The Outdated XP Testimony on WannaCry to Congress

The Oversight Committee had a hearing on WannaCry last week. I won’t have time to watch the hearing for a few days, but I did read the testimony with some alarm. That’s because two of the four witnesses appear to have misstated one detail about the attack.

First, Symantec CTO Hugh Thompson suggested that the spread of the ransomware was due to Microsoft not releasing a patch for XP when it had released EternalBlue patches for other systems in March.

WannaCry spread to unpatched computers. Microsoft released a patch for the SMB vulnerability for Windows 7 and newer operating systems in March, but unpatched systems and systems running XP or older operating systems were unprotected. After the WannaCry outbreak began, Microsoft released a patch for XP and earlier platforms. Four days after the initial outbreak these patches were widely applied and new infections slowed to a trickle.

The implication here is that the ransomware primarily affected XP, and only because there hadn’t been a patch available.

Retired General Touhill suggested this outdated system was actually Windows 95 — and claimed that Microsoft had released that patch in March, along with the supported system patches.

Systems using unpatched versions of the Windows 95 operating system have been highlighted as exemplar victims of the Wannacry attack. Microsoft who, after a long and very public notification process, discontinued support to the Windows 95 operating system in 2014, about 19 years after its initial release. However, in light of the warnings and their own research, in March of this year Microsoft issued a rare emergency patch to Windows 95, nearly three years after they had discontinued support of the software. Despite these extraordinary actions, many organizations still did not heed the warnings and properly patch and configure their systems. As a result, they fell victim to Wannacry.

In fact, XP (to say nothing of Windows 95) was not the problem. Windows 7 was. Kaspersky Lab (which Congress has spent time of late demonizing as potential Russian spies) first pointed this out on May 19.

Chief among the revelations: more than 97 percent of infections hit computers running Windows 7, according to attacks seen by antivirus provider Kaspersky Lab. By contrast, infected Windows XP machines were practically non-existent, and those XP PCs that were compromised were likely manually infected by their owners for testing purposes. That’s according to Costin Raiu, director of Kaspersky Lab’s Global Research and Analysis Team, who spoke to Ars.

While the estimates are based only on computers that run Kaspersky software, as opposed to all computers on the Internet, there’s little question Windows 7 was overwhelmingly affected by WCry, which is also known as “WannaCry” and “WannaCrypt.” Security ratings firm BitSight found that 67 percent of infections hit Windows 7, Reuters reported.

The figures challenge the widely repeated perception that the outbreak was largely the result of end users who continued to deploy Windows XP, a Windows version Microsoft decommissioned three years ago. In fact, researchers now say, XP was largely untouched by last week’s worm because PCs crashed before WCry could take hold. Instead, it now appears, the leading contributor to the virally spreading infection were Windows 7 machines that hadn’t installed a critical security patch Microsoft issued in March.

Days later Sophos confirmed that analysis.

Though the lack of patching and exposure of port 445 were easily identified problems, the reasons why Windows 7 was an easier target than XP remain somewhat clouded.

During testing, SophosLabs found that XP wasn’t the effective conduit for infection via the EternalBlue SMB exploit that many thought it was, while Windows 7 was easily infected. The research showed that WannaCry ransomware can affect XP computers – but not via the SMB worm mechanism, which was the major propagation vector for WannaCry.

[snip]

Various security companies arrived at a similar conclusion, putting the infection rate among Windows 7 computers at between 65% and 95%. SophosLabs puts that number even higher: our analysis of endpoint data for the three days that followed the outbreak shows that Windows 7 accounted for nearly 98% of infected computers.

It’s still a question of whether a victim patched their computer or not, but Microsoft did make a patch available for Windows 7 along with other supported systems. Though, as Sophos notes, unless users were paying extra for support, they might not have noticed the patch was there.

Microsoft had addressed the issue in its MS17-010 bulletin in March, but companies using older, no-longer-supported versions of the operating system wouldn’t have seen it unless they were signed up for custom support, ie Microsoft’s special extended – and paid-for – support.

That suggests one problem with the patching wasn’t the timeliness, but the secrecy. But, Congress might not learn that detail given the testimony they got last week.
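The Kaspersky and Sophos figures quoted above come from endpoint telemetry: count which Windows version each infected host ran, then work out each version's share. The same inventory answers the defender's follow-up question, which hosts are still missing MS17-010 with TCP/445 reachable. The script below is an added example written for this post, not code from the post, Kaspersky or Sophos; the record layout, field names and the ten sample hosts are constructed for illustration.

```python
"""Triage helper: summarise infection telemetry by Windows version and list
hosts still exposed to the MS17-010 SMB flaw.

Added example for illustration; not code from the post, Kaspersky or Sophos.
The record layout, field names and sample hosts below are constructed.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    host: str
    os_name: str             # e.g. "Windows 7", "Windows XP"
    ms17_010_applied: bool   # March 2017 SMB fix (MS17-010) installed?
    smb_445_reachable: bool  # TCP/445 reachable from untrusted networks?
    infected: bool           # WannaCry detected on this host?


# Constructed sample telemetry (not real data): mostly unpatched Windows 7
# hosts, one XP box that stayed clean, one XP box infected another way.
SAMPLE = [
    Endpoint("ws-01", "Windows 7", False, True, True),
    Endpoint("ws-02", "Windows 7", False, True, True),
    Endpoint("ws-03", "Windows 7", False, True, True),
    Endpoint("ws-04", "Windows 7", False, True, True),
    Endpoint("ws-05", "Windows 7", True, True, False),   # patched, survived
    Endpoint("ws-06", "Windows 7", False, False, False),  # 445 not reachable
    Endpoint("ws-07", "Windows XP", False, True, False),  # exposed but clean
    Endpoint("ws-08", "Windows XP", False, True, True),
    Endpoint("ws-09", "Windows 10", True, True, False),
    Endpoint("ws-10", "Windows 10", True, False, False),
]


def infection_share_by_os(endpoints):
    """Return {os_name: fraction of infected hosts running that OS}.

    This is the statistic behind the "97% Windows 7" figures above: the
    denominator is infected hosts, not all hosts in the fleet.
    """
    infected = Counter(e.os_name for e in endpoints if e.infected)
    total = sum(infected.values())
    if total == 0:          # no infections: avoid a division by zero
        return {}
    return {os_name: n / total for os_name, n in infected.items()}


def exposed_hosts(endpoints):
    """Hosts the SMB worm could still reach: MS17-010 missing AND TCP/445
    reachable. Patched hosts and hosts with 445 filtered are excluded.
    Sorted so the output is stable."""
    return sorted(e.host for e in endpoints
                  if not e.ms17_010_applied and e.smb_445_reachable)


def report(endpoints):
    """Render both results as text for a quick triage summary."""
    lines = ["Infection share by OS:"]
    for os_name, share in sorted(infection_share_by_os(endpoints).items()):
        lines.append(f"  {os_name:<12} {share:6.1%}")
    lines.append("Still exposed (MS17-010 missing, TCP/445 reachable):")
    lines.extend(f"  {h}" for h in exposed_hosts(endpoints))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE))
```

Two design points: the share is computed over infected hosts only, which is why such figures say nothing about how many XP machines exist in a fleet, only about which OS the worm actually landed on; and the exposure list treats "445 not reachable" as a mitigation in its own right, matching the post's point that exposure of port 445 and missing patches were the two identifiable problems.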

Three days after the attack started, Homeland Security Czar Tom Bossert was still claiming WannaCry was spread via phishing. Now Congress is getting other debunked reporting.

We might respond better to these threats if the government was getting information that was at least as accurate as that information available to lowly hippie bloggers.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

12 replies
  1. lefty665 says:

    The difference between win7 and win10 infection rates apparently being that win10 pushes updates while win7 allows users to decide if, what and when to apply even critical patches.

    Although I have never been under the illusion that all security patches were for my security as a user, it was clear by the millennium that individually evaluating and deciding what critical windows patches to apply was a mugs game. Turn on auto update for important updates and be done with it.

    • Cujo359 says:

      For individual users, definitely. Organizations that are well staffed enough to reinstall their own OSs might want to pick and choose if they have regression tests against their organizations’ internal services, software, or critical third party software. For everyone else, you might as well apply the patch and see what it breaks…

      • lefty665 says:

        My organization was not big, but I had a couple of techies. They came to me and complained that researching windows updates was sopping up enough of their time that they were not getting other work done. At their recommendation we enabled important updates, they never crashed anything and the techies lost the ability to blame it on Bill when their work did not get done. Win win.

  2. Cujo359 says:

    Was the problem with XP reinfection rates? IIRC, victim computers would try to spread WannaCry to others. XP was less careful about privilege separation, etc., than later Windows versions. That might explain why they thought a small number of computers were the problem.

    Though you’d think Kaspersky would have thought of that…

    • emptywheel says:

      Did you read the Sophos piece? It explains some of the reason.

      Recall that the NSA was having blue screen problems with Eternal Blue for a while, but then it got better. So it may well be that the exploit was better written for 7.

  3. SpaceLifeForm says:

    To reiterate, it was mostly 7 because most were illegal copies. More below. Reviewing the normal consumer versions…

    95 – No way. Most machines that came with 95 were converted to 98se as soon as the user figured out it was easy to do so. Yeah, it was likely via an illegal copy, but if you had a working license key, no problem. Note there were no driver issues either, so you got a working machine with some better functionality, more stable, no headaches.
    So, why not blame 98se?

    98se – good enough for the hardware at the time.

    ME – Piece of crap, probably 5 working machines on planet with ME. If you could get 98se on a machine that came with ME, and find the right drivers, that would be the route to take.

    XP – now, it gets interesting. XP keygens available, but trying to run XP on a machine that was older would not run very well due to lack of ram available due to older motherboards.
    It would get unstable, and crash.
    XP on a new machine (at the time) was actually useable but most of time was painfully slow due to lack of ram. Most of the newer motherboards could support more ram, it was that the OEM boxes were not delivered with the max ram on that motherboard because the ram was still relatively expensive at the time. Ram stick market took off.

    Vista – see ME. Still sucked, and 64 bit coming out now. But Vista sucked, so just like ME, the user would want 7. Could not use XP due to hardware/driver issues.

    7 – by now, most of the older machines are dying. 7 needs 4GB of ram to run well, so trying on pre-Vista box would not fly. PATA drives hard to find due to SATA going mainstream, which would be the number one problem on older machines. The drive would wear out due to excessive swapping. If you were smart enough to get a second drive early, that would help, but swapping would eventually eat your ‘C’ drive.
    Even if you maxed out the ram, updates kept flowing from Microsoft that, somehow, needed more and more ram, and swapping increased.
    Then PATA-SATA adapters would become popular. But you would still have a chunk of change to fork out, and almost certainly, after losing your ‘C’ drive, likely partitioned by OEM which means you had no installation media, and no recovery partition. You were screwed.
    The machine was perfectly ok otherwise, had sufficient ram to run 7 acceptably, but even if you got a different PATA drive (likely old) or went the PATA-SATA adapter route with a SATA drive, you still had no OS.

    Now, at this point, a lot of people probably tried Linux. But a lot could not. They were locked in via some application that they just ‘needed to have’ that only worked on Windows.
    Or they did not have the time or inclination to even try Linux.

    So, the ‘solution’ was a keygen for 7.
    Finding the 7 iso was not the problem, you just needed a working license key. Keygen to rescue after having a friend download the 7 iso via their working computer, and make you a bootable DVD or thumbdrive. They could even find the keygen for you or you could once you encountered the ‘Windows Genuine Advantage’ problem.

    But, at least your computer was working again.

    We are now at the point where things went south and the field for Wannacry was ready to exploit.

    Here is what happened. Most users, knowing they were running an illegal copy of 7, *TURNED OFF* windows update. They likely learned about WGA and were paranoid, so they blocked windows update. Even though it would continue to function! At least for a while it did.

    Touhill and Thompson are misdirecting. Why? Hell, why were they asked for their input and not others? Who told whom these two were experts in the first place? Last on my list.

    There is no doubt IMO that Wannacry was created to teach those with illegal 7 machines a lesson.

    It just did not magically disappear because all of the users running illegal copies went out and bought a legal copy and re-installed from scratch. Very doubtful.

    • P J Evans says:

      I have a working Win98 machine. However, it doesn’t go out on the Net, as it doesn’t have current security.

      One of the problems with Win7 machines is that MS, in their eagerness to convert everyone to Win10, patched the control panel so it ignores your settings for update notices: it won’t tell you about them at all. [There’s a way around it, but it involves getting another app (GWX control panel). MS botched that fix, IMO.]

      • SpaceLifeForm says:

        I never saw that issue with 7. But they were 7pro. I tell everyone that if they have apps that only work in windows, to pay the piper, and for now, go with 7pro. 8 sucked, 8.1 could be made usable (ClassicShell). 10 is total spyware.

        BTW, have a 98 machine still in box.
        Clock may be off by now. :-)
        Maybe not.

        • lefty665 says:

          End of support for 7 is only 2 1/2 years off. That’s a pretty short term solution. What is your recommendation for a longer term fix? I ask in part because I don’t want to buy more 10 and recently decided that 7 was so time limited I did not want to do that either. Critical apps are windows based.

          That’s a pretty big paper weight, you must have a lot of paper. But it must be a good one to last almost 2 decades:)

        • P J Evans says:

          Have two XP-capable boxes (I liked XP); one has something dead so it won’t run, and the other is a different revision of the BIOS so it can’t use the existing system disk. (Need expert techies to fix that. I’d even consider taking it to the manufacturer, which is in the area.) But it wouldn’t go out on the internet either.

    • lefty665 says:

      NT/2k wasn’t bad, more stable than either 98 or XP, but suffered even more from small memory. Was there ever a worse OS than ME?

      Interesting that Wannacry could be Microsoft’s revenge on OS pirates. OTOH, watch what happens when win10 “free” upgrades update hardware. Last week I replaced a mobo and Microsoft was very earnest about wanting to sell me a new copy of 10. Same CPU, memory, SSD, CDrom. Mobo was all that changed. That machine came up from a win8 full retail copy with upgrade rights. I wasn’t very happy.

  4. Hugo says:

    All we need to do is to get DEC to re-manufacture the PDP-10 and we could all be using ITS again and writing our own code in LISP !

    Seriously, the problem is twofold: OS’s and applications should be coded in modern languages and based on Finite State Machines, and people need to have a sufficient level of computer (and privacy) literacy if they are going to let some mystical piece of hardware and “the internet” dominate their productivity and communications.

    The deeper problem is medical / scientific devices. Their drivers were written 15+ years ago for Win XP and large public sector organisations (public health, research institutions) are left having to support these machines and the only operating system that will allow them to run. MoFo crazy.

    Expect all of the above to continue for some time until “getting your device driver into the Linux kernel” or “you shall support later versions of X commercial operating system” becomes something that manufactures see as useful and governments demand.

    Ho hum.
