OT: worldwide worm

Much like you, then.

Reply to
Huge

you need to run the netstat -an command from within an existing command window, i.e. start cmd.exe first, but don't invoke netstat from the start menu, or it runs and then immediately closes

but port 445 will still show as open with the patches installed and/or SMBv1 disabled, because SMBv2 and v3 use the same port

Reply to
Andy Burns

Thanks for that. It works OK now. Dozens of them! Now how can I find out what they all mean and how important they are?

Reply to
Chris Hogg

Well, within cmd.exe window you can type

netstat -an | find ":445"

which will show you that you *are* listening on port 445, which is one port that SMB uses, you can do the same for 139, which is an older way of doing SMB over NETBIOS

but as you say, a typical windows PC has many ports open, and needs them even for talking to itself.

you can use

netstat -an | find /i "listen"

to see which are listening, or the same with "estab" or "close" to see connections coming and going

but it's a bit of a geek's sport knowing what they all do ...

Reply to
Andy Burns
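Added example, not from any poster in the thread: a small Python parser for the netstat -an output being discussed. The sample output is constructed, not captured from anyone's machine. It separates listeners from connections, picks out the SMB and NetBIOS ports (TCP 139/445, UDP 137/138), and records whether each listener is bound to every interface (0.0.0.0 or ::, so reachable from the LAN) or only to loopback, which is the distinction that matters when deciding whether a listening 445 is actually exposed. It also lists the peers the machine is connected to on 139/445, useful for spotting SMB traffic between machines on an internal network.

```python
from collections import namedtuple

# Constructed sample of `netstat -an` output in the Windows format (not captured
# from any machine in the thread; the addresses are made up).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:49152        0.0.0.0:0              LISTENING
  TCP    192.168.0.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.0.10:49670     52.97.133.2:443        ESTABLISHED
  TCP    192.168.0.10:49671     192.168.0.20:445       CLOSE_WAIT
  TCP    [::]:445               [::]:0                 LISTENING
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:138            *:*
"""

Socket = namedtuple("Socket", "proto local_addr local_port remote_addr remote_port state")

SMB_TCP_PORTS = {139: "SMB over NetBIOS session service",
                 445: "SMB direct (SMBv1, v2 and v3 all use it)"}
NBT_UDP_PORTS = {137: "NetBIOS name service", 138: "NetBIOS datagram service"}


def split_endpoint(endpoint):
    """Split 'addr:port' from netstat, coping with IPv6 '[::]:445' and UDP '*:*'."""
    addr, _, port = endpoint.rpartition(":")
    addr = addr.strip("[]")
    return addr, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Turn the text of `netstat -an` into Socket records; header lines are skipped."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        local_addr, local_port = split_endpoint(parts[1])
        remote_addr, remote_port = split_endpoint(parts[2])
        state = parts[3] if len(parts) > 3 else ""   # UDP rows have no State column
        sockets.append(Socket(parts[0], local_addr, local_port, remote_addr, remote_port, state))
    return sockets


def bind_scope(addr):
    """Who can reach a listener: every interface, loopback only, or one specific address."""
    if addr in ("0.0.0.0", "::", "*"):
        return "all interfaces"
    if addr.startswith("127.") or addr == "::1":
        return "loopback only"
    return "one interface"


def smb_exposure(sockets):
    """{port: [(bound address, scope), ...]} for SMB/NetBIOS listeners (TCP 139/445, UDP 137/138)."""
    found = {}
    for s in sockets:
        tcp_listener = s.proto == "TCP" and s.state == "LISTENING" and s.local_port in SMB_TCP_PORTS
        udp_nbt = s.proto == "UDP" and s.local_port in NBT_UDP_PORTS
        if tcp_listener or udp_nbt:
            found.setdefault(s.local_port, []).append((s.local_addr, bind_scope(s.local_addr)))
    return found


def smb_peers(sockets):
    """TCP connections whose peer port is 139/445: which other hosts this machine is talking SMB to."""
    return [(s.remote_addr, s.remote_port, s.state)
            for s in sockets if s.proto == "TCP" and s.remote_port in SMB_TCP_PORTS]


if __name__ == "__main__":
    socks = parse_netstat(SAMPLE_NETSTAT)
    for port, binds in sorted(smb_exposure(socks).items()):
        label = SMB_TCP_PORTS.get(port) or NBT_UDP_PORTS[port]
        for addr, scope in binds:
            print(f"port {port} ({label}) bound to {addr}: {scope}")
    for peer, port, state in smb_peers(socks):
        print(f"SMB connection to {peer}:{port} [{state}]")
```

To use it on a real machine, paste the output of netstat -an in place of the sample text. As the posts above say, seeing 445 listening tells you only that SMB of some version is on; it says nothing about which versions or whether the host is patched.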

Chris Hogg posted

I had a look in the registry, but there doesn't seem to be anything in it about SMB, of any flavour.

formatting link

Reply to
Sid

I just remembered ... I actually installed it on a Netbook for him. ;-)

And have, and booted it ... can you install the detector on a LiveDVD instance do you know please (I understand it would only be for that session etc).

Cheers, T i m

Reply to
T i m

as long as it has a writeable file system ...

assuming you're running as root, under /root/.msf4 create the folder tree modules/auxiliary/scanner/smb and copy the smb_ms17_010.rb file into that folder (or wget it from the web)

then run it ...

msfconsole

use auxiliary/scanner/smb/smb_ms17_010
set RHOSTS 192.168.0.0/24 (or use a file if you have many subnets)
run

then when it's completed dump your results to a csv for reading into a spreadsheet or whatever

hosts -c name,address,os_flavor,vuln_count -o wanacrypt.csv

Reply to
Andy Burns

^^^^^ watch the missing slashes if your email client shows them as italics, like thunderbird just has

Reply to
Andy Burns

Thanks. I think I'll leave well alone; way, way beyond my experience and capability!

Reply to
Chris Hogg

Sid posted

Thanks. I've already installed that update, but I have no idea what it actually did. Does it turn off SMBv1?

Reply to
Handsome Jack

Well, that you consider an opinion unsupported by any evidence from any professionals to be evidence explains even more.

Did you read the article?

The ransomware uses a feature of a particular implementation of SMB V1 found only in Microsoft code.

i.e. it's absolutely specific to Microsoft. And almost certainly to V1 SMB.

SMB V1 ceased to be the default post XP.

Additionally all later versions of windows had been issued with security patches to cover this vulnerability which has been known for some time since it hit the public domain.

XP, being out of support, did not receive any fixes.

Microsoft has, now it's becoming a matter for worldwide concern, issued fixes for XP.

Ergo although it is POSSIBLE that later versions of windows have remained unpatched for months, and are now infected, it's unlikely. The main bulk of the problem is the vast community of unpatched XP machines.

The malware is specific to Windows, SMB V1, it is not an issue for Linux, Mac or any other operating system.

Reply to
The Natural Philosopher

That is not strictly the fault of Linux, but simply of whomsoever's apps you are using to do vehicle diagnostics and/or audio.

For general purpose work I have found Linux to have everything I need.

Special purpose apps that need windows run in a virtual machine that is normally disconnected from the internet.

Reply to
The Natural Philosopher

It's not even a solution either.

This particular piece of malware spreads along INTERNAL networks.

And it's possible to infect - as STUXNET did - a secure network simply by getting someone to use a USB drive internally.

Reply to
The Natural Philosopher

formatting link

for more updates.

Reply to
The Natural Philosopher

It seems to show up fine here (Agent).

Thanks for the replies and info Andy and if I get a chance to install a 64bit Linux on something I might give it a try, but apart from not being confident about the Linux / CLI side (possibly for no reason etc), I'm not actually sure what the 'bigger picture' is here. Are we looking for open ports or specific vulnerabilities via SMB shares etc.?

As you have already mentioned elsewhere that it may take a guru to be able to translate the results (not an old ex hardware guy). ;-)

Cheers, T i m

Reply to
T i m

The smb_ms17_010 script uses the same technique that the malware does, to see if one or more machines are already infected, vulnerable to infection, or protected (by being patched, or having SMBv1 disabled).

You can't tell just by seeing the port open, whether you are vulnerable.

That detection script doesn't carry a payload, however there are already metasploit exploit scripts out there that use the vulnerability to open backdoors etc, but I won't link to those!

Reply to
Andy Burns
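Added example, not from any poster in the thread and not the Metasploit module itself: a Python probe that takes one step past "is 445 open" without going as far as the ms17_010 check. It sends a single SMB_COM_NEGOTIATE request offering only the SMBv1 dialect "NT LM 0.12" (no SMB2 dialect strings), so a host that answers with an SMBv1 header still has SMBv1 switched on, while a dropped connection or an SMB2 header means the SMBv1 door the worm uses is shut. The header field values (flags 0x18, flags2 0xC801, PID 0xFEFF) are conventional client choices, not anything the thread specifies. The sample replies at the bottom are constructed bytes for exercising the classifier, not captures from real hosts. The caveat the post above makes still holds: a host that speaks SMBv1 is not necessarily vulnerable, since a patched machine with SMBv1 left on will answer exactly the same way; only the vulnerability check tells patched from unpatched.

```python
import socket
import struct
import sys

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
DIALECT_NT_LM_012 = b"NT LM 0.12"     # the SMB1 dialect Windows NT and later speak

SMB1_ENABLED = "smb1-enabled"          # host answered the SMB1 negotiate and picked our dialect
SMB1_REJECTED = "smb1-rejected"        # host spoke SMB1 but refused every dialect we offered
SMB2_ONLY = "smb2-only"                # host answered with an SMB2 header instead
NO_SMB = "closed-or-not-smb"           # connection dropped or something other than SMB came back


def smb1_header(command, status=0, flags=0x18, flags2=0xC801, pid=0xFEFF, mid=0):
    """32-byte SMB1 header (see MS-CIFS, SMB Header), little-endian, no padding.
    Flag values are conventional client defaults, an assumption of this example."""
    return struct.pack("<4sBIBHHQHHHHH",
                       SMB1_MAGIC, command, status, flags, flags2,
                       0,      # PIDHigh
                       0,      # SecurityFeatures (no signing)
                       0,      # Reserved
                       0,      # TID: no tree connected yet
                       pid,    # PIDLow
                       0,      # UID: not authenticated
                       mid)


def nbss(body):
    """NetBIOS Session Service wrapper: type 0x00 plus a 24-bit big-endian length."""
    return b"\x00" + len(body).to_bytes(3, "big") + body


def build_negotiate(dialects=(DIALECT_NT_LM_012,)):
    """SMB_COM_NEGOTIATE request. Offering only SMB1 dialect strings (no 'SMB 2.002')
    means a host that answers with an SMB1 header has SMBv1 enabled."""
    data = b"".join(b"\x02" + d + b"\x00" for d in dialects)   # each dialect: 0x02 + name + NUL
    body = smb1_header(SMB_COM_NEGOTIATE) + b"\x00" + struct.pack("<H", len(data)) + data
    return nbss(body)          # the b"\x00" is WordCount = 0 (no parameter words)


def classify_response(raw):
    """Classify the first reply to build_negotiate(). Pure function, so it can be run
    over captured or constructed bytes without a network."""
    body = raw[4:]              # drop the NBSS header
    if body[:4] == SMB2_MAGIC:
        return SMB2_ONLY
    if body[:4] != SMB1_MAGIC or len(body) < 35:
        return NO_SMB
    command, status = struct.unpack_from("<BI", body, 4)
    word_count = body[32]
    if command != SMB_COM_NEGOTIATE or status != 0 or word_count == 0:
        return SMB1_REJECTED
    (dialect_index,) = struct.unpack_from("<H", body, 33)   # index into the list we sent
    return SMB1_REJECTED if dialect_index == 0xFFFF else SMB1_ENABLED


def probe(host, port=445, timeout=3.0):
    """Network side: connect, send one negotiate, classify whatever comes back."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_negotiate())
            reply = s.recv(4096)
    except (ConnectionRefusedError, ConnectionResetError, socket.timeout):
        reply = b""
    return classify_response(reply)


# Constructed replies for exercising the classifier (not captured from any real host).
SAMPLE_REPLY_SMB1 = nbss(smb1_header(SMB_COM_NEGOTIATE, flags=0x98)
                         + bytes([17]) + struct.pack("<H", 0) + b"\x00" * 32   # 17 words, DialectIndex 0
                         + struct.pack("<H", 0))                               # ByteCount 0
SAMPLE_REPLY_NO_DIALECT = nbss(smb1_header(SMB_COM_NEGOTIATE, flags=0x98)
                               + bytes([1]) + struct.pack("<H", 0xFFFF) + struct.pack("<H", 0))
SAMPLE_REPLY_SMB2 = nbss(SMB2_MAGIC + b"\x00" * 60)

if __name__ == "__main__":
    print(probe(sys.argv[1]) if len(sys.argv) > 1 else classify_response(SAMPLE_REPLY_SMB1))
```

Run it as python3 smb1probe.py 192.168.0.20 against a machine you own; "smb1-enabled" means SMBv1 is still on (patched or not), anything else means the SMBv1 path is closed. Only probe hosts you are responsible for.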

'Of course', I (for one) am not and never have blamed 'Linux' directly (whatever that actually is) but indirectly via the lack of real-world understanding by some people involved in its advancement re ordinary user expectation.

Given that 'most people' don't install their own OS's so they either come pre installed (so very unlikely if someone was buying from most PC shops) or installed (and therefore maintained) by a geek at work or a mate etc.

So, for a software supplier / writer to bother with Linux, even if they were selling their product, they would either need to have spare capacity on their software creation team (from those not writing stuff for 80% of the desktop market (Windows) or 10% (OSX)) or someone who happens to 'like' Linux and to bother to include it in the std schedule. And then there is the 'what Linux' question as you either create simple packages that are compatible (and tested?) with all the key Linux distribution systems or put more effort into making a more complete installer that would cover greater versions (inc 32 / 64 bit). All for ~5% of the desktop market.

Of course. If you install say Mint and only need the basic stuff it comes with and find it supports all your hardware OOTB, then it could be considered a cheap, 'more secure'? and perfectly functional solution, especially if you don't have to fully interface with say MS Word users or anyone using any other app that isn't supported on Linux.

So it's a catch 22. Linux (or OSX for that matter) isn't going to reach the desktop penetration of Windows until it can compete directly with Windows and that means across the board. So, it might only need the lack of support for iDevices / iTunes store or Photoshop for that not to happen.

And so you are 'still running Windows'.

And how do you define 'special purpose apps'? I would consider 'any app' that I want to be 'just an app'. So, given that most are available for Windows, I consider those to be the benchmark and the test is to also see if they are available on OSX then Linux. There are instances of software or hardware that are only supported on Linux of course but as yet I'm not aware of any that would make me have to run Linux (or OSX) for anything.

I am a utilitarian so I 'prefer' any solution that is the best of as many worlds as possible. So, that's why I like my Leatherman PST II (but not all Leatherman offerings), estate cars (but not hatchbacks, MPVs or vans) and Windows, not because they are particularly good or the best at any one thing.

I'm also just a hardware guy and so have rarely written any software nor played much with the CLI in any OS (other than MSDOS), preferring something you can generally use / manage through an explorable GUI.

I think you will find most people are similar re OS's. They may not even consider there would be any restrictions on any software or hardware, till they actually try something that isn't Windows. [1]

Cheers, T i m

[1] I installed Linux as the primary OS for my BIL and he only needs to reboot into Windows for some accounting package and a game. Whenever I've gone there and checked out his machine for some reason I *always* find a string of Windows apps he had downloaded because he still doesn't remember / understand that Linux isn't Windows.

(The real funny thing is when you get the Linux fans arguing with you that (for example) 'they do a Teamviewer for Linux' when it's just the std Windows version running under WINE). ;-)

Reply to
T i m

This might help - tells how to remove/disable SMBv1 on various Windows versions:

formatting link

Reply to
mechanic

Just on a point of fact, not taking sides in the current argument, yes, senior NHS managers are all micromanaged from Whitehall. (Or Cardiff if applicable.) They have at least weekly meetings with civil servants where they are given clear instructions. The salary is for carrying the can if the mandarins get it wrong. And they usually pop up in an equally senior job elsewhere if they have to resign. Which is only fair in the circumstances. Trusts are necessary for putting the NHS in privatisable form, but they are not allowed to act independently while they are in public ownership.

Reply to
Roger Hayter

This is a bold statement.

Whilst the code may have been written by Microsoft and replaced in newer Microsoft code, that doesn't necessarily mean it doesn't appear in other SMB implementations, of which there appear to be many, 40 listed on wiki.

Programmers steal code and lie about it, obfuscate it. Managers claim code has characteristics divorced from any code base reality. I don't know if all versions have been audited to check this particular bug, do you?

Reply to
Nick

HomeOwnersHub website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.