Have you patched your Windows against EternalBlue?

~
Member
Posts: 1227
Joined: Tue Mar 06, 2007 11:17 am
Libera.chat IRC: ArcheFire

Have you patched your Windows against EternalBlue?

Post by ~ »
It creates a service called "Microsoft Security Center (2.0) Service". Just run "services.msc" to find out if it's present and remove it with a good antivirus or manually with the disk as external.

I'm asking this because it seems to be an extremely dangerous exploit that allows the installation of cryptographic viruses against user files from Windows XP onwards, via an automated SMB 1/Samba 1 attack from the Internet.

The C:\WINDOWS\mssecsvc.exe and tasksche.exe ended up being installed in my Windows 7 server overnight today, but Avast stopped it. I can upload a 7-Zipped file with the worm if you want a sample of it.

Now I've put this information here so that the least amount of people get to lose extremely important files.


EternalBlue is an extremely dangerous vulnerability coming from the Internet that often causes blue screens of death and the installation of cryptographic file viruses that ask for money to rescue our files. It affects mainly Windows XP and newer versions.

Use the following tool to check if you have already applied the patch successfully:
[................]


Apply these 2 patches for your Windows version. Apply one by one. Install the first one and reboot Windows, install the second one and reboot again, and then use the tool above to check whether you patched the vulnerability:
http://www.catalog.update.microsoft.com ... =KB4012212

http://www.catalog.update.microsoft.com ... =KB4012215


Special patch version for Windows XP and other outdated versions:
http://www.catalog.update.microsoft.com ... =KB4012598
Last edited by ~ on Thu May 18, 2017 7:55 pm, edited 9 times in total.
YouTube:
http://youtube.com/@AltComp126

My x86 emulator/kernel project and software tools/documentation:
http://master.dl.sourceforge.net/projec ... ip?viasf=1
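As an added example, not from the thread and not ESET's script, here is a read-only PowerShell check for the three things the post above asks the reader to verify: whether the listed KBs are present, whether the SMBv1 server is still enabled, and whether the service display name and file names the poster saw are on the machine. It assumes PowerShell 3.0 or later, an elevated prompt, Windows 7 / Server 2008 R2 or newer, and that tasksche.exe sits in the same directory as mssecsvc.exe (the post only gives a path for the latter).

```powershell
# Added example (not from the thread): read-only checks for the items named
# in the original post. Assumes PowerShell 3.0+ and an elevated prompt.

# KB numbers exactly as listed in the original post.
$KnownKBs = @('KB4012212', 'KB4012215', 'KB4012598')

function Test-EternalBluePatch {
    # Get-HotFix reads the same data as "wmic qfe". Later monthly rollups can
    # supersede these KBs, so "none found" means "check Windows Update", not
    # proof that the machine is unpatched.
    $installed = @(Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $KnownKBs -contains $_.HotFixID })
    $result = if ($installed.Count -gt 0) {
        ($installed | ForEach-Object { $_.HotFixID }) -join ', '
    } else { 'none of the listed KBs found' }
    [PSCustomObject]@{ Check = 'MS17-010 KBs present'; Result = $result; Ok = ($installed.Count -gt 0) }
}

function Test-Smb1Enabled {
    # On Windows 7 / 2008 R2 the documented switch is the SMB1 registry value;
    # when the value is absent, SMBv1 is enabled (the default).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    $enabled = ($null -eq $val) -or ($val -ne 0)
    $result = if ($enabled) { 'SMB1 server is enabled' } else { 'SMB1 server is disabled' }
    [PSCustomObject]@{ Check = 'SMBv1 server disabled'; Result = $result; Ok = (-not $enabled) }
}

function Test-WannaCryArtifacts {
    # Service display name and file names are those quoted in the post.
    # Assumption: tasksche.exe is looked for next to mssecsvc.exe.
    $svc = Get-Service -DisplayName 'Microsoft Security Center (2.0) Service' -ErrorAction SilentlyContinue
    $files = @("$env:windir\mssecsvc.exe", "$env:windir\tasksche.exe" | Where-Object { Test-Path $_ })
    $hits = @()
    if ($svc) { $hits += "service '$($svc.Name)'" }
    $hits += $files
    $result = if ($hits.Count -gt 0) { $hits -join '; ' } else { 'nothing found' }
    [PSCustomObject]@{ Check = 'No known WannaCry artifacts'; Result = $result; Ok = ($hits.Count -eq 0) }
}

# Run all three checks and print a table; any row with Ok = False needs attention.
@(Test-EternalBluePatch; Test-Smb1Enabled; Test-WannaCryArtifacts) | Format-Table -AutoSize
```

The script only reads state; it does not remove anything. Finding the service or the files means the host should be treated as compromised and cleaned from known-good media, which is also what the post recommends, and a "none found" result for the KBs is a reason to run Windows Update rather than to download packages from a third-party site.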
hgoel
Member
Posts: 89
Joined: Sun Feb 09, 2014 7:11 pm
Libera.chat IRC: hgoel
Location: Within a meter of a computer

Re: Have you patched your Windows against EternalBlue?

Post by hgoel »

This one was patched a month or two ago, so for a technical group of people like osdevs, it hopefully isn't too big of a risk.
"If the truth is a cruel mistress, then a lie must be a nice girl"
Working on Cardinal
Find me at #Cardinal-OS (irc://chat.freenode.net:6697/Cardinal-OS) on freenode!
Brendan
Member
Posts: 8561
Joined: Sat Jan 15, 2005 12:00 am
Location: At his keyboard!
Contact:

Re: Have you patched your Windows against EternalBlue?

Post by Brendan »

Hi,

"Download and execute random stuff from an unknown and untrusted web site, to protect yourself against things and stuff!" is a great way to get infected by malware.

I've edited the original post to remove links to the unknown and untrusted web site.
Cheers,

Brendan
For all things; perfection is, and will always remain, impossible to achieve in practice. However; by striving for perfection we create things that are as perfect as practically possible. Let the pursuit of perfection be our guide.
~
Member
Posts: 1227
Joined: Tue Mar 06, 2007 11:17 am
Libera.chat IRC: ArcheFire

Re: Have you patched your Windows against EternalBlue?

Post by ~ »

The tool from GitHub is from ESET Antivirus.

I also read it before running it. It's just a VB Script that checks that the patches against EternalBlue are installed.

Without it the user won't know for certain if the patch for the actual dangerous exploit is in place.
YouTube:
http://youtube.com/@AltComp126

My x86 emulator/kernel project and software tools/documentation:
http://master.dl.sourceforge.net/projec ... ip?viasf=1
iansjack
Member
Posts: 4703
Joined: Sat Mar 31, 2012 3:07 am
Location: Chichester, UK

Re: Have you patched your Windows against EternalBlue?

Post by iansjack »

How many home users do you imagine expose SMB to the Internet?
zaval
Member
Posts: 656
Joined: Fri Feb 17, 2017 4:01 pm
Location: Ukraine, Bachmut
Contact:

Re: Have you patched your Windows against EternalBlue?

Post by zaval »

Ah, this. This is that Wannacrypt SMBv1 thing. Yes, I applied this KB. But the way I did it (the promptness) made me feel a little uncomfortable. I had always had update enabled, but since last autumn it got buggy, making 100% CPU usage for nothing. Interestingly, right after a monthly update, when I logged in as an administrator and let it install updates, it calmed down and didn't loop, but with some time it was gradually increasing in the looping again (the update service was starting shortly after the login and, since I am not logged in as an administrator, did nothing). Definitely a bug in the update service. So, last autumn, when this manifested, pissed off completely, I turned update off. And now this malware happened. I guess, should my machine be a real target for this attack, it would get infected way before I noticed somewhere on the Internet about this patch and installed it.
On the other hand, I don't use any anti-virus software (for years) and, thank god, never had any infections.
Last edited by zaval on Fri May 19, 2017 2:15 am, edited 1 time in total.
ANT - NT-like OS for x64 and arm64.
efify - UEFI for a couple of boards (mips and arm). Suspended due to loss of all the target park boards (russians destroyed our town).
bluemoon
Member
Posts: 1761
Joined: Wed Dec 01, 2010 3:41 am
Location: Hong Kong

Re: Have you patched your Windows against EternalBlue?

Post by bluemoon »

iansjack wrote: How many home users do you imagine expose SMB to the Internet?
While it's probably blocked by the firewall, there is still a huge attack surface from the local network, which can be exploited with other vectors (e.g. IoT, old NAS, or the recent CVE from Defender (*)).

Anyway, do not download security patch from random site, just use the Windows update.

REF: https://technet.microsoft.com/en-us/lib ... 22344.aspx
~
Member
Posts: 1227
Joined: Tue Mar 06, 2007 11:17 am
Libera.chat IRC: ArcheFire

Re: Have you patched your Windows against EternalBlue?

Post by ~ »

iansjack wrote: How many home users do you imagine expose SMB to the Internet?
It's dangerous because it's automatic and SMB 1/2 seem to be fully enabled by default, and only Windows 10 is not vulnerable.

The rest is done by a kernel level exploit to bugs in SMB, sent through the Internet, unless the patch is properly applied.

It seems that the hardest attack was activated this week and past week, so it can be dangerous if your network range is currently being scanned by this.
YouTube:
http://youtube.com/@AltComp126

My x86 emulator/kernel project and software tools/documentation:
http://master.dl.sourceforge.net/projec ... ip?viasf=1
iansjack
Member
Posts: 4703
Joined: Sat Mar 31, 2012 3:07 am
Location: Chichester, UK

Re: Have you patched your Windows against EternalBlue?

Post by iansjack »

~ wrote:
iansjack wrote: How many home users do you imagine expose SMB to the Internet?
It's dangerous because it's automatic and SMB 1/2 seem to be fully enabled by default, and only Windows 10 is not vulnerable.
That assumes that your router lets SMB through from the Internet. You'd have to be crazy to do that.

Initial infection more likely comes from a phishing email. I'd hope that people here are not stupid enough to fall for that. So it's not a big deal for sensible home users. It is, and has been, a problem for large organisations, where it just takes one idiot to get infected via an email and the malware can then spread via the internal SMB network.
bluemoon
Member
Posts: 1761
Joined: Wed Dec 01, 2010 3:41 am
Location: Hong Kong

Re: Have you patched your Windows against EternalBlue?

Post by bluemoon »

iansjack wrote:
~ wrote:
iansjack wrote: How many home users do you imagine expose SMB to the Internet?
It's dangerous because it's automatic and SMB 1/2 seem to be fully enabled by default, and only Windows 10 is not vulnerable.
That assumes that your router lets SMB through from the Internet. You'd have to be crazy to do that.

Initial infection more likely comes from a phishing email. I'd hope that people here are not stupid enough to fall for that. So it's not a big deal for sensible home users. It is, and has been, a problem for large organisations, where it just takes one idiot to get infected via an email and the malware can then spread via the internal SMB network.
Recently there is a new type of phishing email using Unicode domain names (it looks exactly like http://www.apple.com and even gets an https domain-validated certificate); even tech geeks might get caught off guard.
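As an added example, not part of bluemoon's post, the following PowerShell function shows how to expose the trick described above: it converts a hostname to the form the resolver actually sees (IDN labels become "xn--" punycode) and lists any non-ASCII code points, so a name that merely looks like an ASCII brand is flagged. It uses .NET's System.Globalization.IdnMapping and assumes PowerShell 3.0 or later; the two input names are constructed for the demonstration.

```powershell
# Added example (not from the thread): report what a displayed hostname
# becomes on the wire and which characters are outside ASCII.
# Assumes PowerShell 3.0+ (uses [PSCustomObject] and .NET IdnMapping).

function Get-HostnameScriptReport {
    param([Parameter(Mandatory = $true)][string]$Hostname)

    $idn = New-Object System.Globalization.IdnMapping
    # GetAscii applies IDNA: any label with non-ASCII characters comes back as xn--...
    $onTheWire = $idn.GetAscii($Hostname)

    # Collect every character above U+007F as a U+XXXX code point for inspection.
    $nonAscii = @($Hostname.ToCharArray() | Where-Object { [int]$_ -gt 127 } |
        ForEach-Object { 'U+{0:X4}' -f [int]$_ })

    [PSCustomObject]@{
        Displayed  = $Hostname
        OnTheWire  = $onTheWire
        NonAscii   = ($nonAscii -join ' ')
        # If the wire form differs from the displayed form, the name is not the ASCII name it resembles.
        Suspicious = ($onTheWire -ne $Hostname)
    }
}

# Constructed inputs: the genuine ASCII name and a look-alike whose first "a"
# is Cyrillic U+0430 (visually identical in most fonts).
$genuine  = 'www.apple.com'
$lookalike = 'www.' + [char]0x0430 + 'pple.com'

$genuine, $lookalike | ForEach-Object { Get-HostnameScriptReport -Hostname $_ } | Format-List
```

For the genuine name the wire form equals the displayed form and Suspicious is False; for the constructed look-alike the second label is emitted as an "xn--" punycode label, NonAscii lists U+0430, and Suspicious is True. Browsers make the same decision when they choose whether to show the punycode form in the address bar; checking the wire form (or the certificate's subject name) rather than the rendered text is what defeats the homograph.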
~
Member
Posts: 1227
Joined: Tue Mar 06, 2007 11:17 am
Libera.chat IRC: ArcheFire

Re: Have you patched your Windows against EternalBlue?

Post by ~ »

I got the WannaCry files installed in my server after a lot of BSODs for several weeks and a slow down. Fortunately Avast was installed and I realized that I needed a patch.

I first thought that it was because of the BenQ S6 drivers that failed after some hours of Apache serving files.

Then I thought that it was because it was an old version of Apache for Windows XP.

When the server crashed equally under a UMPC with Windows XP and under a laptop with Windows 7, I realized that it was virus-related. If I didn't have a home web server and Avast, but mainly a server to check networking the whole day as a side effect, I wouldn't have realized the problem.

A network might be protected, but if you use mobile machines you would be exposed; one only needs to see how many people, hospitals, businesses, governments and machines have been affected. It needed a patch that corrected the privileged memory leakage.
YouTube:
http://youtube.com/@AltComp126

My x86 emulator/kernel project and software tools/documentation:
http://master.dl.sourceforge.net/projec ... ip?viasf=1