Bitcoin blackmail virus incident
In my opinion, I don't know if it's right. We still need criticism and correction. I don't think this virus has anything to do with which way you use to access the Internet, and it also has nothing to do with which kind of computer (PC or laptop) you use. He mainly aims at some loopholes in the Current Windows operating system. We all know that when a software is downloaded, it must have the highest administrator authority to install the software on this computer. This should be a security policy of the computer operating system. However, there are loopholes in everything, and the operating system is no exception. For example, this virus outbreak, in fact, the patch was released as early as March, but many users didn't pay attention to it and didn't fix it. So, now as long as you are connected to the network, and the system vulnerability is not repaired in time, you can scan the port, use the vulnerability of a port, directly install the encryption software (virus) to your computer in the background, and encrypt your important files, so as to achieve the purpose of blackmail. So it's better not to turn off the self-renewal function of windows for convenience. At the same time, it's also recommended to turn off some ports that are not often used but are very dangerous, such as 445, 135, 137, 138 and 139—— Finally, WiFi is just a way to access the Internet. It can also spread viruses. So, quickly update and patch it .... There is also a video here. I think it's very good, but I don't know if I can watch it http://weibo.com/tv/v/?fid=1034 :
bitcoin virus (bitcoin Trojan horse) "bitcoin blackmailer" was popular abroad in 2014, and was found in China in early 15 years. This kind of Trojan will encrypt 114 kinds of files in the infected computer, such as docx, PDF, xlsx, JPG and so on, making it unable to open normally, and pop up windows to "blackmail" the victim, requiring the victim to pay 3 bitcoin as "ransom". According to the recent bitcoin price found by the reporter from the Internet, 3 bitcoin is almost 5000 yuan or 6000 yuan. This kind of Trojan horse is generally spread through English mail. The name of the Trojan horse program is usually in English, which means "order", "proct details", etc., and uses fax or form icon, which is very confusing. The recipient easily mistakenly thinks that it is a working file and clicks to run the Trojan horse program.
At present, 360 is the first in China to launch 360 anti extortion service
to provide document restoration and decryption service for the current popular specific Trojan family using asymmetric encryption
download and install the latest security guard 11.0 beta, and click "anti blackmail service" in the main interface
2. This kind of blackmail virus mainly infects windows system. It will use encryption technology to lock files, forbid users to access, and blackmail users
3. The attacker claimed that he could only unlock the file after asking for more than $300 worth of bitcoin. In fact, even if the ransom is paid, it may not be able to unlock the file
Why are they infected
once the blackmail worm attacks a user machine that can connect to the public network, it will scan the IP of the intranet and the public network. If the scanned IP has opened port 445, it will use the "enternal blue" vulnerability to install the back door. Once the backdoor is executed, a blackmailer virus named wana crypt0r will be released to encrypt all documents and files on the user's machine for blackmail
why use bitcoin
bitcoin is a kind of point-to-point network payment system and virtual pricing tool, commonly known as digital currency. Bitcoin is popular among cyber criminals because it is decentralized, unregulated and almost untraceable< Background of transmission and infection
this round of blackmailer worm virus mainly includes two family variants onion and wncry, which first broke out in Britain, Russia and other countries, and many enterprises and medical institutions were recruited in the system, resulting in heavy losses
global monitoring of security agencies has found that as many as 74 countries have suffered this blackmailer worm attack
since May 12, the spread of infection in China has also begun to increase sharply, and the outbreak has been intensified in many universities and enterprises
wannacry blackmail virus prevention method:
1. Install the latest security patch for the computer. Microsoft has released patch ms17-010 to fix the system vulnerability of "eternal blue" attack. Please install this security patch as soon as possible; For Windows XP, 2003 and other machines that Microsoft no longer provides security updates, we can use 360 "NSA Arsenal immunity tool" to detect whether there are vulnerabilities in the system, and close the ports affected by the vulnerabilities, so as to avoid being infringed by blackmail software and other viruses
2. Close ports 445, 135, 137, 138 and 139, and close network sharing
3. Strengthen the awareness of network security: don't click the unknown link, don't download the unknown file, don't open the unknown email...
4. Back up the important files in your computer to the mobile hard disk and U disk as soon as possible (regularly in the future), and save the disk offline after the backup
5. It is recommended that users who are still using Windows XP and windows 2003 should upgrade to Windows 7 / windows 10 or windows 2008 / 2012 / 2016 as soon as possible.
At the beginning, I heard that it was so serious all of a sudden. As a practitioner, I really had a sense of fear. Once it spread in my scope, it would cause endless trouble to my work. Moreover, some phenomena were exaggerated in the report, such as unnecessary operation and automatic infection of virus. I don't know how this principle came about. Is it a myth of network technology, Viruses, Trojans and malware become uncontrollable demons
"eternal blue virus" can scan windows machines with open 445 file sharing port to implant malicious programs. There are no absolutely safe operating systems in the world. They are all early systems of foreigners. Besides, there are no flawless things in the world. I have to learn more and take good precautions. I am engaged in enterprise information and security work. I know the dangers of viruses, Trojans and malicious programs, and I can't help the panda who gets up early to burn incense. There are a lot of solutions, but some people are still poisoned
how to shut down ports 445, 135, 137, 138 and 139 and turn off network sharing can also avoid winning. The method is as follows:
run, input "dcomcnfg", right-click "my computer" on the right of "computer" option, and select "properties". In the default properties tab of my computer properties dialog box, remove the check before "enable Distributed COM on this computer", select the default protocol tab, select "connection oriented TCP / IP", click "delete" button,
Close ports 135, 137 and 138: right click the network neighbor to select properties, On the new connection, right-click to select properties, and then select the network tab to remove the check boxes of Microsoft network file and printer sharing and Microsoft network client. In this way, ports 135, 137 and 138 on the shared end are closed
Close port 139: Port 139 is a NetBIOS session port for file and print sharing. The way to close 139 is to select "Internet Protocol (TCP / IP)" attribute in "local connection" in "network and dial-up connection", enter "advanced TCP / IP settings" and "disable TCP / IP NetBIOS" in "wins settings", and check to close 139 port
Close port 445: start - run, input regedit. After confirming, locate to HKEY_ LOCAL_ Machine, system, currentcontrolset, services, NetBt, parameters, create a new DWORD value named smbdeviceenabled, and set it to 0 to close port 445
whether practitioners or ordinary users, it is a difficult problem to face the virus Trojan horse vulnerability and malicious code. How to ensure their own safety is to take action in advance, take precautions, keep the safety warning in mind, and do not surf the Internet, operate or click randomly. There are so many bad guys that it is impossible to prevent them. Then the whole society should take action to make the virus and bad guys have no place to hide
okcoin reminds users that the current domestic bitcoin trading platform does not support extracting bitcoin. If netizens want to buy computers for ransom payment, they need to choose a trading platform that can withdraw bitcoin to avoid a second loss. In addition, after paying the ransom, whether the computer attacked by the virus can be effectively unsealed remains unknown. Therefore, the technical personnel of okcoin currency bank suggest that the majority of Internet users upgrade and install the relevant patches of Windows operating system as soon as possible, and the infected machines should be disconnected immediately to avoid further spread of infection. Users who have not been attacked by virus should update the system as soon as possible, install regular and safe anti-virus software, and improve the defense ability of the computer.