[clamav-users] Malware/ransomware and Yara signatures with clamav
Joel Esler (jesler)
jesler at cisco.com
Tue May 16 16:52:41 UTC 2017
RDP was a factor, but only locally.
No initial vector has been established. The only propagation method we have seen is via SMB.
Check the blog post. We laid it all out there.
--
Sent from my iPhone
> On May 16, 2017, at 12:40, Eric Tykwinski <eric-list at truenet.com> wrote:
>
> I don't think anyone really knows the initial vector, but RDP was an entry
> point according to the site I was reading:
> Backdooring: The worm loops through every RDP session on a system to run the
> ransomware as that user. It also installs the DOUBLEPULSAR backdoor. It
> corrupts shadow volumes to make recovery harder. (source: malwarebytes)
> It seems more believable to me than everyone with SMB access to the public
> internet.
>
> Sincerely,
>
> Eric Tykwinski
> TrueNet, Inc.
> P: 610-429-8300
>
> -----Original Message-----
> From: clamav-users [mailto:clamav-users-bounces at lists.clamav.net] On Behalf
> Of Dennis Peterson
> Sent: Tuesday, May 16, 2017 12:25 PM
> To: ClamAV users ML
> Subject: Re: [clamav-users] Malware/ransomware and Yara signatures with
> clamav
>
> If not email what is the vector?
>
> dp
>
>> On 5/15/17 5:11 PM, Joel Esler (jesler) wrote:
>> To be clear let me link to our blog post on the subject:
>>
>> http://blog.talosintelligence.com/2017/05/wannacry.html
>>
>> There has been no email vector seen in WannaCry to date. Almost everyone
>> that has claimed this has retracted it. Please read the above blog post for
>> all the facts as we know them.
>>
>> This is an ongoing threat.
>>
>> --
>> Joel Esler | Talos: Manager | jesler at cisco.com<mailto:jesler at cisco.com>
>
>
> _______________________________________________
> clamav-users mailing list
> clamav-users at lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>
>