Using NetMon to Detect WannaCry Initial Exploit Traffic

The WannaCry ransomware campaign is just the latest wave of malware to target exploits in core networking protocols. The ransomware spreads to unpatched Windows systems (see Microsoft Security Bulletin MS17- 010 - Critical) using a buffer overflow attack, called EternalBlue, against the Server Message Block (SMB) protocol host. Any unpatched Windows environment running SMB version 1 is potentially vulnerable to this attack.

Fortunately, from the analysis we’ve done of the WannaCry exploit, the SMB dropper traffic is very easy to detect with Network Monitor using a simple Query Rule. Note that the rules described here are refinements based on additional analysis of the malware.

  1. WannaCry propagates via SMB protocol, and forces the use of version 1 only (SMBv1).
  2. We know that the WannaCry/EternalBlue attack uses a buffer overflow exploit that will most likely go beyond a single SMB command. This means that the SMB communication will require more than a single UDP packet and will require the secondary transaction command “transaction2_secondary” in the SMB command string. More information on this protocol command can be found at MSDN SMB_COM_TRANSACTION2 and MSDN SMB_COM_TRANSACTION2_SECONDARY.
  3. From testing on various networks, the combination of SMBv1 and secondary transaction is technically valid, but appears to be very rare. SMBv1 is considered a legacy version of the protocol, although it is still in use in few applications. The combination also requires SMB commands that are too long for a single SMB message. Because most SMB commands fit easily in a single message, this allows this combination of SMBv1 and the transaction2_secondary command to be considered a simple differentiating indicator of EternalBlue.
  4. The chance for false positives will be dependent on your internal use of SMB. Filtering out internal “good endpoints” should be fairly easy if you do see SMBv1 with the “transaction2_secondary” command and can confirm it is not malicious traffic.
  5. Alternately, we know that the current variant of WannaCry uses two hard coded static IP addresses in the dropper. Each of these IPs will show up in the SMB commands as the path. A WannaCry attack issues a first SMB command with a path of \192.168.56.20\IPC$. If the first command succeeds, a second SMB command is sent with the transaction2_secondary CommandString and a path of \172.16.99.5\IPC$

Query Rule 1: Generic Check for SMBv1 and “transaction2_secondary”

EternalBlue and WannaCry leverage a buffer overflow attack via SMBv1. To capture the successful attack, look for SMBv1 and the “transaction2_secondary” command. In combination, you will have a rule that will not generate false negatives. It may generate false positives if you are using older software depending on SMBv1 that also happens to use large commands requiring transaction2_secondary. This should be an extremely rare case in modern systems.

  1. Go to any Network Monitor dashboard. (Download NetMon Freemium here.)
  2. To look for long SMB commands, type the following into the query bar:
  Application:SMB AND Version:1 AND CommandString:transaction2_secondary
  
  1. In a clean network, you should see “No results found.”
  2. Expand the timeframe and look over the past several days and weeks to confirm.
  3. If you still do not see any matching traffic, you can save the rule and have a high degree of confidence of catching either successful WannaCry attacks or the more general “EternalBlue” attack vector.
  4. If you do see matching traffic:

    • It may be WannaCry/EternalBlue ransomware.
    • It may be valid SMB traffic.
  5. To differentiate the traffic, examine the source and destination and rule out normal operations within your network.

Query Rule 2: Specific WannaCry IP Addresses

For WannaCry’s current versions, you can use an alternate query to look at the “Path” metadata field for SMB traffic. This query is specific for the in-the-wild WannaCry as of May 15th, 2017. Future variants of this malware could use different IP addresses.

  1. In any Network Monitor Dashboard, enter the following query:
  Application:SMB AND Version:1 AND (Path:192.168.56.20 OR Path:172.16.99.5)
  
  1. The actual path metadata will be \192.168.56.20\IPC$ or \172.16.99.5\IPC$.
Figure 1: Path Metadata

Figure 1: Path Metadata (Click Image to View Larger)

  1. If you see any traffic similar to the above, then you almost certainly are witnessing WannaCry traffic.
  2. The first SMB session will have the 192 path. On success, the second SMB session will have the 172 path AND the transaction2_secondary command string.
  3. Other SMB sessions may occur depending on how fast the malware is trying to spread.

Other means of detecting the traffic with Network Monitor are possible, but they require deeper packet-level analysis with a DPA rule.

Acknowledgements

Special thanks to these LogRhythm Labs employees for their continued work analyzing and reporting on WannaCry and other threats affecting LogRhythm customers: Ryan Sommers, Andrew Costis, Brian Coulson, Erika Noerenberg, Kim Raburn, Matt Willems, and Nathaniel Quist.

The Top 8 Things to Analyze in Your Network to Detect a Compromised System

Free Training: Brush Up on Your Deep Packet Analytics Rules and Dashboards

A Technical Analysis of WannaCry Ransomware

WannaCry Ransomware

Analysis of Shamoon 2 Disk-Wiping Malware