This weekend started on a very rough note for most of us in the cyber security domain, thanks to the WannaCry / Wcry / WannaCrypt ransomware.
At the time of this writing, this malware has infected more than a million machines across the world, impacting organisations in more than a dozen countries, with the UK, Russia, Spain and India being the hardest hit.
Enough has already been written about WannaCry / Wcry / WannaCrypt, so in this post I want to focus on the technical aspects of how this malware is constructed and how it propagates.
I found the Talos analysis of this malware to be the most comprehensive; it is an excellent read for anyone keen to understand this malware under the hood.
Let’s approach the analysis along the lines of the cyber kill chain framework.
There is enough evidence that email was used as the “Delivery” mechanism for the payload of this attack. Once delivered onto a machine, the malware spreads via SMB, the Server Message Block protocol typically used by Windows computers to access file shares over a network. An infected computer then propagates the infection to other vulnerable machines on the same network. The same vector is also used to spread to externally facing hosts that allow inbound connections on TCP ports 139 and 445.
It also appears that, in order to move laterally, the malware uses the notorious DOUBLEPULSAR backdoor, as Talos notes:
Talos has observed WannaCry samples making use of DOUBLEPULSAR which is a persistent backdoor that is generally used to access and execute code on previously compromised systems. This allows for the installation and activation of additional software, such as malware. This backdoor is typically installed following successful exploitation of SMB vulnerabilities addressed as part of Microsoft Security Bulletin MS17-010. This backdoor is associated with an offensive exploitation framework that was released as part of the Shadow Brokers cache that was recently released to the public. Since its release it has been widely analyzed and studied by the security industry as well as on various underground hacking forums.
If no machines already compromised and implanted with DOUBLEPULSAR are found, the malware uses ETERNALBLUE for the initial exploitation of the SMB vulnerability. This is exactly what makes the activity look like a worm propagating across the internet.
The Kill switch
The security researcher tweeting as @MalwareTechBlog has become the #AccidentalHero of the last two days, for saving mankind (or “machinekind”) from this whole fiasco.
Researchers from the Cisco Umbrella team first observed DNS requests for one of WCry’s kill-switch domains (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com) early on May 12th, with the hit count going as high as 6000-7000 requests per second by late evening.
If you look closely, the domain looks almost human-typed, with most of its characters coming from the top rows of a typical keyboard.
The reason why this domain is being called a kill switch is due to the role it plays in the overall execution of this malware, as shown in the code below:
The above subroutine attempts an HTTP GET to this domain. If the request fails, execution continues and the infection is carried out; if it succeeds, the subroutine exits. The domain is now registered to a well-known sinkhole, so the request succeeds and the sample terminates its malicious activity.
Digging deeper into the dropper and the payload, two files are essential for the exploit to run: mssecsvc.exe, which in turn executes tasksche.exe. Once the kill-switch domain has been checked, with the logic explained above, mssecsvc.exe is run. A second execution checks the IP address of the infected system and then attempts to connect on TCP port 445 to every IP address in the same subnet. When a successful response is received, proving that the IP address belongs to a live node on the network, the SMB vulnerability is used to connect and transfer the data. This is the vulnerability Microsoft addressed in bulletin MS17-010.
Talos goes further and explains how the malware scans local and network disk drives and identifies files with certain extensions before encrypting them all. Once encryption is complete, @wanadecryptor@.exe is run; this is the pop-up ransom note that appears on the victim’s screen. An outbound connection is then made to the Tor network, in order to proxy the malware’s outbound communication through Tor.
All this sounds exciting and quite sophisticated for any intrusion detection system to catch, doesn’t it? But the key to detecting this kind of attack is not signatures or fingerprints (hashes of the malware file or the IOCs discovered so far), but a good anomaly and behaviour detection system.
I will write more on this once more information about the propagation of this malware comes to light. But in this particular case it is very evident that prevention is, and has to be, the key focus area for organisations and individual computer users alike.
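As an added example (not code from this post or from Talos), here is the kind of behaviour-based check described above, keyed on the two things this sample does before any file is touched: a DNS lookup of the kill-switch domain and a burst of TCP 445 connection attempts across the host’s own subnet. The event format, the thresholds and the sample telemetry are constructed assumptions, not values from the post.

```python
import ipaddress
from collections import defaultdict

# Kill-switch domain quoted in the post (written there de-fanged as "[.]com").
KILL_SWITCH_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"
SMB_PORT = 445
# Assumed thresholds for illustration; tune them to your own network's baseline.
SWEEP_THRESHOLD = 8   # distinct same-subnet hosts contacted on tcp/445 ...
SWEEP_WINDOW = 60     # ... within this many seconds

def detect(events):
    """Return (host, reason) alerts. Each event is a dict with ts (seconds),
    src, and kind: 'dns' carries qname; 'conn' carries dst and dport."""
    alerts = []
    smb_attempts = defaultdict(list)  # src -> [(ts, dst)] within src's /24
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["kind"] == "dns":
            if ev["qname"].rstrip(".").lower() == KILL_SWITCH_DOMAIN:
                alerts.append((ev["src"], "kill-switch domain lookup"))
        elif ev["kind"] == "conn" and ev["dport"] == SMB_PORT:
            local_net = ipaddress.ip_network(ev["src"] + "/24", strict=False)
            if ipaddress.ip_address(ev["dst"]) in local_net:
                smb_attempts[ev["src"]].append((ev["ts"], ev["dst"]))
    for src, attempts in smb_attempts.items():
        # Sliding window: count distinct targets reached within SWEEP_WINDOW
        # of each attempt; one alert per host is enough.
        for i, (t0, _) in enumerate(attempts):
            targets = {d for t, d in attempts[i:] if t - t0 <= SWEEP_WINDOW}
            if len(targets) >= SWEEP_THRESHOLD:
                alerts.append((src, f"SMB sweep: {len(targets)} hosts on tcp/445 in {SWEEP_WINDOW}s"))
                break
    return alerts

# Constructed sample telemetry (not real logs): 10.0.5.23 resolves the kill-switch
# domain and then walks its /24 on tcp/445; 10.0.5.40 just talks to one file server.
SAMPLE_EVENTS = (
    [{"ts": 100, "src": "10.0.5.23", "kind": "dns", "qname": KILL_SWITCH_DOMAIN + "."}]
    + [{"ts": 101 + i, "src": "10.0.5.23", "kind": "conn", "dst": f"10.0.5.{i + 1}", "dport": 445}
       for i in range(12)]
    + [{"ts": 100 + 30 * i, "src": "10.0.5.40", "kind": "conn", "dst": "10.0.5.2", "dport": 445}
       for i in range(12)]
)

if __name__ == "__main__":
    for host, reason in detect(SAMPLE_EVENTS):
        print(host, reason)
```

The sweep rule fires on the fan-out pattern itself, so it would still trigger on a variant with a different hash or no kill-switch domain at all.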
Before I get into that, I would also like to highlight the political angle to this entire story.
Edward Snowden has been quite vocal on his Twitter account about the NSA’s involvement in this.
I am not that interested in getting into the political angle here, as it only causes anger and frustration, but I would just like to recall the drama last year when a whole bunch of people wanted Apple to create a special version of iOS for the U.S. government, under the promise that it would never escape their safe hands and get into the wild. What happened this time, folks? How did this vulnerability get loose and into the hands of these adversaries, impacting businesses, important government departments (including the German Autobahn) and people’s lives (including the UK’s NHS)?
So what now?
Well, we’re pretty much in clean-up mode. All the major anti-virus vendors have released signatures for WannaCry / Wcry / WannaCrypt. And while everyone is busy investigating what happened and how, and some are resting easy, thanking the #AccidentalHero for the kill switch, I am sure the adversaries are already working on newer variants of this malware.
But the most important lesson to be reiterated here is something the security community has been preaching for a long, long time – keep all your software up to date, and apply all the security patches on a regular basis. The processes and governance around patching matter more than waiting for a machine learning and artificial intelligence based intrusion detection system to pick all this up and block it for you. As our old doctor used to say, prevention is better than cure!
Calling out some of these preventive steps again, many of which are obvious to most people:
- Keep your operating system and the applications running on it up to date
- Test and apply patches, especially security patches, early
- Have a fool-proof backup strategy, and test the backups at least once every year
- Do not open emails or attachments from unknown or suspicious senders
- Lock down computers by granting minimal access, on a need-to-have basis
- Limit access to network resources; in this case the ransomware can only lock down files on systems it can reach
- Only open ports that are essential for your business to operate. In this particular case, inbound TCP 139 and 445 were found to be allowed on many perimeter firewalls.
- Block all unnecessary outbound connections – especially those that use anonymity networks like Tor. Only thieves want to conceal themselves.
- If you are still having difficulty implementing all of the above measures, then you must depend on a strong threat “detection” system beyond conventional anti-virus applications, and use intrusion detection systems that apply machine and deep learning to detect and block the “unknowns”.
I have blogged about the last point in various blog posts. More on using those techniques against WannaCry in another blog post.