
Cisco's Talos team analysis of WannaCry worm - f2f
http://blog.talosintelligence.com/2017/05/wannacry.html
======
maksimum
> .der, .pfx, .key, .crt, .csr, .p12, .pem, .odt, .sxw, .stw, .3ds, .max,
> .3dm, .ods, .sxc, .stc, .dif, .slk, .wb2, .odp, .sxd, .std, .sxm, .sqlite3,
> .sqlitedb, .sql, .accdb, .mdb, .dbf, .odb, .mdf, .ldf, .cpp, .pas, .asm,
> .cmd, .bat, .vbs, .sch, .jsp, .php, .asp, .java, .jar, .class, .mp3, .wav,
> .swf, .fla, .wmv, .mpg, .vob, .mpeg, .asf, .avi, .mov, .mp4, .mkv, .flv,
> .wma, .mid, .m3u, .m4u, .svg, .psd, .tiff, .tif, .raw, .gif, .png, .bmp,
> .jpg, .jpeg, .iso, .backup, .zip, .rar, .tgz, .tar, .bak, .ARC, .vmdk, .vdi,
> .sldm, .sldx, .sti, .sxi, .dwg, .pdf, .wk1, .wks, .rtf, .csv, .txt, .msg,
> .pst, .ppsx, .ppsm, .pps, .pot, .pptm, .pptx, .ppt, .xltm, .xltx, .xlc,
> .xlm, .xlt, .xlw, .xlsb, .xlsm, .xlsx, .xls, .dotm, .dot, .docm, .docx, .doc

Phewww! Good thing I'm using .tex to write my thesis and write most of my code
in .py... lol

~~~
semi-extrinsic
I recently tried to email someone a .tar.gz of some .py files, and their
academic email (large US university, hosted gmail) refused to let it pass. I
was left to wonder what kind of research they do there.

~~~
mattnewton
Research with modern tooling like git?

~~~
themihai
I still believe you should be able to send files through email. Why should I
set up a git server (static IP + domain name) to share a piece of code? What's
next? "Modern tooling" like Google Docs instead of local apps?

~~~
jlg23
> I still believe you should be able to send files through email.

Refusing to listen to what people have been telling you since the inception of
email does not make you right, though.

------
averagewall
Apart from the individual victims, ransomware seems like it should have a good
effect on computer security overall since it actually harms the people who get
infected and motivates them to do security better. Most viruses keep quiet so
people don't know or care if they're infected and contributing to DDoSes or
spreading to others. I sometimes use computers that have obvious viruses on
them, and the people running them just let it happen because it doesn't
stop their work.

~~~
mtgx
Yes. I can't wait until self-driving car ransomware appears.

The amount of rage the customers will feel towards the makers of whatever non-
secure self-driving or "connected" cars receive the ransomware should give
those car makers a nice kick in the behind to get their act together.

Then we'll see how quick the car makers will be about implementing features
such as "unlocking your car remotely from the beach."

~~~
wungsten
I wouldn't say I "can't wait" for car viruses, but I do worry about all the
stupid remote/automated features being advertised these days. You just _know_
it's going to be exploited, and cars are at the top of my list of things that
should be as safe and secure as possible.

~~~
problems
That mostly boils down to lowering the attack surface.

Individual cars doing their own thing, no problem. Cars talking to cloud, big
privacy problem, potential security problem. Cars talking to each other
locally, smaller privacy problem, but bigger security problem.

------
Dolores12
There are some bitcoins flowing into their wallet

[https://blockchain.info/address/115p7UMMngoj1pMvkpHijcRdfJNX...](https://blockchain.info/address/115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn)

------
neom
"it is simply scanning accessible servers for the presence of the DOUBLEPULSAR
backdoor. In cases where it identifies a host that has been implanted with
this backdoor, it simply leverages the existing backdoor functionality
available and uses it to infect the system with WannaCry." - Not a security
person but that seems pretty clever, and incredibly worrying. I presume we'll
see more of this type of attack in the future - but curious if this has been a
popular vector of compromising in the past? Also curious about what a / how a
killswitch domain works?

~~~
rwbhn
> Also curious about what a / how a killswitch domain works?

From the article:

The above subroutine attempts an HTTP GET to this domain, and if it fails,
continues to carry out the infection. However if it succeeds, the subroutine
exits. The domain is registered to a well known sinkhole, effectively causing
this sample to terminate its malicious activity.

~~~
neom
But why??

~~~
toeveret
Why does it do it? To avoid triggering in many sandbox environments, as they
often are not connected to the internet and track and respond with generic
yes/"correct data" formats.

------
cheeze
I've seen a few mentions of something along the lines of "The malware then
checks for files with a file extension as listed in the appendix and encrypts
these using 2048-bit RSA encryption."

I'm not super well versed in crypto, but is this possible? I assume they use
symmetric encryption and then RSA encrypt the symmetric keys?

~~~
pja
Probably. They could use RSA to encrypt the entire file, but that would be
much slower.

------
mctx
Unreadable on Chrome on iOS
[https://i.imgur.com/j13tqGn.png](https://i.imgur.com/j13tqGn.png)

~~~
kyrra
Seems they fixed it. (Did a refresh and all's good now)

------
vecplane
Is there a domain we can connect to with https?

Seems strange that an article as important as this wouldn't be served
securely.

