Microsoft might not support Windows XP any more, but GandCrab v4.1 ransomware does

Miscreants have developed the first strain of ransomware worm capable of infecting legacy systems, such as Windows XP and 2003. The infamous WannaCry outbreak, which severely affected the UK's NHS, showed just how much damage ransomware can do.

  1. GnuTzu
    Trollface

    SMB -- Ugh

    How long have the warnings been coming, more than a decade? When ya gonna learn? The low hanging fruit in your walled garden are up for grabs.

    1. Pascal Monett Silver badge

      I think it's less a case of "when ya gonna learn" and more a case of "when are your managers going to allocate the funds to get you out of that hellhole" - and the answer in some cases is replacing an MRI machine that cost millions with another one that costs millions.

      I've got a hunch those bastards that made the nasty are going to make WannaCry look like a walk in the park.

      1. Anonymous Coward
        Anonymous Coward

        I think it's less a case of "when ya gonna learn" and more a case of "when are your managers going to allocate the funds to get you out of that hellhole" - and the answer in some cases is replacing an MRI machine that cost millions with another one that costs millions.

        No one said they have to replace them. Also no one said it was a good idea to connect those mission critical machines to the internet to watch po*n, while disregarding 'backups'. It is still a "when they gonna learn" case.

        1. DropBear

          Which part of "needs no internet connection" did you miss? It's enough if any PC that has access to that MRI machine on a LAN gets infected, by any means, and you're done. As for the universal lack of backups and the reasons thereof, let's have that argument some other year...

          1. Prst. V.Jeltz Silver badge

            "Which part of "needs no internet connection" did you miss?"

            I may have missed something here. Is the author implying that previous ransomwares needed an internet connection to operate? If so, why?

            Viruses in the old days managed just fine without an internet connection.

            Also I think what that AC was getting at was that if you don't connect it to the internet, it won't get the malware in the first place. Not without a herculean effort from some idiot to download it and put it on a USB stick or something.

          2. GnuTzu

            "walled garden" == "needs no internet connection"

            @DropBear, you're obviously getting it (voted up), but I thought I'd clarify my intended meaning for others. Air gapping is one of those things that has been done as an excuse, err..., a mitigation for garbage technology (i.e. "low hanging fruit"), but now that's just not enough.

  2. 89724102172714582892114I7551670349743096734346773478647892349863592355648544996312855148587659264921

    That link does not lead to a patch for Windows XP. Simply blocking ports 445, 137 and 138 using a firewall would help.

    1. Robert Helpmann??
      Childcatcher

      Simply blocking ports 445, 137 and 138 using a firewall would help.

      Help, maybe, but that should be done anyway for your network perimeter and doesn't do much good for local network use given what those ports are used for. Once this thing gets past the hard outer shell of a network, it will be able to feast on the soft parts unimpeded. As the implementation allows it to spread to air-gapped systems (per the article), I wouldn't think concentrating on perimeter security is going to do too much good.
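The point above, that a perimeter block on 445/137/138 says nothing about what happens once something is already on the LAN, is where internal flow logging earns its keep. The following is an added example (not code from the article or from The Register): it reads a constructed firewall/flow log and flags any host that reaches many distinct internal addresses on SMB ports within a short window, the signature of network-spreading rather than of a client talking to its file server. The log format, the 10.0.0.0/8 internal range, the 60-second window and the threshold of 20 are all assumptions chosen for the illustration.

```python
"""Spot SMB fan-out inside the LAN, where a perimeter block on 445/137/138 never looks.

Added example for this thread, not code from the article or from The Register.
Assumes a constructed firewall/flow log with lines of the form
'<ISO timestamp> <src ip> <dst ip> <dst port> <ALLOW|DENY>'; the window and
threshold below are illustrative values, not tuned recommendations.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Ports named in the thread (445, 137, 138) plus 139, the NetBIOS session port
# that older SMB implementations also listen on.
SMB_PORTS = {137, 138, 139, 445}


def parse_line(line):
    """Split one constructed log line into (timestamp, src, dst, dport, action)."""
    ts, src, dst, dport, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), action


def find_smb_fanout(log_text, internal_net="10.0.0.0/8",
                    window=timedelta(seconds=60), threshold=20):
    """Return {src: (time, distinct_hosts)} for sources that reach `threshold`
    distinct internal destinations on SMB ports within `window`.

    DENY lines count too: a host-firewall block still reveals the sweep."""
    net = ipaddress.ip_network(internal_net)
    per_src = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, _action = parse_line(line)
        if dport in SMB_PORTS and ipaddress.ip_address(dst) in net:
            per_src[src].append((ts, dst))

    alerts = {}
    for src, events in per_src.items():
        events.sort()
        start = 0
        for end, (ts, _dst) in enumerate(events):
            # Slide the window start forward so it covers only the last `window`.
            while events[start][0] < ts - window:
                start += 1
            distinct = {d for _, d in events[start:end + 1]}
            if len(distinct) >= threshold:
                alerts[src] = (ts, len(distinct))
                break  # one alert per source is enough for triage
    return alerts


def build_sample_log():
    """Constructed sample: two clients talking to one file server (normal), and
    10.0.1.50 touching 40 neighbours on 445 in 40 seconds (worm-like)."""
    lines = [
        "2018-07-10T09:00:01 10.0.1.20 10.0.1.5 445 ALLOW",
        "2018-07-10T09:00:02 10.0.1.21 10.0.1.5 445 ALLOW",
        "2018-07-10T09:00:03 10.0.1.20 10.0.1.5 139 ALLOW",
        "2018-07-10T09:00:04 10.0.1.21 8.8.8.8 53 ALLOW",
    ]
    for i in range(1, 41):
        lines.append(f"2018-07-10T09:01:{i:02d} 10.0.1.50 10.0.1.{i} 445 ALLOW")
    return "\n".join(lines)


if __name__ == "__main__":
    for src, (when, hosts) in find_smb_fanout(build_sample_log()).items():
        print(f"{src}: {hosts} distinct SMB targets by {when.isoformat()}")
```

Run as-is it reports only 10.0.1.50; the two ordinary clients never exceed one distinct destination. The same logic runs over real flow records from an internal firewall or switch span once the parser is swapped for the site's own format.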

      1. Lee D Silver badge

        "Being able to spread without internet access and impacting legacy XP and 2003 systems suggests some older environments may end up at risk where there is poor security practice – e.g. no working antivirus software"

        Poor security practice like running obsolete and unsupported operating systems, for example?

        I think Microsoft should just be honest... if your system has XP anywhere on it, in any configuration, even as a VM, the rest of the network's security is pointless and cannot be guaranteed. Give it up, stop developing, testing and shipping software for it, let it on the kerb.

        Until you do that, people will just keep running it forever and think that just because there's some ancient version of Sophos on it that it's somehow magically "secure" now.

        1. JohnFen

          "I think Microsoft should just be honest... if your system has XP anywhere on it, in any configuration, even as a VM, the rest of the network's security is pointless and cannot be guaranteed"

          That wouldn't be honest, though (except insofar as any network's security can never be guaranteed regardless).

          It is entirely possible to run an old, insecure operating system on a machine in such a way that the rest of the network is protected. It takes a bit of work and know-how, but it's certainly doable.

          1. Spanners Silver badge
            Boffin

            @JohnFen

            It is entirely possible to run an old, insecure operating system on a machine in such a way that the rest of the network is protected. It takes a bit of work and know-how, but it's certainly doable.

            I remember being taught how to do this a long time ago.

            1. Sever all cables as close to the device as possible. == Limit communication.

            2. Embed it in concrete. == Limit unauthorised access

            3. Drop into the Mariana Trench. == Remove future access

            Simples!

        2. Mark 85

          I think Microsoft should just be honest... if your system has XP anywhere on it, in any configuration, even as a VM, the rest of the network's security is pointless and cannot be guaranteed.

          I do believe that XP fits the "security by obscurity" model. In this case, outdated but still in use.

    2. Doctor Evil

      "That link does not lead to a patch for Windows XP."

      The real patch for SMB1 under Windows XP is KB4012598 which is described here and can be downloaded from here

  3. Threlkeld

    High-tech options

    Oh! doesn't 'air-gapped' mean the same thing as 'no wi-fi, no bluetooth and chewing gum in all the Ethernet and USB sockets' then?

    Who knew?

    1. doublelayer Silver badge

      Re: High-tech options

      Usually. It definitely includes disabling, by force if necessary, wifi, bluetooth, and ethernet. However, depending on the use case, some airgapped systems may need USB or similar for reading or writing data. For example, a machine might include access to systems that analyze data securely. This can't be infected, but it does need to read data from somewhere. If there is too much data to enter manually, it might be brought in on a USB disk or optical disk, either of which could be infected. Security of airgapped machines is thus also very important.
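The comment above is about the one path that stays open on a genuinely air-gapped analysis host: data walked in on a USB or optical disk. As an added example (not code from the article or from The Register), here is a manifest check for that transfer: the sending side publishes SHA-256 digests of the expected data files, and the receiving host refuses anything that is not on the manifest, not in an allowed data format, or that carries a Windows executable header under a data extension. The file names, the allowed suffixes and the manifest are constructed for the illustration.

```python
"""Manifest check for data brought onto an air-gapped analysis host on removable media.

Added example for this thread, not code from the article or from The Register.
Assumes a constructed transfer: a manifest of SHA-256 digests produced on the
sending side for each expected data file, and a short allow-list of data
formats the receiving host actually consumes. Everything else is refused.
"""
import hashlib
import tempfile
from pathlib import Path

# Constructed allow-list: formats the isolated host is meant to read.
ALLOWED_SUFFIXES = {".csv", ".txt"}
PE_MAGIC = b"MZ"  # first two bytes of every Windows PE executable or DLL


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_medium(root, manifest):
    """Walk `root`; return (accepted, rejected) where rejected holds (path, reason).

    A file passes only if its suffix is allowed, it does not start with a PE
    header (renaming an extension is cheap), and its digest matches the manifest."""
    root = Path(root)
    accepted, rejected = [], []
    for path in sorted(root.rglob("*")):
        if path.is_dir():
            continue
        rel = path.relative_to(root).as_posix()
        if path.suffix.lower() not in ALLOWED_SUFFIXES:
            rejected.append((rel, "extension not on allow-list"))
            continue
        with open(path, "rb") as f:
            head = f.read(len(PE_MAGIC))
        if head == PE_MAGIC:
            rejected.append((rel, "PE header under a data extension"))
            continue
        if manifest.get(rel) != sha256_of(path):
            rejected.append((rel, "digest missing from or different to manifest"))
            continue
        accepted.append(rel)
    return accepted, rejected


def build_sample_medium():
    """Constructed stand-in for a mounted USB stick: one legitimate export plus
    three files that should be refused."""
    root = Path(tempfile.mkdtemp(prefix="transfer_"))
    export = root / "scan_results.csv"
    export.write_bytes(b"id,value\n1,42\n")
    manifest = {"scan_results.csv": sha256_of(export)}
    (root / "autorun.inf").write_bytes(b"[autorun]\n")            # wrong file type
    (root / "notes.txt").write_bytes(PE_MAGIC + b"\x90\x00" * 8)  # executable renamed .txt
    (root / "readme.txt").write_bytes(b"never listed by the sender\n")
    return root, manifest


if __name__ == "__main__":
    medium, listed = build_sample_medium()
    ok, bad = check_medium(medium, listed)
    print("accepted:", ok)
    for name, why in bad:
        print(f"rejected {name}: {why}")
```

The manifest has to travel separately from the medium (or be signed) for the digest check to mean anything; with that in place, the check turns "could be infected" into "only these exact bytes get in".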

    2. DropBear

      Re: High-tech options

      In this instance, it's probably (poor) code for "networked and therefore absolutely positively definitely NOT air-gapped machine on a LAN (hence SMB) that isn't connected to the internet and therefore could itself be called air-gapped"...

      1. Prst. V.Jeltz Silver badge

        Re: High-tech options

        " The nasty no longer needs a command-and-control server, meaning it can operate in air-gapped environments"

        Big whoop. In the old days all malware did this. Why did previous versions need a server?

        The thing's job is:

        Poke around the network

        Encrypt stuff

        Display notice saying send $$ to bitcoin wallet.

        Maybe also display long guid type string so the bad guys can provide working unique decrypt key.

        So why did old versions need a server?

  4. Anonymous Coward
    Anonymous Coward

    And people still use XP

    How long will it take to kill this thing? Last year (yes, it was 2017), a client reported some problems with some machines they had, complaining that they were running slowly. This company needed cheap machines whose entire purpose was to run a web application for some people who had to fill out some stuff. Nothing else. So what did they use? Raspberry Pis? Old Chromebooks? The recycled machines of any self-respecting business for the past five years? No. They used Dell tower machines from 2003, rocking a 2.53 GHz Celeron and a wonderful 256 MB of RAM. They were right about their being slow, that's for sure.

    Of course, when I recommended rather strongly that we get rid of them, my supervisor told me the policy was that any machine that could run Windows 7 would be supported. In the following conversation, my instinct to yell "Processor clock speeds don't work like that. I don't care that Windows 7 will run on a 1 GHz processor, a 2.53 GHz Celeron from 2003 is not fast enough" was tempered with difficulty. Eventually I was able to get them scrapped by resorting to the machines not having enough RAM. Still, you'd expect any IT company to know that already.

    Anonymous because they did really stupid things at that company.

    1. Anonymous Coward
      Gimp

      Re: And people still use XP

      Get a grip. My firm tends to a Win 98 (*) machine for someone. You'd be surprised what runs the machinery in manufacturing ...

      (*) It breaks if you put a default gateway on it. NetBEUI becomes NetBIOS and that's too modern. Hilarious

      1. Anonymous Coward
        Anonymous Coward

        Re: And people still use XP

        I was serving my country when XP was introduced. My workstation ran MS-DOS to manage our logistics, complete with transmitting data via a dial-up connection. For the really sensitive things, we had to physically transport the data on a 3.5 floppy. I was assigned to an air defense unit, and the missile system fixers were showing me their diagnostic kit. It was a hardened briefcase laptop thingie running Windows 3.1! Granted, that OS was only creeping up on 10yrs old at the time, but that was my first experience with people "sticking with what works."

      2. jcitron

        Re: And people still use XP

        I've supported more than a few machines like that as well. Here's one which was run by a small graphics company and print shop.

        A RIP and controller box running proprietary software on Windows 3.1. The RIP software controlled an imagesetter for printing films for the printing industry. The PC hardware was an old EISA-based system with a 486 DX-50 and 512 MB of RAM, a 512 MB hard disk, and a 3Com EtherLink card with a thin-net connector.

        On top of Windows 3.1 was Microsoft's network add-on, and on that was COPS-Talk. COPS-Talk, aka Cooperative Printing Solutions network software, provided the AppleTalk drivers to support the output device so the RIP could "publish" the printer as an Apple-compatible printer on the network as a Linotronic 330, although it really was an ECRM VR-30.

        The VR-30 itself was connected to a proprietary SCSI card, which needed the EISA bus. Since I haven't seen this setup in about 6 years, I've forgotten what the SCSI spec was, but it was some powered SCSI line with the VR-30 being terminated internally.

        I was, and still am, amazed that this setup even worked. By the time all the software loaded, there was less than 720K of RAM left for any processing.

        This hardware was bought new in 1992 and was still in operation as far as I know in 2012!

    2. Cuddles

      Re: And people still use XP

      "How long will it take to kill this thing?"

      When I worked in a hospital a while back, there was still a BBC-B in use in the records department (it held the filing system for the microfiche). People worrying that an OS and PCs from this millennium are still in use always make me smile. How long will it take to kill XP? Ask me again in 30 years.

      1. Prst. V.Jeltz Silver badge

        Re: And people still use XP

        My brother looks after a newsagent's "IT" system.

        It runs on DOS, requires a floppy to be 1.4 MB and in a drive labelled A:, and prints only to LPT1.

        I have managed to sucker it into thinking those things are happening.

  5. Roland6 Silver badge

    Microsoft might not support Windows XP any more, but GandCrab v4.1 ransomware does

    and so does Kaspersky... depending on which product, this could be until July 10, 2020...

  6. BlackWingCat
    Happy

    My Windows 2000 is protected from MS17-010 :3

    > Windows 2000 systems are among the few not protected by this safety net. Running antivirus and segmenting systems will also help

    I patched the Windows 2000 SMB driver and applied MS17-010! :3

  7. glnz

    What about the POS hack? What, you didn't know?

    Hey, smarty pants Register people - you never say what will happen if the XP machine has been kept updated with the POS hack.

    Well, what about it? If updated, vulnerable to this mosquito?

    And what about Foolish IT's CryptoPrevent? Does it work?

    1. phuzz Silver badge
      Facepalm

      Re: What about the POS hack? What, you didn't know?

      You're totally right, they should have written something like:

      Systems should be updated to run MS17-010, a patch for Windows XP and Windows Server 2003

      Oh wait, that's exactly what was written in the article.

      As for CryptoPrevent, that appears to only be written to prevent CryptoLocker, so no, it's doubtful it will work. It certainly won't block the SMB vuln.

  8. RobinCM

    some older environments may end up at risk where there is poor security practice – e.g.

    ...if there are network connected, unsupported or unpatched operating systems running.

  9. EnviableOne
    Stop

    MRIs on XP are not out of support

    Most medical devices and systems are running highly customised versions of Windows Embedded Standard 2009, which is not end of support until January

    https://support.microsoft.com/en-gb/lifecycle/search?alpha=Windows%20Embedded%20Standard%202009

    2009 is an uprated version of XPe with some of the Vista security features ported in, because MS couldn't be bothered to componentise Vista

  10. J27

    I wonder how long it will be before any Windows XP system that's connected to the Internet is instantly owned, like Windows 98 systems are right now? It seems like the window is closing fast.

  11. jms222

    Still run Me

    I still run a fully connected Windows Me system (DOS software, ISA cards) which until recently (months) had no firewall. Never had a problem with malware.

    1. Prst. V.Jeltz Silver badge

      Re: Still run Me

      You were lucky to avoid WannaCry then!

      p.s. What's your IP?

  12. AmenFromMars

    Where?

    Where can I get a copy of this? Might finally be able to get the last few XP machines off my enterprise network!

  13. blondie101

    non-existing "freeze" option

    "It is entirely possible to run an old, insecure operating system on a machine in such a way that the rest of the network is protected. It takes a bit of work and know-how, but it's certainly doable."

    Yes, doable. But also leading to the assumption that "you only have to invest once to run any software system", which is the mother of all fuck-ups. Any automated system needs lots of funds during its lifetime to operate securely and according to the expectations of the (end) users.

    Isolating the lack of proper funding will leave you eventually with a spaghetti of totally unmanageable systems and a total stand-still of changeability across the whole organisation. Because organisations change and the expectations change. For example, that stand-alone MRI scanner one day will be connected to the other systems, albeit for monitoring, input for patient files, etc, etc. Bye, bye air-gap.

    1. Roland6 Silver badge

      Re: non-existing "freeze" option

      >But also leading to the assumption that "you only have to invest once to run any software system" which is the mother of all fuck-ups.

      I suspect the real cause of that style of thinking is Capex and Opex; with the move to subscriptions, costs are also moving from Capex to Opex, which will influence thinking.

  14. Anonymous Coward
    Anonymous Coward

    Legacy

    I have told a large number of people that our XP machines were untouched by WannaCry. Win7 ones were affected. If we had not been forced to get a more recent and shinier OS, we would have been fine!

    We would have had a nice warning and perhaps a giggle...
