Aite Tribe Stories (17): My Two Days and Two Nights of Fighting with Eternal Blue

[Original article from 51CTO.com] redhat9i is a network engineer born in the 1980s. Like most IT guys, he likes to tinker. His interests and hobbies are very wide, including radio communications, emergency rescue, flute playing, Chinese medicine therapy, photography and so on.

redhat9i·Network Engineer

Meet 51CTO

redhat9i is mainly active in the 51CTO forum. He likes to discuss problems and exchange experiences with others there, and has met many colleagues who helped him solve many problems, which greatly improved his technical ability; at the time he was also able to guide other agents in the region. Since then he has taken root in the 51CTO forum, rising from section moderator to super moderator. Logging in to the forum every day has become a habit for redhat9i.

WannaCry virus analysis

The company redhat9i works for is a regional agent for a certain antivirus product; besides selling it, the company also provides professional after-sales service. May was destined to be another turbulent month: on May 13 the Eternal Blue virus broke out. This story took place at one of redhat9i's industry customers. As soon as the virus was discovered, redhat9i began notifying customers to harden their systems. According to the detailed information sent by the manufacturer's virus laboratory, once activated the virus drops ten files: mssecsvc.exe, tasksche.exe, b.wnry, c.wnry, r.wnry, s.wnry, t.wnry, u.wnry, Taskdl.exe and Taskse.exe. It then tries to reach the domain www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com (hereinafter the virus website), a very long and basically meaningless name that looks as if it was typed out at random. If the domain is reachable, the virus stops and does not encrypt the host; otherwise it encrypts the host's files. This behavior is called the Kill Switch, and it is the decisive switch that determines whether Eternal Blue encrypts the system. This flaw in the virus was discovered by a British network security engineer: once Eternal Blue successfully reaches www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com, it stops encrypting the system and infecting other machines. He registered this previously non-existent domain within *** time, which stopped the virus from wreaking further havoc to the greatest extent possible. The domain looks like an emergency stop switch the virus author left for himself, in case things got out of his control.

After activation the virus spreads across the LAN through ports 135, 137, 139 and 445 and the MS17-010 vulnerability. To keep the virus from activating and encrypting hosts on the intranet (which cannot connect to the Internet), the customer built a virus website on the provincial company's intranet. At the same time all units were told to patch and to close ports 135, 137, 139 and 445. redhat9i also sent people to enable the relevant prevention policies for customers and to have the antivirus software block the ten known virus files from being dropped on the host. Unfortunately, their hardening still could not keep pace with the spread of the virus. On May 19 redhat9i detected the two files mssecsvc.exe and tasksche.exe on the customer's network; they were diagnosed as Eternal Blue and, fortunately, killed by the antivirus software. Just as he was breathing a sigh of relief, the provincial company found through access monitoring of the virus website that a large number of intranet hosts in at least 5 branches were accessing it. What did that mean? That a large number of intranet hosts were infected with this virus. The redhat9i team was shocked: there were tens of thousands of computers on this LAN, and if the virus really spread it would be a disaster. After careful investigation he found that no host had been encrypted, a blessing in disguise.
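As an added example (not from the article or from redhat9i's team), this is the kind of check the provincial company ran on its internal virus website: parse the site's access log and list, per branch, the intranet hosts that queried the kill-switch domain. The log lines, subnets and branch names below are constructed for the example and are not values from the incident.

```python
import ipaddress
import re
from collections import defaultdict

KILL_SWITCH = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

# Constructed sample: access log of the internal "virus website" (combined log
# format with the Host header appended). Addresses and timestamps are made up.
SAMPLE_LOG = """\
10.12.3.41 - - [20/May/2017:09:14:02 +0800] "GET / HTTP/1.1" 200 0 "-" "-" www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
10.12.3.77 - - [20/May/2017:09:14:05 +0800] "GET / HTTP/1.1" 200 0 "-" "-" www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
10.12.3.41 - - [20/May/2017:09:20:11 +0800] "GET / HTTP/1.1" 200 0 "-" "-" www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
10.45.8.9 - - [20/May/2017:09:21:40 +0800] "GET / HTTP/1.1" 200 0 "-" "-" www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
10.12.3.5 - - [20/May/2017:09:30:00 +0800] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0" intranet.example
"""

# Constructed mapping of branch subnets to branch names (an assumption of the example).
BRANCHES = {
    ipaddress.ip_network("10.12.0.0/16"): "Branch A",
    ipaddress.ip_network("10.45.0.0/16"): "Branch B",
}

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" (?P<host>\S+)$'
)


def parse_hits(log_text):
    """Yield (client_ip, timestamp) for each request whose Host is the kill-switch domain."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("host").lower() == KILL_SWITCH:
            yield m.group("ip"), m.group("ts")


def infected_hosts_by_branch(log_text, branches=BRANCHES):
    """Map branch name -> sorted distinct client IPs that queried the kill switch.

    A host that looked up this domain has already run the dropper, so every IP
    listed is a machine to isolate and scan even though nothing was encrypted.
    """
    seen = defaultdict(set)
    for ip, _ts in parse_hits(log_text):
        addr = ipaddress.ip_address(ip)
        branch = next((name for net, name in branches.items() if addr in net), "unknown")
        seen[branch].add(ip)
    return {b: sorted(ips, key=ipaddress.ip_address) for b, ips in seen.items()}


if __name__ == "__main__":
    for branch, ips in infected_hosts_by_branch(SAMPLE_LOG).items():
        print(f"{branch}: {len(ips)} infected host(s): {', '.join(ips)}")
```

Because the internal site answered, these hosts were not encrypted, but each one still carries the dropped files and needs the cleanup described later in the article.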

Unresponsive antivirus software

On May 20, redhat9i checked one by one, from the back end, the PCs that had accessed the Eternal Blue site and found that all of them had anti-virus software and anti-virus components installed. Tested with the EICAR standard anti-virus test file from its official download address (http://www.eicar.org/85-0-Download.html), every anti-virus installation detected it, confirming that the anti-virus software was working properly. This confused him again. The hosts had accessed the fake virus website built on the LAN itself and had then not been encrypted, which meant this was still the early-stage virus, not the 2.0 variant. (It was later confirmed that the 2.0 variant was a mistake by the technicians of a certain anti-virus manufacturer, forwarded and reported by major media; the technicians in question later apologized publicly. To date no notification has been received of an Eternal Blue sample without the Kill Switch.) According to the information available at the time, the anti-virus software could handle these viruses, so why had it not detected them? Because the city had sufficient manpower, almost all PCs in the city had already been reinstalled. To find out why the antivirus software did not react to the sample, the sample itself was needed. At noon on May 20, redhat9i sent colleagues to a remote area where an infected host had been disconnected from the network but not yet reinstalled, to analyze the running system and collect suspicious samples for the antivirus manufacturer's virus laboratory. The laboratory confirmed that the sample collected this time had mutated and differed from the virus code detected before. On the afternoon of May 20, redhat9i urgently produced a removal component and found a branch company to pilot it that night. First the server was updated, then the components were distributed, verifying that they would not cause system blue screens or affect customer applications and that they could remove the virus once updated. Then everyone went to every host they could find, one by one, to ensure the components had been updated, and watched each host complete a full scan to confirm that the virus file could be removed successfully. At 1 a.m. on May 21, the redhat9i team formally notified the customer's technical lead, who was still on duty at the company headquarters, that the virus sample could be removed and that there were no compatibility issues.

Strange behavior

Whether the hosts would still contact the virus website after the virus files were cleaned needed on-site verification by the customer. At 7:00 a.m. on May 21, redhat9i located some PCs that had previously been infected and disconnected from the network, and confirmed that virus samples were present on their systems. After the network cables were reconnected, the network traffic of these infected computers was captured, but they were not seen visiting the virus website. After multiple attempts on a large number of different computers, the earlier behavior of visiting the website could not be reproduced. Could there be a problem with redhat9i's packet capture? He contacted the provincial company to check the virus website access records and found no abnormal activity from these infected PCs. This was strange: overnight, it seemed, neither infected nor uninfected PCs visited the domain any more. After discussion between redhat9i and several colleagues on site, everyone speculated that the virus's check for the website might not run all the time but only under certain conditions, such as at a specific time. The final explanation is still to be studied by the virus laboratory.

From May 20 to May 21, working day and night, after two days and two nights of handling, this war without gunpowder was basically over.

Strengthen security awareness and prevent fire, theft and viruses

The matter has been resolved, and looking back I feel that there are still many problems in this incident.

1. Patches must be taken seriously. Microsoft has been releasing system patches since the birth of Windows, but administrators seem not to pay attention to them. Most people believe that vulnerabilities can in theory be exploited to cause some damage, but that nothing has happened yet. The most recent large-scale virus infection that used a vulnerability should be the one that exploited Microsoft's MS08-067 vulnerability; the virus is called worm_downad.ad. This virus is really eye-opening: it not only uses a dictionary of hundreds of passwords commonly used by Chinese users, such as admin, boss123, ihavenopass and qwe123, to spread and infect, but also uses Microsoft's MS08-067 vulnerability to spread on a large scale. It has been 9 years since this vulnerability was discovered, yet I still find many customers troubled by this virus in my work. So please pay attention to patches. Don't expect security software installed on a system full of vulnerabilities to solve everything for you. If the foundation of the house is not stable, can you still expect the house to shelter you from the wind and rain? Here is the download address of the patch for the MS17-010 vulnerability used by Eternal Blue >>

2. Build a site for the domain the virus accesses. As far as is known, after Eternal Blue is activated it visits www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com, and if the domain is found to be reachable, encryption stops. So that this domain name resolves promptly, especially on a LAN that cannot connect to the Internet, it is recommended to set up a resolution record for this site inside the company.

3. If you are unfortunately infected with this virus, you can use the special killing tools provided by major security vendors to detect and kill it, or you can contact the antivirus software manufacturer you use to assist you in handling it.

At present, seven companies, including AsiaInfo, Antiy, 360, Beixinyuan, Rising, Kingsoft and Tencent, have developed special killing tools for this virus. You can choose from the following:

Download address of AsiaInfo AntiVirus (32-bit): http://support.asiainfo-sec.com/Anti-Virus/Clean-Tool/ATTK_CN/supportcustomizedpackage.exe

Download address of AsiaInfo AntiVirus (64-bit): http://support.asiainfo-sec.com/Anti-Virus/Clean-Tool/ATTK_CN/supportcustomizedpackage_64.exe

Instructions for using AsiaInfo AntiVirus: http://support.asiainfo-sec.com/Anti-Virus/Clean-Tool/ATTK_CN/ATTK_USER_MANUAL.doc

Antiy Anti-Attacker download address: http://www.antiy.com/response/wannacry/ATScanner.zip

Antiy Immunity download address: http://www.antiy.com/response/wannacry/Vaccine_for_wannacry.zip.

Antiy’s response instructions link: http://www.antiy.com/response/Antiy_Wannacry_FAQ.html.

360 company immunity tool download link: http://b.360.cn/other/onionwormimmune

360 company's special killing tool download link: http://b.360.cn/other/onionwormkiller

Download link of Beixinyuan company's special killing immunity tool and instructions: http://www.vrv.com.cn/index.php?m=content&c=index&a=lists&catid=205

Rising Immunity Tool download link: http://download.rising.net.cn/zsgj/EternalBluemianyi.exe

Rising Immune Tool + Antivirus Download Link: http://download.rising.net.cn/zsgj/EternalBluemianyi_sharuan.exe

Kingsoft Security Immunity Tool (*** version, after downloading, it can automatically adapt to the user's system, suitable for any individual and corporate user) Download address: http://pan.baidu.com/s/1o8hqpXC

Kingsoft V8+ Terminal Security Protection System Immunity Tool (*** version, suitable for enterprise-level users who install this product from Kingsoft Security) Download address: http://pan.baidu.com/s/1kVHUlwz

Tencent Computer Manager Ransomware Immunity Tool and Instructions Download Link: http://guanjia.qq.com/wannacry/

Tencent PC Manager Ransomware Immunity Tool (Offline Version) Download address: http://url.cn/496kcwV

Tencent PC Manager Ransomware Immunity Tool (Online Version) Download Address: http://url.cn/498da3o

Tencent PC Manager Administrator Assistant Download address: http://url.cn/499YVsJ Command line: MS_17_010_Scan.exe 192.168.164.128

If you are also willing to share your story, please join the 51CTO developer QQ exchange group 312724475 and contact the group owner Xiaoguan. We look forward to your wonderful story!

[51CTO original article, please indicate the original author and source as 51CTO.com when reprinting on partner sites]
