Researchers Find New Version Of WanaDecrypt0r Ransomware Without A Kill Switch

Remember that "kill switch" which shut down the WannCry ransomware? An anonymous reader quotes Motherboard: Over Friday and Saturday, samples of the malware emerged without that debilitating feature, meaning that attackers may be able to resume spreading ransomware even though a security researcher cut off the original wave. "I can confirm we've had versions without the kill switch domain connect since yesterday," Costin Raiu, director of global research and analysis team at Kaspersky Lab told Motherboard on Saturday... Another researcher confirmed they have seen samples of the malware without the killswitch.

What hath thou abandoned me, Microsoft??

[Anonymous Coward]

I've got an internet-facing server running Server 2000. Where is our patch!?! My boss is going to freak out if anything bad happens!

Re:

[jellomizer]

Write up a "told you so" as in a root cause analysis.

Re: What hath thou abandoned me, Microsoft??

[Dogon Yàrò]

Wow...

It was only a matter of time...

[toonces33]

The person who found the previous "kill switch" believes that it was actually an anti-sandboxing feature, not a kill switch.

Re:

[Highdude702]

can i have a link to where you saw this please?

Re:It was only a matter of time...

[toonces33]

https://www.malwaretech.com/20... [malwaretech.com]

The reason which was suggested is that the domain is a “kill switch” in case something goes wrong, but I now believe it to be a badly thought out anti-analysis.

In certain sandbox environments traffic is intercepted by replying to all URL lookups with an IP address belonging to the sandbox rather than the real IP address the URL points to, a side effect of this is if an unregistered domain is queried it will respond as it it were registered (which should never happen).

I believe they were trying to query an intentionally unregistered domain which would appear registered in certain sandbox environments, then once they see the domain responding, they know they’re in a sandbox the malware exits to prevent further analysis. This technique isn’t unprecedented and is actually used by the Necurs trojan (they will query 5 totally random domains and if they all return the same IP, it will exit); however, because WannaCrypt used a single hardcoded domain, my registartion of it caused all infections globally to believe they were inside a sandbox and exitthus we initially unintentionally prevented the spread and and further ransoming of computers infected with this malware. Of course now that we are aware of this, we will continue to host the domain to prevent any further infections from this sample.

Re:

[Anonymous Coward]

None, if your ISP hijacks your DNS and serves up advertising when it receives a request for a bad domain name. See Cox Communications for an example. That, however, usually only happens on residential DNS, while the ransomware fliating around now is mainly in corporate environments, due to the nature of SMB.

Re:

[Calydor]

Cox and Verizon only hijacked the lookup to protect you from ransomware!

Re:

[Highdude702]

They are very efficient at it also. Used to get mine within hours. Hard to fight that kind of mitigation unless you use raw ip, which sometimes can become a problem to hide then. unless you have deep pockets for china.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Xenna]

OK, note to self: Use a random URL in the next version.

Re:

[Highdude702]

Even if you use a randomizing URL it can be caught, and algorithm figured out to register the next years worth of domains. it was very bad implantation of a sandbox check.

Re:

[Highdude702]

That is a possibility however, adding more interaction between sandbox and host leads to more potential ways to break out of the sandbox and truly be malicious. It's almost like a double edged sword. The more you try to prevent by passing to the host the more you possibly weaken your whole secure environment.

Re:

[Highdude702]

Thank you! Awesome read. Anybody who hasnt should.

We can only hope!

[Highdude702]

Lets hope that this person is doing this for awareness. and hopefully he makes his point. or else sorry you put a critical on the internet without knowledge of how the internet works.

Re:

[ColdWetDog]

I suspect that the perps are doing it for money.

Always follow the money.

Re:

[Highdude702]

im sure he is. but i can hope that hes not.

This wave...

[malkavian]

Is really going to hurt then.. I doubt the world has had time to patch everything...

Re:

[toonces33]

Maybe some are patched. Some are taken offline or air-gapped until patched. Some might have SMB turned off or blocked by the firewall. IT departments will be specifically watching for TOR connections, and might actually try blocking them. Yeah, there will be some new infections. But the first wave gave people a wake-up-call that this one was serious.

Re:

[freeze128]

The object lesson here is: Don't rely on patches. Instead, have a strong backup strategy.

This attack *WILL* really hurt, but it will be good in the long run because it will teach people to back up data.

Re:

[ozduo]

anyone considered that this might be an attempt by an un-named company to sell its latest software

God damnit

[JustAnotherOldGuy]

I've tried everything to get this to run on my Linux Mint box (including installing WINE) and it just won't do anything.

Re:

[Anonymous Coward]

I've tried everything to get this to run on my Linux Mint box (including installing WINE) and it just won't do anything.

Surely you are familiar with stuff not working on a Linux box ?

It's part of the hobby to experience such things, n'est ce pas ?

Re:

[rrohbeck]

Clearly you need a VM to experience the full goodness of Microsoft's SMB implementation..

Re:

[Barlo_Mung_42]

Same here but it doesn't work on Win10 either.

Well duh, RTFM

[Anonymous Coward]

You need to make sure you have the *correct* version of gettext, libiconv, openssl, gnu-crypto, and gnucash (not the one your distro ships with of course) and you need the correct version of GCC (4.9.4 it will refuse to compile if you use 4.9.3 or 4.9.5). Also if you are on Mint you will need to patch the ransomware.h header file but not Debian. If using CentOS you need to make sure you load the x86 compatibility libraries or it won't work. Make sure to pass the correct flags to ./configure

This is all obvious to everyone who read the manual so stop wasting our time.

Re:

[WallyL]

Ooh, I have a malware that's ready for prime-time! Please paste this into a terminal, and then share to all your friends:
sudo rm -rf /

Re:

[DeBaas]

If you send me two bitcoins within 6 hours I will provide an installer. If you wait longer the price will go up!

Re:

[thegarbz]

If more than 5 people ran something important on a Linux Mint desktop that is worth holding for ransom then we would consider a port. Until then your target market is just too small and you will need to run a compatible copy of Microsoft Windows to use our software.

Sincerely,
Dev Team.

Re:

[JustAnotherOldGuy]

If more than 5 people ran something important on a Linux Mint desktop that is worth holding for ransom then we would consider a port. Until then your target market is just too small and you will need to run a compatible copy of Microsoft Windows to use our software.

Thank you! I installed Windows 10 and was able to get it to encrypt my files properly on the first try.

By the way, what does "Error connecting to NSA Data Collection Server" mean? I get that notification whenever my internet goes down.

Re:

[thegarbz]

Error connecting to NSA Data Collection Server

The error you are experiencing means that the automated email and password database backup systems aren't working as intended. If you intend to work without an internet connection for long periods of time it may be worth while to print hard copies of everything important and mail it directly to the NSA for archiving.

Never Run Windows on Bare Metal

[Anonymous Coward]

1) Get ransomware
2) Read warning about losing data
3) Chuckle with a smirk on your face
4) Revert to this morning's snapshot
5) Carry on

Re:

[Anonymous Coward]

It works better than dropping all the information you recorded EVER on the floor. Why hospitals are even ON the Internet is beyond me...

Oh right..

Obama.

Thank you very much, asswipe.

Re:

[mikael]

Hospitals moved to computer because it saved space storing data on a server rather than rack and racks of shelves with paper notes with scribbly doctors writing. These would have to be thrown out after three years if the patient never returned. Then when someone is referred to another doctor, clinic, practise, specialist, consultant, those paper notes would have to be transferred across as well. Needless to say, they would end up being lost. Medical notes weren't the right size to store X-ray plates let alo

Re:

[GerryHattrick]

No real 'Doctor' I have ever known ever relied on anyone else's tests and notes. New Doc? they'll run the tests again (which is OK in the UK, as it costs the patient nothing but delay). I suspect the English NHS is remarkably resilient

Re:

[eneville]

I was not aware Obama had anything to do with the UK's NHS.

Re:

[HiThere]

This is assuming that it's a rapidly acting ransomware. Some have acted more slowly, and you could lose a week's worth of data, or a month's worth. And...unnh... how long do you keep your backups before recycling?

I am diabling SMB v1

[williamyf]

Even though my main machine is mac, and my bootcamp and windows secondary machine are on Win10 and Fully patched, and my synology NAS has SMB v1 disabled, I may as well disable SMBv1 across the whole fleet.

God have mercy on all morons who are still running unpatched machines...

Re:

[techno-vampire]

God have mercy on all morons who are still running unpatched machines...

Because I certainly won't. Either this will be a good object lesson, or they'll get what they deserve for not learning from experience.

Re:

[Atryn]

God have mercy on all morons who are still running unpatched machines...

I wonder if you could draw a parallel to the anti-vax movement. There is a sort of herd immunity if all machines are patched as malware has a harder time replicating and spreading with less compromised machines to do so. But there are people who persistently refuse to patch because of some perception that the patch itself or the patching process is more troublesome than the likelihood they will be part of an infection.

Re:

[RandomFactor]

To be fair, that perception is rather well founded in the windows world. I tried going down that road myself back in WGA introduction time frame, but gave up soon enough.

sometimes i think worse must precede better...

[Anonymous Coward]

I've seen security-aware people being widely ignored by technically illiterate managers and decision makers for decades. Sometimes they aren't given the tools they ask for, or their advice is ignored, or sometimes they are both ignored and still blamed when things go wrong. That's not even getting into all the ordinary folks buying low-security or pre-backdoored IoT devices, and the intrusion of the internet into everyday things like cars and televisions.

Sometimes I think something really nasty has to happen before people will wake up. But then when I think about it some more, I don't believe that would help either. The wrong message would be taken. Instead of adopting good security practices, it would instead be a series of laws that managed to be both misguided, harmful, and utterly useless for solving the real problem. It would be "magical thinking" instead of really paying attention to digital security.

Then I go have a couple beers, because fuck it.

It's All About ROI

[Frosty Piss]

It's not like most IT departments don't know these vulnerabilities exist, and there are many common reasons, some common ones being:

A) Code written under a very tight schedule, where getting working code operational is the number one target, and the team expects to tighten up the security later but never does.

B) Legacy code written before this type of security was much of a concern.

The main problem with preventing this kind of thing is the Bean Counters. Generally, they will do a calculus of the possibility that they specifically will be hack, and what it will cost to tighten up the code to prevent the hack. In other words, they gamble that they will not be hacked, thus saving them the money it will cost to have their inside team or a contractor fix things. It's all about their bonus.

Of course the Bean Counters will not admit this, but it's important to understand that the people who sign off on allocating the funds to accomplish tightening up security simply have no understanding about the actual threat verses cost, nor do they really care because it's all about ROI.

Re:

[phantomfive]

You might add that it's very rare that any software company cares about security from corporate perspective. You can tell that they care when they give you extra time in a sprint to make sure things are secure.

Re:

[Tom]

The main issue with the bean counters is that they (often intentionally) underestimate the probability of a flaw being exploited.

If exploiting the flaw will give the attacker some kind of financial or otherwise interesting profit, even indirectly (like exploiting a OS flaw to deploy ransomware) then given a sufficient timeframe, the probability that the flaw will be found and exploited is close to 100%.

I know this is a bit of "hire me" since I'm an IS Architect, but IT is going to become a lot more expensiv

Re:It's All About ROI

[StormReaver]

Neither (A) nor (B) apply in this case, but rather:

C) Organizations insist on using an operating system that has been known for decades to have more severe security holes than Swiss cheese, but which the (only!) vendor refuses to fix until its too late (if even then).

Shocking!

[Gravis Zero]

It's almost as if someone saw this coming. [slashdot.org]

Why couldn't the NSA find/activate kill switch???

[divec]

What does it say about the NSA, if lone security researcher finds and activates a kill switch before they do?

So they can snoop on and store an entire nation's web traffic and email, but they can't analyse a small piece of malware, notice it queries some domain name, and then discover (in a test environment) that the existence of the domain stops the malware from propagating? And then activate the domain to give the world a few hours respite?

Sure, now there's a new version without a kill switch, but the brief respite will have given millions of people the opportunity to secure their machines. It seems a pretty pathetic state of affairs when the NSA pours vast sums of money into nefarious snooping, yet can't keep pace with a single security researcher when it comes to *actually* helping keeping the nation secure.

Same goes for other countries' intelligence agencies, e.g. GCHQ.

Re:

[Anonymous Coward]

What? you want them to violate the DMCA to reverse engineer the code.

Re:

[vtcodger]

The kill switch is in the malware, not in the underlying Windows code. It's probably not exploitable for intelligence activity. Why would the NSA/CIA/FBI/whatever care about it as long as it doesn't infect their computers? (Which they probably back up regularly and, one suspects, probably don't run on Windows)

Hashes....

[campuscodi]

Hashes or GTFO. This is as fake news as fake can get.

Re:

[rat7307]

Here you go, I've got tons of them: #######