OSDev.org

The Place to Start for Operating System Developers

All times are UTC - 6 hours




 Post subject: Have you patched your Windows against EternalBlue?
PostPosted: Thu May 18, 2017 6:56 pm 

Joined: Tue Mar 06, 2007 11:17 am
Posts: 920


It creates a service called "Microsoft Security Center (2.0) Service". Just run "services.msc" to find out if it's present and remove it with a good antivirus or manually with the disk as external.

I'm asking this because it seems to be an extremely dangerous exploit that allows the installation of cryptographic viruses against user files from Windows XP onwards, via an automated SMB 1/Samba 1 attack from the Internet.

The C:\WINDOWS\mssecsvc.exe and tasksche.exe ended up being installed in my Windows 7 server overnight today, but Avast stopped it. I can upload a 7-Zipped file with the worm if you want a sample of it.

Now I've put this information here so that the least amount of people get to lose extremely important files.


EternalBlue is an extremely dangerous vulnerability coming from the Internet that often causes blue screens of death and the installation of cryptographic file viruses that ask for money to rescue our files. It affects mainly Windows XP and newer versions.

Use the following tool to check if you have already applied the patch successfully:
[................]


Apply these 2 patches for your Windows version. Apply one by one. Install the first one and reboot Windows, install the second one and reboot again, and then use the tool above to check whether you patched the vulnerability:
http://www.catalog.update.microsoft.com ... =KB4012212

http://www.catalog.update.microsoft.com ... =KB4012215


Special patch version for Windows XP and other outdated versions:
http://www.catalog.update.microsoft.com ... =KB4012598

_________________
Image http://www.archefire.org/_PROJECTS_/

YouTube Development Videos:
http://www.youtube.com/user/AltComp126/videos

Current IP address for hosts file (all subdomains):
190.150.9.244 archefire.org


Last edited by ~ on Thu May 18, 2017 7:55 pm, edited 9 times in total.

 Post subject: Re: Have you patched your Windows against EternalBlue?
PostPosted: Thu May 18, 2017 7:00 pm 

Joined: Sun Feb 09, 2014 7:11 pm
Posts: 70
Location: Within a meter of a computer
This one was patched a month or two ago, so for a technical group of people like osdevs, it hopefully isn't too big of a risk.

_________________
"If the truth is a cruel mistress, than a lie must be a nice girl"
Working on Cardinal
Find me at #Cardinal-OS on freenode!


 Post subject: Re: Have you patched your Windows against EternalBlue?
PostPosted: Thu May 18, 2017 7:20 pm 

Joined: Sat Jan 15, 2005 12:00 am
Posts: 7979
Location: At his keyboard!
Hi,

"Download and execute random stuff from an unknown and untrusted web site, to protect yourself against things and stuff!" is a great way to get infected by malware.

I've edited the original post to remove links to the unknown and untrusted web site.


Cheers,

Brendan

_________________
For all things; perfection is, and will always remain, impossible to achieve in practice. However; by striving for perfection we create things that are as perfect as practically possible. Let the pursuit of perfection be our guide.


 Post subject: Re: Have you patched your Windows against EternalBlue?
PostPosted: Thu May 18, 2017 7:23 pm 

Joined: Tue Mar 06, 2007 11:17 am
Posts: 920
The tool from GitHub is from ESET Antivirus.

I also read it before running it. It's just a VB Script that checks that the patches against EternalBlue are installed.

Without it the user won't know for certain if the patch for the actual dangerous exploit is in place.



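The check ~ describes, a script that confirms the MS17-010 updates are present, can be done with built-in cmdlets instead of a download. The following is an added example written for this thread, not the ESET script and not code from any poster; it uses the KB numbers named in the first post and also reports whether the SMB1 server component is still enabled. Run it from an elevated PowerShell prompt on the host being checked.

```powershell
# Added example (not the ESET script, not code from the thread): report whether
# any of the MS17-010 updates named in this thread is installed, and whether
# the SMB1 server is still enabled. Which KB applies depends on the Windows version.
$Ms17010Kbs = @('KB4012212', 'KB4012215', 'KB4012598')

function Get-Ms17010Status {
    # Get-HotFix reads Win32_QuickFixEngineering, the same data "View installed updates" shows.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $found = @($Ms17010Kbs | Where-Object { $installed -contains $_ })
    [pscustomobject]@{
        Patched   = ($found.Count -gt 0)
        Installed = $found
    }
}

function Get-Smb1Enabled {
    # Windows 8 / Server 2012 and later expose the setting through the SmbShare module.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Windows 7 / Server 2008 R2 only have the LanmanServer registry value; when the
    # value is absent SMB1 is enabled, which is the default on those versions.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $value = Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue
    if ($null -eq $value) { return $true }
    return ($value.SMB1 -ne 0)
}

$status = Get-Ms17010Status
if ($status.Patched) {
    "MS17-010 update present: $($status.Installed -join ', ')"
} else {
    "None of $($Ms17010Kbs -join ', ') is listed; check Windows Update history before assuming the host is unpatched"
}
if (Get-Smb1Enabled) { 'SMB1 server is still enabled on this host' } else { 'SMB1 server is disabled' }
```

One caveat: on Windows 7 and Server 2008 R2 the monthly rollups are cumulative, so a later rollup supersedes KB4012215 and Get-HotFix may then list only the newer KB. An empty result therefore means "look at the update history", not "vulnerable"; disabling SMB1 where nothing needs it removes the exposure regardless of which rollup is installed.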
 Post subject: Re: Have you patched your Windows against EternalBlue?
PostPosted: Fri May 19, 2017 12:00 am 

Joined: Sat Mar 31, 2012 3:07 am
Posts: 2861
Location: Chichester, UK
How many home users do you imagine expose SMB to the Internet?


 Post subject: Re: Have you patched your Windows against EternalBlue?
PostPosted: Fri May 19, 2017 12:17 am 

Joined: Fri Feb 17, 2017 4:01 pm
Posts: 123
Location: Ukraine, Bachmut
ah, this. this is that Wannacrypt SMBv1 thing. yes i applied this kb. but the way i did it (the promptness) made me feel a little uncomfortable. i had always had update enabled, but since last autumn it got buggy, making 100% cpu usage for nothing. interestingly, right after a monthly update, when I logged in as an administrator and let it install updates, it calmed down and didn't loop, but with some time it was gradually increasing in the looping again (the update service was starting shortly after the login and, since I am not logged in as an administrator, did nothing). definitely a bug in the update service. so, last autumn, when this manifested, pissed off completely, I turned update off. and now this malware happened. I guess, should my machine be a real target for this attack, it would get infected way before I noticed somewhere on the Internet about this patch and installed it.
on the other hand, i don't use any anti-virus software (for years) and thank god, never had any infections.

_________________
Trying to write an NT-like OS (ANT). First target architecture is mips32r2.
Hopefully this is not only not NSFW, but rather opposite. and feasible as well.


Last edited by zaval on Fri May 19, 2017 2:15 am, edited 1 time in total.

 Post subject: Re: Have you patched your Windows against EternalBlue?
PostPosted: Fri May 19, 2017 1:55 am 

Joined: Wed Dec 01, 2010 3:41 am
Posts: 1720
Location: Hong Kong
iansjack wrote:
How many home users do you imagine expose SMB to the Internet?


While it's probably blocked by the firewall, there is still a huge attack surface from the local network, which can be exploited via other vectors (e.g. IoT, old NAS, or the recent CVE in Defender(*)).

Anyway, do not download security patch from random site, just use the Windows update.

REF: https://technet.microsoft.com/en-us/lib ... 22344.aspx


 Post subject: Re: Have you patched your Windows against EternalBlue?
PostPosted: Fri May 19, 2017 5:14 am 

Joined: Tue Mar 06, 2007 11:17 am
Posts: 920
iansjack wrote:
How many home users do you imagine expose SMB to the Internet?
It's dangerous because it's automatic and SMB 1/2 seem to be fully enabled by default, and only Windows 10 is not vulnerable.

The rest is done by a kernel level exploit to bugs in SMB, sent through the Internet, unless the patch is properly applied.

It seems that the hardest attack was activated this week and past week, so it can be dangerous if your network range is currently being scanned by this.



 Post subject: Re: Have you patched your Windows against EternalBlue?
PostPosted: Fri May 19, 2017 5:46 am 

Joined: Sat Mar 31, 2012 3:07 am
Posts: 2861
Location: Chichester, UK
~ wrote:
iansjack wrote:
How many home users do you imagine expose SMB to the Internet?
It's dangerous because it's automatic and SMB 1/2 seem to be fully enabled by default, and only Windows 10 is not vulnerable.

That assumes that your router lets SMB through from the Internet. You'd have to be crazy to do that.

Initial infection more likely comes from a phishing email. I'd hope that people here are not stupid enough to fall for that. So it's not a big deal for sensible home users. It is, and has been, a problem for large organisations where it just takes one idiot to get infected via an email and the malware can then spread via the internal SMB network.


 Post subject: Re: Have you patched your Windows against EternalBlue?
PostPosted: Fri May 19, 2017 6:43 am 

Joined: Wed Dec 01, 2010 3:41 am
Posts: 1720
Location: Hong Kong
iansjack wrote:
~ wrote:
iansjack wrote:
How many home users do you imagine expose SMB to the Internet?
It's dangerous because it's automatic and SMB 1/2 seem to be fully enabled by default, and only Windows 10 is not vulnerable.

That assumes that your router lets SMB through from the Internet. You'd have to be crazy to do that.

Initial infection more likely comes from a phishing email. I'd hope that people here are not stupid enough to fall for that. So it's not a big deal for sensible home users. It is, and has been a a problem for large organisations where it just takes one idiot to get infected via an email and the malware can then spread via the internal SMB network.


Recently there is a new type of phishing email using Unicode domain names (it looks exactly like http://www.apple.com and even gets an https domain-verified certificate); even tech geeks might get caught off guard.


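The lookalike domains bluemoon mentions work because browsers carry non-ASCII hostnames as Punycode ("xn--" labels) while rendering them in Unicode, so Cyrillic letters that draw like Latin ones produce a visually identical name. The script below is an added example for this thread (not code from any poster): it normalizes a hostname with .NET's IdnMapping, maps a hand-picked subset of confusable Cyrillic and Greek letters back to the ASCII letters they resemble, and flags a label that becomes plain ASCII only after that mapping. The confusables table is a constructed subset, not Unicode's full list, and the sample hostnames are constructed.

```powershell
# Added example (not from the thread): flag hostnames whose non-ASCII letters
# render like ASCII ones. The table is a hand-picked subset of confusables.
$Confusables = @{}
foreach ($pair in @(
        @(0x0430, 'a'), @(0x0435, 'e'), @(0x043E, 'o'), @(0x0440, 'p'),   # Cyrillic а е о р
        @(0x0441, 'c'), @(0x0445, 'x'), @(0x0443, 'y'), @(0x0456, 'i'),   # Cyrillic с х у і
        @(0x0458, 'j'), @(0x04CF, 'l'), @(0x0501, 'd'),                   # Cyrillic ј ӏ ԁ
        @(0x03BF, 'o'), @(0x03BD, 'v')                                    # Greek ο ν
    )) {
    $Confusables[[string][char]$pair[0]] = $pair[1]
}

function Get-LookalikeHostName {
    param([Parameter(Mandatory)][string]$HostName)
    $idn = New-Object System.Globalization.IdnMapping
    # Accept either form: go through Punycode so "xn--" input is decoded to Unicode.
    $punycode = $idn.GetAscii($HostName)
    $unicode  = $idn.GetUnicode($punycode)
    $suspicious = $false
    $skeleton = foreach ($label in $unicode.Split('.')) {
        # Replace each confusable character with the ASCII letter it resembles.
        $mapped = -join (foreach ($c in $label.ToCharArray()) {
            $key = [string]$c
            if ($Confusables.ContainsKey($key)) { $Confusables[$key] } else { $key }
        })
        # A label that only becomes plain ASCII after mapping is a lookalike.
        if ($mapped -cne $label -and $mapped -match '^[A-Za-z0-9-]+$') { $suspicious = $true }
        $mapped
    }
    [pscustomobject]@{
        HostName   = $unicode
        Punycode   = $punycode
        Suspicious = $suspicious
        LooksLike  = ($skeleton -join '.')
    }
}

# Constructed samples: Cyrillic а р р ӏ е + ".com", and an ordinary ASCII name.
$lookalike = (-join [char[]]@(0x0430, 0x0440, 0x0440, 0x04CF, 0x0435)) + '.com'
Get-LookalikeHostName -HostName $lookalike     # Suspicious = True, LooksLike = apple.com
Get-LookalikeHostName -HostName 'www.osdev.org' # Suspicious = False
```

The Punycode column is the form that actually appears in the certificate and in DNS, so comparing it against the rendered name is the quickest manual check; a certificate being valid says nothing about which script the name is written in.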
 Post subject: Re: Have you patched your Windows against EternalBlue?
PostPosted: Fri May 19, 2017 7:25 am 

Joined: Tue Mar 06, 2007 11:17 am
Posts: 920
I got the WannaCry files installed in my server after a lot of BSODs for several weeks and a slow down. Fortunately Avast was installed and I realized that I needed a patch.

I first thought that it was because of the BenQ S6 drivers that failed after some hours of Apache serving files.

Then I thought that it was because it was an old version of Apache for Windows XP.

When the server crashed equally under a UMPC with Windows XP and under a laptop with Windows 7, I realized that it was virus-related. If I didn't have a home web server and Avast, but mainly a server to check networking the whole day as a side effect, I wouldn't have realized the problem.

A network might be protected but if you use mobile machines you would be exposed, one only needs to see how many people, hospitals, businesses, governments and machines have been affected. It needed a patch that corrected the privileged memory leakage.


