
A new report from Kryptos Logic sums up the spread of the WannaCry ransomware worm (WannaCrypt) two weeks after the start of the epidemic. Incidentally, Kryptos Logic is where the researcher MalwareTech works: he noticed a new botnet in the Kryptos Vantage early-detection system, immediately registered the domain that WannaCry was contacting, and thereby accidentally stopped the spread of the worm.
One of the experts' more interesting conclusions: the Windows XP operating system turned out to be effectively bulletproof against the virus, contrary to what many thought. When infected with the most common version of WannaCry, computers running Windows XP SP3 simply hung, showed a "blue screen of death" and rebooted. No files were encrypted; the ransomware could not function under those conditions.
In the first days after WannaCry began spreading, many media outlets reported that the main blame for the infection lay with Windows XP. The likely source of this misconception was the mass infection of computers at the UK's public health service, which is said to run many ancient PCs with old operating systems. The health service firmly denied the charge: it stated that at the time of the attack only 5% of its computers were running Windows XP.
Microsoft was criticized as well, since it had stopped releasing security updates for Windows XP back in 2014. Microsoft did not argue and promptly released the necessary patch for the older systems.
Two weeks of testing in the Kryptos Logic labs showed that WannaCry really could infect unpatched computers running Windows XP, but the subsequent attempt to load the DoublePulsar payload caused the system to hang.
At first, testing was done under conditions close to the real ones: delivery of the DoublePulsar payload via the EternalBlue exploit. In the second stage, DoublePulsar was installed on the computers manually. The ransomware launched successfully on Windows 7 64-bit SP1 machines, but the Windows XP machines kept crashing to a BSOD, so no infection occurred.
The researchers conclude that machines running Windows XP could not have been the main vector for spreading the infection, because "the exploit implementation in WannaCry could not reliably launch DoublePulsar and achieve the correct RCE". Accordingly, such a computer was unable to spread the malicious code further across the network via the SMB vulnerability. These findings agree with those that Kaspersky Lab experts reached in the first days: they found that 98% of all infections were on Windows 7 computers, and the share of Windows XP infections was "insignificant".
“In the worst case, which is most likely,” Kryptos said, “WannaCry caused a lot of unexpected crashes with a blue screen of death.”
Probably for the first time in the history of the BSOD, it did something genuinely useful: it protected computers.
Computers running Windows 7, on the other hand, suffered quite seriously. Based on data from the Kryptos Vantage system, the experts estimate the number of infections at 14-16 million. The total number of systems on which the ransomware ran and encrypted user files before the kill switch was triggered is estimated at several hundred thousand.
In total, WannaCry hit the networks of more than 9,500 IP ranges belonging to Internet providers and/or organizations in 8,900 cities across 90 countries. The most affected were China, the United States and Russia.

Kryptos's sinkhole servers are still registering a large number of requests to the kill-switch domain, including from new IP addresses. This suggests that the worm continues to spread (mainly in China): millions of users have still not installed the patches, closed the Windows vulnerability or installed antivirus software. Newer versions of the worm could exploit this, and a new wave of infections could follow.
Kryptos also considered the suggestion by the researcher Neel Mehta (who, you may remember, discovered Heartbleed) that the authors of WannaCry are linked to the Lazarus group, which carried out the famous attack on Sony Pictures in 2014 and, two years later, stole part of Bangladesh's reserves (101 million, via SWIFT). This group is associated with North Korea.
Neel Mehta pointed to the same piece of code in WannaCry and in the Lazarus malware:
    #include <cstddef>
    #include <cstdint>

    // Cipher-suite list hard-coded into the fake TLS 1.0 ClientHello (75 suites).
    static const uint16_t ciphersuites[] = {
        0x0003,0x0004,0x0005,0x0006,0x0008,0x0009,0x000A,0x000D,
        0x0010,0x0011,0x0012,0x0013,0x0014,0x0015,0x0016,0x002F,
        0x0030,0x0031,0x0032,0x0033,0x0034,0x0035,0x0036,0x0037,
        0x0038,0x0039,0x003C,0x003D,0x003E,0x003F,0x0040,0x0041,
        0x0044,0x0045,0x0046,0x0062,0x0063,0x0064,0x0066,0x0067,
        0x0068,0x0069,0x006A,0x006B,0x0084,0x0087,0x0088,0x0096,
        0x00FF,0xC001,0xC002,0xC003,0xC004,0xC005,0xC006,0xC007,
        0xC008,0xC009,0xC00A,0xC00B,0xC00C,0xC00D,0xC00E,0xC00F,
        0xC010,0xC011,0xC012,0xC013,0xC014,0xC023,0xC024,0xC027,
        0xC02B,0xC02C,0xFEFF
    };

    // Store an integer at p in big-endian (network) byte order, as TLS requires.
    // The body was cut off in the quoted excerpt; this is the straightforward completion.
    template<typename T> void store_be(void *p, T x) {
        unsigned char *out = static_cast<unsigned char *>(p);
        for (size_t i = 0; i < sizeof(T); ++i)
            out[i] = static_cast<unsigned char>(x >> (8 * (sizeof(T) - 1 - i)));
    }
This is a bogus implementation of TLS 1.0 used to disguise the malware's traffic as TLS. Some features of this implementation are such that they could not have been repeated by chance. So it is either the same hacker group, or someone else who carefully studied the conclusions of the analytical report (pdf) on the Sony attack and decided to use exactly the same method of masking traffic. In fact, it could be anyone.
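Since the disguise relies on a fixed cipher-suite list, a defender can fingerprint it on the wire. The following is an added example (not from the article or from Kryptos Logic) that parses the cipher-suite list out of a TLS ClientHello record and compares it with the 75-suite list quoted above; `build_client_hello` only constructs sample records for testing and is not part of any real implementation.

```python
import struct

# The cipher-suite list quoted in the article (75 suites, in order).
FAKE_TLS_SUITES = [
    0x0003, 0x0004, 0x0005, 0x0006, 0x0008, 0x0009, 0x000A, 0x000D,
    0x0010, 0x0011, 0x0012, 0x0013, 0x0014, 0x0015, 0x0016, 0x002F,
    0x0030, 0x0031, 0x0032, 0x0033, 0x0034, 0x0035, 0x0036, 0x0037,
    0x0038, 0x0039, 0x003C, 0x003D, 0x003E, 0x003F, 0x0040, 0x0041,
    0x0044, 0x0045, 0x0046, 0x0062, 0x0063, 0x0064, 0x0066, 0x0067,
    0x0068, 0x0069, 0x006A, 0x006B, 0x0084, 0x0087, 0x0088, 0x0096,
    0x00FF, 0xC001, 0xC002, 0xC003, 0xC004, 0xC005, 0xC006, 0xC007,
    0xC008, 0xC009, 0xC00A, 0xC00B, 0xC00C, 0xC00D, 0xC00E, 0xC00F,
    0xC010, 0xC011, 0xC012, 0xC013, 0xC014, 0xC023, 0xC024, 0xC027,
    0xC02B, 0xC02C, 0xFEFF,
]

def client_hello_suites(record: bytes):
    """Return the cipher-suite list of a TLS ClientHello record, or None
    if the bytes are not a well-formed ClientHello."""
    # Record header: type(1) version(2) length(2); handshake header:
    # type(1) length(3); then client_version(2) random(32) session_id(1+n).
    if len(record) < 11 or record[0] != 0x16 or record[5] != 0x01:
        return None
    pos = 9 + 2 + 32
    if pos >= len(record):
        return None
    pos += 1 + record[pos]                      # skip session_id
    if pos + 2 > len(record):
        return None
    n = struct.unpack_from(">H", record, pos)[0]  # cipher_suites length in bytes
    pos += 2
    if n % 2 or pos + n > len(record):
        return None
    return list(struct.unpack_from(">%dH" % (n // 2), record, pos))

def matches_fake_tls(record: bytes) -> bool:
    """True when the ClientHello offers exactly the hard-coded list, in order."""
    return client_hello_suites(record) == FAKE_TLS_SUITES

def build_client_hello(suites, session_id=b"") -> bytes:
    """Constructed sample data: a minimal TLS 1.0 ClientHello offering `suites`."""
    body = b"\x03\x01" + bytes(32) + bytes([len(session_id)]) + session_id
    body += struct.pack(">H", 2 * len(suites))
    body += struct.pack(">%dH" % len(suites), *suites)
    body += b"\x01\x00"                         # one compression method: null
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs
```

A real sensor would feed the first record of each outbound TCP stream to `matches_fake_tls`; an exact match on this unusual, fixed ordering is a strong indicator, while ordinary browsers offer different and changing lists.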
The reality is that today absolutely anyone, from any country in the world, can carry out such attacks, even alone: thanks to the leaks from the NSA and the CIA, and to other sources, any hacker now has powerful tools for a high-quality attack on a global scale.