Detect WannaCry Initial Exploit Traffic with NetMon

The WannaCry ransomware campaign is just the latest wave of malware to target exploits in core networking protocols. And you need to protect your network with advanced threat detection.

The ransomware spreads to unpatched Windows systems (see Microsoft Security Bulletin MS17- 010 – Critical) using a buffer overflow attack, called EternalBlue, against the Server Message Block (SMB) protocol host. Any unpatched Windows environment running SMB version 1 is potentially vulnerable to this attack.

Fortunately, from the analysis we’ve done of the WannaCry exploit, the SMB dropper traffic is easy to detect with LogRhythm NetMon using a simple Query Rule. Note that the rules described here are refinements based on additional analysis of the malware.

Here’s what we know:

  1. WannaCry propagates via SMB protocol, and forces the use of version 1 only (SMBv1).
  2. We know that the WannaCry/EternalBlue attack uses a buffer overflow exploit that will most likely go beyond a single SMB command. This means that the SMB communication will require more than a single UDP packet and will require the secondary transaction command “transaction2_secondary” in the SMB command string. More information on this protocol command can be found at MSDN SMB_COM_TRANSACTION2 and MSDN SMB_COM_TRANSACTION2_SECONDARY.
  3. From testing on various networks, the combination of SMBv1 and secondary transaction is technically valid, but appears to be rare. SMBv1 is considered a legacy version of the protocol, although it is still in use in few applications. The combination also requires SMB commands that are too long for a single SMB message. Because most SMB commands fit easily in a single message, this allows this combination of SMBv1 and the transaction2_secondary command to be considered a simple differentiating indicator of EternalBlue.
  4. The chance for false positives will depend on your internal use of SMB. Filtering out internal “good endpoints” should be fairly easy if you do see SMBv1 with the “transaction2_secondary” command and can confirm it is not malicious traffic.
  5. Alternately, we know that the current variant of WannaCry uses two hard coded static IP addresses in the dropper. Each of these IPs will show up in the SMB commands as the path. A WannaCry attack issues a first SMB command with a path of \192.168.56.20\IPC$. If the first command succeeds, a second SMB command is sent with the transaction2_secondary CommandString and a path of \172.16.99.5\IPC$

Query Rule 1: Generic Check for SMBv1 and “transaction2_secondary”

Let’s take a look at some example queries that can help you determine if you’re experiencing a WannaCry threat.

EternalBlue and WannaCry leverage a buffer overflow attack via SMBv1. To capture the successful attack, look for SMBv1 and the “transaction2_secondary” command. In combination, you will have a rule that will not generate false negatives. It may generate false positives if you are using older software depending on SMBv1 that also happens to use large commands requiring transaction2_secondary. This should be an extremely rare case in modern systems.

Here’s what you need to do:

  1. Go to any NetMon dashboard. (Download NetMon Freemium here.)
  2. Look for long SMB commands, type the following into the query bar:
Application:SMB AND Version:1 AND CommandString:transaction2_secondary
  1. In a clean network, you should see “No results found.”
  2. Expand the timeframe and look over the past several days and weeks to confirm.
  3. If you still do not see any matching traffic, you can save the rule and have a high degree of confidence of catching either successful WannaCry attacks or the more general “EternalBlue” attack vector.
  4. If you see matching traffic:
    • It may be WannaCry/EternalBlue ransomware.
    • It may be valid SMB traffic.
  5. To differentiate the traffic, examine the source and destination and rule out normal operations within your network.

Query Rule 2: Specific WannaCry IP Addresses

For WannaCry’s current versions, you can use an alternate query to look at the “Path” metadata field for SMB traffic. This query is specific for the in-the-wild WannaCry as of May 15, 2017. Future variants of this malware could use different IP addresses.

  1. In any NetMon Dashboard, enter the following query:
Application:SMB AND Version:1 AND (Path:192.168.56.20 OR Path:172.16.99.5)
  1. The actual path metadata will be \192.168.56.20\IPC$ or \172.16.99.5\IPC$.

Figure

Figure 1: Path Metadata (Click Image to View Larger)

  1. If you see any traffic similar to the above, then you almost certainly are witnessing WannaCry traffic.
  2. The first SMB session will have the 192 path. On success, the second SMB session will have the 172 path AND the transaction2_secondary command string.
  3. Other SMB sessions may occur depending on how fast the malware is trying to spread.

Other means of detecting the traffic with NetMon are possible, but they require deeper packet-level analysis with a DPA rule.

Using NetMon to Detect the WannaCry Exploit

How can you detect a WannaCry exploit? You need the power of LogRhythm NetMon.

LogRhythm NetMon gives you visibility into your network traffic, as well as security analytics that your team needs to monitor your organization’s network. NetMon helps you surface the most advanced threats in real time using application recognition, customizable Deep Packet Analytics, and multidimensional network traffic and behavioral analytics.

To learn more about NetMon, check out our use cases to discover how to quickly recognize and respond to vulnerabilities, such as WannaCry, and learn how to develop a protocol misuse that attempts to hide malicious activities.Acknowledgements

Special thanks to these LogRhythm Labs employees for their continued work analyzing and reporting on WannaCry and other threats affecting LogRhythm customers: Ryan Sommers, Andrew Costis, Brian Coulson, Erika Noerenberg, Kim Raburn, Matt Willems, and Nathaniel Quist.