Hack the WanaCry off the system
WannaCry and WanaCrypt0r are so 2017, since MS17-010 should have been patched zillions of weeks ago, but there are always some hidden, unofficial, often abandoned systems on the corporate network that are still vulnerable to EternalBlue. They caught WanaCryptor once, and since then they have been scanning the network for potential victims, trying to infect further.
In order to get rid of them, I first installed a dionaea SMB honeypot on the network and waited for the infected hosts to show up. After a while I had a nice list of IPs scanning the network for SMB shares. The idea was to stop them spreading the malware without causing any service interruption. Solutions like changing the default gateway to drive them against the wall, or shutting down or crashing the system, are not feasible. DoS is a no-go.
When I was younger I often cleaned infected machines manually, just by finding the malware process, suspending or killing it, removing the executable, removing the persistence, etc. I was curious whether it could be done remotely, so I launched msfconsole on my Kali box and loaded the exploit with the correct payload:
Targeting an IP from the honeypot report and running the exploit gave me a nice reverse Meterpreter session:
OK, now let's have a look at the network activity of this system:
Look at that! It is scanning the network for tcp/445 SMB connections. The masked IPs are random IP addresses. Note the name of the scanning process, mssecsvc.exe. Some Google research confirmed that this is the worm that spreads WanaCrypt0r. Enumerating the services shows that the service name is "mssecsvc2.0":
It seems to be stoppable, so let's stop it:
Very good. The network status shows whether it has stopped its malicious activity:
Hey, look at that! It stopped scanning. Excellent. The next step is to make sure that it will not be started again. Removing the service or the executable is no solution, because the host would simply be infected again. The executable should stay where it is, but it must not be able to run. So I will ruin it by overwriting its content with an arbitrary string. In this example I will put a "1" into the exe file.
The executable was not visible at first, but I remembered from the golden age of manual cleaning of infected computers that files can be protected from modification, and even hidden from dir listings, using the attrib command. Running attrib *.exe revealed that mssecsvc.exe and tasksche.exe have the S flag set, which marks them as system files. It also means that I will not be able to overwrite them:
Exactly as I expected. Fortunately I have NT/SYSTEM privileges, so the system flag can be removed with the attrib command:
It is now a regular file and shows up in the dir listing as well. Look at the file size and the creation date: this host was infected on 12/03/2018. OK, let's quickly corrupt this file and make it unusable:
Looks much better. Now it's time to put back all the protections in order to avoid reinfection:
The R, S and H flags mean Read Only, System and Hidden. As you can see, I am no longer able to write to the file. Finally, let's check whether the service can be started:
Wonderful! The worm has been disabled on this system. However, the MS17-010 hole is still open, so when an infected host tries to spread the worm to it, it will not be able to overwrite the corrupted executable. Since this file name is hardcoded into the worm, it will not be able to infect this computer again.
Don't forget to corrupt the other S-flagged executable, tasksche.exe, as well, which is the ransomware itself. It is disabled by the DNS kill switch, but it is definitely not a good idea to keep it runnable on the filesystem.
Depending on the OS version it is also possible to disable SMBv1 in order to mitigate the vulnerability. And you can always leave a nice message on the desktop of all users asking them to get the system patched.
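The same stop / unprotect / corrupt / re-protect sequence, done from an elevated PowerShell prompt on the infected host instead of interactively through a shell, as an added example that is not the author's code. It assumes the service name the post reports ("mssecsvc2.0"), that the two executables live in the Windows directory (the post does not state their path; adjust `$Targets` if `attrib *.exe` showed them elsewhere), and local administrator or SYSTEM rights. Unlike the interactive steps it also records the SHA-256 of each binary before destroying it, so the incident record keeps something to match against later:

```powershell
# Added example (not the blog author's code): neutralise the WannaCry worm binary in place
# and leave a protected, non-executable decoy so a re-infection attempt cannot replace it.
# Assumptions: elevated session on the infected host; service name as reported in the post;
# file paths are assumed to be under $env:windir and must be adjusted if they differ.
$ServiceName = 'mssecsvc2.0'
$Targets     = @("$env:windir\mssecsvc.exe", "$env:windir\tasksche.exe")

# 1. Stop the scanning service so the image file is no longer held open by a running process.
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if ($svc -and $svc.Status -ne 'Stopped') {
    Stop-Service -Name $ServiceName -Force
    $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(30))
}

foreach ($path in $Targets) {
    if (-not (Test-Path -LiteralPath $path)) { Write-Warning "$path not found, skipping"; continue }

    # 2. Drop R/S/H (the equivalent of attrib -r -s -h) so the file becomes writable.
    #    -Force is needed because Get-Item hides System/Hidden files by default.
    $item = Get-Item -LiteralPath $path -Force
    $before = $item.Attributes
    $item.Attributes = [IO.FileAttributes]::Normal

    # 3. Record the original hash for the incident record before touching the content.
    $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    Write-Output ("{0}  sha256={1}  attributes-before={2}" -f $path, $hash, $before)

    # 4. Overwrite the content with the single character "1", as in the post. Without an MZ
    #    header the loader refuses the file, so the service can no longer start from it.
    [IO.File]::WriteAllBytes($path, [byte[]](0x31))

    # 5. Put the protections back (attrib +r +s +h): read-only, system, hidden.
    (Get-Item -LiteralPath $path -Force).Attributes = 'ReadOnly, System, Hidden'
}

# 6. Verify: starting the service must now fail because its image is no longer a valid PE.
try {
    Start-Service -Name $ServiceName -ErrorAction Stop
    Write-Warning 'Service started; remediation did NOT take effect'
} catch {
    Write-Output "Service start failed as expected: $($_.Exception.Message)"
}
Get-Service -Name $ServiceName -ErrorAction SilentlyContinue | Select-Object Name, Status, StartType
```

The service entry itself is deliberately left in place, matching the post's reasoning: the worm checks for its own installation, and a host that still looks infected is not re-infected. The real fix remains applying MS17-010 and disabling SMBv1; this script only buys time on hosts that cannot be patched immediately.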
Security researchers are warning of another major Locky ransomware campaign which has so far been observed attacking 20 million user inboxes.
This is another problem that can happen if you use a PC with Windows on your digital signage channel. #wcry
Thanks to @ivladdalvi for the picture and @bowie for the advice ;)
As we discussed Friday when this outbreak began, the WCry or WanaCrypt0r ransomware spread quickly across Europe and Asia, impacting almost 100 countries and disrupting or closing 45 hospitals in the UK. As the ransomware continued to propagate, I got my hands on a sample and quickly began analyzing the malware.
Hackers unlocked a Taiwanese user's computer from WannaCry
An Internet user in Taiwan whose computer had been infected by the WannaCry (WCry) ransomware wrote a letter to the extortionists, and his computer was unlocked, because the hackers had, in their own opinion, significantly overestimated the incomes of the island nation's residents. A member of the community
http://news.intaiwan.ru/3258.html
WannaCry Ransomware infects computers in 99 countries
#CyberDoomsDay:
Computers in thousands of locations have been locked by a programme that demands $300 (£230) in Bitcoin.
The UK's National Health Service (NHS) has been hit and screenshots of the WannaCry program were shared by NHS staff.
NHS cyber attack: 'My heart surgery was cancelled'
The malware, known as Wanna, WannaCry, or WCry, has infected at least 75,000 computers, according to antivirus provider Avast.
AV provider Kaspersky Lab said organizations in at least 74 countries have been affected.
Spanish telecoms giant Telefonica is facing an 85 percent computer shut down after hackers infiltrated its systems demanding $550,000 in Bitcoin.
Sources:
Massive ransomware, WannaCry, infection hits computers in 99 countries, BBC
An NSA-derived ransomware worm is shutting down computers worldwide, ArsTechnica
FedEx targeted in cyber attack as hackers hit companies across globe
Telefonica Succumbs to $600,000 Bitcoin Ransomware Attack, The Coin Telegraph
Telefonica, other Spanish firms hit in "ransomware" attack, Reuters
Cybersecurity Executive Order By Trump Signed Amid Global Cyberattack, International Business Times
“NSA tool EternalBlue is being used to spread WannaCry”, Forbes
WannaCry Fact Sheet (github.com)
A picture of the spread of the #WannaCry #WCry ransomware around the world right now! It uses the NSA exploits that the ShadowBrokers group leaked months ago!