today following this thread whilst I've been busy :) I still question why there's a kill switch though. It seems a rather odd addition to something that's meant to be so destructive. It takes a while for a domain registration to become active so it's not exactly a quick way to stop the malware from spreading, given the impact that it's seemed to have had within a few hours on Friday.
 
Personally I think they faked up the domain as being active locally in their development environment, so as to avoid being infected by it themselves accidentally, either by doing something dumb in development or getting hit by their own malware as it spread, heh.
 
> An interesting possibility. I suspect it was just a failsafe to stop them accidentally infecting themselves though (probably having their local DNS/hosts set up to respond to it); it seems so obviously easy to defeat if it was an analysis countermeasure that I can't imagine anyone with even mediocre programming skills thinking it would work.

If that was the case, you'd then have to think that there's no possibility of recovering in the case of being encrypted if the original author was worried about this. Certainly my experience with the CryptoLocker variants is that usually after someone has paid, they still don't get their data decrypted. I'd suspect it's the same with this new variant.
 
> If that was the case, you'd then have to think that there's no possibility of recovering in the case of being encrypted if the original author was worried about this. Certainly my experience with the CryptoLocker variants is that usually after someone has paid, they still don't get their data decrypted. I'd suspect it's the same with this new variant.

In the middle of development it's possible it might not be 100% working, and if it accidentally escaped the testing environment (probably sandbox/VM) in that state it might encrypt stuff irrecoverably. Hard to say whether the version in the wild can be successfully decrypted or not unless someone pays, and those that do pay will probably keep it quiet.
 
I wonder if any of the WHOIS websites have searches for the domain's existence prior to the malwaretech guy. I imagine they log them.

If they got caught due to that it would be kind of hilarious, though there's a good chance the people responsible for it aren't living somewhere like the UK where the law can get to them easily.
 
So Fallon says only 5% of NHS still running Windows XP, yet:

Kingsley Manning, a former chairman of NHS Digital (which provides the health service's IT systems), told the BBC on Saturday that several hundred thousand computers were still running on Windows XP.
 
> So Fallon says only 5% of NHS still running Windows XP, yet:

It is possible the maths works: the NHS has over 1 million employees, so if each had a personal company-supplied device alone that is halfway there, just assuming the figure was 100,000 XP machines. (Obviously that is a really crude way of looking at the figures.)
 
> It is possible the maths works: the NHS has over 1 million employees, so if each had a personal company-supplied device alone that is halfway there, just assuming the figure was 100,000 XP machines. (Obviously that is a really crude way of looking at the figures.)

Manning said several hundred thousand machines, so that's got to be more than 200,000, probably more like 500,000 if you say "several". Even at 200,000, the NHS would need 4 million machines in total for Fallon's 5% claim to be correct.
 
The NHS themselves put out a statement before Fallon's comment saying it was 4.7%.

Well, at Xmas it was 90%, so they have done well to get it from 90% to 4.7% in 5 months. You got a link to the NHS statement please?

http://www.theinquirer.net/inquirer...-trusts-are-still-running-windows-xp-machines

EDIT: Google search only brings up Amber Rudd saying 4.7%

Ms Rudd said: “We’ve talked about how we can make sure the NHS can remain robust, that patients come first, and I’d like to commend the work that NHS staff have done to ensure that hospitals and patient surgeries are going to continue to run smoothly”.

“While the vast majority are running contemporary systems, we can confirm that the number of devices within the NHS that reportedly use XP has fallen to 4.7%, with this figure continuing to decrease.”

So obviously Fallon is using the same info. Will be interesting to see how many it really is.
 