2025-04-10 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/03 Report
Jiangxi Ruidu Intelligent Technology Co., Ltd.
To provide you with professional information security solutions, and in view of the ferocious spread of the ransomware worm and the possibility of later variants, Ruidu Intelligence will continue to provide technical support to keep business systems running normally. We will update the tool version and patch package as soon as possible.
Contact: 0791-88699625
Information update:
"Eternal Blue" ransomware worm vulnerability repair tool
The 360 Enterprise Security Sky Engine team provides a tool that fixes the vulnerability exploited by the "Eternal Blue" ransomware worm. After the tool is run, the system is automatically checked for the vulnerability and a fix is offered. The repair tool integrates immunization, SMB service shutdown, and MS17-010 vulnerability detection and repair for each supported system. The MS17-010 vulnerability can be repaired with one click even in an offline network environment, which fundamentally removes the security risk created by the ransomware worm's exploitation of MS17-010.
For operating systems that do not support automatic patching, you can turn off the at-risk service as the tool prompts (closing port 445 and disabling the SMB protocol will affect printing and file sharing); after manually installing the patch, use the service recovery tool to restore the services that were shut down.
download
Version number: 6.0.0.1004
MD5: 1A921E54954EED60091B3084E5835442
SHA-1: C9CA82659D4E75B706C9646380ECD0B78DBA238D
SHA-256: 8FB07B188C17AE8807BD25BDF30E8D56D56BB1FD2E3EEB7DCCE22892A5AF0E64
Patches for some operating systems have prerequisites; refer to the table below and install the prerequisites manually before running this tool. The tool does not support XP Embedded, Windows 7 Embedded, Windows 8 Embedded, Windows 10 or Windows Server 2016; for those systems, download and install the patch manually as described in the table below.
Patch table (columns: system version; patch number and download link; prerequisites for installing the patch; remarks)

Windows XP
  Patch: KB4012598 (x86)
  Prerequisites: Service Pack 3. Versions with no service pack installed must be upgraded to SP2 and then to SP3 (downloads: x86 SP2, x86 SP3).

Windows XP SP3 for XPe
  Patch: KB4012598 (x86)
  Remarks: not supported by the verification tool; download and install manually.

Windows XP Embedded (WES09 and POSReady 2009)
  Patch: KB4012598 (x86)
  Remarks: not supported by the verification tool; download and install manually.

Windows Server 2003
  Patch: KB4012598 (x86, x64)
  Prerequisites: Service Pack 2 (download: x86 SP2).

Windows Server 2003 R2
  Patch: KB4012598 (x86, x64)
  Prerequisites: Service Pack 2 (download: x86 SP2).

Windows Vista
  Patch: KB4012598 (x86, x64)
  Prerequisites: Service Pack 2. Versions with no service pack installed must be upgraded to SP1 and then to SP2 (downloads: x86 SP1, x86 SP2, x64 SP1, x64 SP2).

Windows 7
  Patch: KB4012212 (x86, x64)
  Prerequisites: Service Pack 1 (downloads: x86 SP1, x64 SP1).

Windows Embedded Standard 7
  Patch: KB4012212 (x86, x64)
  Remarks: not supported by the verification tool; download and install manually.

Windows Server 2008
  Patch: KB4012598 (x86, x64, IA64)
  Prerequisites: Service Pack 2. Versions with no service pack installed must be upgraded to SP1 and then to SP2 (downloads: x86 SP1, x86 SP2, x64 SP2).

Windows Server 2008 R2
  Patch: KB4012212 (x64, IA64)
  Prerequisites: Service Pack 1 (download: x64 SP1).

Windows 8
  Patch: KB4012598 (x86, x64)
  Prerequisites: none.

Windows Embedded 8 Standard
  Patch: KB4012214 (x86, x64)
  Remarks: not supported by the verification tool; download and install manually.

Windows Server 2012
  Patch: KB4012214 (x64)
  Prerequisites: none.

Windows 8.1
  Patch: KB4012213 (x86, x64)
  Prerequisites: KB3021910 (x86, x64) and then KB2919355 (x86, x64) must be installed first, in that order. If the installation fails, refer to the instructions at https://support.microsoft.com/zh-cn/help/2919355/windows-rt-8.1,-windows-8.1,-and-windows-server-2012-r2-update-april-2014.

Windows Server 2012 R2
  Patch: KB4012213 (x64)
  Prerequisites: KB3021910 (x64) and then KB2919355 (x64) must be installed first, in that order. If the installation fails, refer to the instructions at https://support.microsoft.com/zh-cn/help/2919355/windows-rt-8.1,-windows-8.1,-and-windows-server-2012-r2-update-april-2014.

Windows 10 RTM (build 10240)
  Patch: KB4012606 (x86, x64); no download link is provided, this is the May cumulative security update.
  Remarks: not supported by the tool at this time; download and install manually (run winver to check the system version number).

Windows 10 1511
  Patch: KB4013198 (x86, x64); no download link is provided, this is the May cumulative security update.
  Remarks: not supported by the tool at this time; download and install manually (run winver to check the system version number).

Windows 10 1607
  Patch: KB4013429 (x86, x64); no download link is provided, this is the May cumulative security update.
  Remarks: not supported by the tool at this time; download and install manually (run winver to check the system version number).

Windows Server 2016
  Patch: KB4013429 (x64); no download link is provided, this is the May cumulative security update.
  Remarks: not supported by the tool at this time; download and install manually.
Update log:
6.0.0.1004
Release time: 2017-5-15 23:45
Changes:
1. Support for the Windows 10 and Windows Server 2016 versions affected by the MS17-010 vulnerability
2. Fix some bugs
6.0.0.1003
Release time: 2017-5-15 2:50
Changes:
1. Fix repeated prompts caused by monthly cumulative updates in the patch repair configuration
2. Fix some bugs
6.0.0.1002
Release time: 2017-5-14 6:30
Changes:
1. First edition: provides detection and repair of the vulnerability exploited by the Eternal Blue ransomware worm
"Eternal Blue" ransomware worm removal tool
The "Eternal Blue" ransomware worm removal tool quickly detects whether a host is infected with the ransomware worm (WannaCry), so that infected hosts can be found and the virus removed before it spreads to other terminals in the intranet.
download
Updated: 2017-05-15 21:20:00
MD5: 041EB0981E7BF3B01DCDE47AFC970B7A
SHA-1: 20ABFD425BD36CD749A540A2B3B7378C3EC5C026
SHA-256: C3B27B2B04E7AA415D0CEB1D280FA9027237E801683DB03CD82E538849A1DD6A
Eternal Blue ransomware worm immunization tool
The 360 Enterprise Security Sky Engine team provides a system immunization tool; after it is run on a computer, the existing worm can no longer infect that system.
download
Version: 1.0.0.1017
MD5: a66f4a128e906ab9f4384f60b2dc6307
SHA1: 9e49a7c37fee83d7a27f089bd3576c9c276500e1
SHA256: e51858116f22522e2379d858719d6c9f664bd5d9db9dd44d34ce1df528b00f35
This tool offers two modes of immunization:
Basic immunization
By creating in advance the kernel objects that the WannaCry ransomware worm creates at run time, the worm is forced to fail to run, which achieves the immunization effect. Basic immunization is achieved simply by running this tool on the terminal.
Enhanced immunization
In addition to the basic immunization, according to the full analysis report of the WanaCrypt0r ransomware worm, the immunization effect can be further enhanced by hijacking the domain names www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com and www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com.
The procedure is as follows:
1. Deploy an HTTP server on an intranet server; nginx can be downloaded and run from http://nginx.org/en/download.html.
2. Note the IP address of the server running the HTTP server, and make sure that http://<that IP address> can be opened in a browser on the terminals. Then rename the immunization tool to "OnionWormImmune (xxx.xxx.xxx.xxx) .exe", where "xxx.xxx.xxx.xxx" is the IP address of the HTTP server.
3. Run the renamed immunization tool OnionWormImmune (xxx.xxx.xxx.xxx) .exe to apply the enhanced immunization.
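A defender-side check for the hijack described above, added here as an example that is not part of the original page or of the 360 tools: it scans DNS resolver log lines for lookups of the two kill-switch domains (a lookup means the worm's kill-switch check ran on that host, so the host should be checked with the removal tool) and reports whether each lookup was answered with the intranet HTTP server's address. The log line format, the server address 10.1.0.50 and the sample lines are constructed assumptions.

```python
import re
# The two kill-switch domains named in the analysis report cited above
KILLSWITCH_DOMAINS = {
    "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
}
# Assumed resolver log format: "<time> client=<ip> query=<name> answer=<ip|NXDOMAIN>"
_LINE = re.compile(r"^(\S+)\s+client=(\S+)\s+query=(\S+)\s+answer=(\S+)$")

def parse_dns_log(text):
    """Yield (time, client, qname, answer) per well-formed line; malformed lines are skipped."""
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if m:
            yield m.groups()

def _verdict(answer, sinkhole_ip):
    # Severity rank plus message. The worm exits only when the name resolves and the HTTP
    # request succeeds, so an NXDOMAIN answer means the payload most likely went on to run.
    if answer == sinkhole_ip:
        return 0, "hijack effective"
    if answer.upper() == "NXDOMAIN":
        return 2, "not hijacked, worm payload likely ran"
    return 1, f"resolved elsewhere ({answer}), check the hijack"

def review_killswitch_lookups(text, sinkhole_ip):
    """Map each client that looked up a kill-switch domain to its worst verdict.
    Any such lookup means the worm's kill-switch check executed on that host, so the
    host is a candidate for the removal tool whatever the verdict says about the hijack."""
    worst = {}
    for _, client, qname, answer in parse_dns_log(text):
        if qname.rstrip(".").lower() not in KILLSWITCH_DOMAINS:
            continue
        sev, msg = _verdict(answer, sinkhole_ip)
        if client not in worst or sev > worst[client][0]:
            worst[client] = (sev, msg)
    return {client: msg for client, (_, msg) in worst.items()}

# Constructed sample log; 10.1.0.50 is the assumed intranet HTTP server (the hijack target)
SAMPLE_LOG = """\
2017-05-15T09:01:02 client=10.1.2.34 query=www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com answer=10.1.0.50
2017-05-15T09:01:03 client=10.1.2.34 query=update.example.internal answer=10.1.0.10
2017-05-15T09:05:41 client=10.1.7.8 query=www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com answer=NXDOMAIN
2017-05-15T09:06:00 client=10.1.9.9 query=www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. answer=203.0.113.7
this line is malformed and is skipped
"""
if __name__ == "__main__":
    for client, msg in sorted(review_killswitch_lookups(SAMPLE_LOG, "10.1.0.50").items()):
        print(client, msg)
```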
Emergency disposal scheme for core network equipment
Large organizations have a large number of devices; to avoid wide spread from infected devices, it is recommended to use the ACL policy configuration of network devices as a temporary block.
The worm spreads mainly over TCP port 445, which has had a great impact on major enterprises and institutions. To stop the rapid spread of the virus, it is recommended to configure ACL rules at the interfaces of the core network equipment to block TCP port 445 traffic at the network level.
The following examples, based on the more common network equipment, show how to configure ACL rules that forbid TCP port 445 traffic; they are for reference only. In practice, coordinate with the network administrators or the network equipment vendor's service staff to configure the core network equipment according to the actual network environment.
Network equipment used by government, enterprise and other units may run an earlier software version; in that case refer to the following configuration:
For example, Huawei S5600, S2000 and other earlier devices (example):
acl number 3445
 rule 1 deny udp destination-port eq 445
 rule 2 deny tcp destination-port eq 135
 rule 3 deny tcp destination-port eq 137
 rule 4 deny tcp destination-port eq 138
 rule 5 deny tcp destination-port eq 139
 rule 6 deny tcp destination-port eq 445   // TCP 445 is the port the worm spreads on; this rule is missing from the listing as published
 rule 7 deny udp destination-port eq 135
 rule 8 deny udp destination-port eq netbios-ns
 rule 9 deny udp destination-port eq netbios-dgm
 rule 10 deny udp destination-port eq netbios-ssn
 rule 100 permit ip
On the switch interface, apply it with packet-filter:
 packet-filter inbound ip-group 3445
Recommended configuration for Juniper devices (example):
set firewall family inet filter deny-wannacry term deny445 from protocol tcp
set firewall family inet filter deny-wannacry term deny445 from destination-port 445
set firewall family inet filter deny-wannacry term deny445 then discard
set firewall family inet filter deny-wannacry term default then accept
# apply the filter globally
set forwarding-options family inet filter output deny-wannacry
set forwarding-options family inet filter input deny-wannacry
# apply the filter to layer 3 interfaces
set interfaces [layer 3 interface name] unit 0 family inet filter output deny-wannacry
set interfaces [layer 3 interface name] unit 0 family inet filter input deny-wannacry
Recommended configuration for H3C (Huasan) devices (example):
New version:
acl number 3050
 rule deny tcp destination-port eq 445
 rule permit ip
interface [layer 3 interface name]
 packet-filter 3050 inbound
 packet-filter 3050 outbound
Previous version:
acl number 3050
 rule permit tcp destination-port eq 445   // "permit" here only selects the traffic; the drop is done by the traffic behavior below
traffic classifier deny-wannacry
 if-match acl 3050
traffic behavior deny-wannacry
 filter deny
qos policy deny-wannacry
 classifier deny-wannacry behavior deny-wannacry
# apply globally
qos apply policy deny-wannacry global inbound
qos apply policy deny-wannacry global outbound
# apply to layer 3 interfaces
interface [layer 3 interface name]
 qos apply policy deny-wannacry inbound
 qos apply policy deny-wannacry outbound
Recommended configuration for Huawei devices (example):
acl number 3050
 rule deny tcp destination-port eq 445
 rule permit ip
traffic classifier deny-wannacry operator and
 if-match acl 3050
traffic behavior deny-wannacry   // no action needed: traffic hitting the ACL's deny rule is dropped by the ACL match itself, the rest passes
traffic policy deny-wannacry
 classifier deny-wannacry behavior deny-wannacry precedence 5
interface [layer 3 interface name]
 traffic-policy deny-wannacry inbound
 traffic-policy deny-wannacry outbound
Recommended configuration for Cisco devices (example):
Older version:
ip access-list extended deny-wannacry
 deny tcp any any eq 445
 permit ip any any
interface [layer 3 interface name]
 ip access-group deny-wannacry in
 ip access-group deny-wannacry out
New version:
ip access-list deny-wannacry
 deny tcp any any eq 445
 permit ip any any
interface [layer 3 interface name]
 ip access-group deny-wannacry in
 ip access-group deny-wannacry out
Recommended configuration for Ruijie devices (example):
ip access-list extended deny-wannacry
 deny tcp any any eq 445
 permit ip any any
interface [layer 3 interface name]
 ip access-group deny-wannacry in
 ip access-group deny-wannacry out
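An added check, not from the page or from any vendor, for the packet-filter and access-group style listings above, where the first matching rule wins: it parses Cisco/Ruijie and Huawei/H3C rule lines, evaluates whether TCP 445 would still be permitted, and so catches the common mistake of placing the "permit ip" rule before the deny. It does not apply to the traffic-policy style listings, where "permit" in the ACL only selects traffic and the drop comes from the behavior; the listings and the `default` handling of unmatched traffic are constructed assumptions to adjust for your platform.

```python
import re

# Port names used in the Huawei/H3C listings above
_PORT_NAMES = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ssn": 139}
# Cisco/Ruijie style: "deny tcp any any eq 445", "permit ip any any"
_CISCO = re.compile(r"^(permit|deny)\s+(tcp|udp|ip)\s+any\s+any(?:\s+eq\s+(\S+))?$")
# Huawei/H3C style: "rule 5 deny tcp destination-port eq 445", "rule 100 permit ip"
_VRP = re.compile(r"^rule(?:\s+\d+)?\s+(permit|deny)\s+(tcp|udp|ip)(?:\s+destination-port\s+eq\s+(\S+))?$")
_SKIP = ("acl ", "ip access-list", "ip access-group", "interface", "packet-filter", "#", "//")

def parse_acl(text):
    """Return [(action, proto, dport or None)] in listing order; header and comment lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip().lower()
        if not line or line.startswith(_SKIP):
            continue
        m = _CISCO.match(line) or _VRP.match(line)
        if not m:
            raise ValueError(f"unrecognised ACL line: {raw.strip()!r}")
        action, proto, port = m.groups()
        rules.append((action, proto, None if port is None else _PORT_NAMES.get(port) or int(port)))
    return rules

def first_match(rules, proto, dport, default="deny"):
    """First-match evaluation of one packet. `default` is what the device does when no rule matches
    (Cisco has an implicit deny at the end; Huawei/H3C packet-filter usually passes unmatched traffic)."""
    for action, rproto, rport in rules:
        if rproto not in ("ip", proto) or (rport is not None and rport != dport):
            continue
        return action
    return default

def audit_worm_ports(text, default="deny", ports=(("tcp", 445),)):
    """Return the (proto, port) pairs the ACL still permits; an empty list means the block is effective."""
    rules = parse_acl(text)
    return [(p, d) for p, d in ports if first_match(rules, p, d, default) == "permit"]

# Constructed listings modelled on the Cisco and Huawei examples above
CISCO_OK = "ip access-list extended deny-wannacry\n deny tcp any any eq 445\n permit ip any any\n"
CISCO_MISORDERED = "ip access-list extended deny-wannacry\n permit ip any any\n deny tcp any any eq 445\n"
HUAWEI_OK = ("acl number 3445\n rule 6 deny tcp destination-port eq 445\n"
             " rule 8 deny udp destination-port eq netbios-ns\n rule 100 permit ip\n")

if __name__ == "__main__":
    print(audit_worm_ports(CISCO_OK))                     # []
    print(audit_worm_ports(CISCO_MISORDERED))             # [('tcp', 445)]
    print(audit_worm_ports(HUAWEI_OK, default="permit"))  # []
```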
Product Prevention Scheme of Huawei S-Series switch
Note: before configuring, confirm whether any services use ports 135, 137, 139 or 445, to avoid affecting normal business.
Product family: Enterprise Network
Product model: S switch series
Related versions: V100R006 and later
Scope of application: S switch series
Vulnerability external codes: CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0147, CVE-2017-0148
[S switch series network-side defense configuration example]
1. Create an ACL for the high-risk ports
acl number 3000   // any unused ACL number between 3000 and 4000 can be used
 rule 5 permit tcp destination-port eq 445   // "permit" here only selects the traffic; it is dropped by the "deny" behavior in step 2
 rule 10 permit tcp destination-port eq 135
 rule 15 permit tcp destination-port eq 137
 rule 20 permit tcp destination-port eq 139
 rule 25 permit udp destination-port eq 445
 rule 30 permit udp destination-port eq 135
 rule 35 permit udp destination-port eq 137
 rule 40 permit udp destination-port eq 139
2. Create the traffic policy
traffic classifier deny-bingdu operator and
 if-match acl 3000   // must correspond to the ACL created above
traffic behavior deny-bingdu
 deny
traffic policy deny-bingdu
 classifier deny-bingdu behavior deny-bingdu
3. Apply the traffic policy
// Example for a single interface; run in the system view
interface GigabitEthernet0/0/1
 traffic-policy deny-bingdu inbound
 traffic-policy deny-bingdu outbound
// Example of global application; run in the system view
traffic-policy deny-bingdu global inbound
traffic-policy deny-bingdu global outbound
// Example for a port group; run in the system view to avoid repeating the configuration on many ports
port-group deny-bingdu
 group-member GigabitEthernet 0/0/1 to GigabitEthernet 0/0/10   // choose the ports carefully
 traffic-policy deny-bingdu inbound
 traffic-policy deny-bingdu outbound
[Description]
It is recommended to configure this script on the core and aggregation switches. If a computer in the intranet has already been infected, the script must also be configured on its access switch.
It is best to configure it on all ports, and secondarily globally and on the uplink ports.
A traffic-policy can be applied only once globally and only once on the same port. If a traffic policy has already been applied, this configuration will fail; in that case add "classifier deny-bingdu behavior deny-bingdu" to the existing traffic policy instead.
S2700SI series switches do not support ACLs; S2700/S3700 switches do not support outbound traffic policies.