2025-01-28 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
The article is from Jiangxi Ruidu Intelligent Technology Co., Ltd.
Interpretation of "WannaCry"
On the evening of May 12, Beijing time, nearly 100 countries around the world were hit by a large-scale network attack. A ransomware program called WannaCry spread rapidly worldwide, encrypting large numbers of files and demanding a high ransom in Bitcoin to recover the data. As of press time, the malware had affected hundreds of countries, tens of thousands of enterprises and organizations, and nearly one million computer hosts. Users in many industries in China, including education, energy and government agencies, were not immune; large amounts of important data became inaccessible, causing serious social harm.
The biggest difference between this ransomware incident and earlier ones is that the ransomware spreads in combination with a worm, exploiting the MS17-010 vulnerability that was leaked from NSA not long before. In the leaked NSA documents the exploit code used for WannaCry's propagation is called "EternalBlue", which is why some reports refer to this incident as "Eternal Blue".
Because the virus combines with a worm to spread across the local area network, each infected Windows terminal becomes a new propagator: one infects ten, ten infect a hundred, and a large number of terminals are infected in a short time.
How the ransomware spreads
It spreads through phishing sites and email attachments on the Internet. Once a user visits a phishing site or opens an email attachment carrying the virus, the user's machine may be infected.
Once the ransomware file enters the local machine it runs automatically and deletes its own sample to avoid detection and analysis. Next it uses the machine's Internet access to connect to the attacker's command-and-control (C&C) server, uploads local information, downloads the encryption key pair (public and private key) and encrypts the files with it; apart from the virus author, it is almost impossible for anyone else to decrypt them. After encryption completes, the wallpaper is changed and ransom notes are placed in prominent locations such as the desktop to guide the user to pay. Variants appear very quickly and evade conventional antivirus software. The main sample types are exe, js, wsf, vbe and so on, which is a great challenge for security products that rely on signature detection.
The infected host then attempts to connect to Windows hosts in the local area network that have port 445 open and spreads the virus through the vulnerability.
Jiangxi Ruidu Network Security solution
Solution: the network level
Deploy firewalls and detection systems at the network border:
1. If TCP ports 139 and 445 are open, it is recommended to block access to them.
2. Enable the detection system's rule base and update it to the latest version.
3. Enable AMP malicious code protection and keep it updated.
4. Inspect and block traffic from internal hosts to reduce the chance that ransomware is implanted.
5. Check the intranet for C&C connections and cut off the access that existing ransomware would use to update its keys.
Solution: e-mail
Deploy an email security gateway:
1. Enable SenderBase reputation filtering to filter out sending organizations with low reputation.
2. Enable anti-virus and anti-malware features and update them to the latest versions.
3. Perform in-depth analysis and protection against incoming spam.
Solution: Internet access behavior
Deploy Internet behavior management:
1. Enable website reputation filtering to block low-reputation sites.
2. Enable malware protection.
3. Inspect URL access and filter URLs that may host phishing.
4. Check for abnormal connections from terminals and review the records of blocked access.
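Item 4, combined with the port-445 spreading behaviour described earlier, can be turned into a simple detection rule: a host that contacts many distinct LAN neighbours on SMB ports within a short window is behaving like the worm, not like a user opening a file share. The following Python is an added example, not part of the article or of any vendor product; the log format, IP addresses, window length and threshold are all constructed or assumed.

```python
"""SMB worm fan-out detector over constructed firewall log lines (added example).
Log format (constructed): <ISO time> <src_ip> <dst_ip> <proto>/<dst_port> <action>"""
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORTS = {445, 139}          # ports the worm uses to reach other LAN hosts
WINDOW = timedelta(minutes=5)   # sliding window length (assumed tuning value)
FANOUT_THRESHOLD = 10           # distinct targets before alerting (assumed)

def parse_line(line):
    """Return (time, src, dst, port) for a TCP log line, or None if unusable."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, proto_port, _action = parts
    proto, _, port = proto_port.partition("/")
    if proto.lower() != "tcp" or not port.isdigit():
        return None
    return datetime.fromisoformat(ts), src, dst, int(port)

def find_smb_fanout(lines, threshold=FANOUT_THRESHOLD, window=WINDOW):
    """Map each source that reached >= threshold distinct hosts on SMB ports
    within one window to the largest distinct-host count observed for it."""
    attempts = defaultdict(list)            # src -> [(time, dst), ...]
    for line in lines:
        rec = parse_line(line)
        if rec and rec[3] in SMB_PORTS:
            attempts[rec[1]].append((rec[0], rec[2]))
    alerts = {}
    for src, events in attempts.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1                  # drop events older than the window
            targets = {dst for _, dst in events[start:end + 1]}
            if len(targets) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(targets))
    return alerts

def _constructed_log():
    """Constructed sample: a user on one file server, one host sweeping the LAN."""
    t0 = datetime(2017, 5, 12, 20, 0, 0)
    stamp = lambda s: (t0 + timedelta(seconds=s)).isoformat()
    normal = [f"{stamp(30 * i)} 10.0.0.5 10.0.0.100 tcp/445 allow" for i in range(20)]
    sweep = [f"{stamp(10 * i)} 10.0.0.17 10.0.0.{20 + i} tcp/445 allow" for i in range(12)]
    return normal + sweep + [f"{stamp(0)} 10.0.0.17 203.0.113.7 tcp/443 allow"]

SAMPLE_LOG = _constructed_log()
```

Running `find_smb_fanout(SAMPLE_LOG)` flags only 10.0.0.17 (12 distinct SMB targets in two minutes); the legitimate client that repeatedly opens one file server never raises an alert because the count is over distinct destinations, not connection volume.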
Solution: the host side
1. Install the MS17-010 vulnerability patch.
Microsoft Security Bulletin MS17-010: https://technet.microsoft.com/zh-cn/library/security/MS17-010
For XP, 2003 and other Windows versions for which Microsoft no longer provides security updates, it is recommended to use the NSA arsenal immunity tool to detect the vulnerability on the system and close the ports it affects, so as to avoid attack by viruses such as this ransomware.
Immunity tool download address: http://dl.360safe.com/nsa/nsatool.exe
2. Turn on the host firewall, open its advanced settings and disable file and printer sharing, or use a personal firewall to close ports 445, 135, 137, 138 and 139.
3. Install antivirus software and update it to the latest version.
Solution: user security awareness
Train users in security awareness, covering the following points:
1. Do not open e-mail from strangers or unknown sources, and do not open their attachments.
2. Do not click to run macros when Office prompts you, to avoid infection through Office components.
3. Download required software from the official website. Do not double-click to open files with suffixes such as ".js" and ".vbs".
4. Update antivirus software to the latest virus database to block known virus samples.
5. Back up important data and files on the computer regularly so that they can be restored if the virus strikes.
"Eternal Blue" ransomware worm vulnerability repair tool
The 360 Enterprise Security Sky engine team provides a tool to fix the vulnerability exploited by the "Eternal Blue" ransomware worm. When run, the tool automatically checks the system for the vulnerability and offers the fix. It integrates immunity, SMB service shutdown, and MS17-010 vulnerability detection and repair for each supported system. The MS17-010 vulnerability can be repaired with one click even in an offline network environment, fundamentally removing the security risk posed by the ransomware worm's exploitation of MS17-010.
Download
Updated: 2017-05-15 02:50:00
MD5: 3b6d7cefd1aacafd2de96d484df570bf
SHA1: a93cddfc03341ec84b6a293f8a3caf6d01163b6a
SHA256: 6c4a68bc28dbff9b98ac119581b11fb41a5ae989426800eb92cc7da5997607ba
Note: the following operating system versions must first be upgraded manually. After upgrading, restart the computer and run the repair tool again. If you cannot upgrade the operating system for the time being, you can turn off the relevant services as the tool prompts to avoid the risk temporarily.
Current system version         Upgrade target version                                    Upgrade package (download link)
Windows XP
  Windows XP x86               Windows XP x86 SP3 (first upgrade to SP2, then to SP3)    SP2, SP3
  Windows XP x86 SP1           Windows XP x86 SP3                                        SP3
  Windows XP x86 SP2           Windows XP x86 SP3                                        SP3
Windows Server 2003
  Windows Server 2003 x86      Windows Server 2003 x86 SP2                               SP2
  Windows Server 2003 x86 SP1  Windows Server 2003 x86 SP2                               SP2
Windows Vista
  Windows Vista x86            Windows Vista x86 SP2 (upgrade to SP1 and then to SP2)    SP1, SP2
  Windows Vista x86 SP1        Windows Vista x86 SP2                                     SP2
Windows 7
  Windows 7 x86                Windows 7 x86 SP1                                         SP1
  Windows 7 x64                Windows 7 x64 SP1                                         SP1
Windows Server 2008
  Windows Server 2008 x86      Windows Server 2008 x86 SP2                               SP2
  Windows Server 2008 x86 SP1  Windows Server 2008 x86 SP2                               SP2
Windows Server 2008 R2
  Windows Server 2008 R2 x64   Windows Server 2008 R2 x64 SP1                            SP1
Other tools:
"Eternal Blue" ransomware worm removal tool
"Eternal Blue" ransomware worm immunity tool
Port 445 restore tool
Jiangxi Ruidu Intelligent Technology Co., Ltd.
Providing you with professional information security solutions
Contact: 0791-88699625