View Wannacrypt0r-FACTSHEET.md

WannaCry|WannaDecrypt0r NSA-Cyberweapon-Powered Ransomware Worm

  • Virus Name: WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY
  • Vector: All Windows versions before Windows 10 are vulnerable if not patched for MS17-010. It uses EternalBlue MS17-010 to propagate.
  • Ransom: between $300 and $600. There is code to 'rm' (delete) files in the virus. Seems to reset if the virus crashes.
  • Backdooring: The worm loops through every RDP session on a system to run the ransomware as that user. It also installs the DOUBLEPULSAR backdoor. It corrupts shadow volumes to make recovery harder. (source: malwarebytes)
  • Kill switch: If the website www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com is up, the virus exits instead of infecting the host (source: malwarebytes). This domain has been sinkholed, stopping the spread of the worm. Will not work if proxied (source).

update: A minor variant of the viru

rain-1 / s_packed.c
Created Jan 8, 2021
S as a single file
View s_packed.c
#include <assert.h>
#include <errno.h>
#include <libgen.h>
#include <limits.h>
#include <linux/limits.h>
#include <signal.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
rain-1 / makesfile
Created Apr 10, 2018
example makesfile to build jq
View makesfile
#!/bin/sh
set -e
set -x
# POSIX function syntax: the `function` keyword is a bashism and fails under a strict /bin/sh
clean() {
    rm -f src/version.h
    rm -f src/builtin.inc
    rm -f src/*.o
    rm -f jq
}
View fishbowl.c
// This program runs another program in a "fishbowl" set to the
// current working directory. The idea is that the subprocess
// should only be able to edit files in that path or anything
// descended from it. It can read outside the fishbowl but if it
// attempts to create or edit files outside of it that syscall
// is blocked (by switching it to getpid which does nothing).
//
// A malicious program can bypass the fishbowl using threads to
// make a syscall and then swap the path after verification.
// This is not a security tool, it is just to protect against
rain-1 / wcry.md
Created May 12, 2017 — forked from anonymous/wcry.md
wcry.md
View wcry.md

Ransomware attack hits UK NHS, Spain Telefonica, 74 countries affected.

  • Virus Name: WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY
  • Vector: Windows 7 is vulnerable. It uses EternalBlue MS17-010 to propagate.

Malware samples

View build bash 5.0!
#!/bin/bash
# do this first
# ./configure
#
echo '#include <sys/types.h>' >> config.h
CFLAGS="-DHAVE_CONFIG_H -DSHELL -g -O2 -Wno-parentheses -Wno-format-security -DRCHECK -Dbotch=programming_error -DMALLOC_DEBUG"
##
rain-1 / example.tsv
Last active Apr 30, 2020
Tab Separated Values file format specification version 2.0
View example.tsv
Name	Age	Address
Paul	23	1115 W Franklin
Bessy the Cow	5	Big Farm Way
Zeke	45	W Main St
rain-1 / dcs.rkt
Last active Sep 17, 2019
Dotted Canonical S-expressions - DCSexps
View dcs.rkt
#lang racket
;; printing s-exps as DCS and TDCS, plus examples of what DCS and TDCS look like
(define (dcs l)
  (cond ((pair? l)
         (begin
           (display ".")
           (dcs (car l))
           (dcs (cdr l))))
rain-1 / minikanren.scm
Created Jan 6, 2019
minikanren.scm - based off orchid-hybrid mirukanren. works in Chez
View minikanren.scm
;; utils
(define (assp p l)
  (if (null? l)
      #f
      (if (p (caar l))
          (car l)
          (assp p (cdr l)))))
View SPECIFICATION.txt
# INTRODUCTION
This document specifies the DEPENDS.TXT file for a software project.
This is simply a list of the build time and runtime dependencies of the software.
# SPEC
The file is in TSV (tab separated values) format with UTF-8 encoding, so each line is a record describing a single dependency.
Each record is <package-name>\t<type>\t<version>