WannaCry Ransomware and MS17-010 Vulnerability
WannaCry (in several variants) spreads in two main ways: (1) through malicious downloads such as web-page or email attachments; (2) from one computer to another by exploiting a flaw in SMB protocol handling in many versions of MS-Windows (SMB is a fileserver protocol, not a web-browser or email protocol). The second (SMB) method does not require any user interaction or Internet connectivity, but is mainly a way for the worm to spread in corporate/organizational intranets.
To prevent WannaCry from infecting MS-Windows computers via SMB, the WannaCry-Blocker iRule terminates an SMB connection (TCP to port 445 or 139, typically) when it detects the WannaCry attack (before the attack can succeed). The attack can be detected because it relies on sending specific byte sequences to the victim computer in SMB protocol packets.
The WannaCry-Blocker iRule should be used to prevent WannaCry from spreading across the organization's intranet, including site-to-site or branch-office VPN links. When using BIG-IP IP Forwarding virtual servers, you may wish to create some parallel Standard virtual servers to inspect port 445 and 139 traffic for SMB attacks.
SMB does not use HTTP. To prevent the initial download of the worm over HTTP (web) or email, a different approach is needed, because the exact byte sequences used in the SMB attack may not be present in a file download. Downloads are typically compressed, Base64-encoded, or contain malicious code which generates SMB attack sequences on the fly instead of including them literally.
To protect your organization against initial infections through web pages or email, you should use a web security tool like F5 Secure Web Gateway and a suitable email-attachment scanner.
Although it is probably not worth the trouble, you can alter the WannaCry-Blocker iRule and attach it to an HTTP virtual server to scan binary downloads over HTTP for the SMB attack signatures. That will still not detect malicious software which generates WannaCry SMB attacks dynamically. To scan HTTP binary download attachments, add the following code to the iRule; it removes the Accept-Encoding request header so that the server returns the download uncompressed:
when HTTP_REQUEST { HTTP::header remove "Accept-Encoding" }
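
The following is an added example, not part of the WannaCry-Blocker iRule or any F5 code. It shows why a literal byte-sequence match works on a raw stream but misses the same bytes in a compressed or Base64-encoded download, which is why the Accept-Encoding header is removed above. The signature is a constructed placeholder rather than a real WannaCry byte sequence, and the names StreamScanner, scan, split and demo are hypothetical.

```python
import base64
import gzip

# Constructed placeholder bytes, NOT a real WannaCry / MS17-010 byte sequence.
SIGNATURE = b"\x00PLACEHOLDER-SMB-ATTACK-BYTES\x00"


class StreamScanner:
    """Literal signature matcher that survives matches split across chunks."""

    def __init__(self, signature):
        self.signature = signature
        self.tail = b""  # last len(signature) - 1 bytes seen so far

    def feed(self, chunk):
        window = self.tail + chunk
        keep = len(self.signature) - 1
        self.tail = window[-keep:] if keep else b""
        return self.signature in window


def scan(chunks, signature=SIGNATURE):
    """Return True if the signature occurs anywhere in the chunked stream."""
    scanner = StreamScanner(signature)
    return any(scanner.feed(chunk) for chunk in chunks)


def split(data, size=7):
    """Cut data into small pieces, as TCP segmentation might."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def demo():
    # Constructed sample "binary download" that embeds the placeholder bytes.
    body = b"MZ" + b"\x90" * 64 + SIGNATURE + b"\xcc" * 64
    gzipped = gzip.compress(body)
    return {
        "per_chunk_naive": any(SIGNATURE in c for c in split(body)),
        "identity": scan(split(body)),
        "gzip": scan(split(gzipped)),
        "base64": scan(split(base64.b64encode(body))),
        "gzip_decoded_first": scan(split(gzip.decompress(gzipped))),
    }


if __name__ == "__main__":
    for encoding, detected in demo().items():
        print(f"{encoding:20s} detected={detected}")
```

Only the uncompressed stream and the stream decoded before scanning produce a match. Software that generates the sequences at run time, as noted above, would match in neither case.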