In this newsletter, we will learn how today’s malware programs are able to replicate themselves and spread over the network.
How the infections occur
Let us go back to the beginning. A few decades ago, the only way to spread malware was through a physical medium. Infected files, such as games or other utilities, were copied onto a floppy disk and shared between people. This modus operandi has persisted despite the evolution of the medium, and nowadays USB keys are still an efficient way to infect devices.
Then came the Internet and professional hackers, and new ways to spread malware emerged. Malware can now be downloaded directly by unsuspecting users, hidden inside legitimate-looking software.
Alternatively, it can be downloaded by a third-party program. For example, an email may carry a malicious attachment, such as an Office document containing a macro. Once the document is opened, the macro attempts to download and execute the malware without the user's knowledge.
In both cases, human interaction is a prerequisite. However, there are other ways…
The infamous WannaCry and NotPetya
During the first half of 2017, two pieces of malware made the front page of the news: WannaCry and NotPetya. Both are cryptoviruses, meaning they encrypt the users' files, but while the former asks for a ransom in order to decrypt the files, the second one simply destroys data. Both also have the capability to replicate themselves to neighboring devices. As a result, many industrial and healthcare companies were literally shut down at the time, due to poor or nonexistent IT security practices in these sectors. Ransomware itself was not a new threat (CryptoLocker hit the Internet four years before), but the way WannaCry and NotPetya were able to spread through the network was.
This behavior characterizes the computer worm type of malware. A worm can replicate itself and spread to other computers automatically, without any human interaction. Conficker (2008) and Mirai (2016) are two of the best-known worms that come to mind.
Going back to WannaCry. On March 14, 2017, Microsoft released a patch fixing several vulnerabilities in the Server Message Block (SMB) protocol, which is used to provide shared access to resources in Windows environments. Given their critical impact, CERT-XLM urged its customers to apply the updates.
On April 14, 2017, the hacker group named "The Shadow Brokers" released its fifth leak, including the EternalBlue exploit, which targets one of the above-mentioned SMB vulnerabilities.
Despite all these early warnings, when the WannaCry cyber-attack started in May 2017, hundreds of thousands of computers were still not patched against the vulnerability and fell victim to the attack.
A month later, in June 2017, NotPetya struck multiple Ukrainian organizations. Again, this malware used EternalBlue, this time combined with another SMB exploit called EternalRomance.
This second exploit was released in the same leak and was patched by the same security update. NotPetya also used additional tools, such as Mimikatz, PsExec and WMIC, to steal the credentials of domain administrators and spread to other machines. All of this relied on a common weakness seen in companies: using the same administrative credentials on every computer. While this practice makes it easier to manage a domain, it also means that once the credentials are stolen, the entire network is compromised.
The end of 2017 saw the appearance of an updated version of Emotet, a banking Trojan of the Feodo family dating back to 2014. The improvements included worming capabilities through the SMB protocol, allowing it to spread over the network and install itself on network shares or on other computers. To achieve this, this version of Emotet embedded a tool to brute-force credentials using a list of common user names and weak passwords.
In 2018, Trickbot, another banking malware, was upgraded with new capabilities. It also has the ability to download and install additional pieces of software, classifying it as a "dropper". Anecdotally, one of the plugins installed by recent versions is a cryptocurrency miner.
Among the other interesting features of this malware is that it is distributed by the Necurs botnet, a swarm of Internet-connected devices controlled by a Command and Control (C&C) software. Trickbot also leverages the EternalBlue exploit to identify the computers in a network and sends that information to its C&C.
These are only a few examples of malware relying on these exploits, and they show that even today EternalBlue is still surprisingly popular. It was recently added to the following malware:
- Retefe, a banking Trojan, which targets only a few countries in the world
- Satan, a ransomware usually spread via spam emails or fake updates
- TROJ64_WMINE, a Trojan and miner, dropped by another malware or downloaded by users when visiting malicious websites
How to protect against worms?
Microsoft released patches against EternalBlue and EternalRomance back in March 2017. Even unsupported versions of Windows such as XP received a patch, given the critical impact of the exploits. Still, one year later, malware keeps appearing that successfully exploits the same vulnerabilities.
Before EternalBlue, one has to go back to 2008 to find a Windows exploit with this kind of remote capability. Therefore, having an update policy in your organization will help prevent this kind of breach. If a device cannot be patched, isolate it and restrict access to it. For all other devices, plan regular patch campaigns. That way, one of the worst vectors of infection will be suppressed.
SMB or not SMB
Sharing data is essential for a company, therefore the SMB protocol often cannot be disabled entirely. However, a few simple actions can help secure it. Version 1 of SMB should be disabled. Access to SMB ports 137, 138, 139 and 445 should be blocked from outside your organization, and restricted inside.
Secure privileged access and password policy
Malware will often try to brute-force passwords or grab credentials directly from memory in order to spread over the network. Administrative accounts are an obvious target: local, network or domain administrators. If the credentials are shared, then the malware has the potential to compromise your entire network.
There are some solutions to mitigate these risks:
- Implement administrative tiers inside your Active Directory domains: segregate administrator accounts based on their duties (workstation administrator, server administrator, forest/AD administrator)
- Use a different password for the local administrator account on each computer. This can be done in no time with the help of the Local Administrator Password Solution (LAPS), a free and easy to deploy Microsoft product.
- Enforce a strong password policy to deter brute-force attacks
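The SMB hardening steps from the previous section and the LAPS and password-policy recommendations above can be applied from a single PowerShell session on a domain-joined server. The script below is an added example written for this newsletter's readers; it is not a script from CERT-XLM or Microsoft. It assumes the legacy LAPS module (AdmPwd.PS) and the ActiveDirectory module are installed, and the OU distinguished name, the group name and the internal address range are placeholders to replace with your own values.

```powershell
# Added example, not part of the original newsletter. Run in an elevated session.
# Placeholders (replace with your own values):
$InternalRange = '10.0.0.0/8'                                   # ASSUMPTION: your internal address space
$WorkstationOU = 'OU=Workstations,DC=example,DC=com'            # ASSUMPTION: OU holding the workstations
$AdminGroup    = 'Workstation Admins'                           # ASSUMPTION: tier group allowed to read LAPS passwords

# --- SMB: disable version 1 on the server side and remove the client component ---
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Disable-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol' -NoRestart | Out-Null

# Check the result instead of assuming it worked
if ((Get-SmbServerConfiguration).EnableSMB1Protocol) {
    throw 'SMBv1 is still enabled on this host'
}

# --- SMB: restrict ports 137, 138, 139 and 445 ---
# The built-in "File and Printer Sharing" inbound rules are what opens these ports.
# Limit them to the internal range instead of "Any", so SMB is only reachable from inside.
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound |
    Set-NetFirewallRule -RemoteAddress $InternalRange

# On public networks (laptops outside the office), block SMB/NetBIOS outright.
New-NetFirewallRule -DisplayName 'Block SMB inbound on public networks' `
    -Direction Inbound -Profile Public -Protocol TCP -LocalPort 139,445 -Action Block | Out-Null
New-NetFirewallRule -DisplayName 'Block NetBIOS inbound on public networks' `
    -Direction Inbound -Profile Public -Protocol UDP -LocalPort 137,138 -Action Block | Out-Null

# --- Privileged access: a unique local administrator password per computer with LAPS ---
Import-Module AdmPwd.PS
Update-AdmPwdADSchema                                            # adds the ms-Mcs-AdmPwd attributes (run once per forest)
Set-AdmPwdComputerSelfPermission -OrgUnit $WorkstationOU         # computers may write their own password
Set-AdmPwdReadPasswordPermission -OrgUnit $WorkstationOU -AllowedPrincipals $AdminGroup

# --- Password policy: make brute-forcing (as seen with Emotet) impractical ---
# Observation window must not exceed the lockout duration.
Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DNSRoot `
    -MinPasswordLength 14 -ComplexityEnabled $true `
    -LockoutThreshold 10 -LockoutDuration '00:30:00' -LockoutObservationWindow '00:30:00'

# Print the resulting policy so the change can be recorded in the change ticket
Get-ADDefaultDomainPasswordPolicy | Select-Object MinPasswordLength, ComplexityEnabled, LockoutThreshold
```

The firewall part deliberately narrows the existing allow rules rather than adding a block rule for "Any", because Windows Firewall evaluates block rules before allow rules and a blanket block would also cut off the internal file servers. Perimeter firewalls still need their own rules to stop these ports from the Internet.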
Users and Administrators awareness
Recent malware can duplicate itself and spread over a network, but in order to do so, at least one sample must gain a foothold in your infrastructure. More often than not, attackers will use the path of least resistance to distribute malware, meaning the users. A phishing email with a malicious document will do, as explained earlier. However, to be successful, macros first need to be allowed in your organization by the administrators. They also must be allowed to run by the user despite multiple warnings and pop-ups.
Organizing awareness sessions might be beneficial for your company. In addition, avoid or restrict the usage of macros whenever possible.
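Restricting macros, as recommended above, is done through the Office security policy settings rather than by asking each user to refuse them. The following PowerShell is an added example, not code from the newsletter, and it writes the policy registry values that the Office Group Policy templates set, for Office 2016 and later (version key 16.0) and for the current user only; in production the same values are deployed by GPO to every user. Which applications need macros at all is an assumption you have to verify with your business users.

```powershell
# Added example, not part of the original newsletter.
# Sets the Office macro policy for the current user; deploy the same values via GPO in production.
$OfficeVersion = '16.0'                       # ASSUMPTION: Office 2016/2019/365 (version key 16.0)
$Apps = 'Word', 'Excel', 'PowerPoint'         # ASSUMPTION: the applications that receive documents from outside

# VBAWarnings values understood by Office:
#   1 = enable all macros            (never use)
#   2 = disable with notification    (Office default: the user can still click "Enable content")
#   3 = disable all except digitally signed macros
#   4 = disable all without notification (use 4 where no macros are needed at all)
$MacroSetting = 3

foreach ($app in $Apps) {
    $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

    # Only signed macros may run; the "Enable content" button no longer overrides this
    Set-ItemProperty -Path $key -Name 'VBAWarnings' -Type DWord -Value $MacroSetting

    # Block macros in files that carry the mark-of-the-web (email attachments, downloads),
    # which is exactly how the phishing documents described above arrive
    Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Type DWord -Value 1
}

# Audit: show what is now enforced for each application
foreach ($app in $Apps) {
    $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
    Get-ItemProperty -Path $key |
        Select-Object @{n='Application'; e={$app}}, VBAWarnings, blockcontentexecutionfrominternet
}
```

Value 3 keeps signed internal macros working while removing the user's ability to enable an unsigned one from a phishing document; departments that never use macros can get value 4, and the `blockcontentexecutionfrominternet` setting closes the email-attachment path regardless of the chosen level.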
Lastly, when a computer seems to be compromised, simply disconnect it from the network. This single, efficient measure will help any forensic analysis that may be needed later, without destroying evidence. Shutting it down or trying to "clean" it will cause more harm than good, especially as you might be tempted to use administrator credentials to perform these actions, and, as we have seen, those credentials can be stolen by common malware. Once the malware gets elevated privileges, there is no guarantee that the threat will not spread the next time the computer is connected to the network.
Computer threats evolve constantly, and criminals will use every possible way to achieve their ends. Still, simple solutions can be applied to limit the spread of new malware. The sheer number of examples listed in this newsletter and the damage a company could face should give anyone enough incentive to take action. It would be a mistake to think that this kind of breach happens only to others.
The security bulletin for the MS17-010 vulnerability and the associated patches are available here: