Infecting VirtualBox led to my router being infected with WannaCry
#1
https://help.avast.com/en/av_free/17/hns/win10/hns-doublepulsar-infection.html#solution

The machines on my network are Windows Vista, Windows 7 and Windows 10, plus some smartphones and TVs.

I purposely infected a VirtualBox VM with the WannaCry ransomware. Well, I decided to get on my laptop and do a network scan with Avast, and the link above should explain the rest.
Reply

#2
Your router's not infected but your network is. It runs through the file sharing service on port 445.


Restarting your machines may stop DoublePulsar, but payloads may have been downloaded, so run many scans / re-image machines, whatever it takes.

When infecting a VBox system, your host should always be Linux-based, not Windows-based. You should also make sure drag 'n' drop is not enabled, be it bidirectional or guest-to-host.
Reply

#3
I used Darik's Boot and Nuke with the DoD method on the machine that I had the VirtualBox on. Yeah, I'll make sure to run a bunch of scans. If it comes down to it I'll wipe the hard drives of all computers I have with 3 passes lol
Reply

#4
DBAN? Wow, that's harsh. I'd make that a last resort if I were you; a re-image would've been better and easier in this case.

DoublePulsar resides in RAM and is removed upon reboot; the issue comes from a payload that's been downloaded from a C&C server.
Reply

#5
smirk24 Well, you've got to remove it, and make sure the NSA can't find anything on the hard drive.
Reply

#6
@smirk24 If you're DBAN'ing, you might as well wipe the HPA (if it exists) and reset the DCO using a Linux Live CD.
Reply

#7
DBAN is way overkill and will shorten the life of the drive, not to mention it will take days to finish a large drive.
Reply

#8
So would I have to go into the firewall and block port 445 after a few rootkit scans to get it out of there?
Reply

#9
Blocking the port won't get rid of it; 445 is where the exploit is made. It should've been blocked well in advance.
If you're using file sharing, 445 will be used, but if testing malware your machine should be standalone and not in a multi-PC network, for these very issues.

A little light reading for you:

https://www.grc.com/port_445.htm
Reply

#10
https://www.backup-utility.com/anti-ransomware/how-to-block-port-445-in-windows-3889.html

What do you guys think about this guide?

I feel like I understand what it is that I need to do to fix the problem, but yet it's like I'm not in the ballpark.

Port 445 is for file sharing. Could I just disable the Server service and disable the NetBIOS service as well, or should I follow the guide provided in the link above?
Reply
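As an added example (not code from this thread or from the linked guide), the PowerShell below does on a single Windows 10 host what the last question asks about: it reports whether anything is listening on 445, whether SMBv1 is enabled and whether the Server service is running, then disables SMBv1 and adds an inbound block rule for 445. It assumes an elevated PowerShell on Windows 8 or later with the NetSecurity and SmbShare modules; the rule name 'Block inbound SMB 445' is my own label.

```powershell
# Added example: audit and harden SMB exposure on one Windows host (run as Administrator).
# Assumes Windows 8/10 with the NetSecurity and SmbShare modules; not from the thread.

$RuleName = 'Block inbound SMB 445'   # label chosen for this example

function Get-SmbExposure {
    # Snapshot: is 445 listening, is SMBv1 (the protocol the EternalBlue/DoublePulsar
    # exploit needs) enabled, is the Server (LanmanServer) service up, is our rule present?
    $listening = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
    $smb1      = (Get-SmbServerConfiguration).EnableSMB1Protocol
    $server    = (Get-Service -Name LanmanServer).Status
    $rule      = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ListeningOn445   = [bool]$listening
        SMB1Enabled      = $smb1
        ServerService    = $server
        BlockRulePresent = [bool]$rule
    }
}

function Set-SmbHardening {
    # Turn off SMBv1 at the server configuration level and remove the optional feature,
    # then block inbound TCP 445 on every firewall profile. As the thread notes, blocking
    # 445 stops Windows file and printer sharing to this host.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound `
            -Protocol TCP -LocalPort 445 -Action Block -Profile Any | Out-Null
    }
}

'--- before ---'; Get-SmbExposure
Set-SmbHardening
'--- after ---';  Get-SmbExposure
```

This only closes the door on the host; as #9 says, it does not remove a payload that is already on the machine, so the scans or re-image still have to happen.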
Powered By MyBB, © 2002-2024 Melroy van den Berg.