Sihai network

Where does the EternalBlue ransomware come from? How to prevent the WannaCry 2.0 virus

"Some of your important files have been encrypted and saved by me: photos, pictures, documents, compressed packages, audio, video files, exe files, etc." "If you want to recover all documents, you need to pay the equivalent of $300 in bitcoin," and "it is best to pay within three days; after three days the cost will double."

Recently, a ransomware worm called WannaCry (also known as "Wanna Cry" and "EternalBlue") has spread from NHS hospitals in the UK across the world. Within five hours, machines in more than 100 countries, including the United States, Russia, China and all of Europe, had been hit. According to data released by the 360 Threat Intelligence Center on the morning of May 14, as of 20:00 on May 13, 29,372 institutions in China had been infected, involving hundreds of thousands of machines; 4,341 of them were educational and research institutions, the hardest-hit sector in this event.

Where does the WannaCry ransomware come from?

Ma Jinsong, head of the anti-virus laboratory of the Tencent Security Joint Laboratory and a security expert for Tencent PC Manager, said that the biggest difference between the WannaCry ransomware incident and earlier ones is that the ransomware spreads in the manner of a worm, using the MS17-010 vulnerability from the NSA (United States National Security Agency) tools leaked not long ago.

The MS17-010 vulnerability is a flaw in the Windows SMBv1 server: an attacker sends specially crafted network packets to port 445 of the target machine and achieves remote code execution, with no credentials and no user interaction. Microsoft had already patched it in March 2017, before the outbreak, which is why the machines hit were overwhelmingly those that had not installed the update.

In this incident, the attackers used the vulnerability to scan the network for hosts with port 445 open and then implanted two families of worm-based ransomware, Onion and WNCRY, on the compromised computers. Each controlled computer in turn scans for other computers, so the infection spreads in a chain reaction. Most university network environments had done nothing about port 445, which is one reason universities were among the hardest hit.

One characteristic of the Onion and WNCRY families is that they demand ransom in bitcoin, 3 to 5 bitcoins and 300 to 600 US dollars respectively, hence the names "ransomware" and "bitcoin virus". (At the current market price, one bitcoin is about 10,000 yuan.) Because the exploit for MS17-010 in the leaked NSA files is called "EternalBlue", this attack is also called "EternalBlue". (EternalBlue has been described as a "nuclear-weapon class" cyber attack tool of the United States National Security Agency.)

A variant appears: WannaCry 2.0

On May 14, the Beijing Municipal Committee of the Communist Party of China, the Beijing Municipal Public Security Bureau and the Beijing Municipal Commission of Economy and Information Technology jointly issued a notice on the WannaCry ransomware worm variant and recommended handling. According to the notice, the authorities found a variant of the WannaCry ransomware worm, WannaCry 2.0, which, unlike the earlier version, has removed the so-called kill switch.

A "kill switch" is an emergency stop. Before the earlier version of WannaCry began spreading, it sent an HTTP request to a hard-coded domain name: if the request succeeded (the domain had been registered and was reachable), the worm exited; if not, it went on to attack. Note that the check tests reachability rather than registration: a machine with no direct route to the internet, for example one behind a proxy, fails the check and keeps spreading even after the domain has been registered.

When the ransomware outbreak was at its height, a British security researcher analysing the samples found that the code began with a reference to a particular domain name that had not yet been registered. Out of professional habit he paid a small fee to register it. Unexpectedly, this act triggered the emergency stop left in the code by the author, halting the spread of WannaCry.

WannaCry 2.0, however, has the kill switch removed, which means the spread of the mutated ransomware worm can no longer be switched off by registering a domain name, so it may spread faster.

How to prevent the WannaCry 2.0 virus

The three Beijing departments pointed out in the notice that WannaCry 2.0 is handled in the same way as the earlier version:

1. Immediately organise intranet detection to find all terminals and servers with the SMB service port 445 open. Once an infected machine is found, disconnect it from the network immediately for handling. At present, formatting the hard disk appears to remove the virus.

2. Microsoft has released the MS17-010 security update to fix the system vulnerability exploited by EternalBlue; install it as soon as possible. See https://technet.microsoft.com/zh-cn/library/security/ms17-010. For Windows XP, Server 2003 and other systems for which Microsoft no longer provides security updates, upgrade the operating system or close the ports affected by the vulnerability to avoid being affected by this ransomware and other malware. (Microsoft subsequently also published an emergency MS17-010 update for these unsupported systems.)

3. Once an infected machine is found, disconnect it from the network immediately.

4. Enable Windows Firewall, open Advanced Settings, and disable the "File and Printer Sharing" rules under inbound rules. Close ports 135, 137, 138, 139 and 445 (TCP and UDP), and turn off network file sharing.

5. Strictly prohibit USB flash drives, portable hard disks and other removable media that can carry malware between networks ("ferry" attacks).

6. Back up the important documents on your computer to a storage device as soon as possible, and disconnect that device afterwards, since connected drives can be encrypted too.

7. Update the operating system and applications to the latest versions promptly.

8. Strengthen e-mail security; effectively blocking phishing e-mail removes many hidden dangers.

9. Install genuine operating systems, office software and so on.
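The following PowerShell script is an added example, not part of the article or of the Beijing notice; it carries out steps 1, 2 and 4 above (and the port 445 sweep described earlier) on a Windows host. The subnet prefix is a placeholder to replace with your own, the MS17-010 KB list is the set of commonly cited update numbers, and the script must be run from an elevated prompt.

```powershell
# Added example (not from the article): find hosts with TCP 445 open, check
# whether an MS17-010 update is present, disable SMBv1 and block the affected
# ports inbound. Run as Administrator. Set-SmbServerConfiguration and
# New-NetFirewallRule need Windows 8 / Server 2012 or later; the registry
# fallback covers Windows 7 / Server 2008 R2 (reboot afterwards).

# --- Step 1: sweep a /24 for hosts that accept connections on TCP 445 ----
function Find-OpenSmbHosts {
    param(
        [Parameter(Mandatory)] [string] $Prefix,   # e.g. '10.0.0' for 10.0.0.0/24 (placeholder)
        [int] $TimeoutMs = 300
    )
    $open = @()
    foreach ($i in 1..254) {
        $ip = "$Prefix.$i"
        $client = New-Object System.Net.Sockets.TcpClient
        $async  = $client.BeginConnect($ip, 445, $null, $null)
        # Connected is only true if the handshake completed within the timeout
        if ($async.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected) {
            $open += $ip
        }
        $client.Close()
    }
    return $open
}

# --- Step 2: look for an installed MS17-010 update ------------------------
# Commonly cited MS17-010 KB numbers (Win7/2008R2, 8.1/2012R2, 2012, 10 1607,
# and the emergency update for XP/2003/8). Later cumulative updates supersede
# them, so "not found" means "verify via Windows Update", not "vulnerable".
$Ms17010Kbs = 'KB4012212','KB4012215','KB4012213','KB4012216',
              'KB4012214','KB4012217','KB4013429','KB4012598'

function Test-Ms17010Installed {
    $found = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
    return [bool]$found
}

# --- Step 4: disable SMBv1 and block SMB/NetBIOS inbound ------------------
function Disable-SmbV1 {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        # Windows 7 / 2008 R2: the SMBv1 server is switched off via this value
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
            -Name SMB1 -Type DWord -Value 0 -Force
    }
}

function Block-SmbInbound {
    # The group name is localised; on a Chinese system use '文件和打印机共享'
    Disable-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound `
        -ErrorAction SilentlyContinue
    New-NetFirewallRule -DisplayName 'Block SMB/NetBIOS TCP inbound (MS17-010)' `
        -Direction Inbound -Protocol TCP -LocalPort 135,139,445 -Action Block -Profile Any | Out-Null
    New-NetFirewallRule -DisplayName 'Block NetBIOS UDP inbound (MS17-010)' `
        -Direction Inbound -Protocol UDP -LocalPort 135,137,138 -Action Block -Profile Any | Out-Null
}

# Usage
$hosts = Find-OpenSmbHosts -Prefix '10.0.0'      # placeholder prefix
Write-Host "Hosts with TCP 445 open: $($hosts -join ', ')"
if (-not (Test-Ms17010Installed)) {
    Write-Warning 'No MS17-010 KB found; confirm the patch level via Windows Update.'
}
Disable-SmbV1
Block-SmbInbound
```

Blocking port 445 inbound stops file sharing and, on a domain controller, Active Directory traffic, so apply the firewall part to workstations, or scope the rule to the addresses that genuinely need SMB, rather than to servers wholesale. The KB check is advisory only: a later cumulative update that contains the fix will not appear under any of the listed numbers.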

But Zheng Wenbin, 360's chief security engineer, also said that in a sense the ransomware is "preventable but not curable". "This time the virus's encryption is very strong and in principle very hard to crack, unless a flaw can be found in it, and that might take decades in vain." Zheng Wenbin said the ransomware attack targets Windows 8.1 and below, so Windows 10 and Apple systems are safe for the time being.

Can WannaCry infect mobile phones?

At present, the WannaCry ransomware only attacks computers running Windows; mobile phones and other devices, including those running UNIX, Linux or Android, will not be affected.

However, security sources say that since last year more and more ransomware disguised as normal apps has appeared on mobile phones, using games or video playback to lure users into tapping and infecting their phones.

Mobile users are therefore advised not to download apps from unofficial channels or open unfamiliar e-mail links and web pages.