
The Flash 'Reg' Lounge

  • 2,080,237 Views
  • 64,778 Replies
MSGhero
  • Member since: Dec. 15, 2010
Supporter
Level 16
Game Developer
Response to The Flash 'Reg' Lounge 2017-05-14 17:01:54

Good thing @egg82 is an exorcist.

egg82
  • Member since: Jun. 24, 2006
Supporter
Level 05
Game Developer
Response to The Flash 'Reg' Lounge 2017-05-14 17:44:31 (edited 2017-05-14 17:47:45)

At 5/14/17 05:01 PM, MSGhero wrote: Good thing @egg82 is an exorcist.

BEGONE, DEMONS!
BY THE POWER VESTED IN ME BY GATES HIMSELF, I SAY BEGONE!

Edit: Seriously, though. Your laptop does NOT like running Linux. Good thing diskpart is adequate enough for SSDs.


Programming stuffs (tutorials and extras)
PM me (instead of MintPaw) if you're confuzzled.
thank Skaren for the sig :P

egg82
  • Member since: Jun. 24, 2006
Supporter
Level 05
Game Developer
Response to The Flash 'Reg' Lounge 2017-05-14 22:52:54 (edited 2017-05-14 23:04:42)

Alrighty, here's a story for those who were out all weekend and have no idea what in the world just happened (and as of a few hours ago is happening again, but we'll get to that in a sec).

Now I normally wouldn't even be following this story much beyond "yeah, this happened. Again." but there's a few particular bits and moments that very much interested me. So here I am. Also, my days and times may be slightly off. I've been following this story off and on all weekend.

Our story begins on a Friday afternoon. I'm in the middle of calling professors across the country to push out new company-approved laptops and reading Reddit between calls. After a quick refresh of my home screen I see a new post with some title like "Ransomware sweeping across the globe" - thinking this was a sensationalist piece with little value (I mean, they mostly are) I skip it and find a new post on r/talesfromtechsupport. Ooh, goody!

Fast-forward a few hours. As I'm heading back from work I once again hop on Reddit and see what's going on. A few more pieces about this malware, so I figure "eh, why not?" and dig into one a bit. Again, looks pretty sensationalist and I wasn't interested in overblown facts in an article telling me everything I already knew. Closed, and found a few new posts on r/gaming and r/talesfromretail.

It wasn't until Saturday morning that I really noticed something was up. After reading Twitter and asking my Google Home what was going on in the world, I got some interesting news. Apparently the ransomware variant I had quickly checked up on and forgotten about had made a big splash. Bigger than usual. I decide to do a little more digging since I thought this particular variant was pretty par-for-the-course stuff.

So, here's the thing; I was right. This strain of malware was very standard and didn't really bear anything unusual. Uses "zero-day" exploit? Check. Infecting a ton of PCs? Check. Standard encryption and warning screen? Check. Asking for a variant amount of money based on factors present on the internal network? Check. AV evasion? Triple-check.

Except for one little thing that really bugged me. This malware contained a kill-switch in the form of a domain. Basically, this malware had a dropper (all of them do) that first checks to see if a domain gives a response. If it does, it shuts down immediately and nothing further happens. If it doesn't, it continues on and starts encrypting files. Again, this wouldn't have bugged me so much except for the fact that everything else was perfect. Everything. It would have been unbreakable and damn-near impossible to stop except for that one VERY BIG flaw.

A researcher by the name of MalwareTech discovered this domain and immediately bought it, not knowing what would happen. This is standard procedure for him in an attempt to track infections. This is the part of the story, I think, that made the whole thing really explode. Also, poor guy has now had to do a lot of diversion on his domain, Twitter, and e-mail accounts and has also been unintentionally doxed by the media. Ouch.

So this all raises a few questions. Clearly, the makers of this malware knew exactly what they were doing and how to do it. Were they being careless or was this simply a test? Either way, we're clear of it for now. It's only a matter of time before a new variant of this rolls around without the kill-switch, though...

Sunday morning rolls around with lots more fanfare but no more real news of this ransomware. It looks dead, and thank MT for it. Sunday afternoon, however, is a very different story. All of a sudden pings start coming up about a new variant that uses the same code and the same dropper minus the kill-switch. Welp. Fuck.

So, here's the rundown on how this thing works. Prepare for hell on Monday if you're one of the poor souls without patches.
It uses an exploit developed by the NSA a month or so prior called ETERNALBLUE (this exploit just got a Metasploit module named MS17-010)
ETERNALBLUE is an exploit targeted at SMB1 and is effective on all Windows systems that use it, including Win 10 up to some security patches (again, a month or so ago)
Also, yeah, I was wrong about the exploits earlier not affecting Win 10. Looks like at least one did, but researchers were using machines that were too up-to-date because MS couldn't put out a security bulletin on the bug due to an NSA gag-order.

Once you've got the red warning screen, it's game over and your files are already gone. I hope you either have working backups or a lot of money.

Have a happy Monday!

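The post above describes two things a defender can actually see on the wire: the dropper's kill-switch lookup (a DNS query for one domain before anything is encrypted) and worm-style spreading over SMB (one infected host fanning out to many peers on TCP 445). The following is an added example, not code from egg82's post or from MalwareTech; it runs that detection logic over constructed DNS and connection log lines. The log formats, the IP addresses and the placeholder domain `killswitch.example` are all assumptions made for the example, not the real indicator.

```python
"""Detection logic for the two behaviours described in the post:

1. kill-switch lookup: a client querying the sinkhole domain has already
   run the dropper, whether or not encryption followed;
2. SMB fan-out: a host contacting many distinct peers on TCP 445 inside a
   short window is spreading, not doing normal file-share traffic.

Added example. Log formats, addresses and the domain are constructed
placeholders, not real indicators.
"""
from collections import defaultdict
from datetime import datetime, timedelta

KILL_SWITCH_DOMAIN = "killswitch.example"  # placeholder, not the real domain

# Constructed sample DNS log: "<timestamp> <client> <qname>"
DNS_LOG = """\
2017-05-12T14:02:11 10.0.0.5 update.microsoft.com
2017-05-12T14:03:40 10.0.0.17 killswitch.example
2017-05-12T14:03:41 10.0.0.17 KILLSWITCH.EXAMPLE.
2017-05-12T14:05:02 10.0.0.23 killswitch.example
2017-05-12T14:06:00 10.0.0.5 reddit.com
"""

# Constructed sample connection log: "<timestamp> <src> <dst> <dport>"
# 10.0.0.17 sweeps six neighbours on 445 in five seconds (worm behaviour);
# 10.0.0.5 talks to one file server on 445 (normal); 10.0.0.23 uses 443.
CONN_LOG = """\
2017-05-12T14:03:45 10.0.0.17 10.0.0.1 445
2017-05-12T14:03:46 10.0.0.17 10.0.0.2 445
2017-05-12T14:03:47 10.0.0.17 10.0.0.3 445
2017-05-12T14:03:48 10.0.0.17 10.0.0.4 445
2017-05-12T14:03:49 10.0.0.17 10.0.0.5 445
2017-05-12T14:03:50 10.0.0.17 10.0.0.6 445
2017-05-12T14:04:10 10.0.0.5 10.0.0.100 445
2017-05-12T14:04:30 10.0.0.5 10.0.0.100 445
2017-05-12T14:05:10 10.0.0.23 10.0.0.100 443
"""


def kill_switch_hits(dns_log):
    """Return {client: lookup_count} for clients that queried the kill-switch
    domain. Case and a trailing dot are normalised so a resolver that logs
    FQDNs as 'NAME.' still matches."""
    hits = defaultdict(int)
    for line in dns_log.splitlines():
        if not line.strip():
            continue
        _ts, client, qname = line.split()
        if qname.rstrip(".").lower() == KILL_SWITCH_DOMAIN:
            hits[client] += 1
    return dict(hits)


def smb_fanout(conn_log, threshold=5, window=timedelta(seconds=60)):
    """Return {src: peak_unique_dsts} for sources that reached at least
    `threshold` distinct destinations on TCP 445 within any `window`.
    Uses a sliding window over each source's time-sorted 445 connections."""
    by_src = defaultdict(list)
    for line in conn_log.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        if dport == "445":
            by_src[src].append((datetime.fromisoformat(ts), dst))

    flagged = {}
    for src, events in by_src.items():
        events.sort()
        in_window = defaultdict(int)  # dst -> connections inside the window
        start = 0
        for ts, dst in events:
            in_window[dst] += 1
            # drop events that fell out of the window
            while ts - events[start][0] > window:
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= threshold:
                flagged[src] = max(flagged.get(src, 0), len(in_window))
    return flagged


if __name__ == "__main__":
    print("kill-switch lookups:", kill_switch_hits(DNS_LOG))
    print("SMB fan-out:", smb_fanout(CONN_LOG))
```

A kill-switch hit only tells you the dropper ran on that host; whether files were encrypted depends on whether the domain answered at the time of the lookup (it did not until MalwareTech registered it). The fan-out check is what catches the variant the post says arrived without the kill-switch, since that behaviour comes from the SMB exploit rather than the domain check.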
Gimmick
  • Member since: Aug. 20, 2008
Member
Level 27
Programmer
Response to The Flash 'Reg' Lounge 2017-05-15 04:37:40

At 5/13/17 12:44 PM, egg82 wrote: this might help some. You can also use FLAC with OGG, so you've really got your bases covered in terms of "compression like MP3" or "losslessness" - take your pick, really.

Hmm, didn't know that.


Slint approves of me! | "This is Newgrounds.com, not Disney.com" - WadeFulp
"Sit look rub panda" - Alan Davies

Glaiel-Gamer
  • Member since: Dec. 28, 2004
Member
Level 28
Game Developer
Response to The Flash 'Reg' Lounge 2017-05-16 00:14:23

At 5/12/17 11:29 PM, Gimmick wrote: The last time I encountered an OGG file that wasn't being ironic was in 2008. Wasn't the Vorbis project plagued with roadblocks too? Last I heard it was inferior to MP3, and its video codec was inferior to MP4. Seemed like the only thing going for it was that it was open source.

Pretty much literally every game uses OGG for music; it's widely supported in game engines and audio engines and has good open source support for loading it if you wanted to use something else.

Also doesn't have padding at the end like MP3 does, so it loops perfectly without any extra work.

Gimmick
  • Member since: Aug. 20, 2008
Member
Level 27
Programmer
Response to The Flash 'Reg' Lounge 2017-05-16 22:25:36

At 5/16/17 12:14 AM, Glaiel-Gamer wrote: pretty much literally every game uses ogg for music, its widely supported in game engines and audio engines and has good open source support for loading it if you wanted to use something else.

Hmm, I'll have to check a few game directory files then.

also doesn't have padding at the end like mp3 does so it loops perfectly without any extra work

That's nice to know...does that mean I can replay them smoothly in VLC? (I know foobar2000 can replay almost all media smoothly, but can't install it right now)


MSGhero
  • Member since: Dec. 15, 2010
Supporter
Level 16
Game Developer
Response to The Flash 'Reg' Lounge 2017-05-22 02:07:53

Can't let these kids and their devlogs show me up. Finally wrote something since I finally have free time again http://msghero.newgrounds.com/news/post/986889

Free time is nice time
egg82
  • Member since: Jun. 24, 2006
Supporter
Level 05
Game Developer
Response to The Flash 'Reg' Lounge 2017-05-22 02:33:23 (edited 2017-05-22 02:33:44)

At 5/22/17 02:07 AM, MSGhero wrote: Can't let these kids and their devlogs show me up. Finally wrote something since I finally have free time again http://msghero.newgrounds.com/news/post/986889

Free time is nice time

Yeah, no kidding. Makes me want to do a write-up on something, but the only things I got currently are the two MC mods and my framework.

I assume that means your PC's fixed? :D?


MSGhero
  • Member since: Dec. 15, 2010
Supporter
Level 16
Game Developer
Response to The Flash 'Reg' Lounge 2017-05-22 02:37:16

At 5/22/17 02:33 AM, egg82 wrote: I assume that means your PC's fixed? :D?

SFC caught something after I updated my BIOS, haven't had an issue in the past 24 hours or so...