Woody Leonhard's no-bull news, tips and help for Windows, Office and more…
  • The “new” XP patch KB 982316 is a dud, but the new MSRT is for real

    Posted on May 23rd, 2017 at 06:12 woody

    Yesterday, I wrote about the mysterious “new” Windows XP patch KB 982316. There’s speculation all over the web that Microsoft is now patching Windows XP again.

    Wrong.

    @abbodi86 dug in and confirmed:

    The digital signature of the downloaded file indicates that it’s still the same old one, “Monday, June 14, 2010”. So this is just a review/renew of the download page for some reason.

    On the other hand, the new Malicious Software Removal Tool, KB 890830, is very real. An anonymous poster notes that it’s marked “Important” in Windows 7. The Windows Update list says that the program has changed, and the metadata has changed. @ch100 theorizes that it’s a WannaCry detector, which is confirmed in the Technet post Customer Guidance for WannaCrypt attacks:

    Update 5/22/2017: Today, we released an update to the Microsoft Malicious Software Removal Tool (MSRT) to detect and remove WannaCrypt malware. For customers that run Windows Update, the tool will detect and remove WannaCrypt and other prevalent malware infections. Customers can also manually download and run the tool by following the guidance here. The MSRT tool runs on all supported Windows machines where automatic updates are enabled, including those that aren’t running other Microsoft security products.

    As I’ve said many times over the past week, WannaCrypt only attacks Windows 7. No matter which version of Windows you have, you’d be well advised to run the new MSRT and see if it picks up any vestiges.

    (Historical note: Microsoft’s sticking to the “WannaCrypt” name while most of the popular press has moved to “WannaCry.” I switched from WannaCrypt to WannaCry, too, in response to an edit. The worm calls itself “Wana Decrypt0r” with a zero. Malware researchers pick their own names, and there’s no central authority assigning names to specific infections. It’s all about branding, folks — I guess “WannaCry” sounds more compelling.)

  • Windows 10 Anniversary Update OK?

    Posted on May 21st, 2017 at 15:42 woody

    Just got this from reader NP:

    I have been following your articles about issues with Windows 10. Would you say at this point, it is safe to update, or should we still wait? I am concerned about not having the latest patches because of the WannaCry ransomware.

    It’s safe to upgrade to Windows 10 Anniversary Update, version 1607

    http://www.infoworld.com/article/3136257/microsoft-windows/windows-10-anniversary-update-finally-ready-for-prime-time.html

    It’s too early to upgrade to Windows 10 Creators Update, version 1703

    http://www.infoworld.com/article/3188869/microsoft-windows/todays-the-day-to-block-windows-10-creators-update.html

    This is the part that gets me. WannaCry only infects Windows 7 machines. Period. (And Server 2008R2, which is basically Windows 7.)

    WannaCry does NOT infect Windows XP. I’ve been saying that since my first report a week ago. In spite of what you’ve read, WannaCry does not infect WinXP.

    WannaCry does NOT infect Windows 8.1.

    WannaCry does NOT infect Windows 10. Any version. That tiny blip on the Kaspersky chart is no doubt due to mis-reporting, or the possibility that people were running infected WinXP machines in a Virtual Machine on Windows 10. I don’t know of any other way there could be any occurrences.

    That said, you need to make sure your Windows computer is fully protected against WannaCry – every version, from XP to Win10. The problem isn’t WannaCry itself. The problem’s all the other malware that’s likely to follow in its footsteps.

  • EternalRocks SMB Worm Uses Seven NSA Hacking Tools

    Posted on May 20th, 2017 at 15:57 woody

    Original posts here:

    EternalRocks SMB Worm Uses Seven NSA Hacking Tools

    @MrBrian and @Kirsty just raised the alarm in the Code Red forum….

    From https://www.bleepingcomputer.com/news/security/new-smb-worm-uses-seven-nsa-hacking-tools-wannacry-used-just-two/:

    Researchers have detected a new worm that is spreading via SMB, but unlike the worm component of the WannaCry ransomware, this one is using seven NSA tools instead of two.

    The worm’s existence first came to light on Wednesday, after it infected the SMB honeypot of Miroslav Stampar, member of the Croatian Government CERT, and creator of the sqlmap tool used for detecting and exploiting SQL injection flaws.

    It’s happening.

  • The original WannaCry does NOT infect Windows XP boxes

    Posted on May 19th, 2017 at 08:00 woody

    I’ve been saying that for a week now – sometimes fighting over it.

    I’m not saying the EternalBlue infection method doesn’t work on XP. (Sorry for the double negative.) What I am saying is that no Windows XP boxes were infected, in the wild, by the original WannaCry worm.

    I’m also saying that the original WannaCry worm is now a distant memory, with much nastier things to come, and you have to get yourself patched, no matter which version of Windows you’re using.

    There’s an interesting debate going on right now about infections on XP boxes that weren’t part of the first wave.

    UPDATE: The Scottish National Health Service reports that 1,500 computers came down with WannaCry. Independently, NHS says they still have 6,500 computers running XP. Somehow that’s getting reported in the press that 1,500 XP NHS computers were infected. The announcement from NHS is apparently correct. The poorly-spun media reports are clearly wrong.

    ANOTHER UPDATE: Catalin Cimpanu at BleepingComputer comes to the conclusion that we’ve known all along — WannaCry only infects Windows 7 and Server 2008 R2, which is basically the same thing as Windows 7.

    The Kaspersky graph shows a tiny, tiny number of Win10 machines infected. My guess is that’s either a false positive, or from people who were intentionally infecting Win7 machines running in a Virtual Machine on Win10.

    There’s a commenter (I know, I shouldn’t read the comments) who says:

    You want to know why Windows 10 was on the list?
    I blame Microsoft for still allowing people to opt-out of auto-updates. The mass do not always know what’s best for them, so it is our responsibility to firmly reject their demand when it’s harmful, and educate them why so.

    I could pull my hair out. Win10 wasn’t directly affected. Opting in or out of updates isn’t a problem – although if you opted out of Win7 auto updates and you didn’t check for two months, yep, you could’ve gotten stung. But Win10? Puh-lease.

  • Breaking: WannaCry has been decrypted, if you follow the rules

    Posted on May 19th, 2017 at 07:37 woody

    For those of you who were infected with WannaCry, very good news. If you see the WannaCry ransom screen:

    DON’T REBOOT.

    Matt Suiche has confirmed that the wanakiwi tool can reach into your infected Win7 machine and retrieve the decryption key. The tool was created by Benjamin Delpy, @gentilkiwi. Per Suiche:

    His tool is very ingenious as it does not look for the actual key but the prime numbers in memory to recompute the key itself. In short, his technique is totally bad ass and super smart.

    Suiche has confirmed that the tool works on WinXP x86, Server 2003 x86, and Win7 x86: “This would imply it works for every version of Windows from XP to 7, including… Vista and 2008 and 2008 R2.”

    Remember, the original WannaCry worm ONLY infects Windows 7 computers. Anything you’ve read to the contrary is wrong.

    REMEMBER – You have to make sure your Windows machines are updated, to protect against new versions of WannaCry. They’re starting to make an appearance. If you haven’t already done it, drop everything and get patched now. Every Windows machine. No exceptions.
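The idea Suiche describes, recomputing the key from primes still sitting in memory, as an added toy-sized illustration (not wanakiwi's code and not from the original post). The 4-byte primes, little-endian layout, exponent 65537 and the memory snapshot are all constructed assumptions; the second run shows why a wiped memory image, as after a reboot, yields nothing.

```python
"""Added illustration: rebuild an RSA private key from a prime left in memory."""

E = 65537  # public exponent (assumed; the usual default)


def find_prime_factor(memory, n):
    """Slide over a memory snapshot; return a value that divides n, else None."""
    width = (n.bit_length() + 15) // 16      # a prime is half the modulus, in bytes
    for off in range(len(memory) - width + 1):
        cand = int.from_bytes(memory[off:off + width], "little")  # byte order assumed
        if 1 < cand < n and n % cand == 0:   # only p or q can pass this test
            return cand
    return None


def rebuild_private_exponent(p, n, e=E):
    """With one prime known, the other prime and the private exponent follow."""
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1))     # modular inverse, Python 3.8+


# Constructed toy key: two well-known 32-bit primes (2^31 - 1 and 2^32 - 5).
P, Q = 2147483647, 4294967291
N = P * Q                                    # the public modulus


def make_snapshot(prime_present=True):
    """Constructed 'process memory': filler bytes around the leftover prime."""
    filler = bytes(range(64))
    middle = P.to_bytes(4, "little") if prime_present else bytes(4)
    return filler + middle + filler


def recover_and_decrypt(snapshot, ciphertext):
    """Return the plaintext integer, or None when no prime survives in memory."""
    p = find_prime_factor(snapshot, N)
    if p is None:
        return None
    return pow(ciphertext, rebuild_private_exponent(p, N), N)


if __name__ == "__main__":
    secret = 123456789                       # constructed plaintext
    ct = pow(secret, E, N)                   # encrypted with the public key only
    print(recover_and_decrypt(make_snapshot(True), ct))   # prime still in memory
    print(recover_and_decrypt(make_snapshot(False), ct))  # memory wiped
```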

  • The Shadow Brokers, in new taunt, threaten to release even more NSA sourced malware

    Posted on May 16th, 2017 at 06:57 woody

    If you thought WannaCry was bad, you ain’t seen nothin’ yet.

    Malware as a Service. Do they really have Win10 sploits, nuke details from Russia and North Korea? Their story lines up with what we know from the inside. Are their tales of bribery and double-crossing true, too?

    It’s a bombshell of a story.

    InfoWorld Woody on Windows

  • How to make sure you won’t get hit by WannaCry/WannaCrypt

    Posted on May 13th, 2017 at 15:36 woody

    UPDATES: You might imagine this is a hot topic. Here’s what I discovered on Sunday morning:

    • WannaCrypt does not infect XP machines – the problem appears entirely (or almost entirely) on unpatched Win7 machines. Kevin Beaumont reports that folks inside the UK NHS tell him their machines haven’t been patched since December.
    • The people behind WannaCrypt have collected a total of about $30,000.
    • People at Microsoft claim that “nobody running Windows 10 was infected.” I can’t confirm that. Clearly, those who have installed MS17-010 through Win10 cumulative updates are OK (see the list below). But if all Win10 machines are immune, I’d sure like to see an explanation.
    • There are lots of explanations about the inner workings of the worm. This one from Malwarebytes is particularly thorough. But I haven’t yet seen a definitive description of how the payload first gets into a network. Many believe that the first point of infection is via a rigged email — but I haven’t yet seen a copy of a bad email. If you have definitive evidence, I’d sure like to hear about it in the comments.
    • Last night (which is to say very early Sunday morning my time), @MalwareTechBlog put it best: “Version 1 of WannaCrypt was stoppable but version 2.0 will likely remove the flaw. You’re only safe if you patch ASAP.”
    • There are new variants, both with and without killswitches. I haven’t seen any widespread problems yet, but folks YOU HAVE TO GET PATCHED. Creating a new variant is easy.

    Back to Saturday’s advice…

    I’ll have a more detailed and up-to-date post on InfoWorld on Monday, but for now, here’s what you need to know if you’re concerned about the WannaCry/WannaCrypt worm and its enablers.

    We’re at MS-DEFCON 2, and that’s as it should be: you should not install any of this month’s patches. It’s still too early to tell if anything this month will cause problems — and there’s so much dust floating around it’s hard to see anything. But if you missed the March or April patches, if you’re running Windows XP, 8 or Server 2003, or you aren’t sure if you got March and April patches installed, here’s what you need to do.

    IMPORTANT details about WannaCrypt:

    • It clobbered lots of sites and many computers, but it’s no longer a threat. The folks at Malwaretech.com enabled a sinkhole that’s blocking WannaCrypt. No more infections.
    • Rather than specifically rooting out WannaCrypt, you need to focus immediately on plugging the hole(s) that made WannaCrypt possible. The WannaCrypt code’s out in the wild, and a simple change would make it work again. More than that, other pieces of the Shadow Brokers trove can be used to make new, innovative malware. Get patched now.
    • As of this writing, nobody has any idea who made WannaCrypt, why they released a weapons-grade exploit to beg for chump change ($300 per infection), and how the first infection(s) appeared.
    • Microsoft released patches for Windows 10, 8.1 and 7 back in March (that’s MS17-010). Yesterday, they released patches for Windows XP, Win 8, and Server 2003 SP2.

    There’s an excellent overview by Elizabeth Dwoskin and Karla Adam published in the Washington Post on Saturday evening.

    Here’s how to see if you need patching, and how to get patched if need be.

    Windows XP, Windows 8

    You don’t have the patch, unless you downloaded and installed it already. Follow the links under “Further Resources” at the bottom of the Technet page to download and run the installer.

    (NOTE: I had a question in the earlier post about installing this patch on pirate copies of Windows XP. I’ve seen a lot of pirate copies of WinXP – living in Thailand for 13 years will do that to you – and I don’t trust any of them. If you install Microsoft’s patch on a pirate XP machine, you may well brick it. On the other hand, if you don’t install the patch, somebody else may come in and brick it for you. Wish I had a better response, but that’s the way the SMB crumbles. If I had to do it, I’d back up everything and roll the dice, but be ready to install Win7 from scratch if the XP pirate doesn’t come back up for air.)

    Vista

    See if the patch is already installed. Click Start > Control Panel > System and Security. Under Windows Update click the View installed updates link. Look for one marked “Security Update for Windows Vista (KB4012598).” If you don’t have it, download it from the Microsoft Update Catalog, and install it.

    Windows 7

    See if the patch is already installed. Click Start > Control Panel > System and Security. Under Windows Update click the View installed updates link. Scan the list (which can be alphabetized by clicking the box marked Name, or sorted by date) to see if you have ANY of these patches:

    2017-05 Security Monthly Quality Rollup for Windows 7 (KB4019264)
    April, 2017 Preview of Monthly Quality Rollup for Windows 7 (KB4015552)
    April, 2017 Security Monthly Quality Rollup for Windows 7 (KB4015549)
    March, 2017 Security Monthly Quality Rollup for Windows 7 (KB4012215)
    March, 2017 Security Only Quality Update for Windows 7 (KB4012212)

    If you have any of those patches already installed, then you are good to go and you can sleep well at night. Don’t be confused. There’s no reason to download or install anything, unless you have absolutely none of those patches. No, I’m not recommending that you install something. Just look at the list and see if you have any of the patches.

    (Thx, Chris M)

    If you have none of those patches, download and install the March, 2017 Security Only Quality Update for Windows 7 (KB4012212) for 32-bit or 64-bit.

    (Note that the list is quite deliberate and, I think, exact. In particular, if you’re manually installing Security-only patches in the “Group B” style, you MUST have the March, 2017 Security Only Quality Update for Windows 7 (KB4012212). Other Security-only patches don’t include the MS17-010 fix.)

    Windows 8.1

    See if the patch is already installed. Click Start > Control Panel > System and Security. Under Windows Update click the View installed updates link. Scan the list (which can be alphabetized by clicking the box marked Name, or sorted by date) to see if you have ANY of these patches:

    2017-05 Security Monthly Quality Rollup for Windows 8.1 (KB4019215)
    April, 2017 Preview of Monthly Quality Rollup for Windows 8.1 (KB4015553)
    April, 2017 Security Monthly Quality Rollup for Windows 8.1 (KB4015550)
    March, 2017 Security Monthly Quality Rollup for Windows 8.1 (KB4012216)
    March, 2017 Security Only Quality Update for Windows 8.1 (KB4012213)

    If you have any of those patches, you’re fine. Again, I’m not suggesting that you install anything unless all of those patches are missing.

    If you have none of those patches, download and install the March, 2017 Security Only Quality Update for Windows 8.1 (KB4012213) for 32-bit or 64-bit.

    See note above about Security-only patches. Again, this list is complete, I believe, and accurate.

    Windows 10

    Creators Update (version 1703) is OK.

    Anniversary Update (version 1607) – Check your build number. If you have Build 14393.953 or later, you’re fine. If you don’t, use Windows Update to install the latest build 14393.1198. Yes, I know that violates the current MS-DEFCON 2 setting, but you need to get up to or beyond 14393.953.

    Fall (er, November) Update (version 1511) – use the steps above to check your build number. You have to be at build 10586.839 or later. Abandon the MS-DEFCON rating system (and all hope — “Lasciate ogne speranza, voi ch’intrate”) if you must to get up to or beyond that build number.

    RTM (“version 1507”) – same procedure, make sure you’re up to or beyond build 10240.17319. And remember that your system’s toast soon.

    ======================================

    Nice and easy, huh?

    Everybody needs to get their systems updated, at least to the point mentioned here. Yes, that includes your sainted Aunt Martha.
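The per-version checks above, applied to exported inventory (the text of an installed-updates listing plus a build string), as an added example that is not part of the original post. The KB lists and minimum builds are the ones in this post as of May 2017; the function names, the sample listing and the 1703 build number 15063 are assumptions added here.

```python
import re

# KB lists exactly as given in the post: any one of them carries the MS17-010 fix.
FIX_KBS = {
    "Vista": {"KB4012598"},
    "7": {"KB4019264", "KB4015552", "KB4015549", "KB4012215", "KB4012212"},
    "8.1": {"KB4019215", "KB4015553", "KB4015550", "KB4012216", "KB4012213"},
}
# Windows 10: branch build -> minimum revision named in the post.
WIN10_MIN_REV = {10240: 17319, 10586: 839, 14393: 953}
WIN10_1703 = 15063  # Creators Update build number (assumption, not on the page)

# Constructed sample of an installed-updates listing for a Windows 7 host.
SAMPLE_WIN7 = """\
HOST01  Update           KB2999226  3/2/2017
HOST01  Security Update  KB4012212  4/26/2017
"""


def parse_kbs(listing):
    """Pull every KB identifier out of free-form listing text."""
    return {kb.upper() for kb in re.findall(r"\bKB\d{6,7}\b", listing, re.I)}


def has_ms17_010(os_name, listing="", build=""):
    """Return (patched, reason) for one host, following the post's rules."""
    if os_name == "10":
        m = re.search(r"(\d{5})\.(\d+)$", build.strip())
        if not m:
            return False, "no usable build number"
        branch, rev = int(m.group(1)), int(m.group(2))
        if branch >= WIN10_1703:
            return True, "version 1703 or later"
        if branch not in WIN10_MIN_REV:
            return False, "unknown Windows 10 branch %d" % branch
        need = WIN10_MIN_REV[branch]
        # Compare the revision as an integer: 1198 is newer than 953, although
        # "14393.1198" sorts below "14393.953" as a string or as a decimal.
        return rev >= need, "build %d.%d, need %d.%d" % (branch, rev, branch, need)
    if os_name not in FIX_KBS:
        return False, "no KB listed (XP, 8): install the standalone patch"
    found = sorted(parse_kbs(listing) & FIX_KBS[os_name])
    if found:
        return True, "found " + ", ".join(found)
    return False, "none of the listed KBs installed"


if __name__ == "__main__":
    print(has_ms17_010("7", SAMPLE_WIN7))
    print(has_ms17_010("10", build="10.0.14393.576"))
    print(has_ms17_010("10", build="10.0.14393.1198"))
```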

  • If you didn’t get MS17-010 installed six weeks ago, you may be hurting now

    Posted on May 12th, 2017 at 13:33 woody

    On April 24, I warned everybody that y’all needed to install the March Windows patch MS17-010 right away.

    I sure hope you did. Even those among you who never install patches – the Group W contingent.

    There’s a huge wave of Ransomware attacks running through Europe, and it’s already been spotted in the US. Britain’s National Health Service and most of its broader healthcare system is on its knees, with medical caregivers greeted by ransomware demands.

    The culprit is a ransomware package called “Wanna Cry” that’s using the Shadow Brokers exploit known as EternalBlue to infect — all created by the US’s very own NSA. (Gratuitous comment about tax dollars deleted.)

    Graham Cluley says:

    It would be wrong to think that the NHS was targeted. They weren’t. This is plain old extortion – 21st century style. The bad guys release ransomware (in this case carried by a worm which exploits a vulnerability), and their intention is to infect as many PCs as possible to make as much cash as possible.

    Hitting the NHS wasn’t necessarily their intention, but it is a soft target due to its poor defences. And, of course, the implications of a widespread NHS infection are felt by many people.

    If you haven’t installed MS17-010, drop everything and do it. Make a full, clean backup while you’re at it.

    UPDATE: Darien Huss reports that

    #WannaCry propagation payload contains previously unregistered domain, execution fails now that domain has been sinkholed

    Looks like the number of new infections has tapered off.

    Nonetheless, get patched, folks.

    PLEASE: If you’re going to manually install updates (“Group B” style), you have to keep up with the patching pace. Microsoft released this patch on March 14, without describing its genesis. On April 14, Shadow Brokers released the exploits. By April 24, it became apparent that the EternalBlue exploit was being used to infect normal machines. Prior to that, there was some doubt as to how many machines were infected, and whether the infections were geared toward non-military-grade targets.

    Those in Group A were much less likely to get hit because each of the March and April Monthly Rollups had the patch. I gave the go-ahead for March Monthly Rollup on March 30 and the April Monthly Rollup on April 25. If you had applied patches either time, you’d be all clear right now.

    If you’re in Group W and don’t install patches — well, now you know one reason why I don’t recommend Group W.

    Good technical summary here on Github.

    Into conspiracy theories? How about a weapons test that was intentionally disabled with a killswitch before the US woke up? Seems plausible. Cisco’s Talos blog has details.

    Or this one, where the worm was released inadvertently by Shadow Brokers and Russian gov.