From the SNORT folks...
http://blog.talosintelligence.com/2017/05/wannacry.html?m=1
".... Additionally, organizations should strongly consider blocking connections to TOR nodes and TOR traffic on network. Known TOR exit nodes are listed within the Security Intelligence feed of ASA Firepower devices. Enabling this to be blacklisted will prevent outbound communications to TOR networks."
<>< Jon L. Gardner Mobile: +1 979-574-1189 Email/Skype/Jabber: jon@brazoslink.net AIM/iChat/MSN: jlg@mac.com
Known TOR exit nodes are listed within the Security Intelligence feed of ASA Firepower devices. Enabling this to be blacklisted will prevent outbound communications to TOR networks.
Wait, what?
niftybunny abuse@to-surf-and-protect.net
Where ignorance is bliss, 'Tis folly to be wise.
Thomas Gray
On 14. May 2017, at 21:45, Jon Gardner toradmin@brazoslink.net wrote:
From the SNORT folks...
http://blog.talosintelligence.com/2017/05/wannacry.html?m=1
".... Additionally, organizations should strongly consider blocking connections to TOR nodes and TOR traffic on network. Known TOR exit nodes are listed within the Security Intelligence feed of ASA Firepower devices. Enabling this to be blacklisted will prevent outbound communications to TOR networks."
<>< Jon L. Gardner Mobile: +1 979-574-1189 Email/Skype/Jabber: jon@brazoslink.net AIM/iChat/MSN: jlg@mac.com
_______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Exactly what I was thinking.
On May 14, 2017, at 14:51, niftybunny <abuse@to-surf-and-protect.net> wrote:
Known TOR exit nodes are listed within the Security Intelligence feed of ASA Firepower devices. Enabling this to be blacklisted will prevent outbound communications to TOR networks.
Wait, what?
On 05/14/2017 08:54 AM, niftybunny wrote:
Known TOR exit nodes are listed within the Security Intelligence feed of ASA Firepower devices. Enabling this to be blacklisted will prevent outbound communications to TOR networks.
Wait, what?
| WanaCrypt0r will then download a TOR client from https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip and extract it into the TaskData folder. This TOR client is used to communicate with the ransomware C2 servers at gx7ekbenv2riucmf.onion, 57g7spgrzlojinas.onion, xxlvbrloxvriy2c5.onion, 76jdd2ir2embyv47.onion, and cwwnhwhlz52maqm7.onion.
https://www.bleepingcomputer.com/news/security/wana-decryptor-wanacrypt0r-te...
Sad but true.
But what they want to block are guards and directory servers. But their list will probably include all relays, so whatever.
Longer term, it's pointless, because malware authors can just hard code bridges. Even custom unlisted bridges.
The last time I checked .onion domains don’t need exits. Every Tor node can be a chain of the path to the .onion domain. So it is completely pointless to block all the exits and second: Exits are the end of the chain to the “normal” internet, if you don’t want outgoing Tor traffic from your internal network you fucking block guards and entry/middle nodes not exits …. btw, good luck with blocking all guards ….
niftybunny abuse@to-surf-and-protect.net
Where ignorance is bliss, 'Tis folly to be wise. Thomas Gray
PS: >In accordance with known best practices, any organization who has SMB publically accessible via the internet (ports 139, 445) should immediately block inbound traffic.
WTF?!??!?!??!?!? WHY WOULD YOU EVEN ALLOW SMB TRAFFIC FROM UNTRUSTED INTERNET SOURCES INTO YOUR NETWORK????? WHYYYY?????
On 15. May 2017, at 00:08, Mirimir mirimir@riseup.net wrote:
Sad but true.
But what they want to block are guards and directory servers. But their list will probably include all relays, so whatever.
Longer term, it's pointless, because malware authors can just hard code bridges. Even custom unlisted bridges.
On 05/14/2017 11:56 AM, niftybunny wrote:
The last time I checked .onion domains don’t need exits. Every Tor node can be a chain of the path to the .onion domain. So it is completely pointless to block all the exits and second: Exits are the end of the chain to the “normal” internet, if you don’t want outgoing Tor traffic from your internal network you fucking block guards and entry/middle nodes not exits
Ummm, that's basically what I said. It was stupid for the writer to say "exits". But you know that blacklists include all Tor relays.
…. btw, good luck with blocking all guards ….
Guards are public, bro. But not all bridges, of course.
PS: >In accordance with known best practices, any organization who has SMB publically accessible via the internet (ports 139, 445) should immediately block inbound traffic.
WTF?!??!?!??!?!? WHY WOULD YOU EVEN ALLOW SMB TRAFFIC FROM UNTRUSTED INTERNET SOURCES INTO YOUR NETWORK????? WHYYYY?????
Because you're a dumbass motherfucker ;)
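A small check, added here and not taken from the thread or from any Tor Project tool, that makes the exits-versus-guards point above concrete: parse a consensus-style relay list, derive an "exit only" blocklist of the kind the advisory describes, and ask whether a client behind that blocklist could still build a circuit to an onion service. The consensus excerpt, relay names and RFC 5737 addresses are constructed; the "a reachable Guard plus two other reachable relays" rule is a simplification of Tor's real path selection, which has more constraints.

```python
"""Compare what an exit-only blocklist and an all-relays blocklist cover.

Onion-service circuits never use an exit, so an exit list does nothing
for egress control; guards are what matter, and bridges are in no public
list at all. Added example code, not from the thread or the Tor Project.
"""
from typing import Dict, List, Set

# Constructed excerpt shaped like Tor network-status "r"/"s" line pairs:
# r <nick> <identity> <digest> <date> <time> <ip> <orport> <dirport>
# s <flags...>
# Identities, digests and addresses are placeholders, not real relays.
SAMPLE_CONSENSUS = """\
r alpha ID1 DG1 2017-05-14 20:00:00 192.0.2.10 9001 9030
s Fast Guard HSDir Running Stable V2Dir Valid
r bravo ID2 DG2 2017-05-14 20:00:00 192.0.2.11 443 80
s Exit Fast Guard Running Stable Valid
r charlie ID3 DG3 2017-05-14 20:00:00 198.51.100.5 9001 0
s Fast Running Valid
r delta ID4 DG4 2017-05-14 20:00:00 198.51.100.6 9001 9030
s Exit Fast Running Stable Valid
r echo ID5 DG5 2017-05-14 20:00:00 203.0.113.7 9001 0
s Fast Guard Running Stable Valid
"""


def parse_consensus(text: str) -> List[Dict]:
    """Return one dict per relay: nick, ip, orport and its set of flags."""
    relays: List[Dict] = []
    current = None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "r" and len(parts) >= 8:
            # Address and ports are always the last three fields, which
            # also holds for microdescriptor consensuses (no digest field).
            ip, orport, _dirport = parts[-3:]
            current = {"nick": parts[1], "ip": ip,
                       "orport": int(orport), "flags": set()}
            relays.append(current)
        elif parts[0] == "s" and current is not None:
            current["flags"] = set(parts[1:])
    return relays


def blocklist(relays: List[Dict], flag: str = None) -> Set[str]:
    """IPs of relays carrying `flag`; flag=None blocks every listed relay."""
    return {r["ip"] for r in relays if flag is None or flag in r["flags"]}


def egress_report(relays: List[Dict], blocked: Set[str]) -> Dict[str, int]:
    """Count guards and exits that a client could still reach."""
    guards = [r for r in relays if "Guard" in r["flags"]]
    exits = [r for r in relays if "Exit" in r["flags"]]
    return {
        "relays": len(relays),
        "blocked": sum(r["ip"] in blocked for r in relays),
        "guards": len(guards),
        "guards_reachable": sum(r["ip"] not in blocked for r in guards),
        "exits": len(exits),
        "exits_reachable": sum(r["ip"] not in blocked for r in exits),
    }


def onion_circuit_possible(relays: List[Dict], blocked: Set[str]) -> bool:
    """Simplified: a client-to-onion-service circuit needs a reachable Guard
    plus two more reachable relays (middle hop, rendezvous point). The Exit
    flag plays no part, so an exit-only blocklist leaves this True."""
    reachable = [r for r in relays if r["ip"] not in blocked]
    has_guard = any("Guard" in r["flags"] for r in reachable)
    return has_guard and len(reachable) >= 3


if __name__ == "__main__":
    rs = parse_consensus(SAMPLE_CONSENSUS)
    for label, blk in (("exit-only", blocklist(rs, "Exit")),
                       ("all-relays", blocklist(rs))):
        print(label, egress_report(rs, blk),
              "onion circuit possible:", onion_circuit_possible(rs, blk))
```

Even the all-relays variant only covers what the consensus lists; a client configured with a bridge is outside both sets.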
On 15. May 2017, at 01:42, Mirimir mirimir@riseup.net wrote:
On 05/14/2017 11:56 AM, niftybunny wrote:
The last time I checked .onion domains don’t need exits. Every Tor node can be a chain of the path to the .onion domain. So it is completely pointless to block all the exits and second: Exits are the end of the chain to the “normal” internet, if you don’t want outgoing Tor traffic from your internal network you fucking block guards and entry/middle nodes not exits
Ummm, that's basically what I said. It was stupid for the writer to say "exits". But you know that blacklists include all Tor relays.
Okay, they will overkill/overblock all nodes but they are out of luck with bridges. So it is pointless but they will feel better? Wow, much secure, so block, such ASL, wow!
…. btw, good luck with blocking all guards ….
Guards are public, bro. But not all bridges, of course.
You are right, my bad.
niftybunny abuse@to-surf-and-protect.net
Where ignorance is bliss, 'Tis folly to be wise. Thomas Gray
PS: >In accordance with known best practices, any organization who has SMB publically accessible via the internet (ports 139, 445) should immediately block inbound traffic.
WTF?!??!?!??!?!? WHY WOULD YOU EVEN ALLOW SMB TRAFFIC FROM UNTRUSTED INTERNET SOURCES INTO YOUR NETWORK????? WHYYYY?????
Because you're a dumbass motherfucker ;)
Firewall default is to block all traffic. You have to allow this traffic. Without using an VPN this is a special case of stupid …
On 15/05/2017 00:08, Mirimir wrote:
| WanaCrypt0r will then download a TOR client from https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip and extract it into the TaskData folder. This TOR client is used to communicate with the ransomware C2 servers at gx7ekbenv2riucmf.onion, 57g7spgrzlojinas.onion, xxlvbrloxvriy2c5.onion, 76jdd2ir2embyv47.onion, and cwwnhwhlz52maqm7.onion.
https://www.bleepingcomputer.com/news/security/wana-decryptor-wanacrypt0r-te...
Was the increased number of downloads from the malware visible from the logs?
I mean, if you are able to detect such an event and be reasonably sure that the downloads do not come from humans you could stop them. If the URL is hardcoded you could, say, move the file and it would not affect users.
(this is of course assuming that blocking the possibility of contacting the said onion services would be of any help in blocking the malware)
Cristian
On Mon, May 15, 2017 at 09:17:33AM +0200, Cristian Consonni wrote:
| https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip
Was the increased number of downloads from the malware visible from the logs?
I looked, and there were a few hundred downloads per day. It didn't look like a huge number. Maybe people misread the code, or maybe there aren't actually that many infections and all the "threat intelligence" companies want to keep talking about it anyway, or who knows.
But the low number of downloads, plus the fact that folks said they'd disabled the ransomware component (by registering the domain it checked), plus the fact that I hadn't investigated the worm code to figure out if it did anything surprising when the URL is disabled, made me decide to leave it alone.
--Roger
On 15/05/2017 09:38, Roger Dingledine wrote:
I looked, and there were a few hundred downloads per day. It didn't look like a huge number. Maybe people misread the code, or maybe there aren't actually that many infections and all the "threat intelligence" companies want to keep talking about it anyway, or who knows.
Interesting. In fact, I thought that downloading the whole browser seemed to be not so smart; surely there are better ways to connect programmatically to the tor network.
To my untrained eye, this malware seems to be both clever (self-replication) and dumb (kill switch, downloading the browser) at the same time.
But the low number of downloads, plus the fact that folks said they'd disabled the ransomware component (by registering the domain it checked), plus the fact that I hadn't investigated the worm code to figure out if it did anything surprising when the URL is disabled, made me decide to leave it alone.
Very reasonable.
Thanks for the info.
Cristian
On Mon, May 15, 2017 at 09:58:26AM +0200, Cristian Consonni wrote:
Interesting. In fact, I thought that downloading the whole browser seemed to be not so smart; surely there are better ways to connect programmatically to the tor network.
It is not the whole browser -- it is the "windows expert bundle": https://www.torproject.org/download/download. So it is indeed stupid to treat its libraries like the cloud, but not so stupid that it's fetching the whole tor browser.
To my untrained eye, this malware seems to be both clever (self-replication) and dumb (kill switch, downloading the browser) at the same time.
Also ask yourself whether it checks the signature of the tor win32 thing that it downloads before running it. :( Good thing we're not evil.
--Roger
On 15/05/2017 00:08, Mirimir wrote:
But what they want to block are guards and directory servers. But their list will probably include all relays, so whatever.
Longer term, it's pointless, because malware authors can just hard code bridges. Even custom unlisted bridges.
Organizations sometimes can, and do, block Tor at the application level. This raises the bar up to obfuscation, which is not perfect nor hassle free right now.
Jan
On Sun, May 14, 2017 at 09:54:55PM +0200, niftybunny wrote:
Known TOR exit nodes are listed within the Security Intelligence feed of ASA Firepower devices. Enabling this to be blacklisted will prevent outbound communications to TOR networks.
Wait, what?
To help you be less surprised next time, the template to look for is:
"Additionally, organizations should strongly consider [buying our fancy proprietary "threat intelligence" tools]. Enabling this to be blacklisted will prevent [thing that we're trying to scare you about without explaining, or even understanding ourselves]."
--Roger
Roger,
Exactly! bahahaha.
John
On May 14, 2017, at 17:24, Roger Dingledine arma@mit.edu wrote:
"Additionally, organizations should strongly consider [buying our fancy proprietary "threat intelligence" tools]. Enabling this to be blacklisted will prevent [thing that we're trying to scare you about without explaining, or even understanding ourselves]."
On Sun, May 14, 2017 at 6:28 PM, Roger Dingledine arma@mit.edu wrote:
"Additionally, organizations should strongly consider [buying our fancy proprietary "threat intelligence" tools]. Enabling this to be blacklisted will prevent [thing that we're trying to scare you about without explaining, or even understanding ourselves]."
Did you have an epiphany about corporations, my friend? Welcome.