Press Center

EternalBlue: Is your PC patched against the WannaCryptor worm vulnerability?

Created: 2017-05-22 07:54:44

 

By now, most of us have heard about last week’s global ransomware attack, which spread all over the world on May 12th, 2017. It is a new variant of WannaCryptor, which is also known as WannaCry and WannaCrypt, and detected by ESET as Win32/Filecoder.WannaCryptor.D. And it has characteristics of a worm, capable of compromising other computers on the network.

 

This attack, which is still ongoing, although with less impact as before, has set a new milestone in the history of events related to malware outbreaks. A combination of factors – and some negligence – has enabled the massive damage that this “ransomw0rm” has caused.

 

In this post, we will address what we can learn from this event and what may come next. We also provide a simple script that allows you to check whether your Windows PC is patched against EternalBlue.

 

 

EternalBlue is the name of the exploit that enabled WannaCryptor’s ability to self-replicate and, therefore, its rapid spread across the network. Reputedly, the NSA developed this exploit.

 

This is how this incident can be traced back to the leak of NSA’s cyberweapons, which have been allegedly stolen by the Shadow Brokers group. The group unsuccessfully tried to auction cyberweapons; they changed their minds, however, as the endeavor was not proving profitable and decided to sell the NSA tools individually.

 

On March 14th, Microsoft released MS17-010, fixing critical SMB vulnerabilities. At the time, it was not evident that the patch was in any way related to NSA cyberweapons. It wasn’t until April 14th, the day on which the Shadow Brokers unveiled many of the stolen tools, that it became clear.

 

The timing between the patching and the leaking of the exploits raised some speculation about the circumstances of the events. Nevertheless, the situation then was as follows: the vulnerability exploited by EternalBlue was patched and made available via Windows Updates, while the exploit itself was made public.

 

The race between patching and exploiting had started and it wasn’t by chance that the EternalBlue exploit has been increasingly used ever since.

 

 

 

On May 12th, EternalBlue became an important component of the already-mentioned massive infection incident. All the elements were in the cybercriminals’ hands: the ransomware – WannaCryptor has been active since the beginning of April – and the exploit (EternalBlue).

 

 

 

 

Even so, home users and especially companies could have circumvented the success of this ransomworm in many ways. Firstly, two months beforehand, the patch for EternalBlue was made available.

 

Although it is not related to the ransomware’s encryption routines, it blocks the host from damage caused by another compromised host on the same network. Furthermore, proactive protections installed on the host, such as an exploit blocker or an (up-to-date) anti-malware suite could block infection attempts, and could stop the attack in cases where the malware breaks through the network defenses.

 

Finally, some degree of control over data that came in and out of hosts on a network could also be helpful. Many companies decided to turn off computers and send employees back home, fearing having their computers compromised. However, if they were able to isolate the hosts on their network and raise detection capabilities, such extreme measures could possibly be sidestepped.

 

 

On Friday night, news about a “kill switch” feature in the ransomware came out. @MalwareTech noticed that the malware made a HTTP request that was supposed to fail before moving onto the encryption routine.

 

Since the domain was previously unregistered, all requests were failing, consequently enabling the ransomware to encrypt files. However, after registering the requested domain, @MalwareTech was able to redirect requests to replying servers and stop the (first variant of the) ransomworm’s propagation.

 

It didn’t take long for other variants show up. First, new versions appeared that patched the previous domain – by overwriting the binary data of the first version (using tools such as HEXEdit). Later, versions without the kill switch were also released.

 

So far, the earnings of this attack have amounted to little more than $50,000, which is negligible in comparison to the damage caused due to this outbreak. It once more made evident that exploiting vulnerabilities (not necessarily zero-days) may have a huge impact on normal business operation.

 

 

These fast responses by cybercriminals show that combating malware is no easy task. They strike quickly and are highly adaptive. Thus, after such successful attack, we expect a replication of tools and methodology and everybody should be prepared for more attacks, especially in the near future.

 

In the long term, we will probably see more “worm-enabled” malwares showing up, and in the short term, we may well have intense waves of malware variants availing themselves of the EternalBlue exploit. Therefore, patch your system!

 

 

Beyond this particular ransomworm case, I asked myself whether my computer was patched against EternalBlue – bear in mind that other kinds or families of malwares might show up using EternalBlue in the near future.

 

For local verification: I developed a simple script that fetches the list of installed KBs from the system and searches for those that patch EternalBlue.

 

 

The script is available on GitHub and is very easy to use: one executes the script, wait for about a minute while the script uses WMCI to fetch the list of installed KBs and finally get the EternalBlue patch status.

 

For remote verification: A new script capable to test if a host is vulnerable to EternalBlue was added in nmap. As commented in the code, the script “attempts to detect if a Microsoft SMBv1 server is vulnerable to a remote code execution vulnerability (ms17-010)”.

 

NMAP v7.40 (or higher) should work with the following command:

nmap -sC -p445 –open –max-hostgroup 3 –script smb-vuln-ms17-010.nse X.X.X.X/X

 

Ultimately, patching is the best countermeasure against EternalBlue, since it addresses the root-cause of the vulnerability targeted by the exploit.