Feed aggregator


First Comics News - Fri, 05/19/2017 - 21:01

First Episode of Univision NOW Original Series will Premiere May 20 at 5 p.m. /4 p.m. CT, Featuring Axel Rico, Michelle Renaud and Eleazar Gomez


All Episodes will be Available for Binge-Watching Exclusively via Hispanic America’s only Spanish-language Live Streaming and On-demand Subscription Service


NEW YORK – MAY 19, 2017 – Univision Communications Inc. (UCI), the leading media company serving Hispanic America, will launch “Super X” (Super Ordinary), the latest Univision NOW Original series, on Saturday, May 20. The first episode will premiere simultaneously on the Univision Network (airing that day at 5 p.m. ET/PT (4 p.m. CT)) and on Univision NOW – Hispanic America’s only Spanish-language live streaming and on-demand subscription service. Also on May 20, all 13 episodes of the series will be available on demand, exclusively on Univision NOW.


“Super X” tells the story of Alex (Axel Rico), an ordinary guy, who works at a video game store, lives with his mother, has bad luck with women, and spends his days with his two best friends who give him the worst advice: Lalo (Mauricio Llera), an eccentric whose dream is to be a famous actor; and Simon (Paco Rueda), his cousin. Everything changes one night when, in the middle of a thunderstorm, Alex gets hit by lightning and gains the super powers of the hero in the video game he is playing. Alex’s real problems appear when he falls in love with Vicky (Michelle Renaud), his new neighbor. His emotions for Vicky cloud his thoughts and judgement, causing his super powers to betray him.


“The premiere of ‘Super X’ builds on our commitment to making the best programming available everywhere our audience is,” said Eric Ratchman, executive vice president of content distribution at UCI. “As we continue to expand Original offerings, Univision NOW gives our audience the most sophisticated experience and the richest content on every screen, as is expected by a digitally-savvy community that over-indexes on mobile, digital video and social.”


Univision NOW Originals offer U.S. premieres of series never-before-seen in the country, with titles featuring Hispanic America’s most beloved stars such as Danna Garcia, Victoria Ruffo, Cesar Evora, René Casados, Dulce Maria, Alexis Ayala, Pablo Lyle, and Danilo Carrera, among others. Since the launch of Univision NOW, UCI has heightened user experience with introduction of Originals, while also expanding its library with 3,000-plus hours of available on-demand content, including local newscasts in Atlanta, Chicago, Dallas, Houston, Los Angeles, Miami, New York, and San Francisco. Univision NOW was recently added to Roku, and is also available on AirPlay, Apple TV and Chromecast.


Univision NOW is Univision’s direct-to-consumer platform, available on iOS, Android and web. With Univision NOW, viewers can watch the live broadcast of the Univision and UniMás networks featuring their respective full schedules of telenovelas, sports, news, award shows and more. Users can sign up to Univision NOW with a monthly $5.99 or annual $49.99 subscription on univisionnow.com.

Categories: Comic Book Blogs

RICH REVIEWS: Jimmy’s Bastards # 1

First Comics News - Fri, 05/19/2017 - 20:49

Title: Jimmy’s Bastards # 1
Publisher: After Shock Comics
Writer: Garth Ennis
Artist: Russ Braun
Colorist: John Kalisz
Letterer: Rob Steen
Cover A: Dave Johnson
Cover B: Russ Braun
Price: $ 3.99 US
Rating: 4 out of 5 stars
Website: www.aftershockcomics.com
Comments: Regent aka Jimmy is one suave agent. He has some weird opponents. These villainous opponents have a unique way of talking.
The art certainly does jump out at you. The villains are exciting while Regent stays calm in the face of danger.
James Regent is a lot like James Bond. The similarities are easy to see.
There are sexy situations so this is a mature title.
The art is solid, the lines clear and crisp. The shading is well done.
The way the villains talk though is not explained. It is unique yes but also just plain weird and hard to understand what they mean.
James Regent is a man of confidence. He knows he is good because he is. The character is wonderful, he knows how to enjoy life while saving the world.
This secret agent comic is for those who enjoy action, excitement and thrills with a light hilarious twist to them.

Categories: Comic Book Blogs

Mummy’s Little Sweatshop

Yarn Harlot - Fri, 05/19/2017 - 20:13

The paper and silk jacket continues to trudge along, though I’m feeling better and as my energy and will to go on returns, I’m trying to get a bunch of stuff done. I cleaned up around here,  zipped out to get a new bank card (I lost mine over a week ago and somehow decided I didn’t need or want money until now) and then Samantha and I went to the fabric store, because the other yarn still isn’t here, and we decided that the two of us could probably churn out two skirts, a pair of pants and some shorts in…

(Obviously, the Power Rangers fabric is not for me. I think.)

Well, fine. We think we can do it in about 24 hours. This is likely a bit of a dream, and we’re making all summer clothes and it’s freaking freezing so it wouldn’t matter too much if we didn’t finish, but it would be nice to have them done before the next blanket yarn arrives and I go in deep.  (The baby is due very, very soon.)  Both Sam and I know how to sew, so with the two of us cutting, pinning, ironing and using the machine, we should make good time. The first batch of fabric is in the washer, and as soon as it’s clean and dry, we’re off.

(PS. Sam is clearly my kid. Today in the fabric store she pretty much shrugged off the fact that we don’t really have a pattern for the skirts. Or the shorts. “How hard can it be?” she said.  I smiled to myself, because really, I can’t tell you how many times I’ve said that right before all hell broke loose.)

(PPS. Being an infrequent sewer, I don’t really know what’s out there. Anybody bi-craftual want to point me to some of your favourite sewing blogs? I can’t see myself sewing any more than I do, but I’d still like to see what’s going on out there.)

(PPPS. My heart lies with yarn.)

Categories: Knitting Feeds

WannaDecrypt your files? The WannaCry solution, for some

Malwarebytes - Fri, 05/19/2017 - 20:11

We just wanted to shoot out a quick blog post to let you know about a decryptor (Wanakiwi) that has been developed for WannaCry/WannaCrypt/wCrypt. There is a catch though, it only works for the following operating systems:

  • Windows XP
  • Windows Server 2003
  • Windows Vista
  • Windows Server 2008
  • Windows Server 2008 R2
  • Windows 7

So if you’ve got a WannaCry infection on one of the above operating systems, there is hope!


The decryptor is only going to work if you haven’t restarted the infected system and you haven’t killed the ransomware process (should be wnry.exe or wcry.exe) so please don’t restart or kill the process if you want to get those files back!


In order to use this tool, you first need to download it from here.

This tool essentially searches the system’s memory for prime numbers and pieces together the encryption key used. However, it relies on current running memory so once you reboot it will be gone and if you’ve done too much on the system since infection, it’s possible the key won’t be found (because it’s been overwritten by data from other applications using the same memory space).

To run it, download the linked file (above) and extract the .zip to a folder on your desktop. If you can download the file from a clean system and then transfer it via USB, you run less risk of overwriting the key in memory.

Next, you can either double click it (boring) or open the command prompt (Start + CMD) and run it through there (fun!).

The tool will automatically identify the WannaCrypt applications running on the system if they are called wnry.exe or wcry.exe. If for some reason it can’t find them, check the running applications on your system (Task Manager/Process Explorer), find the offender (it’s pretty obvious), identify its Process Identification Number (PID), and plug that into the command prompt after wanakiwi.exe.

It might take a few minutes for the tool to find the key (or many minutes in some cases), but once it’s found the tool is going to start searching your system for encrypted files and decrypt them automatically.
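The memory search for primes described above, as an added example (this is not Wanakiwi's or WannaKey's code): a candidate window is accepted when it divides the public RSA modulus, and the same search fails once the region has been overwritten. The little-endian layout, the exponent 65537, the 1024-bit key and the memory buffer are assumptions constructed for the demo.

```python
"""Toy model of recovering an RSA private key from a prime left in memory."""
import random

E = 65537  # public exponent assumed for this constructed key


def is_probable_prime(n: int, rng: random.Random, rounds: int = 20) -> bool:
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int, rng: random.Random) -> int:
    """Random prime p of the given size with gcd(E, p - 1) == 1."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if cand % E != 1 and is_probable_prime(cand, rng):
            return cand


def find_prime_in_memory(memory: bytes, n: int):
    """Try every byte offset; return (offset, p) for a window that divides n."""
    plen = ((n.bit_length() + 7) // 8) // 2      # a prime is half the modulus size
    for off in range(len(memory) - plen + 1):
        window = memory[off:off + plen]
        # Little-endian: byte 0 is least significant (must be odd),
        # last byte is most significant (must be non-zero).
        if (window[0] & 1) == 0 or window[-1] == 0:
            continue
        cand = int.from_bytes(window, "little")
        if n % cand == 0:
            return off, cand
    return None


def rebuild_private_exponent(n: int, p: int) -> int:
    """With one prime known, the other factor and the private exponent follow."""
    q = n // p
    return pow(E, -1, (p - 1) * (q - 1))


def demo():
    rng = random.Random(2017)                    # fixed seed: reproducible sample key
    p, q = random_prime(512, rng), random_prime(512, rng)
    n = p * q
    # Constructed "process memory": random filler with p left at an unaligned offset.
    filler = bytes(rng.getrandbits(8) for _ in range(8192))
    off = 3001
    fresh = filler[:off] + p.to_bytes(64, "little") + filler[off + 64:]
    # The same region after another allocation reused it: 8 bytes of p are gone.
    reused = fresh[:off + 20] + b"\x00" * 8 + fresh[off + 28:]
    hit = find_prime_in_memory(fresh, n)
    miss = find_prime_in_memory(reused, n)
    d = rebuild_private_exponent(n, hit[1])
    msg = 0x1337C0DE
    roundtrip = pow(pow(msg, E, n), d, n) == msg
    return hit[0], hit[1] == p, miss, roundtrip


if __name__ == "__main__":
    print(demo())
```

The second search returns nothing even though most of the prime is still present, which is why a reboot or heavy use of the machine after infection ends the chance of recovery.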


After the tool finishes decrypting your files, you are going to be left with a ransom note as a background and lots of encrypted files next to your unencrypted files.

Here are some possible next steps:

  • Download Malwarebytes 3.0 (or whatever scanning tool you prefer that can clean up WannaCry) and run a scan on the system to identify all artifacts related to WannaCry. This will help you get the malware off the system in case it tries to encrypt again.
  • Restart the computer to finish clean-up.
  • Find all the most important files you want to keep and move them to some form of backup.
  • Wipe the system and reinstall Windows.
  • OR you can just go through your system looking for all files with the .WNCRY extension and getting rid of them.

The original memory scrubbing, prime number searching WannaKey decryptor tool (for XP) was written by Adrien Guinet (@adriengnt) and then used as the base for Wanakiwi developed by Benjamin Delpy (@gentilkiwi). These guys are incredibly talented and deserve a round of applause!

We found out about the tool thanks to the very extensive blog post by Matt Suiche (@msuiche), which you should check out to get more information about how these tools work. You might remember Matt from his assistance in stopping a variant of the WannaCry released last week by registering the killswitch domain.


We didn’t want to write about this tool until we tested it in some capacity. A lot of other security researchers have given it a go and it seems that the tool works well in lab environments (sometimes). I personally tested it on a Windows 7 system using the following sample (with mixed results):


  • My first test worked like a charm.
  • My second test with a new profile (for taking screenshots for this post) couldn’t actually launch the malware.
  • My third test launched the malware, but the decryptor took forever and eventually never found the key.
  • My fourth test worked like a charm again (original profile).
  • Some of our other researchers tried it and were unable to get the tool to find the key.

This tool was put together very quickly, and it’s meant to help those that it can help, which is likely not everybody. I wouldn’t recommend putting all your eggs in the basket of being able to decrypt with this tool if you get hit, because either:

  • You are likely going to be unable to recover the key OR
  • The malware will be modified to clean up the running memory or force a reboot after install to make the tool ineffective

But if you are currently dealing with a WannaCry infection, you have barely touched the infected system(s), and you are running one of the operating systems listed at the beginning of this post, running the tool is not going to break anything that isn’t already broken so it’s worth a shot just to see if you can get those files back.

That being said, once again big thanks to @adriengnt, @gentilkiwi & @msuiche for their hard work, information spreading and ingenious development skills.

Let us know in the comments if this tool worked for you (and your configuration too!)

The post WannaDecrypt your files? The WannaCry solution, for some appeared first on Malwarebytes Labs.

Categories: Techie Feeds


Aikido Blogs - Fri, 05/19/2017 - 20:04
I'd like to start this blog off apologizing in advance. My intention is not to offend anyone or point the finger at anyone, just something I've been focusing on for a while now.

Aikido is a martial art and as one, one of its foundations is physical. That means you need to be in shape. I see way too many aikido senseis that are overweight, that smoke or drink...they get up in front of the class and set the example, and it's not a good one!

On one occasion, I went to a seminar, and the first thing the instructor did after class was to light up a cigarette and invite everyone to drink. I watched an aikido demonstration, on another occasion, the instructor was just way overweight!

Can you do 100 pushups or a 100 pull ups, jog 3 miles comfortably? Being in shape is a very important factor in our health and in our ability to perform the techniques of Aikido effectively.

If you're not in shape, Aikido is a wonderful tool to get into shape, as long as you're not the teacher...because most of the time they're just walking around telling everyone else what to do...

Consider most importantly your diet. What you eat is very important for overall health. Alcohol consumption, caffeine, sugary foods, these are not your friend.

Please comment below, What are you doing to become healthier, stronger and better at Aikido?
Categories: Aikido

Block(ing) party

Knitting to Stay Sane - Fri, 05/19/2017 - 20:03
My name is Glenna and I’m here to tell you that you too can be a stubborn pouty knitter and do the bare minimum progress needed to eventually finish a knitting thing…and still eventually finish the knitted thing. Two knitted things, even! And then end up using almost your entire apartment floor to lay out […]
Categories: Knitting Feeds

This Is The Droid You’re Looking For: Announcing STAR WARS: ROGUE ONE – CASSIAN & K-2SO SPECIAL #1!

First Comics News - Fri, 05/19/2017 - 17:20

Duane Swierczynski and Fernando Blanco bring you the epic adventures of Cassian Andor and K-2SO


New York, NY—May 19, 2017—Cassian Andor and his reprogrammed Imperial security droid K-2SO have a partnership that rivals the closeness of Luke Skywalker and R2-D2. But like all great stories, that wasn’t always the case. So how did the great partnership of human and droid come to be? This August, find out the real history between the two characters when Marvel releases STAR WARS: ROGUE ONE – CASSIAN & K-2SO SPECIAL #1, written by acclaimed author Duane Swierczynski (Cable, Punisher: Frank Castle) with art by Fernando Blanco (Marvel Zombies, Thunderbolts).


Despite fighting to protect the galaxy, Cassian Andor and K-2SO haven’t always been on the same side of the Galactic Civil War – and readers will find out why in this new story, which includes the two characters meeting each other for the very first time!


“When I first heard about ROGUE ONE, I was thrilled,” said series writer Duane Swierczynski. “A heist movie set in the Star Wars universe? Are you kidding? Never in my wildest dreams did I think I’d be invited to tell a small piece of that story. And it was even cooler that I was asked to write about the first meeting of Cassian and K-2SO — easily my two favorite characters in the movie. What can I say? I love bad-asses and robots.”


Without spoiling anything, we can confirm that this IS the droid you are looking for this August, when Marvel releases STAR WARS: ROGUE ONE – CASSIAN & K-2SO SPECIAL #1, available wherever comics are sold this August!







FOC – 07/17/17, On-Sale – 08/09/17 

Categories: Comic Book Blogs


First Comics News - Fri, 05/19/2017 - 17:00
“It’s perfect and I love it. We need more books like this out there.” —Skottie Young From writers Jody LeHeup (former editor of Uncanny X-Force, Deadpool, Quantum and Woody) and Sebastian Girner (editor of SOUTHERN BASTARDS, DEADLY CLASS, BLACK SCIENCE), newcomer artist Nil Vendrell, colorist Mike Spicer (HEAD LOPPER, MYTHIC), and letterer Dave Lanphear comes a modern tall tale for the ages.

After being betrayed by the bears that raised him, the legendary SHIRTLESS BEAR-FIGHTER wanders the forest he’s sworn to protect, fist-fighting bears, eating flapjacks, and being the angriest man the world has ever known! When wild-eyed, super-strong bears attack the citizens of Major City, Shirtless ventures into the human world to do what he does best…PUNCH THOSE BEARS IN THE FACE! But all is not as it seems. Someone is manipulating Shirtless…and only by confronting the demons of his past can Shirtless hope to save his future!

IGN calls the series, “As wonderfully wild as it is completely literal,” while Pixelated Geek describes it as “over-the-top, intentionally offensive, raunchy, cheesy, campy, and totally ridiculous. It’s also, not surprisingly, really fun.” Monkeys Fighting Robots declares, “This is one of the funniest comics I have read in a long time.”

SHIRTLESS BEAR-FIGHTER is an over-the-top action/comedy chock full of humor, colorful characters, larger-than-life battles, and high adventure. It’s the story of a wrathful man at war with himself, what happens when we allow anger to rule our lives, and what we can do to set things right.

The #WarOnBearror begins with SHIRTLESS BEAR-FIGHTER #1 (Diamond Code APR170718) on Wednesday, June 21st. The final order cutoff deadline for retailers is Monday, May 29th.

Categories: Comic Book Blogs


First Comics News - Fri, 05/19/2017 - 16:51

Dark Horse to Produce Graphic Novel Series Based on Original Animated Show

MILWAUKIE, Ore., (May 19, 2017)—Corus Entertainment’s Nelvana, a world-leading international producer and distributor of children’s animated content, announced yesterday its licensing agreement with Dark Horse Comics. Dark Horse will produce a series of graphic novels based on Nelvana’s original animated action series, Mysticons. Set to be released late summer 2018, the graphic novels follow the epic tale of four unexpected heroes who transform into legendary warriors and undertake a mythic quest to save the world.

Dark Horse’s Shantel LaRocque will act as editor on the Mysticons graphic novel series. Having previously worked on titles such as Hellboy, B.P.R.D., Fight Club 2, Rexodus, and David Mack’s Kabuki, LaRocque brings a great knowledge of comics and genre fiction to the project.

“We are incredibly excited to bring on Dark Horse as our graphic novel partner for Mysticons,” said Pam Westman, Head, Nelvana Enterprises. “Mysticons is a contemporary, genre-defining series that shows girls the strength, power, and courage they already have from within. Comics and graphic novels have continually showcased dynamic and confident female characters, and we look forward to continuing the Mysticons’ adventures in this rich and powerful way of storytelling.”

“I am delighted to be working on the Mysticons project with Nelvana as they lead into this new genre,” said Shantel LaRocque, Associate Editor, Dark Horse Comics. “We look forward to bringing these breakthrough characters to life with new stories for Mysticons fans.”

Mysticons is slated to premiere on Nickelodeon in the U.S. this Summer and on Corus’ TELETOON network in Canada this Fall. The series is produced by Nelvana Limited, with Steven A. Cohen and Noel Bright executive producing for The Topps Company and Scott Dyer and Irene Weibel executive producing for Nelvana. Sean Jara is Creator, Writer and Executive Story Editor for the series (previous writing credits include Ben 10, RedaKai, Hot Wheels: Battle Force 5, Johnny Test, League of Super Evil).

The creative team and Nelvana are attending Licensing Expo, May 23 – 25, in booth H214.

Categories: Comic Book Blogs

Double the Love Baby Blanket

Moogly - Fri, 05/19/2017 - 16:14

The Double the Love Baby Blanket is double thick, super plus, and reversible for two different looks – and it’s a free crochet pattern here on Moogly! Disclaimer: This post includes affiliate links; Lion Brand provided the yarn for this pattern. I love the stitch pattern used in the Double the Love Baby Blanket, and [...]

The post Double the Love Baby Blanket appeared first on moogly. Please visit www.mooglyblog.com for this post. If you are viewing this on another site they have scraped the content from my website without permission. Thank you for your support.

Categories: Crochet Life

Adapting Shannach - The Last by Leigh Brackett & More To The 'Old Solar System' Campaign Setting

Swords & Stitchery - Fri, 05/19/2017 - 15:45
Yesterday I looked at Leigh Brackett's The Jewel of Bas & how it relates to the Old Solar System setting that I've been working on and off for a year now. Partially as an adventure campaign thought exercise & as an actual sandbox play setting. Today I want to re-examine Shannach - The Last by Leigh Brackett. What exactly happened to Mercury in The Old Solar System setting? Something similar to Needles
Categories: Tabletop Gaming Blogs

X-O MANOWAR #3 preview

First Comics News - Fri, 05/19/2017 - 15:11

X-O MANOWAR (2017) #3
Written by MATT KINDT
Cover A by LEWIS LAROSA (MAR172157)
Interlocking Variant Cover by MICO SUAYAN (MAR172159)
X-O Manowar Icon Variant by DAVID MACK (MAR172160)

Their world became his war!

Across every frontline, and through every trench, Aric of Dacia continues his hostile journey through a brutal alien planet the only way he knows how: with war. But the man once known as X-O Manowar is not alone. With a dedicated band of soldiers sworn to his side, Aric will prove his worth on the battlefield… and find himself in a position that no one saw coming!

New York Times best-selling writer Matt Kindt and Valiant exclusive rising star Tomas Giorello bring the punishing first act to Valiant’s biggest series of the year to its final stand-off… and will leave readers everywhere reeling with a last page surprise!

$3.99 | 32 pgs. | VALIANT PREMIUM | T+ | On Sale MAY 24 (FOC – 5/1/17)


Categories: Comic Book Blogs

RAPTURE #1 preview

First Comics News - Fri, 05/19/2017 - 15:11

RAPTURE #1 (of 4)
Written by MATT KINDT
Art by CAFU
Cover A by MICO SUAYAN (MAR172161)
Cover B by J.G. JONES (MAR172162)
Character Design Variant by KANO (MAR172165)
Variant Cover by CAFU (MAR172166)
B&W Sketch Variant by MICO SUAYAN (MAR172167)
NINJAK VS. THE VALIANT UNIVERSE Variant Also Available (MAR172164)
Blank Cover Also Available (MAR172163)

On a scarred landscape, two otherworldly armies prepare to battle one last time, vying for control of a massive tower named from an ancient language no longer permitted to be spoken.

One army is led by a primeval force named Babel, whose goal is singular: to breach “Heaven” no matter the cost. The only thing standing in his way is a gray-haired barbaric warrior, filled with rage and regret, a man who sees this battle as his last chance for redemption. But he knows his depleted forces have little chance of victory unless aid comes.

Enter Tama: A 12-year old girl on the crest of a hill overlooking the battle, who has just become humanity’s only hope. The last in an ancient line of mystics who protect the Earth, she has foreseen this battle and knows millions will perish if she’s unable to stop it. Now Tama and her ragtag team of malcontents – Ninjak, Shadowman and Punk Mambo – must somehow defeat an elder god hell bent on piercing the heavens.

This summer, New York Times best-selling writer Matt Kindt (X-O MANOWAR) and artistic sensation CAFU (RAI) lead a Tolkien-esque journey into the space between life and death…through the Deadside…and into the many worlds that lie beyond right here with a spellbinding and horrific standalone event!

$3.99 | 32 pgs. | T+ | On Sale MAY 24 (FOC – 5/1/17)


Categories: Comic Book Blogs


First Comics News - Fri, 05/19/2017 - 15:09

(May 18, 2017 – Burbank, CA) – The acclaimed comedy series “Mom,” starring Anna Faris and Allison Janney, is spearheading a donation campaign to support Planned Parenthood in response to recent partisan political efforts to target America’s leading provider of women’s health care. The U.S. Senate is currently considering legislation that would block low-income patients from going to Planned Parenthood for preventive care, like birth control and cancer screenings. “Mom” co-creator/executive producer Chuck Lorre and Emmy-winning series star Janney broke the news of the initiative today, encouraging fans and concerned citizens to stand with Planned Parenthood by making donations via the ppaction.org/MOMsupport link and rallying support by using the #StandwithPP hashtag throughout social media.

“In Los Angeles County alone, we answer approximately 2,000 calls each day from people asking us for help,” says Sue Dunlap, President/CEO of Planned Parenthood Los Angeles. “Across the country, millions of women and men are relying on Planned Parenthood health centers for their basic care — like birth control, life-saving cancer-screenings, and STD testing and treatment. We are committed to being here for them, no matter what. Generous support from our community fuels this work, and we are honored that the team behind ‘Mom’ is launching this campaign at this critical time.”

In lieu of spending on an Emmy For Your Consideration campaign this year, the creative team behind “Mom” has decided instead to launch this public support campaign and make a $250,000 donation to support Planned Parenthood and the Los Angeles affiliate. The “Mom” initiative furthers Janney’s longstanding support of Planned Parenthood, which her family has championed “for generations,” and continues the ongoing commitment by Lorre and Faris to healthcare-related charities and educational efforts. Lorre has been a long-standing benefactor of the Venice (Calif.) Family Clinic, where he established the Robert Levine Family Health Center in his father’s name, and Faris supports The Global Alliance to Prevent Premature and Stillbirth (GAPPS), a global effort to drastically prevent prematurity and stillbirth.

Critically acclaimed for tackling serious topics such as substance abuse, addiction, suicide and more, “Mom” follows single mom Christy (Faris), who’s trying to get her life back on track after years of questionable choices. Testing her daily is her mother, Bonnie (Janney), who Christy still considers the root of her troubles. They must both work to overcome their mistakes and build a better future for their family.

The New York Times has praised “Mom” as “…a comedy confident enough to have a serious agenda,” adding that “No series is better at mixing laugh-out-loud comedy and somber themes than ‘Mom.’” In 2016, Janney and Lorre visited the White House to join the Obama administration’s effort to reduce drug abuse, and participated in the White House Champions for Change event which honored individuals from across the country who were being recognized for their efforts to advance prevention, treatment and recovery. In 2014, the series was recognized by the Television Academy Honors, which celebrates programming that creates awareness, enlightens, educates and/or positively motivates audiences.

For the past century, Planned Parenthood has transformed women’s health and empowered millions of people worldwide to make informed health decisions, forever changing the way they live, love, learn and work. Planned Parenthood health centers serve 2.5 million people each year with essential health care, and one in five women in America has relied on Planned Parenthood at some point in her life. More than half of Planned Parenthood’s health centers are in rural and underserved communities, and without them, many patients would have nowhere else to go for care.

The American Health Care Act, which is currently being negotiated behind closed doors by an all-male team in the Senate, would prevent Medicaid recipients from accessing Planned Parenthood services.

To join the “Mom” campaign to support Planned Parenthood, please click here: ppaction.org/MOMsupport. For more information about Planned Parenthood, please visit www.plannedparenthood.org.

Recently renewed for its fifth season, “Mom” was created by Chuck Lorre, Eddie Gorodetsky and Gemma Baker. Lorre, Gorodetsky and Nick Bakay are executive producers; Baker is co-executive producer. The series is from Chuck Lorre Productions, Inc., in association with Warner Bros. Television. The all-female main ensemble cast of the show is led by Anna Faris and Allison Janney, and also includes Sadie Calvano, Mimi Kennedy, Jaime Pressly and Beth Hall. “Mom” airs Thursdays at 9/8c on CBS.

Categories: Comic Book Blogs

How did the WannaCry Ransomworm spread?

Malwarebytes - Fri, 05/19/2017 - 14:00

Security researchers have had a busy week since the WannaCry ransomware outbreak that wreaked havoc on computers worldwide. News of the infection and the subsequent viral images showing everything from large display terminals to kiosks being affected created pandemonium in ways that haven’t been seen since possibly the MyDoom worm circa 2004.

News organizations and other publications were inundating security companies for information to provide to the general public – and some were all too happy to oblige. Information quickly spread that a malicious spam campaign had been responsible for circulating the malware. This claim will usually be a safe bet, as ransomware is often spread via malicious spam campaigns. Admittedly, we also first thought the campaign may have been spread by spam and subsequently spent the entire weekend poring through emails within the Malwarebytes Email Telemetry system searching for the culprit. But like many others, our traps came up empty.

Claims of WannaCry being distributed via email may have been an easy mistake to make. Not only was the malware outbreak occurring on a Friday afternoon, but around the same time a new ransomware campaign was being heavily distributed via malicious email and the popular Necurs botnet. We recently wrote about the Jaff ransomware family and the spam campaign that was delivering it.

Some may have seen the rash of news occurring on their feeds, an uptick in ransomware-themed document malware in their honeypots, and then jumped to conclusions as a way to be first with the news.

But here at Malwarebytes we try not to do that. And now after a thorough review of the collected information, on behalf of the entire Malwarebytes Threat Intelligence team, we feel confident in saying those speculations were incorrect.

Indeed, the ‘ransomworm’ that took the world by storm was not distributed via an email malspam campaign. Rather, our research shows this nasty worm was spread via an operation that hunts down vulnerable public facing SMB ports and then uses the alleged NSA-leaked EternalBlue exploit to get on the network and then the (also NSA alleged) DoublePulsar exploit to establish persistence and allow for the installation of the WannaCry Ransomware.

We will present information to support this claim by analyzing the available packet captures, binary files, and content from within the information contained in the ShadowBrokers dump, and correlating what we know thus far regarding the malware infection vector.

Here’s what we know

EternalBlue

EternalBlue is an SMB exploit affecting various Windows operating systems from XP to Windows 7 and various flavors of Windows Server 2003 & 2008. The exploit technique is known as HeapSpraying and is used to inject shellcode into vulnerable systems, allowing for the exploitation of the system. The code is capable of targeting vulnerable machines by IP address and attempting exploitation via SMB port 445. The EternalBlue code is closely tied with the DoublePulsar backdoor and even checks for the existence of the malware during the installation routine.

EternalBlue checks for DoublePulsar

EternalBlue strings

Bits of information obtained by reviewing the EternalBlue-2.2.0.exe file help demonstrate the expected behavior of the software. The screenshot above shows that the malware:

  • Sends an SMB Echo request to the targeted machine
  • Sets up the exploit for the target architecture
  • Performs SMB fingerprinting
  • Attempts exploit
  • If successful exploitation occurs, WIN
  • Pings the backdoor to get an SMB reply
  • And if the backdoor is not installed, it’s game on!

The ability of this code to beacon out to other potential SMB targets allows for propagation of the malicious code to other vulnerable machines on connected networks. This is what made the WannaCry ransomware so dangerous. The ability to spread and self-propagate causes widespread infection without any user interaction.


DoublePulsar is the backdoor malware whose existence EternalBlue checks for, and the two are closely tied together.

This particular malware uses an APC (Asynchronous Procedure Call) to inject a DLL into the user mode process of lsass.exe. Once injected, exploit shellcode is installed to help maintain persistence on the target machine. After verifying a successful installation, the backdoor code can be removed from the system.

DoublePulsar Parameters

The purpose of the DoublePulsar malware is to establish a connection allowing the attacker to exfiltrate information and/or install additional malware (such as WannaCry) to the system. These connections allow an attacker to establish a Ring 0 level connection via SMB (TCP port 445) and/or RDP (TCP port 3389) protocols.

DoublePulsar Ring0 Connections

Network analysis

Taking a look at the wannacry.pcap file shared to VirusTotal by @benkow_ helps us attribute the previously discussed code as the infection vector via the initial calls of the attack cycle.

A high-level view of a compromised machine in Argentina ( that attacked the honeypot:

The widely publicized kill-switch domain is present in the pcap file. As was reported, the malware made a DNS request to this site. Until @MalwareTech inadvertently shut down the campaign by registering the domain, the malware would use this as a mechanism to determine if it should run.

DNS lookup to Sinkhole

The SMB traffic is also clearly visible in the capture. These SMB requests are checking for vulnerable machines using the exploit code above.

SMB Requests

The exploit sends an SMB ‘trans2 SESSION_SETUP’ request to the infected machine. According to SANS, this is short for Transaction 2 Subcommand Extension and is a function of the exploit. This request can determine if a system is already compromised and will issue different response codes to the attacker indicating ‘normal’ or ‘infected’ machines.

Diving into the .pcap a bit more, we can indeed see this SMB Trans2 command and the subsequent response code of 81 which indicates an infected system. If the attacker receives this code in response, then the SMB exploits can be used as a means to covertly exfiltrate data or install software such as WannaCry.

Trans2 Multiplex ID
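The check described above, turned into detection logic that can be run over SMB frames pulled from a capture. This is an added example, not code from the original post: the function names are hypothetical, the frames are constructed samples, and it assumes (following the figure caption) that the value 81 is carried in the SMB1 header's Multiplex ID field.

```python
import struct

# Added illustration; names are hypothetical and the frames are constructed samples.
SMB1_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION2 = 0x32  # SMB1 command code for Trans2
FLAG_REPLY = 0x80            # SMB1 Flags bit set on server responses
INFECTED_MID = 81            # value the article reports for an infected host
# 32-byte SMB1 header, little-endian: magic, command, NT status, flags, flags2,
# PIDHigh, signature, reserved, TID, PID, UID, MID (Multiplex ID, assumed field)
SMB1_HEADER = struct.Struct("<4sBIBHH8sHHHHH")

def parse_smb1_header(frame):
    """Parse a 4-byte NetBIOS session header plus SMB1 header; None if not SMB1."""
    if len(frame) < 4 + SMB1_HEADER.size or frame[0] != 0x00:
        return None
    fields = SMB1_HEADER.unpack_from(frame, 4)
    if fields[0] != SMB1_MAGIC:  # e.g. SMB2/3 frames start with \xfeSMB
        return None
    return {"command": fields[1], "status": fields[2],
            "flags": fields[3], "mid": fields[11]}

def classify(frame):
    """Label one TCP/445 payload taken from a capture."""
    hdr = parse_smb1_header(frame)
    if hdr is None:
        return "not-smb1"
    # Only Trans2 *responses* carry the signal; requests and other commands are skipped.
    if hdr["command"] != SMB_COM_TRANSACTION2 or not hdr["flags"] & FLAG_REPLY:
        return "ignored"
    return "doublepulsar-suspected" if hdr["mid"] == INFECTED_MID else "clean-reply"

def build_sample(command, mid, flags=FLAG_REPLY, status=0):
    """Construct a minimal SMB1 frame (zero word count, zero byte count) for the demo."""
    smb = SMB1_HEADER.pack(SMB1_MAGIC, command, status, flags, 0, 0,
                           bytes(8), 0, 0, 0, 0, mid) + b"\x00\x00\x00"
    return b"\x00" + len(smb).to_bytes(3, "big") + smb

def demo():
    samples = [
        build_sample(SMB_COM_TRANSACTION2, 81),           # Trans2 reply, MID 81
        build_sample(SMB_COM_TRANSACTION2, 65),           # Trans2 reply, other MID
        build_sample(SMB_COM_TRANSACTION2, 81, flags=0),  # a request, not a reply
        build_sample(0x2B, 81),                           # SMB Echo reply
    ]
    return [classify(s) for s in samples]

if __name__ == "__main__":
    print(demo())
```

A hit from this check is a triage signal for a host that needs isolation and patching; it keys on a single header field and should be confirmed against the full capture.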

Putting it all together

The information we have gathered by studying the DoublePulsar backdoor capabilities allows us to link this SMB exploit to the EternalBlue SMB exploit. It’s really not hard to do so as both were patched as part of the MS17-017 Security Bulletin prior to this event, and as previously mentioned, were both released in the well-publicized ShadowBrokers-NSA dumps.

Without otherwise definitive proof of the infection vector via user-provided captures or logs, and based on the user reports stating that machines were infected when employees arrived for work, we’re left to conclude that the attackers initiated an operation to hunt down vulnerable public-facing SMB ports and, once these were located, used the newly available SMB exploits to deploy malware and propagate to other vulnerable machines within connected networks.

Developing a well-crafted campaign to identify as few as a few thousand vulnerable machines would allow for the widespread distribution of this malware on the scale and speed that we saw with this particular ransomware variant.

So what did we learn?

Don’t jump to conclusions. Malware analysis is difficult and it can take some time to determine attribution to a specific group, and/or to assess the functionality of a particular campaign – especially late on a Friday (which BTW, can all you hackers quit making releases on Fridays!!). First comes stopping the attack; second comes analyzing the attack. Remember, patience is a virtue.

Update, update, UPDATE! Microsoft released patches for these exploits prior to their weaponization. Granted, patches weren’t available for all Operating Systems, but the patch was available for the vast majority of machines. This event even forced Microsoft to release a patch for the long-ago EOL Windows XP – which gets back to the first thing that was said. UPDATE! Why are there still machines on XP!? These machines are vulnerable (beyond this attack) to the ransomware functionality of this attack and they need to be updated.

Disable unnecessary protocols. SMB is used to transfer files between computers. The setting is enabled on many machines but is not needed by the majority. Disable SMB and other communications protocols if not in use.

Network Segmentation is also a valuable suggestion as such precautions can prevent such outbreaks from spreading to other systems and networks, thus reducing exposure of important systems.

And finally, don’t hoard exploits. Microsoft president Brad Smith used this event to call out the ‘nations of the world’ to not stockpile flaws in computer code that could be used to craft digital weapons.

That reminds me of an article I wrote a few years ago (and which was substantially cut for length) about Hacking Team and the government sanctioned use of exploits.

Hack Me: A Geopolitical Analysis of the Government Use of Surveillance Software

I guess things haven’t changed…

The post How did the WannaCry Ransomworm spread? appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Doctor Who S10 E06 ‘Extremis’ – Spoiler Free Preview

Blogtor Who - Fri, 05/19/2017 - 13:42

When Steven Moffat writes a mid-series episode, you know it’s gonna be a game changer. ‘Extremis’ throws the whole trajectory of the series aside to kick off a three-part epic informally dubbed the Monk trilogy. Anyone who thought ‘The Pilot’ was an unusual Moffat episode will be pleased to see his trademarks make a return. This […]

The post Doctor Who S10 E06 ‘Extremis’ – Spoiler Free Preview appeared first on Blogtor Who.

Categories: Doctor Who Feeds

A world for only $5, Harnworld

Bat in the Attic - Fri, 05/19/2017 - 13:18
Just a heads up, Columbia Games has been running a series of sales on their PDFs for Harn. The latest is $5 for the Harnworld PDF which you can get through this link. Note that it automatically adds it to your cart so if you don't get it make sure you remove it.

If you want to look at the product you can go to the normal RPGNow page through this link.

I am not using any type of affiliate ID; the one on the first link is for Columbia Games.

There are other discounted PDFs that you can pick and you can see what are the latest by following this thread on the Lythia forum.

The individual articles, like Heru Castle, are often useful as resources for your campaign for when you need a particular locale and don't have time to generate one of your own from scratch.

Categories: Tabletop Gaming Blogs

Another Fine Article on ENWorld - Ernie Gygax Shares A Little of Tenser's History

Tenkar's Tavern - Fri, 05/19/2017 - 12:54

Alright, stop the presses! I have found yet ANOTHER OSR related article on ENWorld that should interest the readers of The Tavern. Ernie Gygax shares some of Tenser's history.

The article is a short one and I'm only repeating a single paragraph here - grab the rest over on ENWorld.
"Tenser was the first magic user ever in Greyhawk. No books or previous experience existed. The first spell I took was a Read Magic and I used it to read the glyphs above a stairway leading down (level 1 to 2). It told us (Rob, Terry and I) that as you descend into the depths of the Dungeon the encounters will be more difficult but the rewards far grander. At 3rd level when facing off with an Evil 5th level mage I asked to join him and turn to Evil with him. He laughed stripped me naked and released me on the 3rd level to die. I made it to the surface. Took a rock in hand and set an ambush on another low level wandering mage. This stocked me with a new outfit, but I truly missed my now missing paralyzation wand. "
Categories: Tabletop Gaming Blogs

Pin Ups and Link Love: My Favourite Things This Week

Knitted Bliss - Fri, 05/19/2017 - 11:00


My Favourite Articles and Links This Week Why you need ‘white space’ in your daily routine. Sad portraits of your recycled electronics. This was a pretty amazing talk by Glennon Doyle Melton. I’ve watched it a few times now, and it’s so good. Have you guys heard about this whole eating cold oranges in the shower

The post Pin Ups and Link Love: My Favourite Things This Week appeared first on www.knittedbliss.com.

Categories: Knitting Feeds

