Server Message Block (SMB) is the transport protocol used by Windows
machines for a wide variety of purposes such as file sharing, printer
sharing, and access to remote Windows services. SMB operates over TCP
ports 139 and 445. In April 2017, Shadow Brokers released an SMB
vulnerability named “EternalBlue,” which was part of the Microsoft
security bulletin MS17-010.
The recent WannaCry
ransomware takes advantage of this vulnerability to compromise
Windows machines, load malware, and propagate to other machines in a
network. The attack uses SMB version 1 and TCP port 445 to propagate.
SMB provides support for what are known as SMB Transactions. Using
SMB Transactions enables atomic read and write to be performed between
an SMB client and server. If the message request is greater than the
SMB MaxBufferSize, the remaining messages are sent as Secondary Trans2
requests. This vulnerability affects the srv2.sys kernel driver and is
triggered by malformed Secondary Trans2 requests.
After the initial SMB handshake, which consists of a protocol
negotiate request/response and a session setup request/response, the
ransomware connects to the IPC$ share on the remote machine. Another
related aspect of this attack is that the malware is configured to
connect to a hardcoded local IP, as shown in Figure 1.
Figure 1: Connecting to the IPC$ share
Next it sends out an initial NT Trans request, which is a huge
payload size and consists of a sequence of NOPs, as shown in Figure 2.
What it essentially does is move the SMB server state machine to a
point where the vulnerability exists so that the attacker can then
exploit it using a special crafted packet.
Figure 2: Preparing server for exploit via NT Trans
Speaking the SMB language, the large NT Trans request leads to
multiple Secondary Trans2 Requests to accommodate for the large
request size. These Secondary Trans2 requests are malformed, as seen
in the Figure 3. They act as a trigger point for the vulnerability,
and the request data portion contains the shellcode and encrypted
payload, which is the launcher for the malware on the remote machine.
Figure 3: Overflow via Malformed Trans2
Post Exploitation & Full Cycle
On successfully triggering the vulnerability, an encrypted payload
containing the stager for the malware is loaded on the remote machine.
The payload delivered to the remote machine launches a service
“mssecsvc” from within the lsass process. This service scans the local
network and the internet for machines that are accessible and have
exposed SMB ports. The service then uses the aforementioned
vulnerability to gain access to a remote machine and deliver the
malware payload, thus completing the full cycle. All of these
activities happen very quickly and the attack penetrates all machines
in a typical LAN within minutes.
contains two parts, the main executable file containing the code
for scanning the network and triggering the SMB vulnerability on
accessible machines. Within the resource section of this executable is
another executable file embedded in a section named “R”, which
contains the ransomware code. The executable containing the ransomware
code has an encrypted ZIP file embedded in the resource section named
“XIA”. The encrypted ZIP file contains encrypted keys, image files,
Tor client and two other executables: taskdl.exe and tasse.exe. The
ZIP file contents can be extracted using the password WNcry@2ol7
embedded within the malware code
There are anomalies and patterns in the NT Trans, Trans2 requests
and responses packets that analysts and researchers can use to create
useful network level detection. A couple of example signatures that
can be deployed are found here
This is a Security Bloggers Network syndicated blog post authored by Nick Harbour. Read the original post at: Threat Research Blog