2025-02-23 Update From: SLTechnology News&Howtos (Servers)
Shulou (Shulou.com) 06/02 Report
The last word on dealing with the Ransom:Win32.WannaCrypt ransomware
On the evening of 2017-5-12, the ransomware Ransom:Win32.WannaCrypt broke out on a large scale. Spreading even faster than the virus itself was the flood of news and "solutions" on social media such as WeChat Moments.
Among them were well-intentioned but misguided advice, advertising campaigns by security software vendors pushing all kinds of tools with hidden agendas, and publicity from IT companies of every size.
For a time many people were at a loss and trembling; they tried every trick from every post on their own networks without hesitation, and in some cases interrupted their own business as a result.
I have posted many times in Moments to discuss and guide the response. But I still see that everyone is at a loss.
So I would like to sort out my thoughts and explain this one last time.
I am Feng Lichao: Microsoft Most Valuable Professional (MVP) 2004-2017, Microsoft Certified Systems Engineer (MCSE) since 1998, Microsoft Certified Trainer (MCT) since 2000, and in 2003-2004 a signed national tour lecturer for Microsoft Trustworthy Computing. This article carries no hidden agenda, because my current business is not in this field. It was only when the phone calls exploded on Saturday that I had to stop my work and was forced to weigh in here.
The purpose of this article is to give confused Windows users some suggestions and set their eyes and ears straight.
Summary:
This article mainly covers the following points:
Just patch, patch, patch.
There is no need to use "smart" tools and software such as 360.
Do not close ports at will.
If you take my word for it and don't care about the technical details, you can stop here and get to work.
Technical discussion
Here are some related technical issues:
1. Just patch it!
Patch overview
This virus exploits a vulnerability in Microsoft Windows SMB v1 to spread, executing code remotely and encrypting the documents on the computer.
The virus broke out on a large scale on 2017-5-12.
Microsoft issued a security bulletin and security update on 2017-3-14. Links:
Microsoft Security Bulletin MS17-010 - Critical
MS17-010: Windows SMB Server security update
In addition, Microsoft has also provided patches for Windows XP and Windows Server 2003, which are out of support; the link is https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
Patch interpretation
People do not usually read Microsoft's official technical documents like these, so some may not understand them. Don't worry; just choose the appropriate patch according to your operating system version.
Take the first document linked above, the security bulletin:
Under each operating system in the document's table there are several links, separated along the following lines:
Minor version of the operating system: for example, SP1 or SP2.
System platform: 32-bit or 64-bit, or the rare Itanium.
The update for this vulnerability alone, or the monthly rollup that includes it.
The first two must be chosen correctly. The third depends on your situation: choose "Security Only" if you want to be quick, and "Monthly Rollup" if you want to be comprehensive.
This one page is enough. A friend called to say the patch could not be installed; it turned out he had not chosen the right one.
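The three facts the bulletin table asks for (edition and service pack, 32- or 64-bit, which update type) can be read off the machine instead of guessed. The following PowerShell script is an added example, not code from the original article or from Microsoft: it prints the OS edition, service pack and platform, lists the updates installed on or after the 2017-3-14 bulletin date so they can be compared against the bulletin's row for that OS, and reports whether the SMB v1 server protocol the worm abuses is still enabled. It is read-only. The `$expectedKbs` list is a placeholder the reader fills from the bulletin; the article itself does not list KB numbers.

```powershell
# Added example: report the facts needed to pick the right MS17-010 package.
# Read-only; Get-WmiObject is used so it also runs on the PowerShell 2.0 hosts
# (Windows XP / 2003 / 7) the article discusses.

$os = Get-WmiObject -Class Win32_OperatingSystem

Write-Host "Operating system : $($os.Caption)"
Write-Host "Version          : $($os.Version)"
Write-Host "Service pack     : SP$($os.ServicePackMajorVersion)"

# OSArchitecture is absent on XP / 2003; fall back to the CPU address width.
$arch = $os.OSArchitecture
if (-not $arch) {
    $width = (Get-WmiObject -Class Win32_Processor | Select-Object -First 1).AddressWidth
    $arch  = "$width-bit"
}
Write-Host "Platform         : $arch"

# Updates installed since the bulletin was published (date from the article).
# Compare the KB numbers shown against the bulletin row for this OS.
$bulletinDate = Get-Date '2017-03-14'
Write-Host "`nUpdates installed on/after $($bulletinDate.ToShortDateString()):"
Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $bulletinDate } |
    Sort-Object InstalledOn |
    Format-Table HotFixID, Description, InstalledOn -AutoSize

# Placeholder: put the KB ids the bulletin names for this OS here and the
# script confirms each one (the article does not list them, so none are given).
$expectedKbs = @()   # e.g. @('KB<id from the MS17-010 table>')
foreach ($kb in $expectedKbs) {
    if (Get-HotFix -Id $kb -ErrorAction SilentlyContinue) {
        Write-Host "OK      $kb is installed"
    } else {
        Write-Host "MISSING $kb - install it from the bulletin link"
    }
}

# SMB v1 server state. Windows 8 / Server 2012 and later expose a cmdlet;
# older versions only have the LanmanServer registry value (absent = enabled).
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
} else {
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $value  = (Get-ItemProperty -Path $params -ErrorAction SilentlyContinue).SMB1
    $smb1   = ($null -eq $value) -or ($value -ne 0)
}
Write-Host "`nSMB v1 server enabled: $smb1 (status only; MS17-010 is the fix for the SMB v1 code path)"
```

Run it in an elevated PowerShell window on the machine to be patched; the first three lines of output pick the bulletin row, and the hotfix list shows whether anything from that row is already present.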
Enterprise patch management
Of course, enterprises cannot patch machines one by one the way individuals do.
You need a patch server. Deploying Microsoft's WSUS service is recommended.
The basic principle: all clients within the enterprise point their update source at the WSUS server, and the WSUS server points its update source at Microsoft's update servers.
Depending on the size of the enterprise and its IT management model, WSUS servers can be arranged hierarchically, distribution policies configured, patches approved, and so on.
Please refer to the Windows Server Update Services overview for details; I will not repeat them here. Oh, by the way, this service is free, but hiring a professional Microsoft solution partner to implement it is not.
Of course, you can also use a patch service from a third-party professional company, whether a genuinely professional product or one mandated from above.
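What "all clients point their update source at the WSUS server" means on a single client is a handful of policy registry values. The script below is an added example, not the article's or Microsoft's code: it writes the values that the "Specify intranet Microsoft update service location" Group Policy sets, reads them back, and asks the Windows Update agent to detect against the new source. The server URL is an assumed placeholder; in a domain you would set the GPO once rather than run this per machine. Run it elevated.

```powershell
# Added example: configure one client to use a WSUS server as its update source.
# Assumption: the WSUS URL below is a placeholder for your own server.

$WsusServer = 'http://wsus.example.internal:8530'   # placeholder, replace

$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auPolicy = Join-Path $wuPolicy 'AU'
foreach ($key in $wuPolicy, $auPolicy) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
}

# Update source and the server that receives status reports (usually the same).
Set-ItemProperty -Path $wuPolicy -Name WUServer       -Value $WsusServer -Type String
Set-ItemProperty -Path $wuPolicy -Name WUStatusServer -Value $WsusServer -Type String

# Use the intranet server, keep Automatic Updates enabled, and auto download
# plus schedule the install (AUOptions 4).
Set-ItemProperty -Path $auPolicy -Name UseWUServer  -Value 1 -Type DWord
Set-ItemProperty -Path $auPolicy -Name NoAutoUpdate -Value 0 -Type DWord
Set-ItemProperty -Path $auPolicy -Name AUOptions    -Value 4 -Type DWord

# Read the values back so the change can be verified before moving on.
function Get-WsusClientConfig {
    $wu = Get-ItemProperty -Path $wuPolicy
    $au = Get-ItemProperty -Path $auPolicy
    [pscustomobject]@{
        WUServer     = $wu.WUServer
        UseWUServer  = $au.UseWUServer
        AUOptions    = $au.AUOptions
        NoAutoUpdate = $au.NoAutoUpdate
    }
}
Get-WsusClientConfig | Format-List

# Make the agent re-read policy and contact the new source now rather than
# waiting for its next scheduled detection cycle.
Restart-Service -Name wuauserv
(New-Object -ComObject 'Microsoft.Update.AutoUpdate').DetectNow()
```

A client that has been redirected this way should appear in the WSUS console after its first detection; if it does not, the `WUServer` value and the URL's port are the first things to check.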
Do not shut down ports at will
Don't shut down a port unless you know what will happen. The following is an excerpt from the article by my friend MVP Hu Hao (more experienced than I am, despite my boasting above), "The right way to resist the ransomware: don't start by blocking ports!" The key points:
This past weekend, Moments must have been flooded with the ransomware.
Seeing a bunch of people telling others to block ports 135-139 and 445, as an old hand who has fixed countless AD replication problems and clients that cannot log in or use domain resources, I would like to ask: do you really know what these ports are for?
The official web page for port usage can be found here: Port Assignments for Well-Known Ports
Please read carefully and confirm the role of ports 135, 136, 137, 138, 139 and 445. If you are not sure whether these ports are required for normal domain logon, access to domain resources, replication between DCs and so on, please be careful about blocking them!
The biggest harm is not an immediate failure but the large number of AD replication errors that appear 90 or 180 days later, which are more complicated than you think.
2. You don't have to use "smart" tools and software like 360.
Keep the computer clean
Please don't be bewitched by 360 and other so-called security companies into installing a bunch of rogue software.
Microsoft clearly knew about the vulnerability and immediately released a patch. Two months later, malicious attackers exploited this vulnerability to build the WannaCry virus.
We just need to patch as Microsoft suggests, because you are using Microsoft Windows.
If you used Zhou Hongyi's operating system, of course you would use their 360; but not now.
360 is not useless; roughly, they do two things:
Item 0: seize on the incident to make noise and grow their user base, the so-called "wishing the world were more chaotic".
Item 1: help you scan for vulnerabilities and download patches from Microsoft's website. This is something Microsoft does on its own. But somehow too many people think this is 360's specialty; the highbrow work gets credited to the lowbrow crowd.
Item 2: in case you are hit, they will help you get your files back.
How is that possible?! Modern encryption is mathematically proven; it is not a trick to fool the gullible. As I said in another article, hide the money in the safe instead of in the socks under the bed. I won't repeat it here.
So, if you really are hit and your files are encrypted, 360 cannot unlock them.
But there is a glimmer of hope; 360 has come up with a possible approach:
The virus encrypts your document, saves the encrypted copy to your computer, and deletes the original. Using 360's deleted-file recovery tool, it may be possible to retrieve the deleted, unencrypted files. But there is no guarantee they will all be found.
So, in case you get hit, the best approach is to not touch anything and use a professional tool, whether 360's or any other data recovery tool, to try to recover. Don't call me; I won't take the job.
If you like 360, I didn't say you must uninstall it; I just don't like it personally. A friend just told me he couldn't find a patch, and I found that he was on XP SP2. Even though Microsoft urgently released a patch for the no-longer-supported Windows XP, it only covers WinXP SP3 32-bit and WinXP SP2 64-bit. In this case, 360 may have a copy of the XP SP3 installation package; you can try it. I don't know.
The harm done by some so-called security software
We believe the international professional network security companies are excellent and great.
But we also see a bunch of grandstanding, loudmouthed companies acting recklessly. They launch so-called "PC managers" and similar tools that, in the name of optimizing performance and improving security, shut down services and ports they do not understand, leading to many inexplicable problems in the system.
If they hadn't arbitrarily advised users to turn off the automatic update service, if they hadn't arbitrarily taken over MSE or Defender, the antivirus software that comes with Windows, if they hadn't wantonly taken over Windows Firewall, why would any of this have happened?!
If EternalBlue is the culprit, then these so-called security products are its accomplices.
Then what should I use to kill the virus?
Microsoft launched its own antivirus software a long time ago.
So all you have to do is turn on automatic updates and use Microsoft's own antivirus software.
If you are a Windows 7 user, please install Microsoft Security Essentials.
Download address:
Windows Vista/Windows 7 32-bit
Windows Vista/Windows 7 64-bit
Since Windows 8, Windows Defender has been included in the operating system, so you can use it directly.
There is nothing to worry about.
Windows comes with the Defender antivirus, its own firewall and its own Windows Update, which are turned on by default and run normally.
So everything was fine until you installed rogue software like 360, which intercepted and disrupted everything. Alas! Who is to blame when you invite hooligans into your home?
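Whether the three built-in protections the paragraph above relies on are actually still running is something a "PC manager" may have quietly changed. The following script is an added example, not the article's own code: it reports the state of the Windows Update service, the Windows Firewall service and profiles, the antivirus service (Defender on Windows 8 and later, Microsoft Security Essentials on Windows 7), the Defender engine status where the cmdlet exists, and whether Automatic Updates has been disabled by policy. It only reads; it returns one row per check so the output can be filtered on `Ok`.

```powershell
# Added example: read-only check of the built-in protections the article
# recommends. Service names are the standard Windows ones.

function Test-BuiltInProtection {
    $findings = @()

    # 1. Services: Windows Update, Windows Firewall and whichever antivirus
    #    service is present (WinDefend on Windows 8+, MsMpSvc for MSE on Win7).
    $wanted = @{
        'wuauserv'  = 'Windows Update service'
        'MpsSvc'    = 'Windows Firewall service'
        'WinDefend' = 'Windows Defender service'
        'MsMpSvc'   = 'Microsoft Security Essentials service'
    }
    foreach ($name in $wanted.Keys) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($svc) {
            $findings += [pscustomobject]@{
                Check = $wanted[$name]; State = $svc.Status; Ok = ($svc.Status -eq 'Running')
            }
        }
    }

    # 2. Firewall profiles (cmdlet available on Windows 8 / Server 2012 and later).
    if (Get-Command Get-NetFirewallProfile -ErrorAction SilentlyContinue) {
        foreach ($p in Get-NetFirewallProfile) {
            $findings += [pscustomobject]@{
                Check = "Firewall profile $($p.Name)"; State = $p.Enabled; Ok = [bool]$p.Enabled
            }
        }
    }

    # 3. Defender engine status (Windows 8.1 / 10 and later).
    if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
        $mp = Get-MpComputerStatus
        $findings += [pscustomobject]@{
            Check = 'Real-time protection'; State = $mp.RealTimeProtectionEnabled
            Ok    = [bool]$mp.RealTimeProtectionEnabled
        }
        $findings += [pscustomobject]@{
            Check = 'Signature age (days)'; State = $mp.AntivirusSignatureAge
            Ok    = ($mp.AntivirusSignatureAge -le 7)   # threshold is an assumption
        }
    }

    # 4. Automatic Updates policy: NoAutoUpdate = 1 is what "turning off the
    #    automatic update service" looks like in the registry.
    $auKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $au = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue
    $disabled = ($au -and $au.NoAutoUpdate -eq 1)
    $findings += [pscustomobject]@{
        Check = 'Automatic Updates policy'
        State = $(if ($disabled) { 'disabled by policy' } else { 'not disabled' })
        Ok    = -not $disabled
    }

    return $findings
}

Test-BuiltInProtection | Format-Table Check, State, Ok -AutoSize
```

Any row with `Ok` false is a candidate for "what did that optimizer change?"; a stopped `wuauserv` or `NoAutoUpdate = 1` is exactly the situation the article describes, in which the machine never receives the March patch.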
3. Do not shut down ports at will
On this issue, Hu Hao's article "The right way to resist the ransomware: don't start by blocking ports!" has already made things clear, so I will not repeat it.
I just want to tell a few stories:
About port 135
Many people know that RPC uses port 135, so to allow RPC communication across a firewall they open port 135 on the firewall, and find that RPC communication still fails. Why? Because the RPC conversation does not use port 135: when communication is initiated, the two parties negotiate a random unused port between 1024 and 65535 and communicate on that.
Therefore, whether opening or closing a port, you must first figure out what the port is for and how it works. Otherwise you might as well just unplug the network cable.
About the DHCP Client service
Many organizations do not allow dynamic IP addresses, so they stop the DHCP Client service through Group Policy, not knowing that in addition to obtaining an IP address automatically, this service also registers and updates the client's DNS records. As a result, client records on the DNS server become stale or are automatically scavenged.
About sharing
Some organizations do not allow sharing, going as far as forcibly disabling Admin$ and IPC$, without understanding the essential purpose of these administrative shares; the result is a series of problems such as security policy replication failures.
So, if something is wrong with your Active Directory, don't call me first. Ask yourself what security software you have installed recently and which ports or services you have closed. Do you really understand what this security software does, and how?
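The three stories above (port 135 and the RPC dynamic range, the DHCP Client service and DNS registration, the administrative shares) and Hu Hao's point about ports 135-139 and 445 can be turned into one read-only audit of a domain member. The script below is an added example, not code from the article or from Hu Hao: it lists enabled inbound firewall rules that block any of those ports, prints the RPC dynamic port range that the port 135 endpoint mapper hands conversations off to, reports the DHCP Client service state and which interfaces register in DNS, and checks that the administrative shares exist. It needs Windows 8 / Server 2012 or later for the Net* and Smb* cmdlets; the `netsh` parsing assumes the English output format.

```powershell
# Added example: audit the ports, services and shares the article's stories
# are about, without changing anything.

$domainPorts = 135..139 + 445

function Get-BlockedDomainPortRules {
    # Enabled inbound Block rules whose local port list covers a domain port.
    Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True |
        ForEach-Object {
            $rule = $_
            $pf = $rule | Get-NetFirewallPortFilter
            foreach ($lp in @($pf.LocalPort)) {
                $hit = $false
                if ($lp -match '^(\d+)-(\d+)$') {
                    $lo = [int]$matches[1]; $hi = [int]$matches[2]
                    $hit = @($domainPorts | Where-Object { $_ -ge $lo -and $_ -le $hi }).Count -gt 0
                } elseif ($lp -match '^\d+$') {
                    $hit = $domainPorts -contains [int]$lp
                }
                if ($hit) {
                    [pscustomobject]@{ Rule = $rule.DisplayName; Protocol = $pf.Protocol; LocalPort = $lp }
                }
            }
        }
}

function Get-RpcDynamicPortRange {
    # Port 135 only returns an endpoint; the real RPC conversation moves to a
    # port from this range, so a firewall opened for 135 alone still breaks it.
    $text = netsh int ipv4 show dynamicport tcp
    $nums = @($text | Select-String '(\d+)\s*$' |
              ForEach-Object { [int]$_.Matches[0].Groups[1].Value })
    # English netsh output prints "Start Port" then "Number of Ports".
    [pscustomobject]@{ StartPort = $nums[0]; NumberOfPorts = $nums[1] }
}

function Get-DhcpClientDnsState {
    # The DHCP Client service (Dhcp) also registers the host in DNS; the
    # per-interface RegisterThisConnectionsAddress flag controls that.
    $svc = Get-Service -Name Dhcp
    [pscustomobject]@{
        DhcpClientService     = $svc.Status
        InterfacesRegistering = @(Get-DnsClient | Where-Object RegisterThisConnectionsAddress |
                                  ForEach-Object InterfaceAlias)
    }
}

function Get-AdminShareState {
    # Special (administrative) shares; a "hardening" tool may have removed them.
    $names = @(Get-SmbShare | Where-Object Special | ForEach-Object Name)
    [pscustomobject]@{
        'ADMIN$' = ($names -contains 'ADMIN$')
        'IPC$'   = ($names -contains 'IPC$')
        'C$'     = ($names -contains 'C$')
    }
}

Write-Host "== Enabled inbound block rules touching ports 135-139 / 445 =="
Get-BlockedDomainPortRules | Format-Table -AutoSize
Write-Host "== RPC dynamic port range =="
Get-RpcDynamicPortRange | Format-List
Write-Host "== DHCP Client service / DNS registration =="
Get-DhcpClientDnsState | Format-List
Write-Host "== Administrative shares =="
Get-AdminShareState | Format-List
```

If a firewall between clients and domain controllers must be tightened, the documented route is to open port 135 plus the dynamic range this script prints (or to narrow that range through Microsoft's RPC port-restriction settings under `HKLM\SOFTWARE\Microsoft\Rpc\Internet`, which is an option I name here, not one the article discusses), rather than to block 135-139 and 445 outright.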
Supplementary notes
There are a few more points I would like to make:
About vulnerabilities
This vulnerability belongs to Microsoft Windows and is Microsoft's fault. But I really don't blame Microsoft.
A vulnerability is not a backdoor. A backdoor is left on purpose. A vulnerability is created inadvertently, or is a defect of the protocol standard itself.
To give an imperfect example of the unintentional kind:
The security door on your house is strong, isn't it? But who would have thought that a crook could poke a steel bar through the peephole and press the door handle to open the door? All right, put a patch on the peephole.
Is that the fault of the person who designed the security door? Hardly. Who told you not to think of it first? But if he had to think of every possibility, he would never ship a security door in his life.
The other situation is a shortcoming of the standards and protocols themselves.
For example, the current TCP/IP v4 protocol suite has many security flaws. Take DHCP, the protocol that obtains IP addresses automatically: you have no way to limit which server a client obtains its IP address from. This means that if I install the DHCP service on my laptop and plug it into your organization's network, your company's clients will be able to get IP addresses from me.
Another example is the mail format MIME, in which pictures and other content can be embedded so that opening the email displays the picture directly. But if the picture is fake, actually malware or a link, then the client that displays the picture directly ends up executing the fake picture, and you are hit.
Software manufacturers are all trying to solve these problems. These patches are not product problems but protocol and standard problems, yet the software manufacturer must still spend the energy to face them.
About Microsoft patches
Microsoft has a comprehensive mechanism for managing security patches. Since 2003, when Microsoft proposed Trustworthy Computing, it has had a dedicated security team responsible for security response and patch releases.
So far, all major security incidents have occurred after Microsoft released the patch.
In most cases, security professionals or vendors find vulnerabilities and report them to Microsoft privately, and Microsoft immediately develops and releases patches (a hotfix may be released urgently, followed by a complete patch).
Malicious users, on the other hand, develop malware from the public information in these patches.
Here are some of the more serious viruses of past years:
Nimda: broke out 331 days after Microsoft released the patch
SQL Slammer: broke out 180 days after Microsoft released the patch
Blaster: broke out 25 days after Microsoft released the patch
Sasser: broke out 14 days after Microsoft released the patch
This time, Microsoft released the patch on 2017-3-14 and WannaCry broke out on 2017-5-12, 59 days later.
What is special about this incident is, as the saying goes, that "the imperialists' ambition to destroy us never dies".
Of course, this one is more frightening because there has been no outbreak of such a big virus for a long time, and because the development of social media has magnified the impact of the event.
What is even more frightening is that this vulnerability was not discovered by conscientious security vendors and reported to Microsoft on their own initiative. The NSA had already discovered it and built a strategic arsenal on it, and some of those weapons, tools that exploit the vulnerability to commit crimes, were leaked and maliciously exploited. All of us onlookers have finally felt what cyber warfare really looks like.
This deserves reflection from all of humanity.
Blockchain, Bitcoin and anarchism
Another interesting aspect of this incident is that the ransomware asked you to pay in bitcoin.
An important feature of Bitcoin is decentralization, which is the most exciting feature for those who emphasize individualism or anarchism. Bitcoin, which is based on blockchain technology, needs no central bank supervision; accounts are untraceable, and it can be shown mathematically that you cannot trace other account-related information. That is another topic, so I will not go into it here.
This has to make us rethink the impact of scientism on human society.
Patching and IT operations management
From the philosophical back to reality: we have been talking about patching for more than a decade and have produced a large number of guidance documents and best practices. So why can't we do it?
Our concept of IT operations has evolved from the earliest ad hoc operations, to ITIL, to ISO 20000, to DevOps, one after another.
But why can't we even apply the most basic patches? Saying more would only be verbose. Think about it.
Conclusion
The above are just opinions, hastily written after my work was interrupted by phone calls and WeChat messages. Mistakes are inevitable; friends in the field of Microsoft network security, please correct me.
IT operations are no small matter, and network security is no small matter. Come on, everybody.