Tagged: Malware

How to disable SMB to stop WannaCry Ransomware. Also links to Microsoft Patches for Windows to stop WannaCry Ransomware

UPDATE May 14 at 3:00pm – added more ways to disable SMB

Some Cyber Weapons which were apparently developed by a National Spy Service to break into enemy computers, were supposedly stolen. Then some of the code for the Cyber Weapons was released to the public, on 14 April, through a dump by a group called Shadow Brokers.

On May 12 2017, a new Ransomware was released on the Internet. It utilized some of the code found in the Cyber Weapons and also a Malware called WannaCry. Hundreds of thousands of computers around the globe got hit. Then a kill switch was set off which dramatically slowed and possibly will stop the Ransomware from spreading further.

Stop the presses. A new version 2 of the WannaCry Malware is now out, which no longer has the Kill Switch code. That will make it difficult to stop.

The Hacker News facebook page posted a solution. Essentially their posts stated to disable the SMB service within Windows. It is not needed and is enabled for backwards compatibility.

Ok, but how do you disable SMB in Windows?

In Windows go to Control Panel. In Control Panel go to the icon labeled “Programs”. Click on it. Then under Programs and Features click on Turn Windows Features on and off. Once there, just scroll down till you find SMB 1.0/CIFS File Sharing Support. Make sure the checkbox to the left of SMB 1.0 is “NOT” checked off. Then click OK and then close control Panel. Reboot the computer.

In my Windows 10 it was already off (unchecked).

Video is courtesy of the Andr.oid Eric YouTube channel

Video is courtesy of the HatimTech YouTube channel

Another way to disable SMB is by using the Registry Editor. The following Video shows how to do it in Windows 7.

Video is courtesy of the Brxtt Tech YouTube channel

Another way to do it is to key in a Powershell command. That is like a super DOS Prompt. Open a Powershell Window and key in the following (but not the Quotes):

Disable-WindowsOptionalFeature -Online -FeatureName SMB1protocol

Press Enter and you should be good to go after you reboot the computer. I would double check in ControlPanel. Better safe than sorry.

Windows 8 and Windows Server 2012 introduce the new Set-SMBServerConfiguration Windows PowerShell cmdlet. The cmdlet enables you to enable or disable the SMBv1, SMBv2, and SMBv3 protocols on the server component.

  • To obtain the current state of the SMB server protocol configuration, run the following cmdlet:

    Get-SmbServerConfiguration | Select EnableSMB1Protocol, EnableSMB2Protocol
  • To disable SMBv1 on the SMB server, run the following cmdlet:
          Set-SmbServerConfiguration -EnableSMB1Protocol $false
  • You do not have to restart the computer after you run the Set-SMBServerConfiguration cmdlet. But I would restart the computer.

To enable or disable SMB protocols on an SMB Server that is running Windows 7, Windows Server 2008 R2, Windows Vista, or Windows Server 2008, use Windows PowerShell or Registry Editor.
Windows PowerShell 2.0 or a later version of PowerShell

  • To disable SMBv1 on the SMB server, run the following cmdlet:

    Set-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters” SMB1 -Type DWORD -Value 0 -Force
  • Note you must restart the computer after you make these changes.

REGISTRY. To enable or disable SMBv1 on the SMB server, configure the following registry key:
Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\ParametersRegistry entry: SMB1

REG_DWORD: 0 = Disabled

REG_DWORD: 1 = Enabled
Default: 1 = Enabled
Restart the computer after making the changes to the Registry.

How to enable or disable SMB protocols on the SMB client
Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012
To disable SMBv1 on the SMB client, run the following commands:

     sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi

     sc.exe config mrxsmb10 start= disabled
     Restart the computer after executing the above.

If that is the hole inside all Windows Versions that existed prior to the Mar 2017 Microsoft Patch, then it has been around for ages.

Click on this link to visit The Hackers News Facebook page.

Click on this link to visit The Hackers News website.

The following are LINKS to Official Microsoft Patches for assorted versions of Windows (including Windows XP). Download English language security updates:

Windows Server 2003 SP2 x64,

Windows Server 2003 SP2 x86,

Windows XP SP2 x64,

Windows XP SP3 x86,

Windows XP Embedded SP3 x86,

Windows 8 x86,

Windows 8 x64

To download localized versions for the security update for Windows XP, Windows 8 or Windows Server: http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598

General information on ransomware: https://www.microsoft.com/en-us/security/portal/mmpc/shared/ransomware.aspx

MS17-010 Security Update: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Click on this link to visit Microsoft’s site to read their post titled: “Customer Guidance for WannaCrypt attacks”.

One final note which is bugging me. People are saying that this Ransomware is a “VIRUS“. WannaCry Ransomware is “NOT” a Virus. The WannaCry Ransomware is a vastly more complex computer “WORM“, hence it’s ability to find Windows computers connected to a network.

Click on this link to view other CyberSecurity related posts found on Uniquely Toronto.

 

Posted by Vincent Banial

Disclaimer: Everything in the post above is subject to change without notice. There could be unintentional errors. Please confirm all info via the linked to websites and web pages. The WannaCry Malware has already been changed (minus the Kill Switch). Disabling SMB may not prevent future versions from affecting your computer. Best Practice is to always create daily backups

Advertisements

Malware infected Android Apps discovered by Cybersecurity Researchers

Warning for Android based Cell Phone Users. Cybersecurity Experts have found a Fake Google Chrome Update which instals Malware

The Cybersecurity Researchers at Zscaler Inc have posted a new finding of a Fake Google Chrome Update which installs Malware. The only way to get rid of the Android Infostealer Malware is to reset the Android Phone to factory settings (thus wiping claen).

Click on this line to be taken to the Zscaler website to read their Blog post ttiled: Android infostealer posing as a fake Google Chrome update.
Their post was written by Viral Gandhi

Click on this line to visit the Zscaler YouTube channel

Click on this line to visit the Zscaler website.

Click on this link to view other CyberSecurity related posts found on Uniquely Toronto.

 

Posted by: Vincent Banial
http://www.uniquelytoronto.com

Disclaimer: Any Trademarks mentioned in this post are owned by the respective Trademark owner. There could be unintentional errors or omissions in this post. Always refer to the official sites to confirm details and any ongoing changes or updates. This post is subject to change without notice.

Talk Security Podcast: discusses “Dark Hotel” and “WireLurker” which targeted Apple IOS and OSX based products

Kaspersky Lab publishes details about the Equation Hacker group’s arsenal, including “nls_933w.dll” which can reprogram the hard drive firmware of over a dozen different hard drive brands


Kaspersky Lab presented at their Security Analysts Summit something even more scary than the details about the Carbanak Bank Cyber Heist. Per Karspersky the Carbanak group ripped off about 100 banks around the globe of about $1 Billion Dollars (and in my opinion very likely still counting).

Kaspersky Lab Experts referred to the Equation group as the “God” or the “Death Star” of Malware. Part of the huge arsenal of code which the Equation group has been developing over what looks like decades is nls_933w.dll“. “It allows them to reprogram the hard drive firmware of over a dozen different hard drive brands“.

Oncenls_933w.dll installs the Malware into the Hard Disk’s firmware, there is no way to remove it. Repartitioning will not affect it. Reformatting has no effect. The only way to get rid of this Malware from the targeted computer, is to physically destroy the Hard Disk.

Kaspersky Lab goes on to report that the Equation group seems to have existed long before the Stuxnet group.

The word “Elite” is part of the lexicon of Hackers. The Equation group therefore can be called the Elite of the Elite of the Elite of the Elite of the Elite and so on of Uber Hackers. To be able to hack and modify a Hard Drive’s firmware is unheard of. To be able to do so for Hard Drives of over a dozen different brands is insanely impossible. Yet the Equation group did it and very likely much more, that has yet to come to light. In comparison, this makes things like the REGIN Malware group’s incredible capabilities seem like no big deal.

Ok, enough of my rambling.

Click on this line to view the Kaspersky Lab report about the Equation group and their arsenal of jaw dropping Malware. On that page you will find a link to a downloadable PDF of the Question and Answer session from their presentation at the Security Analysts Summit.

Wow, this has turned into a CyberSecurity long weekend. Very impressive and rather scary stuff has been revealed by Kaspersky Lab.

Click on this link to view other CyberSecurity related posts found on Uniquely Toronto.

 

Posted by: Vincent Banial

Disclaimer: Any Trademarks mentioned in this post are owned by the respective Trademark owner. There could be unintentional errors or omissions in this post. Always refer to the official sites to confirm details and any ongoing changes or updates. This post is subject to change without notice.

Kaspersky Lab report: The Great Bank Robbery: Carbanak cybergang steals $1 Billion Dollars from 100 financial institutions worldwide

Video is courtesy of the Kaspersky Lab YouTube channel


The Kasperskpy Lab report which was presented at the Security Analyst Summit (on Feb 16 2015) is now available online.


Click on this line to visit the Kaspersky Lab SecureList page which discusses the report : The Great Bank Robbery: Carbanak cybergang steals $1bn from 100 financial institutions worldwide.
You can also download a PDF of the “Full” Report via a link on that webpage.

Click on this link to view other CyberSecurity related posts found on Uniquely Toronto.

 

Posted by: Vincent Banial

Disclaimer: Any Trademarks mentioned in this post are owned by the respective Trademark owner. There could be unintentional errors or omissions in this post. Always refer to the official sites to confirm details and any ongoing changes or updates. This post is subject to change without notice.

Hackers supposedly were able to steal up to $1 Billion Dollars from Banks around the globe


This is a further update to our prior post about the breaking news of a major Cyber Bank Heist.

The amount supposedly stolen from assorted banks around the globe is now being published to be around $1 Billion Dollars.

Photo of racks filled with Cisco Networking gear. Photo Credit Vincent Banial

Racks filled with Cisco Networking gear. Photo Credit Vincent Banial

Continue reading

Hackers supposedly infiltrated Banks via Malware, allowing them to steal hundred of millions of dollars. Detailed report by cybersecurity firm Kaspersky Lab to be made public on Monday Feb 16

Photo of racks filled with Cisco Networking Gear. Photo Credit Vincent Banial

Photo of racks filled with Cisco Networking Gear. Photo Credit Vincent Banial

Click on this line to read what was posted today (Sat Feb 14)  by the New York Times about Hackers infiltrating Banks around the world by using Malware.

I have had many arguments about security software. One group especially got me going because to them Norton Security was the end all and be all. I finally got their so-called Tech to admit that to him Norton Security was the best because it had the largest market share. That’s like saying that GM automobiles are better than Rolls Royce automobiles because GM has a larger market share.

Of course Norton Security is very good. I believe that the security software created by Kaspersky Lab is better (your mileage may differ). Testing done by the Security Software testing site AV TEST http://av-test.org also top rates Kaspersky Lab security software. But I digress…our coverage of this major Cybersecurity Breach continues below.

The report on what Kasperky Lab had determined about the Cyber Bank Heist will be made public on Monday Feb 16.

Supposedly ATMs were instructed by the Hackers to dispense money at specific times.

Account balances were supposedly inflated and then the inflated amounts were transferred to Bank Accounts setup by the Hackers.

In the New York Times article it seems that Kaspersky Lab had supposedly seen evidence of hundreds of millions of dollars in supposed theft. The article implied that the Cyber Security Experts at Kaspersky Lab think that the sums stolen could possibly be multiple times more.

I will keep watching for the official Kaspersky Lab report on Monday. Till then you can learn more about this by visiting some of the links below.

Click on this line to read a prior report (Sept 11 2014) by Kaspersky Lab Security Experts. The report is titled: “Thefts in remote banking systems: incident investigations”. It details how Hackers were able to overcome one bank’s Security, by using Social Engineering to infect one key computer in that Bank’s Network. Makes for some interesting reading.

The New York Times post which looks to be the main post which  brought this to public light.

CNet’s post about the supposed Cyber Bank Heists.

ARS Techinca coverage of the Cyber Attack on Banks around the globe.

The Citizen post about this Hacker worldwide Bank Heist.

New York Times sub post about how Hackers infiltrated Banks.

 

I will continue to post about this as more is learned – most likely when that Kaspersky Lab report is released on Monday Feb 16 2015.

 

 

 

Posted by: Vincent Banial

Disclaimer: Any Trademarks mentioned in this post are owned by the respective Trademark owner. There could be unintentional errors or omissions in this post. Always refer to the official sites to confirm details and any ongoing changes or updates. This post is subject to change without notice.

WireLurker Malware targeting Apple IOS and OSX products


If you use an Apple IOS or OSX device (phone, tablet, notebook and desktop) you might want to check out my post about WireLurker.

Apple users sometimes are smug about not needing any security software. Yes, Apple products have been highly secure.

As the number of Apple products being purchased keeps growing, Apple products are also becoming targets for those who create Viruses and Malware and other interesting code.

Back in 2012 “Flashback” victimized about 700,000 Macs. WireLurker and future variants of it could have the potential to do the same.

Staying informed can help keep you and your Apple IOS and OSX gear from falling victim to such attacks.

 

Posted by: Vincent Banial

Disclaimer: Any Trademarks mentioned in this post are owned by the respective Trademark owner. There could be unintentional errors or omissions in this post. Always refer to the official sites to confirm details and any ongoing changes or updates. This post is subject to change without notice.

Java patch Update for the Malware issue affecting Apple Mac computers has been released by Oracle and Apple

Oracle has posted a Java Patch update which is said to resolve the Malware issue which was affecting Apple Mac computers. Continue reading