Windows 10: New global ransomware attack hits East Europe and spreading

Discussion in 'AntiVirus, Firewalls and System Security' started by AndreTen, Jun 26, 2017.

  1. Hydrate Win User

    Of course! My specialty is InfoSec and IT security. So, I've really invested my time into this new wiper.

    To reduce the attack surface and minimize the probability of the malware spreading and to prevent future attacks, yes. I recommend blocking these ports unless you use NetBIOS. I agree with Symantec as they explain if you do not use SMB or Windows Network File Sharing capabilities, turn off NetBIOS and SMB, as well as adding the port configurations for extra protection.

    Not necessarily a problem unless you have other P2P clients and services running on your IP address (assuming a poorly configured firewall and router; best to assume the worst to be secure), which can be used by attackers for a remote execution exploit or to run arbitrary code if that software is not updated and remains vulnerable.

    I turn it off because I have high speed internet and all the time in the world to download updates (automatically).

    If you do not use NetBIOS, I suggest you turn it off in services to reduce attack surface; it's a great way for hackers to get in on a Windows box.

    I found all the rules required to block the current strain of Petya we know of (thanks Symantec <3):



    • Add the following Inbound network rules:
      • Action: Deny, Protocol: Both TCP and UDP, Local Port: 137, Remote IP: Any, Remote Port: Any
      • Action: Deny, Protocol: Both TCP and UDP, Local Port: 138, Remote IP: Any, Remote Port: Any
      • Action: Deny, Protocol: Both TCP and UDP, Local Port: 139, Remote IP: Any, Remote Port: Any
      • Action: Deny, Protocol: TCP, Local Port: 445, Remote IP: Any, Remote Port: Any
    • Add the following Outbound network rules:
      • Action: Deny, Protocol: Both TCP and UDP, Local Port: Any, Remote IP: Any, Remote Port: 137
      • Action: Deny, Protocol: Both TCP and UDP, Local Port: Any, Remote IP: Any, Remote Port: 138
      • Action: Deny, Protocol: Both TCP and UDP, Local Port: Any, Remote IP: Any, Remote Port: 139
      • Action: Deny, Protocol: TCP, Local Port: Any, Remote IP: Any, Remote Port: 445


    My policy is that for the ports listed, you access your Firewall (assuming Windows 10) from:

    Create new firewall rules according to the rules I have described above.

    If you would like, I will create a PowerShell script to append the same rules to your current firewall configuration!
     
    Hydrate, Jun 30, 2017
    #91
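The rule list in #91 expressed as the PowerShell script Hydrate offers to write, added here as an example and not Hydrate's or the thread's own code. It assumes Windows 10 with the built-in NetSecurity module and an elevated session; the rule names and the Add-BlockRule helper are choices made for this example.

```powershell
# Added example: applies the inbound/outbound block rules listed in #91 with
# New-NetFirewallRule. Run from an elevated PowerShell prompt on Windows 10.
# Rule names and the helper function are assumptions made for this example.

$netbiosPorts = 137, 138, 139   # NetBIOS name, datagram and session services (TCP and UDP)
$smbPort      = 445             # SMB over TCP only

function Add-BlockRule {
    param(
        [Parameter(Mandatory)][ValidateSet('Inbound', 'Outbound')][string]$Direction,
        [Parameter(Mandatory)][ValidateSet('TCP', 'UDP')][string]$Protocol,
        [Parameter(Mandatory)][int]$Port
    )
    $name = "Block-$Protocol-$Port-$Direction"

    # Skip rules that already exist so the script can be re-run safely
    if (Get-NetFirewallRule -Name $name -ErrorAction SilentlyContinue) {
        Write-Host "Rule $name already exists, skipping"
        return
    }

    # Inbound rules match on the local port, outbound rules on the remote port,
    # mirroring the two lists in the post (the box you put the port in matters,
    # as #96 in this thread shows)
    $portArgs = if ($Direction -eq 'Inbound') { @{ LocalPort = $Port } } else { @{ RemotePort = $Port } }

    New-NetFirewallRule -Name $name -DisplayName $name -Direction $Direction `
        -Action Block -Protocol $Protocol -RemoteAddress Any -Profile Any `
        -Enabled True @portArgs | Out-Null
    Write-Host "Added $name"
}

foreach ($dir in 'Inbound', 'Outbound') {
    foreach ($p in $netbiosPorts) {
        foreach ($proto in 'TCP', 'UDP') {
            Add-BlockRule -Direction $dir -Protocol $proto -Port $p
        }
    }
    Add-BlockRule -Direction $dir -Protocol 'TCP' -Port $smbPort
}

# Verify what this script manages
Get-NetFirewallRule -DisplayName 'Block-*' | Select-Object Name, Direction, Action, Enabled
```

`Remove-NetFirewallRule -DisplayName 'Block-*'` undoes everything the script added if, as in Steve C's case below, something you rely on turns out to need NetBIOS.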
  2. Steve C Win User

    Great post 89 by Hydrate! I disabled NetBIOS as suggested. I also see you can disable NetBIOS via the TCP settings from the network adapter. Which is the best approach?

    I use Kaspersky Total Security and tried disabling the ports in KTS. However, video streaming from BBC iPlayer stops as soon as I disable port 137. It seems disabling these ports is not a good idea for me. It would be useful to know what these ports are used for so people can decide whether to disable them.
     
    Steve C, Jul 1, 2017
    #92
  3. Hydrate Win User
    This is an awesome discussion! so lively and rich!

    When you block the settings at the adapter level, this is known as reducing your attack surface.

    I suggest using Windows Firewall for BBC iPlayer and add an outbound inbound exception (rules can be overridden) for it while still adding the rules so the program can work. I do not depend on 3rd party paid software to do my bidding normally, but you should add the rules to Kaspersky and WF (I love Kaspersky).

    According to: Port 137 (tcp/udp) :: SpeedGuide

    Which is accurate.


    Port | Protocol | Name | Description | Source
    137 | tcp,udp | NetBIOS | NetBIOS Name Service (official) | Wikipedia
    137 | tcp | trojan | Chode, Nimda | Trojans
    137 | udp | trojan | Bugbear, Msinit, Opaserv, Qaz | Trojans
    137 | tcp,udp | netbios-ns | NETBIOS Name Service | IANA
    137 | tcp | Chode [trojan] | Chode | Neophasis
    137 | tcp | Qaz [trojan] | Qaz | Neophasis
    137 | udp | Msinit [trojan] | Msinit | Neophasis
    137 | udp | threat | Femot | Bekkoame
    137 | udp | threat | Msinit | Bekkoame
    137 | tcp | threat | Chode | Bekkoame


    The NetBIOS Name Service is sent outbound from svchost.exe and is used by numerous malware families, now including Petya.
    It translates human-readable names to IPv4 addresses and can be used across multiple protocols; however, it may be safely disabled if you do not explicitly use NetBIOS.
     
    Hydrate, Jul 1, 2017
    #93
  4. Steve C Win User

    I know how to block Ports in Kaspersky Total Security but I can't work out how to add an exception for sites like BBC iPlayer. Any ideas?
     
    Steve C, Jul 1, 2017
    #94
  5. Hydrate Win User
    My idea would be to simply remove the firewall rules made in Kaspersky and stick to Windows Firewall, add the normal blocking rule, and add an outbound/inbound rule for the .exe of BBC iPlayer with overriding allowed.
     
    Hydrate, Jul 1, 2017
    #95
  6. Steve C Win User
    It's OK now. I was putting the port number in the remote port box instead of the local port box!
     
    Steve C, Jul 1, 2017
    #96
  7. Hydrate Win User
    There are no oopsies in the corporate IT world. Only pink slips.

    Jk, that's fine. It's important to configure correctly as it just defeats the whole purpose sometimes, such as in this case! I'm happy you caught the error.
     
    Hydrate, Apr 5, 2018
    #97