On 14/05/17 17:42, G.W. Haywood wrote:

>> Are clamav users protected from this ransomware?
Partially. Everyone agrees:

* Check MS17-010 is applied on every Windows device you can - before tomorrow!

I don't have access to samples, but ClamAV seems to be picking up some of Wcry/WanaCrypt0r/WannaCry:
https://virustotal.com/en/file/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa/analysis/
but not all:
https://virustotal.com/en/file/f7c7b5e4b051ea5bd0017803f40af13bed224c4b0fd60b890b6784df5bd63494/analysis/
and new variants come out all the time.

There's a long list of SHA256 hashes here, unfortunately without file lengths:
https://www.redsocks.eu/news/ransomware-wannacry/
and here are some SHA1s:
https://pastebin.com/quvVH5hS

> To be clear about this, the current excitement is caused by a 'worm'.

Spreading by SMB within and between networks on ports 139 and 445, true. That doesn't mean there aren't or haven't been other vectors.

> It has nothing to do with mail. Clamav is irrelevant because there is
> nothing for ClamAV to scan, at least until it is too late. So ClamAV
> scanning mail cannot protect against this threat, and was not designed
> to do so.

I'm not sure it has nothing to do with mail. The US-CERT page mentioned upthread
https://www.us-cert.gov/ncas/alerts/TA17-132A
rather unhelpfully says "According to open sources, one possible infection vector is via phishing emails.... Scan all incoming and outgoing e-mails to detect threats and filter executable files from reaching the end users."

https://www.engadget.com/2017/05/12/12-countries-hit-in-massive-cyber-heist/
says "The virus appears to have originally spread via email as compressed file attachment so, like last week's Google Docs issue, make sure you confirm that your email's attachments are legit before clicking on them."

Here's one observation that matches my experience: "I cannot find any evidence of the email infection vector. SMB v1 & open RDP sessions are the only confirmed vectors."
https://twitter.com/cyb3rops/status/863679016804462592

<digression>
WanaCrypt0r on Friday was confused with Thursday's smaller Jaff ransomware outbreak:
https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168#gistcomment-2093599
This was delivered via a malicious PDF attachment (with email body 'Please open attached XXXX.docm file') that again ClamAV is only partially blocking:
http://blog.dynamoo.com/2017/05/malware-spam-with-nmpdf-attachment.html
https://virustotal.com/en/file/f363c532d7401c75289bbf8e83bca276e7dffdd1b70d5df4167503fcefd3de05/analysis/

Devs - is it possible to block PDFs based on containing '/JavaScript' and '/OpenAction' (or '/Launch')? I wish ClamAV had a hierarchy from definite signatures first to secondly checking heuristics...
</digression>

And from what I hear from people decompiling WannaCry there is no SMTP function within the worm.

* But https://twitter.com/IdoNaor1/status/863796364865613825 says: "The HTA is part of the phishing docx. Traditional spear w/ macro, downloads HTA, and HTA downloads #WannaCry from abandoned server in Brazil" which to me suggests April's Office vulnerability CVE-2017-0199 was used, although I can't yet confirm it is Wcry. Is anything besides MiscreantPunch099-Low.ldb (available via Sanesecurity and clamav-unofficial-sigs) detecting that exploit?

And so:

On 13/05/17 19:19, Alain Zidouemba wrote:

> We don't ship Yara rules. We continue to ship signatures in the ClamAV
> signatures format
>
> ClamAV includes Yara support so that end-users can choose to locally use
> Yara rules like the ones you referenced.

Thank you, Alain. Installing Maldoc_CVE-2017-0199.yar from https://github.com/Yara-Rules/rules may detect RTF files using this exploit, but is there more work to do on .doc, .docm and .docx?

[snip]

> Comments on a postcard, please, to the NSA. For example you might
> like to remind them what the 'S' in those initials stands for, as they
> surely seem to have forgotten.
> And I think Donald fired the head of
> the wrong agency. Oh, hang on, that's a bit political for this list. :)

I suspect most of us agree with you, regarding the NSA at least.

CK

_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
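The PDF heuristic asked about in the digression above ('/JavaScript' together with '/OpenAction' or '/Launch'), worked through as an added example. This is not code from the post, from ClamAV or from Sanesecurity; it is a small Python checker written for this page. Beyond the plain keyword test it covers two things a raw byte match on those strings misses: PDF names may be spelled with #xx hex escapes (so /Java#53cript is the same name as /JavaScript), and the dictionaries carrying the action may sit inside a Flate-compressed stream where no substring signature sees them. The name list, the three verdict levels and the sample files are assumptions made for the example; the samples are constructed, minimal and not real malware.

```python
"""Heuristic check for PDFs that declare an auto-run action plus script.

Added example, not ClamAV code. Flags the combination asked about in the
post (/OpenAction or /Launch together with /JavaScript), after resolving
#xx-escaped names and inflating Flate-compressed streams.
"""
import re
import zlib

# Names that make a viewer run something without a click (assumed list).
TRIGGER_NAMES = (b"/OpenAction", b"/AA", b"/Launch")
# Names that carry script (assumed list).
PAYLOAD_NAMES = (b"/JavaScript", b"/JS")

# PDF names may spell any byte as #xx, so /Java#53cript == /JavaScript;
# a naive substring match on the raw file misses that spelling.
_NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# Body of each stream object; compressed ones hide dictionaries from raw scans.
_STREAM = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)
# The name must end at a PDF delimiter so /JS does not match /JSMask etc.
_DELIM = rb"(?=[\s()<>\[\]{}/%]|$)"


def unescape_names(data: bytes) -> bytes:
    """Resolve #xx escapes so obfuscated names compare equal to plain ones."""
    return _NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> bytes:
    """Return the file plus the decompressed body of every zlib stream in it."""
    parts = [data]
    for m in _STREAM.finditer(data):
        try:
            parts.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate-compressed (image, font, garbage): skip it
    return b"\n".join(parts)


def find_names(data: bytes, expand: bool = True) -> set:
    """Set of trigger/payload names present, optionally after inflating streams."""
    if not data.startswith(b"%PDF-"):
        return set()  # only PDFs are in scope for this heuristic
    text = unescape_names(inflate_streams(data) if expand else data)
    return {
        n.decode()
        for n in TRIGGER_NAMES + PAYLOAD_NAMES
        if re.search(re.escape(n) + _DELIM, text)
    }


def classify(data: bytes, expand: bool = True) -> str:
    """'suspicious' = auto-run plus script (the combination asked about),
    'review' = only one half present, 'clean' = neither."""
    found = find_names(data, expand)
    trigger = any(n.decode() in found for n in TRIGGER_NAMES)
    payload = any(n.decode() in found for n in PAYLOAD_NAMES)
    if trigger and payload:
        return "suspicious"
    if trigger or payload:
        return "review"
    return "clean"


# Constructed sample files: minimal skeletons, not renderable, not malware.
BENIGN = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"
ESCAPED = (
    b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj\n"
    b"3 0 obj << /S /Java#53cript /JS (app.alert(1)) >> endobj\n%%EOF\n"
)
_HIDDEN = zlib.compress(
    b"<< /Type /Catalog /OpenAction << /S /JavaScript /JS (app.alert(1)) >> >>"
)
COMPRESSED = (
    b"%PDF-1.5\n4 0 obj << /Type /ObjStm /Filter /FlateDecode /Length "
    + str(len(_HIDDEN)).encode()
    + b" >>\nstream\n" + _HIDDEN + b"\nendstream\nendobj\n%%EOF\n"
)

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("escaped", ESCAPED), ("compressed", COMPRESSED)):
        raw = classify(blob, expand=False)
        print(f"{name:10s} raw={raw:10s} inflated={classify(blob)}")
```

Run it directly to print the raw versus inflated verdict for each sample; the compressed sample is the case where a plain substring signature on the file bytes reports nothing, which is why a heuristic of this kind belongs after stream decoding rather than on the raw attachment.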