PSA: Windows worm spreading around the internet like wildfire
Are you running Windows? Go right now and run Windows Update.
I’ll wait.
Patched? Good.
Hundreds of thousands of machines have been infected by ransomware today. This took out the NHS early this morning and has been spreading worldwide all day.
The worm spreads using an exploit leaked over a month ago. The patch for it has been out since March. If you run Windows, and you don’t regularly patch, either get off the internet or patch now.
/giphy internet on fire
Much thx. My machines haven’t been patched since last summer. Because they haven’t been booted since then. Using chrome books at the moment.
What is the best way to deal with this? Manually downloaded update and apply offline??
Thx, NSA, for allowing this exploit info into the wild.
@f00l it spreads over SMB (port 445); most routers/firewalls will block it from coming in from the outside. If you’re on your home network, and no other infected machines are on the same network, you can just boot and run Windows Update.
Infection is hitting when people connect to large corporate networks or public hotspots. It just takes 1 infected machine inside a network.
@f00l it’s not clear how machine 1 gets infected. I’ve heard reports of emailed PDFs, or already infected machines getting an update from the malware author with this new attack vector.
FedEx is shutting off its computers till Monday.
Hospitals are turning away patients, cancelling surgeries.
This is bad, people. Please patch.
/giphy please
@MrGlass
I know a small biz that changed ISPs and changed out routers yesterday. They didn’t know about this problem at the time, but they paid someone professional to come in and setup the new router and test it. Till then, all their machines were offline and turned off. After that, they brought each machine up one by one, waiting for a while in between. The router expert had brought in a “bait” clean install laptop to run on the network, and some packet inspection tools or something. (I just heard about this over the phone, and the people who told me aren’t savvy and can’t describe what the guy did beyond that. 10 years ago I was the person screaming at them to get updated antivirus onto all their machines and get someone to check how the phone company had setup their router.)
Anyway, so far so good.
Haven’t turned on my laptop this week.
I’m assuming that I’m running one of the latest patches, but next week I’ll double check.
For those who just want to patch for this, without a full update:
MS17-010
https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
Interesting article on this:
http://www.npr.org/sections/thetwo-way/2017/05/12/528119808/large-cyber-attack-hits-englands-nhs-hospital-system-ransoms-demanded
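If you want to know whether the MS17-010 fix is actually on a machine, rather than guess from the date of the last update, the script below does the check. It is an added example, not something posted in this thread or published by Microsoft. It assumes an elevated PowerShell prompt; the KB numbers are the ones the MS17-010 bulletin lists for Windows 7 / Server 2008 R2 (KB4012212 security-only, KB4012215 monthly rollup) and the out-of-band package for XP / Vista / Server 2003 / 8 (KB4012598); other Windows versions use other KBs, so check the bulletin for yours.

```powershell
# Added example: is MS17-010 applied, and is SMBv1 (the protocol the worm
# exploits) still enabled on this host? Run from an elevated PowerShell prompt.
# KB list below is for Win7/2008R2 plus the XP/Vista/2003/8 package; see the
# bulletin for other Windows versions.
$ms17010Kbs = @('KB4012212', 'KB4012215', 'KB4012598')

$os = Get-CimInstance Win32_OperatingSystem
"OS: $($os.Caption) build $($os.BuildNumber)"

# 1. Direct check for the March 2017 packages. A later monthly rollup
#    supersedes them, so "not found" is inconclusive on a fully patched box.
$found = Get-HotFix | Where-Object { $ms17010Kbs -contains $_.HotFixID }
if ($found) {
    "MS17-010 package present: $($found.HotFixID -join ', ')"
} else {
    "None of $($ms17010Kbs -join ', ') found; compare srv.sys below against the bulletin."
}

# 2. Version of the SMB server driver, which is the file the fix replaces.
$srv = Get-Item "$env:SystemRoot\System32\drivers\srv.sys"
"srv.sys version: $($srv.VersionInfo.ProductVersion)"

# 3. Is the SMBv1 server still enabled?
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    # Windows 8 / Server 2012 and later have the SMB cmdlets.
    "SMBv1 server enabled: $((Get-SmbServerConfiguration).EnableSMB1Protocol)"
} else {
    # Older systems: LanmanServer\Parameters\SMB1 (absent means enabled).
    $p = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = Get-ItemProperty $p -Name SMB1 -ErrorAction SilentlyContinue
    if ($null -eq $val) { "SMBv1 server enabled: True (no SMB1 registry value)" }
    else { "SMBv1 server enabled: $($val.SMB1 -ne 0)" }
}

# 4. Is anything listening on TCP 445 on this box at all?
$listening = netstat -an | Select-String ':445 .*LISTENING'
"Port 445 listening locally: $([bool]$listening)"
```

Step 1 alone is not enough on a machine that has taken later rollups, which is why the srv.sys version is printed too; step 3 answers the separate question of whether the machine would accept an SMBv1 connection even if patched.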
@Shrdlu Question from a computer dummy…is it safe to come to meh and get this link? I normally use an android tablet, I boot the windows laptop once a month to pay bills, and once in a while for photo work. I only update when prompted. So it’s been sleeping since the first of the month.
@moondrake Dunno. I have a single windows machine with no ports open, and no Microsoft products (other than the OS) running on it. It’s running Win7. I doubt I’ll patch it.
This patch actually came out in March. Personally, I’d cut and paste the link, rather than click on it (even though I’m sure clicking on it would be fine, better safe than sorry).
Mine updated 2 days ago. Is that good, or should I redo?
@KDemo
If you updated fully, you’re probably good.
If you’re at home w one machine, you’re prob good
You might run update manually to check you’ve got them all.
@f00l - TYVM
@KDemo As I’d said in an answer above, this patch actually came out in March. If you patched two days ago, you are fine.
@Shrdlu
@Shrdlu Oh good, looks like I last patched in April, and it looks like i already applied this patch.
I don’t imagine it’s possible for wildfire to spread over the Internet…
@medz
Then don’t imagine.
/giphy wildfire
Some form of this sort of incident was just sitting there here waiting to happen in some fashion.
Get used to it I guess?
BTW I’m clueless and not super-prepared or anything either. I just kinda get the idea of what might/did hit.
wow I’ve been waiting for something like this to happen. I was working on a hospital IOT project and they were using windoze ce for a wifi app. I still chuckle every time I think of it.
@cranky1950
Now you’re taking me back.
Sure it wasn’t Win ME?
@f00l nope, ce. They still market it for dumbass cheapskate marketing idiots to fuck up engineering projects with. This project became a classic textbook case of what happens when you habitually source to the lowest bidder. I won’t even go into the marketing idiots sourcing the control app to a web design firm instead of someone grounded in remote machine control, because you know, it’s a web app.
@cranky1950 You’ll find windows ce embedded in almost any controlled device.
@cranky1950
I know ce is still out there. Was just making a lame M$ joke.
@cranky1950 We still have several XP boxes in our hospital… including one of the ones that does our backups! I have been preaching against this for a long time… but still they persist…
@chienfou
I have worked with a few biz who are still running XP boxes for one-off purposes (specialist drivers that talk to factory equipment interfaces and similar). Huge scale machine shop stuff. 18-wheeler Peterbilt engine parts and battery mount parts and bumpers and the like. And some other oddball uses.
The IT dept finally persuaded the $ people to ditch or update the other remaining XP machines.
I asked, when I saw the xp ones, at the places that still had them going: I was assured that these machines were not on any LAN. Stuff is hand carried over to them on a USB key.
Once a week someone hooks them up one by one on their own little subnet and runs windows update and does the antivirus patches.
Or so I was told. Hope that’s true.
No one had downtime last week that I heard about.
@cranky1950 @f00l so you’re saying I shouldn’t have my Dreamcast hooked up in my company’s server room?..
@Oneroundrobb
You could put up a poster with all the network config info and admin or root logins for all the critical machines and routers… then you could point an HQ webcam at the poster, and set up a public feed. Or even stream the webcam to your company’s facebook page perhaps.
First time I haven’t been annoyed about forced windows 10 updates.
Microsoft patched w10 tuesday evening.
or not ulp?
I’ve got a great idea: Why don’t we connect all of our mission-critical infrastructure (hospital labs, power generators, power grids, law enforcement, financial transactions, ?military control?, elevator systems, car steering and braking, dam spillways, health and insurance records, …) to the internet. That way the admins can connect from home instead of having to drive 10 minutes to do an update. What can go wrong?
[stupid shits]
Home automation, anyone?
@phendrick
Oh yeah. I need an iot sink sponge. I’m sure the manufacturer will keep it up to date with security patches.
@phendrick
On a related note.
Is this JIT or TLTL?
JIT = Just in time (software & educationalese term) – I see urban dictionary has an altogether different usage!
@phendrick It isn’t even that. A lot of places are still running XP because the computer still runs and it works fine here and they haven’t got the resources to upgrade to a new OS. Yet they don’t disconnect from the internet, and in fine MBA logic, there’s no problem as long as there’s no problem.
@cranky1950 AMEN! (see post a few above this!)
I want to thank you - have a laptop that is almost never used unless needing to print things off since my spouse & teen refuse to hook theirs up to the printer (they are both hardcore Steam users/players) but laptop just got turned on two days ago to purchase tickets for a Dodgers/Reds Father’s Day baseball game. If you ask my Daddy I’m a Dodgers fan (my sister, him and I were born in CA.) but the fam was moved to Virginia (which is why I declare myself a southerner and always will be) when I was 3 so he won’t accept I’m a Pittsburgh fan (Steelers,Flyers & Pirates). Spouse, sons and Mother all born in Ohio. Hence, the yearly trek to the game.
@WTFsunshine I’m sorry… Flyers?
@falseaccount Same state at least.
@falseaccount,@sammydog01 Yes I know Flyers are Philly I just combine them because yes - same state - but I did forget the Penguins. Shame on me for forgetting them.
@WTFsunshine That does make me question if you’re actually a fan of the team if you can’t remember the name of the team…
@jqubed I remember their name, I just forgot to include them in the list when typing out the overly long explanation of why I was thanking MrGlass. So, yes, I am a fan. When I was young and living in Virginia we used to play with some of the Redskins players’ children, but my heart stayed with the Steelers.
We got hit with one of these a couple weeks ago at work. We think one of our less-savvy coworkers clicked a “Your computer is infected! Click here!” alert. A bunch of people couldn’t do anything for days while the IT contractors came in to clean computers and restore from backups. It’s amazing to me that it’s completely acceptable for businesses to use a product that can so easily cause so much downtime. If it was anything but Windows, people would be fired for installing it.
I know linux isn’t bulletproof, but this is one of the reasons I use linux.
@rtjhnstn for similar reasons, Windows 98 is pretty safe as well. Nobody bothers to attack a little-used OS for obvious reasons.
@RedOak by design linux is hard to hack, but 98 would still be a goner pretty quickly as it hasn’t been supported and is Swiss cheese for all the simple stuff wandering around out there.
@cranky1950 but nobody would bother going after it. Just like Linux.
Just a minor quibble here… Linux isn’t hard to hack (although it’s certainly harder than WinXp), but is mostly protected by the vast variety of installs out there. Running Ubuntu on random hardware isn’t much safer than Win(XP/7/8/10), and I’ve seen the updates hit just as often for Ubuntu as for Windows. The biggest reason it doesn’t show on the same radar tends to be the slightly higher sophistication of the user base.
(Yes, I know there are plenty of other varieties of Linux than Ubuntu, including the Debian that it’s based on; just making a point.)
I’ve run multiple operating systems for years (always at least one Windows, always at least one Mac, always at least one Linux, and the rest are either FreeBSD or OpenBSD). One of my favorite exploits was called “ShutUpTheo” and I’m waiting for the compromise for “systemd” (and that will be a messy one).
The main things everyone should have learned from this is to patch regularly, and to have multiple backups (including offsite). I’m betting on the side of laziness, though. It’ll all calm down and be forgotten
…until the next time…
@Shrdlu
Curious. Did you ever mess with BeOS?
@f00l BeOS is (or was, really) a toy. I have no interest in partial systems. I haven’t done anything interesting for years and years, though. I retired in 2006, and started being serious about it in 2007.
Sometimes I look at the number of computers I have that are still alive, and wonder what on earth I’m doing with them, and why I bother. I’m just not quite ready to give them up. Maybe five years from now… Maybe not.
@Shrdlu
Something about this exploit news made me remember BeOS for some reason. Can’t fathom why it popped into my head.
I met someone who had flown out to CA to meet with some kernel people and some execs a few times, was gonna work on driver dev. Then they wanted to put the as-yet-unsigned contract off for a few months … a few months more … then, nothing…
Did you hear the one about how a guy stopped an attack by buying a domain name?
https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html
@thismyusername
Yeah that was a sweet move.
I have Malwarebytes paid, and got an email from them that up-to-date users are also protected. I know being up to date on Windows should help, but the additional level of protection can’t hurt.
Never underestimate the gullibility of people that have computers and you will never have to worry about this kind of thing!
We lost a handful of laptops to ransomware a while back at work when an ‘email from the CEO’ was opened by a bunch of tech clueless folks…
Apparently Microsoft thinks this is serious enough that the patch that fixed the issue on modern systems is now available to XP & 2003 users: https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
@dashcloud
What about 2K? I have a laptop somewhere or other that runs that, assuming I can find it.
I presume Vista is getting the patches, so the next time I approach those toxic beasts fully armed, I can make them “safe”, even tho the OS will still suck beyond my capacity to bear?
(they’ve been in storage since 2011 or so I think)
@f00l 2k is long dead- Vista is still supported for a little while longer.
@dashcloud
I think I have one or two slower-than-a-user-can-bear 2K machines in storage, because of the media I never got around to cleaning off.
For more than 15 years. <cringes>
Actually, it’s media I’ll never look at, listen to, or watch. I ought to boot them up, scrap 99% of it, pull and drill the hard drives, and donate the rest to Goodwill.
I have heard that Goodwill has arrangements with charities that work in countries where those sorts of machines might still be useful. And if even an old 2k machine is not wanted anywhere, Goodwill recycles everything properly.
@f00l Our local Goodwill won’t take computers or tube TVs. They also stopped making home pickups. Best Buy still takes old computers, printers and cell phones. I have two old drives that I need to drill and dump, but the Pentium boxes they came from are gone, gone, gone. I kept some cables because You Never Know.
Well, since we’re at SMB v3, it’s probably wise to stop using SMB v1. If you set your PC for automatic updates (or if you’re a corp and make patching a priority), no problem. It’s guys like this that perpetuate the issue. If you are this guy, you are the problem:
@novedrake BTW nsfw language. Also, it’s patching what the NSA didn’t report (until about the time of the leak)
@novedrake
That guy needs a nice cup of tea.
@novedrake Not that disabling SMB1 is bad advice- it’s wonderful advice, and Microsoft absolutely wants you to do that, but it’s tricky to make sure things don’t break when you do it.
Tons of crap still relies on SMB1 besides Server 2003 (and variants) which only support SMB1, like a vast majority of NAS devices, and old SANs. It’s possible your copier or other device that talks to the file server may only do SMB1 as well.
I saw a story from one of the Microsoft storage folks that they actually tried disabling SMB1 by default in an early preview of Windows 10, and it was a nightmare then.
@dashcloud Oh yeah, it’s terrible. I broke a ton of workstations’ NetApp connections with that one time. There should be options to mitigate that now, though.
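For the "how do I turn SMB1 off without breaking the NAS and the copier" problem raised in the last few comments, the script below stages the change: inventory what is talking SMB1 right now, turn on SMB1 auditing where the OS supports it, and only disable the protocol when you flip a switch. It is an added example, not from this thread or from Microsoft, and assumes Windows 8 / Server 2012 or later (for the SMB cmdlets), an elevated prompt, and that the audit setting and event ID 3000 are available only on Server 2016 / Windows 10 and newer; the `sc.exe` client-side commands are the ones from Microsoft’s KB2696547.

```powershell
# Added example: stage an SMBv1 shutdown on a Windows 8 / Server 2012+ machine
# without blindly cutting off clients that only speak SMB1. Run elevated.
# Step 3 does nothing unless you set $Enforce = $true.
$Enforce = $false

# 1. Point-in-time view: which sessions negotiated SMB1? Dialect below 2.0 is SMB1.
$smb1Sessions = Get-SmbSession -ErrorAction SilentlyContinue |
    Where-Object { [version]$_.Dialect -lt [version]'2.0' } |
    Select-Object ClientComputerName, ClientUserName, Dialect
if ($smb1Sessions) {
    "Active SMB1 sessions (fix or replace these clients first):"
    $smb1Sessions | Format-Table -AutoSize
} else {
    "No SMB1 sessions right now (this is only a snapshot)."
}

# 2. Collect evidence over days, not seconds. Server 2016 / Windows 10 log
#    event 3000 in Microsoft-Windows-SMBServer/Audit for every SMB1 connection.
$cfg = Get-SmbServerConfiguration
if ($cfg.PSObject.Properties.Name -contains 'AuditSmb1Access') {
    Set-SmbServerConfiguration -AuditSmb1Access $true -Force
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-SMBServer/Audit'; Id = 3000
    } -MaxEvents 50 -ErrorAction SilentlyContinue
    "SMB1 audit events so far: $(@($events).Count)"
    @($events) | ForEach-Object { $_.TimeCreated.ToString('s') + ' ' + $_.Message }
} else {
    "SMB1 auditing not available on this OS; rely on Get-SmbSession over time."
}

# 3. Only once the audit log has stayed quiet: turn SMB1 off, server and client.
if ($Enforce) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Client side (Microsoft KB2696547): drop the SMB1 redirector from the
    # workstation service dependencies and disable it.
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
    sc.exe config mrxsmb10 start= disabled
    "SMB1 disabled; reboot to finish the client-side change."
} else {
    "Dry run. Server EnableSMB1Protocol is currently $($cfg.EnableSMB1Protocol); set `$Enforce = `$true to disable it."
}
```

Run it with `$Enforce` left at `$false` for a week or two and watch step 2; every device that shows up there is one that will lose its share when step 3 runs, which is exactly the list of NAS boxes, copiers and Server 2003 hosts the comments above are warning about.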