Systems May Still Be Infected After Patching MS17-010
Adylkuzz and other malware may still be lurking
Last week’s news of the rapidly spreading WannaCry ransomware likely accelerated the patch cycle of most organizations. WannaCry spread by leveraging an exploit known as EternalBlue, allegedly developed by the NSA and dropped by the ShadowBrokers group in April. The exploit targets a critical remote code execution vulnerability (MS17-010) in the Microsoft Windows file sharing (SMB) service. Because it requires no human intervention, WannaCry spread rapidly, and the subsequent hailstorm of news drove many organizations to deploy a patch that had been available for nearly two months.
It is worth remembering that the same EternalBlue exploit used to distribute WannaCry can be used to deliver other malware payloads as well. Anyone can tack malware onto this nation-state level exploit, saving the trouble of distributing it via e-mail or exploit kits. One example of other malware distributed via the EternalBlue exploit is Adylkuzz. Adylkuzz consumes the computing resources of the machines it infects in order to mine the Monero cryptocurrency. Monero is like Bitcoin but claims to offer a higher degree of privacy.
Although WannaCry and Adylkuzz both leverage the EternalBlue exploit, there are several important differences.
First, WannaCry propagates in worm-like fashion where every host that is infected subsequently starts scanning for other vulnerable hosts to infect. This self-propagating mechanism justifiably contributed to the attention garnered by WannaCry. Fortunately, the now infamous “kill-switch” helped to squelch this propagation. Adylkuzz, on the other hand, relies on a relatively small set of virtual private servers that scan for vulnerable hosts to infect. Once a host is infected with Adylkuzz, it starts mining for Monero but doesn’t try to find other hosts to infect.
Second, it will be obvious when a system is successfully compromised by WannaCry as it will present the equally infamous “Oops, your files have been Encrypted!” digital ransom note ingrained in nearly every WannaCry blog and news article. Adylkuzz, on the other hand, aims to keep a low profile, working in the background, so it can continue mining for Monero.
Third, Adylkuzz predates WannaCry. According to an excellent write-up on Adylkuzz by Proofpoint, “the Adylkuzz campaign significantly predates the WannaCry attack, beginning at least on May 2 and possibly as early as April 24.”
Finally, Adylkuzz actually protects against WannaCry and any other malware that aims to spread via the EternalBlue-based exploit. It is common for malware to protect its turf and, as noted by Proofpoint, “once running, Adylkuzz will … block SMB communication to avoid further infection.” Thus, it is possible that some organizations may have avoided being impacted by WannaCry because they were already infected by Adylkuzz.
Organizations should remain vigilant even if they managed to escape WannaCry. MS17-010 is a serious unauthenticated, remote, kernel-level vulnerability for which a publicly available exploit (EternalBlue) and backdoor (DoublePulsar) have existed since mid-April. Furthermore, applying a patch doesn’t remove malware that has already exploited a system and established persistence. As noted above, Adylkuzz predates WannaCry and may still be present on systems unbeknownst to their owners, whether they’ve been patched or not. Security firm Secdo [http://blog.secdo.com/multiple-groups-exploiting-eternalblue-weeks-before-wannacry] also claims to have identified EternalBlue-based attacks that predate WannaCry.
Vigilance calls for both strong endpoint and strong network security monitoring, but a strong network monitoring solution such as Arbor Networks Spectrum is paramount for kernel-level vulnerabilities such as MS17-010. Malware that gains a foothold in the kernel may not be detectable by even the most advanced endpoint solutions. The network, however, always tells the truth: propagation, command and control, and data exfiltration traffic can still be identified by strong network security monitoring solutions such as Arbor Networks Spectrum even when such activity bypasses an endpoint solution.
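The propagation behaviour described above (an infected WannaCry host scanning its neighbours for port 445, or a small set of Adylkuzz scanning servers probing inbound) leaves a recognizable fan-out pattern in network flow data. The following is an added example, not code from Arbor Networks or this article: it reads a handful of constructed flow records, flags any source that reaches many distinct destinations on TCP/445 within a short window, and separates internal sources (worm-like lateral spread) from external ones (inbound scanning). The address plan, threshold and window are assumptions chosen for the sample data; a real deployment would tune them to its own SMB traffic baseline.

```python
"""
SMB (TCP/445) fan-out detection over flow records.
Added example, not Arbor Networks' or the article's own code. Sample flows,
the internal address range, the threshold and the window are all constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed flow records: timestamp,src,dst,dport,proto
SAMPLE_FLOWS = """\
2017-05-15T10:00:01Z,10.0.1.23,10.0.1.24,445,tcp
2017-05-15T10:00:02Z,10.0.1.23,10.0.1.25,445,tcp
2017-05-15T10:00:03Z,10.0.1.23,10.0.1.26,445,tcp
2017-05-15T10:00:04Z,10.0.1.23,10.0.1.27,445,tcp
2017-05-15T10:00:05Z,10.0.1.23,10.0.1.28,445,tcp
2017-05-15T10:00:06Z,10.0.1.23,10.0.1.29,445,tcp
2017-05-15T10:00:07Z,10.0.1.50,10.0.1.5,445,tcp
2017-05-15T10:00:08Z,10.0.1.50,10.0.1.6,445,tcp
2017-05-15T10:00:09Z,10.0.1.50,10.0.1.6,80,tcp
2017-05-15T10:01:00Z,203.0.113.7,10.0.1.30,445,tcp
2017-05-15T10:01:01Z,203.0.113.7,10.0.1.31,445,tcp
2017-05-15T10:01:02Z,203.0.113.7,10.0.1.32,445,tcp
2017-05-15T10:01:03Z,203.0.113.7,10.0.1.33,445,tcp
2017-05-15T10:01:04Z,203.0.113.7,10.0.1.34,445,tcp
2017-05-15T10:20:00Z,10.0.1.50,10.0.1.7,445,tcp
"""

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed address plan
FANOUT_THRESHOLD = 5        # distinct 445 destinations that trigger an alert
WINDOW = timedelta(seconds=60)


def parse_flows(text):
    """Parse CSV flow lines into (timestamp, src, dst, dport, proto) tuples."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, dport, proto = line.split(",")
        flows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                      src, dst, int(dport), proto))
    return flows


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def smb_fanout(flows, threshold=FANOUT_THRESHOLD, window=WINDOW):
    """Return {src: peak distinct TCP/445 destinations seen inside any
    window} for every source whose peak reaches the threshold.
    Repeated connections to the same share server do not count twice,
    which keeps a busy but legitimate client below the threshold."""
    by_src = defaultdict(list)
    for ts, src, dst, dport, proto in sorted(flows):
        if proto == "tcp" and dport == 445:
            by_src[src].append((ts, dst))
    alerts = {}
    for src, events in by_src.items():
        peak = 0
        for i, (start, _) in enumerate(events):
            in_window = {d for t, d in events[i:] if t - start <= window}
            peak = max(peak, len(in_window))
        if peak >= threshold:
            alerts[src] = peak
    return alerts


def classify(alerts):
    """Internal fan-out suggests worm-like lateral spread (the WannaCry
    pattern); external fan-out suggests inbound scanning from a few
    remote hosts (the Adylkuzz pattern)."""
    return {
        "internal_spread": sorted(s for s in alerts if is_internal(s)),
        "external_scanners": sorted(s for s in alerts if not is_internal(s)),
    }


if __name__ == "__main__":
    found = smb_fanout(parse_flows(SAMPLE_FLOWS))
    for src, peak in found.items():
        print(f"{src}: {peak} distinct SMB targets within {WINDOW}")
    print(classify(found))
```

In the sample data the client 10.0.1.50 talks to three file servers over twenty minutes and stays below the threshold, while 10.0.1.23 (six neighbours in six seconds) and 203.0.113.7 (five internal hosts in five seconds) are flagged and sorted into the two buckets. The same logic applies unchanged whether the traffic bypassed an endpoint agent or not, which is the point of looking at the network.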