Experts found out which OS will become the new victim of WannaCry

11 June 2017, 13:40 | Technologies

RiskSense security experts have successfully modified the EternalBlue exploit used by the notorious WannaCry Trojan. The exploit can now be used against Windows 10.

Windows 10 is no longer a panacea.

RiskSense specialists have published a lengthy report on how they made the EternalBlue exploit, which previously did not function on Windows 10, work in that environment.

EternalBlue is one of the "NSA exploits" stolen from the Equation cyber group in 2016. In mid-April 2017 this exploit, along with several others, was distributed by The Shadow Brokers. Shortly thereafter came the global epidemic of the WannaCry ransomware, which used this exploit.

A global cyber attack using the WannaCry ransomware began on May 12, 2017. The virus infected tens of thousands of computers around the world, including those of government agencies.

All computers running Windows versions below the tenth are vulnerable. Windows 10 implements a number of security mechanisms designed to prevent malicious software from penetrating the system, and EternalBlue had been powerless against them.

However, RiskSense experts demonstrated that the exploit can be made to work under Windows 10, though they noted that the March MS17-010 system update remains the most effective barrier against malware that uses EternalBlue.

"We omitted a number of details."

In the published paper, the researchers showed how they managed to bypass Windows 10's security tools, in particular by devising a new way to bypass DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization).

As the company's senior analyst Sean Dillon said, RiskSense does not plan to release the source code of the EternalBlue "port" for Windows 10 in the foreseeable future. The publication omits many details that are of no use to legitimate security researchers and would be of interest only to intruders.

But other aspects are described in full detail.

The "original" EternalBlue works in conjunction with the DoublePulsar backdoor, which must be the first to get onto the system. As Dillon said, many cybersecurity experts have paid too much attention to the "pulsar". Meanwhile, it can readily be replaced with something else.

"DoublePulsar is a kind of distracting maneuver especially for security experts," Dillon said. "We proved this by creating a new component that allows you to directly download malware, without first installing DoublePulsar. So those who want to defend themselves against such attacks in the future, do not focus on DoublePulsar. It's better to tackle those parts of the [EternalBlue] exploit that can be identified and blocked."

The new component for EternalBlue is a Windows asynchronous procedure call (APC), which makes it possible to run malicious components from the processor's user access mode without using a backdoor. Technical details of the implementation of this method, as well as a description of the technical defenses, are available at the link.

RiskSense experts point out that the most effective method of protection is still to install the update Microsoft released in March 2017.

- Something happened that should have happened, - says Ksenia Shilak, Sales Director of SEC-Consult Rus. - It is gratifying that the "port" of EternalBlue was dealt with by legitimate security specialists, and not by criminal hackers. Now, at least, potential victims have information about what measures they can take to protect themselves. The problem is that the WannaCry epidemic has shown how often users and system administrators neglect to install even the most critical updates.

Module in Metasploit.

RiskSense experts were among the first to take a close look at EternalBlue and DoublePulsar. Just two days after the main wave of WannaCry attacks they added a module to the Metasploit platform, a "truncated" version of EternalBlue that also does not need DoublePulsar. Because it lacks the backdoor, the module generates less traffic, which lets it slip past automatic intrusion detection systems tuned to EternalBlue and DoublePulsar.

Based on materials: risksense.com
