Many people have felt the global impact of WannaCry – from late nights to a heightened sense of awareness, WannaCry has put many people on edge. Unfortunately, WannaCry will not be the last outbreak as assuredly as it wasn’t the first. Complex software systems will always have bugs. However, the knowledge, skill, and time needed to ferret those bugs out and develop them into exploits has increased significantly. With WannaCry, we’ve witnessed what can happen if those weaponized exploits are not safeguarded and handled like the dangerous weapons they are.
We are continuing to track the WannaCry ransomware plague and determine what can be learned from this global crisis. The folks at EndGame did an amazing job of breaking down the WannaCry ransomware worm. If you want a play-by-play analysis of the wormable variation, we highly recommend you dig into their post (after you’re done reading this, of course).
As a team, we’ve primarily been tracking coverage of WannaCry to ensure new variants are covered by our product. As a result, we’ve been slogging through a surprisingly large number of variations.
Here’s what we have discovered.
Primary Malicious Components
First, a quick overview of the WannaCry worm for those unfamiliar with the inner workings of this ransomware:
Worm (a.k.a. mssecsvc.exe)
The worm is the first-stage dropper and is responsible for the worming behavior of this ransomware. It is 3.6MB (3723264 bytes) in size, and contains the URL “kill-switch” along with the SMB exploit for MS17-010. It contains the second-stage dropper in the clear as a resource named ‘R’. Since the dropper is in the clear and not otherwise compressed or obfuscated, string-based detections written for the dropper will always hit on the worm too, unless other conditions are added to those rules.
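One way to add the "other conditions" the paragraph describes, as an added example that is not part of the original post or Cylance's code: a naive string rule fires on both the dropper and the worm that embeds it, while checking whether an embedded PE header precedes the matched strings separates the carrier from its payload. The marker strings and the PE blobs below are constructed stand-ins, not real WannaCry indicators.

```python
import struct

# Constructed placeholder strings standing in for a dropper's string signature (not real IoCs).
DROPPER_STRINGS = (b"DROPPER_MARKER_A", b"DROPPER_MARKER_B")


def make_pe(body: bytes) -> bytes:
    """Build a minimal synthetic PE-like blob: 'MZ', e_lfanew at 0x3C pointing to 'PE\\0\\0', then body."""
    return b"MZ" + b"\0" * 58 + struct.pack("<I", 64) + b"PE\0\0" + body


def embedded_pe_offsets(data: bytes) -> list:
    """Offsets of 'MZ' headers after offset 0 whose e_lfanew points at a valid 'PE\\0\\0' signature.

    A real detection would walk the PE resource directory; this shortcut only looks for a
    second executable header, which is exactly what an uncompressed resource payload looks like.
    """
    hits = []
    pos = data.find(b"MZ", 1)
    while pos != -1:
        if pos + 0x40 <= len(data):  # need to be able to read e_lfanew at pos + 0x3C
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe_off = pos + e_lfanew
            if data[pe_off:pe_off + 4] == b"PE\0\0":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def string_signature_matches(data: bytes) -> bool:
    """The naive string-based rule: every dropper string is present somewhere in the file."""
    return all(s in data for s in DROPPER_STRINGS)


def classify(data: bytes) -> str:
    """Refine the string rule: strings that only appear after an embedded PE header mean this is the carrier."""
    if not string_signature_matches(data):
        return "no-match"
    embedded = embedded_pe_offsets(data)
    if embedded and all(data.find(s) > embedded[0] for s in DROPPER_STRINGS):
        return "carrier-with-embedded-dropper"
    return "dropper"


# Constructed samples: a stand-alone "dropper" and a "worm" that carries it in the clear as a resource.
DROPPER = make_pe(b"\0" * 32 + DROPPER_STRINGS[0] + b"\0" * 16 + DROPPER_STRINGS[1])
WORM = make_pe(b"\0" * 64 + b"RESOURCE_R:" + DROPPER)

if __name__ == "__main__":
    for name, blob in (("dropper", DROPPER), ("worm", WORM)):
        print(name, string_signature_matches(blob), classify(blob))
```

The naive rule returns True for both blobs; only the refined classifier tells the worm apart from the dropper it carries.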
The propagation works (Read more...)
This is a Security Bloggers Network syndicated blog post authored by Cylance Threat Guidance Team. Read the original post at: Cylance Blog