Please run windows update now

Royce Williams royce at
Fri May 12 18:30:06 UTC 2017

My $0.02, for people doing internal/private triage:

- If your use of IPv4 space is sparse by routes, dump your internal routing
table and convert to summarized CIDR.

- Feed your CIDRs to masscan [1] to scan for internal port 445 (masscan
randomizes targets, so destination office WAN links won't saturate, but
local/intermediate might if you're not careful, so tune):

    sudo masscan -p445 --rate=[packets-per-second safe for your network] -iL routes.list -oG masscan-445.out

- Use (the
python2 one, or the Metasploit one if you can use that internally) to
detect vuln. The python one is *not* a parallelized script, so consider
breaking it into multiple parallel runners if you have a lot of scale.

- If you're using SCCM/other, verify that MS17-010 was applied - but be
mindful of Windows-based appliances not centrally patched, etc. Trust but

- In parallel, consider investigating low-hanging fruit by OU
(workstations?) to disable SMBv1 entirely.



On Fri, May 12, 2017 at 10:02 AM, Alexander Maassen <outsider at>

> Hail backups, and whoever keeps those ports accessible to the outside
> without a decent ACL in the firewall, or restricting it to (IPsec) VPN's
> should be shot on sight anyways.
> On Fri, May 12, 2017 7:35 pm, Ca By wrote:
> > This looks like a major worm that is going global
> >
> > Please run windows update as soon as possible and spread the word
> >
> > It may be worth also closing down ports 445 / 139 / 3389
> >
> >
> 528119808/large-cyber-attack-hits-englands-nhs-hospital-
> system-ransoms-demanded
> >
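
The triage steps in the message above (summarize routes into CIDRs, collect hosts with 445 open, split them across parallel checkers), as an added example that is not part of the original post or of masscan. The sample data is constructed, the function names are hypothetical, and the -oG line shape shown in the comment is an assumption about masscan's grepable output.

```python
import ipaddress
import re

def summarize_routes(lines):
    """Collapse IPv4 route prefixes into the fewest covering CIDRs."""
    nets = []
    for line in lines:
        token = line.split("#", 1)[0].strip()  # allow comments in the dump
        if not token:
            continue
        # First column is expected to be the prefix; host bits are masked off.
        net = ipaddress.ip_network(token.split()[0], strict=False)
        # Drop IPv6 and the default route; 0.0.0.0/0 would scan everything.
        if net.version == 4 and net.prefixlen > 0:
            nets.append(net)
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

# Assumed -oG line shape: "Host: 10.1.0.20 ()<TAB>Ports: 445/open/tcp////"
HOST_RE = re.compile(r"Host:\s+(\d+\.\d+\.\d+\.\d+)\s.*Ports:\s+445/open/tcp")

def open_445_hosts(grepable_lines):
    """Return de-duplicated, numerically sorted hosts that answered on 445/tcp."""
    hosts = set()
    for line in grepable_lines:
        m = HOST_RE.search(line)
        if m:
            hosts.add(ipaddress.ip_address(m.group(1)))
    return [str(h) for h in sorted(hosts)]

def shard(hosts, runners):
    """Round-robin split so each parallel checker gets a similar share."""
    return [hosts[i::runners] for i in range(runners)]

# Constructed sample data, not taken from a real network.
SAMPLE_ROUTES = ["10.1.0.0/24", "10.1.1.0/24  # branch A", "10.1.0.128/25",
                 "0.0.0.0/0", "2001:db8::/32", "192.168.10.0/24",
                 "192.168.11.0/24"]
SAMPLE_MASSCAN = ["# Masscan scan initiated (constructed sample)",
                  "Host: 10.1.1.7 ()\tPorts: 445/open/tcp////",
                  "Host: 10.1.0.20 ()\tPorts: 445/open/tcp////",
                  "Host: 10.1.0.20 ()\tPorts: 445/open/tcp////",
                  "Host: 192.168.10.3 ()\tPorts: 445/open/tcp////"]

if __name__ == "__main__":
    print("\n".join(summarize_routes(SAMPLE_ROUTES)))  # contents for routes.list
    for n, chunk in enumerate(shard(open_445_hosts(SAMPLE_MASSCAN), 2)):
        print(f"runner {n}: {' '.join(chunk)}")
```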
