Take a closer look at WannaCry

The ransomware attack has damaged many companies and organizations around the world, including the Spanish telecommunications company Telefonica, hospitals in the UK and the American delivery company FedEx. A malicious program belonging to the class of crypto ransomware has become known as WannaCry.

The malware can scan port 445 (Server Message Block / SMB) via TCP and spread like a worm, attacking hosts and encrypting files that are on them. After which he requires to list a certain number of bitcoins for decryption.

In connection with this attack, all organizations were encouraged to make sure that the latest updates were installed on their Windows computers. Also, ports 139 and 445 for external access should be closed on them. Ports are used by the SMB protocol.

It should also be noted that the threat is still being actively investigated, so the situation may change depending on the response of the attackers to the actions of computer security experts.

CAMPAIGN DETAILS

We observed a surge in the scanning of our “Internet baits”, which began at almost 5 am EST (9 am UTC).

image

INFRASTRUCTURE ANALYSIS

Researchers first noticed the Cisco Umbrella requests to the domain switch (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea com [.]), Which started in the 07:24 UTC, but only after 10 hours the number of requests has exceeded 1400 hours ( approx pens.. : Apparently it it comes to requests for their service).

image

The domain name looks like it was composed by a person, since most of the characters are on adjacent rows of the keyboard.

This domain can be called a switch, based on its role in executing the malware:

image

The above code attempts to get a GET request to the domain and, in case of failure, continues to spread. If the request is successful, then the program ends. Now the domain is registered on the well-known DNS funnel , which forces to interrupt the malicious action.

From a translator: The C&C domain was specifically registered, according to MalwareTech's Twitter account, to stop or suspend the spread of malvari .

BACKGROUND ANALYSIS

The original mssecsvc.exe file runs another file called tasksche.exe. Then, the domain switch is checked, after which the mssecsvc2.0 service is created. This service executes the mssecsvc.exe file with a different entry point than during the first run. The second start receives the IP address of the infected machine and tries to connect to the 445 TCP port of each IP address inside the subnet. When the malware successfully connects to the remote machine, a connection is established and data is transferred. Apparently, somewhere in the process of this transfer, a known vulnerability is used, which was closed by update MS 17-010. At the moment, there is no full understanding of SMB traffic, and under what conditions the malware can spread using a security hole.

The tasksche.exe file checks all disks, as well as folders shared on the network and connected devices that are mapped to letters, such as 'C: /', 'D: /', etc. Malvar then searches for files with the extensions that are listed in the program (and listed below) and encrypts them using 2048-bit RSA encryption. While the files are encrypted, a 'Tor /' folder is created, where the tor.exe file and the 9 dll files that it uses are placed. Additionally, taskdl.exe and taskse.exe are created. The first of them deletes temporary files, and the second launches @ wanadecryptor @ .exe, which shows the user a request for payment. The file @ wanadecryptor @ .exe is only responsible for the output of the message. File encryption occurs in the background using tasksche.exe.

The tor.exe file is launched using @ wanadecryptor @ .exe. This new process starts connecting to Tor nodes. In this way, WannaCry remains anonymous by driving all its traffic through the Tor network.

Typical of ransomware, the program also deletes any shadow copies on the victim’s computer to make recovery even more difficult. This is done using WMIC.exe, vssadmin.exe and cmd.exe

image

WannaCry uses various ways to help its execution. So it uses attrib.exe to change the + h flag (hide), as well as icacls.exe to give full rights to all users: “icacls. / grant Everyone: F / T / C / Q. "

It is noteworthy that the program has a modular architecture. It is likely that all the executables in it are written by different people. Potentially, this may mean that the program structure may allow you to run various malicious scripts.

After encryption is completed, the malware displays a window asking for ransom for files. An interesting point is that the window is an executable file, not a picture, an HTA file, or a text file.

image

Victims should understand that there is no obligation for criminals to truly provide keys for decryption after paying the ransom.

HOW TO FIGHT

To combat this malware there are two recommendations:

  • Make sure that all computers using Windows have the latest update. At a minimum, MS17-010 update.
  • In accordance with best practices, any organization in which SMB is publicly available (ports 139, 445) should immediately block incoming traffic

Defeat Indicators

File Names:

  • d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa b.wnry
  • 402751fa49e0cb68fe052cb3db87b05e71c1d950984d339940cf6b29409f2a7c r.wnry
  • e18fdd912dfe5b45776e68d578c3af3547886cf1353d7086c8bee037436dff4b s.wnry
  • 4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79 taskdl.exe
  • 2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d taskse.exe
  • 97ebce49b14c46bebc9ec2448d00e1e397123b256e2be9eba5140688e7bc0ae6 t.wnry
  • b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25 u.wnry

Used IP:

  • 188 [.] 166 [.] 23 [.] 127: 443
  • 193 [.] 23 [.] 244 [.] 244: 443
  • 2 [.] 3 [.] 69 [.] 209: 9001
  • 146 [.] 0 [.] 32 [.] 144: 9001
  • 50 [.] 7 [.] 161 [.] 218: 9001
  • 217.79.179 [.] 77
  • 128.31.0 [.] 39
  • 213.61.66 [.] 116
  • 212.47.232 [.] 237
  • 81.30.158 [.] 223
  • 79.172.193 [.] 32
  • 89.45.235 [.] 21
  • 38.229.72 [.] 16
  • 188.138.33 [.] 220

Extensions, encrypted files:

.der, .pfx, .key, .crt, .csr, .p12, .pem, .odt, .sxw, .stw, .3ds, .max, .3dm, .ods, .sxc, .stc, .dif, .slk, .wb2, .odp, .sxd, .std, .sxm, .sqlite3, .sqlitedb, .sql, .accdb, .mdb, .dbf, .odb, .mdf, .ldf, .cpp, .pas, .asm, .cmd, .bat, .vbs, .sch, .jsp, .php, .asp, .java, .jar, .class, .mp3, .wav, .swf, .fla, .wmv, .mpg, .vob, .mpeg, .asf, .avi, .mov, .mp4, .mkv, .flv, .wma, .mid, .m3u, .m4u, .svg, .psd, .tiff, .tif, .raw, .gif, .png, .bmp, .jpg, .jpeg, .iso, .backup, .zip, .rar, .tgz, .tar, .bak, .ARC, .vmdk, .vdi, .sldm, .sldx, .sti, .sxi, .dwg, .pdf, .wk1, .wks, .rtf, .csv, .txt, .msg, .pst, .ppsx, .ppsm, .pps, .pot, .pptm, .pptx, .ppt, .xltm, .xltx, .xlc, .xlm, .xlt, .xlw, .xlsb, .xlsm, .xlsx, .xls, .dotm, .dot, .docm, .docx, .doc

Source

Also popular now: