back to article Windows XP crashed too much to spread WannaCrypt

Yes, WannaCrypt can infect all those machines that still run Windows XP, but because XP is so flaky the zombie boxen are unlikely to have contributed much to the spread of the worm. That's the conclusion of Kryptos Logic researchers after a couple of weeks trashing crash-test-dummy machines in the laboratory. The company …

Funny

Now I know that XP is well beyond it's end of life and I know that new version are far superior, but how did XP go from what was considered a very stable version of windows to an OS that crashes at the slightest whim?

I think XP is getting too little credit, there's a reason why it's still so insanely widespread.

13
3

Re: Funny

Insanely widespread .... because the beancounters wouldn't agree to the cost of upgrading the software and then the hardware needed to run the new software. So blame the accountants for the whole mess.

5
2
Windows

Re: Funny

Also the immediate successor to XP was Vista which was widely panned, thus putting people off from upgrading when their hardware might have coped with it.

12
0

Relativity

I think XP was considered a very stable version of Windows - when compared to 95/98/ME.

18
0
Anonymous Coward

Re: Blame the accountants

alongside the MBA's who morph into PHB's as soon as the get some responsibility.

Add in corrosive envitonments like those described at DXC yesterday where I'm sure it won't be long before toilet paper is rationed (or exchanged for Gov issue Izal sheets) and you get the perfect environment.

The PHB's can hide behind 'If it ain't broke then don't fix it' while ignoring the fact that XP was broke OOTB.

There but for the grace of god (and my job going to India) go I. Gardening leave ain't so bad after all. not sure if I want to look for another IT job at the moment.

3
1

Re: Relativity

> I think XP was considered a very stable version of Windows - when compared to 95/98/ME.

...and running workloads it was (more or less) designed for. Any software running reasonably good on AMD64 W7 most probably does not work well with i386 WXP.

3
1
Silver badge
Windows

@Danny

"Now I know that XP is well beyond it's end of life"

You'd be surprised, Microsoft still maintains it. Just not for John Doe anymore, but only for those who are willing to cough up a big paycheck for all the hard work. Why do you think they released that patch in the open? Trust me: they didn't build that out of good will and such.

There are still many legit XP environments out there. Even my government quickly ensured the continued use of XP when it became clear that Microsoft was really going to pull the plug. Makes you wonder how skilled the people within those organizations are. I mean: the rest of the world had seen it long coming, yet within our wonderful world of bureaucracy they needed a good dose of the taxpayers money so that they could maintain the status quo.

And that's just one, I know there are plenty of other European governments where XP is still a thing. And Microsoft is more than happy to oblige (for the right payment of course). Always fun to know that plenty of your tax dollars get "well spent", right?

6
1
Silver badge

Re: And Microsoft is more than happy to oblige (for the right payment of course).

What would you prefer?

1
2
Silver badge
Windows

Re: And Microsoft is more than happy to oblige (for the right payment of course).

"What would you prefer?"

Software that isn't so shitty?

8
4
Anonymous Coward

Re: @Danny

I mean: the rest of the world had seen it long coming, yet within our wonderful world of bureaucracy they needed^H^H^H^H^H^Hknew they'd get a good dose of the taxpayers money so that they could maintain the status quo.

FTFY

7
1
LDS
Silver badge

Re: Funny

I would not be surprised if an exploit that attempts to use a memory corruption bug may crash the machine - especially if it can corrupt kernel memory (a BSOD means something is wrong in the kernel), and doesn't corrupt it in an always reliable way.

While looking for vulnerabilities it's not uncommon to crash any OS you may work with - it's exactly unexpected situations you're looking for - and the post mortem debugger info could lead to useful insights about how to exploit the issue.

In some situations (not all, of course), an OS that crashed under attack may be better than one that lets the attack succeed and propagate.

3
0
Anonymous Coward

Re: Funny

Insanely widespread .... because the beancounters wouldn't agree to the cost of upgrading the software and then the hardware needed to run the new software. So blame the accountants for the whole mess.

<- Ex NHS IM&T.

Is replacing a multi million pound state of the art MRI machine because the control software only runs properly on XP is a sensible use of money compared to the deployed solution of either not connecting it to the network, or putting a hardware firewall in place that only allows access to the webpage that serves results? Did that result in any infections? No evidence to suggest it did so far.

The *actual* problem? The "NHS" is actually comprised of many hundred independent trusts, all of which operate their IT to widely different standards, many of which are not competent to be running a network. Why do I say that?

This is what's blocked on the central NHS mail system (nhs.net)

http://www.ipswichandeastsuffolkccg.nhs.uk/LinkClick.aspx?fileticket=IE4CvEtA3OU%3d&tabid=933&portalid=1&mid=3371

And we know that NHS Mail/NHS.net was not used to spread the infection.

https://www.digital.nhs.uk/media/1486/NHSmail-confirmation-it-is-safe-to-connect/pdf/NHSmail_150517

Therefore, this event simply provides a map of which trusts are:-

A) Running their own onsite mailservers.

B) Not adequately securing said mailservers.

C) Not adequately securing their network.

The reason not to use the (cheap) central NHS Mail (nhs.net) for email when I was working in IM&T was if the trusts IM&T department did not meet the audit requirements for low level admin access to central systems or wanted to run their own (expensive) exchange setup. Which is sort of bourne out by having a network insecure enough to get written off by wannaCrypt.

Searching questions ought to be asked of these trusts as to what is going on, but they have so far gotten away scot free.

7
0
LDS
Silver badge

"software running reasonably good on AMD64 W7 most probably does not work well with i386 WXP"

Yes, I'm quite sure any 64-bit code will have issues running on 32-bit XP... <G>

Jokes apart, running newer software on older hardware has always been a probable source of issues, because the higher hardware resources expectations - and XP may have issue to exploit actual hardware fully (multiple cores, SSD disks, large RAM) - and, often, if you're still using XP is because you have also hardware compatibility issues.

And of course software written for 7 may use APIs not available on XP, so it woldn't work either.

There are profilers (i.e. AQTime) which have an API calls profiler which will tell you what APIs are called and on which version of Windows the application will run on.

4
0
Silver badge

Re: @Danny

@ShelLuser

" Why do you think they released that patch in the open? Trust me: they didn't build that out of good will and such."

The patch in question was written for POSReady 2009 or some variant of XP embedded which M$ still supports. Probably didn't cost M$ much at all...

As for orgs that still run XP on the desktop due to reason x, y or z, yes you are right

1
0

Re: Funny

> And we know that NHS Mail/NHS.net was not used to spread the infection.

Actually so far there has been no evidence that any emails were used to spread this particular infection, although I'll certainly agree that email is a very common method of entry for other attacks in general. WCry actually got inside the NHS network due to certain Trusts having SMB shares on unpatched* servers lying open to the wider internet... these servers were remotely infected by external attackers using the leaked NSA exploits. Once inside, the nastyware replicated itself across the internal networks between trusts quite handily, infecting unpatched* Windows 7 boxes as it went. (*At least two months behind the regular MS Windows patch cycle, given that the WCry SMB exploit was patched back in March)

There's no doubt that IT competency and redundancy levels vary wildly between the different NHS trusts, but in this case having a lot of loosely-connected trust networks instead of one big one was both a curse (the infection got in) and a benefit (the infection could only spread so far). Firewalls between trusts blocked a LOT of infections: one such example being the Northern Ireland *.hscni.net network - itself a collection of smaller trusts - which didn't get infected at all.

Having dozens of different interconnected IT networks therefore makes the NHS more difficult to secure, but more difficult to bring down: In an emergency situation you can completely close off the WAN pipe between your trust and the others and run off your own dedicated internet links. Any authentication etc. can take place on cached copies of user credentials such as a secondary DNS zone and backup AD - so it's only the centrally-held internal databases (like Staff Overtime and Travel claims) that will be temporarily unreachable.

Objectively there's very little reason for hospital machinery control systems to need to be on the same section of a network as a standard Windows client attached to a projector in a meeting room. Or for the 999 Room's Computers to be able to talk across to someone's BYOD smartphone.

3
0

Re: Funny

> Is replacing a multi million pound state of the art MRI machine because the control software only runs properly on XP is [sic] a sensible use of money

No. But updating said software on to a supported platform would be.

If equipment supplier is still in business: then should be part of the support contract. (If you don't have a support contract what is keeping the MRI machine running?)

If equipment supplied is not in business: 1. review purchasing process: was viability of supplier correctly checked; 2. apply escrow clause to get source code and work with other customers to get it up dated.

(If you didn't have an escrow clause: sack whomever approved the purchase contract for incompetence, because escrow is a normal part of any non-trivial software purchase.)

2
5
Bronze badge

Re: Relativity

Considering XP is NT based, then yes it would be a lot more stable than the 9x series.

0
0
Anonymous Coward

Re: Funny

"1. review purchasing process: was viability of supplier correctly checked;

How? Any company can be run to the ground in short notice (bad management, sued to bankruptcy, force majeure etc etc)

All the MRI manufacturers are big names in multiple industries. Toshiba, Philips, GE, Hitachi and so on.

If your company buys e.g. Ford automobiles do you actually check Ford's viability or do you focus more on the details of the cars and the value of the deal?

"If you didn't have an escrow clause: sack whomever approved the purchase contract for incompetence, because escrow is a normal part of any non-trivial software purchase."

How often have you managed the companies like GE, Samsung or Siemens to provide their source code for an escrow? And even if they agree, what is the cost of such clause in a contract?

I agree that the idea of source code in escrow is wonderful, but it's just not realistic in many cases.

2
0
Silver badge

Re: @Danny

"You'd be surprised, Microsoft still maintains it. Just not for John Doe anymore, but only for those who are willing to cough up a big paycheck for all the hard work."

Or for anyone that sets the Registry Key marking it as a version of Windows XP Embedded...

0
0
Silver badge

Re: Funny

Well if they are all those big businesses, then they should be able to provide updated software that can run on an OS for which support ended 8 years ago, and extended (paid) support ended over 3 years ago.

0
1

Re: Funny

These suggestions may often be applicable in the world of business/clerical software, which I suppose is the environment of many discussions on this forum. In the world of engineering, medical(e.g.MRI) and scientific control/research machinery, the equipment may be unique and needing long-term support. There might be multiple x$100millions of project on the end of it. The system builder may have used a computer(s)/cluster system from a respected computer supplier, that gets taken over a few years down the line, think DEC->Compaq->HP... or Sun->Oracle...

Assuming a system of which the usage requirements are frozen, you pay the support to NOT update the software, only patch bugs if necessary and with rigorous regression testing, on a reference system if possible.

And, of course, it's air-gapped from the outside world.

0
0

Re: "software running reasonably good on AMD64 W7 most probably does not work well with i386 WXP"

Software written exclusively for Windows 7 or Vista onwards?

Let's refresh our memories about a Vista feature called Glass, the transparent layers effect similar to the one on Mac OS X. It was going to encourage a new generation of applications, we were told. Aside from a few gimmicks in the Windows Explorer desktop, few people saw Glass functionality. I worked at an organisation which used applications -- GIS, CAD, scientific imaging -- which might exploit OS-native transparent layers, but every new application release was designed to work on XP upwards. Nobody demanded an OS upgrade to provide Glass.

Our main reasons to switch to Windows 7 were "modernisation" (to avoid being stuck on a dying OS) and 64-bit applications. It was quite liberating to tell management that software purchased 10+ years previously to run on Windows 2000 or 3.1x had reached end of life.

0
0
Silver badge

Re: Funny

Any PC with the chops to run Vista ought to run 7 even better, since 7 is built on an optimized Vista base. Win 8 is supposed to be lighter still, and 10's built on that as much as 7 was on Vista. As such, anything that could have run Vista well should be able to run any later version of Windows too.

0
0

Re: Funny

I have noticed that my doctor has XP on her desktop and uses IE6 to connect to some medical encyclopedia (google for doctors or whatever).

I wonder if actually, the satellite offices were an attack vector being more likely to have a lower security policy / no security policy compared with a big hospital with an IT department.

I obviously have no idea how or if her GP PC is connected to a larger NHS network. I did ask but she had no idea and wondered what the hell i was talking about.

0
0
Anonymous Coward

So now even the bad guys need you to keep up to date

where will this upgrade madness end/

Mutually Assured Distraction...

0
0
Holmes

Re: So now even the bad guys need you to keep up to date

BSOD - it's a feature, not a bug.

1
0
Silver badge

One thing to take from this ...

... the folks at Kryptos don't know how to properly setup XP.

I'm no huge Redmond fan, but XP was a fairly stable OS when installed properly.

6
3
Silver badge

Re: One thing to take from this ...

I'm no huge Redmond fan, but XP was a fairly stable OS when installed correctly and then configured/hobbled properly to stop the idiot user from doing things they should not be like viewing Pron in the lunchtime.

There fixed it for you.

8
0
Silver badge
Windows

Re: One thing to take from this ...

I didn't bother hobbling my proper XP installs, just blocked ALL Pron and such at the firewall and content filter, and blocked\removed admin rights from the users as it should be in any case.

+1 for identifying users as the main problem ;-}

5
0
Silver badge
Trollface

One thinks it would suit Microsoft's ambitions if all of those using Windows XP moved on to an OS that was "immune" or better suited to battle against these sorts of viruses.

You know, something like, I dunno, Windows 10?

2
1
Silver badge

Or perhaps ...

... it would be more sane to avoid the Redmond clusterfuck entirely?

8
4
Silver badge

Re: Or perhaps ...

But Redmond can't make money doing that.

2
0
Bronze badge

El Reg writing alternative facts fake news again. Sad!

This isn't about the stability of XP. It's about the stability of the exploit. Apparently NSA simply didn't think it was worth getting the exploit working reliably against it, or atleast hadn't at the time their toys leaked.

9
0
Silver badge

NSA coders?

Makes you wonder at the quality of the NSA coders.

Just because they have a zero-day that they're hiding from the makers, doesn't mean they don't have to test their code properly - what if their target was using XP? Not all trrrrsts can afford a legit copy of Windows 10.

3
0
Silver badge
Pint

Re: NSA coders?

You can't beat FREE!

Just note the contents are probably spiked!

0
0
LDS
Silver badge

Re: NSA coders?

It was the NSA coders, or the WannaCrypt ones? See for example https://community.rapid7.com/community/metasploit/blog/2017/05/17/metasploit-the-power-of-the-community-and-eternalblue about how WannaCrypt writers may have used some info from public disclosures of how ETHERNALBLUE exploit works to code their version, and deploy DOUBLEPULSAR.

So, it could be NSA actually have a version working with XP as well, and there are around demos if working attacks against XP using ETHERNALBLUE.

So don't infer from WannaCry that ETHERNALNBLUE doesn't work against XP, so you don't really need patching or upgrading.

3
0
Bronze badge

Re: NSA coders?

I would suspect that since DOUBLEPULSAR is used as part of the attack, they also pretty much re-used ETERNALBLUE (perhaps not the actual executable but rather network traces, but still). If you did the entire thing from scratch with the purpose of worming up ransomware, you probably wouldn't use a general-purpose backdoor like that. Especially as the vulnerability is in code which runs in kernel mode - the optimal solution would be to do as much work as possible in kernel mode since that way there's significantly less possibility of AV/anti-ransomware/HIPS stuff intercepting it. And since DOUBLEPULSAR is public, you run a significant risk of that component being intercepted on its own.

But regarding the exploit not working on XP/2003 - this doesn't have to mean anything. Due to the nature of the vulnerability, chances are that you have to develop what's essentially different exploits for XP/2003 vs. never kernels and not just stick some different values in the same exploit.

And/or they simply prioritized development/testing (and you need a lot of the latter under these circumstances since an unreliable exploit would mean getting caught and screwing operations plus losing a valuable 0day) based on the operational needs at that particular time. They could very well have one for XP somewhere that either didn't leak to Shadowbrokers or hasn't been released by them yet.

0
0

“it was assumed – including by El Reg – that unpatched Windows XP systems were part of the problem”

Too modest.

“Many assumed Wannacry could infect any pre-Windows 10 systems, however it mostly infected Windows 7 computers that hadn't pick up Microsoft's March security patch for the SMB bug. That's because the malware's implementation of EternalBlue is ineffective on Windows XP and Windows Server 2003: it simply wouldn't work reliably.”

– ElReg, 20 May 2017 https://www.theregister.co.uk/2017/05/20/wannacry_windows_xp/

2
0

WGA

<Windows XP with Service Pack 2 – No infection>

Yet another reason to have punted WGA and stayed with SP2

0
0

This was obviously a false flag perpetrated by Microsoft in an effort to get people off of WIndows 7 since technically they are still obligated to support it for a few more years. Making WIndows Update run like malware didn't work because people just turned update off, so they did this, to get specifically those who turned updates off. They didn't target XP because they already stopped supporting it and don't care about it.

3
3
Silver badge

We told you for years

This is not a bug, this is a feature ^^

1
0

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Forums

Biting the hand that feeds IT © 1998–2018