Protect Yourself From WannaCry!

The latest ransomware attack, referred to as WannaCry, was accidentally stopped in its tracks some days ago by an amateur researcher who tripped a kill switch by registering a domain name, essentially a GUID, that was hard-coded in the hacker’s routines. The safeties have now been taken off and the latest and greatest instantiation of this malware has already gobsmacked the Ukraine. Here’s the D&D:
The bad guy(s) search the Internet for machines with TCP port 445 open. Server Message Block (SMB), a file-sharing protocol used by printers, routers, scanners, and such, uses this port. SMBv1.0 is the original protocol in Windows; it has used the port at least since the W2K days and has been deprecated since W7, but the code is still in all the OSes, as is that of v2.0 and v3.0. The v1.0 code contains THE buffer overflow vulnerability, whereby a specially formed packet rammed up port 445 trips the onerr routine, crashes the system stack, and gives the perp the ability to remotely execute code outside of the UAC (User Account Control); you know, that system modal box that asks if it’s OK for Windows to make changes to the system, YES? or NO? The code then seeks out any workstations on the LAN and infects them as it encrypts all data files it can find. BTW, this general vulnerability has been around since before forever, and if anyone is stupid enough to believe that Windows has been completely re-written since NT… well, here’s exhibit Z. I have lost count of the number of exploits known to use the onerr goto system stack crash vulnerability.
So stop what you are doing. Go to Control Panel -> Programs -> Windows Features:
uncheck the bloody SMB 1.0/CIFS File Sharing Support checkbox

Click OK
re-boot
bow your head
wait for the ricochet
think about LINUX
cause it ain’t gonna end here
My W7 machines didn’t have this feature but my W10s did.
It’s the W7 machines that caught most of the hell.
Most XP machines just crashed.
Special thanks to the NSA for not telling anyone about this.
M$ found out about it from a stolen NSA data dump to WikiLeaks
and issued a security patch in March. Europe is getting hit hard
probably because no one’s got good validation codes. Bad code – no update.
M$ has even issued a WannaCry security update for XP and W2003 servers.
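
The same change scripted, as an added example that is not part of the original post: it reports whether SMBv1 is on and can turn it off, falling back to the LanmanServer registry value and the SMBv1 client driver settings on Windows 7, where the Windows Features checkbox does not exist. The function names are hypothetical, and it assumes an elevated PowerShell prompt.

```powershell
# Added example. Run from an elevated PowerShell prompt. Function names are hypothetical.
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1State {
    # Windows 8.1 and 10: SMBv1 is an optional feature (the checkbox).
    if (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        $f = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
        if ($f) { return "Feature:$($f.State)" }
    }
    # Windows 7 and other systems without the feature: the SMBv1 server is governed
    # by a registry value; if the value is absent, SMBv1 is on by default.
    $v = (Get-ItemProperty -Path $lanman -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    if ($v -eq 0) { return 'Registry:Disabled' }
    return 'Registry:Enabled'
}

function Disable-Smb1 {
    $state = Get-Smb1State
    if ($state -like 'Feature:Enable*') {
        # Same effect as unchecking "SMB 1.0/CIFS File Sharing Support".
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
    elseif ($state -eq 'Registry:Enabled') {
        # Server side: stop answering SMBv1 requests.
        Set-ItemProperty -Path $lanman -Name SMB1 -Type DWord -Value 0
        # Client side: drop the SMBv1 driver from the workstation service.
        # sc.exe requires the space after "=".
        sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
        sc.exe config mrxsmb10 start= disabled | Out-Null
    }
    # Either path takes effect only after a reboot.
    return "Was: $state  Now: $(Get-Smb1State)  (reboot required)"
}

function Test-Port445Listening {
    # SMBv2/v3 also use TCP 445, so the port stays open after SMBv1 is gone.
    # If this machine shares nothing, block 445 inbound at the firewall as well.
    return [bool](netstat -an | Select-String -Pattern ':445\s.*LISTENING')
}

"SMBv1 state:       $(Get-Smb1State)"
"Listening on 445:  $(Test-Port445Listening)"
# Audit only by default. To make the change, call: Disable-Smb1
```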
