WannaCry Ransomware

By Mark Perry on May 29, 2017

WannaCry is the name of the very destructive ransomware that has hit millions in over 100 countries. This worm exploits vulnerabilities in the SMB protocol that affect only Windows machines. These vulnerabilities were first seen in the tools leaked from the NSA in the VAULT7 leak. EternalBlue is the initial tool used to establish a foothold on a machine, and it is followed by the DoublePulsar tool.

EternalBlue

EternalBlue utilizes a vulnerability labeled as a Kernel Pool Corruption. It is a buffer overflow in the memmove operation in Srv!SrvOs2FeaToNt. When the size is calculated for Srv!SrvOs2FeaToNt, a DWORD is subtracted into a WORD; this operation allows the out-of-bounds memory allocation, the overwriting of the SMBv1 buffer, and the execution of injected code. This vulnerability is officially detailed in CVE-2017-0144.

DoublePulsar

DoublePulsar is what is called a covert channel, or “backdoor”. It is a tool that allows command-and-control communication over a created channel after a system has been exploited. DoublePulsar utilizes the Transaction 2 Subcommand Extension of SMB. A request is sent to a victim machine over the network as a trans2 SESSION_SETUP. Normal machines will respond with 65, indicating “Not Implemented”; if the machine has been exploited, it will respond with 81, indicating the channel is open.
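As an added example (not code from the original post), the following Python parses a captured SMB1 Transaction2 reply header and classifies the host by the Multiplex ID values described above; it only inspects responses, never sends anything, and the sample packets are constructed rather than captured. The field layout is the standard 32-byte SMB1 header; function names such as classify_trans2_response are my own.

```python
import struct

SMB1_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION2 = 0x32       # trans2 command byte in the SMB1 header
SMB_FLAGS_REPLY = 0x80            # set in Flags on every server response
STATUS_NOT_IMPLEMENTED = 0xC0000002
# Multiplex ID values the post describes for a trans2 SESSION_SETUP probe
MID_NOT_IMPLEMENTED = 65          # 0x41: a normal host answers "Not Implemented"
MID_BACKDOOR_PRESENT = 81         # 0x51: the DoublePulsar implant answered

def parse_smb1_header(packet: bytes) -> dict:
    """Parse a NetBIOS session message carrying a 32-byte SMB1 header."""
    if len(packet) < 36:
        raise ValueError("too short for NetBIOS session header + SMB1 header")
    if packet[0] != 0x00:
        raise ValueError("not a NetBIOS session message")
    hdr = packet[4:36]
    if hdr[:4] != SMB1_MAGIC:
        raise ValueError("missing SMB1 magic")
    # All multi-byte fields are little-endian; SecurityFeatures is 8 opaque bytes.
    (command, status, flags, flags2, pid_high, security, _reserved,
     tid, pid_low, uid, mid) = struct.unpack("<BIBHH8sHHHHH", hdr[4:])
    return {"command": command, "status": status, "flags": flags,
            "flags2": flags2, "tid": tid, "pid": (pid_high << 16) | pid_low,
            "uid": uid, "mid": mid, "security": security}

def classify_trans2_response(packet: bytes) -> str:
    """Classify a captured reply to a trans2 SESSION_SETUP probe by its MID."""
    h = parse_smb1_header(packet)
    if h["command"] != SMB_COM_TRANSACTION2 or not (h["flags"] & SMB_FLAGS_REPLY):
        return "not-a-trans2-response"
    if h["mid"] == MID_BACKDOOR_PRESENT:
        return "doublepulsar-present"
    if h["mid"] == MID_NOT_IMPLEMENTED:
        return "clean"
    return "unexpected-mid"

def build_sample_response(mid: int, command: int = SMB_COM_TRANSACTION2) -> bytes:
    """Constructed sample data (not a capture): a minimal SMB1 reply header."""
    hdr = SMB1_MAGIC + struct.pack("<BIBHH8sHHHHH", command, STATUS_NOT_IMPLEMENTED,
                                   SMB_FLAGS_REPLY, 0, 0, b"\x00" * 8, 0,
                                   0, 0, 0, mid)
    return b"\x00" + len(hdr).to_bytes(3, "big") + hdr

CLEAN_SAMPLE = build_sample_response(MID_NOT_IMPLEMENTED)
INFECTED_SAMPLE = build_sample_response(MID_BACKDOOR_PRESENT)

if __name__ == "__main__":
    for name, pkt in (("clean", CLEAN_SAMPLE), ("infected", INFECTED_SAMPLE)):
        print(name, "->", classify_trans2_response(pkt))
```

The same classifier can be run over trans2 replies pulled from a packet capture of an internal scan, which is how the Nessus and Metasploit checks mentioned below reach their verdict.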

Windows has responded by releasing security patch MS17-010, which can be found here if it is not already a part of the update in Windows Update.

It is also recommended that any Windows machine run the Malicious Software Removal Tool, found here, if it is not already installed.

For those who would like to do additional scanning and have access to tools like Nessus or Metasploit, there are plugin modules available to download here and here.

A full list of affected machines is as follows:

Unify OpenStage Xpert 6010p 5R1
Unify OpenStage Xpert 6010p 5
Microsoft Windows XP Embedded SP3 x86
Microsoft Windows XP SP3 x86
Microsoft Windows XP SP2 x64
Microsoft Windows Vista x64 Edition Service Pack 2
Microsoft Windows Vista Service Pack 2
Microsoft Windows Server 2012 R2
Microsoft Windows Server 2012
Microsoft Windows Server 2008 R2 for x64-based Systems SP1
Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1
Microsoft Windows Server 2008 for x64-based Systems SP2
Microsoft Windows Server 2008 for Itanium-based Systems SP2
Microsoft Windows Server 2008 for 32-bit Systems SP2
Microsoft Windows Server 2003 x86 SP2
Microsoft Windows Server 2003 x64 SP2
Microsoft Windows RT 8.1
Microsoft Windows 8.1 for x64-based Systems
Microsoft Windows 8.1 for 32-bit Systems
Microsoft Windows 8 x86
Microsoft Windows 8 x64
Microsoft Windows 7 for x64-based Systems SP1
Microsoft Windows 7 for 32-bit Systems SP1
Microsoft Windows 10 Version 1607 for x64-based Systems
Microsoft Windows 10 Version 1607 for 32-bit Systems
Microsoft Windows 10 Version 1511 for x64-based Systems
Microsoft Windows 10 Version 1511 for 32-bit Systems
Microsoft Windows 10 for x64-based Systems
Microsoft Windows 10 for 32-bit Systems