On May 12, a "worm"-type ransomware known as WannaCry began spreading on a large scale around the world. The software exploits a vulnerability in the Windows SMB service, applies high-strength encryption to documents, pictures and other files on the computer, and demands a ransom. Many classes of users, including universities, energy and other important information systems, have been attacked, and the worm poses a serious security threat to China's Internet.
1. Emergency isolation of infected hosts
Because the WannaCry worm is highly dangerous, every known infected host must be isolated from the network it currently works on.
For files that the worm has already damaged, no effective means of recovery had been found as of 2017/5/14. To prevent the worm from spreading further, copying any file from an infected host to another host or device is forbidden, and connecting a known infected host to any network is strictly forbidden.
2. Emergency handling of important files
To make sure important files are not destroyed by the WannaCry worm and to minimize losses, all uninfected hosts, and all hosts whose infection status is uncertain, must not be powered on.
Hosts of this type must be handled by physical copy: a professional opens the host, removes every hard disk that holds important files, and mounts it through an external device on a host confirmed to be uninfected, where the files are copied.
To prevent secondary infection, the copied files must be processed in an isolation zone.
It is strictly forbidden to attach a possibly infected hard disk directly to the copy machine through a motherboard interface such as IDE or SATA, so that the copy machine cannot boot from that disk and become infected.
All Windows hosts currently connected to the network should back up their important files.
After the physical copy process, carry out detection and emergency handling according to Section 3, "Emergency detection strategy for hosts".
Where these conditions are temporarily unavailable, or a host must be switched on for some reason, make sure it is booted outside the office network environment and with Internet access (for example over a 4G network or ordinary broadband), and that the Internet connection stays unobstructed the whole time. (Criterion for successful Internet access: the following web site can be opened in a browser and its content is displayed: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com)
For classified machines that cannot access the Internet, make sure the web server and network are configured and that the domain name resolves to a reachable Intranet server.
The home page of the Intranet server must return the following content:
sinkhole.tech - where the bots party hard and the researchers harder.
<!-- h4 -->
At the end of the temporary boot process, shut the host down and carry out the physical copy process.
3. Emergency detection strategy for hosts
Hosts that have gone through the physical copy process are handled as follows:
Check the Windows directory of the mounted hard disk for the file mssecsvc.exe; if it is present, the host is infected.
For other hosts that are powered on, check whether the file mssecsvc.exe exists in the Windows directory of the system disk, and check whether a service named mssecsvc2.0 exists in the system (see the procedure at the end of this section). If either one exists, the host is infected.
Where the network has a firewall or other equipment that keeps logs, check the logs for the domain name www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com; if it appears, there is an infected host inside the network. For every host detected as infected, be sure to format all of its hard disks once the physical copy process is finished.
If such a host has a backup made before 2017/4/13, a full restore can be performed (system disk and all other disks); a backup made after that date may already be infected and must not be used for recovery.
On a network known to contain infected hosts, hosts that are shut down must not be powered on and must go through the physical copy process. Hosts that are already switched on must be shut down immediately and then go through the physical copy process.
Attachment: how to check the service:
Press Windows + R to open the "Run" window:
Type services.msc and press Enter to open the service management page:
Check every entry in the "Name" column; if mssecsvc2.0 is present, the host is infected.
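The file check on a mounted disk and the log check described in this section can be scripted; the following is an added example, not part of the original advisory. The two log shapes it parses ("from <address>" and "src=<address>") and the function names are assumptions, and the sample lines are constructed. The mssecsvc2.0 service check is still done by hand as in the attachment above.

```python
import re
from pathlib import Path

# Indicators named in this document.
SWITCH_DOMAIN = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"
WORM_FILE = "mssecsvc.exe"
# Assumed log shapes: "... from 10.0.3.17" (resolver) or "src=10.0.3.17" (firewall).
CLIENT_RE = re.compile(r"(?:\bfrom\s+|\bsrc=)(\d{1,3}(?:\.\d{1,3}){3})")


def disk_has_worm_file(mount_root):
    """True if <mount_root>/Windows/mssecsvc.exe exists, ignoring case
    (the disk may be mounted on a case-sensitive system)."""
    for d in Path(mount_root).iterdir():
        if d.is_dir() and d.name.lower() == "windows":
            if any(f.name.lower() == WORM_FILE for f in d.iterdir() if f.is_file()):
                return True
    return False


def hosts_querying_switch(log_lines):
    """Return {client address: hit count} for lines naming the switch domain."""
    hits = {}
    for line in log_lines:
        if SWITCH_DOMAIN in line.lower():
            m = CLIENT_RE.search(line)
            client = m.group(1) if m else "unknown"
            hits[client] = hits.get(client, 0) + 1
    return hits


# Constructed sample lines, not taken from any real network.
SAMPLE_LOG = [
    "May 13 09:58:02 ns1 dnsmasq[812]: query[A] www.example.com from 10.0.3.20",
    "May 13 10:02:11 ns1 dnsmasq[812]: query[A] " + SWITCH_DOMAIN + " from 10.0.3.17",
    "May 13 10:02:12 fw1 allow src=10.0.3.17 dst=192.0.2.10 host=" + SWITCH_DOMAIN.upper(),
    "May 13 10:05:40 ns1 dnsmasq[812]: query[A] " + SWITCH_DOMAIN + " from 10.0.7.4",
]

if __name__ == "__main__":
    print(hosts_querying_switch(SAMPLE_LOG))
```

A client listed here may also be a workstation used for the manual browser check in Section 2, so confirm each address with the file and service checks before formatting anything.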
4. Emergency defense strategy for uninfected hosts
For uninfected hosts, there are four emergency defense strategies.
Strategy 1 is the most effective means of defense but takes longer. The other strategies are temporary solutions for use when Strategy 1 cannot be implemented.
A host on which Strategy 2 or Strategy 3 is applied will no longer be able to access network shares; use them with care.
Where Strategy 1 cannot be applied immediately, it is recommended to apply Strategy 4 first as a temporary defense. Whichever temporary strategy is used, Strategy 1 must be applied as soon as possible in order to achieve complete defense.
For hosts running a Windows version below Windows 10, it is recommended to upgrade to Windows 10 and update the system to the latest version. Where upgrading is not possible, be sure to use one of the emergency defense strategies.
Strategy 1: install the MS17-010 system patch
Install the MS17-010 patch that matches the system version. On Windows 7 and above it can be obtained by installing all patches through automatic updates; on Windows XP, Windows 2003 and Windows Vista it can be obtained by installing the temporary tools provided with this document.
Strategy 2: stop the services related to the vulnerability
A professional stops and disables the services related to the vulnerability with the following commands:
sc stop LmHosts
sc stop lanmanworkstation
sc stop LanmanServer
sc config LmHosts start= disabled
sc config lanmanworkstation start= disabled
sc config LanmanServer start= disabled
Strategy 3: configure the firewall to block the ports related to the vulnerability
On Windows 2003 or Windows XP, click the Start menu and open "Control Panel".
Double-click the "Windows Firewall" option in Control Panel, click the "Exceptions" tab, uncheck "File and Printer Sharing", and click OK.
On Windows 7 and above, click the Start menu, open Control Panel, and click "System and Security", then "Windows Firewall".
On the Windows Firewall configuration page, click the "Allow a program or feature through Windows Firewall" option, then click "Change settings" at the top:
Find the "File and Printer Sharing" checkbox in the list, uncheck it, and finally click OK.
Strategy 4: use the vulnerability defense tool
The company 360 provides a tool for temporary immunization against the worm; it can be downloaded from the 360 web site.
Running this tool directly provides a simple defense; it must be run again every time the host is restarted.
5. Emergency security defense strategy for public servers and networks
Most public servers (web sites, public systems, etc.) can connect to the Internet. For Windows Server 2008 R2 and higher versions, it is recommended to turn on the system's "automatic update" function and install all patches.
For Windows Server 2003, choose one of the defense strategies in Section 4, "Emergency defense strategy for uninfected hosts"; it is also recommended to upgrade as soon as possible to a higher server version (such as Windows 2008 R2).
For the internal network, possible infection must be prevented while keeping the hosts safe.
Where the sharing function is not used, block access to port 445 on firewalls, routers and other equipment.
Because this worm uses the domain name www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com as a "switch", it attacks immediately when it cannot reach that domain name. Network security devices such as firewalls and IPS must therefore not intercept this domain name; otherwise the encryption process will be triggered on infected hosts, causing irreparable damage.
Where a private Intranet DNS is used, be sure to configure resolution for this domain name and point it to a live web server on the Intranet. The home page of that Intranet server should return the following content:
sinkhole.tech - where the bots party hard and the researchers harder.
<!-- h4 -->
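A minimal Intranet web server that returns the page above, together with the reachability check described in Section 2 (the domain resolves and the page is returned), as an added example that is not part of the original advisory. The function names, the exact line break between the two lines of the page, and the recording of client addresses are assumptions.

```python
import http.client
import http.server
import threading

# Domain and page content as given in this document.
SWITCH_DOMAIN = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"
PAGE = (b"sinkhole.tech - where the bots party hard and the researchers harder.\n"
        b"<!-- h4 -->\n")
seen_clients = set()  # addresses that fetched the page


class SwitchPage(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        seen_clients.add(self.client_address[0])
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(PAGE)))
        self.end_headers()
        self.wfile.write(PAGE)

    def log_message(self, fmt, *args):
        pass  # clients are kept in seen_clients instead of stderr


def start_server(bind="0.0.0.0", port=80):
    """Serve PAGE from a background thread and return the server object."""
    srv = http.server.ThreadingHTTPServer((bind, port), SwitchPage)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def switch_reachable(address=SWITCH_DOMAIN, port=80, timeout=5):
    """True if `address` answers HTTP 200 with the expected page. With the
    default address the name goes through this host's own DNS resolver."""
    try:
        conn = http.client.HTTPConnection(address, port, timeout=timeout)
        conn.request("GET", "/", headers={"Host": SWITCH_DOMAIN})
        resp = conn.getresponse()
        body = resp.read()
        conn.close()
        return resp.status == 200 and body.startswith(PAGE.splitlines()[0])
    except (OSError, http.client.HTTPException):
        return False


if __name__ == "__main__":
    start_server()  # binding port 80 needs administrator rights
    print("page served locally:", switch_reachable("127.0.0.1"))
    threading.Event().wait()  # keep serving until interrupted
```

Run `switch_reachable()` with no arguments from a client segment to confirm that both the private DNS record and the web server work from there.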
Cyberspace Affairs Office of the Tianjin Municipal Party Committee, Network Security and Information Technology Evaluation Center