Have you patched your Windows against EternalBlue?

[~]

It creates a service called "Microsoft Security Center (2.0) Service". Just run "services.msc" to find out if it's present and remove it with a good antivirus or manually with the disk as external.

I'm asking this because it seems to be an extremely dangerous exploit that allows the installation of cryptographic viruses against user files from Windows XP onwards, via an automated SMB 1/Samba 1 attack from the Internet.

The C:\WINDOWS\mssecsvc.exe and tasksche.exe ended up being installed in my Windows 7 server overnight today, but Avast stopped it. I can upload a 7-Zipped file with the worm if you want a sample of it.

Now I've put this information here so that the least amount of people get to lose extremely important files.


EternalBlue is an extremely dangerous vulnerability coming from the Internet that often causes blue screens of death and the installation of cryptographic file viruses that ask for money to rescue our files. It affects mainly Windows XP and newer versions.

Use the following tool to check if you have already applied the patch successfully:
[................]


Apply these 2 patches for your Windows version. Apply one by one. Install the first one and reboot Windows, install the second one and reboot again, and then use the tool above to check whether you patched the vulnerability:
http://www.catalog.update.microsoft.com ... =KB4012212

http://www.catalog.update.microsoft.com ... =KB4012215


Special patch version for Windows XP and other outdated versions:
http://www.catalog.update.microsoft.com ... =KB4012598

[hgoel]

This one was patched a month or two ago, so for a technical group of people like osdevs, it hopefully isn't too big of a risk.

[Brendan]

Hi,

"Download and execute random stuff from an unknown and untrusted web site, to protect yourself against things and stuff!" is a great way to get infected by malware.

I've edited the original post to remove links to the unknown and untrusted web site.


Cheers,

Brendan

[~]

The tool from GitHub is from ESET Antivirus.

I also read it before running it. It's just a VB Script that checks that the patches against EternalBlue are installed.

Without it the user won't know for certain if the patch for the actual dangerous exploit is in place.

[iansjack]

How many home users do you imagine expose SMB to the Internet?

[zaval]

ah, this. this is that Wannacrypt SMBv1 thing. yes i applied this kb. but the way i did it (the promptness), made me feel a little uncomfortable. i had always update enabled, but since last autumn, it got buggy, making 100% cpu usage for nothing. interestingly, right after a monthly update, when I logged as an administator and let it install updates, it calmed down and didn't loop, but with some time, it was gradually increasing in the looping again (the update service was starting shortly after the login and since I am not logged as an administrator, did nothing). definitely a bug in the update service. so, last autumn, when this has manifested, pissed off completely, I turned update off. and now this malware happenned. I guess, should my machine be a real target for this attack, it would get infected way before I noticed somewhere on the Internet about this patch and installed it.
on the other hand, i don't use any anti-virus software (for years) and thanks god, never had any infections.

[bluemoon]

How many home users do you imagine expose SMB to the Internet?

While it's probably blocked by firewall, there are still huge attack surface from local network, which can be exploited with other vector (eg. IoT, old NAS, or recent CVE from defender(*)).

Anyway, do not download security patch from random site, just use the Windows update.

REF: https://technet.microsoft.com/en-us/lib ... 22344.aspx

[~]

How many home users do you imagine expose SMB to the Internet?

It's dangerous because it's automatic and SMB 1/2 seem to be fully enabled by default, and only Windows 10 is not vulnerable.

The rest is done by a kernel level exploit to bugs in SMB, sent through the Internet, unless the patch is properly applied.

It seems that the hardest attack was activated this week and past week, so it can be dangerous if your network range is currently being scanned by this.

[iansjack]

How many home users do you imagine expose SMB to the Internet?

It's dangerous because it's automatic and SMB 1/2 seem to be fully enabled by default, and only Windows 10 is not vulnerable.

That assumes that your router lets SMB through from the Internet. You'd have to be crazy to do that.

Initial infection more likely comes from a phishing email. I'd hope that people here are not stupid enough to fall for that. So it's not a big deal for sensible home users. It is, and has been a a problem for large organisations where it just takes one idiot to get infected via an email and the malware can then spread via the internal SMB network.

[bluemoon]

How many home users do you imagine expose SMB to the Internet?

It's dangerous because it's automatic and SMB 1/2 seem to be fully enabled by default, and only Windows 10 is not vulnerable.

That assumes that your router lets SMB through from the Internet. You'd have to be crazy to do that.

Initial infection more likely comes from a phishing email. I'd hope that people here are not stupid enough to fall for that. So it's not a big deal for sensible home users. It is, and has been a a problem for large organisations where it just takes one idiot to get infected via an email and the malware can then spread via the internal SMB network.

Recently there is a new type of phishing email using unicode domain name(it looks exactly like http://www.apple.com and even get a https domain-verified certificate), even tech geek might get caught off guard.

[~]

I got the WannaCry files installed in my server after a lot of BSODs for several weeks and a slow down. Fortunately Avast was installed and I realized that I needed a patch.

I first thought that it was because of the BenQ S6 drivers that failed after some hours of Apache serving files.

Then I thought that it was because it was an old version of Apache for Windows XP.

When the server crashed equally under an UMPC with Windows XP and under a laptop with Windows 7, then I realized that it was virus-related. If I didn't have a home web server and Avast, but mainly a server to check networking the whole day as a side effect, I wouldn't have realized the problem.

A network might be protected but if you use mobile machines you would be exposed, one only needs to see how many people, hospitals, businesses, governments and machines have been affected. It needed a patch that corrected the privileged memory leakage.