Page 4 of 10
  1.    28 Jun 2017 #31
    Join Date : Feb 2016
    Maribor, Slovenia
    Posts : 8,890
    Windows 10 (Pro and Insider Pro)
    Thread Starter

    Quote Originally Posted by Smiley1 View Post
    Forgive me if this is a silly question, but how does the malware get into one's computer? Infected executable attachment, drive-by download, download via malicious link in an email..?
    I think it was a document file (rtf) pretending to come from a government office. Dencal is right... a file pretending to be a software update...

    After the first computer in your local network is infected, there is no need to open anything: if computers are not updated, malicious code will infect any vulnerable system without the user interfering. This code is more advanced - it would detect any saved passwords and propagate through network shares, etc.
    Last edited by AndreTen; 28 Jun 2017 at 12:29.
  2.    28 Jun 2017 #32
    Join Date : Nov 2013
    Chicagoland
    Posts : 33,724
    Dual boot Windows 10 FCU Pro x 64 & Insider 10 Pro

    Quote Originally Posted by dencal View Post
    In this particular case it appears to have infiltrated a software update.
    Thanks for that, dencal. I was wondering the same. In researching, I see somewhat as to how it's spreading. Via the Malwarebytes article cited above:

    UPDATE 6/27/2017 1653 PST: Based on information released by security researchers, a Ukrainian accounting software company called Me Doc pushed an update at around 10:30 GMT this morning, which installed the malware on the "victim zero" system. Then, using a mix of PSExec, WMI, and EternalBlue, it was able to spread to every other computer on the network. Me Doc has claimed that this isn't the case; however, so we cannot fully confirm that this was the source of the original infection vector.
    Petya-esque ransomware is spreading across the world - Malwarebytes Labs | Malwarebytes Labs

    Also linked in that article:

    A little-known Ukrainian software firm is facing allegations it's one major source of Tuesday's ransomware explosion. Security experts say accounting program provider MeDoc was breached and the NotPetya ransomware was spread via updates, before proliferating further thanks to some neat tricks in the malware itself.
    https://www.forbes.com/sites/thomasb.../#5b40a4b73c8b

    Hmm. George Soros area/territory.

    Of course EternalBlue is donated by our lovely NSA via getting hacked. Shouldn't be creating such software in the first place.

    Responsibility

    According to Microsoft, it was USA's NSA that was responsible, by dint of its controversial strategy of "stockpiling of vulnerabilities", for at the least preventing Microsoft from timely public patching of this, and presumably other, hidden bugs.
    EternalBlue - Wikipedia

    Quote Originally Posted by dencal View Post
    This was not ransomware....more than likely industrial espionage....why would the perpetrator leave an easily traceable calling address?
    This has already been shut down.....so financial gain was not the motive.
    It's good to see you seek the motive. That's the key.

    Quote Originally Posted by dencal View Post
    Either some curious kid in a back room seeing how clever he is.....or more worryingly a nation seeking superiority by paralysing vital industries, bringing countries to a standstill......most modern warfare is conducted using computerised technology, ie- aeroplanes, ships, missiles, orbiting space satellites etc.....all could be rendered completely ineffective......frightening isn't it.
    Yes, it is scary. War Games flic coming to past perhaps?

    Perhaps the ultra-rich globalists crippling economies and/or creating scare tactics to ultimately gain control over the free Internet. And no, I don't wear a tinfoil hat. Globalization is a real movement and has been for quite some time. In fact since towards the end of the Industrial Age.

    Here's the start of it in the US. Then onto the World Bank. Control your money via debt = Control all.

    Several banking leaders including Jekyll Island Club members George F. Baker, president of the First National Bank, and James Stillman, president of National City Bank, met with financier J. Pierpont Morgan and began examining the assets of the troubled institutions. A decision was made to offer loans to any of the banks that were solvent. The secretary of the treasury George B. Cortelyou was eager to divert the situation and offered the New York bankers use of government funds to help prevent an economic disaster. President Theodore Roosevelt, while the panic of 1907 transpired, was on a hunting trip in Louisiana.
    http://www.jekyllislandhistory.com/federalreserve.shtml

    It's suspicious Malwarebytes caught this "in the zero hour"? Then be the first to report it to promote their product? IMO rather coincidental.

    Then I see some of the fanboyz come on to promote the product.
    Last edited by HippsieGypsie; 29 Jun 2017 at 12:14.
  3.    28 Jun 2017 #33
    Join Date : Oct 2013
    NW Florida
    Posts : 9,447
    Windows 10 Enterprise and Pro/Windows 7 Enterprise/Linux Mint

    Tony, I guess you should add me to your 'Fanboyz' list. Your insinuation about Malwarebytes, is nothing more than speculation. I am not sure why you would suspect a company that is well thought of on this forum and in the industry without any evidence, other than they found it first. For them to use it as a selling point is nothing new. I am sure if Norton or Kaspersky had found it first they would have used it as well. That's what businesses do, isn't it? Give you a reason to buy your product rather than a competitor's product. I can't sit here and tell you Malwarebytes was not involved in some way, because there is no evidence. Just as there is no evidence at all that they were.

    This thread is about an attack, most likely by some foreign actor, for some reason we don't know for sure. Maybe just flexing their muscles, or maybe targeted at some specific business/country and done in a way to hide who the target actually was. I'm sure it doesn't surprise anyone that it started in Russia.
  4.    28 Jun 2017 #34
    Join Date : Jun 2017
    Posts : 124
    Windows 10.0.15063 (Version 1703) Pro 64-bit

    Quote Originally Posted by Steve C View Post
    Does anyone know why that batch file inserts 3 perfc files whereas the manual fix just creates the file perfc (read only)? I've used a manual fix since Kaspersky Antivirus deletes perfc.dat created by the batch file.

    I just ran Notepad as Admin, saved the empty file as c:\windows\perfc, then made two further copies of perfc and renamed them perfc.dll and perfc.dat. Finally I set them to be read only. Kaspersky antivirus doesn't object when you do it this way.
    Quote Originally Posted by f14tomcat View Post
    Muscle flexing and diversion.....what's the real target?
    Have you run a scan after creating those files to ensure Kaspersky does not remove them if created manually?

    The reason behind the batch files being detected by Kaspersky may have something to do with the fact the batch file comes from a foreign source. Try creating your own batch file and testing it.

    Personally I believe the target includes nations' computers that use outdated software and misconfigured machines running the SMB v1 protocol, mostly civilians and poorly operated IT in businesses.... and this is clearly a wake up call to all IT organizations among those affected. The attack has by far been more successful than anticipated I am certain, and there are various more boxes to infect that are still vulnerable. Computer-savvy individuals are in a tight-knit community that remains aware of the cyber world and its news.

    Industrial espionage? Perhaps. It's hard to draw any conclusions as of yet other than the fact it originated in a Ukrainian accounting firm accountable for XData ransomware distribution. The malware seems ambiguous without naming any companies to infect, but originated here.

    It has affected super markets, to government and country infrastructure.
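Steve C (#34) describes creating C:\Windows\perfc, perfc.dll and perfc.dat by hand in Notepad and marking them read-only, and Hydrate asks whether they survive an antivirus scan. The following PowerShell script is an added example, not a batch file from the thread or from any vendor; it creates the same three zero-byte files (the thread's manual fix uses an empty file), sets the read-only attribute, and reports whether each file is still present afterwards so the check can be rerun after a scan. It assumes $env:SystemRoot is C:\Windows and an elevated prompt.

```powershell
# Added example (not from the thread): perfc "vaccine" files plus a re-check.
# Run from an elevated PowerShell prompt. Assumption: %SystemRoot% is C:\Windows.

$vaccineNames = 'perfc', 'perfc.dll', 'perfc.dat'

function New-PerfcVaccine {
    param([string]$Root = $env:SystemRoot)
    foreach ($name in $vaccineNames) {
        $path = Join-Path $Root $name
        if (-not (Test-Path -LiteralPath $path)) {
            # Zero-byte file, exactly as the manual Notepad fix produces.
            New-Item -ItemType File -Path $path -Force | Out-Null
        }
        # Read-only, so a casual overwrite or delete fails.
        Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true
    }
}

function Test-PerfcVaccine {
    # Re-run this after an AV scan to confirm the files were not removed.
    param([string]$Root = $env:SystemRoot)
    foreach ($name in $vaccineNames) {
        $path = Join-Path $Root $name
        $item = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
        [pscustomobject]@{
            File     = $path
            Exists   = [bool]$item
            ReadOnly = if ($item) { $item.IsReadOnly } else { $false }
            Bytes    = if ($item) { $item.Length } else { $null }
        }
    }
}

New-PerfcVaccine
Test-PerfcVaccine | Format-Table -AutoSize
```

The caveat a practitioner would add: this is a per-host tripwire for one sample that looks for that file name. It does nothing against the EternalBlue, PsExec and WMI spreading discussed earlier in the thread, so it is a stopgap on top of patching and disabling SMBv1, not a substitute for them.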
  5.    28 Jun 2017 #35
    Join Date : Feb 2016
    Maribor, Slovenia
    Posts : 8,890
    Windows 10 (Pro and Insider Pro)
    Thread Starter

    Petya analysis shows, that it wasn't designed as Ransomware, but wiper. Posted on Blog by Anton Ivanov

    After an analysis of the encryption routine of the malware used in the Petya/ExPetr attacks, we have confirmed that the threat actor cannot decrypt victims' disk, even if a payment was made.
  6.    28 Jun 2017 #36
    Join Date : May 2015
    Central IL
    Posts : 4,221
    Mac OS Sierra

    Quote Originally Posted by Kol12 View Post
    I'm curious, how are these hackers able to get hold of NSA exploits?
    @bro67 Can you tell me what Norse tracking map is?
    The exploits were pushed out on the dark web by who, who knows. Now they have a github that people can pull and look at the products they have created. Norse corp. tracks active attacks. It is on their website about what they do and the map gives you insight into what is going on in real time. The majority of attacks I am seeing today are smtp. Port 23, 25, 4444 and 8080 are the main ports. 4444 is how they are getting into Port 135.
  7.    28 Jun 2017 #37
    Join Date : Jun 2017
    Posts : 124
    Windows 10.0.15063 (Version 1703) Pro 64-bit

    Quote Originally Posted by AndreTen View Post
    Petya analysis shows, that it wasn't designed as Ransomware, but wiper. Posted on Blog by Anton Ivanov
    Fascinating interactive disassembly analysis, I appreciate you sharing that.

    This is horrible, simply the key for each person is randomly generated using Base and then never to be found and used for decryption. Normally the article explains the installation ID will be sent to the command and control center for decryption by the threat actor (attackers and creators of the malware). However, it uses Base algorithms using the Windows CryptGenRandom function.

    This function uses a seed, the numbers to use to formulate a random number and add to the seed by finding random bits generated by hardware from process IDs to keyboard hooks and other statistics. This result is used to seed the pseudorandom number generator and find a truly random number, never to be used to decrypt the files attacked by the wiper.

    Amazing find!
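Hydrate (#37) explains the point of the Kaspersky analysis: the per-victim key comes from the Windows CSPRNG, but the "installation ID" shown to the victim is not derived from it, so nothing the victim can send to the attacker recovers the key. The PowerShell below is an added toy model to make that concrete; it is not the malware's code and not from the thread. It assumes the usual ransomware design of wrapping the victim's AES key with the attacker's RSA public key (so the attacker can unwrap it), and contrasts it with a wiper that emits unrelated random bytes as the ID. RandomNumberGenerator is .NET's wrapper over the OS CSPRNG (CryptGenRandom on .NET Framework). OAEP with SHA-1 is used only because every Windows RSA provider supports it in this API.

```powershell
# Added example (not from the thread, not the malware's code): why a random,
# never-transmitted key makes a "ransomware" into a wiper.

$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()  # OS CSPRNG

function Get-RandomBytes([int]$Count) {
    $b = New-Object byte[] $Count
    $rng.GetBytes($b)
    return ,$b        # comma keeps the array from being unrolled on output
}

function Protect-Data([byte[]]$Key, [byte[]]$Plain) {
    # AES-256-CBC, fresh random IV prepended to the ciphertext.
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $Key
    $aes.GenerateIV()
    $ct = $aes.CreateEncryptor().TransformFinalBlock($Plain, 0, $Plain.Length)
    return ,[byte[]]($aes.IV + $ct)
}

function Unprotect-Data([byte[]]$Key, [byte[]]$Blob) {
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $Key
    $aes.IV  = [byte[]]$Blob[0..15]
    return ,$aes.CreateDecryptor().TransformFinalBlock($Blob, 16, $Blob.Length - 16)
}

# --- attacker side: private key never ships with the malware ---
$attackerRsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider 2048
$attackerPub = $attackerRsa.ExportParameters($false)   # public half only
$oaep = [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA1

function Invoke-RansomwareModel([byte[]]$Plain) {
    [byte[]]$key = Get-RandomBytes 32            # per-victim key from the CSPRNG
    $blob = Protect-Data $key $Plain
    $rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider
    $rsa.ImportParameters($attackerPub)
    $id = $rsa.Encrypt($key, $oaep)              # "installation ID" = wrapped key
    [pscustomobject]@{ Ciphertext = $blob; InstallationId = [Convert]::ToBase64String($id) }
}

function Invoke-WiperModel([byte[]]$Plain) {
    [byte[]]$key = Get-RandomBytes 32            # same CSPRNG, same key size...
    $blob = Protect-Data $key $Plain
    [byte[]]$id = Get-RandomBytes 32             # ...but the ID is unrelated random bytes
    # $key goes out of scope here; nothing derived from it ever leaves the host.
    [pscustomobject]@{ Ciphertext = $blob; InstallationId = [Convert]::ToBase64String($id) }
}

function Restore-Victim($Note) {
    # Everything the attacker can do with what the victim sends them.
    $idBytes = [Convert]::FromBase64String($Note.InstallationId)
    try {
        [byte[]]$key = $attackerRsa.Decrypt($idBytes, $oaep)
        [Text.Encoding]::UTF8.GetString((Unprotect-Data $key $Note.Ciphertext))
    } catch {
        "unrecoverable: installation ID is not a wrapped key ($($_.Exception.GetType().Name))"
    }
}

$doc = [Text.Encoding]::UTF8.GetBytes('quarterly ledger')   # constructed sample input
Restore-Victim (Invoke-RansomwareModel $doc)   # prints the plaintext back
Restore-Victim (Invoke-WiperModel $doc)        # prints "unrecoverable: ..."
```

The two models encrypt identically; the only difference is what is printed on the ransom note. That is the whole finding: paying cannot help when the note carries no function of the key.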
  8.    28 Jun 2017 #38
    Join Date : May 2015
    Central IL
    Posts : 4,221
    Mac OS Sierra

    Quote Originally Posted by lx07 View Post
    but only if you don't use it to connect to you NAS or whatever of course...
    It was patched in March so if you run Windows update you should be OK.
    https://www.us-cert.gov/ncas/current...-Vulnerability
    No NAS should be using SMBv1, since Samba no longer allows you to set anything lower than SMBv2. You can only choose SMBv2, SMBv2 Large MTU, SMBv3. SMBv4 still has issues, so you do not see it widely used on commercial NAS's.
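AndreTen (#31) notes that once one machine is infected, unpatched hosts on the LAN are taken over with no user action, and bro67 (#38) adds that no NAS should still be speaking SMBv1 and that the March update closes the hole. The PowerShell below is an added example, not from the thread or from Microsoft documentation: it audits a Windows host for SMBv1 (server setting, optional-feature state, and any live inbound or outbound SMB1 sessions, which is what tells you whether an old NAS or client still depends on it), reports the OS build and latest installed update as a coarse patch screen, and turns SMBv1 off. It assumes Windows 8.1 / Server 2012 R2 or later (where Get-SmbServerConfiguration exists) and an elevated prompt.

```powershell
# Added example (not from the thread): audit and disable SMBv1 on a Windows host.
# Built-in cmdlets only (SmbShare and Dism modules); run elevated.

function Get-Smb1Exposure {
    $cfg     = Get-SmbServerConfiguration
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    # Dialect is "2.x"/"3.x" for SMB2/3; anything below 2.0 is SMB1.
    $inbound  = @(Get-SmbSession -ErrorAction SilentlyContinue |
                  Where-Object { [version]($_.Dialect) -lt [version]'2.0' })
    $outbound = @(Get-SmbConnection -ErrorAction SilentlyContinue |
                  Where-Object { [version]($_.Dialect) -lt [version]'2.0' })
    [pscustomobject]@{
        ServerSmb1Enabled  = $cfg.EnableSMB1Protocol
        Smb1FeatureState   = if ($feature) { $feature.State } else { 'NotPresent' }
        InboundSmb1Clients = $inbound.ClientComputerName    # who still talks SMB1 to us
        OutboundSmb1Shares = $outbound.ServerName           # old NAS / servers we reach over SMB1
    }
}

function Get-PatchBaseline {
    # Coarse screen only: on Windows 10 the MS17-010 fix arrived in the March 2017
    # cumulative update, so an update installed before 2017-03-14 means "go run Windows Update".
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $latest = Get-HotFix | Where-Object InstalledOn |
              Sort-Object InstalledOn -Descending | Select-Object -First 1
    [pscustomobject]@{
        Build                = "$($cv.CurrentBuild).$($cv.UBR)"
        LatestHotFix         = $latest.HotFixID
        LatestInstalled      = $latest.InstalledOn
        UpdatedSinceMs17010  = [bool]$latest -and $latest.InstalledOn -ge [datetime]'2017-03-14'
    }
}

function Disable-Smb1 {
    # Server-side listener off immediately; SMB1 negotiation is then refused.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Remove the SMB1 client and server binaries as well (effective after reboot).
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

Get-Smb1Exposure  | Format-List
Get-PatchBaseline | Format-List
# Disable-Smb1   # run once InboundSmb1Clients / OutboundSmb1Shares are empty or accounted for
```

Check the two session lists before disabling: an entry in OutboundSmb1Shares is exactly the "connect to your NAS" case lx07 raises, and that device needs to be reconfigured for SMB2 or better first, otherwise the mapping breaks. The date screen says nothing about whether the right cumulative update is present; it only catches hosts that plainly have not updated since the fix shipped.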
  9.    28 Jun 2017 #39
    Join Date : May 2015
    Central IL
    Posts : 4,221
    Mac OS Sierra

    Quote Originally Posted by Hydrate View Post
    Fascinating interactive disassembly analysis, I appreciate you sharing that.
    This is horrible, simply the key for each person is randomly generated using Base and then never to be found and used for decryption. Normally the article explains the installation ID will be sent to the command and control center for decryption by the threat actor (attackers and creators of the malware). However, it uses Base algorithms using the Windows CryptGenRandom function.
    This function uses a seed, the numbers to use to formulate a random number and add to the seed by finding random bits generated by hardware from process IDs to keyboard hooks and other statistics. This result is used to seed the pseudorandom number generator and find a truly random number, never to be used to decrypt the files attacked by the wiper.
    Amazing find!
    This should be enough for people to start making system backups. Drives are cheap these days. I find that the two questions we see on here is a system screwed up because of a messed up system upgrade, or someone needing to recover a drive image when their hard drive goes bad. If something using embedded or Windows 10 IoT got infected, that is a part of Microsoft's fault for not implementing a basic protection engine, along with a way to back up files to a protected storage medium.

    This whole mess will teach organizations to now use standard across the board backups for all workstations, start locking down port rules and not allowing programs to be downloaded through emails. Pretty bad that we manage our home systems better than employers, banks and hospitals do. Worst part is that they now allow all users an across the board administrator access, because the IT/LAN coordinators do not know or understand basic security logic and only do what the person on the Helpdesk is reading from a script for the most part.
  10.    28 Jun 2017 #40
    Join Date : Oct 2013
    England
    Posts : 14,058
    Windows 10 Professional x64

    Quote Originally Posted by AndreTen View Post
    Another massive attack is going on at the moment. It started in Ukraine and Russia and is already all over Europe and US too.

    Read more on bitdefender.com | massive-goldeneye-ransomware-campaign-slams-worldwide-users/

    Independent is reporting about Petya (Kaspersky identification of the same..)

    A lot of news around. thehackernews.com | 2017/06/petya-ransomware-attack
    Interesting, thanks for posting, Andre