rain1 rain-1

## fishbowl.c
// This program runs another program in a "fishbowl" set to the
// current working directory. The idea is that the subprocess
// should only be able to edit files in that path or anything
// descended from it. It can read outside the fishbowl but if it
// attempts to create or edit files outside of it that syscall
// is blocked (by switching it to getpid which does nothing).
//
// A malicious program can bypass the fishbowl using threads to
// make a syscall and then swap the path after verification.
// This is not a security tool, it is just to protect against

## wcry.md

      
              1 file
            
          
              1 fork
            
          
              0 comments
            
          
              0 stars
            
          
                rain-1
                / wcry.md
            
            
              Created
              May 12, 2017 20:23
                — forked from anonymous/wcry.md
            
              
                wcry.md
              
          
    Ransomware attack hits UK NHS, Spain Telefonica, 74 countries affected.


Virus Name: WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY
Vector: Windows 7 is vulnerable. It uses EternalBlue MS17-010 to propagate.

Malware samples


hxxps://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
hxxps://transfer.sh/PnDIl/CYBERed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.EXE
hxxps://transfer.sh/ZhnxR/CYBER1be0b96d502c268cb40da97a16952d89674a9329cb60bac81a96e01cf7356830.EXE (main dll)


## Wannacrypt0r-FACTSHEET.md

      
              1 file
            
          
              158 forks
            
          
              267 comments
            
          
              713 stars
            
          
                rain-1
                / Wannacrypt0r-FACTSHEET.md
            
            
              Last active
              March 10, 2024 11:03
                — forked from Epivalent/Wannacrypt0r-FACTSHEET.md
            
          
    WannaCry|WannaDecrypt0r NSA-Cyberweapon-Powered Ransomware Worm


Virus Name: WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY
Vector: All Windows versions before Windows 10 are vulnerable if not patched for MS-17-010. It uses EternalBlue MS17-010 to propagate.
Ransom: between $300 to $600. There is code to 'rm' (delete) files in the virus. Seems to reset if the virus crashes.
Backdooring: The worm loops through every RDP session on a system to run the ransomware as that user. It also installs the DOUBLEPULSAR backdoor. It corrupts shadow volumes to make recovery harder. (source: malwarebytes)
Kill switch: If the website www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com is up the virus exits instead of infecting the host. (source: malwarebytes). This domain has been sinkholed, stopping the spread of the worm. Will not work if proxied (source).

update: A minor variant of the viru

  
## makesfile
#!/bin/sh
set -e
set -x

function clean {
	rm -f src/version.h
	rm -f src/builtin.inc
	rm -f src/*.o
	rm -f jq
}

## example.tsv

          
            Name
            Age
            Address

            
              Paul
              23
              1115 W Franklin

            
              Bessy the Cow
              5
              Big Farm Way

            
              Zeke
              45
              W Main St

## isqrt.c
#include <stdio.h>
#include <stdint.h>

uint64_t myisqrt(uint64_t n) {
	int i;
	uint64_t r, tmp;

	r = 0;
	for(i = 64/2-1; i >= 0; i--) {
		tmp = r | (1 << i);

## mrx.js
var text = "foobar";

text = text.replace(/o/g, "a");
text = text.replace(/a/g, "x");

document.write(text);


var text = "foobar";

## build bash 5.0!
#!/bin/bash

# do this first
# ./configure
#
echo '#include <sys/types.h>' >> config.h

CFLAGS="-DHAVE_CONFIG_H -DSHELL -g -O2 -Wno-parentheses -Wno-format-security -DRCHECK -Dbotch=programming_error -DMALLOC_DEBUG"

##

## dcs.rkt
#lang racket

;; printing s-exps as DCS and TDCS, plus examples of what DCS and TDCS look like

(define (dcs l)
  (cond ((pair? l)
         (begin
           (display ".")
           (dcs (car l))
           (dcs (cdr l))))

## boot.S
.code16
.global _start
_start:
	cli
	xor	%ax, %ax
	mov	%ax, %ds
	mov	$msg, %si
	cld
loop:
	lodsb
	// This program runs another program in a "fishbowl" set to the
	// current working directory. The idea is that the subprocess
	// should only be able to edit files in that path or anything
	// descended from it. It can read outside the fishbowl but if it
	// attempts to create or edit files outside of it that syscall
	// is blocked (by switching it to getpid which does nothing).
	//
	// A malicious program can bypass the fishbowl using threads to
	// make a syscall and then swap the path after verification.
	// This is not a security tool, it is just to protect against
	#!/bin/sh
	set -e
	set -x

	function clean {
	rm -f src/version.h
	rm -f src/builtin.inc
	rm -f src/*.o
	rm -f jq
	}
Name	Age	Address
Paul	23	1115 W Franklin
Bessy the Cow	5	Big Farm Way
Zeke	45	W Main St
	#include <stdio.h>
	#include <stdint.h>

	uint64_t myisqrt(uint64_t n) {
	int i;
	uint64_t r, tmp;

	r = 0;
	for(i = 64/2-1; i >= 0; i--) {
	tmp = r \| (1 << i);
	var text = "foobar";

	text = text.replace(/o/g, "a");
	text = text.replace(/a/g, "x");

	document.write(text);


	var text = "foobar";
	#!/bin/bash

	# do this first
	# ./configure
	#
	echo '#include <sys/types.h>' >> config.h

	CFLAGS="-DHAVE_CONFIG_H -DSHELL -g -O2 -Wno-parentheses -Wno-format-security -DRCHECK -Dbotch=programming_error -DMALLOC_DEBUG"

	##
	#lang racket

	;; printing s-exps as DCS and TDCS, plus examples of what DCS and TDCS look like

	(define (dcs l)
	(cond ((pair? l)
	(begin
	(display ".")
	(dcs (car l))
	(dcs (cdr l))))
	.code16
	.global _start
	_start:
	cli
	xor %ax, %ax
	mov %ax, %ds
	mov $msg, %si
	cld
	loop:
	lodsb