
New SMB Worm Uses Seven NSA Hacking Tools, whilst WannaCry Used Just Two - rbanffy
https://www.bleepingcomputer.com/news/security/new-smb-worm-uses-seven-nsa-hacking-tools-wannacry-used-just-two/
======
arca_vorago
As a sysadmin I have always hated SMB. I loved samba for their attempts to
opensource it so I could at least use samba4 in prod and feel confident in
its stability, but I always felt like it was a bad protocol without many good
alternatives. NFS is about the same, even worse when trying to serve to
windows clients.

For those on linux or not aware, if you see 'cifs' it is the same thing
(mostly).

One thing I always did was require connections to use latest smb (mitigates
many old version attacks), ensure auth is using highest available methods, but
more than anything is running the SMB server behind a well monitored and
maintained firewall. That's the thing that gets lots of companies.

Also, this:
https://wiki.archlinux.org/index.php/Samba#Block_certain_file_extensions_on_Samba_share

Finally, segment your damn networks with vlans/subnets!
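
An added example, not from the thread and not Samba's own code: a POSIX shell audit that reads the [global] section of an smb.conf and flags the things the comment above asks for (only current SMB dialects accepted, NTLMv1 refused, encryption required, executable extensions vetoed). The parameter names `server min protocol`, `ntlm auth`, `smb encrypt` and `veto files` are real Samba settings; the thresholds (SMB3_11, encryption `required`) and the two embedded configs are this example's own choices, constructed for illustration, and `awk` and `mktemp` are assumed to be available.

```shell
#!/bin/sh
# Added example (not code from the thread or from the Samba project): audit the
# [global] section of an smb.conf for the hardening described above. Parameter
# names are real Samba settings; the thresholds and the two sample configs
# below are this example's own choices, constructed for illustration.

# Print the value of one [global] parameter (case-insensitive name, whitespace
# trimmed, comments skipped); prints nothing when the parameter is not set.
smb_global_param() {  # $1 = path to smb.conf, $2 = parameter name
    awk -v key="$2" '
        /^[ \t]*\[/ { insec = (tolower($0) ~ /^[ \t]*\[global\][ \t]*$/); next }
        !insec || /^[ \t]*[#;]/ { next }
        {
            n = index($0, "=")
            if (n == 0) next
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == tolower(key)) val = v   # last assignment wins
        }
        END { if (val != "") print val }
    ' "$1"
}

# Rank a Samba dialect name: 1 = SMB1 family, 2 = SMB2, 3 = SMB3, 0 = unknown/unset.
smb_dialect_rank() {
    case "$(printf '%s' "$1" | tr 'a-z' 'A-Z')" in
        CORE|COREPLUS|LANMAN1|LANMAN2|NT1)       echo 1 ;;
        SMB2|SMB2_02|SMB2_10|SMB2_22|SMB2_24)    echo 2 ;;
        SMB3|SMB3_00|SMB3_02|SMB3_10|SMB3_11)    echo 3 ;;
        *)                                       echo 0 ;;
    esac
}

# Print one FINDING line per weak setting; return 0 when clean, 1 otherwise.
audit_smb_conf() {  # $1 = path to smb.conf
    conf=$1
    findings=0
    minproto=$(smb_global_param "$conf" "server min protocol")
    if [ "$(smb_dialect_rank "$minproto")" -lt 3 ]; then
        echo "FINDING: server min protocol = '${minproto:-unset}' (SMB1/SMB2 dialects accepted; set SMB3_11)"
        findings=$((findings + 1))
    fi
    ntlm=$(smb_global_param "$conf" "ntlm auth" | tr 'A-Z' 'a-z')
    case "${ntlm:-ntlmv2-only}" in
        no|false|0|ntlmv2-only|disabled|mschapv2-and-ntlmv2-only) ;;
        *) echo "FINDING: ntlm auth = '$ntlm' (NTLMv1 responses accepted; set ntlmv2-only)"
           findings=$((findings + 1)) ;;
    esac
    enc=$(smb_global_param "$conf" "smb encrypt" | tr 'A-Z' 'a-z')
    if [ "$enc" != "required" ]; then
        echo "FINDING: smb encrypt = '${enc:-unset}' (unencrypted sessions allowed; set required)"
        findings=$((findings + 1))
    fi
    if [ -z "$(smb_global_param "$conf" "veto files")" ]; then
        echo "FINDING: no veto files (executables can be dropped on and served from every share)"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample: a permissive config of the kind that gets shops in trouble.
weak_conf_path() {
    f=$(mktemp) && cat >"$f" <<'EOF'
[global]
   workgroup = WORKGROUP
   server min protocol = NT1
   ntlm auth = yes
   map to guest = Bad User

[public]
   path = /srv/samba/public
   read only = no
   guest ok = yes
EOF
    echo "$f"
}

# Constructed sample: the same server with the settings the comment recommends.
hardened_conf_path() {
    f=$(mktemp) && cat >"$f" <<'EOF'
[global]
   workgroup = WORKGROUP
   server min protocol = SMB3_11
   client min protocol = SMB3_11
   ntlm auth = ntlmv2-only
   smb encrypt = required
   veto files = /*.exe/*.com/*.dll/*.bat/*.vbs/*.scr/*.ps1/
   map to guest = Never

[public]
   path = /srv/samba/public
   read only = yes
EOF
    echo "$f"
}

# Stand-alone usage: audit both constructed configs and clean up.
for c in "$(weak_conf_path)" "$(hardened_conf_path)"; do
    echo "== $c"
    audit_smb_conf "$c" && echo "no findings"
    rm -f "$c"
done
```

Run it against a real `/etc/samba/smb.conf` with `audit_smb_conf /etc/samba/smb.conf`; it only looks at [global], so a share that overrides `veto files` or sets `guest ok = yes` still needs a per-share review, and none of this replaces the firewall and segmentation the comment ends on.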

~~~
chii
so what would be the choice of tech to share files between computers on a
private network?

~~~
simcop2387
SFTP/SSH (many IFS and fuse implementations) is an option. But it's not always
a good alternative.

~~~
piyush_soni
Not being knowledgeable enough about these protocols and their relative
advantage/disadvantages, can the people who downvoted this comment also write
down _why_ to help others? That always makes more sense when it's not obvious.

~~~
drvdevd
I think this is downvoted because it's considered slow and/or hacky and having
a fair amount of overhead (especially for SSH -- e.g. User and Key
management).

That being said, I think the explanation is not available because ... people
aren't really sure about a better option!

If we take the common (IMO complex) Network filesystem protocol
implementations as having irredeemable flaws (so SMB and NFS, all versions),
the only viable contenders I can think of are block level network device
protocols. E.g.: iSCSI, NBD, DRBD, and probably quite a few others. These of
course have the disadvantage of exposing _block level_ protocols to clients,
leaving the actual filesystem management up to the client.

Summary: it's always a tradeoff and most of the options suck in one way or
another. I personally wouldn't downvote this comment. But maybe someone could
enlighten me.

~~~
hollander
What about webdav?

~~~
johansch
WebDAV didn't take off because no one really felt like giving away a high
quality implementation in kernel-space for Windows. And Microsoft viewed it as
competition against SMB and their licensing model.

------
swsieber
Question - wouldn't it be feasible to write a worm that uses the vulnerability
to deliver a patch for the vulnerability... and then maybe deactivate itself
after several days (the worm / spreading portion)?

Or is there something I'm missing?

~~~
nebula
Reminds me of a tricky situation I got myself into :

When I was in college, I wrote a simple worm to display a new year greeting on
all computers it infects. Once it infects a computer, it did the following:

1. it replicated itself to as many computers as possible
2. Displayed the greeting (till user acknowledges it through a key press)
3. self delete (in the hope that it will quickly die by itself)

I seeded it in one of the computers in our college network. I didn't expect it
to be so effective; It spread itself very quickly in the entire network. With
self-delete, I thought it would die on its own. I was wrong. Machines kept
infecting each other in a perpetual loop. The only way I could stop it was to
write a new version that replicated, and cleaned the first version. This new
version kept replicating in the network even after a year. This new version
was not doing anything visible to the user, and I was saved :)

~~~
hexrcs
You should have included another functionality to check the current date,
like, it should stop spreading and just delete itself if it's already in
April. ;)

~~~
nebula
Good thought :) When I put out the first version, I hadn't really understood
the consequences or its effectiveness; In fact it had my code name in the
greeting :( When it first appeared, people found it amusing; but it quickly
went out of control and kept appearing again and again. This annoyed people. I
was in trouble. I had to quickly find a solution in that panic.

------
Animats
Waiting for the first Intel Management Engine based ransomware.

------
vmp
I've been wondering since this began, is there any reason as to why someone
would open up their file server/shares to the internet? I remember reading
somewhere that SMB wasn't designed for WANs and seems like a terrible choice
to put on the internet (even without the security risk).

~~~
isostatic
You have a corporate network which has SMB everywhere (as it's windows based).
You have 1 of your 10,000 users run "funnyscreensaver.exe", and before you
know it your entire network is infected -- doesn't matter that your firewall
blocks incoming or outgoing 137/139/445 - or even if it's an isolated network
without even nat capability.

------
ge0rg
Primary source:
https://github.com/stamparm/EternalRocks/blob/master/README.md

------
greggh
It's obvious that 7 is bigger than 2. So we should be more scared this time.

------
gchokov
Time to switch to something different than Windows.

~~~
borplk
or keep Windows up to date

~~~
qrbLPHiKpiux
And don't random-click things.

~~~
nthcolumn
May I point out that probably nothing was clicked with wcry2.0; the worm got
access via SMB from internet-facing 445 and then internally on the LAN. Although
yes, random clicking is not advisable ever...

------
bjd2385
Just two, like that's nothing at all now.

~~~
robschia
This may be only the beginning.

------
RichardHeart
"Once infected, he can weaponize any time he wants, no matter the late patch."

~~~
sliken
Right, like any compromise. You can't be sure it's fixed unless you reinstall
from scratch.

~~~
tonmoy
Even then you can only hope that it has not infected your BIOS/Other HW
firmware

~~~
isostatic
Nuke it from orbit, only way to be sure

~~~
permadefroster
Uh oh, time for the humorless hackernews downvote.

