With regard to an initial infection vector of Petya believed to have been MEDoc autoupdates, a reminder from 2015: https://twitter.com/halvarflake/status/681088010079842304 …
Replying to @0xdabbad00
Does anybody have details on how MeDoc updates occur? e.g. Are they signed?
Replying to @wdormann
Only useful autoupdate info I've seen is just MS giving some confirmation: https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/ …
Replying to @0xdabbad00 @wdormann
You can download old versions at http://www.me-doc.com.ua/pages/obnovlenie.php … and then let it update and see what happens.
Replying to @0xdabbad00 @wdormann
Given that the install site is HTTP and the downloads are unsigned I wouldn't have much hope the autoupdate mechanism is secure.
Replying to @0xdabbad00 @wdormann
I don't know if those are really the downloads though (I can't read Russian/Ukrainian and don't know anything about MEDoc).
Found full install at ftp://178.150.45.114/Medoc. Fumbled my way through seeing that all updates are unsigned, over HTTP. Disaster happened.