Petya //NotPetya Survival Guide


Bunnysniper
Senior Member
 

Petya //NotPetya Survival Guide

Post Posted: Jun 28, 17 02:43

1. To prevent the initial infection, patch against EternalBlue (the WannaCry hole). This should have been done in March already...

2. If ONE client in your network gets compromised (because it was forgotten for patching...), a "killswitch" prevents the spreading of malicious code via WMI and psexec. Create a file called C:\Windows\perfc (no extension, with any content or size).

3. If you are hit, power off immediately. The CheckDisk screen is a fake. You can still recover files from a booted CD or USB thumb drive.

Good night.  
 
  

RolfGutmann
Senior Member
 

Re: Petya //NotPetya Survival Guide

Post Posted: Jun 28, 17 03:21

Thank you. Probably the Ukrainian MeDoc customers are affected after MeDoc itself was breached.
 
  

jaclaz
Senior Member
 

Re: Petya //NotPetya Survival Guide

Post Posted: Jun 28, 17 13:04

- Bunnysniper

Create a file called C:\Windows\perfc (no extension, with any content or size).

Are you sure?
Some sources talk about a perfc.dat set to Read Only:
www.theregister.co.uk/...ansomware/

Creating the read-only file C:\Windows\perfc.dat on your computer prevents the file-scrambling part of NotPetya running, but doesn't stop it spreading on the network. Note, the software is designed to spread internally for less than an hour and then kicks in; it doesn't attempt to spread externally across the internet like WannaCry did.


jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

Bunnysniper
Senior Member
 

Re: Petya //NotPetya Survival Guide

Post Posted: Jun 28, 17 14:21

- jaclaz
- Bunnysniper

Create a file called C:\Windows\perfc (no extension, with any content or size).

Are you sure?
Some sources talk about a perfc.dat set to Read Only:
www.theregister.co.uk/...ansomware/

Creating the read-only file C:\Windows\perfc.dat on your computer prevents the file-scrambling part of NotPetya running, but doesn't stop it spreading on the network. Note, the software is designed to spread internally for less than an hour and then kicks in; it doesn't attempt to spread externally across the internet like WannaCry did.


jaclaz


Both ways are possible. %windir%\perfc is checked for existence; if it exists, the infection process stops (quits). If you create the file %windir%\perfc.dat as read-only, the infection breaks, because the file cannot be written.

best regards,
Robin  
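
As an added example (not posted by anyone in this thread), the following PowerShell creates both killswitch files named above in %windir%, sets them read-only, and verifies the result. It assumes an elevated prompt; the file names perfc and perfc.dat are taken from the posts above.

```powershell
# Added example, not from the thread: deploy the two NotPetya killswitch files
# described in the posts above (perfc, and perfc.dat set read-only) and verify them.
# Run from an elevated PowerShell prompt; %windir% is normally C:\Windows.
$names = @('perfc', 'perfc.dat')

$results = foreach ($name in $names) {
    $path = Join-Path $env:windir $name

    if (-not (Test-Path -LiteralPath $path)) {
        # An empty file is enough; the thread says content and size do not matter.
        New-Item -Path $path -ItemType File -Force | Out-Null
    }

    # Set the ReadOnly attribute so an attempt to write the file fails.
    $item = Get-Item -LiteralPath $path -Force
    $item.Attributes = $item.Attributes -bor [IO.FileAttributes]::ReadOnly

    [pscustomobject]@{
        Path     = $path
        Exists   = Test-Path -LiteralPath $path
        ReadOnly = (Get-Item -LiteralPath $path -Force).IsReadOnly
    }
}

$results | Format-Table -AutoSize

# Fail loudly if either file is missing or still writable (e.g. not run elevated).
if ($results | Where-Object { -not $_.Exists -or -not $_.ReadOnly }) {
    Write-Error "Killswitch file missing or not read-only; run elevated and retry."
}
```

As the Register quote earlier in the thread points out, these files only block the local encryption stage; they do nothing against lateral spread, so the EternalBlue patch and SMB restrictions from the other posts remain necessary.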
 
  

jaclaz
Senior Member
 

Re: Petya //NotPetya Survival Guide

Post Posted: Jun 28, 17 16:14

- Bunnysniper

Both ways are possible. %windir%\perfc is checked for existence; if it exists, the infection process stops (quits). If you create the file %windir%\perfc.dat as read-only, the infection breaks, because the file cannot be written.

best regards,
Robin


Good :), thanks.
For the "better safe than sorry" series, possibly one can use both; they don't seem to be mutually exclusive ...

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

Bunnysniper
Senior Member
 

Re: Petya //NotPetya Survival Guide

Post Posted: Jun 28, 17 17:36

- jaclaz
- Bunnysniper

Both ways are possible. %windir%\perfc is checked for existence; if it exists, the infection process stops (quits). If you create the file %windir%\perfc.dat as read-only, the infection breaks, because the file cannot be written.


Good :), thanks.
For the "better safe than sorry" series, possibly one can use both; they don't seem to be mutually exclusive ...

jaclaz


This is what I suggested to my client, and it was done this morning. I am currently working for one of the major banks in Frankfurt, and we started an emergency software rollout just for these two files. And we have patched (long ago), updated all antivirus products via push notice and blocked the four known C+C IP addresses tonight... and a lot of other measures.

Since psexec from Sysinternals/Microsoft was abused so often, we deployed a Software Restriction Policy for all Windows OS to prevent any execution of psexec.exe (by name and hash value). The next steps will be a very strict Execution Policy for Powershell and WMI(C), but this needs some testing and might break some legitimate applications. Kicking Powershell and WMI completely is the target.

best regards,
Robin  
 
  

RolfGutmann
Senior Member
 

Re: Petya //NotPetya Survival Guide

Post Posted: Jun 30, 17 02:53

Comae & Kasp webinar about PetrWrap/NotPetya: a wiper, not ransomware

www.brighttalk.com/web...ign=268285

Yara rules

cdn.securelist.com/fil...r_yara.zip

Make sure to close SMB port 445  
 

Page 1 of 3
Page 1, 2, 3  Next