NSA exploits were used before WannaCry

Proofpoint security researcher Kafeine points out that WannaCry was not the first malware to use the exploits developed by the US foreign intelligence service for a vulnerability in the Server Message Block (SMB) network protocol to infect Windows machines. According to him, a cryptocurrency-mining malware called Adylkuzz has been in circulation since April 24. First statistics show that this campaign could be even larger than WannaCry.

According to his analysis, Adylkuzz uses two NSA exploits. The malware combines the EternalBlue exploit, which targets the SMB vulnerability, with a backdoor named DoublePulsar. The malware was unusually effective at infecting unpatched Windows computers, even though Microsoft has had a patch for the SMB vulnerability available since the beginning of March.

“In the course of investigating the WannaCry campaign, we exposed a lab machine to the EternalBlue attack. Although we expected WannaCry, the machine was actually infected with a less conspicuous and unexpected guest: the cryptocurrency miner Adylkuzz,” Kafeine writes on the Proofpoint blog. “We repeated the experiment several times, each with the same result: within 20 minutes, a vulnerable computer connected to the Internet had been added to the Adylkuzz botnet.”

Spread

Instead of looking for vulnerable computers on the same network, as WannaCry does, Adylkuzz scans the Internet on TCP port 445 for possible targets. The operators set up multiple virtual servers for this purpose. “After successful exploitation via EternalBlue, the systems are infected with DoublePulsar. The backdoor then downloads Adylkuzz from another host and executes the malware,” the researchers write.
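The outbound TCP/445 fan-out described above is something a defender can spot in flow or firewall logs. The following is an added example, not code from the article or from Proofpoint: it parses constructed flow records (timestamp, source, destination, destination port) and flags internal hosts that open SMB connections to many distinct external addresses within a short window. The record format, the sample addresses and the threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flows (not from the article): "timestamp src dst dport".
# 10.0.0.5 fans out to twelve external hosts on 445 within seconds (scanner-like);
# 10.0.0.7 talks SMB to one internal file server and one external host (benign).
SAMPLE_FLOWS = (
    ["2017-05-15T10:00:%02d 10.0.0.5 203.0.113.%d 445" % (i, i) for i in range(1, 13)]
    + ["2017-05-15T10:00:30 10.0.0.7 10.0.0.20 445",
       "2017-05-15T10:00:31 10.0.0.7 203.0.113.50 445",
       "2017-05-15T10:00:32 10.0.0.5 198.51.100.9 80"]
)


def parse_flows(lines):
    """Turn 'ts src dst dport' lines into (datetime, src, dst, int port) tuples."""
    flows = []
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return flows


def is_private(ip):
    """RFC 1918 check; SMB to internal file servers is expected traffic."""
    a, b = (int(x) for x in ip.split(".")[:2])
    return a == 10 or (a == 192 and b == 168) or (a == 172 and 16 <= b <= 31)


def find_smb_scanners(flows, window=timedelta(minutes=5), threshold=10):
    """Return {src: max distinct external TCP/445 targets seen in any `window`}
    for every source that reached at least `threshold` distinct targets."""
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port == 445 and not is_private(dst):
            by_src[src].append((ts, dst))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):          # sliding window over time-ordered events
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            targets = {dst for _, dst in events[lo:hi + 1]}
            if len(targets) >= threshold:
                hits[src] = max(hits.get(src, 0), len(targets))
    return hits


if __name__ == "__main__":
    print(find_smb_scanners(parse_flows(SAMPLE_FLOWS)))   # {'10.0.0.5': 12}
```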

Kafeine speculates that Adylkuzz may have prevented a wider spread of WannaCry. In an interview with ZDNet US, he explained that the malware “closes the door behind it” by blocking all SMB communication to prevent further infections. “As soon as Adylkuzz is running on a computer, that computer can no longer be infected by WannaCry via SMB and WannaCry’s worm capabilities,” the researcher added. At least in his tests, Adylkuzz always shut down SMB communication successfully.

According to Trend Micro, WannaCry is also not the last malware to target the SMB vulnerability. In its blog, the security vendor warns of a new ransomware called UIWIX, which is said to be considerably more evolved than WannaCry. UIWIX, for example, is capable of detecting virtual machines and sandboxes. In addition, UIWIX does not attack targets in Russia, Belarus and Kazakhstan. The kill switch that was used to contain WannaCry is also not found in UIWIX’s code. Furthermore, the new malware is not only able to encrypt files and demand a ransom, it can also steal credentials for websites, email, messengers and the FTP protocol.


[With material from Liam Tung, ZDNet.com]