May 18

wannacry-vaccine.reg

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskdl.exe]
"Debugger"="taskkill /F /IM "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskse.exe]
"Debugger"="taskkill /F /IM "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wannacry.exe]
"Debugger"="taskkill /F /IM "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mssecsvc.exe]
"Debugger"="taskkill /F /IM "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasksche.exe]
"Debugger"="taskkill /F /IM "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskhsvc.exe]
"Debugger"="taskkill /F /IM "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wcry.exe]
"Debugger"="taskkill /F /IM "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\111.exe]
"Debugger"="taskkill /F /IM "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lhdfrgui.exe]
"Debugger"="taskkill /F /IM "
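How the file works: when a process is created, Windows looks up the image name under Image File Execution Options, and if that key carries a Debugger value it launches that command instead, with the original command line appended. Here the "debugger" is taskkill, which exits without ever starting the target, so a binary with any of those nine names never runs. Two caveats: the match is by file name only, so a legitimate program that happens to be called, say, 111.exe is blocked too, and the entries persist until somebody removes them. The file itself is applied with `reg import wannacry-vaccine.reg` from an elevated prompt, since it writes under HKLM. The script below is an added example, not part of the original post: it writes the same nine entries from an elevated PowerShell session, reports their state, and removes only the keys that still carry the vaccine's value once the machine has been patched. The script name and the -Action parameter are assumptions made for this example.

```powershell
# Added example (not part of the original post): applies, checks or removes the
# same IFEO "Debugger" entries as wannacry-vaccine.reg, so the change can be
# verified and later undone. Run from an elevated PowerShell session.
# Usage:  .\Wannacry-Vaccine.ps1 -Action Apply | Check | Remove
[CmdletBinding()]
param(
    [ValidateSet('Apply', 'Check', 'Remove')]
    [string]$Action = 'Check'
)

# Same image names as the .reg file above.
$Names = 'taskdl.exe', 'taskse.exe', 'wannacry.exe', 'mssecsvc.exe', 'tasksche.exe',
         'taskhsvc.exe', 'wcry.exe', '111.exe', 'lhdfrgui.exe'

# Same value as the .reg file. The trailing space is deliberate: Windows appends
# the original command line directly after it.
$Debugger = 'taskkill /F /IM '

$Ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Get-VaccineState {
    # One object per image name: the current Debugger value (if any) and whether
    # it equals the vaccine value.
    foreach ($n in $Names) {
        $key = Join-Path $Ifeo $n
        $value = $null
        if (Test-Path $key) {
            $value = (Get-ItemProperty -Path $key -Name Debugger -ErrorAction SilentlyContinue).Debugger
        }
        [pscustomobject]@{
            Image      = $n
            Debugger   = $value
            Vaccinated = ($value -eq $Debugger)
        }
    }
}

switch ($Action) {
    'Apply' {
        foreach ($n in $Names) {
            $key = Join-Path $Ifeo $n
            # -Force creates the key when missing and leaves it alone when present;
            # on the property it overwrites any existing Debugger value.
            New-Item -Path $key -Force | Out-Null
            New-ItemProperty -Path $key -Name Debugger -Value $Debugger -PropertyType String -Force | Out-Null
        }
    }
    'Remove' {
        foreach ($n in $Names) {
            $key = Join-Path $Ifeo $n
            # Only delete keys that carry our value, so unrelated IFEO settings
            # (e.g. a real debugger someone configured) are left untouched.
            if ((Test-Path $key) -and
                ((Get-ItemProperty -Path $key -Name Debugger -ErrorAction SilentlyContinue).Debugger -eq $Debugger)) {
                Remove-Item -Path $key -Recurse
            }
        }
    }
}

# Always finish by showing the resulting state.
Get-VaccineState | Format-Table -AutoSize
```

Run it with -Action Check first on a machine where the .reg file was imported: every row should show Vaccinated = True. Keep in mind that the vaccine does nothing for a machine on which the malware has already executed; it only stops the named binaries from starting.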
Category: TIPS AND TRICKS | Comments are disabled on wannacry-vaccine.reg
May 17

Use NMAP to Scan network for WCRY or WannaCry Ransomware vulnerability

  1. If you haven't already got it, download and install Nmap from https://nmap.org/
  2. Download the script from https://github.com/cldrn/nmap-nse-scripts/blob/master/scripts/smb-vuln-ms17-010.nse (the script is bundled with Nmap 7.50 and later, so this step is only needed on older releases such as the 7.40 used below)
  3. Save it to the Nmap NSE script directory
    1. Windows location is C:\Program Files (x86)\Nmap\scripts
    2. Linux – /usr/share/nmap/scripts/ or /usr/local/share/nmap/scripts/
    3. OSX – /opt/local/share/nmap/scripts/
  4. Test the script on a known vulnerable device, such as 202.157.185.31 or 64.17.101.90 at the time this was written (scan only hosts you are authorised to test)
    1. nmap -p 445 --max-hostgroup 3 --open --script smb-vuln-ms17-010.nse 64.17.101.90
  5. Run it against your environment

Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-15 10:30 South Africa Standard Time
Nmap scan report for ns.bvtsvc.com (64.17.101.90)
Host is up (0.22s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds

Host script results:
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_ https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

Nmap done: 1 IP address (1 host up) scanned in 4.63 seconds
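Step 5 is where the one-host command stops being convenient: on a /24 you want the XML output kept and only the hosts the script flagged VULNERABLE listed. The script below is an added example, not part of the original post. It assumes nmap.exe is on PATH and the smb-vuln-ms17-010 script is installed, adds -Pn so hosts that drop ping are still probed, writes the XML report to a timestamped file, and reads the "State:" line out of each host's script output (the same line visible in the sample output above). The script name, the parameter names and the output file name are assumptions made for this example. Scan only networks you are authorised to test.

```powershell
# Added example (not part of the original post): runs the MS17-010 check against a
# range, keeps the XML report, and lists only the hosts the NSE script flagged
# VULNERABLE. Assumes nmap.exe on PATH and smb-vuln-ms17-010 installed.
# Usage:  .\Find-Ms17010.ps1 -Target 192.168.1.0/24
param(
    [Parameter(Mandatory)] [string]$Target,
    [string]$OutFile = "ms17-010-$(Get-Date -Format yyyyMMdd-HHmmss).xml"
)

# -Pn: do not skip hosts that block ping (common with the Windows firewall on).
# --open: only hosts with 445 open are reported. -oX: machine-readable report.
& nmap -Pn -p 445 --open --max-hostgroup 3 --script smb-vuln-ms17-010 -oX $OutFile $Target | Out-Null

[xml]$report = Get-Content -Path $OutFile -Raw

# Note: $host is a reserved automatic variable in PowerShell, hence $h.
$results = foreach ($h in $report.nmaprun.host) {
    $addr = ($h.address | Where-Object addrtype -eq 'ipv4').addr

    # Host script results live under hostscript/script; the script's text output
    # (what nmap prints) is in its "output" attribute and contains "State: ...".
    $scr = $h.hostscript.script | Where-Object id -eq 'smb-vuln-ms17-010'
    if ($null -eq $scr) { continue }   # 445 open but the script produced nothing

    $state = if ($scr.output -match 'State:\s*(\S+)') { $Matches[1] } else { 'UNKNOWN' }
    [pscustomobject]@{ Host = $addr; State = $state }
}

$vulnerable = @($results | Where-Object State -eq 'VULNERABLE')
$vulnerable | Format-Table -AutoSize
Write-Host "Vulnerable: $($vulnerable.Count) of $(@($results).Count) hosts checked. Full report: $OutFile"
```

The XML file is worth keeping: it is the evidence for which hosts were unpatched on which date, and re-running the script after patching gives a before/after comparison without rescanning by hand.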

Category: TIPS AND TRICKS | Comments are disabled on Use NMAP to Scan network for WCRY or WannaCry Ransomware vulnerability
May 17

Close ports 135 and 445

According to the antivirus vendors' reports, wcrypt (WannaCry) enters computers over SMB (Server Message Block): it exploits the MS17-010 SMBv1 flaw over TCP port 445 on every reachable host. The rules below block inbound TCP 445, and also TCP 135 (the RPC endpoint mapper), which is not the worm's entry point but is likewise rarely needed on an ordinary user's machine. Blocking 445 also stops inbound file and printer sharing to that machine, and neither rule replaces installing the MS17-010 update.

To do this, open a console with administrator rights (cmd.exe -> Run as administrator) and execute the following two commands in turn (each should report "Ok.").

netsh advfirewall firewall add rule dir=in action=block protocol=TCP localport=135 name="Block_TCP-135"

netsh advfirewall firewall add rule dir=in action=block protocol=TCP localport=445 name="Block_TCP-445"

Disabling SMBv1 support

The vulnerability can also be closed by disabling SMBv1 support entirely. Run this command in cmd (Run as administrator); because of /norestart the feature is only removed after the next reboot, which you must trigger yourself. The SMB1Protocol feature name exists on Windows 8.1 / Server 2012 R2 and later; on Windows 7 / Server 2008 R2 there is no such DISM feature and SMBv1 is disabled through the registry and the service configuration instead.

dism /online /norestart /disable-feature /featurename:SMB1Protocol
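Both mitigations, with the checks a practitioner would want after running them, as an added PowerShell example that is not part of the original post. It uses the same netsh rules as above (deleting first so the script can be re-run without piling up duplicate rules), disables SMBv1 through the optional feature where that exists and through the LanmanServer SMB1 registry value and the mrxsmb10 driver otherwise (the method Microsoft documents for Windows 7 / Server 2008 R2 in KB 2696547), and then reads the state back. The script name is an assumption; run it from an elevated PowerShell session.

```powershell
# Added example (not part of the original post): block inbound TCP 135/445 and
# disable SMBv1, then verify. Run elevated. Both rules also block legitimate
# inbound file sharing (445) and RPC endpoint mapping (135) to this machine.
# Usage:  .\Harden-Smb.ps1

# 1. Inbound block rules, equivalent to the netsh commands above. Deleting any
#    rule of the same name first makes the script safe to re-run.
foreach ($port in 135, 445) {
    $rule = "Block_TCP-$port"
    netsh advfirewall firewall delete rule name=$rule | Out-Null
    netsh advfirewall firewall add rule name=$rule dir=in action=block protocol=TCP localport=$port | Out-Null
    # Print the rule so Direction/Action/LocalPort can be confirmed.
    netsh advfirewall firewall show rule name=$rule
}

# 2. Disable SMBv1. The SMB1Protocol optional feature (what the dism command
#    above toggles) exists on Windows 8.1 / Server 2012 R2 and later. On
#    Windows 7 / Server 2008 R2 the server side is turned off with the
#    LanmanServer SMB1 value and the client side by disabling the mrxsmb10
#    driver and dropping it from the workstation service's dependencies.
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    if ($feature.State -ne 'Disabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
} else {
    Set-ItemProperty -Path $lanman -Name SMB1 -Type DWord -Value 0 -Force
    # sc.exe needs the space after "depend=" and "start="; PowerShell passes
    # them through as separate arguments, which is what sc.exe expects.
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
}

# 3. Verify. The feature state is the authoritative check where the feature
#    exists (Get-SmbServerConfiguration may still report SMB1 enabled until the
#    reboot); elsewhere read the registry value back.
if (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
    Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol | Select-Object FeatureName, State
} else {
    Get-ItemProperty -Path $lanman -Name SMB1 | Select-Object SMB1
}
Write-Host 'Reboot for the SMBv1 change to take effect.'
```

After the reboot, the nmap check from the previous post is the external confirmation: a host with SMBv1 disabled no longer reports smb-vuln-ms17-010 as VULNERABLE, and one with the 445 rule in place no longer shows the port open at all.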

Category: TIPS AND TRICKS | Comments are disabled on Close ports 135 and 445