  1.    30 Jun 2017 #71
    Join Date : Oct 2014
    Posts : 17,565
    Windows 10 Insider Preview Build 16281

    Quote Originally Posted by AndreTen:
    Microsoft posted a very interesting article about the Petya outbreak, including how Windows telemetry helped understand the malware's spreading.

    Attachment 141869
    Now, if you would just translate, please!?!?!?!?
  2.    30 Jun 2017 #72
    Join Date : Jun 2017
    Posts : 124
    Windows 10.0.15063 (Version 1703) Pro 64-bit

    Quote Originally Posted by Wynona:
    Now, if you would just translate, please!?!?!?!?
    I'll challenge myself here to translate into layman's terms. The blue flags indicate where Microsoft's protection against the ransomware is available and mitigated the threat and eliminated it.

    1. A malicious software update containing the petya.dll (dynamic link library) provided by the threat actor (the entity responsible for this madness) was executed on patient zero's machine, knowing it had been vulnerable, supposedly a client of a Ukrainian accounting company who has run into similar security issues. AppLocker would have restricted access to executable files, therefore stopping Petya.
    2. In Microsoft Windows NT, Microsoft Windows 2000, and Microsoft Windows Server 2003, you can retrieve a handle to any process in the system by enabling the SeDebugPrivilege in the calling process. The calling process can then call the OpenProcess() Win32 API to obtain a handle with PROCESS_ALL_ACCESS.

      More Information

      This functionality is provided for system-level debugging purposes. For debugging non-system processes, it is not necessary to grant or enable this privilege.


      This privilege allows the caller all access to the process, including the ability to call TerminateProcess(), CreateRemoteThread(), and other potentially dangerous Win32 APIs on the target process. https://support.microsoft.com/en-us/...debugprivilege
      This allows the malware to propagate and hijack the master boot record with full privileges from SeDebug.


    I just got too lazy to continue, but essentially the SMB exploits spread across the network from the other machines running SMB v1, steal network credentials, find a list of all other machines, and spread again using commands from WMIC and PSEXEC for remote execution across the network, allowing petya.dll to spread and hijack more MBRs.
  3.    30 Jun 2017 #73
    Join Date : Oct 2014
    Arnold, MD
    Posts : 28,956
    Triple boot - Win 10 Pro, Win 10 Pro Insider (2) - (and a sprinkling of VMs)

    Quote Originally Posted by Hydrate:
    I'll challenge myself here to translate into layman's terms. The blue flags indicate where Microsoft's protection against the ransomware is available and mitigated the threat and eliminated it.

    1. A malicious software update containing the petya.dll (dynamic link library) provided by the threat actor (the entity responsible for this madness) was executed on patient zero's machine, knowing it had been vulnerable, supposedly a client of a Ukrainian accounting company who has run into similar security issues. AppLocker would have restricted access to executable files, therefore stopping Petya.
    2. This allows the malware to propagate and hijack the master boot record with full privileges from SeDebug.


    I just got too lazy to continue, but essentially the SMB exploits spread across the network from the other machines running SMB v1, steal network credentials, find a list of all other machines, and spread again using commands from WMIC and PSEXEC for remote execution across the network, allowing petya.dll to spread and hijack more MBRs.
    Is this an issue:

    [Attachment 141898: 2017-06-30_15h07_57.png]
  4.    30 Jun 2017 #74
    Join Date : Jun 2017
    Posts : 124
    Windows 10.0.15063 (Version 1703) Pro 64-bit

    Quote Originally Posted by f14tomcat:
    Is this an issue:

    [Attachment 141898: 2017-06-30_15h07_57.png]
    I'd think that this speaks for itself. Stop using SMB1 | Storage at Microsoft

    It's not a secure protocol, and the only reasons you should be running it are Windows XP or compatibility with different devices such as old printers.

    So, disable it, or otherwise patch your system against Petya's known attack vectors, such as using WUSA for an update, MBAM, Perfmon, AppLocker; the list goes on.
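The advice above is to find out whether SMBv1 is still enabled and to turn it off. As an added example (not from this thread or from Microsoft's page), this PowerShell script reports the SMB1Protocol optional feature, the SMB server setting and the dialect of any current SMB sessions, and removes SMBv1 only when run with the -Disable switch. It assumes Windows 10 and an elevated prompt.

```powershell
# Added example (not from the thread): report and optionally remove SMBv1 on
# Windows 10. Run elevated. Nothing is changed unless -Disable is given.
param([switch]$Disable)

# 1. The optional feature seen in "Turn Windows features on or off".
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
Write-Output ("SMB1Protocol feature state   : {0}" -f $feature.State)

# 2. The server-side setting (shares offered by this machine over SMBv1).
$server = Get-SmbServerConfiguration
Write-Output ("SMB server EnableSMB1Protocol: {0}" -f $server.EnableSMB1Protocol)

# 3. Which dialect any live outbound SMB sessions actually negotiated;
#    a 1.x dialect here means some device still depends on SMBv1.
Get-SmbConnection |
    Select-Object ServerName, ShareName, Dialect |
    Format-Table -AutoSize

if (-not $Disable) {
    Write-Output 'Report only. Run again with -Disable to turn SMBv1 off.'
    return
}

# Turn off the server-side protocol first, then remove the feature itself.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
Write-Output 'SMBv1 disabled; reboot to complete removal of the feature.'
```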
  5.    30 Jun 2017 #75
    Join Date : Feb 2016
    Maribor, Slovenia
    Posts : 8,890
    Windows 10 (Pro and Insider Pro)
    Thread Starter

    Quote Originally Posted by Wynona:
    Now, if you would just translate, please!?!?!?!?
    What is most fascinating, @Wynona, is that the malware had a strict policy to stay undisclosed. If a certain AV solution was present on the infected computer it went straight to destroying the file system; otherwise it went for compromising the computer and checked the network for further vulnerabilities.

    In my opinion, the main target was collecting credentials, or just making as much mess as they could.
  6.    30 Jun 2017 #76
    Join Date : Oct 2014
    Arnold, MD
    Posts : 28,956
    Triple boot - Win 10 Pro, Win 10 Pro Insider (2) - (and a sprinkling of VMs)

    Quote Originally Posted by Hydrate:
    I'd think that this speaks for itself. Stop using SMB1 | Storage at Microsoft

    It's not a secure protocol, and the only reasons you should be running it are Windows XP or compatibility with different devices such as old printers.

    So, disable it, or otherwise patch your system against Petya's known attack vectors, such as using WUSA for an update, MBAM, Perfmon, AppLocker; the list goes on.
    Thanks, I have uninstalled that feature. The only reason I asked was this was a clean install about a month ago, and it was enabled by default. I did not proactively enable the feature. Not running XP. And don't have an old printer. That is odd to me.
  7.    30 Jun 2017 #77
    Join Date : Feb 2016
    Maribor, Slovenia
    Posts : 8,890
    Windows 10 (Pro and Insider Pro)
    Thread Starter

    Quote Originally Posted by f14tomcat:
    Thanks, I have uninstalled that feature. The only reason I asked was this was a clean install about a month ago, and it was enabled by default. I did not proactively enable the feature. Not running XP. And don't have an old printer. That is odd to me.
    Guys, don't worry so much about SMBv1 for home networks (OK, it's not something you really need), unless you have some irresponsible admin user in your network. This is not the first line of attack. Any router will block this.

    The main danger for home users is still phishing with attachments and browsing the internet.
  8.    30 Jun 2017 #78
    Join Date : Oct 2014
    Arnold, MD
    Posts : 28,956
    Triple boot - Win 10 Pro, Win 10 Pro Insider (2) - (and a sprinkling of VMs)

    Quote Originally Posted by AndreTen:
    Guys, don't worry so much about SMBv1 for home networks (OK, it's not something you really need), unless you have some irresponsible admin user in your network. This is not the first line of attack. Any router will block this.

    The main danger for home users is still phishing with attachments and browsing the internet.
    Wasn't worried about anything. Just curious why it was enabled by default. Haven't had any problems, and don't intend to.

    And the only admin user on this box is me........
  9.    30 Jun 2017 #79
    Join Date : Feb 2016
    Maribor, Slovenia
    Posts : 8,890
    Windows 10 (Pro and Insider Pro)
    Thread Starter

    Quote Originally Posted by f14tomcat:
    Wasn't worried about anything. Just curious why it was enabled by default. Haven't had any problems, and don't intend to.

    And the only admin user on this box is me........
    Exactly.
    MS will disable it in the next builds, at least that is what they said.
  10.    30 Jun 2017 #80
    Join Date : May 2015
    Central IL
    Posts : 4,221
    Mac OS Sierra

    AndreTen, I think that we can at least now state that Firewall protection should be enabled full time on any system, whether it is running Linux, Mac OS or Windows. When troubleshooting problems, we are all going to have to remember to address the issue of whether a person has a firewall enabled, and make sure that everyone asks what security software they are running also. The fact is that if someone blocks or disables NetBIOS and/or SMB ports, it will break the system.