'SambaCry' malware scum return with a Windows encore

Malware authors continue to chip away at Samba bugs similar to those that helped spread WannaCry/WannaCrypt. Kaspersky researchers writing at Securelist say they've spotted a Windows variant of SambaCry, which was first spotted in June. The new variant has been dubbed "CowerSnail". The researchers strongly suspect CowerSnail …

  1. Ken Hagan Gold badge
    Unhappy

    So the only people vulnerable to this are folks running cheap NAS or ADSL boxes that have Linux firmware but for which the vendor never bothers to issue patches.

    So that would be just about everyone then. :(

    The general public really needs to learn the difference between free as in beer and free as in speech. Perhaps we need to maintain a list of vendors (of the above items) who have a track record of providing patches for their products (through auto-update, coz otherwise it won't happen on Joe User's box) for a period of at least five years (for want of a "lifetime" estimate). I'm guessing it won't be a long list at first, but in the long term it needs to include everyone.

    1. Anonymous Coward
      Anonymous Coward

      Someone, Please...

      Tell me, how do I access the Other Internet? This one is starting to shit me!

      1. Sanctimonious Prick
        Devil

        Re: Someone, Please...

        Windows: Alt+F4

        Chrome: Ctrl+F4

        OSX: CMD+Q

        *Nix: (no instructions needed. *nix users know everything)

        :D

    2. Spotswood

      Wrong. It's a Windows variant as stated in the article, and therefore affects Windows and not Linux based NAS devices.

      Presumably, with a patched version of Windows you're fine.

      1. Anonymous Coward
        Anonymous Coward

        SMB != Samba

        The author did his best to make things unclear. First, SMB != Samba. The former is a protocol specification; Samba is just an open source implementation of it for *nix OS.

        For a while MS attempted to rename SMB to "CIFS" and make it an Internet standard (https://tools.ietf.org/html/draft-leach-cifs-v1-spec-01), but it never happened, and only the SMB name is now used.

        Windows doesn't have a specific name for its SMB implementation, and the server/client code is split into the Server and Workstation services respectively (they have no relation to the Windows SKUs - they exist in any version of Windows).

        WannaCry used flaws in the Windows implementation of SMBv1, SambaCry used flaws in the Samba implementation.

        Both have been used to drop the actual malware inside a system. It looks like these scum reused their *nix malware code to target Windows systems, using the ETERNALBLUE exploit to drop the payload.

        1. Ken Hagan Gold badge

          Re: SMB != Samba

          "WannaCry used flaws in the Windows implementation of SMBv1, SambaCry used flaws in the Samba implementation."

          Precisely. Thank you. And since both implementations have now been patched, the only remaining problem is those systems that cannot be patched because the vendor is a fucking sociopath.

          1. TheVogon

            Re: SMB != Samba

            " the only remaining problem is those systems that cannot be patched because the vendor is a fucking sociopath."

            Or because the owner is lazy / ignorant of the issue.

            Some interesting server side vulnerability stats here: https://www.edgescan.com/assets/docs/reports/2016-edgescan-stats-report.pdf

      2. LozWhat

        Strange, when I read "it's compiled using Qt, with a library framework that provides “cross-platform capability and transferability of the source code between different operating systems.”", I thought I saw "cross-platform".

      3. Anonymous Coward
        Anonymous Coward

        Presumably, with a patched version of Windows you're fine.

        .. for a few minutes ..

    3. David Roberts
      Paris Hilton

      Autoupdate?

      Yeah, I'm cool about having a back door in my router so the manufacturer (they keep good secrets, no?) can overwrite the firmware any time they please.

      I mean, what could possibly go wrong?

      NB this does seem pretty standard for ISP supplied routers, but then again they don't seem to fix known problems anyway. Looking at you VM.

      At least with anything less than W10 you get some notification that an update is pending with a choice of when/if. Much the same if you are lucky enough to still get updates for your phone. How will you decide if you want the update to your router?

      1. Sebastian Brosig

        Re: Autoupdate?

        you left out the obligatory "Paris because..." section

      2. Ken Hagan Gold badge

        Re: Autoupdate?

        "Yeah, I'm cool about having a back door in my router ..."

        Well switch it off, then. I wasn't suggesting the MS insanity of not letting you do that.

        My point is that the current situation makes it impossible for anyone to switch it on because the vendor has no update and if we fixed *that* problem then we'd still have the problem that Joe User couldn't switch it on. So it has to be on by default and only those with basic IT skilz (like you) will be able to switch it off but that's still one hell of a lot safer (in terms of herd immunity) than the present clusterfuck.

      3. TheVogon

        Re: Autoupdate?

        "Yeah, I'm cool about having a back door in my router so the manufacturer (they keep good secrets, no?) can overwrite the firmware any time they please."

        You do generally have a choice to enable updates for non-ISP routers. And after all - you are already trusting their software by using the router!

        I would suggest that the sensible thing in most home setups is likely to enable auto updates on everything....

  2. John Smith 19 Gold badge
    Unhappy

    "Qt..so the creators..stick with familiar environments, save..the pain of learning..Windows APIs,"

    And who hasn't done that?

    Being a malware writer, eh? It's just work, work, work.

    I think we all feel your pain.

    That is if most of us didn't wish you would just die in screaming agony for all the chaos you cause.

    1. Anonymous Coward
      Anonymous Coward

      Re: "Qt..so the creators.." (etc - there is a length limit?!?)

      That is if most of us didn't wish you would just slowly die in screaming agony for all the chaos you cause.

      FIFY

      1. Fatman

        Re: "Qt..so the creators.." (etc - there is a length limit?!?)

        <quote>That is if most of us didn't wish you would just slowly die in screaming excruciating agony for all the chaos you cause.

        FIFY</quote>

        No, I really FTFY!

  3. Adam JC

    'Using the same C&C Server as before'

    Why on earth was the server not pulled and/or commandeered by white-hat folk, especially if it has 'self removal' as a feature?

    1. Robert Carnegie Silver badge

      Re: 'Using the same C&C Server as before'

      (Maybe) The C&C is in Latveria and communicates via Spotify playlists on Parker Industries Webware. Good luck closing -that- down.

      1. Anonymous Coward
        Anonymous Coward

        Re: 'Using the same C&C Server as before'

        Sounds to me like the existence of a C&C box ANYWHERE should be enough to haul people into some court. Let's say the malware gets into some machine here in the USA; then, by extension, part of it is the C&C box, so it too can be hauled into court. Perhaps as evidence or some such.

        C&C boxen should be terminated (with extreme prejudice!) on sight by anyone! The traffic should be cut off immediately. I would like to have a tactical nuclear strike, but I don't have that ability (*SIGH*). And so it goes, as I dream on.......

  4. sitta_europea Silver badge

    "Malware authors continue to chip away at Samba bugs similar to those that helped spread WannaCry/WannaCrypt. ..."

    This was all that I read of this article. The author evidently doesn't know what he's talking about.

  5. Sloth77

    Enough with the cute names already!

    Do we really need 'cute' names for vulnerabilities? Seems to me that security research these days is more about showmanship than actually securing software....

    </rant>

    1. Phil W

      Re: Enough with the cute names already!

      More importantly why names that don't seem to have any basis, wtf is CowerSnail?

      I'd have gone for something like MyLittlePwny (Friendship is Hacking)

      1. Adrian Midgley 1

        Re: Enough with the cute names already!

        Codenames are well sorted.

        CASE NIGHTMARE GREEN or GOD GAME INDIGO are less good than some, but fun.

        1. John Smith 19 Gold badge
          Terminator

          "CASE NIGHTMARE GREEN" is being held in reserve.

          For what Simon Pegg's character in MI3 called "The Anti-God" of malware.

          I'll leave others to think about what that could mean.

      2. MyffyW Silver badge

        Re: Enough with the cute names already!

        I claim rights to the LetItGo and DoYouWannaBuildASnowman names before they are used to plunge Arendelle into deep, deep snow.

        1. John Brown (no body) Silver badge

          Re: Enough with the cute names already!

          WinterIsComing(tm)?
