Is that true, that default deny security solutions can stop the EternalBlue & DoublePulsar attacks?

[Winter Soldier]

While you were making your post I was editing mine . I read somewhere that the worm uses the heapspray method. But, I think that remote heapspray may be a challenge for some anti-exploits.

Heapspray method writes more
times a shellcode in the memory of a running process.
But then DEP "should" block the execution of malicious code in the memory according to my experience.

 

[Andy Ful]

SMBv1 has long been established as bad ju-ju.

I tested WannaCry on two unpatched and connected Win 7 (2011 with no applied updates) VMs, created file and network shares and still the SMBv1 exploit isn't working = I can't get one VM to infect the other. I see in the Wireshark captures on both VMs the SMB2 - but I want to see only SMB. So I enabled only SMB1 and still can't get the damn thing to work... LOL. just how it goes sometimes.

It could be that the worm attack depends of the kernel version.

 

[SHvFl]

SMBv1 has long been established as bad ju-ju.

I tested WannaCry on two unpatched and connected Win 7 (2011 with no applied updates) VMs, created file and network shares and still the SMBv1 exploit isn't working = I can't get one VM to infect the other. I see in the Wireshark captures on both VMs the SMB2 - but I want to see only SMB. So I enabled only SMB1 and still can't get the damn thing to work... LOL. just how it goes sometimes.

It's probably the way the 2 vms communicate. For the exploit to work some ports need to be accessible. Don't remember the ports but i am pretty sure it was 2 specific ports.

 

[Andy Ful]

@Lockdown
If you mastered enough Metasploit, that would be the simplest way to perform EternalBlue & DoublePulsar attack.

 

[509322]

It's probably the way the 2 vms communicate. For the exploit to work some ports need to be accessible. Don't remember the ports but i am pretty sure it was 2 specific ports.

Windows Firewall disabled. The SMB2 can be seen in both VMs so they are chatting-away. What I am not seeing in only SMB. I am using Host-Only so that I do not infect the rest of the network.

@SHvFl thanks for the reminder though. I will install the Telnet feature in Windows features and do port-checks for 137 - 139 and 445.

If anyone is interested, Telnet Client is not installed by default in Windows. It can be installed via Control Panel > Programs and Features > Turn Windows Features ON\OFF. Articles don't explain this little tidbit. You would think that they would have common sense and explain that fact - right ? Meanwhile you are sitting there and keep re-typing telnet IP or URL address port # in cmd over-and-over wondering - and doing the huh ?

@Lockdown
If you mastered enough Metasploit, that would be the simplest way to perform EternalBlue & DoublePulsar attack.

It will take time to learn Kali Linux. Just focusing on Kali Linux instead of the standalones. So much is packed-into Kali.

I am thinking it might be something I overlooked in networking - not exactly my cup of tea.
______________________________________________________________________________________________
netstat -a show ports 139 and 445 listening = open

Head-scratcher...

I have a few choice words on this one that I may not post.

I've read that WannaCry is buggy, but not sure if that is even the case here.

 

[ahity]

Heapspray method writes more
times a shellcode in the memory of a running process.
But then DEP "should" block the execution of malicious code in the memory according to my experience.

thanks for information, so i think i should enable DEP..

 

[shmu26]

netstat -a show ports 139 and 445 listening = open

Head-scratcher...

I have a few choice words on this one that I may not post.

I've read that WannaCry is buggy, but not sure if that is even the case here.

Maybe your sample is VM-sensitive?

 

[Winter Soldier]

thanks for information, so i think i should enable DEP..

The default option is the selected one but you can turn on DEP for all programs and services except those selected.

 

[AtlBo]

The default option is the selected one but you can turn on DEP for all programs and services except those selected.

An element of EMET 5.5 for Windows 7 is the ability to do this also. EMET is painful to configure but at least this is an option for Win 7 users who aren't ready to move on yet. It's actually super light I will say.

 

[509322]

Maybe your sample is VM-sensitive?

Possible, but those types generally just self-terminate.

 

[Andy Ful]

So, the VoodooShield developer made a test I wrote about in the post #24. It is good to know that meterpreter remote session cannot be established using Metasploit with EternalBlue & DoublePulsar exploits, when the target computer is protected with VoodooShield 'ALWAYS ON' mode or NVT ERP with rundll32.exe on the list of vulnerable executables.



Good work @NastyBrother.

Yet, I am not sure what DLL injection was stopped in the video. It looks like that was not EternalBlue. If that was DoublePulsar, then how it is related to the analysis: Analyzing the DOUBLEPULSAR Kernel DLL Injection Technique | Countercept , where the injection using rundll32.exe is not mentioned at all? So, maybe VoodooShield blocks only the meterpreter payload?
Anyway, it is a very good result, for developers and people who use VoodooShield or NVT ERP.

The bad news is, that any of tested security programs, could not stop EternalBlue (and probably DoublePulsar) exploit. I said 'bad news' not to depreciate the excellent security programs, but to stress how nasty are EternalBlue & DoublePulsar exploits.

Edit
Corrected - I have embeded the wrong video.

 

[ZeroDay]

So, the VoodooShield developer made a test I wrote about in the post #24. It is good to know that meterpreter remote session cannot be established using Metasploit with EternalBlue & DoublePulsar exploits, when the target computer is protected with VoodooShield 'ALWAYS ON' mode or NVT ERP with rundll32.exe on the list of vulnerable executables.



Good work @NastyBrother.

Yet, I am not sure what DLL injection was stopped in the video. It looks like that was not EternalBlue. If that was DoublePulsar, then how it is related to the analysis: Analyzing the DOUBLEPULSAR Kernel DLL Injection Technique | Countercept , where the injection using rundll32.exe is not mentioned at all? So, maybe VoodooShield blocks only the meterpreter payload?
Anyway, it is a very good result, for developers and people who use VoodooShield or NVT ERP.

The bad news is, that any of tested security programs, could not stop EternalBlue (and probably DoublePulsar) exploit. I said 'bad news' not to depreciate the excellent security programs, but to stress how nasty are EternalBlue & DoublePulsar exploits.

So even Comodo Internet Security or FW with CS settings could not stop Eternal Blue and probably Double Pulsar exploit?

 

[Andy Ful]

So even Comodo Internet Security or FW with CS settings could not stop Eternal Blue and probably Double Pulsar exploit?

Sorry for my mistake - I embedded the wrong video (corrected). Dan did not test Comodo Firewall (CS settings), but he is going to make more tests. We will see ...

 

[Deleted member 178]

About AG (from this post and after.)

VoodooShield ?

 

[509322]

So even Comodo Internet Security or FW with CS settings could not stop Eternal Blue and probably Double Pulsar exploit?

Why is everyone so worried about exploits that Microsoft has already patched ? It's pointless to worry about them - unless you continue to use an unpatched version of Windows, have SMBv1 enabled and are using it for SMB client-server file sharing and such.

The bad news is, that any of tested security programs, could not stop EternalBlue (and probably DoublePulsar) exploit. I said 'bad news' not to depreciate the excellent security programs, but to stress how nasty are EternalBlue & DoublePulsar exploits.

Edit
Corrected - I have embeded the wrong video.

AppGuard is not an anti-exploit. We recommend that other means be employed to protect against application, kernel and network exploits.

I think this article has been revised. When I read it a week ago, I recall that the original version of this article stated that *.dlls were written to disk in the first or second paragraph, Analyzing the DOUBLEPULSAR Kernel DLL Injection Technique | Countercept, but I could be having a memory lapse.

 

[My name Jeff]

Why is everyone so worried about exploits that Microsoft has already patched ? It's pointless to worry about them - unless you continue to use an unpatched version of Windows, have SMBv1 enabled and are using it for SMB client-server file sharing and such.

@Lockdown I would like to ask how to prevent getting infected while reinstalling windows as an internet connection is required to obtain the patch? Would disabling SMB 1 be sufficient while updating windows?

 

[509322]

@LockdownI would like to ask how to prevent getting infected while reinstalling windows as an internet connection is required to obtain the patch? Would disabling SMB 1 be sufficient?

Microsoft does not use SMB for Windows Updates, but Microsoft has recommended (not using) disabling SMBv1 for many years. Therefore, it is ludicrous that Microsoft has SMBv1 enabled by default. They ship it with Windows for "legacy" compatibility reasons.

 

[shmu26]

@Lockdown I would like to ask how to prevent getting infected while reinstalling windows as an internet connection is required to obtain the patch? Would disabling SMB 1 be sufficient while updating windows?

Hi, I am just trying to understand your question: are you reinstalling Windows, or updating Windows?
If you are reinstalling, then your tweak of disabling SMB1 will get undone as soon as your old Windows installation is gone. However, you can run an offline reinstall, if you wish.
If you are updating, then all your Windows security features are in place, so you don't have much to worry about. Windows update channel is about as safe as you can get. It does not deliver malware.

 

[My name Jeff]

Hi, I am just trying to understand your question: are you reinstalling Windows, or updating Windows?
If you are reinstalling, then your tweak of disabling SMB1 will get undone as soon as your old Windows installation is gone. However, you can run an offline reinstall, if you wish.
If you are updating, then all your Windows security features are in place, so you don't have much to worry about. Windows update channel is about as safe as you can get. It does not deliver malware.

Hi @shmu26, I'll take note of asking a question more clearly. I was meant to ask would the tweak of disabling SMB1 be a sufficient security measure to prevent being infected by wannacry so I can update to the latest version of windows.

 

[shmu26]

Hi @shmu26, I'll take note of asking a question more clearly. I was meant to ask would the tweak of disabling SMB1 be sufficient security measure to prevent being infected by wannacry so I can update to the latest version of windows.

Thanks for explanation. Like @Lockdown said, SMB1 is not how the latest version of Windows will be delivered to you.

You have the option of downloading the ISO for the latest Windows version, and using that for your upgrade. I see you are on Windows 10. So you can mount the ISO, run the installer file in it, and by default it will upgrade you to the newest version of Windows, saving your apps and files. After it finishes the initial stage of checking out your system and downloading latest updates, and it actually starts to do the real upgrade process, you could pull the plug on your internet connection, until it's all finished. You don't have to, but if you are concerned about an open internet connection, you could do it.