[News] Blogger accidentally halts ransomware

Board: Gossiping | Posted: 2017/05/14 01:38 | Push/boo: 7 (11 push, 4 boo, 8 neutral)
23 comments, 20 participants, latest thread 1/1
1. Media source: BBC

2. Full news title: Global cyber-attack: Security blogger halts ransomware 'by accident'

3. Full news text:

A 22-year-old UK security researcher has told the BBC how he "accidentally" halted the spread of ransomware affecting hundreds of organisations, including the UK's NHS.

The man, known online as MalwareTech, was analysing the code behind the ransomware on Friday night when he made his discovery.

He first noticed the software was trying to contact an unusual web address - iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com - but this was not connected to a website, because nobody had registered it.

So, every time the ransomware tried to contact this mysterious website, it failed - and set about doing damage.

So the blogger decided to spend $10.69 (£8) to claim the web address. By owning this web address, he could also access analytical data and get an idea of how widespread the ransomware was.

[Image: Owning the web address let MalwareTech monitor where infections were happening. Image copyright MalwareTech]

But he later realised that registering the web address had also stopped the ransomware trying to spread itself.

"It was actually partly accidental," he told the BBC, after spending the night investigating. "I have not slept a wink."

What happened?

Originally it was suggested that whoever created the ransomware had included a "kill switch" - a way of stopping it from spreading, perhaps if things got out of hand.

In this case, the act of registering the mysterious web address would trigger the kill switch.

But the blogger MalwareTech now thinks it was not a kill switch. He thinks it was a way of detecting whether the ransomware was being investigated within a secured, disposable environment that researchers use to inspect viruses. This is known as a "virtual machine".

"The [ransomware] exits to prevent further analysis," MalwareTech wrote in a blog post.

"My registration... caused all infections globally to believe they were inside a [virtual machine] and exit…thus we initially unintentionally prevented the spread and further ransoming of computers."

The researcher has been called an "accidental hero" for slowing the spread of the ransomware.

"I would say that's correct," he told the BBC.

Does this mean the ransomware is defeated?

While the registration of the web address appears to have stopped one strain of the malware spreading, it does not mean the ransomware itself has been defeated.

Any files that were scrambled by the ransomware will still be held to ransom.

Security experts have also warned that new variants of the ransomware that ignore the "kill switch" will appear.

"This variant shouldn't be spreading any further, however there'll almost certainly be copycats," said security researcher Troy Hunt in a blog post.

MalwareTech warned: "We have stopped this one, but there will be another one coming and it will not be stoppable by us.

"There's a lot of money in this, there is no reason for them to stop. It's not much effort for them to change the code and start over."

4. Full news link (or short URL): https://goo.gl/mnFCxW

5. Remarks:

In short, a blogger who researches network security accidentally discovered that the ransomware first accesses a web address: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

But nobody had registered this address yet, so the access would fail and the virus would move on to the next step of the infection.

So this guy went and registered the address, and then received a pile of data… and also temporarily stopped the spread of the virus.

The moral of this story: when you write code, get the URL right.

--
※ Posted from: PTT (ptt.cc), from: 31.53.114.218
※ Article URL: https://www.ptt.cc/bbs/Gossiping/M.1494697106.A.F35.html

05/14 01:38, 1F
Has the pigeon arrived?

05/14 01:38, 2F
So scary

05/14 01:39, 3F
I don't understand......

05/14 01:39, 4F
The AntiVirus board has a detailed explanation

05/14 01:39, 5F
Quick, push this, or people will think I don't understand it

05/14 01:39, 6F
I think once this news is out, the variants will get even more fun

05/14 01:39, 7F
The moral of this story: there is no lower limit to how liberal-arts majors think

05/14 01:39, 8F
So this blogger is the hero who saved the world?

05/14 01:40, 9F
http://tinyurl.com/knmjbgg The AntiVirus board has an explanation

05/14 01:40, 10F
I found that out ages ago, no need for you to tell me

05/14 01:42, 11F
The science-major nerd above got infected and is melting down

05/14 01:42, 12F
Probably a backdoor they opened themselves

05/14 01:43, 13F
Get the URL right... are you a liberal-arts major?

05/14 01:43, 14F
The hackers just change the URL and it keeps spreading; this treats the symptom, not the cause

05/14 01:44, 15F
What I'm more curious about is why they used a fixed domain. If each infection randomly

05/14 01:44, 16F
The moral of this story: when making a virus, don't hard code, use random values

05/14 01:45, 17F
generated a long random domain, wouldn't this trick fail to break it?

05/14 01:46, 18F
Hackers always deliberately give themselves away

05/14 02:02, 19F
He did it on purpose, right? There has to be some way to stop it.

05/14 02:09, 20F
This is probably just used to check that the network is up; just change the URL and it's fine

05/14 02:09, 21F
It's probably a backdoor the hacker left for himself, right?

05/14 02:24, 22F
This is a fake URL used to cover for the real one; he just sets up another new fake

05/14 02:24, 23F
URL and it can continue, it's only a temporary interruption
Article ID (AID): #1P5qIIyr (Gossiping)