Wiggly Wayne DDS posted:it's confirmed: that's the wannacry 2: electric tears?
|
|
# ? Jun 27, 2017 15:58 |
cinci zoo sniper posted:that's the wannacry 2: electric tears?
|
# ? Jun 27, 2017 16:01 |
Wiggly Wayne DDS posted:considering there isn't a domain to conveniently sinkhole just prior to the us business networks waking up ya welp time to start the hospital counter i guess hopefully someone learned
|
|
# ? Jun 27, 2017 16:03 |
|
I hope this one comes in via email and then spreads internally
|
# ? Jun 27, 2017 16:03 |
|
cinci zoo sniper posted:welp time to start the hospital counter i guess hopefully someone learned hahahhhahahahahhaa.
|
# ? Jun 27, 2017 16:04 |
|
spankmeister posted:I hope this one comes in via email and then spreads internally
|
# ? Jun 27, 2017 16:04 |
|
Wiggly Wayne DDS posted:i saw talk of email spreading petya earlier before eternalblue got mentioned so i'd expect that amongst other spreading mechanisms good, gooood because that was wannacry's greatest flaw imo, it would _only_ spread through eternalblue
|
# ? Jun 27, 2017 16:05 |
ratbert90 posted:hahahhhahahahahhaa. i know, right. im just really not looking forward to a major life/-support system being hit by this poo poo, affect it me or not
|
|
# ? Jun 27, 2017 16:05 |
|
cinci zoo sniper posted:i know, right. im just really not looking forward to a major life/-support system being hit by this poo poo, affect it me or not Hello! If you are seeing this it's because your pacemaker is no longer accessible, because it has been encrypted. Perhaps you are looking for a way to recover your heartbeat?
|
# ? Jun 27, 2017 16:07 |
|
ratbert90 posted:Hello! If you are seeing this it's because your pacemaker is no longer accessible, because it has been encrypted. Perhaps you are looking for a way to recover your heartbeat?
|
# ? Jun 27, 2017 16:09 |
|
Wiggly Wayne DDS posted:i thought we all agreed to disable the heartbeat extension THE HEARTBEAT EXTENSION IS MISSION-CRITICAL AND REQUIRED WORDPRESS 2.0!
|
# ? Jun 27, 2017 16:12 |
|
explanation I gave over the weekend for what encryption is: "imagine a lock and key, but they're made of math"
|
# ? Jun 27, 2017 16:17 |
|
|
# ? Jun 27, 2017 16:31 |
|
ThePeavstenator posted:explanation I gave over the weekend for what encryption is: "imagine a lock and key, but they're made of math" great work
|
# ? Jun 27, 2017 17:01 |
spankmeister posted:good, gooood it also would fail to properly execute on XP, causing the computer to blue screen instead of becoming encrypted. seems like that happens in this one too: https://twitter.com/PolarToffee/status/879718578798436352 who knows how many people were saved by the accidental triggering of the kill switch in wannacry and thought that they weren't vulnerable as a result.
|
|
# ? Jun 27, 2017 17:11 |
|
Shifty Pony posted:it also would fail to properly execute on XP, causing the computer to blue screen instead of becoming encrypted. It wasn't even meant to be a kill switch, we got really lucky with that one
|
# ? Jun 27, 2017 17:13 |
|
ars has a piece on the anti-malware engine exploits tavis found
|
# ? Jun 27, 2017 17:19 |
|
"three weeks ago tavis said a dll had never been fuzzed. we asked microsoft and they said they used fuzzing." great work
|
# ? Jun 27, 2017 17:25 |
|
msft uses fuzzing a lot, it's a little surprising that they missed a part of their AV kit
|
# ? Jun 27, 2017 17:26 |
|
though they weren't fuzzing IE as of 2007, after the big internal push, so who knows
|
# ? Jun 27, 2017 17:27 |
spankmeister posted:It wasn't even meant to be a kill switch, we got really lucky with that one did they figure out what it was actually supposed to be? the whole wannacry worm seemed like someone hosed up and shipped a beta build.
|
|
# ? Jun 27, 2017 17:28 |
|
Shifty Pony posted:the whole wannacry worm seemed like someone hosed up and shipped a beta build. do you mean wcry or windows
|
# ? Jun 27, 2017 17:36 |
|
Jewel posted:Another day, another bitcoin ransomware. amber? should have gone with green.
|
# ? Jun 27, 2017 17:41 |
|
Shifty Pony posted:did they figure out what it was actually supposed to be? poorly-conceived anti-analysis tech was the prevailing assumption afaik. malware sandboxes typically send stock "yes it exists" replies to dns queries for a bunch of reasons. so you make a request to a bogus domain name that's never gonna be registered, and if dns claims it exists then you're probably in a malware sandbox so you should bail out to avoid leaking your secrets. sounds like a good idea until you notice the kill-switch potential.
|
# ? Jun 27, 2017 17:47 |
|
flakeloaf posted:do you mean wcry or windows
|
# ? Jun 27, 2017 17:51 |
no wanna no cry
|
|
# ? Jun 27, 2017 17:54 |
|
Jabor posted:poorly-conceived anti-analysis tech was the prevailing assumption afaik.
This. What they did was use a single, hard-coded, unregistered domain to check if the sample is running in a sandbox. It was then trivial to register that domain. The guy (MalwareTech) didn't even know the malware would stop working if the domain were registered. He just thought he was sinkholing it. Now, to do this properly you should use domains that are randomly-generated on the spot and not beforehand, and you query several so you can recover from a false positive if a random domain happens to be registered.
|
# ? Jun 27, 2017 17:54 |
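A defender-side view of the check described in the two posts above, as an added example that is not code from any poster in the thread: it reads resolver query logs for lookups of a watchlisted kill-switch name and, taking the posts' description that the sample bails out when the name resolves, separates clients whose check resolved from clients whose check failed. The domain, log format and addresses are constructed placeholders, and modelling the check as DNS-only is an assumption taken from the thread.

```python
from collections import defaultdict

# Placeholder only: the thread never names the domain, so this is not a real indicator.
WATCHLIST = {"killswitch-placeholder.example"}

# Constructed sample log, one query per line: timestamp client qname rcode
SAMPLE_LOG = """\
2017-05-12T08:01:02Z 10.0.0.5 killswitch-placeholder.example. NXDOMAIN
2017-05-12T08:01:09Z 10.0.0.7 www.example.org. NOERROR
2017-05-12T14:30:41Z 10.0.0.9 KillSwitch-Placeholder.example. NOERROR
2017-05-12T14:31:00Z 10.0.0.5 killswitch-placeholder.example. NOERROR
2017-05-12T14:32:10Z 10.0.0.11 killswitch-placeholder.example. SERVFAIL
malformed line
"""


def triage(log_text, watchlist=WATCHLIST):
    """Map each client that looked up a watchlisted name to a triage status."""
    rcodes_by_client = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:  # skip malformed lines
            continue
        _ts, client, qname, rcode = parts
        # DNS names are case-insensitive and may carry a trailing root dot.
        if qname.rstrip(".").lower() in watchlist:
            rcodes_by_client[client].append(rcode.upper())

    status = {}
    for client, rcodes in rcodes_by_client.items():
        # Every client here ran something that performs the check, so all need
        # investigation. A lookup that did not resolve means the check did not
        # stop the sample on that run, so that client is the higher priority.
        failed = any(r != "NOERROR" for r in rcodes)
        status[client] = "check_failed" if failed else "check_resolved"
    return status


if __name__ == "__main__":
    for client, state in sorted(triage(SAMPLE_LOG).items()):
        print(client, state)
```

A client that shows `check_resolved` is still a host that executed the sample; the status only orders the response queue.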
|
Looking forward to the Wiggly Wayne DDS overview of Defcon videos
|
# ? Jun 27, 2017 17:58 |
|
Migishu posted:Looking forward to the Wiggly Wayne DDS overview of Defcon videos not going this year so
|
# ? Jun 27, 2017 18:01 |
|
Migishu posted:Looking forward to the Wiggly Wayne DDS overview of Defcon videos the best part of defcon
|
# ? Jun 27, 2017 18:02 |
|
https://twitter.com/gossithedog/status/879745509015072769
|
# ? Jun 27, 2017 18:03 |
|
Migishu posted:Looking forward to the Wiggly Wayne DDS overview of Defcon videos
|
# ? Jun 27, 2017 18:10 |
|
Wiggly Wayne DDS posted:eh i never do defcon (nor ever have), rarely anything of value. based on their speaker page for this year there's only a handful of interesting talks, and even then it's just further details of public research (sha-1 collision) You don't go to def con for the talks tbqh
|
# ? Jun 27, 2017 18:23 |
a lot of reports from people dealing with infections of Petya seem to talk about affected systems rebooting to the ransom screen nearly simultaneously. I wonder if there is some sort of coordination between infected systems to pull that off.
|
|
# ? Jun 27, 2017 18:24 |
|
does anyone here have a good sec twitter list they can point me to? i'd really appreciate it, because left to my own devices i'd probably end up with dudes like thrurrott on my list and my pants on my head.
|
# ? Jun 27, 2017 18:30 |
|
WAR DOGS OF SOCHI posted:does anyone here have a good sec twitter list they can point me to? i'd really appreciate it, because left to my own devices i'd probably end up with dudes like thrurrott on my list and my pants on my head.
|
# ? Jun 27, 2017 18:36 |
spankmeister posted:You don't go to def con for the talks tbqh you go there to have a run-in with exceptionally smelly mcafee?
|
|
# ? Jun 27, 2017 18:36 |
|
cinci zoo sniper posted:you go there to have a run-in with exceptionally smelly mcafee? seeing other goons irl is funny but gently caress las vegas sideways
|
# ? Jun 27, 2017 18:39 |
|
spankmeister posted:You don't go to def con for the talks tbqh Vegas will have dispensaries open by Defcon so that should be... interesting.
|
# ? Jun 27, 2017 18:42 |
Shifty Pony posted:a lot of reports from people dealing with infections of Petya seem to talk about affected systems rebooting to the ransom screen nearly simultaneously. WAR DOGS OF SOCHI posted:does anyone here have a good sec twitter list they can point me to? i'd really appreciate it, because left to my own devices i'd probably end up with dudes like thrurrott on my list and my pants on my head. given it's 2017 it's v hard to separate politics from pure sec feed though
|
# ? Jun 27, 2017 18:44 |