Discussion Post

Wow, week five already! The long weekend helped me get caught up and break the cycle I’ve been on, yay!

While not the latest in malware I decided to discuss WannaCry (also known as WCry or WanaCryptor). (Hunt, 2017) The reason for my choice is I have personal experience with this self-propagating (worm-like) ransomware. I have spent the last year working on various projects to mitigate the potential impact of ransom malware like WannaCry. In this post, I will explain the ransomware approach that WannaCry took, as it does not differ that dramatically from most recent ransomware. I will also talk a bit about some of the projects that I have been involved in, some of my customer’s concerns and some mitigation strategies like WORM (Write once read many, 2018) and Isolated Recovery (Korolov, 2016) that I have helped automate and implement for customers.

A simple explanation of WannaCry is that it encrypts files, rendering them useless and demands a ransom be paid in bitcoin, of course, to have the files decrypted.

Some basic information on WannaCry (Berry, Homan & Eitzman, 2017):

  1. WannaCry exploits a vulnerability in Microsoft’s Server Message Block (SMB) protocol (also known as CIFS of Common Internet File System). (Microsoft, 2017) For our purposes, we can consider SMB and CIFS are synonymous, but in the interest of education the SMB protocol was invented by IBM in the mid-1980’s and CIFS is Microsoft’s implementation of SMB.
  2. The WannaCry malware consists of two key functions, encryption, and propagation.
  3. WannaCry leverages an exploit called EternalBlue (NVD, 2017) to exploit the vulnerability in Microsoft’s SMB protocol implementation.
  4. What makes WannaCry and other ransomware attacks incredibly dangerous is that once on a corporate network they begin propagating using vulnerabilities in sharing protocols like SMB. It’s difficult to firewall these protocols because they are heavily used by users to share data across secure networks.

Ransomware attacks like WannaCry, NotPetya, and Locky created serious concern across many enterprises who store terabytes and petabytes of data on shares which are accessed using the SMB protocol. Organizations started thinking about how they could mitigate the risk of ransomware and what their recovery plan would be if they were hit with ransomware.

Many customers who share data on the Windows server platform leverage the VSS (Volume Shadow Copy Service) to take snapshots and protect / revision data. The idea of a snapshot is it is a point-in-time copy which a user can rollback to. Developers writing malicious software understand pervasive mitigation techniques like the use of VSS snapshots and they address them. Crafty developers of malicious software use vssadmin.exe to remove VSS snapshots (previous versions) so a user can’t rollback to an unencrypted version of the file(s).  (Abrams, 2016)

The obvious risk of having petabytes of data encrypted has created questions regarding the vulnerability of enterprise NAS (Network Attach Storage) devices from manufacturers like DellEMCNetApp, etc… Enterprise-class NAS devices provide additional safeguards like filesystems which are NTFS, no hooks to vssadmin, read-only snapshots, etc… so the protections are greater, but corporations are still concerned with zero-day exploits so additional mitigation approaches are being developed. Backing up your data is an obvious risk mitigation practice, but many enterprises are backing up to disk-based backup devices which are accessible via the SMB protocol so this has raised additional questions and cause for concern. A model called “Isolate Recovery” which leverages an air gap (Korolov, 2016) and other protection methods to ensure that data is protected, this is more of a programmatic implementation of a process then it is a technology.

Example Topology
[HOST] <-> [NETWORK] <-> [SHARED STORAGE] <-> [NETWORK] <-> [BACKUP TARGET]
Note: This is a simple representation but what is important to know here is that the HOST, SHARED STORAGE and BACKUP TARGET (could be a disk-based backup target or a replicated storage device) are all SMB accessible.

Example Isolated Recovery Topology
[HOST] <-> [NETWORK] <-> [SHARED STORAGE] <-> [NETWORK] <-> [BACKUP TARGET] <-> [NETWORK] <-> /AIR GAP/ <-> [ISOLATED RECOVERY TARGET]
Note: In this case, there is a tertiary copy of the data which resides in an isolated recovery environment which is air gapped. This paradigm could also be applied with only two copies of the data by air gapping the backup target, little tricker, but it can be done.

From a programmatic process perspective, the process might look something like this: https://gist.github.com/rbocchinfuso/a8b688546fad294d04281ab6eb632bfd#file-isolatedrecovery-md

A WORM (write once read many, not work as in virus) process is triggered via cron or some other scheduler or trigger mechanism might look something like this: https://gist.github.com/rbocchinfuso/b78a8a3a41021fc0df9c/#file-retentionlock-sh
Note:  This script is specific to WORM on a Data Domain disk bases backup device and leverages a feature called Retention Lock. The atime (access time) (Reys, 2008) of the file(s) is changed to a date in the future which places the file in WORM compliant mode until such date, once the date is reached the file reverts back to RW and can be deleted or modified.

References

Abrams, L. (2016, April 04). Why Everyone Should disable VSSAdmin.exe Now! Retrieved May 29, 2018, from https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/

Air gap (networking). (2018, May 27). Retrieved May 29, 2018, from https://en.wikipedia.org/wiki/Air_gap_(networking)

Berry, A., Homan, J., & Eitzman, R. (2017, May 23). WannaCry Malware Profile. Retrieved May 29, 2018, from https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html

Hunt, T. (2017, May 18). Everything you need to know about the WannaCry / Wcry / WannaCrypt ransomware. Retrieved May 29, 2018, from https://www.troyhunt.com/everything-you-need-to-know-about-the-wannacrypt-ransomware/

Korolov, M. (2016, May 31). Will your backups protect you against ransomware? Retrieved May 29, 2018, from https://www.csoonline.com/article/3075385/backup-recovery/will-your-backups-protect-you-against-ransomware.html

Reys, G. (2008, April 11). atime, ctime and mtime in Unix filesystems. Retrieved May 29, 2018, from https://www.unixtutorial.org/2008/04/atime-ctime-mtime-in-unix-filesystems/

Microsoft. (2017, October 11). Microsoft Security Bulletin MS17-010 – Critical. Retrieved May 29, 2018, from https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010

NVD. (2017, March 16). NVD – CVE-2017-0144 – NIST. Retrieved May 29, 2018, from https://www.bing.com/cr?IG=F94DFB39323448E6A46972AE19E1BB95&CID=304F78623FEB653F3DCF739C3E166483&rd=1&h=Dh-3S1QaiFT9tJkWNYeBAluFO8Y9ylpehdjBtEs6kAU&v=1&r=https://nvd.nist.gov/vuln/detail/CVE-2017-0144&p=DevEx.LB.1,5527.1

Write once read many. (2018, April 10). Retrieved May 29, 2018, from https://en.wikipedia.org/wiki/Write_once_read_many

 

Discussion Response 1

Good post on a very relevant and current topic.   IMO this trend will continue, the replacement of ASICs and RTOS with commodity ARM/x86 architecture and Linux makes it a lot easier for someone to create malicious code that can exploit routers across multiple manufacturers like Linksys, MikroTik, Netgear, and TP-Link.  I remember 20 years ago when if you wanted to go fast you used an ASIC and an RTOS like VxWorks, but x86 got so fast that ASICs no longer made sense for most applications, the ability to commoditize the hardware with a general purpose OS like Linux drove down cost and increased release velocity, a win all around.  With that said I think we may be on the doorstep fo a new cycle, we are seeing general purpose GPUs being used for everything from machine learning to crypto mining, these are essentially general purpose integrated circuits.  Power and environmental requirements are a big deal with general purpose GPUs and I believe we are on the doorstep of a cycle that sees the return of the ASIC. The TPU is is the beginning of what I believe will be a movement to go faster, get greener and more secure.

 

Discussion Response 2

Well done, as usual, well researched written and engaging exploration of different types of malware.
Response short this week because I spent most of my reading and responding time on Dr. Ford’s polymorphic coding challenge, a great exercise, wish there was more work like this.

 

Discussion Response 3

Dr. Ford’s polymorphic coding challenge

Anyone else given Dr. Ford’s polymorphic coding challenge a try?

Here is where I am:

  1. I am a Linux user so fired up a Win7 VM (suppose I could have done this in a dosbox or qemu freedos session, like Dr. Ford suggested, but been so long since I worked in 80 columns I find it unbearable).
  2. Used Bloodshed Dev-C++ w/ MinGW as C compiler.
  3. Got this far but I think I am missing something because obviously, the hex signature is the same for each .com file. Feel like this should not be the expected behavior.

Source Code: https://gist.github.com/5859ee8be77fd188f78b64eaa8538c62#file-hello-c

YouTube video of the compile, execute and hex signature view of hello0.com and hello1.com files: https://youtu.be/2vQOS4E1JB0
Note: Be sure to watch in 1080p HD quality.

I am not sure how I would alter the hex. I believe the hex code at the top of the stack needs to be what it is, the hex code for “Hello World!” just maps back to the hex for the ASCII characters.

When I look at hello0.com, hello1.com, etc… with a hex viewer the hex is the same, as you would expect. Does anyone have any thoughts on this? I would think a virus scanner would pick up this signature pretty easily.

 

Discussion Response 4

Replying to my own post with disassembled hello0.com and hello1.com files.
Wondering if this is polymorphic because hello.exe and the spawned hello?.com files have differing signatures.

> ndisasm hello0.com
00000000 0E push cs
00000001 1F pop ds
00000002 BA0E01 mov dx,0x10e
00000005 B409 mov ah,0x9
00000007 CD21 int 0x21
00000009 B8014C mov ax,0x4c01
0000000C CD21 int 0x21
0000000E 48 dec ax
0000000F 656C gs insb
00000011 6C insb
00000012 6F outsw
00000013 20576F and [bx+0x6f],dl
00000016 726C jc 0x84
00000018 642124 and [fs:si],sp

bocchrj@WIN7 C:\src\hello
> decompile –default-to ms-dos-com hello0.com

bocchrj@WIN7 C:\src\hello
> decompile –default-to ms-dos-com hello1.com

bocchrj@WIN7 C:\src\hello
> type hello0.asm
;;; Segment code (0C00:0100)

;; fn0C00_0100: 0C00:0100
fn0C00_0100 proc
push cs
pop ds
mov dx,010E
mov ah,09
int 21
mov ax,4C01
int 21
0C00:010E 48 65 He
0C00:0110 6C 6C 6F 20 57 6F 72 6C 64 21 24 llo World!$

bocchrj@WIN7 C:\src\hello
> type hello1.asm
;;; Segment code (0C00:0100)

;; fn0C00_0100: 0C00:0100
fn0C00_0100 proc
push cs
pop ds
mov dx,010E
mov ah,09
int 21
mov ax,4C01
int 21
0C00:010E 48 65 He
0C00:0110 6C 6C 6F 20 57 6F 72 6C 64 21 24 llo World!$

 

Essay Assignment

What are the financial and other models which drive malware? How do they impact the types of malware seen?

[google-drive-embed url=”https://docs.google.com/document/d/1F9ET0EbuasT_E0f_1TOUqOzaCkrciUfGozEcbCC2JfE/preview?usp=drivesdk” title=”Bocchinfuso – FIT – MGT5156 – Week 5 – Assignment 1″ icon=”https://drive-thirdparty.googleusercontent.com/16/type/application/vnd.google-apps.document” width=”100%” height=”400″ style=”embed”]

 

Malware History Module Assignment

[google-drive-embed url=”https://docs.google.com/document/d/13zIZqwoLdvYj72Hx6F3itdMnmQm3OKI6OjxohvzCJ_8/preview?usp=drivesdk” title=”Bocchinfuso – FIT – MGT5156 – Week 5 – Assignment 2″ icon=”https://drive-thirdparty.googleusercontent.com/16/type/application/vnd.google-apps.document” width=”100%” height=”400″ style=”embed”]