2025-04-10 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/03 Report--
A brief introduction to the current situation of the ransomware virus (EternalBlue)
At around 20:00 on May 12, 2017, the National Network and Information Security Information Center issued an urgent notice that a new virus had been spreading worldwide since May 12, affecting users in many countries, including China. The ransomware spreads by exploiting a vulnerability reachable through port 445 of the Windows operating system, and it self-replicates and propagates actively. Once it infects a user's computer, the documents and pictures on it are encrypted with strong encryption and the user is extorted for a ransom.
Many domestic universities and enterprises have been infected with the ONION ransomware: the files on disk are encrypted by the virus and given the .onion suffix, and they can only be decrypted and recovered by paying a high ransom, causing serious losses of study materials and personal data.
Bulletin from the national network and information security center:
Http://www.cert.org.cn/publish/main/9/2017/20170513170143329476057/20170513170143329476057_.html
2. Analysis of the causes of infection
1. The commonly used ports 135, 137, 138, 139 and 445, and the shared services behind them, are not shut down.
Port introduction:
Port 135: port 135 is the bridge for RPC communication. The port is used by DCOM technology, which can directly and remotely control DCOM programs on other workstations. When DCOM communicates with another computer, it automatically invokes the RPC service on the target host, and the RPC service automatically queries port 135 on the target host to learn which ports can be used for communication.
Port 137: the main function of port 137 is to provide computer-name and IP-address lookup within the local area network. Generally, once the NetBIOS protocol is installed, this port is opened automatically.
If an attacker knows the IP address of the target host and sends a connection request to port 137 of that address, he may obtain name information about the target host, such as its computer name, the user account registered on it, and its startup and shutdown times.
Ports 137 and 138 are both UDP ports; the main function of port 138 is to provide computer-name browsing in a NetBIOS environment.
An unauthorized user who establishes a connection with port 138 of the target host can easily obtain the target's LAN name and computer name; from the computer name, the corresponding IP address is easily obtained, which makes intruding into the system easier.
Port 139: port 139 is a TCP port, mainly used to access shared files or printers in the local area network through Network Neighborhood.
If a connection is established with port 139 of the target host, it is very possible to browse all shared information on all workstations in the specified network segment, and even to edit and delete shared folders on the target host. If the user also knows the IP address and a login account of the target host, he or she can easily view the hidden shares on the target host.
Port 445: a TCP port with almost the same function as port 139; it also provides file or printer sharing services in the local area network.
The difference is that port 445 is based on the CIFS protocol (Common Internet File System), while port 139 provides its sharing services over the SMB protocol (Server Message Block), so to turn off file sharing both port 139 and port 445 must be closed.
2. Personal network security awareness is weak (do not click on unknown links, do not download unknown files, do not visit unknown websites).
3. There is no habit of regularly backing up documents to channels other than this machine (such as a removable hard disk, a network drive or other backup channels).
3. Virus prevention and avoidance:
3.1 Company technical protection level:
A. The egress firewall blocks ports 135, 137, 138, 139 and 445, isolating these ports between the internal and external networks.
B. Ports 135, 137, 138, 139 and 445 are blocked on the switches, isolating internal traffic on these high-risk ports.
C. Ports 135, 137, 138, 139 and 445 are blocked in the internet behavior-management device, isolating internal traffic on these high-risk ports.
D. The IT department writes a script that staff run to close ports 135, 137, 138, 139 and 445, to avoid infection and transmission.
E. The IT department keeps Windows core data backed up through channels outside the machine itself.
F. Strengthen security-awareness education for employees.
3.2 Employee protection level:
A. Upgrade the Windows operating system in time. Microsoft has released the relevant patch, MS17-010, which can be obtained through Microsoft's regular update channels.
B. Install and update antivirus software in a timely manner.
C. Do not casually open emails from unknown sources.
D. Close port 445 on computers and network equipment promptly.
E. Back up the important files on your computer to different storage media on a regular basis.
F. Form good browsing habits. Do not casually download and run software from unknown web pages, to reduce the chance that the computer is attacked.
G. Use the NSA arsenal immunity tool to detect whether the system is vulnerable and to close the ports affected by the vulnerability, so as to avoid being attacked by ransomware. Download address of the immunization tool: http://dl.360safe.com/nsa/nsatool.exe
In view of the ransomware virus that has broken out across the entire network, I see a lot of people on the Internet pointing out how to defend against it, but many people still can't understand how to do it. I wrote two simple and crude one-click scripts to execute. If you need them, you can come to me and use them for free.
Turn off hazardous ports and services with one click:
@echo off
color 0A
title One-click blocking of dangerous ports and services
echo You are using the one-click script to block dangerous ports and services
echo Powered by emotion iT person - made by Gao GE, welcome to use, press any key to continue
pause
echo Shutting down these dangerous ports for you, please wait a moment
echo Starting the firewall service
net start MpsSvc
echo Setting the firewall service to start automatically
sc config MpsSvc start= auto
echo Enabling the firewall on all profiles
netsh advfirewall set allprofiles state on
echo Blocking the ports for you, please wait a moment.
rem One inbound block rule per protocol and port; the rule names are reused by the reopening script
netsh advfirewall firewall add rule name="deny udp 135" dir=in protocol=udp localport=135 action=block
netsh advfirewall firewall add rule name="deny tcp 135" dir=in protocol=tcp localport=135 action=block
netsh advfirewall firewall add rule name="deny udp 137" dir=in protocol=udp localport=137 action=block
netsh advfirewall firewall add rule name="deny tcp 137" dir=in protocol=tcp localport=137 action=block
netsh advfirewall firewall add rule name="deny udp 138" dir=in protocol=udp localport=138 action=block
netsh advfirewall firewall add rule name="deny tcp 138" dir=in protocol=tcp localport=138 action=block
netsh advfirewall firewall add rule name="deny udp 139" dir=in protocol=udp localport=139 action=block
netsh advfirewall firewall add rule name="deny tcp 139" dir=in protocol=tcp localport=139 action=block
netsh advfirewall firewall add rule name="deny udp 445" dir=in protocol=udp localport=445 action=block
netsh advfirewall firewall add rule name="deny tcp 445" dir=in protocol=tcp localport=445 action=block
echo Congratulations, the dangerous ports have been blocked successfully
echo The following will shut down the dangerous services related to the ransomware, please wait a moment.
rem Stop dependent services first; /y answers the dependency prompt so the script does not stall
echo Shutting down the Computer Browser service
net stop Browser /y
echo Shutting down the Server (file and printer sharing) service
net stop LanmanServer /y
echo Shutting down the TCP/IP NetBIOS Helper service
net stop lmhosts /y
echo Shutting down the Workstation service
net stop LanmanWorkstation /y
echo Congratulations, the dangerous ports have been closed. Please use the nsatool tool to close the vulnerability as soon as possible, and then run the one-click script that reopens the services and ports.
echo Powered by emotion iT person - Gao GE production, thank you for using it, press any key to exit
pause
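An added audit script (not part of the original post) that checks whether a host is actually in the state the block script above is meant to produce: firewall on, the ten "deny" rules present as enabled inbound block rules, the four services stopped, and SMBv1 (the dialect MS17-010 patches) disabled. It assumes Windows 8 / Server 2012 or later, where the NetSecurity and SmbShare PowerShell modules exist, and an elevated session; the rule names are the ones the batch script creates.

```powershell
# Added audit script, not part of the original post. Assumes Windows 8/Server 2012+
# (NetSecurity and SmbShare modules) and an elevated PowerShell session.
$ports    = 135, 137, 138, 139, 445
$services = 'Browser', 'LanmanServer', 'lmhosts', 'LanmanWorkstation'
$findings = @()

# 1. The Windows Firewall must be enabled on every profile, or the rules below do nothing.
Get-NetFirewallProfile | ForEach-Object {
    if ($_.Enabled -ne 'True') { $findings += "Firewall profile '$($_.Name)' is disabled" }
}

# 2. One inbound Block rule per protocol/port, using the names the batch script creates.
foreach ($p in $ports) {
    foreach ($proto in 'tcp', 'udp') {
        $rule = Get-NetFirewallRule -DisplayName "deny $proto $p" -ErrorAction SilentlyContinue
        if (-not $rule) { $findings += "Missing firewall rule 'deny $proto $p'"; continue }
        if ($rule.Enabled -ne 'True' -or $rule.Action -ne 'Block' -or $rule.Direction -ne 'Inbound') {
            $findings += "Rule 'deny $proto $p' exists but is not an enabled inbound Block rule"
        }
    }
}

# 3. Report sockets still bound to these ports. Port 445 is owned by the kernel SMB driver
#    and usually stays listening even with the Server service stopped, so this is informational:
#    on such a host only the firewall rule keeps the port unreachable.
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $ports -contains $_.LocalPort } |
    ForEach-Object { $findings += "TCP $($_.LocalPort) still listening (PID $($_.OwningProcess)); reachable only if the firewall rule is missing" }
Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
    Where-Object { $ports -contains $_.LocalPort } |
    ForEach-Object { $findings += "UDP $($_.LocalPort) still bound (PID $($_.OwningProcess))" }

# 4. The four services the batch script stops should not be running.
foreach ($s in $services) {
    $svc = Get-Service -Name $s -ErrorAction SilentlyContinue
    if ($svc -and $svc.Status -eq 'Running') { $findings += "Service $s is still running" }
}

# 5. SMBv1 is the dialect MS17-010 / EternalBlue concerns; it should be disabled server-side.
$smb = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
if ($smb -and $smb.EnableSMB1Protocol) { $findings += "SMBv1 is still enabled on the server side" }

if ($findings.Count -eq 0) {
    Write-Host "OK: host matches the hardened state" -ForegroundColor Green
} else {
    $findings | ForEach-Object { Write-Host "FINDING: $_" -ForegroundColor Yellow }
}
```

Run it after the block script and again after patching; a host that still reports SMBv1 enabled has the port blocked but not the vulnerability removed.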
Open shared ports and services with one click:
@echo off
color 0A
title One-click reopening of the ports and services that were previously shut down
echo You are using the one-click script to reopen the previously blocked ports and services
echo Powered by emotion iT person - made by Gao GE, welcome to use, press any key to continue
pause
echo Reopening the dangerous ports that were closed before, please wait a moment
echo Starting the firewall service
net start MpsSvc
echo Setting the firewall service to start automatically
sc config MpsSvc start= auto
echo Enabling the firewall on all profiles
netsh advfirewall set allprofiles state on
echo Deleting the firewall rules related to the ransomware
rem Delete by the exact rule names created by the blocking script
netsh advfirewall firewall delete rule name="deny udp 135"
netsh advfirewall firewall delete rule name="deny tcp 135"
netsh advfirewall firewall delete rule name="deny udp 137"
netsh advfirewall firewall delete rule name="deny tcp 137"
netsh advfirewall firewall delete rule name="deny udp 138"
netsh advfirewall firewall delete rule name="deny tcp 138"
netsh advfirewall firewall delete rule name="deny udp 139"
netsh advfirewall firewall delete rule name="deny tcp 139"
netsh advfirewall firewall delete rule name="deny udp 445"
netsh advfirewall firewall delete rule name="deny tcp 445"
echo Congratulations, the ports for shared services have been reopened
echo The following will start the shared services
echo Starting the Computer Browser service
net start Browser
echo Starting the Server (file and printer sharing) service
net start LanmanServer
echo Starting the TCP/IP NetBIOS Helper service
net start lmhosts
echo Starting the Workstation service
net start LanmanWorkstation
echo Congratulations, all related services have been started
echo Powered by emotion iT person - Gao GE production, thank you for using it
echo Press any key to exit
pause > nul