This gist was built by the community of the researchers and was scribed by Kir and Igor from the QIWI/Vulners. We are grateful for the help of all those who sent us the data, links and information. Together we can make this world a better place!
- Virus Name: WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY
- Vector: All Windows versions before Windows 10 are vulnerable if not patched for MS-17-010. It uses EternalBlue MS17-010 to propagate.
- Ransom: between $300 to $600. There is code to 'rm' (delete) files in the virus. Seems to reset if the virus crashes.
- Backdooring: The worm loops through every RDP session on a system to run the ransomware as that user. It also installs the DOUBLEPULSAR backdoor. It corrupts shadow volumes to make recovery harder. (source: malwarebytes)
- Kill switch: If the website
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
is up the virus exits instead of infecting the host. (source: malwarebytes). This domain has been sinkholed, stopping the spread of the worm. Will not work if proxied (source).
update: A minor variant of the viru
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#Based on http://docs.hortonworks.com/HDPDocuments/HDF2/HDF-2.0.0/bk_ambari-installation/content/index.html | |
export host_os=centos7 | |
export ambari_version=2.4.1.0 | |
export hdf_ambari_mpack_url="http://public-repo-1.hortonworks.com/HDF/${host_os}/2.x/updates/2.0.0.0/tars/hdf_ambari_mp/hdf-ambari-mpack-2.0.0.0-579.tar.gz" | |
export ambari_repo="http://public-repo-1.hortonworks.com/ambari/${host_os}/2.x/updates/${ambari_version}/ambari.repo" | |
#1. turn off firewall | |
systemctl stop firewalld.service | |
systemctl disable firewalld |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
These commands are based on a askubuntu answer http://askubuntu.com/a/581497 | |
To install gcc-6 (gcc-6.1.1), I had to do more stuff as shown below. | |
USE THOSE COMMANDS AT YOUR OWN RISK. I SHALL NOT BE RESPONSIBLE FOR ANYTHING. | |
ABSOLUTELY NO WARRANTY. | |
If you are still reading let's carry on with the code. | |
sudo apt-get update && \ | |
sudo apt-get install build-essential software-properties-common -y && \ | |
sudo add-apt-repository ppa:ubuntu-toolchain-r/test -y && \ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Why do compilers even bother with exploiting undefinedness signed overflow? And what are those | |
mysterious cases where it helps? | |
A lot of people (myself included) are against transforms that aggressively exploit undefined behavior, but | |
I think it's useful to know what compiler writers are accomplishing by this. | |
TL;DR: C doesn't work very well if int!=register width, but (for backwards compat) int is 32-bit on all | |
major 64-bit targets, and this causes quite hairy problems for code generation and optimization in some | |
fairly common cases. The signed overflow UB exploitation is an attempt to work around this. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# | |
# Kickstart an Ubuntu image | |
# - 2 network interfaces, and internal and external | |
# - forward all traffic from internal -> external | |
# - Log all traffic using the SiLK netflow package to /data | |
# - Log all DNS traffic as pcaps in /var/log/ulogd | |
# - Backup all netflow and dns to an external server | |
# | |
# Before using this kickstart script, search and replace 'kyoder' with your username | |
# |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
/* SQL to convert a Triforce ANJP USN Journal database to a Gource custom log | |
by ryan@obsidianfornesics.com | |
Convert the human-friendly timestamp to epoch seconds: */ | |
SELECT CAST(round((JULIANDAY(ur_datetime)-2440587.5)*86400,0) as integer), | |
'USN', -- gource needs a 'User', so I set it statically to 'USN' | |
CASE ur_reason_s -- gource supports three file 'update types': | |
WHEN 'File_Create' THEN 'A' -- 'A' for adding a file | |
WHEN 'File_Delete,Close' THEN 'D' -- 'D' for deleting | |
ELSE 'M' -- and 'M' for modifying |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Bro-IDS Logstash parser | |
# Parts of this taken from http://www.appliednsm.com/wp-content/uploads/logstash-SObro22-parse.conf_.txt | |
#Logs being parsed: | |
#app_stats.log | |
#conn.log | |
#dns.log | |
#dpd.log | |
#files.log | |
#http.log |
-
Download the XenServer 6.2.0 ISO image
-
Format a USB stick using FAT32.
-
Use unetbootin to install the ISO to the USB stick. Use the “DiskImage” option instead of the “Distribution” one, and point it right to the ISO file.
-
Now we need to fix up some boot stuff (All paths are relative to the root of the USB drive)