Wednesday, 17 May 2017

The most useful information on the WannaCry ransomware

Taken from the website of the US security agency (US-CERT).

In particular, these are the indicators that help you determine whether a host is infected:

If a connection is established, the dropper will terminate execution. If the connection fails, the dropper will infect the system with ransomware.

When executed, the malware is designed to run as a service with the parameters "-m security". During runtime, the malware determines the number of arguments passed during execution. If the arguments passed are less than two, the dropper proceeds to install itself as the following service:

--Begin service--
ServiceName = "mssecsvc2.0"
DisplayName = "Microsoft Security Center (2.0) Service"
BinaryPathName = "%current directory%5bef35496fcbdbe841c82f4d1ab8b7c2.exe -m security"
--End service--

Once the malware starts as a service named mssecsvc2.0, the dropper attempts to create and scan a list of IP ranges on the local network and attempts to connect using UDP ports 137, 138 and TCP ports 139, 445. If a connection to port 445 is successful, it creates an additional thread to propagate by exploiting the SMBv1 vulnerability documented in Microsoft Security Bulletin MS17-010. The malware then extracts and installs a PE32 binary from its resource section named "R". This binary has been identified as the ransomware component of WannaCrypt. The dropper installs this binary into "C:\WINDOWS\tasksche.exe". The dropper executes tasksche.exe with the following command:

--Begin command--
"C:\WINDOWS\tasksche.exe /i"
--End command--
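The indicators above (the mssecsvc2.0 service, the dropped C:\WINDOWS\tasksche.exe, the "-m security" and "tasksche.exe /i" command lines, and the spray of connections to TCP 445) can be checked on a single host with the script below. This is an added example written for this post, not code from the US-CERT alert or from any vendor tool; it assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection), an elevated prompt, and an arbitrary threshold of 10 half-open SMB connections that you may want to tune.

```powershell
# Added example (not from the US-CERT alert or the original post):
# host triage for the WannaCry indicators described above.
# Run from an elevated PowerShell prompt on the host you want to check.
# Assumptions: Windows 8 / Server 2012 or later (Get-NetTCPConnection);
# the SYN_SENT threshold of 10 is an arbitrary value chosen for this example.

function Test-WannaCryIndicators {
    [CmdletBinding()]
    param([int]$SynSentThreshold = 10)

    $findings = New-Object System.Collections.Generic.List[string]

    # 1. The dropper installs itself as the service "mssecsvc2.0".
    #    Key on the service name and path, not on the hash-named dropper file,
    #    since that file can live in any "current directory".
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='mssecsvc2.0'"
    if ($svc) {
        $findings.Add("Service mssecsvc2.0 present (state=$($svc.State), display='$($svc.DisplayName)', path=$($svc.PathName))")
    }

    # 2. The ransomware component is dropped as %SystemRoot%\tasksche.exe.
    #    Record the hash so it can be compared with published samples.
    $tasksche = Join-Path $env:SystemRoot 'tasksche.exe'
    if (Test-Path -LiteralPath $tasksche) {
        $sha256 = (Get-FileHash -LiteralPath $tasksche -Algorithm SHA256).Hash
        $findings.Add("File $tasksche present (SHA256=$sha256)")
    }

    # 3. Live processes started with the dropper ("-m security") or the
    #    ransomware ("tasksche.exe /i") command lines.
    $procs = Get-CimInstance -ClassName Win32_Process | Where-Object {
        $_.CommandLine -match 'tasksche\.exe"?\s+/i' -or $_.CommandLine -match '\s-m\s+security'
    }
    foreach ($p in $procs) {
        $findings.Add("Process PID $($p.ProcessId) ($($p.Name)): $($p.CommandLine)")
    }

    # 4. Propagation: the worker thread scans local ranges on TCP 445, which
    #    shows up as many half-open outbound connections stuck in SYN_SENT.
    $synSent = @(Get-NetTCPConnection -RemotePort 445 -State SynSent -ErrorAction SilentlyContinue)
    if ($synSent.Count -ge $SynSentThreshold) {
        $targets = ($synSent | Select-Object -ExpandProperty RemoteAddress -Unique) -join ', '
        $findings.Add("$($synSent.Count) outbound SYN_SENT connections to TCP 445 (targets: $targets)")
    }

    return $findings
}

$result = @(Test-WannaCryIndicators)
if ($result.Count -eq 0) {
    Write-Host "No WannaCry indicators found on $env:COMPUTERNAME."
} else {
    Write-Warning "WannaCry indicators found on $env:COMPUTERNAME; isolate this host from the network:"
    $result | ForEach-Object { Write-Warning "  $_" }
}
```

A hit on the service or the file is a strong indicator on its own; the SYN_SENT check is noisier (a vulnerability scanner or a backup agent can also open many 445 connections), so treat it as corroboration and confirm with the other three.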

It is essential to apply the Microsoft patches (MS17-010) to stop the ransomware from spreading across the network.
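Patching is the real fix, but while it is being rolled out you can check whether a host is still reachable over the path the worm uses and close it. The script below is an added example written for this post, not code from Microsoft or the original page; it assumes Windows 8 / Server 2012 or later (SmbShare and NetSecurity modules), an elevated prompt, and that you pass the MS17-010 KB identifiers for your OS versions yourself, since they differ per build and are not listed here. The firewall rule name is chosen for this example.

```powershell
# Added example (not from the original post): check whether this host is
# still exposed to the SMBv1 flaw WannaCry exploits (MS17-010) and, with
# -Contain, apply interim mitigations until the patch is installed.
# Assumptions: Windows 8 / Server 2012 or later (SmbShare and NetSecurity
# modules); run elevated; -Ms17010Kb takes the KB ids from the bulletin for
# the OS versions you run (left to the caller on purpose, they differ per build).
[CmdletBinding()]
param(
    [switch]$Contain,
    [string[]]$Ms17010Kb = @()
)

$exposed = $false

# The exploit talks SMBv1; disabling it removes the attack surface even on
# an unpatched host (legacy clients that still need SMBv1 will lose access).
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    Write-Warning "SMBv1 server protocol is enabled."
    $exposed = $true
    if ($Contain) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Write-Host "SMBv1 disabled."
    }
}

# The worm propagates over TCP 445 (and probes 139); an inbound block rule
# keeps it from reaching this host while patching is under way. This also
# breaks incoming file sharing, so remove the rule once MS17-010 is installed.
$ruleName = 'Block inbound SMB (MS17-010 interim)'
$rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if (-not $rule) {
    Write-Warning "No interim firewall rule blocking inbound TCP 139/445."
    if ($Contain) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort 139,445 -Action Block -Profile Any | Out-Null
        Write-Host "Inbound TCP 139/445 blocked."
    }
}

# Patch state: compare installed hotfixes against the KB ids supplied by the
# caller. Monthly rollups supersede the security-only update, so pass both
# identifiers for each OS version you manage.
if ($Ms17010Kb.Count -gt 0) {
    $installed = Get-HotFix | Where-Object { $Ms17010Kb -contains $_.HotFixID }
    if ($installed) {
        Write-Host "MS17-010 hotfix present: $(($installed.HotFixID) -join ', ')"
    } else {
        Write-Warning "None of the supplied MS17-010 KBs ($($Ms17010Kb -join ', ')) is installed."
        $exposed = $true
    }
} else {
    Write-Warning "No KB ids supplied; patch state not checked."
}

if ($exposed) { exit 1 } else { exit 0 }
```

Run it once without -Contain to report, then with -Contain on hosts you cannot patch immediately; the non-zero exit code makes it easy to drive from a management tool and collect the exposed hosts.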
