Webinar Q&A: Petya and Weaponized Malware
This is a follow-up to Michael Dortch's blog summary of our latest ransomware webinar: Petya and Weaponized Malware: Is Ransomware the New DDoS Attack?
We had several questions roll in that we did not have time to answer during the webinar. Here are a few of them below.
Q: I have no Trusted Publisher policy set up to allow an application that has been signed with a digital certificate from a trusted source to run on an endpoint. Does this mean the unsigned/invalid digital Microsoft certificate from Petya will not run?
A: Trusted Publisher looks at the vendors you have approved. It validates their digital signature and either allows or denies based on that established trust. For initial infection, there are a few different approaches.
First, the MEDoc approach. This is a vendor you would have wanted to put on your trusted vendor list. So initially the application would have gotten into the environment. Once that installed the payload, the perfc.dat would have been laid down, and that file would not have been trusted and would have been blocked.
In the case of the Office RTF exploit, the vulnerability could have been exploited because the RTF file may have been allowed to run and exploit; but, again, once the perfc.dat file came into play, it would have been blocked because it was not signed by a trusted publisher.
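The check described in the answer above (validate a file's digital signature, then allow or deny based on whether the signer is on an approved list) can be reproduced in a few lines of PowerShell. This is an added illustration written for this post, not Ivanti's or Shavlik's own implementation; the `Test-TrustedPublisher` function name, the thumbprint allow list and the placeholder thumbprint are assumptions, and a real deployment would populate the list from the certificates of vendors you have actually approved.

```powershell
# Added example: approve or deny a file the way a Trusted Publisher policy does.
# Step 1: validate the Authenticode signature. Step 2: compare the signing
# certificate against an allow list of approved publishers (by thumbprint,
# which is harder to spoof than a subject name).
function Test-TrustedPublisher {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string[]] $AllowedThumbprints   # assumed allow list
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Any status other than 'Valid' (NotSigned, HashMismatch, NotTrusted, ...)
    # fails the first check. An unsigned dropped payload such as perfc.dat
    # would stop here.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{
            Path    = $Path
            Allowed = $false
            Reason  = "Signature status: $($sig.Status)"
        }
    }

    # A valid signature from a publisher you never approved is still denied.
    $thumb = $sig.SignerCertificate.Thumbprint
    $approved = $AllowedThumbprints -contains $thumb
    return [pscustomobject]@{
        Path    = $Path
        Allowed = $approved
        Reason  = if ($approved) { "Signer $thumb is an approved publisher" }
                  else           { "Signer $thumb ($($sig.SignerCertificate.Subject)) is not on the allow list" }
    }
}

# Usage (constructed): evaluate every executable and DLL in a folder against
# the allow list. Replace the placeholder with the thumbprints of your
# approved vendors' code-signing certificates.
$allow = @('<APPROVED-PUBLISHER-THUMBPRINT-PLACEHOLDER>')
Get-ChildItem -Path $env:TEMP -Include *.exe, *.dll -Recurse -File |
    ForEach-Object { Test-TrustedPublisher -Path $_.FullName -AllowedThumbprints $allow } |
    Where-Object { -not $_.Allowed } |
    Format-Table Path, Reason -AutoSize
```

Note that the two checks are distinct: a valid signature proves who signed the file, and only the allow list decides whether that signer is trusted. A signed MEDoc update would pass both, as the answer says, while the unsigned payload it dropped would fail the first.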
Q: There are articles that reference creating a perfc file in the Windows directory. Does that really help prevent your system from being infected?
A: Petya checks for a read-only file, C:\Windows\perfc.dat, and if it finds it, it won't run the encryption side of the software. Placing perfc.dat in C:\Windows\ and making it “read only” would stop this specific infection, but it would not address other, similar attacks.
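The following PowerShell, added here as an example and not part of the original answer, checks whether the kill-switch file described above is in place and read-only, and creates it if asked. The function names `Test-PerfcKillSwitch` and `Set-PerfcKillSwitch` are assumptions; the path and the read-only requirement come from the answer itself. Writing to C:\Windows requires an elevated session.

```powershell
# Added example: verify (and optionally create) the read-only
# C:\Windows\perfc.dat file that this specific Petya variant checks for.
function Test-PerfcKillSwitch {
    param(
        # Defaults to the path named in the answer, resolved via the system root.
        [string] $Path = (Join-Path $env:SystemRoot 'perfc.dat')
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        return 'Missing'
    }
    $item = Get-Item -LiteralPath $Path
    # The malware looks for a read-only file, so a writable one is not enough.
    if ($item.IsReadOnly) { return 'Present (read-only)' }
    return 'Present but writable'
}

function Set-PerfcKillSwitch {
    param(
        [string] $Path = (Join-Path $env:SystemRoot 'perfc.dat')
    )
    # Create an empty file if it does not exist, then set the read-only flag.
    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -Path $Path -ItemType File | Out-Null
    }
    Set-ItemProperty -LiteralPath $Path -Name IsReadOnly -Value $true
    return Test-PerfcKillSwitch -Path $Path
}

# Usage (constructed): report the current state, and remediate only when it
# is not already 'Present (read-only)'.
$state = Test-PerfcKillSwitch
Write-Output "perfc.dat state: $state"
if ($state -ne 'Present (read-only)') {
    Write-Output "After remediation: $(Set-PerfcKillSwitch)"
}
```

As the answer says, this only affects the variant that looks for this particular file; it is a cheap extra layer, not a substitute for patching MS17-010 and restricting what can run on the endpoint.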
Q: Is this slide saying only 40 companies were hit in the US?
A: The Symantec graph showed how many organizations had reported being hit by the time they released this information on the 27th. Not all companies would have reported being hit and more would likely have been hit since.
Q: Have any systems such as flight control, CTC, 911, etc. been impacted?
A: Reports did not specify those services were hit. Even the energy companies hit reported that power was not disrupted, so likely air-gapped systems and more highly protected systems with multiple layers of security were protected in this case.
Q: Is anyone having issues confirming compliance with MS17-010? It appears the Microsoft KBs related to it are ever-changing.
A: Traditional bulletin designations no longer apply. The fact that Microsoft did this for MS17-010 and MS17-013 is a bit confusing, as you will not see this as an installed patch on anything newer than Windows 7. MS17-010 is an OS update that is part of either the Monthly Rollup or Security Only Bundle if on pre-Win 10 systems (there you get to choose Security Only or Monthly Rollup).
Q: Is that to say if a user is not a local admin the malware will fail from the get go?
A: In this case (according to findings from Symantec), if the user exploited is not a full admin, the tools the malware would try to use and its ability to encrypt the MBR would fail. This may not render the entire attack impotent. The EternalBlue exploit is still remotely exploitable over the network without the need for authentication, so additional layers beyond privilege management are needed to defend against the spectrum.
Q: You mention the Security Rollups, but when I search in Shavlik for MS17-06-MR7, that does not show as an installable option in the patch template—the SO7 but not MR7.
A: To resolve issues of both the Security Only and Monthly Rollup being pushed to the same system, Ivanti has designated the Security Only updates as Security for Patch Type. The Monthly Rollup is designated as Non-Security, since they also include feature updates and bug fixes. You are likely looking at Security Patch Type only.
Q: Which patch needs to be applied for Windows 10?
Q: I read this morning (ZDnet) that data encrypted by the newest exploit cannot be decrypted. After paying the ransom, the decrypt string returned is random junk that does nothing.
A: We have seen similar reports from different sources as well. Paying the ransom is completely useless in this case and not recommended in most ransomware situations, as the chances of successful recovery are slim or risky.
Q: Do you guys know if it downloads PsExec or finds it in the environment already? Just asking ’cause PsExec isn’t common outside of IT.
A: We don’t have confirmed information on if it can download PsExec if it is not already present.
Q: Does Shavlik examine the actual DLL versions for vulnerabilities on Rollups?
A: Yes, we use file and registry detection wherever possible. In the case of Security Only updates, we can do file and registry detection. Rollups are a little different.
Q: Is Ivanti Patch for Windows Server a standalone platform? Shavlik used to complement SCCM and other platforms.
A: Ivanti Patch for Windows (formerly Shavlik Protect) is a standalone solution that will completely replace WSUS or SCCM as the Microsoft OS and application updates system, along with our extensive 3rd-party catalog. The benefits are having more robust scheduling, assessment, and remediation capabilities, better reboot controls, and purpose-built patch management.
Ivanti Patch for SCCM (formerly Shavlik Patch for SCCM) is intended to be a complement for organizations heavily invested in SCCM that are looking to keep the native experience and scale while extending coverage to all the 3rd-party apps they need to update in their environment.
It is very common to see customers of ours who run SCCM running Patch for SCCM on the endpoints and Patch for Windows in the data center (where our additional agentless support, VMware integration [Offline VM and template patching as well as snapshot capabilities], and APIs for integration into complex flows and other technologies like vulnerability vendors, password vaults, etc., make for an ideal solution for the differences in process and complexity).