Discussion:
DIRECT LINK: Windows XP SP3 WanaCry/WanaCrypt patch
XP-SP3
2017-05-13 17:46:11 UTC
If you want to protect your Windows XP systems from WanaCry/WanaCrypt ransomware install the following patch from Microsoft.

<http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsxp-kb4012598-x86-custom-enu_eceb7d5023bbb23c0dc633e46b9c2f14fa6ee9dd.exe>


CRC32: 93BB0094
MD5: 3AD11C9883051E5A5EEC5A000DC4C37C
SHA1: ECEB7D5023BBB23C0DC633E46B9C2F14FA6EE9DD
SHA256: 3530b7890c22096693fd473d8c6455b9992ac4aa400e1b8ce14d0049234c489d

More information:
<http://www.zdnet.com/article/wannacrypt-ransomware-microsoft-issues-patch-for-windows-xp-and-other-old-systems/>
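A check worth doing before running a patch pulled from a thread like this: recompute the digests of the downloaded file and compare them with the values posted, and confirm that the SHA1 embedded in the download filename is the same one. This is an added Python example, not part of the original post; the URL and digest values are copied from above, and the file path is whatever you saved the download as.

```python
import binascii
import hashlib
import hmac
import re
from typing import Dict, Iterable

# Digests exactly as posted above for windowsxp-kb4012598-x86-custom-enu.
POSTED = {
    "crc32": "93BB0094",
    "md5": "3AD11C9883051E5A5EEC5A000DC4C37C",
    "sha1": "ECEB7D5023BBB23C0DC633E46B9C2F14FA6EE9DD",
    "sha256": "3530b7890c22096693fd473d8c6455b9992ac4aa400e1b8ce14d0049234c489d",
}
PATCH_URL = ("http://download.windowsupdate.com/d/csa/csa/secu/2017/02/"
             "windowsxp-kb4012598-x86-custom-enu_eceb7d5023bbb23c0dc633e46b9c2f14fa6ee9dd.exe")


def digests(chunks: Iterable[bytes]) -> Dict[str, str]:
    """Compute CRC32, MD5, SHA1 and SHA256 over a byte stream in one pass."""
    crc = 0
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    for chunk in chunks:
        crc = binascii.crc32(chunk, crc)
        for h in (md5, sha1, sha256):
            h.update(chunk)
    return {"crc32": "%08X" % (crc & 0xFFFFFFFF), "md5": md5.hexdigest(),
            "sha1": sha1.hexdigest(), "sha256": sha256.hexdigest()}


def verify(computed: Dict[str, str], expected: Dict[str, str]) -> Dict[str, bool]:
    """Compare every computed digest with its posted value, ignoring hex case."""
    return {name: hmac.compare_digest(computed[name].lower(), value.lower())
            for name, value in expected.items()}


def sha1_from_filename(url: str) -> str:
    """The download name ends in _<40 hex chars>.exe; that should equal the posted SHA1."""
    m = re.search(r"_([0-9a-fA-F]{40})\.exe$", url)
    return m.group(1).lower() if m else ""


def verify_file(path: str, expected: Dict[str, str] = POSTED) -> bool:
    """True only when all four posted digests match the file on disk."""
    with open(path, "rb") as f:
        computed = digests(iter(lambda: f.read(1 << 16), b""))
    return all(verify(computed, expected).values())
```

Run `verify_file("windowsxp-kb4012598-x86-custom-enu.exe")` (your own saved path) and install only if it returns True.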
VanguardLH
2017-05-14 03:20:11 UTC
Post by XP-SP3
If you want to protect your Windows XP systems from WanaCry/WanaCrypt ransomware install the following patch from Microsoft.
<http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsxp-kb4012598-x86-custom-enu_eceb7d5023bbb23c0dc633e46b9c2f14fa6ee9dd.exe>
CRC32: 93BB0094
MD5: 3AD11C9883051E5A5EEC5A000DC4C37C
SHA1: ECEB7D5023BBB23C0DC633E46B9C2F14FA6EE9DD
SHA256: 3530b7890c22096693fd473d8c6455b9992ac4aa400e1b8ce14d0049234c489d
<http://www.zdnet.com/article/wannacrypt-ransomware-microsoft-issues-patch-for-windows-xp-and-other-old-systems/>
"Consider adding a rule on your router or firewall to block incoming SMB
traffic on port 445"

Who has a router (separately or in a modem/router combo from their ISP)
that doesn't have a simple stateful firewall that blocks unsolicited
inbound connect attempts?
Ben Myers
2017-05-14 05:20:54 UTC
Post by VanguardLH
Post by XP-SP3
If you want to protect your Windows XP systems from WanaCry/WanaCrypt ransomware install the following patch from Microsoft.
<http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsxp-kb4012598-x86-custom-enu_eceb7d5023bbb23c0dc633e46b9c2f14fa6ee9dd.exe>
CRC32: 93BB0094
MD5: 3AD11C9883051E5A5EEC5A000DC4C37C
SHA1: ECEB7D5023BBB23C0DC633E46B9C2F14FA6EE9DD
SHA256: 3530b7890c22096693fd473d8c6455b9992ac4aa400e1b8ce14d0049234c489d
<http://www.zdnet.com/article/wannacrypt-ransomware-microsoft-issues-patch-for-windows-xp-and-other-old-systems/>
"Consider adding a rule on your router or firewall to block incoming SMB
traffic on port 445"
Who has a router (separately or in a modem/router combo from their ISP)
that doesn't have a simple stateful firewall that blocks unsolicited
inbound connect attempts?
I'm very interested in how this might be done on my Western Digital
router. "Source" and "Destination" options are "LAN" and "WAN".
Protocol options are "TCP+UDP", "TCP", "UDP" and "ICMP".


Ben
Paul
2017-05-14 05:59:21 UTC
Steve Hayes
2017-05-14 14:10:41 UTC
Post by Paul
1) Real threat arrives as an email attachment.
Employee clicks attachment. Weapon is armed.
2) Now, the malware is inside the network, on the LAN
side of the router. Port 445 is open on other machines
on the LAN, allowing a worm-like attack. So now it
spreads to all your machines, like it was Sality.
This threat really isn't all that much different than
some other Ransomware, which can encrypt any file shares
that it can discover. Existing Ransomware could do a lot
of damage in any case. The new vector will just be
doing a much-more-complete exploitation. You still
have to do (1) to let them in.
If you are the sole occupant of your home LAN, and
have half-a-clue about email attachments, your risk
is low. And the NAT IPV4 router you use with your broadband
connection should be enough.
Thanks for that.

None of the articles I've read said how it was delivered, and someone
in a comment on Facebook said it was not delivered by e-mail
attachment but by a backdoor.
--
Steve Hayes
http://www.khanya.org.za/stevesig.htm
http://khanya.wordpress.com
Paul
2017-05-14 15:17:38 UTC
Post by Steve Hayes
Post by Paul
1) Real threat arrives as an email attachment.
Employee clicks attachment. Weapon is armed.
2) Now, the malware is inside the network, on the LAN
side of the router. Port 445 is open on other machines
on the LAN, allowing a worm-like attack. So now it
spreads to all your machines, like it was Sality.
This threat really isn't all that much different than
some other Ransomware, which can encrypt any file shares
that it can discover. Existing Ransomware could do a lot
of damage in any case. The new vector will just be
doing a much-more-complete exploitation. You still
have to do (1) to let them in.
If you are the sole occupant of your home LAN, and
have half-a-clue about email attachments, your risk
is low. And the NAT IPV4 router you use with your broadband
connection should be enough.
Thanks for that.
None of the articles I've read said how it was delivered, and someone
in a comment on Facebook said it was not delivered by e-mail
attachment but by a backdoor.
Well, it has to get *in* somehow. And most people, by "luck"
will not have port 445 facing outwards. If you were doing
that, something probably would have happened to you over
the years anyway.

Even the router itself is not bulletproof. At one point,
there was an exploit that affected 70 different models of
home routers. The reason for that, is the firmware used
was written by one company, so the same bug was present
across a broad range of products. Your router is a
computer too, and the quality of the code running in
there is just as important.

*******

A buddy at work one day, comes running over to my desk at
about 4PM in the afternoon and says "hey, I'm on someones
hard drive [on the Internet], I can see all their
files and their email - should I email them a warning?". Now,
the first question that comes to mind is "what the hell have
you been doing?". Since I don't have time on a given day,
to discover what my fellow monkeys are up to, I had
no trouble answering "yes, of course, email them and
tell them to fix it". Was it a honey pot ? My guess is,
it's someone just as stupid as my buddy :-) So if
you did connect your PC directly to the ADSL modem
(no router), and then shared C: to "Everyone", that's
what happens. If that machine was still operational today,
somewhere on the Internet, it probably has a Ransomware dialog
on the screen.

Paul
J. P. Gilliver (John)
2017-05-14 10:50:27 UTC
In message <***@mid.individual.net>, VanguardLH <***@nguard.LH>
writes:
[]
Post by VanguardLH
"Consider adding a rule on your router or firewall to block incoming SMB
traffic on port 445"
Who has a router (separately or in a modem/router combo from their ISP)
that doesn't have a simple stateful firewall that blocks unsolicited
inbound connect attempts?
I don't know if my modem/router combo has this - it probably does - but
I thought I'd add such a rule to my firewall anyway. But my firewall
doesn't seem to list "SMB" among the protocols I can select - it offers
the following choice:
Any
TCP
UDP
TCP and UDP
ICMP
Other
Only the TCP and UDP ones let me specify a port. Other produces a box,
but I get an error beep if I try to type SMB into it - I _think_ I can
only type numbers into that.
(Firewall is KPF 2.1.5 FWIW.)
--
J. P. Gilliver. UMRA: 1960/<1985 MB++G()AL-IS-Ch++(p)***@T+H+Sh0!:`)DNAf

I hope you dream a pig.
Paul
2017-05-14 18:41:59 UTC
Post by J. P. Gilliver (John)
[]
Post by VanguardLH
"Consider adding a rule on your router or firewall to block incoming SMB
traffic on port 445"
Who has a router (separately or in a modem/router combo from their ISP)
that doesn't have a simple stateful firewall that blocks unsolicited
inbound connect attempts?
I don't know if my modem/router combo has this - it probably does - but
I thought I'd add such a rule to my firewall anyway. But my firewall
doesn't seem to list "SMB" among the protocols I can select - it offers
Any
TCP
UDP
TCP and UDP
ICMP
Other
Only the TCP and UDP ones let me specify a port. Other produces a box,
but I get an error beep if I try to type SMB into it - I _think_ I can
only type numbers into that.
(Firewall is KPF 2.1.5 FWIW.)
They could be listed by port number.

https://serverfault.com/questions/346196/tcp-ip-ports-necessary-for-cifs-smb-operation

137/UDP, 138/UDP, 139/TCP and 445/TCP

http://www.icir.org/gregor/tools/ms-smb-protocols.html

And it's possible that printing or other ancient nameserving
dependencies, could be affected by your exuberance.

Yes, I've been thinking about blocking these too, as an
alternative implementation. One thing I don't know, is
if my "router" right now, has an interface to upload a
rule set. I'd rather block something at the router, than
modify every OS I've got for this. Since these machines
would be on the switch side of my home router, the rules
probably don't apply to them anyway. (Only to WAN side,
which has IPV4 NAT for 445 protection.)

I'm just afraid of blowback, if I mess with things too much.

And if I do it this way, it looks like I'm going to have
to test all the OS combinations, anyway. Grrr.

https://www.askwoody.com/2017/how-to-make-sure-you-wont-get-hit-by-wannacrywannacrypt/

Mayayana already suggested disabling some service,
and maybe that's a better way. At least with the service
disabled, you know file sharing is never going to work again.

Lots of *really great* choices.

Paul
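Before choosing between a router rule and disabling the service, it helps to know which SMB sockets each machine actually has open, so a rule can be checked against that list afterwards. This is an added Python example, not from the post: it parses `netstat -an` output in the Windows format (the sample below is constructed, not a real capture) for the port set listed above and separates listeners bound to all interfaces from those bound to a single address.

```python
import re
from typing import Dict, List, Tuple

# SMB/CIFS ports named in the post above, keyed by transport.
SMB_PORTS = {"TCP": {139, 445}, "UDP": {137, 138}}

# Constructed sample of `netstat -an` output from a Windows XP host (not a real capture).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1044       192.168.1.9:445        ESTABLISHED
  UDP    192.168.1.5:137        *:*
  UDP    192.168.1.5:138        *:*
  UDP    127.0.0.1:1900         *:*
"""

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text: str) -> List[Tuple[str, str, int, str]]:
    """Return (proto, local_addr, local_port, state) per socket line; UDP rows have no state."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, addr, port, _foreign, state = m.groups()
            rows.append((proto, addr, int(port), state or ""))
    return rows


def smb_exposure(text: str) -> Dict[str, List[str]]:
    """Group SMB listeners by bind address: 0.0.0.0 answers any peer that can route to it,
    so only a firewall rule (router or host) decides whether WAN traffic gets that far."""
    report: Dict[str, List[str]] = {"all_interfaces": [], "single_address": []}
    for proto, addr, port, state in parse_netstat(text):
        if port not in SMB_PORTS[proto]:
            continue
        if proto == "TCP" and state != "LISTENING":
            continue  # an established session to someone else's 445 is outbound, not exposure
        key = "all_interfaces" if addr in ("0.0.0.0", "[::]") else "single_address"
        report[key].append(f"{proto}/{port} on {addr}")
    return report
```

Feed it the real `netstat -an` text from each box before and after changing rules or disabling the service; an empty report on a machine that should still share files means the change went too far.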
