Last week, the WannaCry ransomware outbreak infiltrated systems across the globe. From home computers to NHS systems, news of the infection spread like that of an epidemic. Security companies originally claimed the breach was the result of a malicious spam campaign, but WannaCry was not distributed by email. New information suggests that WannaCry infections used the allegedly NSA-leaked EternalBlue software to exploit underlying vulnerabilities in public-facing Server Message Block ports.
Security company Malwarebytes has today claimed its threat intelligence team has traced the spread of WannaCry back to its source. Using packet captures, binary files, and content from within the ShadowBrokers dump, Malwarebytes' Adam McNeil suggests that EternalBlue is the original culprit of the ransomware spread.
EternalBlue is an SMBv2 exploit that targets various Windows operating systems, including XP and Windows 7, with various iterations of Windows Server 2003 and 2008 also affected. The exploitation technique it uses is known as heap spraying: shellcode is injected into the vulnerable system and then used to take control of the machine in question. The code targets vulnerable machines by their IP address and works directly against the Server Message Block (SMB) service on port 445, the port that connects networked devices to one another. Once it has exploited the machine, it checks for the DoublePulsar backdoor, which may already be running undetected.
This contradicts the original reports, which suggested the malware was spreading through a phishing email. As well as the technical analysis of the malware, the security company has also produced a heatmap showing how it spread around the world.
EternalBlue checks for DoublePulsar
By using the DoublePulsar backdoor, WannaCry was able to infiltrate vulnerable machines and alter the user-mode process. Backdoors bypass a computer system's normal methods of authentication and are often used to regain remote access. In this case, the hidden DoublePulsar programme can install itself on a device and then delete the original backdoor code, leaving the device's connectivity in the hands of the attacker.
Once one machine is infected, it can send an SMB request, a 'trans2 SESSION_SETUP' request, to other systems. This request is designed to tell the attacker whether a machine is clean or already infected. If an infection already exists, DoublePulsar can be used to extract files from the machine as well as to install additional WannaCry malware.
Malwarebytes says that by installing itself in this manner, EternalBlue acted as a beacon to other potential SMB targets – utilising network connectivity as a means to spread malicious software to all connected devices. Using this system, it could replicate itself on a number of devices at rapid speed – spreading quickly out of control.
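The beacon pattern described above is something a defender can look for in network logs: an infected host sends the same 'trans2 SESSION_SETUP' request to port 445 on many peers in quick succession. The following is an added example written for this page, not code from the article or from Malwarebytes; the log format, field names and sample records are constructed, and the fan-out threshold is an assumption.

```python
# Added example (not from the article): flag hosts that send SMB Trans2
# SESSION_SETUP requests to port 445 across many peers, the beacon pattern
# the article describes. Log format and field names are constructed here.
from collections import defaultdict

# Constructed sample records: "timestamp src dst dport smb_command"
SAMPLE_LOG = """\
2017-05-12T10:01:03 10.0.0.5 10.0.0.21 445 Trans2_SESSION_SETUP
2017-05-12T10:01:03 10.0.0.5 10.0.0.22 445 Trans2_SESSION_SETUP
2017-05-12T10:01:04 10.0.0.5 10.0.0.23 445 Trans2_SESSION_SETUP
2017-05-12T10:01:04 10.0.0.5 10.0.0.24 445 Trans2_SESSION_SETUP
2017-05-12T10:01:09 10.0.0.9 10.0.0.21 445 Trans2_SESSION_SETUP
2017-05-12T10:02:15 10.0.0.7 10.0.0.21 445 Tree_Connect_AndX
2017-05-12T10:02:16 10.0.0.7 10.0.0.30 80 HTTP_GET
"""

BEACON_COMMAND = "Trans2_SESSION_SETUP"  # the infection-check request
SMB_PORT = 445

def parse_log(text):
    """Parse whitespace-separated records into dicts; skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[3].isdigit():
            continue  # ignore blank or malformed lines rather than crashing
        ts, src, dst, dport, cmd = parts
        records.append({"ts": ts, "src": src, "dst": dst,
                        "dport": int(dport), "cmd": cmd})
    return records

def beacon_targets(records):
    """Map each source host to the set of peers it sent the beacon request to."""
    targets = defaultdict(set)
    for r in records:
        if r["dport"] == SMB_PORT and r["cmd"] == BEACON_COMMAND:
            targets[r["src"]].add(r["dst"])
    return targets

def flag_spreaders(records, min_peers=3):
    """Return (source, peer_count) for sources probing >= min_peers hosts.
    A single probe may be a legitimate scanner; a fan-out across many
    peers matches the lateral spread the article describes."""
    targets = beacon_targets(records)
    return sorted(((src, len(peers)) for src, peers in targets.items()
                   if len(peers) >= min_peers), key=lambda x: -x[1])

if __name__ == "__main__":
    for src, n in flag_spreaders(parse_log(SAMPLE_LOG)):
        print(f"{src} sent {BEACON_COMMAND} to {n} hosts on tcp/445")
```

Pair the alert with a host-based check and patch status, since a single probe from a management tool will also appear in this data.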
SMB ‘trans2 SESSION_SETUP’
Having studied the DoublePulsar SMB exploits, Malwarebytes was then able to establish their link to EternalBlue, on which WannaCry piggybacked to compromise computers.
Without additional proof of another cause of infection, it can be concluded that the attackers set out specifically to target machines with a pre-existing vulnerability, using them to spread WannaCry to other systems on the connected network. Just a few thousand such machines could yield a widespread distribution of WannaCry across the world, at a speed and scale that hasn't been seen since the MyDoom email worm that affected Microsoft computers in 2004.
The case of the WannaCry spread teaches us not only about developing malware techniques, but about the need for clearer heads in times of crisis. Fake news can propagate like a virus, and misinformation can become accepted fact when panic sets in. With WannaCry, the initial reports of an email worm, although based on past experience, proved inaccurate.