Saturday, May 13, 2017

Measures against WannaCry


Currently there is no WannaCry decryption tool or any other solution available, so users are strongly advised to follow the prevention measures below in order to protect themselves.

• Keep your system up to date: first of all, if you are using supported but older versions of the Windows operating system, keep your system updated, or simply upgrade your system to Windows 10.
• Unsupported Windows operating system? If you are using unsupported versions of Windows, including Windows XP, Vista, Server 2003 or 2008, apply the emergency patch released today by Microsoft.
• Enable the firewall: enable the firewall and, if it is already enabled, change its settings to block access to the SMB ports from the network or the Internet. The protocol operates on TCP ports 137, 139 and 445 and UDP ports 137 and 138.
• Disable SMB: follow the steps described by Microsoft to disable Server Message Block (SMB); see the references below.
• Keep your antivirus software up to date: virus definitions have already been updated to protect against this latest threat.
• Back up regularly: keep a good backup routine on an external storage device that is not always connected to your PC.
• Beware of phishing: always be suspicious of unsolicited documents sent by e-mail, and never click links inside those documents unless you have verified the source.

Mohit Kumar (Entrepreneur, Hacker)

How to gracefully remove SMB v1 in Windows 8.1, Windows 10, Windows 2012 R2, and Windows Server 2016

Windows Server: Server Manager method
(screenshot: Server Manager - Dashboard method)

Windows Server: PowerShell method (Remove-WindowsFeature FS-SMB1)
(screenshot: Server PowerShell method)

Windows Client: Add or Remove Programs method
(screenshot: Add-Remove Programs client method)

Windows Client: PowerShell method (Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol)
(screenshot: Windows PowerShell as Administrator)

For more information, see Server storage at Microsoft.
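The firewall and "disable SMB" measures in the prevention list, together with the client and server PowerShell methods above, can be audited and applied from one script. This is an added example, not code from the original post or from Microsoft; it assumes Windows 8.1 / Server 2012 R2 or later with the DISM, ServerManager, SmbShare and NetSecurity modules available, and the rule names with the "WannaCry-" prefix are ours.

```powershell
#Requires -RunAsAdministrator
# Added example: audit SMBv1 and inbound SMB/NetBIOS exposure on this host,
# and remediate when run with -Remediate. Assumes Windows 8.1/2012 R2+.
param([switch]$Remediate)

# ProductType 1 = workstation; 2 and 3 = domain controller / server.
$isServer = (Get-CimInstance Win32_OperatingSystem).ProductType -ne 1

# 1. SMBv1 feature state (server and client expose it under different names).
if ($isServer) {
    $smb1Enabled = (Get-WindowsFeature -Name FS-SMB1).Installed
} else {
    $smb1Enabled = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State -eq 'Enabled'
}
Write-Host "SMBv1 feature installed/enabled: $smb1Enabled"

# 2. The SMB server can also have SMBv1 switched off without removing the feature.
$cfg = Get-SmbServerConfiguration
Write-Host "SMB server EnableSMB1Protocol: $($cfg.EnableSMB1Protocol)"

# 3. Inbound block rules for the ports named in the prevention measures.
$rules = @(
    @{ Name = 'WannaCry-Block-SMB-TCP';     Proto = 'TCP'; Ports = 137, 139, 445 },
    @{ Name = 'WannaCry-Block-NetBIOS-UDP'; Proto = 'UDP'; Ports = 137, 138 }
)
foreach ($r in $rules) {
    $exists = Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue
    Write-Host "Firewall rule '$($r.Name)' present: $([bool]$exists)"
    if ($Remediate -and -not $exists) {
        # Public profile only: blocking 445 on Domain/Private profiles breaks
        # file and print sharing, so widen the profile deliberately, not by default.
        New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Action Block `
            -Protocol $r.Proto -LocalPort $r.Ports -Profile Public | Out-Null
    }
}

if ($Remediate) {
    if ($smb1Enabled) {
        if ($isServer) { Remove-WindowsFeature -Name FS-SMB1 -Restart:$false | Out-Null }
        else { Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null }
    }
    if ($cfg.EnableSMB1Protocol) { Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force }
    Write-Host 'Remediation applied; a reboot completes the SMBv1 feature removal.'
}
```

Run it once without -Remediate to see the current state, then with -Remediate; on a file server decide first whether the Public-profile block is enough or whether SMB should be filtered at the network edge instead.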


References:

https://support.microsoft.com/en-in/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012

http://thehackernews.com/2017/05/wannacry-ransomware-windows.html

Fact Sheet: WannaCry Ransomware
1. About WannaCry
• Virus Name: WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY
• Vector: All Windows versions before Windows 10 are vulnerable if not patched for MS17-010. It uses EternalBlue (MS17-010) to propagate.
• Ransom: Between $300 and $600.
• Backdoor: The worm loops through every RDP session on a system to run the ransomware as that user. It also installs the DOUBLEPULSAR backdoor.
2. Prominent Infections
• NHS (UK) turning away patients, unable to perform x-rays.
• Telefonica (Spain)
• FedEx (USA)
• University of Waterloo (USA)
• Russia interior ministry & Megafon (Russia)
• Sberbank (Russia)
• Shaheen Airlines (India, claimed on Twitter)
• Train station in Frankfurt (Germany)
• Neustadt station (Germany)
• The entire network of German Rail seems to be affected (@farbenstau)
• Russian Railroads (RZD), VTB Russian bank
• Portugal Telecom
3. Informative Tweets
• Sample released by ens: hxxps[:]//twitter.com/the_ens/status/863055007842750465
• Onion C&Cs extracted: hxxps[:]//twitter.com/the_ens/status/863069021398339584
• EternalBlue confirmed: hxxps[:]//twitter.com/kafeine/status/863049739583016960
• Shell commands: hxxps[:]//twitter.com/laurilove/status/863065599919915010
• Maps/stats: hxxps[:]//twitter.com/laurilove/status/863066699888824322
• Core DLL: hxxps[:]//twitter.com/laurilove/status/863072240123949059
• Hybrid-analysis: hxxps[:]//twitter.com/PayloadSecurity/status/863024514933956608
• Impact assessment: hxxps[:]//twitter.com/CTIN_Global/status/863095852113571840
• Uses DoublePulsar: hxxps[:]//twitter.com/laurilove/status/863107992425779202
• Your machine is attacking others: hxxps[:]//twitter.com/hackerfantastic/status/863105127196106757
• Tor hidden service C&C: hxxps[:]//twitter.com/hackerfantastic/status/863105031167504385

www.paladion.net
Paladion | Confidential

• FedEx infection vector: hxxps[:]//twitter.com/jeancreed1/status/863089728253505539
• How to avoid infection: hxxps[:]//twitter.com/hackerfantastic/status/863070063536091137
• More of this to come: hxxps[:]//twitter.com/hackerfantastic/status/863069142273929217
• C&C hosts: hxxps[:]//twitter.com/hackerfantastic/status/863115568181850113
• Encrypted files will be deleted after the countdown: hxxps[:]//twitter.com/laurilove/status/863116900829724672
• Claim of attribution (take with salt): hxxps[:]//twitter.com/0xSpamTech/status/863058605473509378
• Track the bitcoins: hxxps[:]//twitter.com/bl4sty/status/863143484919828481
4. Cryptography Used
• Files are encrypted with AES-128-CBC (custom implementation in the binary).
• The AES key is generated with a CSPRNG, CryptGenRandom.
• The AES key is encrypted with RSA-2048 (Windows RSA implementation).
• hxxps[:]//haxx.in/key1.bin (the ransomware public key, used to encrypt the AES keys)
• hxxps[:]//haxx.in/key2.bin (the DLL decryption private key): the CryptImportKey() RSA key blob dumped from the DLL by blasty.
5. Bitcoin ransom addresses
Three addresses found hard-coded into the malware:
• hxxps[:]//blockchain.info/address/13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
• hxxps[:]//blockchain.info/address/12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
• hxxps[:]//blockchain.info/address/115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn