View Wannacrypt0r-FACTSHEET.md

WannaCry|WannaDecrypt0r NSA-Cyberweapon-Powered Ransomware Worm

  • Virus Name: WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY
  • Vector: All Windows versions before Windows 10 are vulnerable if not patched for MS-17-010. It uses EternalBlue MS17-010 to propagate.
  • Ransom: between $300 to $600. There is code to 'rm' (delete) files in the virus. Seems to reset if the virus crashes.
  • Backdooring: The worm loops through every RDP session on a system to run the ransomware as that user. It also installs the DOUBLEPULSAR backdoor. It corrupts shadow volumes to make recovery harder. (source: malwarebytes)
  • Kill switch: If the website www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com is up the virus exits instead of infecting the host. (source: malwarebytes). This domain has been sinkholed, stopping the spread of the worm.

SECURITY BULLETIN AND UPDATES HERE: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

View eqgrp-notes.md

Tools

  • DEWDROP
  • nftp - nopen-aware file transfer program, see Linux/doc/README.nftp, Linux/doc/nftp.1
  • NOPEN - NSA RAT, real progs are noclient and noserver
  • PITCHIMPAIR - redirector.
  • STOICSURGEON - utility to cloak processes and files on Linux, Solaris and, possibly, FreeBSD Linux/doc/old/etc/user.tool.stoicsurgeon.COMMON
  • STRIFEWORLD - TCP session recorder, sniffer, see Linux/doc/strifeworld.1
  • YELLOWSPIRIT, YS - Linux/bin/ys.auto
View trump-clinton.py
!/usr/bin/python
import string
t = open("trump", "r")
words = {}
for line in t:
for w in line.split():
word = string.strip(w, ":,.\"").lower()
View keybase.md

Keybase proof

I hereby claim:

  • I am ivladdalvi on github.
  • I am ivlad (https://keybase.io/ivlad) on keybase.
  • I have a public key whose fingerprint is C9E9 7316 03A0 BAC8 8838 AB26 0366 0B02 05F5 A398

To claim this, I am signing this object: