Source |
Errata Security |
Identifier |
379980 |
Publication date |
2017-06-29 20:25:53 (viewed: 2017-06-29 20:25:53) |
Title |
NonPetya: no evidence it was a "smokescreen" |
Text |
Many well-regarded experts claim that the not-Petya ransomware wasn't "ransomware" at all, but a "wiper" whose goal was to destroy files, without any intent of letting victims recover their files. I want to point out that there is no real evidence of this.

Certainly, things look suspicious. For one thing, it certainly targeted the Ukraine. For another, it made several mistakes that prevent the authors from ever decrypting victims' drives: their email account was shut down, and the code corrupts the boot sector.

But these things aren't evidence, they are problems. They are things needing explanation, not things that support our preferred conspiracy theory.

The simplest, Occam's Razor explanation is that they were simple mistakes. Such mistakes are common in ransomware. We think of virus writers as professional software developers who thoroughly test their code. Decades of evidence show the opposite: such software is of poor quality, with shockingly bad bugs.

It's true that, effectively, nPetya is a wiper. Matthieu Suiche does a great job describing one flaw that prevents it from working. @hasherezade does a great job explaining another flaw. But the best explanation isn't that this is intentional. Even if these bugs didn't exist, it'd still be a wiper if the perpetrators simply ignored the decryption requests. They need not intentionally make the decryption fail.

Thus, the simpler explanation is that it's simply a bug. Ransomware authors test the bits they care about, and test less well the bits they don't. It's quite plausible that just before shipping the code, they added a few extra features and forgot to regression test the entire suite. I mean, I do that all the time with my code.

Some have pointed to the sophistication of the code as proof that such simple errors are unlikely. This isn't true. While it's more sophisticated than WannaCry, it's about average for the current state of the art for ransomware in general. What people think of, such as the Petya base, or using PsExec to spread throughout a Windows domain, is already at least a year old.

Indeed, the use of PsExec itself is a bit clumsy, when the code for doing the same thing is already public. It's just a few calls to basic Windows networking APIs. A sophisticated virus would do this itself, rather than clumsily use PsExec.

Infamy doesn't mean skill. People keep making the mistake that the more widespread something is in the news, the more skill, the more of a "conspiracy" there must be behind it. This is not true. Virus/worm writers often do newsworthy things by accident. Indeed, the history of worms, starting with the Morris Worm, is one of things running out of control beyond the author's expectations.

What makes nPetya newsworthy isn't the EternalBlue exploit or the wiper feature. Instead, the creators got lucky with MeDoc. The software is used by every major organization in the Ukraine, and at the same time, their website was horribly insecure -- laughably insecure. Furthermore, its autoupdate feature didn't check cryptographic signatures. No hacker can plan for this level of widespread incompetence -- it's just extreme luck.

Thus, the effect of bumbling around is something that hit the Ukraine pretty hard, but that's not necessarily the intent of the creators. It's like how the Slammer worm hit South Korea pretty hard, or how the Witty worm hit the DoD pretty hard. These things look "targeted", especially to the victims, but it was by pure chance (provably so, in the case of Witty).

Certainly, MeDoc was targeted. But then, targeting a s |
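The defender's lesson in the MeDoc paragraph is the missing signature check on auto-updates: a client that installs whatever the update server returns belongs to whoever controls that server. The following is an added example, not code from the post, from MeDoc, or from Errata Security, showing the weak client beside a hardened one in Go using only the standard library's Ed25519. The key pair, build numbers and package strings are constructed for the demo; the design (sign the build number together with a hash of the package, pin the publisher's public key in the installer, refuse downgrades) is a generic pattern and not a description of MeDoc's actual update mechanism.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Update is what the update server hands the client: a build number, the
// package bytes and a detached signature made with the publisher's private key.
type Update struct {
	Build     uint32
	Package   []byte
	Signature []byte
}

// Errors the hardened client returns instead of installing anything.
var (
	ErrBadSignature = errors.New("update rejected: signature does not verify against the pinned publisher key")
	ErrDowngrade    = errors.New("update rejected: build is not newer than the installed one")
)

// signingInput binds the build number to a hash of the package, so a valid
// signature cannot be reused with a different payload or with an older build.
func signingInput(build uint32, pkg []byte) []byte {
	sum := sha256.Sum256(pkg)
	return append([]byte(fmt.Sprintf("build:%d\n", build)), sum[:]...)
}

// SignUpdate is the publisher-side step, run on the vendor's build machine.
// The private key never ships with the client.
func SignUpdate(priv ed25519.PrivateKey, build uint32, pkg []byte) Update {
	return Update{Build: build, Package: pkg,
		Signature: ed25519.Sign(priv, signingInput(build, pkg))}
}

// ApplyUnverified models the weak client: whatever the server returns is
// installed, so anyone controlling the server or the path to it owns the client.
func ApplyUnverified(u Update) ([]byte, error) {
	return u.Package, nil
}

// ApplyVerified is the hardened client: the signature must verify against a
// public key pinned in the installer, and the build number must move forward.
func ApplyVerified(pinned ed25519.PublicKey, installed uint32, u Update) ([]byte, error) {
	if !ed25519.Verify(pinned, signingInput(u.Build, u.Package), u.Signature) {
		return nil, ErrBadSignature
	}
	if u.Build <= installed {
		return nil, ErrDowngrade
	}
	return u.Package, nil
}

// Outcome records which client installed which (constructed) package.
type Outcome struct {
	GenuineAccepted        bool // hardened client installs the publisher's build
	TamperedWeakAccepted   bool // weak client installs a swapped package
	TamperedAccepted       bool // hardened client installs a swapped package
	AttackerSignedAccepted bool // hardened client accepts a package signed with a non-pinned key
	DowngradeAccepted      bool // hardened client accepts a genuinely signed older build
}

// RunScenario plays a compromised update server against both clients.
func RunScenario() (Outcome, error) {
	var out Outcome
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // publisher key pair (constructed)
	if err != nil {
		return out, err
	}
	const installed = 176 // build currently on the client (constructed)
	genuine := SignUpdate(priv, 177, []byte("vendor build 177 (constructed sample)"))
	malicious := []byte("attacker-supplied package (constructed sample, inert string)")

	// Attacker controls the server but not the publisher key: swap the package,
	// keep the genuine signature.
	swapped := genuine
	swapped.Package = malicious

	// Attacker signs the package with a key pair of their own.
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return out, err
	}
	selfSigned := SignUpdate(attackerPriv, 178, malicious)

	// Replay of an old, genuinely signed build (old builds may carry fixed bugs).
	old := SignUpdate(priv, 150, []byte("vendor build 150 (constructed sample)"))

	_, err = ApplyVerified(pub, installed, genuine)
	out.GenuineAccepted = err == nil
	_, err = ApplyUnverified(swapped)
	out.TamperedWeakAccepted = err == nil
	_, err = ApplyVerified(pub, installed, swapped)
	out.TamperedAccepted = err == nil
	_, err = ApplyVerified(pub, installed, selfSigned)
	out.AttackerSignedAccepted = err == nil
	_, err = ApplyVerified(pub, installed, old)
	out.DowngradeAccepted = err == nil
	return out, nil
}

func main() {
	out, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

The point of the scenario is that the weak client accepts the swapped package while the hardened client rejects all three hostile cases with the same code path: a swapped payload, a payload signed by a key that is not the pinned one, and a replayed older build. Pinning the public key in the installer matters as much as the signature check itself; fetching the key from the same compromised server would verify nothing.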
Notes |
|
Sent |
Yes |
Tags |
|
Stories |
Wannacry
|