ETERNALBLUE vs Internet Security Suites and nextgen protections

Due to the recent #wannacry ransomware events, we initiated a quick test in our lab.

Most vendors claim to protect against the WannaDecrypt ransomware, and some even claims they protect against ETERNALBLUE exploit (MS17-010).

Unfortunately, our tests shows otherwise. Warning: We only tested the exploit and the backdoor, but not the payload (Wannacry)!

We don’t want to disclose our test results until a fair amount of time is given to vendors to patch their product, but meanwhile we feel that we have to inform the public about the risks.

The following 3 5 6 products protected the system against the ETERNALBLUE exploit installing the DOUBLEPULSAR backdoor and dropping a payload/executing a shellcode:

  1. ESET Smart Security – blocks the attack before DoublePulsar is installed
  2. F-Secure SAFE – but no log/alert on the console   (Update 2017-05-29) F-Secure confirmed that they do not protect against the exploit or the backdoor. What makes things more interesting is that Doublepulsar is already installed, and RunDLL just runs fine. This seems to be a bug in Fuzzbunch/Eternalblue.
  3. Kaspersky Internet Security – blocks the attack before DoublePulsar is installed
  4. Norton Internet Security- blocks the attack before DoublePulsar is installed (Update 2017-05-22)
  5. HitmanPro.Alert build 601 with anti-DoublePulsar (APC mitigation) was able to block every malicious payload DLL or shellcode introduced to the system via the Eternalblue exploit. Both original Eternalblue with Doublepulsar and Metasploit port was tested. (Update 2017-06-01)
  6. SentinelOne 1.8.4.6202 was able to block every malicious payload DLL or shellcode introduced to the system via the Eternalblue exploit, by blocking it in a generic way. Both original Eternalblue with Doublepulsar and Metasploit port was tested. (Update 2017-06-01) SentinelOne not only blocks the Meterpreter payload, but the original Peddlecheap payload as well. As more and more tests were ongoing, we have seen that multiple (typically next-gen) products were able to block the Meterpreter payload loading in a generic way, but not the Peddlecheap one. (Update 2017-06-14)
  7. AVG (Avast) beta also blocks ETERNALBLUE exploit attempts (Update 2017-06-25)

ESET Smart Security Blocking ETERNALBLUE

 

FSecure SAFE blocking ETERNALBLUE

 

Kaspersky Internet Security protecting against ETERNALBLUE

 

Norton Internet Security Blocking ETERNALBLUE exploit attempt

 

HitmanPro.Alert blocking the payload injection

SentinelOne blocking the payload injection

SentinelOne blocking the payload injection

AVG blocking the exploit attempt via network filter driver

Two product used network filtering to detect the exploit, and block it before kernel code level execution happens. We have not played with how these techniques can be bypassed (e.g. via obfuscating the exploit to bypass signatures), but that could be the content of another blog post.

Update 2017-05-19: Kaspersky Internet Security can detect the DOUBLEPULSAR in-memory backdoor via memory scan (part of quick scan).

Kaspersky Internet Security detecting DOUBLEPULSAR via memory scan

 

The BSOD

So far, we have one endpoint protection product where DOUBLEPULSAR installation failed due to Blue Screen of Death. Point 1 for integrity (hopefully) and -1 point for availability.

Update 2017-05-22: The BSOD was on Windows7 64-bit with Symantec Endpoint Protection using VMware. After discussing this with Symantec representatives, it turned out this is not what average users should see. So we tested it on a physical machine with Windows7 32-bit and Norton Internet Security, and the attack was blocked and logged, and there was no BSOD.

The BSOD that wasn’t

The FAILS

At the moment (with the latest updates), we have tested 10 home Internet Security Suite products, 1 2 Next-gen endpoint protection (Updated on 2017-06-14), 1 EDR and (UPDATE 2017-05-22) 1 micro-virtualization based solution which can’t protect (or alert) users against ETERNALBLUE exploit installing the DOUBLEPULSAR backdoor. All vendors claim to protect against #Wannacry and some claim to protect against ETERNALBLUE. But here is the thing, protecting against the payload does not mean users are fully protected against malicious code running in kernel mode.

Our focus of test were mostly home products (internet security suites), and whenever the default firewall policy was set to public, we changed the policy to home/work. All products were used with default settings. Some products for example have intrusion prevention turned off by default – and enabling it blocks ETERNALBLUE. But not many home users tweak default settings.

All the tests were done between 15th May 2017 and 1 June.

CylancePROTECT marketing claims [updated on 2017.06.17]

Cylance has created and shared online a video attempting to demonstrate how their product CylancePROTECT protects against WannaCry:

The interesting part of the video starts at 5:00. The Doublepulsar backdoor is already installed and this means the system is already compromised and it would appear that Cylance did not realise this. 
 
There are YouTube tutorials on how one can drop Peddlecheap in-memory payloads with Eternalblue and Doublepulsar. We recommend to test this scenario for yourself on an endpoint protected with CylancePROTECT.
Update 2017-06-20: We got a feedback that this part of the post is not easy to understand. The key point here is that whenever you can see that Cylance blocks the malware payload on the protected machine, this means malicious code was already running on the machine, and this code successfully downloaded malware, and tried to start it, but it was blocked. Now let’s imagine a case when the machine is infected with a code which is not written to the disk, and this code starts in a way which is not detected by Cylance. This means it can bypass Cylance completely.

Conclusion

It is nice that all the AV vendors claim to protect against the ransomware payload, but in case there is a backdoor running on your machine in the kernel level, things are not that great.

Please note the ETERNALBLUE exploit was published basically 2 months before Wannacry and this blog post.

If anyone creates an in-memory ransomware which can work with the ETERNALBLUE exploit, the number of ransomwared systems would skyrocket. ETERNALBLUE can be linked with Meterpreter easily, and we have an in-memory Meterpreter ransomware extension. We are sure we are not the only ones having this capability … If there will be an in-memory Meterpreter ransomware in-the-wild soon, we reserve the right to remove this section from the blogpost, and pretend we never wrote this 😉

We are in the middle of contacting all AV vendors about the issue. Although we guess they already know this, they only forgot to notify the marketing department to check their communication.

 

Leave reply

 

Our partners