
WannaCry – New Variants Detected - remx
https://blog.comae.io/wannacry-new-variants-detected-b8908fefea7e
======
yardstick
Anyone know someone at the Tor Project? Based on a breakdown I read, it
downloads the Tor client from
[https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9...](https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip)

It would be simple to rename this link (or perform a referer check or
something else to stop automated downloads), at least temporarily.

Yes, the malware authors will release an update with the different URL (or
another hosting site entirely, or embedded), but at least it would provide
time for vulnerable users to install patches. Especially now that Microsoft
has released a patch for XP.

(I'm basing this URL info on the breakdown found at
[https://www.bleepingcomputer.com/news/security/wannacry-wana...](https://www.bleepingcomputer.com/news/security/wannacry-wana-decryptor-wanacrypt0r-technical-nose-dive/))

~~~
wcfields
I wondered that exact same thing on Friday; thanks for pointing it out.

------
rhubarbcustard
What's special about WannaCry that has made this such a widespread thing? I
presume there has been plenty of malware for a while that can propagate
itself around a network of unpatched old Windows machines, and people have been
trying to get users to click on emails to infect themselves for years.

So why now? What's so special now?

~~~
guscost
Basically, this is a successful old-fashioned computer worm, operating at a
scale we've not seen for more than 10 years. On modern operating systems most
attack surfaces that were easy to crack in the past have been locked down at
least to the point where it is nearly impossible to find an exploit in a
common protocol like this that doesn't require user interaction (hence the
popularity of phishing). Apart from that we've just gotten lucky, really. Many
of the most catastrophic bugs in recent years (Heartbleed, etc) were never
successfully turned into exploits of this nature. Instead they were discovered
and fixed quickly by researchers.

This worm targets older Windows versions that are installed (and use the
exploited protocol) in a lot of critical infrastructure, and the worm was
hoarded by the NSA all packaged up and ready to deploy (because it can
propagate through SMB and therefore would be perfect for a future Stuxnet-like
operation). So of course some criminals get their hands on it, and hey look it
works. It's an absolutely bonkers story.

~~~
gerdesj
"older Windows versions"

Win 10 is vulnerable without the patch that came out in March.

~~~
criley2
>Win 10 is vulnerable without the patch that came out in march

Microsoft clearly disputes this in their own posts on the subject.

[https://blogs.technet.microsoft.com/msrc/2017/05/12/customer...](https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/)

"Customers running Windows 10 were not targeted by the attack today."

What's your source?

~~~
codehusker
From your source:

"Customers who are running supported versions of the operating system (Windows
Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8.1,
Windows Server 2012, Windows 10, Windows Server 2012 R2, Windows Server 2016)
will have received the security update MS17-010 in March. If customers have
automatic updates enabled or have installed the update, they are protected.
For other customers, we encourage them to install the update as soon as
possible."

If you don't have the update, you are not protected, you are vulnerable.

~~~
rjbwork
If you or your IT dept is not installing updates, especially security patches,
over 2 months after they come out, something's horribly wrong.

~~~
dorian-graph
The reality is, this is very common.

~~~
rjbwork
Then what, realistically, can be done when nation-state knowledge of
vulnerable systems is hoarded for cyber-warfare purposes?

~~~
criley2
Frankly, there is only one solution I can see anymore:

Laws must be passed to:

* Force the US government to report vulnerabilities to vendors

* Create a regulatory body to monitor the use of vulnerabilities in clandestine operations and ensure that mandatory reporting is upheld

I cannot see anything less working.

Get that through US and EU governments, and you'll likely have the vast
majority of vulnerabilities being reported and patched.

Of course this is akin to asking the US and Russia to convert their nuclear
stockpile into reactor fuel.

------
rnhmjoj
I don't get it: why are they using many fake but valid domains? Wouldn't
a non-existing TLD do exactly the same thing while being impossible to
register by anyone trying to stop the malware?

~~~
kuschku
Or even just sha256(unixtime().rand()).com

Or a domain in a TLD that allows only second level TLDs (such as some of the
commonwealth countries).

~~~
nathan_f77
> sha256(unixtime().rand()).com

Yep, that's the way to do it.

~~~
kijin
That gives you 64 characters to the left of the dot. The maximum number of
characters allowed in any single component of a domain name is 63. Some
systems might react in unexpected ways if you try to resolve an invalid domain
name, making your check unreliable. Better use md5 or sha1.

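A small hostname validator, added here as an example and not code from any commenter or from the malware, that checks the RFC 1035 limits kijin refers to: a hex SHA-256 digest is 64 characters, one over the 63-octet label maximum, while hex SHA-1 (40) and MD5 (32) fit. The same check is handy when triaging odd-looking names in DNS logs; the seed string and label regex are my own choices.

```python
import hashlib
import re

# RFC 1035 syntax limits: each label is at most 63 octets and a full
# name is at most 253 characters once the trailing dot is dropped.
MAX_LABEL_LEN = 63
MAX_NAME_LEN = 253

# LDH rule: letters, digits and hyphens, no leading or trailing hyphen.
# The inner {0,61} plus the two end characters caps a label at 63.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.IGNORECASE)


def validate_hostname(name: str) -> list:
    """Return a list of problems found in `name`; an empty list means it is
    syntactically valid as a DNS hostname."""
    problems = []
    name = name.rstrip(".")  # tolerate a fully-qualified trailing dot
    if len(name) > MAX_NAME_LEN:
        problems.append(f"name too long: {len(name)} > {MAX_NAME_LEN}")
    for label in name.split("."):
        if not label:
            problems.append("empty label")
        elif len(label) > MAX_LABEL_LEN:
            problems.append(f"label too long: {len(label)} > {MAX_LABEL_LEN}")
        elif not LABEL_RE.match(label):
            problems.append(f"invalid characters in label {label!r}")
    return problems


def digest_label(algorithm: str, seed: str) -> str:
    """Hex digest of `seed` under the named hashlib algorithm, i.e. the kind
    of label the sha256(...).com idea above would produce. Constructed
    example input; any seed gives the same digest length."""
    return hashlib.new(algorithm, seed.encode()).hexdigest()


if __name__ == "__main__":
    for algo in ("sha256", "sha1", "md5"):
        candidate = digest_label(algo, "constructed-seed") + ".com"
        print(algo, len(candidate.split(".")[0]), validate_hostname(candidate))
```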
~~~
kuschku
Well, that'd be an implementation detail, but the general concept stays the
same.

And is superior to hardcoding.

------
sonium
I really am a bit puzzled by the killswitches. Why does WannaCry have this
functionality in the first place? It sounds almost ironically like a Hollywood
villain mistake.

~~~
Thrillington
They're more analysis defeaters than killswitches. Some testbeds will respond
to all DNS lookups as valid. If this is the case the binary assumes it's in a
testbed and exits to avoid analysis.

~~~
fian
Which makes me think there might be utility in always running Windows (or
other OSes) in a VM. If the malware assumes VMs are bad and self-exits in
response, then it should be safer to run everything in a VM. A side benefit
would be you can perform snapshot backups and easily migrate your main
environment to new hardware.

~~~
kchr
You might wanna take a look at Qubes OS, which tries to provide such a workflow
in a nicely packaged distribution: [https://www.qubes-os.org/](https://www.qubes-os.org/)

------
excalibur
> A new variant with no kill-switch recovered by Kaspersky as a virustotal.com
> upload — not detected in the Wild.

Uploaded to virustotal MEANS found in the wild. That's what admins do when
they discover things.

~~~
phaus
I don't know if this one was detected in the wild or not (99% chance it was),
however, malware authors occasionally use Virustotal too.

~~~
svens_
There are virustotal clones that don't send back results to the vendors. This
is specifically done to prevent that kind of problem.

------
btown
Could a grey hat create a self propagating but non-ransoming variant that
inoculated target machines against its more malicious brethren? Seems like
something a state actor might want to do.

~~~
ComodoHacker
You mean bundle and forcefully install MS patches? This would require reboot
which AFAIK can't be done without user's action (if not using undocumented
APIs).

~~~
gruturo
> You mean bundle and forcefully install MS patches? This would require reboot
> which AFAIK can't be done without user's action (if not using undocumented
> APIs).

Considering you're using a vulnerability to forcefully inoculate systems, and
you gained admin if not Ring0 privileges, you could trivially "reboot" the box
by just crashing it, no APIs required. You could even be nice and check if
there are applications with open files, or schedule it only when the user has
been idle for a while, and only do it during the usual hours of inactivity
(Windows 10 even has a control panel section to choose them).

Or, you could just open a dialog box, masquerade as a legitimate update and
ask for user consent. You _are_ an important security update after all, just a
fairly unconventional one.

------
acd
These systems would be better off security-wise if they would use the latest
open source operating system including the embedded code. The damage this will
cause to embedded systems is distasteful.

~~~
eriknstr
I am very much in favor of open source always but let's not pretend that
embedded systems don't end up with out-of-date software just because it's open
source.

In the case of WannaCrypt0r, the vulnerability had already been fixed by
Microsoft but those who were hit hadn't patched because as discussed elsewhere
applying patches may break things so some postpone or ignore it. Same thing
could have happened to a system running Linux.

~~~
Aldo_MX
Thank you for your thoughtful comment... People who get drunk on the Linux
Kool-Aid are really tiresome. They believe they're safe by using Linux, and
completely disregard good security practices with their Windows-bashing
speech.

------
nthcolumn
How does 'Patient A' get wcry2? Phishing? Via internet facing open 445/3389?

~~~
Scoundreller
My guess is this is why we're seeing multiple bitcoin addresses:

The original authors first released it with their own bitcoin address. It then
spreads p2p around the world wherever it can to front-facing PCs.

Then 3rd-party spearphishers are sending it to corporate networks with their
own bitcoin address so they can get the credit for getting past/through
firewalls.

~~~
ytpete
If the payment goes to them instead of the original authors, how could the new
hijackers of the virus offer to decrypt the data? I'd assume only the original
authors have access to the private keys needed for that.

If someone was really clever they could change the Tor addresses it talks to
for command & control and write their own complete replacement backend, but at
that point it seems like you'd be looking at people capable enough to just
write their own malware from scratch anyway...

~~~
Scoundreller
It could be one back-end, with the malware authors paying a cut to the
spearphishers. The spearphishers could monitor the bitcoin address to ensure
they get the right cut.

Some level of trust would be involved.

I think the spearphishing industry and the malware writing industry aren't one
and the same. The former is the marketing department, the latter is the tech
department.

------
daxfohl
Could the 51% "bug" in bitcoin actually be used to an advantage here? A 51%
vote to invalidate all these transactions? I assume it doesn't work like that
but figured I would ask.

~~~
Mandatum
It's a feat that _could_ be leveraged, but the likelihood and work to do so
would outweigh actually pulling it off.

If this attack occurred against, for example, the CN government, they may step
in and force miners to invalidate.

This scale is world-wide, there's no loss of public image and the amount of
BTC is very small in the scheme of things.

------
nathan_f77
I think it's hilarious how these "kill switches" are supposedly meant to
detect sandboxes, to make it harder for security researchers to analyze the
malware. While actually making it easy for security researchers to completely
disable all installations around the entire world.

That's just what I heard, but it makes sense. There are far more sane ways to
implement a kill switch without using unregistered domains. (For instance,
using a registered domain.)

~~~
bichiliad
The point of the killswitch is to detect if the worm is running inside a
sandbox. Some sandboxes will resolve any domain you try to ping, so an easy
way to detect this is to ping a non-existent domain name. I'm not totally sure
how pinging an existing domain would give you the same behavior, but doing
something like checking a handful of random non-existent domains from a large
list could do the trick.

From the sounds of it, it seems like the researchers didn't expect the
killswitch to disable the malware outside of the sandbox any more than the
author of the malware did[0].

[0]: [https://www.malwaretech.com/2017/05/how-to-accidentally-stop...](https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html)

~~~
losteric
I wonder why there are multiple kill switches?

~~~
bichiliad
Precisely to prevent the registration of one domain from neutering your
malware.

------
MilnerRoute
Two researchers said they found a variant with a kill switch.

[https://motherboard.vice.com/en_us/article/round-two-wannacr...](https://motherboard.vice.com/en_us/article/round-two-wannacry-ransomware-that-struck-the-globe-is-back)

~~~
matthewbauer
*without

------
theincredulousk
Why would they keep releasing it, and release it in the first place, with such
a simple kill-switch? Doesn't make much sense.

Reminds me of the Archer episode where Cyril plants the computer virus and was
going to be the hero by "fixing" it.

~~~
celticninja
It's possible that people are taking the code, modifying it to add in a new
kill switch address, change the bitcoin address and leave everything else as
it is. Usually because they don't understand the code but can do a ctrl+f,
delete and replace with the necessary info. Script kiddies of the malware
world.

------
nebula
I am trying to understand the impact of cryptocurrency. Sorry for my ignorance,
and/or impertinence.

1. Is it possible to run such large scale ransom demands without
cryptocurrency?

2. Do we know if the attacker is using a single BTC wallet, or if ransoms are
being collected in a distributed fashion?

3. Is it possible for the BTC n/w to hijack BTCs going to the ransom wallet(s)?
That is to say, collectively overwrite/override the transactions and maybe
reroute the coins to some non-profit wallet? I know it will be a very bad
precedent, but I am trying to understand if it is technically possible.

~~~
simcop2387
> 3. Is it possible for the BTC n/w to hijack BTCs going to the ransom wallet(s)?

No, by design that's not allowed as part of the protocol for bitcoin. Every
transaction must be signed by the private key for that address in order to be
valid. You could in theory do it if you can get a majority of the miners to
agree to the change in the protocol but it wouldn't happen since it'd require
forking the whole blockchain to insert new transactions without the private
key. And then you'd have to get everyone to agree on where those would go.

~~~
nebula
Thanks for the response. I should have been more explicit, but when I said BTC
n/w I meant a consensus sort of thing from users/miners. Thanks for your
explanation regarding the need of a fork to achieve this even with consensus.

------
bubblethink
This makes me think of a different kind of kill-switch. What if the OS
itself is required to have a kill-switch that triggers once it goes out of
support, and it prevents regular use unless the admin goes through some
serious hoops to override? It at least squarely puts the blame on 1) orgs that
willfully override vs. passively neglecting to update, and 2) OS vendors who have
really short support cycles (~1 year for most Android phones).

~~~
column
If you put a killswitch in Windows that can be triggered from Redmond, I
guarantee you it will be used by a virus of some sort.

------
blaqkangel
We were warned this would happen but it's interesting to me that we have
detected new variants that include the same type of naive kill switch. I'm not
well versed in information security, so my question is whether this means
attackers tried another wave by simply changing the kill switch domain or were
there several variants used for the initial attack?

------
sinaa
Are these new variants new compiles?

Is it possible that multiple variants with randomly-generated kill-switches
are being automatically generated?

------
kul_
Is there analysis on what encryption algorithm was being used? And how the
payment confirmation switch works on the malware.

Is it possible instead of patching the OS, to release a patch which patches
the malware binary to no-op the payment switch?

------
sengork
I would like to know whether the decrypted data can be trusted again in case
the contents have been somewhat changed. Then again it is much better than not
having any data at all in some cases...

------
Animats
If they attach this to a new exploit, instead of an old one that targets
Windows XP, there's going to be a real problem.

~~~
nthcolumn
Anyone got XP infections? It is being touted around as XP (for various
reasons) but wcry 2.0 affects newer versions of Windows.

------
alanfalcon
Just wait until this hits the files of a Russian mob who then take some
Americans hostage and fly to China and end up entangled in an islamic
terrorist plot. 'Cause then we're in for a very long and drawn out story
involving MI6, the CIA, Canadian smuggling routes, and Christian Isolationist
2nd Amendment fanatics.

~~~
huhtenberg
Psst, downvoters -
[https://en.wikipedia.org/wiki/Reamde](https://en.wikipedia.org/wiki/Reamde)

~~~
nagvx
Downvotes are appropriate. HN isn't the place for in-jokes or pop culture
references.

~~~
king_phil
"Don't tell me what I can't do!" - John Locke, LOST

------
rurban
They will get them following the payments soon enough.

------
thewarrior
Who is doing this knowing full well that GCHQ, the FBI and possibly even the NSA
are hard at work trying to get them?

These people are going down. No doubt about it.

~~~
nthcolumn
This is what happens when spambot skiddies accidentally acquire a treasure-
trove of NSA tools via a C2 server they have pwned. They failed to sell
('broker') them as nobody was stupid enough to touch them, they failed to
blackmail with them (omg what a bad move), then they failed to weaponise their
own gear with them (wcry 1.0 in February), and even though wcry 2.0 is
widespread and very disruptive, really they failed again only making 50k out
of how many infections? They have only 3 bitcoin addresses making it obvious
nobody is getting decrypted (how do they know who has paid?) or there is a
single master key which will be found soon, their sandbox detector is a
killswitch. Larry, Moh and Curly have invited a world of pain upon themselves
- as well as probably killing people on NHS - they also infected Moscow Police
- so FSB too.

Definitely, would not like to be them.

~~~
21
A bunch of articles, even Snowden, argued that it's very likely that the NSA
tools were stolen by the Russians.

[https://twitter.com/Snowden/status/765514891813945344](https://twitter.com/Snowden/status/765514891813945344)

~~~
ChuckMcM
And given the indications about how hard various Russian infrastructure was
hit, that would be ironic.

Of course, if you were a nation state and you _wanted_ to attack an adversary
but you knew that if you did you would get blowback, you _might_ "lose" some
tools that you knew some script kiddies would be able to weaponize.

Interesting times indeed.

------
Sir_Cmpwn
Maybe it would be better to wait until the attackers registered the domain,
then subpoena the registrar for their account info.

~~~
SXX
Do you seriously expect criminals are dumb enough to leave any useful
information there?

~~~
21
Remember the guy who created Silk Road. People talked about him in mythical
terms, that he probably has the op-sec of God, but afterwards facts pointed to
major mistakes, like connecting identities to his real name, and suddenly
everybody was like "how can he be so stupid, doing this while being the owner
of a $100 mil criminal empire".

~~~
DougBTX
It's a classic asymmetry: the defender needs to defend all the time, the
hacker just needs to get in once. Ditto op-sec, the hacker needs to keep their
identity protected at all times, the security services only need to connect
the dots once.

~~~
MichaelGG
He kept his diary unlocked along with the rest of his operational assets.
That's a far cry from one slip.

Was it ever released how they found and imaged his server though?

