
posted by cmn32480 on Friday May 19 2017, @11:56AM
from the maybe-there-is-hope dept.

Various news outlets report the release of Wannakey, a decryption utility for files encrypted by the WannaCry ransomware. According to the author of the software, it "has only been tested and known to work under Windows XP."

From the Wired article noted below:

Now one French researcher says he's found at least a hint of a very limited remedy. The fix still seems too buggy, and far from the panacea WannaCry victims have hoped for. But if Adrien Guinet's claims hold up, his tool could unlock some infected computers running Windows XP, the aging, largely unsupported version of Microsoft's operating system, which analysts believe accounts for some portion of the WannaCry plague.

[...] Guinet says he's successfully used the decryption tool several times on test XP machines he's infected with WannaCry. But he cautions that, because those traces are stored in volatile memory, the trick fails if the malware or any other process happened to overwrite the lingering decryption key, or if the computer rebooted any time after infection.

Coverage:

Previous stories:
"Biggest Ransomware Attack in History" Hits Around 100 Countries, Disrupts UK's NHS
WannaCrypt Ransomware Variant -- Lacking Kill Switch -- Seen in Wild [Updated]


Original Submission

 
  • (Score: 3, Funny) by SomeGuy on Friday May 19 2017, @12:17PM (9 children)

    by SomeGuy (5632) on Friday May 19 2017, @12:17PM (#512131)

    Windows XP, the aging, largely unsupported version of Microsoft's operating system, which analysts believe accounts for some portion of the WannaCry plague.

    Oh, sure, let's blame the old cheapskate Luddites running Windows XP for all of this.

    As far as I can tell, Windows 10 was vulnerable to this attack until just very recently. Next time, older Windows may not even be a target. But let's go ahead and perpetuate the illusion that having the "latest and greatest" will always keep you absolutely 100.000000000% safe.

    Keep on opening those e-mail attachments! You are SAFE!

    • (Score: 0) by Anonymous Coward on Friday May 19 2017, @01:18PM

      by Anonymous Coward on Friday May 19 2017, @01:18PM (#512152)

      I know someone who was surprised to hear about all this and admitted she has been clicking on all email links sent to her. The scariest part to her was that an email containing a bible verse could be dangerous. That just isn't something that seemed possible before ransomware, but now even your mom is scared of email.

    • (Score: 3, Interesting) by kaszz on Friday May 19 2017, @01:20PM (2 children)

      by kaszz (4211) on Friday May 19 2017, @01:20PM (#512153) Journal

      Great as now it seems Windows XP will be safer with time while keeping the software base and having ReactOS [wikipedia.org] accomplish better and better compatibility. 32-bit architecture is a sweet spot in terms of memory pointer size, accessible memory and processor efficiency.

      4 GB ought to be enough for anybody!

      As for sweet spot, a 24-bit system with 24-bits per memory position gives 48 MB system memory size. Maybe 8-bit as a unit for processing isn't optimal either. Maybe 6-bits is better?

      Bit size: System memory size:
      19 bits 1.19 MB
      20 bits 2.50 MB
      21 bits 5.25 MB
      22 bits 11 MB
      23 bits 23 MB
      24 bits 48 MB
      25 bits 100 MB
      26 bits 208 MB
      27 bits 432 MB
      28 bits 896 MB
      29 bits 1856 MB
      30 bits 3840 MB
      31 bits 7936 MB
      32 bits 16384 MB

      That 32-bit x86 systems seem to max out at 4 GByte perhaps indicates an unnecessary bottleneck in that 8 bits per memory address are used. If instead 32 bits are used, more memory can be accessed with the same address limit.

      • (Score: 2) by butthurt on Friday May 19 2017, @10:47PM (1 child)

        by butthurt (6141) on Friday May 19 2017, @10:47PM (#512422) Journal

        There existed a 64-bit version of Windows XP, but it saw little uptake.

        On x86, Physical Address Extension allows the use of more than 4 GB of memory.

        The 32-bit size of the virtual address is not changed, so regular application software continues to use instructions with 32-bit addresses and (in a flat memory model) is limited to 4 gigabytes of virtual address space.

        -- https://en.wikipedia.org/wiki/Physical_Address_Extension [wikipedia.org]

        • (Score: 2) by kaszz on Friday May 19 2017, @11:46PM

          by kaszz (4211) on Friday May 19 2017, @11:46PM (#512439) Journal

          PAE still leaves the CPU to handle up to 64 GB, i.e. 36-bit addresses. Though it's all hidden to the scheduler side of things. Perhaps the kernel needs to deal with it too for program jumps etc.? Data access seems to still be that each address in userland has 8 bits.

          So in PAE, the CPU has at least 36-bit virtual addressing. There may be fewer physical address lines than this. Each process in userland may however only use up to 32 bits.

          As for 64-bit Windows XP: the Microsoft ecosystem is very much a Win32 thing. And things will evolve around that unless a big bat is used. Which Microsoft did with their later 64-bit OS, i.e. to get 32-bit certification you had to present a workable driver for 64-bit and so on.

    • (Score: 2) by nobu_the_bard on Friday May 19 2017, @03:03PM (3 children)

      by nobu_the_bard (6373) on Friday May 19 2017, @03:03PM (#512207)

      Actually you could blame Microsoft of that aspect; it wouldn't have been a problem if Windows XP could still get updates automatically. The original patches were released in March; XP and Vista probably had patches created around that time as well because of the extended life contracts some large corporations and governments have with them. They could have just pushed it automatically if they hadn't taken down the public update mechanisms. Tons of systems would have been updated for months before the ransomware hit. Instead, the patches need to be installed manually, and were only released as a response to the malware on a Saturday, so many many systems did not get patched until well after the ransomware was crippled.

      Also the patch doesn't work great on Windows Server 2003 systems, or so that has been my experience. Had to leave a few systems unpatched after I rolled back the update... Though this might partly be from the applications those servers are running being extremely fiddly.

      Windows 10 (and 7/8/8.1/etc) had the updates available in March. I had very few newer systems I had to worry about because of that.

      • (Score: 2) by bob_super on Friday May 19 2017, @04:45PM (1 child)

        by bob_super (1357) on Friday May 19 2017, @04:45PM (#512249)

        Yes, you could blame MS for not wanting to support a 16-year-old system with ever-declining users, and dedicating their resources to making sure patches don't break it for those rare users who do bother to patch.
        But that would put you at odds with the realities of running a profitable company.

        • (Score: 2) by butthurt on Friday May 19 2017, @11:18PM

          by butthurt (6141) on Friday May 19 2017, @11:18PM (#512433) Journal

          > [...] you could blame MS for not wanting to support a 16-year-old system [...]

          According to the tabloids, Microsoft, as recently as 2015, offered--for a fee--support for Windows XP (which isn't quite 16 years old). They imply that the support is still available:

          The Government Digital Service, set up by David Cameron , decided not to extend a £5.5million one-year support deal with Microsoft for Windows XP.

          -- http://www.mirror.co.uk/news/uk-news/tories-cut-security-support-outdated-10413160 [mirror.co.uk]

          Windows XP - which was released more than 15 years ago - is still used in hospitals across Britain despite it no longer being serviced by Microsoft.

          Up until 2015 the government had a special support deal which meant the computer manufacturer provided security updates for the software.

          But the £5.5million contract was scrapped [...]

          -- http://www.dailymail.co.uk/news/article-4503522/Government-scrapped-support-NHS-two-years-ago.html [dailymail.co.uk]

          > [...] with ever-declining users [...]

          As of November 2016, Windows XP desktop market share makes it the fourth most popular Windows version after Windows 7, Windows 10 and Windows 8.1. Windows XP is still very popular in some countries; Africa as a whole and in Asia, e.g. in China, with it running on one third of desktop computers (and highest ranked in North Korea).

          -- https://en.wikipedia.org/wiki/Windows_XP [wikipedia.org]

          > But that would put you at odds with the realities of running a profitable company.

          A 2015 IDG News Service article corroborates the tabloids

          The Space and Naval Warfare Systems Command, which runs the Navy's communications and information networks, signed a $9.1 million contract earlier this month for continued access to security patches for Windows XP, Office 2003, Exchange 2003 and Windows Server 2003.

          The entire contract could be worth up to $30.8 million and extend into 2017.

          -- http://www.computerworld.com/article/2939435/government-it/us-navy-paid-millions-to-stay-on-windows-xp.html [computerworld.com]

      • (Score: 2, Insightful) by toddestan on Saturday May 20 2017, @02:49AM

        by toddestan (4982) on Saturday May 20 2017, @02:49AM (#512500)

        Even more curious is Vista. If they patched 7/8.1/10 in March, then why wasn't a patch pushed out to Vista too? Vista was still in extended support until mid-April. The end might have been close, but Microsoft should have made the patch available.

    • (Score: 3, Insightful) by mcgrew on Friday May 19 2017, @03:08PM

      by mcgrew (701) <publish@mcgrewbooks.com> on Friday May 19 2017, @03:08PM (#512212) Homepage Journal

      There are some shops that rely on software that no longer runs on new hardware and there is no modern equivalent. There are also poor people with XP computers that had been donated and can't afford a new one. I have two XP computers, but they're never online. I just can't see perfectly good computers (or they would be, if Microsoft had ethics) being discarded.

      --
      mcgrewbooks.com mcgrew.info nooze.org
  • (Score: 2) by dbe on Friday May 19 2017, @03:17PM (3 children)

    by dbe (1422) on Friday May 19 2017, @03:17PM (#512219)

    For once this decryption code is actually small and can be easily analyzed if you look at the "search_primes.cpp" file.
    It's based on the fact that the WinXP encryption library does not clean its memory of the key primes when returning, so the main:
    1/ gets the memory pages in the context of the wannacry process
    2/ checks if it's not used
    3/ retrieves it
    4/ parses through and, when a section of the memory's entropy is low, checks if the number is prime
    5/ if prime, tries to divide the N product and reports in case of success

    Now I'm not a Windows developer but I assumed you would not be able to retrieve process memory pages like this; maybe it only works in root/admin mode? Unless XP has no such context?
    Also this is not cracking anything but just hoping that the memory was not overwritten, so I'd say you have a pretty low chance of getting the keys back this way, but it's cool to see nonetheless.
    Cheers
    -dbe
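
    The scan dbe describes, as an added Python example that is not Wannakey's own code (search_primes.cpp is C++ and reads the live process's pages through the Windows API): the byte buffer here stands in for a dump of the process's memory, and the embedded prime, the zeroed region and the random filler are constructed. It generalizes slightly, recovering either prime and reporting the offset, and it uses a 512-bit modulus instead of WannaCry's 2048-bit one so it runs in well under a second. The cheap divisibility test is done before the Miller-Rabin test, the reverse of the order dbe gives, because N % candidate costs almost nothing compared with a primality test; the result is the same. Names (recover_factor, build_memory) are this example's, not Wannakey's.

```python
import random   # only for the constructed filler bytes
import secrets  # for the prime generation and Miller-Rabin witnesses


def is_probable_prime(n, rounds=16):
    """Miller-Rabin; plenty for deciding whether a memory window is a key prime."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    """Odd candidate with the top bit set so it fills exactly `bits` bits."""
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(c):
            return c


def recover_factor(memory, n, prime_bytes):
    """Slide a window of prime_bytes over the dump; CryptoAPI stores bignums
    little-endian, so each window is read that way.  Returns (offset, prime)
    for the first window that is a prime divisor of n, else None."""
    for off in range(len(memory) - prime_bytes + 1):
        chunk = memory[off:off + prime_bytes]
        if not chunk[0] & 1:                 # RSA primes are odd; LE low byte first
            continue
        if chunk.count(0) > prime_bytes // 2:  # low-entropy window (zeroed/unused page)
            continue
        cand = int.from_bytes(chunk, "little")
        if cand < 3 or n % cand:             # cheap test first
            continue
        if is_probable_prime(cand):          # then confirm it really is a prime factor
            return off, cand
    return None


def build_memory(prime, prime_bytes, size=4096, seed=1, offset=1500):
    """Constructed stand-in for a process memory dump: random filler, a zeroed
    region, and the prime left behind at `offset`."""
    rng = random.Random(seed)
    buf = bytearray(rng.getrandbits(8) for _ in range(size))
    buf[512:1024] = b"\x00" * 512
    buf[offset:offset + prime_bytes] = prime.to_bytes(prime_bytes, "little")
    return bytes(buf)


if __name__ == "__main__":
    p, q = random_prime(256), random_prime(256)
    n = p * q                                   # the "N product" from the key blob
    dump = build_memory(p, 32)
    hit = recover_factor(dump, n, 32)
    if hit:
        off, factor = hit
        print(f"prime found at offset {off}; other factor = n // p: {n // factor == q}")
    else:
        print("no factor in this dump (overwritten or rebooted)")
```

    On a real machine the modulus comes from the victim's public key blob and the window size from the key length (128 bytes for a 2048-bit key's primes); the scan only helps while the process's pages are still intact, which is why a reboot ends the chance of recovery.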

    • (Score: 2) by kaszz on Friday May 19 2017, @04:43PM (2 children)

      by kaszz (4211) on Friday May 19 2017, @04:43PM (#512248) Journal

      How long is the key btw? and what algorithm does it use?

      As the hack only works when not rebooting. Maybe next time people could trigger suspend to disc or such to preserve the necessary data?

      At least some memory dumper would be handy. I'll presume core can't be dumped on Windows..

      • (Score: 2) by edIII on Friday May 19 2017, @10:13PM (1 child)

        by edIII (791) on Friday May 19 2017, @10:13PM (#512410)

        There ain't shit anybody can do once you have an elevated process encrypting files. We've designed it so that an elevated process encrypting files is protected against tampering and snooping :) Gaining access to keys after the fact is a major problem for you, not so much for the attackers. So we've done our best to lock that out. How well that is done on XP is anyone's guess, but the fact a decrypt utility exists for XP is telling.

        The big two problems?

        1) Running as administrator.
        2) Running attachments in email.

        The fundamental problem? Running Microsoft at all. It was great growing up, I still really enjoy the interface, but it is an old insecure toy now that needs to be put away by the adults. I'd have more respect for Microsoft if it completely broke with compatibility and designed a new OS (without telemetry).

        Regardless of OS though, if you have a long enough backup window with versioning control there is nothing people can do to you like this. I'm completely safe and secure. If my system locked up now with a ransom, I would just laugh my ass off. I would be pretty upset they got a copy, but not worried about me having continued access.

        No different than recovering data deleted by an employee upset on termination day.

        --
        Technically, lunchtime is at any moment. It's just a wave function.
        • (Score: 2) by kaszz on Friday May 19 2017, @11:34PM

          by kaszz (4211) on Friday May 19 2017, @11:34PM (#512436) Journal

          People can put away Microsoft, I would say it's technically doable now. Microsoft security sucks but that doesn't happen unless someone is choosing the crap. And there's a tendency for people doing the Windows thing to be less competent in security than for other systems.

          So the problem boils down to people. And that would mean there are types of people that should not handle IT systems.

  • (Score: 2) by Gaaark on Friday May 19 2017, @04:08PM (1 child)

    by Gaaark (41) on Friday May 19 2017, @04:08PM (#512233) Journal

    Cry baby cry, make your mother sigh...

    Makes me glad I'm off Windows.

    Side note: Bell (in Canada) got hacked, and I got informed by haveibeenpwned 1 day before Bell told me. Bell says no passwords were taken, but pwned says there were.
    Anywho, I changed my password. My wife asked me what the new password was, then asked me why I couldn't have a nice simple password.

    Yes, she uses Windows, but mostly uses her tablet (Android) because she can't get online with her Windows laptop: she keeps getting redirected to some website (she keeps saying Windows is better than Linux, but won't let me try to fix her laptop, so......)

    Too many people are just lazy with clicking, passwords, security....... sigh.

    --
    --- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
    • (Score: 0) by Anonymous Coward on Friday May 19 2017, @08:13PM

      by Anonymous Coward on Friday May 19 2017, @08:13PM (#512352)

      "keeps saying windows is better than linux"... Do you know how many times I've heard that while fixing their malware infested porn terminal? I sometimes want to install Linux but change the themes to look like Windows and be done with it.

  • (Score: 2, Informative) by Anonymous Coward on Friday May 19 2017, @08:28PM (2 children)

    by Anonymous Coward on Friday May 19 2017, @08:28PM (#512363)

    From MS - SMB Ports 445/139 (TCP) & 137/138 (UDP) protection via:

    Disable SMBv1 on the SERVER, configure the following registry key:

    Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters Registry entry: SMB1

    REG_DWORD: 0 = Disabled
    REG_DWORD: 1 = Enabled

    Default: 1 = Enabled

    Enable SMBv2 on the SERVER, configure the following registry key:

    Registry subkey:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters Registry entry: SMB2

    REG_DWORD: 0 = Disabled
    REG_DWORD: 1 = Enabled

    Default: 1 = Enabled

    ---

    Disable SMBv1 on the CLIENT, run the following commands:

    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi

    sc.exe config mrxsmb10 start= disabled

    Enable SMBv2 & SMBv3 on the CLIENT, run the following commands:

    sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi

    sc.exe config mrxsmb20 start= auto

    ---

    * The above is per https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012/ [microsoft.com]

    APK

    P.S.=> For a SINGLE 'standalone' non-networked PC (no home network/LAN but TCP/IP connected online) turn off Server & Workstation services.

    That shuts off any "handles" (port 445) this thing propagates through + turn off NetBIOS over TCP/IP in your internet connection & uncheck/disable Client for Microsoft Networks + File and Print Sharing. Port 139 & 445 always pop up issues over time. It also makes your packet trains smaller (no encapsulation of LanMan)

    I covered all this 11++ yrs. ago in a security guide I wrote for users with a single system & apparently, its advice STILL STANDS THE "TEST OF TIME" https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=HOW+TO+SECURE+Windows+2000/XP&btnG=Google+Search&gbv=1/ [google.com] vs. even today's threats like this one.

    * This effectively makes this threat a non-issue + saves you CPU cycles/RAM & other I/O wasted on services you don't NEED as a single PC user only... & you don't. They're just wastes with a single PC really. Many services are (covered in guide above based on CIS Tool guidance (who took fixes to their ware from "yours truly" too, no less)) & again, no more encapsulated packet bulk.

    AND?

    Don't be STUPID & click on attachments in bogus malicious emails this thing propagates through also (Chrome/Opera/Webkit users - BEWARE of the ShellControlFile issue that just popped up (.scf file) noted here-> http://www.theregister.co.uk/2017/05/17/chrome_on_windows_has_credential_theft_bug/ [theregister.co.uk] ) ... apk
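
    A way to verify, from the network, that the SMBv1 changes above actually took on a host, as an added Python example that is not part of the comment and not Microsoft's tooling: it sends a bare SMB_COM_NEGOTIATE offering only the "NT LM 0.12" dialect (the SMB1 dialect Windows speaks, and the protocol the worm spreads over). A host with SMB1 still enabled answers with an SMB1 negotiate response; a host that has it disabled drops or resets the connection, since no SMB2 dialect was offered for it to fall back to. The header layout follows MS-CIFS; the Flags2 and PID values are arbitrary, and the sample response used for the self-check is constructed here rather than captured.

```python
import socket
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72


def smb1_header(command, status=0, flags=0x18, flags2=0xC853, mid=1):
    """32-byte SMB1 header, field order per MS-CIFS: Protocol, Command, Status,
    Flags, Flags2, PIDHigh, SecurityFeatures, Reserved, TID, PIDLow, UID, MID.
    Flags2 and the PID are arbitrary choices for a probe."""
    return (SMB1_MAGIC
            + struct.pack("<BIBHH", command, status, flags, flags2, 0)
            + b"\x00" * 8                                    # SecurityFeatures
            + struct.pack("<HHHHH", 0, 0, 0xFEFF, 0, mid))   # Reserved, TID, PIDLow, UID, MID


def negotiate_request(dialects):
    """SMB_COM_NEGOTIATE request wrapped in a NetBIOS session message."""
    blob = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    smb = smb1_header(SMB_COM_NEGOTIATE) + struct.pack("<BH", 0, len(blob)) + blob
    # NetBIOS session header is a 0x00 type byte plus a 24-bit length, which is
    # exactly a big-endian u32 while the message is under 16 MiB.
    return struct.pack(">I", len(smb)) + smb


def classify_negotiate_response(data):
    """('smb1', dialect_index) if the host negotiated SMB1, ('smb2', None) if it
    answered with an SMB2 header, ('none', None) for nothing, garbage or refusal."""
    if len(data) < 4 + 32:
        return ("none", None)
    smb = data[4:]
    if smb[:4] == SMB2_MAGIC:
        return ("smb2", None)
    if smb[:4] != SMB1_MAGIC or smb[4] != SMB_COM_NEGOTIATE:
        return ("none", None)
    word_count = smb[32]
    if word_count == 0 or len(smb) < 35:
        return ("none", None)            # error responses carry no parameter words
    dialect_index = struct.unpack_from("<H", smb, 33)[0]
    if dialect_index == 0xFFFF:
        return ("none", None)            # server accepted none of the offered dialects
    return ("smb1", dialect_index)


def probe_smb1(host, port=445, timeout=3.0):
    """The only networked part: offer just the SMB1 dialect and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(negotiate_request(["NT LM 0.12"]))
        try:
            data = s.recv(4096)
        except (socket.timeout, ConnectionError):
            data = b""
    return classify_negotiate_response(data)


def sample_smb1_response():
    """Constructed stand-in for an SMB1-enabled server's reply: response flag set
    (0x80), WordCount 17, DialectIndex 0 (first offered dialect accepted), the
    remaining parameter words and ByteCount zeroed."""
    words = struct.pack("<H", 0) + b"\x00" * 32
    smb = (smb1_header(SMB_COM_NEGOTIATE, flags=0x98)
           + struct.pack("<B", 17) + words + struct.pack("<H", 0))
    return struct.pack(">I", len(smb)) + smb


if __name__ == "__main__":
    print(classify_negotiate_response(sample_smb1_response()))   # ('smb1', 0)
    # print(probe_smb1("192.0.2.10"))   # only against hosts you administer
```

    A result of ('smb1', 0) from probe_smb1 means the registry and service changes above have not taken effect (or the machine has not been rebooted since); 'none' after the changes is what you want to see. Run it only against machines you are responsible for, since an SMB1 negotiate from an unknown source is exactly what the worm's traffic looks like to a defender.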

    • (Score: 0) by Anonymous Coward on Friday May 19 2017, @08:53PM (1 child)

      by Anonymous Coward on Friday May 19 2017, @08:53PM (#512370)

      its advice STILL STANDS THE "TEST OF TIME"

      But does it pass the HairyFeet Challenge?

      • (Score: 3, Funny) by aristarchus on Saturday May 20 2017, @03:25AM

        by aristarchus (2645) on Saturday May 20 2017, @03:25AM (#512511) Journal

        But does it pass the HairyFeet Challenge?

        No, but then nothing ever did, since it was only a test to defend Hairykrishnafeet from the fact that he had sold out, was no longer a Tolkien hippy, but is now a "reverse-racist" old fogey, or in plain words, a Trump-voting Microsoft lackey. Anyone would need a defense from that much shame.
