Response to the ransomware outbreak (WanaCrypt0r 2.0)

2025-01-14 Update. From: SLTechnology News&Howtos

Shulou(Shulou.com)06/02 Report--

Virus background

Since May 12, two ransomware variants, Onion and WNCRY, have broken out across the country and around the world, and a large number of Chinese mainland home and corporate users have been hit.

Unlike earlier ransomware, this new variant incorporates the "Eternal Blue" 0day exploit from the leaked NSA toolkit, which spreads across the intranet through TCP port 445 (SMB file sharing).

Microsoft released patch MS17-010 on March 10 this year to fix the system vulnerability that Eternal Blue exploits. Please install this security patch as soon as possible: https://technet.microsoft.com/zh-cn/library/security/MS17-010.

Intranet users who have not installed security software or applied system patches in time are very likely to be infected passively, which is why infected users are currently concentrated in enterprises, universities and other intranet environments.

Once a machine is infected by the worm variant, its important data files are encrypted and a high bitcoin ransom is demanded, equivalent to 2,000 to 50,000 yuan.

According to current monitoring, tens of thousands of users have been infected, reports are everywhere on QQ, Weibo and other social platforms, and the follow-up threat should not be underestimated.

Symptoms of infection

Documents, pictures, archives, videos and other common files on an infected system are encrypted by the virus, which then demands a high bitcoin ransom from the user.

WNCRY variants generally demand bitcoin worth $300 to $600; the Onion variant even requires the user to pay three bitcoins, about 30,000 yuan at current bitcoin prices.

Such ransomware generally uses asymmetric algorithms such as RSA, so files cannot be decrypted without the private key. The WNCRY ransomware requires the user to pay within 3 days, otherwise the decryption price doubles, and if no payment is made within a week the key is deleted and recovery becomes impossible.

In a sense this kind of ransomware is "preventable but not curable", which is why security vendors and users alike need to strengthen their defensive measures and awareness.

Ransom note displayed after infection

(Screenshot: ransom note and desktop changes on an infected system)

For PCs and servers that are not yet infected

1. Install the latest security patch on your computer. Microsoft has released patch MS17-010 to fix the "Eternal Blue" vulnerability; please install it as soon as possible. Refer to the section "Security patch download" in this document to download and install it.

2. Turn on the Windows firewall. Refer to the section "Open Windows Firewall" to enable it.

3. Microsoft's own security products have been updated to detect and remove the WannaCrypt worm:

Windows Defender

System Center Endpoint Protection

Forefront Endpoint Protection

The virus is identified as Ransom:Win32/WannaCrypt.

Microsoft also provides a free scanning tool, which should be downloaded, installed and run where conditions permit:

Microsoft Safety Scanner

http://www.microsoft.com/security/scanner/

4. For computers that cannot be patched for the time being, virus damage can be avoided by closing port 445 (and watching the other associated ports 135, 137 and 139). Note: ports such as 445 and 135 are required for the normal operation of Windows system services and should not be blocked lightly under normal circumstances, as this can easily cause serious secondary failures. Once the patch is installed there is no need to keep these ports closed.

a. Log in to the computer as an administrator (or run as administrator), open Start > Run, enter cmd and execute it to open a command prompt, then enter the command:

netstat -an

* used to check whether port 445 is open

(Screenshot: netstat output showing that port 445 is not closed)

b. If port 445 is open (as shown above), enter the following commands to close it:

net stop rdr

net stop srv

net stop netbt

(Screenshot: the results of the three commands)

c. After installing the patch, port 445 needs to be reopened to ensure that Windows services run properly; enter the following commands at the command prompt to open it:

net start rdr

net start srv

net start netbt
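As an added example (not part of the original article and not one of the tools it names), the following Python script reads the output of netstat -an from a Windows host and reports which of the ports named above (445, 135, 137, 139) are open, together with any outgoing TCP 445 connections or connection attempts, which a defender checking a suspect workstation during an outbreak would want to see. The netstat output embedded in it is constructed for the example; on a real host capture it with netstat -an > netstat.txt and pass the file contents to the same functions.

```python
"""Added example, not from the original article: parse `netstat -an` output
and report open SMB/NetBIOS ports plus outgoing TCP 445 connections."""

# Ports the article names for SMB and NetBIOS.
WATCHED_PORTS = {445, 135, 137, 139}

# Constructed sample of `netstat -an` output (not captured from a real host).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    10.0.0.15:139          0.0.0.0:0              LISTENING
  TCP    10.0.0.15:49211        10.0.0.37:445          ESTABLISHED
  TCP    10.0.0.15:49212        10.0.0.38:445          SYN_SENT
  TCP    [::]:445               [::]:0                 LISTENING
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:138            *:*
"""


def split_addr(addr):
    """Split 'host:port' (IPv4 or bracketed IPv6) into (host, port or None)."""
    host, _, port = addr.rpartition(":")
    try:
        return host, int(port)
    except ValueError:  # '*:*' and similar have no numeric port
        return host, None


def parse_netstat(text):
    """Yield one dict per connection line; header and blank lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        yield {
            "proto": parts[0],
            "local": split_addr(parts[1]),
            "foreign": split_addr(parts[2]),
            "state": parts[3] if len(parts) > 3 else "",
        }


def listening_watched_ports(text):
    """Watched ports open locally: TCP in LISTENING state or any UDP binding."""
    open_ports = set()
    for conn in parse_netstat(text):
        port = conn["local"][1]
        if port in WATCHED_PORTS and (conn["proto"] == "UDP" or conn["state"] == "LISTENING"):
            open_ports.add(port)
    return open_ports


def outbound_smb_peers(text):
    """(remote host, state) for every TCP connection or attempt to a remote port 445.
    A workstation reaching many distinct peers on 445 is the pattern a worm leaves."""
    return [
        (conn["foreign"][0], conn["state"])
        for conn in parse_netstat(text)
        if conn["proto"] == "TCP" and conn["foreign"][1] == 445 and conn["state"] != "LISTENING"
    ]


if __name__ == "__main__":
    print("open watched ports:", sorted(listening_watched_ports(SAMPLE_NETSTAT)))
    print("outgoing 445 peers:", outbound_smb_peers(SAMPLE_NETSTAT))
```

Run it against a fresh capture after the net stop commands above to confirm that 445 and 139 no longer appear as LISTENING; the UDP 137 binding is reported as open as long as the NetBIOS service is up.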

5. Strengthen network security awareness: do not click unknown links, do not download unknown files, and do not open unknown emails.

6. Back up the important files on your computer to a removable hard disk or USB drive as soon as possible (and regularly from now on), and keep the disk offline after the backup.

7. Users still running Windows XP or Windows Server 2003 are advised to upgrade to Windows 7/Windows 10 or Windows Server 2008/2012/2016 as soon as possible.

8. Windows 7, Windows 8/8.1 and Windows 10 (excluding LTSB) and later are immune to this virus if automatic updates are enabled.

9. Install genuine operating systems, Office software, etc.

For PCs and servers that are already infected

Without the decryption key, recovering files from an infected computer is very expensive and difficult. If it is determined that a computer has been infected, isolate it or disconnect it from the network (unplug the network cable) to avoid spreading the virus. If a backup of the computer exists, start the backup recovery procedure. If there are no important files, you can format the whole disk, reinstall the system and resume use.

Security patch download

Different systems need different patches; update strictly according to the security patch that matches your system version.

The following system versions:

Windows XP 32-bit / 64-bit / Embedded

Windows Vista 32-bit / 64-bit

Windows Server 2003 SP2 32-bit / 64-bit

Windows 8 32-bit / 64-bit

Windows Server 2008 32-bit / 64-bit / Itanium

Download address of the corresponding patch:

http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598

The following system versions:

Windows 7 32-bit / 64-bit / Embedded (Windows 7 SP1 and the servicing stack update must be installed first)

Windows Server 2008 R2 32-bit / 64-bit (Windows Server 2008 R2 SP1 and the servicing stack update must be installed first)

Windows Server 2008 R2 SP1 and Windows 7 SP1 download address: https://www.microsoft.com/zh-cn/download/details.aspx?id=5842

Servicing stack update download address: https://support.microsoft.com/zh-cn/help/3020369/april-2015-servicing-stack-update-for-windows-7-and-windows-server-2008-r2

Download address of the corresponding patch:

http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012212

Please install this patch first before trying again:

http://catalog.update.microsoft.com/v7/site/search.aspx?q=kb3125574

The following system versions:

Windows 8.1 32-bit / 64-bit

Windows Server 2012 R2 32-bit / 64-bit

Download address of the corresponding patch:

http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4012213

The following system versions:

Windows 8 Embedded

Windows Server 2012

Download address of the corresponding patch:

http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4012214

The following system versions:

Windows 10 RTM 32-bit / 64-bit / LTSB

Download address of the corresponding patch:

http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012606

The following system versions:

Windows 10 November Update (1511) 32-bit / 64-bit

Download address of the corresponding patch:

http://www.catalog.update.microsoft.com/Search.aspx?q=KB4013198

The following system versions:

Windows 10 1607 Anniversary Update 32-bit / 64-bit

Windows Server 2016 32-bit / 64-bit

Download address of the corresponding patch:

http://www.catalog.update.microsoft.com/Search.aspx?q=KB4013429
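The patch list above can be turned into a quick inventory check across many hosts. The following Python script is an added example, not from the article or from Microsoft: it parses the systeminfo output of a host, maps the kernel version (and, for Windows 10, the build number) to the KB number the article lists for that system, and reports whether that KB appears among the installed hotfixes. The build-to-release mapping (10240 = RTM/LTSB, 10586 = 1511, 14393 = 1607 and Server 2016) is an assumption of this example, the three host outputs are constructed, and the KB numbers in them other than the article's are placeholders.

```python
"""Added example, not from the original article: check `systeminfo` output
from Windows hosts against the MS17-010 KB numbers the article lists."""
import re

# KB numbers as listed in the article, keyed by Windows kernel version
# (major.minor from the "OS Version" line) and, for Windows 10, by build.
# The build-to-release mapping is an assumption of this example.
# Windows 8 and Windows 8 Embedded / Server 2012 share kernel 6.2, so either
# KB satisfies that group.
REQUIRED_KB = {
    "5.1": {"KB4012598"},               # Windows XP
    "5.2": {"KB4012598"},               # Windows Server 2003, XP x64
    "6.0": {"KB4012598"},               # Windows Vista, Server 2008
    "6.1": {"KB4012212"},               # Windows 7, Server 2008 R2
    "6.2": {"KB4012598", "KB4012214"},  # Windows 8, 8 Embedded, Server 2012
    "6.3": {"KB4012213"},               # Windows 8.1, Server 2012 R2
    "10.0.10240": {"KB4012606"},        # Windows 10 RTM / LTSB
    "10.0.10586": {"KB4013198"},        # Windows 10 1511
    "10.0.14393": {"KB4013429"},        # Windows 10 1607, Server 2016
}

# Constructed `systeminfo` excerpts (not captured from real hosts). KB numbers
# other than the article's are placeholders, not real updates.
SAMPLE_HOSTS = {
    "win7-host": """Host Name:                 WIN7-HOST
OS Name:                   Microsoft Windows 7 Professional
OS Version:                6.1.7601 Service Pack 1 Build 7601
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB3020369
                           [02]: KB4012212
""",
    "srv2016": """Host Name:                 FILESRV01
OS Name:                   Microsoft Windows Server 2016 Standard
OS Version:                10.0.14393 N/A Build 14393
Hotfix(s):                 1 Hotfix(s) Installed.
                           [01]: KB9999001
""",
    "win10-1703": """Host Name:                 LAPTOP-42
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.15063 N/A Build 15063
Hotfix(s):                 1 Hotfix(s) Installed.
                           [01]: KB9999002
""",
}


def parse_systeminfo(text):
    """Return (os_name, kernel 'major.minor', build, set of installed KBs)."""
    name = re.search(r"^OS Name:\s*(.+)$", text, re.M)
    ver = re.search(r"^OS Version:\s*(\d+\.\d+)\.(\d+)", text, re.M)
    if not ver:
        raise ValueError("no OS Version line in systeminfo output")
    kbs = set(re.findall(r"\bKB\d{6,7}\b", text))
    return (name.group(1).strip() if name else "?", ver.group(1), int(ver.group(2)), kbs)


def required_kbs(kernel, build):
    """KB set the article lists for this kernel/build, or None if it is not in the table."""
    key = f"{kernel}.{build}" if kernel == "10.0" else kernel
    return REQUIRED_KB.get(key)


def assess_host(text):
    """Return (status, required KBs, installed KBs); status is 'patched',
    'missing' or 'not-in-table'. 'missing' only means the article's KB is absent:
    a later cumulative update that supersedes it would not show this number, so
    confirm against the Update Catalog before treating the host as unpatched."""
    _, kernel, build, installed = parse_systeminfo(text)
    required = required_kbs(kernel, build)
    if required is None:
        return "not-in-table", set(), installed
    status = "patched" if required & installed else "missing"
    return status, required, installed


if __name__ == "__main__":
    for host, output in SAMPLE_HOSTS.items():
        status, required, _ = assess_host(output)
        print(f"{host}: {status} (article lists {sorted(required) or 'no KB'})")
```

Hosts whose build is outside the article's table (the win10-1703 sample) are reported separately rather than as patched or missing, since the list above says nothing about them.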

Open Windows Firewall

The steps to turn on the Windows firewall differ between systems; follow the ones for your system.

The following systems:

Windows XP

Windows Server 2003

The steps to enable Windows Firewall are as follows:

Open Control Panel

Locate Windows Firewall in Control Panel

Change Windows Firewall from Off to On

The following systems:

Windows Vista

Windows 7

Windows 8/8.1

Windows Server 2008/2008 R2

Windows Server 2012/2012 R2

The steps to enable Windows Firewall are as follows:

Open Control Panel from the Start menu

Locate Windows Firewall in Control Panel

Click "Turn Windows Firewall on or off" on the left side of the Windows Firewall panel

Enable Windows Firewall

The following systems:

Windows 10

Windows Server 2016

The steps to enable Windows Firewall are as follows:

Click Start and open Settings

Open Network & Internet in Settings

Find Windows Firewall under Status

Click "Turn Windows Firewall on or off" on the left side of the Windows Firewall panel

Enable Windows Firewall

Emergency handling on core network equipment

Because of the large number of devices, it is recommended to use ACL policies on network equipment to achieve temporary blocking and prevent infected devices from spreading the worm widely.

The worm spreads mainly over TCP port 445 and has a major impact on large enterprises and institutions. To block its rapid spread, it is recommended to configure ACL rules at the interfaces of core network equipment to block TCP port 445 traffic at the network level.

The following examples, based on the more common network equipment, show how to configure ACL rules that prohibit TCP port 445 traffic; they are for reference only. In practice, coordinate with network management staff or the equipment vendor's service personnel to configure the core network equipment according to the actual network environment.

Recommended configuration for Juniper devices (example):

set firewall family inet filter deny-wannacry term deny445 from protocol tcp
set firewall family inet filter deny-wannacry term deny445 from destination-port 445
set firewall family inet filter deny-wannacry term deny445 then discard
set firewall family inet filter deny-wannacry term default then accept

# apply rules globally
set forwarding-options family inet filter output deny-wannacry
set forwarding-options family inet filter input deny-wannacry

# apply rules to layer 3 interfaces
set interfaces [layer 3 port name to be mounted] unit 0 family inet filter output deny-wannacry
set interfaces [layer 3 port name to be mounted] unit 0 family inet filter input deny-wannacry

Recommended configuration for H3C devices (example):

New version:
acl number 3050
 rule deny tcp destination-port eq 445
 rule permit ip
interface [layer 3 port name to be mounted]
 packet-filter 3050 inbound
 packet-filter 3050 outbound

Previous version:
acl number 3050
 rule permit tcp destination-port eq 445
traffic classifier deny-wannacry
 if-match acl 3050
traffic behavior deny-wannacry
 filter deny
qos policy deny-wannacry
 classifier deny-wannacry behavior deny-wannacry

# apply globally
qos apply policy deny-wannacry global inbound
qos apply policy deny-wannacry global outbound

# apply rules to layer 3 interfaces
interface [layer 3 port name to be mounted]
 qos apply policy deny-wannacry inbound
 qos apply policy deny-wannacry outbound

Recommended configuration for Huawei devices (example):

acl number 3050
 rule deny tcp destination-port eq 445
 rule permit ip
traffic classifier deny-wannacry type and
 if-match acl 3050
traffic behavior deny-wannacry
traffic policy deny-wannacry
 classifier deny-wannacry behavior deny-wannacry precedence 5
interface [layer 3 port name to be mounted]
 traffic-policy deny-wannacry inbound
 traffic-policy deny-wannacry outbound

Recommended configuration for Cisco devices (example):

Older version:
ip access-list extended deny-wannacry
 deny tcp any any eq 445
 permit ip any any
interface [layer 3 port name to be mounted]
 ip access-group deny-wannacry in
 ip access-group deny-wannacry out

New version:
ip access-list deny-wannacry
 deny tcp any any eq 445
 permit ip any any
interface [layer 3 port name to be mounted]
 ip access-group deny-wannacry in
 ip access-group deny-wannacry out

Recommended configuration for Ruijie devices (example):

ip access-list extended deny-wannacry
 deny tcp any any eq 445
 permit ip any any
interface [layer 3 port name to be mounted]
 ip access-group deny-wannacry in
 ip access-group deny-wannacry out
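Once the ACLs are pushed, the remaining question is whether every layer 3 interface actually carries them in both directions, and whether the deny entry sits before any broad permit that would shadow it. The following Python script is an added example (not from the article or from any vendor): it parses a Cisco-style running configuration, checks that an access list denies TCP 445 before any permit ip/tcp any any, and lists every layer 3 interface (one carrying an ip address) that lacks a blocking ACL inbound or outbound. The configuration text it reads is constructed for the example; the H3C, Huawei and Juniper syntaxes above would each need their own parser.

```python
"""Added example, not from the original article: audit a Cisco-style config
for the TCP 445 blocking ACL and its application on layer 3 interfaces."""
import re

# Constructed running-config excerpt (not from a real device). The
# "permit-first" list deliberately has its permit before the deny to show
# how a shadowed deny is reported.
SAMPLE_CONFIG = """
hostname core-sw1
!
ip access-list extended deny-wannacry
 deny tcp any any eq 445
 permit ip any any
!
ip access-list extended permit-first
 permit ip any any
 deny tcp any any eq 445
!
interface GigabitEthernet0/1
 ip address 10.0.1.1 255.255.255.0
 ip access-group deny-wannacry in
 ip access-group deny-wannacry out
!
interface GigabitEthernet0/2
 ip address 10.0.2.1 255.255.255.0
 ip access-group deny-wannacry in
!
interface GigabitEthernet0/3
 switchport access vlan 20
!
interface GigabitEthernet0/4
 ip address 10.0.4.1 255.255.255.0
 ip access-group permit-first in
 ip access-group permit-first out
!
"""


def parse_config(text):
    """Return (acls, interfaces): acls maps name -> list of entry token lists;
    interfaces maps name -> {'l3': bool, 'in': acl or None, 'out': acl or None}."""
    acls, interfaces = {}, {}
    kind, current = None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None          # '!' closes the current section
            continue
        if not line.startswith(" "):  # top-level statement
            m = re.match(r"ip access-list (?:extended )?(\S+)", line)
            if m:
                kind, current = "acl", m.group(1)
                acls.setdefault(current, [])
                continue
            m = re.match(r"interface (\S+)", line)
            if m:
                kind, current = "intf", m.group(1)
                interfaces[current] = {"l3": False, "in": None, "out": None}
                continue
            current = None
            continue
        tokens = line.split()
        if kind == "acl" and current:
            acls[current].append(tokens)
        elif kind == "intf" and current:
            if tokens[:2] == ["ip", "address"]:
                interfaces[current]["l3"] = True
            m = re.match(r"ip access-group (\S+) (in|out)", line.strip())
            if m:
                interfaces[current][m.group(2)] = m.group(1)
    return acls, interfaces


def acl_blocks_tcp445(entries):
    """True if a 'deny tcp ... eq 445' entry comes before any broad permit.
    'eq 445' is accepted in either the source or destination position."""
    for t in entries:
        if len(t) < 2:
            continue
        action, proto = t[0], t[1]
        hits_445 = proto == "tcp" and "eq" in t and t[t.index("eq") + 1] == "445"
        if action == "deny" and hits_445:
            return True
        if action == "permit" and proto in ("ip", "tcp") and "eq" not in t:
            return False            # a broad permit shadows any later deny
    return False


def audit(text):
    """(interface, direction) pairs where a layer 3 interface lacks a blocking ACL.
    An empty list means every layer 3 interface is covered in both directions."""
    acls, interfaces = parse_config(text)
    blocking = {name for name, entries in acls.items() if acl_blocks_tcp445(entries)}
    return [
        (name, direction)
        for name, info in sorted(interfaces.items()) if info["l3"]
        for direction in ("in", "out") if info[direction] not in blocking
    ]


if __name__ == "__main__":
    for name, direction in audit(SAMPLE_CONFIG):
        print(f"{name}: no TCP 445 blocking ACL applied {direction}bound")
```

On the constructed config the audit flags GigabitEthernet0/2 outbound (ACL applied in one direction only) and both directions of GigabitEthernet0/4 (its ACL has the permit first, so the deny never matches), while the access port GigabitEthernet0/3 is ignored because it has no IP address.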
