
Hitachi Incident Response Team

HIRT-PUB17009 : Network infection by WannaCry

- Virtual experience demonstration (4) -

Last Update: April 09, 2018

Since the middle of May, the ransomware WannaCry has been active in the wild. WannaCry exploits a vulnerability in Windows SMBv1 (vulnerability CVE-2017-0145, addressed by security update MS17-010), which allows remote code execution. The ransomware spreads like a network worm to infect other Windows systems with this vulnerability. HIRT-PUB17009 introduces how network infection spreads to other vulnerable Windows systems.

1. Diffusion activities of ransomware WannaCry

Ransomware WannaCry (MD5: db349b97c37d22f5ea1d1841e3c89eb4) attempts to propagate itself by infecting other vulnerable Windows systems. To do so, it (1) probes devices in the same network and, in parallel, (2) probes the IP address space randomly. In the virtual experience demonstration, we show, using an MP4 video file, how the ransomware infects other devices in the network by probing within the same network. To demonstrate this, we prepared one infected PC and six PCs on which measures against the relevant vulnerability (MS17-010, CVE-2017-0145) had not been taken (Figure 1).


Figure 1: Network configuration for demonstrating network infection

2. Virtual experience demonstration

The virtual experience demonstration of HIRT-PUB17009 is an MP4 video file played at four times speed, showing the infection at about four times the actual speed. In the video, six PCs become infected in about 90 seconds; in reality, this infection would take about five minutes.


Figure 2: Virtual experience demonstration of a WannaCry network infection (at four times speed)

3. Description

The infected PC probes for PCs in the same network by continuously increasing the 4th octet of the IP address by one (in the case of the network configuration in Figure 1: 192.168.20.1, 192.168.20.2, ..., 192.168.20.254) (Figure 3). Furthermore, each infected PC (1) probes IP addresses in the same network as itself, and in parallel (2) probes the IP address space randomly. This causes the number of infection sources to increase rapidly, and causes the infection to spread (Figure 4).


Figure 3: Diagram of probing within the same network


Figure 4: Diagram of self-propagation

Figure 5 shows the flow of infection shown in the virtual experience demonstration, leading to the infection of six PCs. The infection proceeds in three steps: {infected PC=>PC#3(120)}, {PC#3(120)=>PC#1(30), PC#2(90), PC#5(190)}, {PC#2(90)=>PC#4(162), PC#6(230)}. This part of the video is consistent with the rapid spread of infection due to the self-propagation shown in Figure 4, as well as the rapid increase in sources of infection.

Although infected PCs probe PCs in the same network by repeatedly increasing the 4th octet of the IP address by one, the actual order of infection is as follows: PC#3(120), PC#2(90), PC#1(30), PC#6(230), PC#4(162), PC#5(190). The infection does not necessarily spread in the order that IP addresses are probed. (The numbers in parentheses are the 4th octet of the IP address.)
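As an added illustration of the probing pattern described above (not part of the HIRT page or its demonstration), the following Python detector reads constructed connection-log lines, flags hosts sweeping tcp/445 across consecutive 4th octets, and marks scanners that were themselves probed earlier, i.e. new infection sources. The log format, addresses and thresholds are assumptions.

```python
"""Detect WannaCry-style SMB sweeps: many tcp/445 targets per source,
consecutive 4th octets, and scanners that were scanned first (new sources)."""
import ipaddress
from collections import defaultdict

# Constructed sample log, "<epoch> <src> <dst> <dport>"; not real telemetry.
SAMPLE_LOG = """\
100 192.168.20.5 192.168.20.1 445
101 192.168.20.5 192.168.20.2 445
102 192.168.20.5 192.168.20.3 445
103 192.168.20.5 192.168.20.4 445
104 192.168.20.5 192.168.20.120 445
110 192.168.20.5 192.168.20.250 80
120 192.168.20.120 192.168.20.30 445
121 192.168.20.120 192.168.20.31 445
122 192.168.20.120 192.168.20.32 445
123 192.168.20.120 192.168.20.33 445
200 192.168.20.7 192.168.20.8 445
"""

def longest_consecutive_run(octets):
    """Length of the longest run of consecutive integers in a set."""
    best = 0
    for o in octets:
        if o - 1 in octets:          # only start counting at a run head
            continue
        length = 1
        while o + length in octets:
            length += 1
        best = max(best, length)
    return best

def detect_smb_sweeps(log_text, min_targets=4, min_run=3):
    """Return {scanner: info} for sources hitting >= min_targets hosts on 445."""
    targets = defaultdict(set)      # src -> distinct dst hosts on tcp/445
    first_hit, first_scan = {}, {}  # dst -> first probed; src -> first probe sent
    for line in log_text.splitlines():
        ts, src, dst, dport = line.split()
        if dport != "445":
            continue
        targets[src].add(ipaddress.ip_address(dst))
        first_hit.setdefault(dst, int(ts))
        first_scan.setdefault(src, int(ts))
    alerts = {}
    for src, dsts in targets.items():
        if len(dsts) < min_targets:
            continue
        run = longest_consecutive_run({int(d) & 0xFF for d in dsts})
        alerts[src] = {"targets": len(dsts), "sequential": run >= min_run,
                       # probed on 445 before it began scanning: a secondary source
                       "secondary_source": first_hit.get(src, float("inf")) < first_scan[src]}
    return alerts
```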


Figure 5: Flow of network infection in the virtual experience demonstration


4. References

4.1 Malware sample

WannaCry
SHA256: 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c
MD5: db349b97c37d22f5ea1d1841e3c89eb4

4.2 Related Information

5. Update history

April 09, 2018
  • This webpage was created and published.

Masato Terada (HIRT), Naoko Asai (HIRT) and Naoko Ohnishi (HIRT)