What is UIWIX:
UIWIX is executed in memory after exploiting EternalBlue. Fileless infections don’t entail writing actual files/components to the computer’s disks, which greatly reduces its footprint and in turn makes detection trickier.
UIWIX is also stealthier, opting to terminate itself if it detects the presence of a virtual machine (VM) or sandbox. Based on UIWIX’s code strings, it appears to have routines capable of gathering the infected system’s browser login, File Transfer Protocol (FTP), email, and messenger credentials.
Both of these viruses use security holes in the Microsoft Windows operating system to rename and encrypt files, locking users out of the computer or its files unless they pay a ransom, said Chen Jianmin, deputy head of CVERC (the National Computer Virus Emergency Response Centre). This virus renames each encrypted file with a .UIWIX extension.
What is EternalBlue:
EternalBlue exploits a vulnerability in Microsoft's implementation of the Server Message Block (SMB) protocol. This vulnerability is denoted by entry CVE-2017-0144 in the Common Vulnerabilities and Exposures (CVE) catalog. The vulnerability exists because the SMB version 1 (SMBv1) server in various versions of Microsoft Windows accepts specially crafted packets from remote attackers, allowing them to execute arbitrary code on the target computer.
The ransom it asks for is 200 bitcoin.
Recommendations for Field Locations:
The Administrator/root password should be restricted to authorised persons only.
Enforce a password policy for user accounts. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root/Administrator password, ensure that the program asking for administration-level access is a legitimate application.
Turn off file sharing if it is not needed. If file sharing is required, grant access to the folders that must be shared only to user accounts with strong passwords.
Turn off and remove unnecessary services. Do not download or install freeware software. Always keep all system patch levels up to date.
Train employees not to open attachments having extensions .vbs, .bat, .exe, .pif and .scr.
Simply visiting a compromised website can cause infection if certain browser vulnerabilities are not patched. Do not visit malicious (flash/advertisement) websites.
Avoid using pen drives on DoP systems to protect the DoP network (N/W) from viruses and Trojans. Please check the Anti-Virus definitions. If they are not up to date, either update them through SEPM LiveUpdate or contact the CSI Helpdesk team (011-66076756).
If any system is not updated with the latest security patches and Antivirus updates, block SMBv1, as explained in the following pages, as a preliminary measure.
If blocking SMBv1 affects any business application, re-enable SMBv1 on that system only if the MS17-010 security patches and the latest Antivirus signatures are installed on it.
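The following PowerShell script is an added example, not part of the original advisory and not the DoP's or Microsoft's own tooling. It audits one Windows host for the two conditions the recommendations above tie together (is SMBv1 enabled, and is an MS17-010 patch present) and disables SMBv1 only when asked to. The registry value and the Set-SmbServerConfiguration cmdlet are the ones documented in the Microsoft article linked below; the KB list is an assumption supplied here for illustration, since later cumulative updates also carry the MS17-010 fix and will not match it.

```powershell
# Added example (not from the original advisory): audit, and optionally disable, SMBv1
# on the local host. Run from an elevated PowerShell prompt. Reporting only, unless
# -DisableIfUnpatched is given.
param(
    [switch]$DisableIfUnpatched,
    # Assumption: illustrative MS17-010 KB numbers. Newer cumulative updates supersede
    # them, so maintain this list for the Windows builds in your own estate.
    [string[]]$Ms17010Kbs = @('KB4012212','KB4012213','KB4012214','KB4012215','KB4012216',
                              'KB4012217','KB4012598','KB4012606','KB4013198','KB4013429')
)

$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1State {
    # Per Microsoft KB2696547: registry value SMB1 = 0 disables the SMBv1 server;
    # a missing value or 1 means it is enabled.
    $val = (Get-ItemProperty -Path $lanman -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    $regEnabled = ($null -eq $val) -or ($val -ne 0)
    # Get-SmbServerConfiguration exists on Windows 8 / Server 2012 and later only.
    $cfgEnabled = $null
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $cfgEnabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    [pscustomobject]@{ RegistryEnabled = $regEnabled; ServerConfigEnabled = $cfgEnabled }
}

function Test-Ms17010Installed {
    param([string[]]$Kbs)
    # Get-HotFix lists installed updates by HotFixID (e.g. KB4012212).
    $installed = Get-HotFix -ErrorAction SilentlyContinue | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $Kbs) { if ($installed -contains $kb) { return $true } }
    return $false
}

function Disable-Smb1 {
    # Registry method works on every supported version; the cmdlet also updates the
    # running service where it is available. A reboot is needed for the registry change.
    Set-ItemProperty -Path $lanman -Name SMB1 -Type DWord -Value 0 -Force
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
}

$state   = Get-Smb1State
$patched = Test-Ms17010Installed -Kbs $Ms17010Kbs
Write-Host "SMBv1 enabled (registry):      $($state.RegistryEnabled)"
Write-Host "SMBv1 enabled (server config): $($state.ServerConfigEnabled)"
Write-Host "MS17-010 KB found:             $patched"

if (-not $patched -and ($state.RegistryEnabled -or $state.ServerConfigEnabled)) {
    if ($DisableIfUnpatched) {
        Disable-Smb1
        Write-Host "SMBv1 disabled; reboot the host for the registry change to take effect."
    } else {
        Write-Warning "Unpatched host with SMBv1 enabled. Re-run with -DisableIfUnpatched to block it."
    }
}
```

To re-enable SMBv1 on a patched system where a business application needs it, as the last recommendation allows, set the same registry value back to 1 (and `Set-SmbServerConfiguration -EnableSMB1Protocol $true -Force` where the cmdlet exists), then reboot.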
Source:
http://blog.trendmicro.com/trendlabs-security-intelligence/wannacry-uiwix-ransomware-monero-mining-malware-follow-suit/
For details refer below URL
https://support.microsoft.com/en-in/help/2696547/how-to-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and-windows-server
Here is a summary of WannaCry and UIWIX’s notable features:
Feature | WannaCry | UIWIX
--- | --- | ---
Attack vectors | SMB vulnerabilities (MS17-010), TCP port 445 | SMB vulnerabilities (MS17-010), TCP port 445
File type | Executable (EXE) | Dynamic-link Library (DLL)
Appended extension | {original filename}.WNCRY | ._{unique id}.UIWIX
Autostart and persistence mechanisms | Registry | None
Anti-VM, VM check, or anti-sandbox routines | None | Checks presence of VM- and sandbox-related files or folders
Network activity | On the internet, scans random IP addresses to check for an open port 445; connects to a .onion site using the Tor browser | Uses mini-tor.dll to connect to a .onion site
Exceptions (doesn't execute if it detects certain system components) | None | Terminates itself if found running in Russia, Kazakhstan or Belarus
Exclusions (directories or file types it doesn't encrypt) | Avoids encrypting files in certain directories | Avoids encrypting files in two directories, and files with certain strings in their file name
Network scanning and propagation | Yes (worm-like propagation) | No
Kill switch | Yes | No
Number of targeted file types | 176 | All files on the affected system except those in its exclusion list
Shadow copies deletion | Yes | No
Languages supported (ransom notes, payment site) | Multilingual (27) | English only
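The table gives a field technician three host-level indicators to look for: the appended ransom extensions, many outbound connections to TCP port 445 (WannaCry's scanning), and the mini-tor.dll module UIWIX loads. The PowerShell triage script below is an added example, not part of the original advisory and not Trend Micro's or the DoP's tooling; it checks a host for exactly those three indicators. It assumes an elevated prompt, Windows 8 / Server 2012 or later for Get-NetTCPConnection, and a fan-out threshold chosen here for illustration.

```powershell
# Added example (not from the original advisory): quick triage of the local host for the
# WannaCry/UIWIX indicators listed in the table. Run from an elevated PowerShell prompt.
param(
    # Assumption: scan the user's document folders by default; pass shares or data drives as needed.
    [string[]]$ScanPaths = @("$env:USERPROFILE\Documents", "$env:USERPROFILE\Desktop"),
    # Assumption: distinct remote hosts on port 445 before we treat it as worm-like scanning.
    [int]$FanOutThreshold = 20
)

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Indicator, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Indicator = $Indicator; Detail = $Detail })
}

# 1. Encrypted-file naming from the table: {name}.WNCRY (WannaCry) and ._{id}.UIWIX (UIWIX).
$extPattern = '\.(WNCRY|UIWIX)$'
foreach ($path in $ScanPaths) {
    if (-not (Test-Path $path)) { continue }
    Get-ChildItem -Path $path -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $extPattern } |
        ForEach-Object { Add-Finding 'RansomExtension' $_.FullName }
}

# 2. Outbound TCP/445 to many distinct hosts: WannaCry scans random addresses on that port.
if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
    $smb = Get-NetTCPConnection -RemotePort 445 -ErrorAction SilentlyContinue |
        Where-Object { @('SynSent', 'Established') -contains $_.State }
    $remoteHosts = @($smb | Select-Object -ExpandProperty RemoteAddress -Unique)
    if ($remoteHosts.Count -ge $FanOutThreshold) {
        $owners = ($smb | Select-Object -ExpandProperty OwningProcess -Unique) -join ','
        Add-Finding 'Smb445FanOut' "$($remoteHosts.Count) distinct hosts on port 445; owning PIDs: $owners"
    }
} else {
    Write-Warning "Get-NetTCPConnection unavailable; inspect 'netstat -ano' for port 445 fan-out manually."
}

# 3. mini-tor.dll loaded in any process: the table lists it as UIWIX's route to its .onion site.
foreach ($proc in Get-Process) {
    try {
        $mods = $proc.Modules | Where-Object { $_.ModuleName -ieq 'mini-tor.dll' }
        foreach ($m in $mods) {
            Add-Finding 'MiniTorModule' "PID $($proc.Id) $($proc.ProcessName): $($m.FileName)"
        }
    } catch { }   # protected or already-exited processes refuse module enumeration
}

if ($findings.Count -eq 0) {
    Write-Host "No indicators from the table were found on $env:COMPUTERNAME."
} else {
    $findings | Format-Table -AutoSize
    Write-Warning "Indicators found: isolate this host from the network and contact the CSI Helpdesk."
}
```

A file match alone is the strongest of the three signals, since the extensions are unique to these families; the port-445 count can also be raised by legitimate file-server traffic, so treat it as a prompt to look at the owning process rather than as proof of infection.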