NB - this page is written around Windows 7, but some of it may be relevant to other versions of Windows.
This web page is a sequel to my two previous web pages about a worldwide ransomware attack called WannaCrypt (also known as WannaCry), which was based on a vulnerability in SMBv1, a networking protocol that is part of the core of Microsoft file and printer sharing.
Once the vulnerability became known, malware writers created the WannaCrypt worm and sent it on its way to attack the world, with quite devastating results.
Interestingly, the writers of WannaCrypt included a kill switch - this was discovered, and once a particular domain name had been registered, the kill switch started to limit the spread of WannaCrypt.
So after a massive bang to start with, WannaCrypt withered somewhat, but it is still catching out unpatched computers.
Various copycat malware has been produced that doesn't have a kill switch, but none of it seems to be having the same impact as WannaCrypt, probably because Microsoft produced patches for all versions of Windows back to Windows XP.
So the world has now got tired of talking about WannaCrypt, and gone off to find other topics to get excited about.
Which is a pity, because it now appears that new types of worms are being developed that exploit vulnerabilities in SMBv2 and SMBv3.
So a whole new generation of ransomware worms is coming.
Windows 7 doesn't know about SMBv3, but it does use SMBv2 by default, as well as SMBv1, so an unpatched installation of Windows 7 is vulnerable to attack by all the various worms that exploit the vulnerabilities of both SMBv1 and SMBv2.
Back in March 2017 Microsoft issued Security Bulletin MS17-010, which addressed the vulnerabilities in SMBv1 - and for Windows 7 pointed to the update KB4012212. This update did quite a few things, including the replacement of three .sys files in C:\Windows\System32\drivers -
These are the core driver files that the LanmanServer and LanmanWorkstation services need to operate.
Note that even though the security bulletin didn't mention a vulnerability in SMBv2, KB4012212 replaced the mrxsmb20.sys driver file.
During the height of the WannaCrypt attack, Microsoft Security Bulletin MS17-010 got a fair bit of publicity as a good source of information.
What has not really had any publicity is that, also in March 2017, Microsoft produced another Security Bulletin, MS17-012, which refers to issues in SMBv2 and SMBv3 and points to the same update.
So although Microsoft split the vulnerabilities in SMBv1, SMBv2 and SMBv3 across two Security Bulletins, all of them, as far as Windows 7 is concerned, are covered by KB4012212.
Both Security Bulletins also list another update for Windows 7, KB4012215, which Microsoft calls the March 2017 Monthly Rollup. Microsoft's Monthly Rollups are cumulative and contain everything in the Security Only update for the same month, so KB4012215 carries the same replacement driver files as KB4012212 plus every earlier fix and the non-security changes. That is why the bulletins list both: either one on its own addresses the MS17-010 and MS17-012 vulnerabilities, and the difference between them is size and scope, not which drivers get replaced.
So if you are manually updating Windows 7, you need to install one of KB4012212 or KB4012215, quite apart from any other updates you install - and it is worth confirming afterwards, in Programs and Features or with Get-HotFix, that the one you chose actually shows up as installed.
Hopefully, with that patch in place, Windows 7 will be protected against worm attacks based on the vulnerabilities used by WannaCrypt.
But - and it is a big but - there is evidence on the web that KB4012215 causes significant problems on some Windows 7 computers, and that it isn't the only March update that is iffy.
Now I have installed it on two computers so far, and I haven't had any problems - so you need to make up your own mind whether to install it.
If you would rather not risk the rollup, the Security Only update KB4012212 still gives you the SMBv1, SMBv2 and SMBv3 fixes from both bulletins. If the rollup is going to break something, then don't install it. Your choice.
The above updates address the vulnerabilities used by WannaCrypt - but they may not address other vulnerabilities in SMBv1 and SMBv2 that have not yet been discovered in the outside world.
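Before deciding whether to patch further or to remove SMB, it helps to see where a machine actually stands. The following PowerShell is added here as an illustration and is not part of the original page: it reports whether the two updates cited above are listed as installed, the version and date of the three SMB driver files this page names, the Start value of their driver services, and the state of LanmanServer and LanmanWorkstation. It changes nothing. It is written for the PowerShell 2.0 that Windows 7 ships with, so it uses WMI for service start modes. Get-HotFix reads the installed-updates list, so if the fix arrived through a later cumulative rollup instead of one of these two KBs, neither will be listed and the file versions are the thing to look at. The SMB1 registry value it reads at the end is Microsoft's documented switch for the SMBv1 server (absent means enabled), which the page itself does not mention.

```powershell
# Added example (not from the original page). Read-only report of the patch
# and SMB state discussed above; run in an elevated PowerShell on Windows 7.

$kbs       = 'KB4012212', 'KB4012215'                      # the two updates the page cites
$drivers   = 'mrxsmb.sys', 'mrxsmb10.sys', 'mrxsmb20.sys'  # driver files the page names
$driverDir = Join-Path $env:SystemRoot 'System32\drivers'
$svcRoot   = 'HKLM:\SYSTEM\CurrentControlSet\Services'

Write-Output '== Updates (as listed by Get-HotFix) =='
foreach ($kb in $kbs) {
    $hf = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
    if ($hf) { '{0,-10} installed on {1}' -f $kb, $hf.InstalledOn }
    else     { '{0,-10} not listed'       -f $kb }
}

Write-Output '== SMB driver files =='
foreach ($d in $drivers) {
    $path = Join-Path $driverDir $d
    if (Test-Path $path) {
        $f = Get-Item $path
        '{0,-13} version {1,-22} modified {2:yyyy-MM-dd}' -f $d, $f.VersionInfo.FileVersion, $f.LastWriteTime
    } else {
        '{0,-13} absent' -f $d
    }
}

# Start values: 2 = automatic, 3 = manual (demand), 4 = disabled.
Write-Output '== SMB driver service keys =='
foreach ($name in 'mrxsmb', 'mrxsmb10', 'mrxsmb20') {
    $key = Join-Path $svcRoot $name
    if (Test-Path $key) { '{0,-13} Start={1}' -f $name, (Get-ItemProperty $key).Start }
    else                { '{0,-13} key missing (removed)' -f $name }
}

# WMI rather than Get-Service, because PowerShell 2.0's Get-Service has no StartType.
Write-Output '== LanmanServer / LanmanWorkstation =='
Get-WmiObject Win32_Service -Filter "Name='LanmanServer' OR Name='LanmanWorkstation'" |
    ForEach-Object { '{0,-18} {1,-8} start={2}' -f $_.Name, $_.State, $_.StartMode }

# Microsoft's documented switch for the SMBv1 server: DWORD SMB1 under
# LanmanServer\Parameters. When the value is absent, SMBv1 is enabled.
$params = Join-Path $svcRoot 'LanmanServer\Parameters'
$smb1 = $null
if (Test-Path $params) { $smb1 = (Get-ItemProperty $params).SMB1 }
if ($smb1 -eq $null) { 'SMBv1 server: SMB1 value not set (enabled by default)' }
else                 { 'SMBv1 server: SMB1 = {0}' -f $smb1 }
```

Run it before patching, after patching, and again after any removal: the driver file dates should move to March 2017 or later once KB4012212 or KB4012215 is in, and the three service keys and files should report as missing once the removal procedure below has been followed.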
If you don't need any kind of Microsoft file sharing, you might be happier removing SMB entirely from Windows 7.
First off, install the updates listed above - or at least KB4012212 - otherwise installing the update later will partly reverse what you are about to do, by putting the driver files back.
You can then completely remove the whole of the following keys from the registry (export each one first with reg export, so you can put it back if you need to) -
HKLM\System\CurrentControlSet\Services\LanmanServer
HKLM\System\CurrentControlSet\Services\LanmanWorkstation
HKLM\System\CurrentControlSet\Services\mrxsmb
HKLM\System\CurrentControlSet\Services\mrxsmb10
HKLM\System\CurrentControlSet\Services\mrxsmb20
Be warned - these are major changes to the registry, and there is a significant risk you will break your installation of Windows.
You have been warned !!!!!!
Do a reboot, then delete the driver files -
C:\Windows\System32\drivers\mrxsmb.sys
C:\Windows\System32\drivers\mrxsmb10.sys
C:\Windows\System32\drivers\mrxsmb20.sys
These files are owned by TrustedInstaller, so before you can delete them you will have to take ownership (Properties > Security > Advanced > Owner, or takeown from a command prompt) and then grant yourself full control.
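The same procedure, scripted in PowerShell as an added example that is not part of the original page. It runs in two phases around the reboot the text calls for: phase 1 refuses to continue unless KB4012212 is listed as installed, exports each registry key to a backup folder, then deletes the keys; phase 2, after the reboot, copies each driver file to the same folder, takes ownership with takeown, grants the built-in Administrators group full control with icacls (by SID, so it works on non-English installs), and deletes it. The phase names, the backup folder C:\smb-removal-backup and the ordering are my own choices; the key names, file names and the KB check are the page's. Run it from an elevated PowerShell.

```powershell
# Added example (not from the original page): scripts the SMB removal procedure
# described above in two phases, with backups so it can be undone.
#   Phase1  - check KB4012212, export and delete the five service keys, then reboot.
#   Phase2  - after the reboot, back up and delete the three driver files.
param([ValidateSet('Phase1', 'Phase2')][string]$Phase = 'Phase1')

$keys = 'LanmanServer', 'LanmanWorkstation', 'mrxsmb', 'mrxsmb10', 'mrxsmb20' |
    ForEach-Object { "HKLM:\SYSTEM\CurrentControlSet\Services\$_" }
$files = 'mrxsmb.sys', 'mrxsmb10.sys', 'mrxsmb20.sys' |
    ForEach-Object { Join-Path $env:SystemRoot "System32\drivers\$_" }
$backup = Join-Path $env:SystemDrive 'smb-removal-backup'   # my own choice of location
New-Item -ItemType Directory -Path $backup -Force | Out-Null

if ($Phase -eq 'Phase1') {
    # 1. The page insists on KB4012212 first: installing it after the removal
    #    would put the driver files back.
    if (-not (Get-HotFix -Id 'KB4012212' -ErrorAction SilentlyContinue)) {
        throw 'KB4012212 is not listed as installed; install it first.'
    }
    # 2. Export every key before touching anything. Each .reg file can be
    #    restored with "reg import <file>", from a recovery prompt if necessary.
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $regPath = $k -replace '^HKLM:\\', 'HKLM\'          # reg.exe syntax, no colon
        $out = Join-Path $backup ((Split-Path $k -Leaf) + '.reg')
        & reg.exe export $regPath $out /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Export of $regPath failed; stopping before any deletion." }
    }
    # 3. Delete the keys. The driver files stay until after the reboot because
    #    the drivers are still loaded.
    foreach ($k in $keys) {
        if (Test-Path $k) { Remove-Item -Path $k -Recurse -Force; "deleted $k" }
    }
    "Registry exports are in $backup. Reboot, then run again with -Phase Phase2."
}
else {
    # 4. Do not delete drivers that are still registered as services.
    $remaining = $keys | Where-Object { Test-Path $_ }
    if ($remaining) { throw "Service keys still present, run Phase1 first: $remaining" }
    # 5. TrustedInstaller owns the files: take ownership, grant Administrators
    #    (S-1-5-32-544, given to icacls with the * prefix) full control, delete.
    foreach ($f in $files) {
        if (-not (Test-Path $f)) { "$f already absent"; continue }
        Copy-Item -Path $f -Destination (Join-Path $backup (Split-Path $f -Leaf)) -Force
        & takeown.exe /F $f | Out-Null
        & icacls.exe $f /grant '*S-1-5-32-544:F' | Out-Null
        Remove-Item -Path $f -Force
        "deleted $f (copy kept in $backup)"
    }
}
```

The export-before-delete step is the part worth keeping even if you do the rest by hand: a machine that no longer has a LanmanWorkstation key cannot map network drives, and the .reg files are the only quick way back short of a repair install.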
I have done all this on two Windows 7 machines, and it all works okay - your mileage may be different - I have subsequently also done it on two Windows 8.1 machines, and they both survived.
If you need SMB and Microsoft file sharing you have a more difficult path - patching is obviously essential.
Then you need to think about the network.
It is odd how malware has come full circle - a long time ago many malware attacks were carried out across the network, and network security was key.
Then malware evolved, and other propagation methods took over, such as compromised websites and email attachments.
Now we are back to attacks across the network.
So now you can get to play with all kinds of network security techniques - some that come to mind are -
Lots of fun !
The usual disclaimer applies - this all works on my computers, but I can give no guarantee that it will work on your computer(s), and you make these changes to your computer(s) entirely at your own risk.