Countermeasures before and after the global WannaCry worm ransomware infection

Foreword: Discussion and technical articles about the WannaCrypt ransomware are overwhelming. A large number of technical schools and security vendors have offered ideas and suggestions, and some vendors have released security tools. That is good for the security ecosystem, but not necessarily for individuals: many users in our country are ordinary users and security novices. What should we do if we encounter the WannaCrypt ransomware? Whether to respond actively or wait passively to be infected is a personal choice. The blogger has fought this virus once and shares some experience here, hoping it is helpful to you!

 

 

 

1. Introduction and principle of WannaCry/Wcry virus

1. Introduction to viruses and their principles

  Since May 12, 2017, worm malware exploiting the Windows network file-sharing protocol has been spreading worldwide. Research found that the attack was launched by criminals who modified the "Eternal Blue" exploit from the previously leaked NSA hacking toolkit. "Eternal Blue" scans Windows computers (and even electronic information displays) that expose file-sharing port 445; no user action is required. As long as a computer is switched on and connected to the network, criminals can implant ransomware, remote-control Trojans, cryptocurrency miners and other malicious programs on computers and servers.

  Worms that abuse file-sharing port 445 have broken out repeatedly in China, so operators blocked port 445 for individual users long ago. The education network did not apply this restriction, however, and still has a large number of hosts with port 445 open. According to statistics from relevant agencies, more than 5,000 computers in China are currently attacked remotely every day with the NSA "Eternal Blue" weapon, and the education network has become the hardest-hit area!

  The author will not repeat the analysis of how the WannaCrypt ransomware works. For details, see the complete analysis report on the WanaCrypt0r ransomware (http://bobao.360.cn/learning/detail/3853.html).

 

2. Three time periods of virus infection

(1) The initial stage of virus infection

The virus enters the network through an unknown channel and starts attacking hosts on the intranet, targeting computers that have the vulnerability. On success it drops the file mssecsvc.exe and attempts to connect to a fixed URL (54.153.0.145):

① If the connection succeeds, the program exits.

② If the connection fails, it continues attacking.

 

(2) Middle stage of virus infection

Next, the worm checks the number of command-line arguments: with fewer than 2 it enters the installation routine; with 2 or more it enters the service routine.

 

(3) Post-virus infection stage

Files on disk are encrypted and the ransom interface appears.

 

2. Discovery and handling of WannaCry/Wcry virus

1. Prevention strategy before infection (if you have already been infected, skip this and read on quickly)

(1) Harden the host by closing ports 135, 139 and 445 as described in the hardening section later in this article.

(2) 360's NSA weapon immunity tool can also be used to check whether the computer is vulnerable; a check in a Windows 2003 SP1 virtual machine reported no vulnerability.

(3) Use the Antiy immunity tool for detection and configuration, and configure the host according to its result.

 

2. The virus is infecting (the time period this article focuses on)

  Symptoms while the virus is spreading: check with the netstat -an command. If the system shows a large number of connections to port 445, a virus is certainly present; remove it using the methods below and unplug the network cable at the same time! (Alternatively, boot from a Kali or other Linux live disk to remove the virus, then back up the data directly to a USB drive.)

 

2.1 Setting file view options

① Because the virus sets the hidden attribute on its files, they cannot be seen by default. Change the file view settings: in Explorer, click "Tools" - "Folder Options".

 

② Uncheck "Hide protected operating system files (Recommended)", select "Show hidden files, folders, and drives", and uncheck "Hide extensions for known file types". The virus files hidden in the Windows directory are now visible.

 

2.2 Virus found

(1) File name and size

Three virus sample files were captured this time: mssecsvc.exe, qeriuwjhrf and tasksche.exe. Judging by their MD5 checksums, tasksche.exe and qeriuwjhrf (which share the same MD5) are 3432 KB each, and mssecsvc.exe is 3636 KB.

(2) MD5 checksums

Use an MD5 calculation tool to compute the MD5 of the three files above; the checksums are as follows:

tasksche.exe: 8b2d830d0cf3ad16a547d5b23eca2c6e

mssecsvc.exe: 854455f59776dc27d4934d8979fa7e86

qeriuwjhrf: 8b2d830d0cf3ad16a547d5b23eca2c6e

(3) View virus files

① System directory view

The files are generally located in the Windows directory on the system drive, e.g. c:\windows\. At a command prompt, enter:

cd c:\windows\

dir /od /a *.exe

② Full search

dir /od /s /a tasksche.exe

dir /od /s /a mssecsvc.exe
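As an added illustration (not code from the original post), the following Python script automates the file check in this section: it walks a directory, hashes every file with MD5 and flags files that match either the three checksums quoted above or the three file names. The IoC hashes and names are the ones from the post; the temporary directory, its files and the extra constructed hash in demo() are assumptions for the sake of a runnable example.

```python
import hashlib
import os
import tempfile

# MD5 checksums and file names quoted in the post for the three samples.
IOC_MD5 = {
    "8b2d830d0cf3ad16a547d5b23eca2c6e": "tasksche.exe / qeriuwjhrf",
    "854455f59776dc27d4934d8979fa7e86": "mssecsvc.exe",
}
IOC_NAMES = {"tasksche.exe", "mssecsvc.exe", "qeriuwjhrf"}

def md5_of(path, chunk=1 << 20):
    """MD5 of a file, read in 1 MiB chunks so large files do not fill memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def scan_dir(root, ioc_md5=IOC_MD5, ioc_names=IOC_NAMES):
    """Return (path, reason) for every file matching by hash or by name.
    os.walk lists hidden files too, so the Explorer view settings above
    are not needed for this check."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = md5_of(path)
            except OSError:
                continue  # locked or unreadable file: skip, the process may still be running
            if digest in ioc_md5:
                hits.append((path, "md5 match: " + ioc_md5[digest]))
            elif name.lower() in ioc_names:
                hits.append((path, "name match, md5 " + digest))
    return hits

def demo():
    """Constructed directory: a benign file, a file with an IoC name, and a
    file whose hash is added to a custom IoC set to exercise the hash path."""
    with tempfile.TemporaryDirectory() as d:
        for name, data in [("notepad.exe", b"benign"),
                           ("tasksche.exe", b"sample"),
                           ("dropper.bin", b"payload")]:
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        custom = dict(IOC_MD5)
        custom[hashlib.md5(b"payload").hexdigest()] = "dropper.bin (constructed)"
        return sorted(os.path.basename(p) for p, _ in scan_dir(d, custom))
```

Run it against c:\windows (or the whole system drive with the ② search in mind) to get a list of paths worth examining; a name match alone with an unknown hash suggests a variant.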

③ Virus phenomenon

Check the network connections with the netstat -an command: the host keeps sending SYN packets to port 445, which shows up as many connections in the SYN_SENT state.

④ Virus service

In the Autoruns security analysis tool you can see a service named "fmssecsvc2.0"; the file's timestamp is 17:03 on November 20, 2010.

 

2.3 End the process

  Open Task Manager by right-clicking the taskbar and selecting "Start Task Manager". Find mssecsvc.exe and tasksche.exe in the process list, select them, right-click and choose "End Process Tree" to terminate the virus. It may restart repeatedly, so act quickly. The three files above are generally located in the c:\windows directory.

  I have no screenshots from during the infection; the following pictures are used instead.

 

2.4 Deleting programs

Go to the Windows directory and sort the files by date; the three files will generally show today's date or a recent one. Delete them. A file whose process has been ended can be deleted; if the process starts again, end it and delete again, repeating until all three files are gone, then empty the Recycle Bin. By the time this article is written there may already be variants, but the method is the same: delete the newly generated files.

 

2.5 Check the network again

① Check the network connections again with the netstat -an command; there should be no external connections, and everything is back to normal.

② On a clean computer, download the security tools Autoruns and Process Explorer, burn them to a CD, and use them to remove the virus from the infected computer! Download addresses:

https://download.sysinternals.com/files/Autoruns.zip

https://download.sysinternals.com/files/ProcessExplorer.zip

③ Note that the removal described in this article applies only while the ransomware has not yet encrypted the system! If a small yellow icon appears on the desktop, red English text is shown on the desktop background, or a window with a padlock picture ("Wana Decryptor 2.0") pops up, the system has already been infected.

 

3. The virus has already infected the system

If the system has already been infected, download RansomRecovery (http://dl.360safe.com/recovery/RansomRecovery.exe) and attempt recovery.

 

3. Security reinforcement (very important to prevent the virus from recurring again)

1. Close port 445

(1) Manual closing

① Enter "regedit" at the command prompt and open "HKEY_LOCAL_MACHINE" - "System" - "Controlset" - "Services" - "NetBT" - "Parameters" in turn. Select "New" - "DWORD Value" (choose the 32-bit or 64-bit value according to your operating system), name it "SMBDeviceEnabled" and set its value to "0". Take special care not to misspell SMBDeviceEnabled, otherwise the setting has no effect!

② Open the Local Area Connection properties and uncheck "File and Printer Sharing for Microsoft Networks".

 

2. Close port 135

Enter "dcomcnfg" in the Run dialog, then open "Component Services" - "Computers" - "My Computer" - "Properties" - "Default Properties" and uncheck "Enable Distributed COM on this computer". Then click the "Default Protocols" tab, select "Connection-oriented TCP/IP", and click the "Delete" or "Remove" button.

 

3. Close port 139

Port 139 is used by the "NetBIOS Session Service", which mainly provides Windows file and printer sharing and Samba services on Unix. Click "Network" - "Local Properties"; in the "Local Area Connection Properties" dialog, select "Internet Protocol Version 4 (TCP/IPv4)" - "Properties", open "Advanced TCP/IP Settings" - "WINS", and select "Disable NetBIOS over TCP/IP" under "NetBIOS setting".

 

4. Check if the port is open

Afterwards, use the following commands to verify that 135, 139 and 445 have been closed (no output means no listener or connection on that port):

netstat -an | find "445"

netstat -an | find "139"

netstat -an | find "135"
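As an added illustration (not code from the original post), this Python script applies both netstat checks from this article to a constructed `netstat -an` capture: it lists TCP listeners on 135/139/445 that the hardening above should have removed, and counts SYN_SENT connections to remote port 445, the outbound scanning pattern described for an infected host in section 2. Unlike `find "445"`, it matches the port exactly, so a local port such as 4450 or an address containing "445" does not produce a false hit; the 20-connection threshold and both samples are assumptions.

```python
import re

WATCH_PORTS = {135, 139, 445}   # ports the hardening section closes
SYN_SENT_THRESHOLD = 20         # constructed threshold for "mass scanning"

# Constructed sample in the layout `netstat -an` prints on Windows.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:49152     192.168.1.20:445       SYN_SENT
  TCP    192.168.1.10:49153     192.168.1.21:445       SYN_SENT
  TCP    192.168.1.10:49154     10.0.0.7:443           ESTABLISHED
  UDP    0.0.0.0:4450           *:*
"""
# Second constructed sample mimicking an infected host probing a /24 on 445.
SCANNING_NETSTAT = SAMPLE_NETSTAT + "".join(
    f"  TCP    192.168.1.10:{50000 + i}     192.168.1.{i}:445       SYN_SENT\n"
    for i in range(30, 80))

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")

def _port(addr):
    # '0.0.0.0:445' -> 445, '[::]:445' -> 445, '*:*' -> None
    port = addr.rpartition(":")[2]
    return int(port) if port.isdigit() else None

def parse_netstat(text):
    """Return (proto, local_port, foreign_port, state) for each socket line."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, local, foreign, state = m.groups()
            rows.append((proto, _port(local), _port(foreign), state or ""))
    return rows

def listening_watch_ports(text):
    """TCP listeners on 135/139/445; should be empty after hardening."""
    return sorted({lp for proto, lp, _, st in parse_netstat(text)
                   if proto == "TCP" and st == "LISTENING" and lp in WATCH_PORTS})

def syn_sent_to_445(text):
    """Half-open outbound connections to remote port 445 (the worm's scan)."""
    return sum(1 for proto, _, fp, st in parse_netstat(text)
               if proto == "TCP" and st == "SYN_SENT" and fp == 445)

def looks_infected(text):
    return syn_sent_to_445(text) >= SYN_SENT_THRESHOLD
```

On a live host, feed it the output of `netstat -an` (for example via subprocess) and treat a non-empty listener list after hardening as a configuration error to fix.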

 

5. Turn on the firewall

Enable the firewall that comes with the system.

 

6. Update system patches

Install system patches through 360 Security Guard, or use the operating system's own update program.

 

4. Security lessons

  This ransomware incident has had a particularly large impact on colleges and universities, and may break out among a wider group of end users. AsiaInfo reminds users to raise their security awareness, implement data-backup strategies, and adopt more proactive tools, so that security strategies before, during and after an incident can be used to deal with the criminals hiding in the online world.

  This wave of ransomware uses the NSA exploit tools that were leaked in March this year. Once they became public, a system that was patched and hardened in time would basically not be infected.

1. Do not open files of unknown origin

2. Use USB flash drives carefully. You can create an autorun.inf folder on the USB drive to prevent automatic spreading via the drive (not applicable to a cloud server).

3. Install anti-virus software. Anti-virus software with an up-to-date virus database can identify the spreading virus.

4. Open the firewall

5. ATScanner (WannaCry): http://www.antiy.com/response/wannacry/ATScanner.zip

6. Worm ransomware immunity tool (WannaCry): http://www.antiy.com/response/wannacry/Vaccine_for_wannacry.zip
