
Windows XP SP3 WannaCry Patch


Thread replies: 54
Thread images: 5

File: windows-xp.jpg (81KB, 600x529px)
If you want to protect your Windows XP systems from WannaCry/WanaCrypt ransomware, install the following patch from Microsoft.

http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsxp-kb4012598-x86-custom-enu_eceb7d5023bbb23c0dc633e46b9c2f14fa6ee9dd.exe

For Windows 7/8/10 just run Windows Update, it was patched back in March.

More info here: https://support.microsoft.com/en-us/help/4012598/title
Link to Microsoft Update Catalog for KB4012598 (server may be overloaded): http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598

VirusTotal analysis (just in case): https://www.virustotal.com/en/file/3530b7890c22096693fd473d8c6455b9992ac4aa400e1b8ce14d0049234c489d/analysis/

SHA256: 3530b7890c22096693fd473d8c6455b9992ac4aa400e1b8ce14d0049234c489d
MD5: 3AD11C9883051E5A5EEC5A000DC4C37C
>>
>>60368429
I don't get it. How do vulnerabilities actually work? OK, someone has one of their ports open, then what? Why does an external computer have full systemwide access / admin privileges?
>>
>>60368429
Thanks man.
>>
>>60368519
It uses some NSA leaked tools to basically run on the systems that aren't patched via scanning of IPs, local networks.

The worm has been stopped at the moment, because a malware researcher registered a domain that WannaCry used, it was either a killswitch or a method to check if it was in a research environment.

What happened is that WannaCry checked a specific domain, if the domain didn't resolve WannaCry would spread and encrypt files, if it did resolve it would stop.

The assumption is that the creators wanted to delay researchers in fixing it, because their test environments would often resolve unregistered domains. But it was poorly implemented.

It could only be a matter of time before it starts again and affects all unpatched systems.

If your Windows is up to date, you should be okay. But very important to have offline backups as well, the worm can encrypt anything attached.
>>
File: IMG_2831.jpg (53KB, 1046x569px)
>>60368646
Except for people who haven't upgraded to common sense 2017 edition. Their snake oil antivirus blocks the requests to said site, so they block the killswitch signal. The only way to get infected at the moment is if you fell for the antivirus meme. (Kaspersky, Cisco Ironport and Fortinet are also affected).

https://mobile.twitter.com/GossiTheDog/status/863185030595710977/photo/1
>>
>>60369141
it's blocked after all antivirus soft updated you retard
>>
I got 8.1, whenever I try to update it shit doesn't download. What do?
>>
>>60369260
http://lmgtfy.com/?q=windows+8.1+does+not+update
>>
>>60369260

You mean you are trying to update via Windows Update?

Go here and download KB4012598 for Windows 8.1 (server might be overloaded right now btw): http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598

Also check Windows Update and see if you have March & April Security & Quality Rollup, which is all you really need.
>>
>>60369423
Didn't work m8.
I think I got those two updates though.
>>
>>60369708
Then you should be good.
>>
>>60369423
Which should I get for windows 7?
>>
>>60370233

Just update Windows 7 normally, you don't specifically need Microsoft Update Catalog update for 7/8/10 to be protected.

You can try Security Update for Windows 8 for x64-based Systems (KB4012598) if you really want, assuming you have 64-bit windows. Should in theory work for 7/8/10, but I haven't tried it myself.

Should in theory be rolled for May's security update anyways.
>>
>>60370233
The April Security Rollup, and perhaps the one after that as well.
>>
>PATCH IS COMPROMISED
PATCH IS COMPROMISED

MICROSOFT SERVERS ALREADY COMPROMISED!!

DON'T UPGRADE OR YOU'LL GET RANSOMWARE!! THIS IS NOT A TROLL!!
>>
>>60370233
Check here:
https://www.ghacks.net/2017/03/14/microsoft-security-updates-march-2017/
https://www.ghacks.net/2017/04/11/microsoft-security-updates-april-2017-release/
>>
>>60370611
How do you know?
>>
File: file.png (143KB, 1909x402px)
>>60370571
So, this?
>>
>>60370655
Caps lock is cruise control for truth
>>
>>60370697
Damn that's an old expression.
>>
>>60370658

Yes and also April, as I am not sure which one they released it for. It was released March 14th, so probably in April's rollup.
>>
>>60368646
>The assumption is that the creators wanted to delay researchers in fixing it, because their test environments would often resolve unregistered domains. But it was poorly implemented.

What's that mean in plain English?
>>
All you need is this. https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
>>
>>60370611

Don't listen to this, it's bullshit.

I've updated 4 vmware instances of XP and 1 Thinkpad with XP hours ago.

The ransomware is detected by virus scanners as well.

If Microsoft catalogue was compromised, there would be a MASSIVE class action suit.

Just make sure you get the update from Microsoft servers directly, check whois info if need be, run a virus scan, compare sha/md5, etc.

There are zero reports of this anywhere as well.

Also always make sure you have offline data of important files, get some cheap USB sticks and maybe even some DVDs and back up the most important files first, and do this 2-3 times for redundancy. Better to do backups while offline as well.
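An added example (not from the thread) of the "compare sha/md5" step recommended above, using the two digests the opening post lists for the XP patch. The local file name in the command-line part is an assumption.

```python
import hashlib
import hmac
import sys

# Digests exactly as listed in the opening post for the XP SP3 patch.
POSTED = {
    "sha256": "3530b7890c22096693fd473d8c6455b9992ac4aa400e1b8ce14d0049234c489d",
    "md5": "3AD11C9883051E5A5EEC5A000DC4C37C",
}

def file_digests(path, algorithms=("sha256", "md5"), chunk=1 << 20):
    """Hash the file once, feeding every algorithm from the same read."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}

def verify(path, expected=POSTED):
    """Return {algorithm: matches?}; posted digests may be upper or lower case."""
    actual = file_digests(path, tuple(expected))
    return {name: hmac.compare_digest(actual[name], want.strip().lower())
            for name, want in expected.items()}

def is_trusted(path, expected=POSTED):
    """Require SHA-256 to be present and every listed digest to match.

    MD5 alone is not collision resistant, so it is only a secondary check.
    """
    result = verify(path, expected)
    return result.get("sha256", False) and all(result.values())

if __name__ == "__main__":
    # Assumed local file name; pass the real path as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "kb4012598-xp.exe"
    for name, ok in verify(target).items():
        print(f"{name}: {'match' if ok else 'MISMATCH'}")
    sys.exit(0 if is_trusted(target) else 1)
```

A digest posted in the same thread as the download link only shows that the file is the one the poster hashed; the installer's Microsoft signature is the independent check.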
>>
>>60370853

https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html

> In certain sandbox environments traffic is intercepted by replying to all URL lookups with an IP address belonging to the sandbox rather than the real IP address the URL points to, a side effect of this is if an unregistered domain is queried it will respond as if it were registered (which should never happen).

> I believe they were trying to query an intentionally unregistered domain which would appear registered in certain sandbox environments, then once they see the domain responding, they know they’re in a sandbox the malware exits to prevent further analysis. This technique isn’t unprecedented and is actually used by the Necurs trojan (they will query 5 totally random domains and if they all return the same IP, it will exit); however, because WannaCrypt used a single hardcoded domain, my registration of it caused all infections globally to believe they were inside a sandbox and exit…thus we initially unintentionally prevented the spread and further ransoming of computers infected with this malware. Of course now that we are aware of this, we will continue to host the domain to prevent any further infections from this sample.
>>
>>60368429
Anyone on /g/ should not have any legit reason to be running XP systems.
>>
>>60370853
If malware is sending data to a server a researcher might spoof the URL of the server and basically intercept the communications that the malware makes to the server. If they're lucky they might find something they can use to break open the encryption and use that to make an unlocker program.
>>
>>60370996

Except you need it for many legacy software/drivers. If you run older computers, you know what I am talking about.

Also XP isn't the only system affected, it's just that you need to update it manually.
>>
>>60368429
>all these people forgetting Blaster
>all these people not remembering the birth of clickjack malware
lmao
>>
File: Untitled.png (71KB, 1055x866px)
>>60369260
just uninstall SMD 1.0 and everything else you don't see in my image from Ethernet Properties.
>>
>>60371078
sorry, I mean 'SMB'
>>
>>60370853
to figure out what malware does, they're running them in special environments where they can see everything that happens
they don't want the malware actually talking with the internet, so they fake things
like if the malware is trying to connect to "doesntexist.com", their software will respond with a (fake) "hi, i'm doesntexist.com" (so to speak), then they can see what the malware attempted to send there

the trick here is that the malware deliberately tries to talk to a site which doesn't exist, in order to try to know if it's being researched or not
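The check described in the quoted MalwareTech passage and in the plain-English explanation above, modelled offline as an added example (not code from the thread or from the malware). It shows why registering one domain stopped the single-domain check everywhere, while the Necurs-style check of 5 random domains would not have been affected. The resolvers, IP addresses and the domain name are constructed placeholders.

```python
import random
import string

# Placeholder: the real hardcoded domain is not given in the thread.
HARDCODED = "hardcoded-killswitch-placeholder.example"

def make_resolver(registered, intercept_ip=None):
    """Build resolve(name) -> IP string, or None for "does not exist".

    intercept_ip models a sandbox that answers every lookup with its own IP.
    """
    def resolve(name):
        if intercept_ip is not None:
            return intercept_ip
        return registered.get(name)
    return resolve

def single_domain_exit(resolve, domain=HARDCODED):
    """One fixed name: any answer is read as "sandbox", so the sample exits."""
    return resolve(domain) is not None

def random_domains_exit(resolve, count=5, rng=None):
    """Several random names: exit only if all of them resolve to the same IP."""
    rng = rng or random.Random(0)
    names = ["".join(rng.choices(string.ascii_lowercase, k=20)) + ".example"
             for _ in range(count)]
    answers = {resolve(n) for n in names}
    return len(answers) == 1 and None not in answers

def scenarios():
    """Return {scenario: (single_domain_exit, random_domains_exit)}."""
    worlds = {
        "internet, domain unregistered": make_resolver({}),
        "analysis sandbox": make_resolver({}, intercept_ip="10.0.0.1"),
        "internet, domain registered": make_resolver({HARDCODED: "192.0.2.10"}),
    }
    return {name: (single_domain_exit(r), random_domains_exit(r))
            for name, r in worlds.items()}

if __name__ == "__main__":
    for name, (single, multi) in scenarios().items():
        print(f"{name:32} single-domain exits={single!s:5} "
              f"random-domain exits={multi}")
```

The third scenario is the situation after the researcher's registration: the single-domain check now gets an answer on every real network, which is also why blocking lookups of that domain leaves the check unanswered.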
>>
>>60371114
Why would it care if it's been researched or not?
>>
>>60371158
slowing down research means it can last longer before it's figured out and countermeasures can be put in place (virus definition, software updates...)
to stop something, you need to know how it works
>>
>>60371158
It makes it harder to examine and develop a fix for. With these cryptolocker malwares the longer the thing is alive the more money they make.
>>
>>60371158
Because the encryption is not broken and the keys are on the private servers somewhere.
Once we find the origin, the police raid and lock the computers like Europol did a few months back.
>>
>>60371158
>>60371199
to explain a little further
take this smb service bug for example, microsoft wasn't aware of the bug, as if they were, a fixed version would have been made already
so to find out how the malware is doing what it's doing to smb, you need to watch how it interacts with it (such as sending a certain, unusual or should-be-invalid packet of data to it)
once you know how it does what it does, the software developer (microsoft) can then figure out what the bug is (what part of the software isn't acting as expected), and fix it
>>
the localized versions can be downloaded on
>http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598
and it responds with the patches in the language defined by the Accept-Language of your browser request
>>
>>60370909
Not to mention Windows would shit on your screen if you ran an update not digitally signed.
>>
>>60371078
The fuck is SMB anyways?
Googled it and people are saying it's old bad shit.
>>
>>60371723
it's the windows file sharing protocol
>>
>>60371723
Super Mario Bros
You can play it by deleting \??\ on windows, so a very secret and almost undocumented windows flag is activated, and you can find a NESticle with a SMB rom in your program folder
>>
>>60370743
Even with cruise control you still need to know how to steer.
>>
>>60368519
I would suck a dick for an explanation-for-noobs-like-myself
I want to know too
>>
>>60371723
Sabma, nigger. The protocol which allows you no access network folders.
>>
>>60368429
Install gentoo.
>>
>>60372591
"samba" is a foss implementation of the SMB/CIFS protocol, the protocol isn't officially called samba
>>
>>60372783
Nobody spells it like es-em-bee.
https://help.ubuntu.com/community/How%20to%20Create%20a%20Network%20Share%20Via%20Samba%20Via%20CLI%20%28Command-line%20interface/Linux%20Terminal%29%20-%20Uncomplicated%2C%20Simple%20and%20Brief%20Way%21
>>
>>60372940
that's a guide on how to set up samba
windows doesn't use samba
>>
File: Capture.png (6KB, 400x116px)
>>60373006
OK.
>>
>>60373079
it uses smb, but not samba
they're not the same thing
>>
>>60373102
> it uses smb, but not samba
I set it up. I get this. If it uses smb, then SMB = Samba.
>>
>>60373155
then guess these are also true;
sumatrapdf = pdf
cups = ipp
reactos = windows
x264 = H.264
etc
>>
>>60373079
since when did you stop tripping furfag?
This is a 4chan archive - all of the content originated from that site.
This means that RandomArchive shows their content, archived.