
Tencent Security Anti-Virus Laboratory's analysis of the "WannaCry" ransomware

via: 博客园     time: 2017/5/13 20:30:35     reads: 1063

Background

Following yesterday's attack on British hospitals and the subsequent spread of the WannaCry ransomware through Chinese universities, Tencent Security Anti-Virus Laboratory promptly published an in-depth, authoritative analysis. Compared with past ransomware incidents, the most notable feature of this one is that the ransomware spreads in the manner of a worm, using the MS17-010 vulnerability recently leaked from the NSA. In the leaked NSA files, the exploit code that WannaCry uses to spread is called "EternalBlue", so some reports refer to the attack as "Eternal Blue".

MS17-010 is a vulnerability that lets an attacker send specially crafted network packets to port 445 on the victim's machine and achieve remote code execution. If the user's firewall is enabled, the computer will not accept data on port 445. However, students in Chinese universities sometimes turn the firewall off in order to play games over the LAN, which is why the worm spread so freely there.

Attack process

After the vulnerability is successfully exploited, a compressed package is extracted from the binary's resource section. The package is decrypted in memory with the password WNcry@2ol7 and its files are released. These files include the exe for the later pop-up window, the bmp desktop background image, the language and font resources for the ransom note, and two auxiliary attack exe files. They are written to the local directory and set to hidden.

Here u.wnry is the executable for the subsequent ransom pop-up window.

The language selection box in the upper right corner of the window lets the display be customized for users in different countries. These language resources are also carried in the compressed package released together with the resource file described above.

Analysis of the virus shows that files with the following extensions are encrypted: docx.docb.docm.dot.dotm.dotx.xls.xlsx.xlsm.xlsb.xlw.xlt.xlm.xlc.xltx.xltm.ppt.pptx.pptm.pot.pps..pls.pps.pam.potx.potm.pst.ost.msg.eml.edb.vsd.vsdx.txt.csv.rtf.123.wks.wk1.pdf.dwg.onetoc2.snt.hwp.602.sxi.sti.sldx.sldm.sldm.vdi.vmdk.vmx.gpg.aes.ARC.PAQ.bz2.tbk.bak.tar.tgz.gz.7z.rar.zip.backup.so.vcd.jpeg.jpg.bmp.png.gif.raw.cgm.tif.tiff.nef.psd.ai.svg.djvu.m4u.m3u.mid.wma.flv.3g2.mkv.3gp.mp4.mov.avi.asf.mpeg.vob.mpg.wmv.fla.swf.wav.mp3.sh.class.jar.java.rb.asp.php.jsp.brd.sch.dch.dip.pl.vb.vbs.ps1.bat.cmd.js.asm.h.pas.cpp.c.cs.suo.sln.ldf.mdf.ibd.myi.myd.frm.odb.dbf.db.mdb.accdb.sql.sqlitedb.sqlite3.asc.lay6.lay.mml.sxm.otg.odg.uop.std.sxd.otp.odp.wb2.slk.dif.stc.sxc.ots.ods.3dm.max.3ds.uot.stw.sxw.ott.odt.pem.p12.csr.crt.key.pfx.der.

Take an image file as an example: opening it on the computer shows that the ransomware has encrypted it through the Windows Crypto API using a combination of AES and RSA, and the file extension has been changed to *.WNCRY.

At this point, clicking "Decrypt" in the ransom window brings up the decryption dialog.

But payment is required before any decryption takes place:

115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94.

The malware author currently uses these three randomly selected accounts as wallet addresses to receive the illicit payments.

Precautionary advice

Spreading through a remote Windows vulnerability is a major feature of this ransomware and also the root cause of the outbreak in colleges and universities, so turning on the firewall is a simple and direct countermeasure. The following is a simple example, using Windows 7, of how to close port 445.

1. Open the Control Panel and click Windows Firewall

2. Click "Advanced Settings"

3. Click "Inbound Rules", then click "New Rule"

4. Select "Port", then click through to "Protocol and Ports"

5. Check "Specific local ports", fill in 445, and click Next

6. Select "Block the connection", click Next, and then give the rule a name.
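The same six-step firewall procedure as a script, added here as an example (not from the original article or from Tencent), for administrators who need to apply it to many lab machines at once. It assumes an elevated prompt and the NetSecurity PowerShell module (Windows 8 / Server 2012 or later); the rule name is an assumption, and the equivalent netsh commands for Windows 7 are given in comments.

```powershell
# Added example: scripted equivalent of the GUI steps above.
# Assumed rule name; change to match local naming conventions.
$RuleName = 'Block inbound SMB (TCP 445) - MS17-010 mitigation'

# A block rule does nothing if the firewall itself is off, which the article
# identifies as the root cause on campus LANs, so re-enable all three profiles.
# Windows 7 equivalent:  netsh advfirewall set allprofiles state on
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True

# Create the inbound block rule only if it is not already present, so the
# script is safe to re-run from a login or startup script.
# Windows 7 equivalent:
#   netsh advfirewall firewall add rule name="Block SMB 445" dir=in action=block protocol=TCP localport=445
$existing = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if (-not $existing) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Inbound `
        -Protocol TCP `
        -LocalPort 445 `
        -Action Block `
        -Profile Any `
        -Enabled True | Out-Null
}

# Verify the rule really is enabled, inbound, TCP/445 and set to Block.
$rule   = Get-NetFirewallRule -DisplayName $RuleName
$filter = $rule | Get-NetFirewallPortFilter
$ok = ($rule.Enabled -eq 'True') -and ($rule.Direction -eq 'Inbound') -and
      ($rule.Action -eq 'Block') -and ($filter.Protocol -eq 'TCP') -and
      ($filter.LocalPort -eq '445')
if ($ok) {
    Write-Output "OK: '$RuleName' is active"
} else {
    Write-Warning "Rule '$RuleName' did not verify; check it in the firewall console"
}

# Report any profile that is still disabled after the change.
Get-NetFirewallProfile | Where-Object { -not $_.Enabled } |
    ForEach-Object { Write-Warning "Firewall profile '$($_.Name)' is still disabled" }
```

Blocking inbound 445 stops the worm reaching the machine but does not remove the vulnerability itself, so the patch the article mentions should still be installed.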

In addition, installing the Microsoft patch also prevents the attack.
