Crapness of WannaCrypt coding offers hope for ransomware victims

Mistakes in the WannaCrypt ransomware worm might allow files to be restored after infection. A crack team of security researchers at Kaspersky Lab has discovered that WannaCrypt/WannaCry, which infected hundreds of thousands of victims at the beginning of May, contains several coding errors. Most of the whoopsies make it …

  1. Your alien overlord - fear me

    Botnote or bootnote?

  2. Sir Sham Cad

    Re: Doesn't reliably infect WindowsXP

    Bugger! We shouldn't have done all that XP migration work after all.

  3. cbars Bronze badge

    'Important Folders'

    What?

    I'd post tips on defensive programming but I don't want to give any hints to the idiots that wrote this virulent drivel, in case I get hit next time. Please continue to write code like it's being described to you in messages from the Morse code of a deaf bell ringer.

    Unless..... maybe the guys who write this sort of program do occasionally get pangs of conscience and write the bare minimum to pass the tests of the organised criminals holding wrenches over their heads. Then again, they're probably just shit and can't get a proper job.

    1. Bandikoto

      Re: 'Important Folders'

      So you're saying that "Swordfish" was a work of fiction?

      Way to destroy my hopes and dreams, man.

  4. Anonymous Coward

    Nice work on the article picture

    picture being a thousand words and photographer says it all

  5. alain williams Silver badge

    Hope of what ... ?

    The implication is that putting this together was not too hard a task and did not need an expert programmer.

    So are we being hinted that next time some better programmer will get hold of the source and do a proper job?

    1. Dan 55 Silver badge

      Re: Hope of what ... ?

      If I didn't know better I'd say the programmer worked at my place.

      If I see another problem due to void * I'll probably go postal.

    2. Charlie Clark Silver badge

      Re: Hope of what ... ?

      Well, you know the saying. There are two types of computers: those that have been hacked, and those that you don't know have been hacked.

  6. hellwig
    Facepalm

    Hidden Files?

    Who doesn't show hidden files? I suppose it's the same people who hide known file extensions (which totally ruined lives back in the days of ILOVEYOU.TXT). Seriously Microsoft, do you really think you're helping people by hiding information from them?

    1. kain preacher

      Re: Hidden Files?

      Hidden files made sense when an idiot user could delete an important system file.

    2. Pascal Monett Silver badge

      Re: Who doesn't show hidden files?

      Most people don't. Most new users don't even know what a file type is. Oh, they recognize a PDF, all right - by the icon. Just like the icon will tell them if it's an Excel file or whatever else they use on a daily basis.

      Hiding the extension has been a Microsoft default since Windows 98, if I'm not mistaken, and that abysmally stupid decision has given malware writers years of fun and years more are to come.

    3. Robert Baker
      IT Angle

      Re: Hidden Files?

      I set my folder view to not only show hidden files, but system files as well; the reason being that media software often not only downloads (extremely low-resolution, hence poor quality) album art, despite the files already having much better album art embedded, but erroneously flags them as system files(??), making it needlessly hard to get rid of them.

      1. Prst. V.Jeltz Silver badge
        Flame

        Re: Hidden Files?

        I can't function without file extensions on. How do I know which of the half dozen setup files to click on without some clues in the extension, or size?

        Unfortunately I'm often doing this on some other computer with the bullshit Microsoft defaults on. I can virtually make all the setting changes required now just on kbd shortcuts without looking at the screen or mouse. It'd be easier if there was an "Invert selection" button in there because just about every setting is fucking wrong!!!

        1. Kiwi
          Trollface

          Re: Hidden Files?

          because just about every setting is fucking wrong!!!

          Isn't that standard practice for MS though? From the compiler options [1] on!

          [1] See the SMB flaw WC was rumoured to have used

  7. Tim Warren

    Key recovery

    ... so if the read only files in clear text are not deleted, and there is a newly created version of that file in cipher text, then is it not possible to deduce the key? If the coder has used the same key across all files (I think likely) then the encrypted files should be recoverable, should they not?

    1. Anonymous Coward

      Re: Key recovery

      Hope someone answers this - I've asked before, given that even in the case of well written ransomware it's very likely you might have a copy of one or two of the crypted files still lurking intact on a usb stick for some reason.

    2. a_yank_lurker

      Re: Key recovery

      @ Tim - In theory the key is recoverable. But the question is how much time and how big a computer do you need to do it. Ciphers and codes are not unbreakable in the strict sense but may take a long, long, long time to crack. But if the coders made a bunch of blunders then it might be easy to crack. The post notes that many have found major coding errors in WannaCrypt that make file recovery possible without paying the ransom.

    3. Cynic_999

      Re: Key recovery

      Having the plaintext version of the ciphertext file does not make it significantly easier to find the encryption key of most modern encryption algorithms. In fact it is one of the main goals of an encryption method that an adversary will not be able to reconstruct the key and be able to decode all messages after he has managed to get hold of a few decoded messages.
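
The point made in the key-recovery replies above, as an added example that is not part of any poster's comment and is not WannaCrypt's own code: a known plaintext/ciphertext pair breaks a repeating-key XOR scheme, but not a scheme whose keystream is derived per file from a keyed PRF. The HMAC-SHA256 counter-mode construction is an assumed stand-in for a modern cipher, and the sample file contents are constructed.

```python
import hashlib
import hmac
import os


def xor_bytes(a: bytes, b: bytes) -> bytes:
    # XOR two byte strings, truncating to the shorter one.
    return bytes(x ^ y for x, y in zip(a, b))


def weak_encrypt(key: bytes, data: bytes) -> bytes:
    # Repeating-key XOR: every file reuses the same keystream (symmetric).
    stream = (key * (len(data) // len(key) + 1))[: len(data)]
    return xor_bytes(data, stream)


def prf_keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Assumed stand-in for a modern cipher: HMAC-SHA256 in counter mode.
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def strong_encrypt(key: bytes, data: bytes) -> bytes:
    # Fresh random nonce per file, stored in front of the ciphertext.
    nonce = os.urandom(16)
    return nonce + xor_bytes(data, prf_keystream(key, nonce, len(data)))


def strong_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:16], blob[16:]
    return xor_bytes(body, prf_keystream(key, nonce, len(body)))


# Constructed sample files: one the victim still has a clear copy of, one not.
KNOWN = b"Holiday photo index, also copied to a USB stick last year."
SECRET = b"Accounts spreadsheet with no surviving copy."


def known_pair_recovers_other_file(scheme: str) -> bool:
    key = os.urandom(16)  # never given to the recovery code below
    if scheme == "weak":
        c_known, c_secret = weak_encrypt(key, KNOWN), weak_encrypt(key, SECRET)
        # plaintext XOR ciphertext is the keystream; its first 16 bytes are the key.
        recovered_key = xor_bytes(KNOWN, c_known)[:16]
        return weak_encrypt(recovered_key, c_secret) == SECRET
    c_known, c_secret = strong_encrypt(key, KNOWN), strong_encrypt(key, SECRET)
    # The pair only leaks the keystream for that one file's nonce.
    leaked = xor_bytes(KNOWN, c_known[16:])
    return xor_bytes(c_secret[16:], leaked) == SECRET


if __name__ == "__main__":
    print("weak scheme broken:", known_pair_recovers_other_file("weak"))
    print("strong scheme broken:", known_pair_recovers_other_file("strong"))
```

If the nonce were reused across files, the second scheme would fail in the same way as the first, which is why the per-file nonce matters.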

  8. Charlie Clark Silver badge
    Headmaster

    One good thing

    It seems that the media circus around the attack has at last convinced people to dump IE 9, which has dropped from around 1% to less than 0.4%. Why should you care? Well, while IE 9 isn't too bad a browser (MS did do a lot of work for >= 9), it doesn't do Flexbox the way other browsers do, which makes it harder to write nice semantic HTML and let CSS do the arranging.

    This ahead of Sharwood's mainly useless OS breakdown…

  9. Joerg

    Of course cryptoviruses are full of coding errors... just like 99% of all other viruses and malware they are coded by the same ones that are selling antiviruses. So then they can get the money to serve and protect the affected ones... so smart.. what an industry ..yep!

    The whole malwares, viruses and antiviruses/antimalwares thing is a huge criminal scam with politicians and rich people stealing money out of it.

    1. TSG

      That seems a bit far-fetched, but it's always possible. Just very, <i>very</i> unlikely.

      1. Prst. V.Jeltz Silver badge
        Paris Hilton

        why didn't your italic work there? tags look right to me.

        1. Tom 38

          He's too new, you need 100+ posts* to use HTML, and he's got 4.

          * Numbers pulled from nowhere

  10. ForthIsNotDead

    It's not a "coding mistake". It's a pragmatic compromise. Changing the read-only file attributes on a file would trip most anti-malware/virus systems. These people may be bad, but they're not stupid. And let us not forget the original provenance of the exploit itself.

    They're not stupid, either.

    1. Adam 1

      I'll hedge my bets that even if it did nothing to read only files, the ransomware would still be effective in its goal of extracting payments.

      1. Prst. V.Jeltz Silver badge

        Sure it would. If it did nothing at all, except put a demand up, it would still get some payments.

        1. Kiwi
          Boffin

          Sure it would. If it did nothing at all, except put a demand up, it would still get some payments.

          Yup, there was one that changed the "shell" key in Windows registry from explorer.exe (or whatever) to their own file, and put up a screen claiming you'd been caught downloading illegal porn or other stuff, using FBI or local police logos (earlier versions use FBI or BATF, later versions used logos from the country of the victim). Changing the registry key back to what it should be, and deleting the file the altered key pointed to fixed it.

  11. Terry 6 Silver badge

    Special folders -why?

    I've always hated Microsoft's virtual folders - with important stuff (i.e. the user's data) buried out of sight in the same place as the users' settings, in the same partition as the OS. It makes no sense in terms of either managing files or data security. I want my files in a totally different partition, ideally. Somewhere that will be left untouched if the OS has to be over-written. Somewhere that means I can easily locate, copy and move files from by following a logical path. D:\documents for my documents, P:\videos and P:\Photos for pictures, and so on.

    1. Anonymous Coward

      Re: Special folders -why?

      I don't understand what you are complaining about? I do exactly that, well, I do E:\Documents, but you can redirect most of the virtual folders to whatever folder on whatever drive you like, and have been able to do since they were introduced....

      1. CommodorePet
        Facepalm

        Re: What about battery life

        This (moving library dirs to a 2nd drive) is known to break Apple iCloud on Windows though. Ask me how I know and you might need to step back from the fragments of my screen as I hit it in frustration.

        1. Prst. V.Jeltz Silver badge

          Re: %my docs%

          I prefer to store my docs somewhere else and not tell Windows about it (not redirect). It's a bit more navigation but it just seems safer. And this article seems to vindicate that!

        2. Kiwi
          Boffin

          Re: What about battery life

          This (moving library dirs to a 2nd drive) is known to break Apple iCloud on Windows though.

          So the rumours that Apple has more shoddily written code than MS are true? Is that even possible?

          Could you create a link to keep icloud happy while putting stuff "safely" elsewhere? Or would it still break?

          Ask me how I know and you might need to step back from the fragments of my screen as I hit it in frustration.

          There are other cloud options out there. Look at owncloud or (yet to try it myself) nextcloud :)

    2. Mage Silver badge

      Re: Special folders -why?

      Don't use them. You don't have to.

      1. Terry 6 Silver badge

        Re: Special folders -why?

        I was, perhaps, unclear. The scheme I stated is what I already do. My point (see title) is why Microsoft set the file system to do this on a normal set-up. There may well be a good reason for this on some systems - having each of several users' documents being called "my documents" for them might serve a purpose that being named for them might not (like if the users are replaced but the computer log-in stays with the role rather than the person, I guess). But for most users having a clearly located folder, with their own individual name/role is perfectly reasonable, surely. And of course I don't use 'em and know I don't need to. But then this is The Register and we tend to know these things. It gets a little bit more complicated when a computer is shared in a home or small office and one person asks another where the named document or the important picture is, is told that it was saved in "My documents" or "my photos" and can't find it, because in their log-in it isn't the same "my documents" etc.

        1. Prst. V.Jeltz Silver badge
          Flame

          Filepaths

          told that it was saved in "My documents" or "my photos" and can't find it, because in their log-in it isn't the same "my documents" etc.

          You know what pisses me off? Many things. On this subject 2 things:

          1) Filepaths. People should not be allowed NEAR a fucking computer until they know what a filepath is and how to navigate it.

          User: "I can't find my important shit"

          Me: "did you save it"

          User: "yes"

          Me: "where?"

          User (paraphrased): No idea and I don't even understand the question, but I clicked on a button marked save.

          Me: bangs head on desk

          2) Libraries - for all the reasons explained in 1) and more

          The Libraries that now pollute the file explorer in Windows. Cancer. The absolute opposite of useful. WTF? How are you supposed to find anything if you don't know where that file is? No amount of clicking or context menus will apparently tell you where the file these imaginary libraries are hidden, apparently they can show the contents of 2 places at once. Very quantum.

          To me it's just another way for Microsoft to fuck new users over and ensure they can never find anything and will never learn what a filepath is, which, as I mentioned, is absolutely fucking vital. Similar to their "let's turn file exts off, that'll be good for a laugh and make new users click on malware".

          Also moving "my pics" and "my videos" and "my other shit" out of "my documents" in the profile structure was a shit idea.

          If there are any benefits to Libraries *spit* then advanced users should turn them on and use them, not be the default.

          right, I feel a little better now

          /rant

          1. Tim Jenkins

            Re: Filepaths

            I've mentioned previously in these forums my encounter with a senior member of academic staff back in the Win '98 era who kept all his folders within the Waste Basket, because "it's always where I can find it". Which didn't help me at all when I Ghosted a new image onto his PC and then found that said location was specifically excluded from the University backup regime...

            1. Terry 6 Silver badge

              Re: Filepaths

              Don't forget the souls who save everything to desktop.

              1. Prst. V.Jeltz Silver badge
                Facepalm

                Re: save everything to desktop.

                Another favorite user tactic of users (once they are advanced enough to make subfolders) is to categorise their documents by what format they are in - ie they will make a folder called word and a folder called excel.

                1. Terry 6 Silver badge

                  Re: save everything to desktop.

                  I can see the value in having format based folders IF document format == known AND file name = memorable_name.

                  But I also know that users will call a file something like "Wednesday meeting" and choose a format that happens to come to mind rather than being a sensible choice for that document. People who will use Excel for a simple table that can easily be made in WORD, or Powerpoint for a simple text document.

              2. dajames

                Re: Filepaths

                Don't forget the souls who save everything to desktop.

                Oh, but how I wish I could!

              3. HelpfulJohn

                Re: Filepaths

                "Don't forget the souls who save everything to desktop."

                My sister does that on her Win-ten laptop. She had so many icons that there was an overflow and Windows helpfully created a folder on the top left corner into which it stuffed some of them. Every so often when the desktop was refreshed after closing a program the set of displayed icons would re-arrange themselves and some would be foldered while others escaped.

                I don't think it actually deleted anything but with her entire desktop covered in "Bills.pdf" I could never be sure.

                As a (quite temporary) workaround, I moved *everything* into new folders called "Sister'sStuff" and "Tools" but I'm fairly sure she'll ignore the hint.

                1. Kiwi
                  Boffin

                  Re: Filepaths

                  As a (quite temporary) workaround, I moved *everything* into new folders called "Sister'sStuff" and "Tools" but I'm fairly sure she'll ignore the hint.

                  I've used a stopwatch with some users to show them the difference. Start stop watch as you hit the power button, when the desktop appears click the lap button and the start button (windows start menu that is, not the stop watch one!), when the menu appears click lap again and click firefox or the program at the top or anything else of your choice. Click STOP when you can load a page etc.

                  Move all their guff into a proper place (even just create an "old desktop stuff" folder and toss it in there temporarily, if on the same disk should take milliseconds to "move"). Shut the machine down. Repeat the process above.

                  Users see their machine boots so much faster because it doesn't have to draw many thousands of icons, especially when said icons are generated by reading in a picture or finding a frame in a video file.

                  IME that works at least 70% of the time. If you create links to proper folders on the desktop they tend to be able to use it ok (or does windows now helpfully load those in as well?). Course if your link is whatever opens windows explorer on a certain directory (can you do that still?) then windows will only see explorer, not the contents of the target folder.

                  Not everyone will follow it, but a lot of people watch you make the changes, see the difference it makes in starting their machine, and the lesson sticks. You can also try to explain that the extra wear and tear on their hdd means it would die quicker if they keep doing that, and explain that data recovery costs lots - but that usually is more inclined to induce dummy mode than teach them something valuable.

                2. Terry 6 Silver badge

                  Re: Filepaths

                  My missus sometimes does this. I just move it to her folders and replace it with a link.

              4. Doctor Syntax Silver badge

                Re: Filepaths

                "Don't forget the souls who save everything to desktop."

                It's called work in progress. Periodically it gets sorted out when I work out a suitable structure for it all. In the meantime it's Right There Where I Can See IT.

          2. Terry 6 Silver badge

            Re: Filepaths

            Prst. V.Jeltz

            Slightly more edgily put than my way of making the point. And much clearer.

    3. Carpet Deal 'em
      Headmaster

      Re: Special folders -why?

      NTFS grew symbolic links quite some time ago. Be the change you want to see and use them.

  12. Kiwi
    Linux

    You mean..

    The restoration approach has limitations. If the file is in an "important" folder (eg, Desktop and Documents)

    You mean there's somewhere to store data other than on my desktop? WOW! Who would've known! (thinks back to friends having lots of stuff, in one case near 200Gb of stuff stored on their desktop, who wonder why their machine b..o..o..t..s........s..o..o..o..o..o.......s..l..o..w..l..y..)

    Thanks again MS. Due to your "wonderful" practices of trying to force people to keep stuff in only MS approved locations (and nowhere else!) you made it easier for the malware writers to target people (though that said, properly written stuff would've left a certain block of files alone, and properly overwritten the rest).

    WC is not the first one I've known of that fails to properly delete files, but "at least" they made the effort to overwrite stuff in certain common folders.

    (and before anyone asks, my "documents" folder contains: a number of things created by WINE or similar to keep some windows stuff happy (no idea which), a couple of files I made in 2014 and a graphic I did for someone else a month ago, no idea why I saved it there instead of in its proper place, most of my "valuable" data is on a second disk, with special folders backed up to Owncloud (with plenty of spare space on the server for "versioning" so even if hit, I could recover older versions)).

  13. tokyo-octopus

    Some days I feel down about my job...

    ... 'cos I work with people who are way cleverer than me (and probably you), then I remember that day I did "rm -rf ~" instead of "rm -rf ~/some-tmp-dir" and was all "meh, well if I hadn't checked it into my private git repo it's probably not important". Added bonus: I get to read tickets from clients along the lines "sorry we didn't respond earlier, we were busy dealing with WannaCrypt".
