[dba-Tech] The latest worms

Jim Lawrence accessd at shaw.ca
Wed May 31 14:55:00 CDT 2017


Hi All:

Since the Wannacry malware and then the announcement of a potential "remote take-over" bug in Samba, I have done a bit of research.

It appears that the whole problem relates to SMB, the protocol created and used by Microsoft to navigate around a Windows network. A network tends to be a very secure environment unless the front door is left wide open, in this case the ports that were used for NetBIOS and SMB: TCP ports 137, 139, 445 and UDP ports 137, 138. Having these ports left open on a network's router harks back to a more innocent age when security was a topic of interest but not of concern.... The trouble is that no firewall package or router ever bothered to close the doors automatically. That was almost 20 years ago.

Samba was a package built so Linux and Unix computers could easily access any Microsoft computers in their network. With the advent of the Wannacry worm more attention has been placed on the Linux/Windows protocol, and a bug in the code was found. It has since been fixed and updates broadcast. Of course, as long as the offending ports have been closed a network remains relatively safe.

Aside: There is another, mostly overlooked defence against a WannaCry type attack:

http://computerworld.com/article/3197421/networking/the-windows-firewall-is-the-overlooked-defense-against-wannacry-and-adylkuzz.html
http://bit.ly/2qBu77h

The problem is that the Wannacry/SMB type attack is not over; in fact it is just starting. A new and more powerful version is now being broadcast, named EternalRocks. It is not built on just the two NSA developed exploits but on seven exploits. It does not start immediately but nestles into an affected network and waits; there is no kill switch; it is much more difficult to find once it is embedded in a system; and it is more a malware launching platform worm than an actual destructive virus. Supposedly, when the worm gets hidden it is almost impossible to find, as it can morph into looking exactly like the environment it is in. If you do a defensive update after the malware has established itself, the effect is worthless. Because this malware is a launching platform, outside attackers can send any number of mal-code packets and run them remotely. Once this software becomes established, it simply opens and closes ports on its own, from inside the network. It should be noted that it uses Tor for obscuring the attacker's location.

https://www.bleepingcomputer.com/news/security/new-smb-worm-uses-seven-nsa-hacking-tools-wannacry-used-just-two/
http://bit.ly/2rFB0EG

This new EternalRocks worm is the Wannacry worm on steroids and if people have not already done so, "Gird Your Loins"..."Close Those Ports".

Jim 
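As an added example that is not part of Jim's post: a small checker for confirming, from a host on the outside, that the TCP ports he names (137, 139, 445) really are closed once the router or Windows Firewall rules are in place. The demo listener stands in for an exposed SMB service on a constructed local port; UDP 137/138 cannot be proven closed by a connect test and is listed only for reference.

```python
"""Verify that the NetBIOS/SMB ports named in the post do not accept TCP connections."""
import socket
from contextlib import closing

# Ports the post says should be closed at the network edge.
SMB_TCP_PORTS = (137, 139, 445)
SMB_UDP_PORTS = (137, 138)   # UDP: no handshake, so a connect test cannot confirm closure


def tcp_port_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """Return True if a TCP handshake to host:port completes within `timeout` seconds."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        # connect_ex returns 0 on success or an errno (e.g. ECONNREFUSED) on failure
        return s.connect_ex((host, port)) == 0


def exposed_smb_ports(host: str, ports=SMB_TCP_PORTS, timeout: float = 1.0) -> list:
    """Return the subset of `ports` that still accept TCP connections on `host`."""
    return [p for p in ports if tcp_port_open(host, p, timeout)]


def _demo_listener(port: int = 0) -> socket.socket:
    """Constructed stand-in for an exposed SMB service: a loopback TCP listener.

    Port 0 asks the OS for an ephemeral port so the demo needs no privileges.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(1)
    return srv


if __name__ == "__main__":
    listener = _demo_listener()                 # plays the role of an open port 445
    fake_port = listener.getsockname()[1]
    print("exposed while listening:", exposed_smb_ports("127.0.0.1", (fake_port,)))
    listener.close()                            # "close those ports"
    print("exposed after closing:", exposed_smb_ports("127.0.0.1", (fake_port,)))
```

Point it at your public address from outside the network (for example `exposed_smb_ports("203.0.113.10")`) to confirm the real SMB ports are blocked; an empty list is the result you want.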