Have you patched your Windows against EternalBlue?
It creates a service called "Microsoft Security Center (2.0) Service". Just run "services.msc" to find out if it's present and remove it with a good antivirus or manually with the disk as external.
I'm asking this because it seems to be an extremely dangerous exploit that allows the installation of cryptographic viruses against user files from Windows XP onwards, via an automated SMB 1/Samba 1 attack from the Internet.
The C:\WINDOWS\mssecsvc.exe and tasksche.exe ended up being installed in my Windows 7 server overnight today, but Avast stopped it. I can upload a 7-Zipped file with the worm if you want a sample of it.
Now I've put this information here so that the least amount of people get to lose extremely important files.
EternalBlue is an extremely dangerous vulnerability coming from the Internet that often causes blue screens of death and the installation of cryptographic file viruses that ask for money to rescue our files. It affects mainly Windows XP and newer versions.
Use the following tool to check if you have already applied the patch successfully:
[................]
Apply these 2 patches for your Windows version. Apply one by one. Install the first one and reboot Windows, install the second one and reboot again, and then use the tool above to check whether you patched the vulnerability:
http://www.catalog.update.microsoft.com ... =KB4012212
http://www.catalog.update.microsoft.com ... =KB4012215
Special patch version for Windows XP and other outdated versions:
http://www.catalog.update.microsoft.com ... =KB4012598
Last edited by ~ on Thu May 18, 2017 7:55 pm, edited 9 times in total.
YouTube:
http://youtube.com/@AltComp126
My x86 emulator/kernel project and software tools/documentation:
http://master.dl.sourceforge.net/projec ... ip?viasf=1
- hgoel
- Member
- Posts: 89
- Joined: Sun Feb 09, 2014 7:11 pm
- Libera.chat IRC: hgoel
- Location: Within a meter of a computer
Re: Have you patched your Windows against EternalBlue?
This one was patched a month or two ago, so for a technical group of people like osdevs, it hopefully isn't too big of a risk.
"If the truth is a cruel mistress, then a lie must be a nice girl"
Working on Cardinal
Find me at [url=irc://chat.freenode.net:6697/Cardinal-OS]#Cardinal-OS[/url] on freenode!
Re: Have you patched your Windows against EternalBlue?
Hi,
"Download and execute random stuff from an unknown and untrusted web site, to protect yourself against things and stuff!" is a great way to get infected by malware.
I've edited the original post to remove links to the unknown and untrusted web site.
Cheers,
Brendan
For all things; perfection is, and will always remain, impossible to achieve in practice. However; by striving for perfection we create things that are as perfect as practically possible. Let the pursuit of perfection be our guide.
Re: Have you patched your Windows against EternalBlue?
The tool from GitHub is from ESET Antivirus.
I also read it before running it. It's just a VB Script that checks that the patches against EternalBlue are installed.
Without it the user won't know for certain if the patch for the actual dangerous exploit is in place.
YouTube:
http://youtube.com/@AltComp126
My x86 emulator/kernel project and software tools/documentation:
http://master.dl.sourceforge.net/projec ... ip?viasf=1
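The original post describes checking for the "Microsoft Security Center (2.0) Service", the mssecsvc.exe and tasksche.exe files, and the KB4012212 / KB4012215 / KB4012598 patches, and the post above describes a script that checks whether those patches are installed. Below is an added, read-only triage script that does those checks on the local machine; it is not the thread's script, not ESET's tool, and not part of any project discussed here. It assumes the KB numbers, service display name and file names quoted in the thread; the SMBv1 registry check follows Microsoft's documented LanmanServer setting, where an absent value means SMBv1 is enabled. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the thread: local triage for the checks the posts describe.
# Read-only: it reports, it does not remove, stop or change anything.

# 1. Hotfixes named in the original post (Win7 / Server 2008 R2 rollups and the XP special patch).
$kbs = @('KB4012212', 'KB4012215', 'KB4012598')
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
$present = $kbs | Where-Object { $installed -contains $_ }
if ($present) {
    "MS17-010 hotfix found: $($present -join ', ')"
} else {
    "None of $($kbs -join ', ') listed by Get-HotFix."
    "A later monthly rollup also contains the fix, so confirm through Windows Update rather than third-party links."
}

# 2. SMBv1 server state. The 'SMB1' DWORD under LanmanServer\Parameters is absent by default,
#    which means SMBv1 is enabled; a value of 0 means it has been explicitly disabled.
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$smb1 = Get-ItemProperty -Path $params -Name SMB1 -ErrorAction SilentlyContinue
if ($null -eq $smb1 -or $smb1.SMB1 -ne 0) {
    "SMBv1 server: enabled (default setting)"
} else {
    "SMBv1 server: disabled"
}

# 3. The service display name quoted in the original post.
$svc = Get-Service | Where-Object { $_.DisplayName -like 'Microsoft Security Center (2.0)*' }
if ($svc) {
    "Suspicious service present: '$($svc.DisplayName)' (name: $($svc.Name), status: $($svc.Status))"
} else {
    "No 'Microsoft Security Center (2.0) Service' registered."
}

# 4. The two file names quoted in the original post, under the Windows directory.
foreach ($f in @("$env:windir\mssecsvc.exe", "$env:windir\tasksche.exe")) {
    if (Test-Path $f) { "File present: $f" } else { "Not found: $f" }
}

# 5. Whether anything is listening on the SMB port at all (TCP 445). Whether that port is
#    reachable from outside the LAN is a question for the router or firewall, not this host.
netstat -ano | Select-String ':445\s'
```

Get-HotFix only lists updates recorded by Windows Update or the standalone installer, and the March 2017 fix was rolled into every later cumulative rollup, so "KB not listed" is a prompt to verify, not proof of exposure. A present SMBv1 setting with a listening port 445 is the combination the thread is warning about; disabling SMBv1 where nothing needs it is the usual mitigation alongside the patch.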
Re: Have you patched your Windows against EternalBlue?
How many home users do you imagine expose SMB to the Internet?
Re: Have you patched your Windows against EternalBlue?
ah, this. this is that Wannacrypt SMBv1 thing. yes i applied this kb. but the way i did it (the promptness), made me feel a little uncomfortable. i had always update enabled, but since last autumn, it got buggy, making 100% cpu usage for nothing. interestingly, right after a monthly update, when I logged as an administrator and let it install updates, it calmed down and didn't loop, but with some time, it was gradually increasing in the looping again (the update service was starting shortly after the login and since I am not logged as an administrator, did nothing). definitely a bug in the update service. so, last autumn, when this has manifested, pissed off completely, I turned update off. and now this malware happened. I guess, should my machine be a real target for this attack, it would get infected way before I noticed somewhere on the Internet about this patch and installed it.
on the other hand, i don't use any anti-virus software (for years) and thank god, never had any infections.
Last edited by zaval on Fri May 19, 2017 2:15 am, edited 1 time in total.
Re: Have you patched your Windows against EternalBlue?
iansjack wrote:
How many home users do you imagine expose SMB to the Internet?
While it's probably blocked by the firewall, there is still a huge attack surface from the local network, which can be exploited via other vectors (e.g. IoT, an old NAS, or the recent CVE in Defender(*)).
Anyway, do not download security patches from random sites, just use Windows Update.
REF: https://technet.microsoft.com/en-us/lib ... 22344.aspx
Re: Have you patched your Windows against EternalBlue?
iansjack wrote:
How many home users do you imagine expose SMB to the Internet?
It's dangerous because it's automatic and SMB 1/2 seem to be fully enabled by default, and only Windows 10 is not vulnerable.
The rest is done by a kernel level exploit to bugs in SMB, sent through the Internet, unless the patch is properly applied.
It seems that the hardest attack was activated this week and past week, so it can be dangerous if your network range is currently being scanned by this.
YouTube:
http://youtube.com/@AltComp126
My x86 emulator/kernel project and software tools/documentation:
http://master.dl.sourceforge.net/projec ... ip?viasf=1
Re: Have you patched your Windows against EternalBlue?
~ wrote:
iansjack wrote:
How many home users do you imagine expose SMB to the Internet?
It's dangerous because it's automatic and SMB 1/2 seem to be fully enabled by default, and only Windows 10 is not vulnerable.
That assumes that your router lets SMB through from the Internet. You'd have to be crazy to do that.
Initial infection more likely comes from a phishing email. I'd hope that people here are not stupid enough to fall for that. So it's not a big deal for sensible home users. It is, and has been, a problem for large organisations where it just takes one idiot to get infected via an email and the malware can then spread via the internal SMB network.
Re: Have you patched your Windows against EternalBlue?
iansjack wrote:
~ wrote:
iansjack wrote:
How many home users do you imagine expose SMB to the Internet?
It's dangerous because it's automatic and SMB 1/2 seem to be fully enabled by default, and only Windows 10 is not vulnerable.
That assumes that your router lets SMB through from the Internet. You'd have to be crazy to do that.
Initial infection more likely comes from a phishing email. I'd hope that people here are not stupid enough to fall for that. So it's not a big deal for sensible home users. It is, and has been, a problem for large organisations where it just takes one idiot to get infected via an email and the malware can then spread via the internal SMB network.
Recently there is a new type of phishing email using a Unicode domain name (it looks exactly like http://www.apple.com and even gets an HTTPS domain-verified certificate); even a tech geek might get caught off guard.
Re: Have you patched your Windows against EternalBlue?
I got the WannaCry files installed in my server after a lot of BSODs for several weeks and a slow down. Fortunately Avast was installed and I realized that I needed a patch.
I first thought that it was because of the BenQ S6 drivers that failed after some hours of Apache serving files.
Then I thought that it was because it was an old version of Apache for Windows XP.
When the server crashed equally under a UMPC with Windows XP and under a laptop with Windows 7, I realized that it was virus-related. If I didn't have a home web server and Avast, but mainly a server to check networking the whole day as a side effect, I wouldn't have realized the problem.
A network might be protected but if you use mobile machines you would be exposed, one only needs to see how many people, hospitals, businesses, governments and machines have been affected. It needed a patch that corrected the privileged memory leakage.
YouTube:
http://youtube.com/@AltComp126
My x86 emulator/kernel project and software tools/documentation:
http://master.dl.sourceforge.net/projec ... ip?viasf=1